summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnthony G. Basile <blueness@gentoo.org>2013-03-16 09:25:00 -0400
committerAnthony G. Basile <blueness@gentoo.org>2013-03-16 09:25:00 -0400
commit3ffd0980490b6bd656a839ddee22060a09a32a94 (patch)
tree0948de6e3d0685c06211b1f85667fe89aa09a375
parentGrsec/PaX: 2.9.1-{2.6.32.60,3.2.40,3.8.2}-201303111845 (diff)
downloadhardened-patchset-3ffd0980490b6bd656a839ddee22060a09a32a94.tar.gz
hardened-patchset-3ffd0980490b6bd656a839ddee22060a09a32a94.tar.bz2
hardened-patchset-3ffd0980490b6bd656a839ddee22060a09a32a94.zip
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.40,3.8.2}-201303142235
-rw-r--r--2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303142231.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303111841.patch)134
-rw-r--r--3.2.40/0000_README2
-rw-r--r--3.2.40/4420_grsecurity-2.9.1-3.2.40-201303142234.patch (renamed from 3.2.40/4420_grsecurity-2.9.1-3.2.40-201303111844.patch)294
-rw-r--r--3.8.2/0000_README2
-rw-r--r--3.8.2/4420_grsecurity-2.9.1-3.8.3-201303142235.patch (renamed from 3.8.2/4420_grsecurity-2.9.1-3.8.2-201303111845.patch)775
5 files changed, 751 insertions, 456 deletions
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303111841.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303142231.patch
index 844bced..966075e 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303111841.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303142231.patch
@@ -67598,6 +67598,25 @@ index 7ad177e..5503586 100644
typedef void (*bfa_cb_iocfc_t) (void *cbarg, enum bfa_status status);
struct bfa_iocfc_s {
+diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c
+index 075e239..85a1eaf 100644
+--- a/drivers/scsi/dc395x.c
++++ b/drivers/scsi/dc395x.c
+@@ -3746,13 +3746,13 @@ static struct DeviceCtlBlk *device_alloc(struct AdapterCtlBlk *acb,
+ dcb->max_command = 1;
+ dcb->target_id = target;
+ dcb->target_lun = lun;
++ dcb->dev_mode = eeprom->target[target].cfg0;
+ #ifndef DC395x_NO_DISCONNECT
+ dcb->identify_msg =
+ IDENTIFY(dcb->dev_mode & NTC_DO_DISCONNECT, lun);
+ #else
+ dcb->identify_msg = IDENTIFY(0, lun);
+ #endif
+- dcb->dev_mode = eeprom->target[target].cfg0;
+ dcb->inquiry7 = 0;
+ dcb->sync_mode = 0;
+ dcb->min_nego_period = clock_period[period_index];
diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c
index 4967643..cbec06b 100644
--- a/drivers/scsi/dpt_i2o.c
@@ -71265,6 +71284,76 @@ index fbea856..06efea6 100644
if (!left--) {
if (instance->disconnected)
+diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
+index 37f2899..6ca1363 100644
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -52,7 +52,7 @@ MODULE_DEVICE_TABLE (usb, wdm_ids);
+ #define WDM_READ 4
+ #define WDM_INT_STALL 5
+ #define WDM_POLL_RUNNING 6
+-
++#define WDM_OVERFLOW 10
+
+ #define WDM_MAX 16
+
+@@ -115,6 +115,7 @@ static void wdm_in_callback(struct urb *urb)
+ {
+ struct wdm_device *desc = urb->context;
+ int status = urb->status;
++ int length = urb->actual_length;
+
+ spin_lock(&desc->iuspin);
+
+@@ -144,9 +145,17 @@ static void wdm_in_callback(struct urb *urb)
+ }
+
+ desc->rerr = status;
+- desc->reslength = urb->actual_length;
+- memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength);
+- desc->length += desc->reslength;
++ if (length + desc->length > desc->wMaxCommand) {
++ /* The buffer would overflow */
++ set_bit(WDM_OVERFLOW, &desc->flags);
++ } else {
++ /* we may already be in overflow */
++ if (!test_bit(WDM_OVERFLOW, &desc->flags)) {
++ memmove(desc->ubuf + desc->length, desc->inbuf, length);
++ desc->length += length;
++ desc->reslength = length;
++ }
++ }
+ wake_up(&desc->wait);
+
+ set_bit(WDM_READ, &desc->flags);
+@@ -398,6 +407,11 @@ retry:
+ rv = -ENODEV;
+ goto err;
+ }
++ if (test_bit(WDM_OVERFLOW, &desc->flags)) {
++ clear_bit(WDM_OVERFLOW, &desc->flags);
++ rv = -ENOBUFS;
++ goto err;
++ }
+ i++;
+ if (file->f_flags & O_NONBLOCK) {
+ if (!test_bit(WDM_READ, &desc->flags)) {
+@@ -440,6 +454,7 @@ retry:
+ spin_unlock_irq(&desc->iuspin);
+ goto retry;
+ }
++
+ if (!desc->reslength) { /* zero length read */
+ dev_dbg(&desc->intf->dev, "%s: zero length - clearing WDM_READ\n", __func__);
+ clear_bit(WDM_READ, &desc->flags);
+@@ -844,6 +859,7 @@ static int wdm_post_reset(struct usb_interface *intf)
+ struct wdm_device *desc = usb_get_intfdata(intf);
+ int rv;
+
++ clear_bit(WDM_OVERFLOW, &desc->flags);
+ rv = recover_from_urb_loss(desc);
+ mutex_unlock(&desc->plock);
+ return 0;
diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
index 24e6205..b94523b 100644
--- a/drivers/usb/core/hcd.c
@@ -81696,7 +81785,7 @@ index f6af760..d0adf34 100644
base = (void __user *)(unsigned long)argv[n].v_base;
if (len == 0) {
diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c
-index 44a88a9..0eb059e 100644
+index 44a88a9..0eb059ec 100644
--- a/fs/nls/nls_base.c
+++ b/fs/nls/nls_base.c
@@ -114,34 +114,57 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxlen)
@@ -82286,7 +82375,7 @@ index 5765198..7f8e9e0 100644
int pos = slot * secsize;
put_dev_sector(sect);
diff --git a/fs/pipe.c b/fs/pipe.c
-index d0cc080..8a6f211 100644
+index d0cc080..b63ef40 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -401,9 +401,9 @@ redo:
@@ -82381,7 +82470,15 @@ index d0cc080..8a6f211 100644
}
mutex_unlock(&inode->i_mutex);
-@@ -818,9 +818,9 @@ pipe_rdwr_open(struct inode *inode, struct file *filp)
+@@ -813,14 +813,17 @@ pipe_rdwr_open(struct inode *inode, struct file *filp)
+ {
+ int ret = -ENOENT;
+
++ if (!(filp->f_mode & (FMODE_READ|FMODE_WRITE)))
++ return -EINVAL;
++
+ mutex_lock(&inode->i_mutex);
+
if (inode->i_pipe) {
ret = 0;
if (filp->f_mode & FMODE_READ)
@@ -82393,7 +82490,7 @@ index d0cc080..8a6f211 100644
}
mutex_unlock(&inode->i_mutex);
-@@ -905,7 +905,7 @@ void free_pipe_info(struct inode *inode)
+@@ -905,7 +908,7 @@ void free_pipe_info(struct inode *inode)
inode->i_pipe = NULL;
}
@@ -82402,7 +82499,7 @@ index d0cc080..8a6f211 100644
static int pipefs_delete_dentry(struct dentry *dentry)
{
/*
-@@ -945,7 +945,8 @@ static struct inode * get_pipe_inode(void)
+@@ -945,7 +948,8 @@ static struct inode * get_pipe_inode(void)
goto fail_iput;
inode->i_pipe = pipe;
@@ -118216,7 +118313,7 @@ index 0747d8a..e8bf3f3 100644
sub->evt.event = htohl(event, sub->swap);
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index db8d51a..608692d 100644
+index db8d51a..b141925 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -745,6 +745,12 @@ static struct sock *unix_find_other(struct net *net,
@@ -118265,8 +118362,18 @@ index db8d51a..608692d 100644
mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
dput(nd.path.dentry);
nd.path.dentry = dentry;
-@@ -2211,7 +2231,11 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+@@ -2206,12 +2226,20 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+ seq_puts(seq, "Num RefCount Protocol Flags Type St "
+ "Inode Path\n");
+ else {
+- struct sock *s = v;
++ struct sock *s = v, *peer;
+ struct unix_sock *u = unix_sk(s);
unix_state_lock(s);
++ peer = unix_peer(s);
++ unix_state_unlock(s);
++
++ unix_state_double_lock(s, peer);
seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
+#ifdef CONFIG_GRKERNSEC_HIDESYM
@@ -118277,6 +118384,19 @@ index db8d51a..608692d 100644
atomic_read(&s->sk_refcnt),
0,
s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
+@@ -2235,8 +2263,10 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+ }
+ for ( ; i < len; i++)
+ seq_putc(seq, u->addr->name->sun_path[i]);
+- }
+- unix_state_unlock(s);
++ } else if (peer)
++ seq_printf(seq, " P%lu", sock_i_ino(peer));
++
++ unix_state_double_unlock(s, peer);
+ seq_putc(seq, '\n');
+ }
+
diff --git a/net/wireless/wext.c b/net/wireless/wext.c
index a2e4c60..0979cbe 100644
--- a/net/wireless/wext.c
diff --git a/3.2.40/0000_README b/3.2.40/0000_README
index 173a1e3..6682017 100644
--- a/3.2.40/0000_README
+++ b/3.2.40/0000_README
@@ -78,7 +78,7 @@ Patch: 1039_linux-3.2.40.patch
From: http://www.kernel.org
Desc: Linux 3.2.40
-Patch: 4420_grsecurity-2.9.1-3.2.40-201303111844.patch
+Patch: 4420_grsecurity-2.9.1-3.2.40-201303142234.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303111844.patch b/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303142234.patch
index 94cafc4..c85236f 100644
--- a/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303111844.patch
+++ b/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303142234.patch
@@ -31356,6 +31356,57 @@ index 0833896..cccce52 100644
struct hpet_info *info)
{
struct hpet_timer __iomem *timer;
+diff --git a/drivers/char/hw_random/core.c b/drivers/char/hw_random/core.c
+index 1bafb40..69ae597 100644
+--- a/drivers/char/hw_random/core.c
++++ b/drivers/char/hw_random/core.c
+@@ -40,6 +40,7 @@
+ #include <linux/init.h>
+ #include <linux/miscdevice.h>
+ #include <linux/delay.h>
++#include <linux/slab.h>
+ #include <asm/uaccess.h>
+
+
+@@ -52,8 +53,12 @@ static struct hwrng *current_rng;
+ static LIST_HEAD(rng_list);
+ static DEFINE_MUTEX(rng_mutex);
+ static int data_avail;
+-static u8 rng_buffer[SMP_CACHE_BYTES < 32 ? 32 : SMP_CACHE_BYTES]
+- __cacheline_aligned;
++static u8 *rng_buffer;
++
++static size_t rng_buffer_size(void)
++{
++ return SMP_CACHE_BYTES < 32 ? 32 : SMP_CACHE_BYTES;
++}
+
+ static inline int hwrng_init(struct hwrng *rng)
+ {
+@@ -116,7 +121,7 @@ static ssize_t rng_dev_read(struct file *filp, char __user *buf,
+
+ if (!data_avail) {
+ bytes_read = rng_get_data(current_rng, rng_buffer,
+- sizeof(rng_buffer),
++ rng_buffer_size(),
+ !(filp->f_flags & O_NONBLOCK));
+ if (bytes_read < 0) {
+ err = bytes_read;
+@@ -307,6 +312,14 @@ int hwrng_register(struct hwrng *rng)
+
+ mutex_lock(&rng_mutex);
+
++ /* kmalloc makes this safe for virt_to_page() in virtio_rng.c */
++ err = -ENOMEM;
++ if (!rng_buffer) {
++ rng_buffer = kmalloc(rng_buffer_size(), GFP_KERNEL);
++ if (!rng_buffer)
++ goto out_unlock;
++ }
++
+ /* Must not register two RNGs with the same name. */
+ err = -EEXIST;
+ list_for_each_entry(tmp, &rng_list, list) {
diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
index 58c0e63..46c16bf 100644
--- a/drivers/char/ipmi/ipmi_msghandler.c
@@ -39411,6 +39462,25 @@ index 546d46b..642fa5b 100644
/*
* Queue element to wait for room in request queue. FIFO order is
+diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c
+index f5b718d..aed7756 100644
+--- a/drivers/scsi/dc395x.c
++++ b/drivers/scsi/dc395x.c
+@@ -3747,13 +3747,13 @@ static struct DeviceCtlBlk *device_alloc(struct AdapterCtlBlk *acb,
+ dcb->max_command = 1;
+ dcb->target_id = target;
+ dcb->target_lun = lun;
++ dcb->dev_mode = eeprom->target[target].cfg0;
+ #ifndef DC395x_NO_DISCONNECT
+ dcb->identify_msg =
+ IDENTIFY(dcb->dev_mode & NTC_DO_DISCONNECT, lun);
+ #else
+ dcb->identify_msg = IDENTIFY(0, lun);
+ #endif
+- dcb->dev_mode = eeprom->target[target].cfg0;
+ dcb->inquiry7 = 0;
+ dcb->sync_mode = 0;
+ dcb->min_nego_period = clock_period[period_index];
diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
index ee77a58..af9d518 100644
--- a/drivers/scsi/hosts.c
@@ -41518,6 +41588,75 @@ index d3448ca..d2864ca 100644
if (!left--) {
if (instance->disconnected)
+diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
+index 97b2c55..fe8c04b 100644
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -70,6 +70,7 @@ MODULE_DEVICE_TABLE (usb, wdm_ids);
+ #define WDM_POLL_RUNNING 6
+ #define WDM_RESPONDING 7
+ #define WDM_SUSPENDING 8
++#define WDM_OVERFLOW 10
+
+ #define WDM_MAX 16
+
+@@ -134,6 +135,7 @@ static void wdm_in_callback(struct urb *urb)
+ {
+ struct wdm_device *desc = urb->context;
+ int status = urb->status;
++ int length = urb->actual_length;
+
+ spin_lock(&desc->iuspin);
+ clear_bit(WDM_RESPONDING, &desc->flags);
+@@ -164,9 +166,17 @@ static void wdm_in_callback(struct urb *urb)
+ }
+
+ desc->rerr = status;
+- desc->reslength = urb->actual_length;
+- memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength);
+- desc->length += desc->reslength;
++ if (length + desc->length > desc->wMaxCommand) {
++ /* The buffer would overflow */
++ set_bit(WDM_OVERFLOW, &desc->flags);
++ } else {
++ /* we may already be in overflow */
++ if (!test_bit(WDM_OVERFLOW, &desc->flags)) {
++ memmove(desc->ubuf + desc->length, desc->inbuf, length);
++ desc->length += length;
++ desc->reslength = length;
++ }
++ }
+ skip_error:
+ wake_up(&desc->wait);
+
+@@ -433,6 +443,11 @@ retry:
+ rv = -ENODEV;
+ goto err;
+ }
++ if (test_bit(WDM_OVERFLOW, &desc->flags)) {
++ clear_bit(WDM_OVERFLOW, &desc->flags);
++ rv = -ENOBUFS;
++ goto err;
++ }
+ i++;
+ if (file->f_flags & O_NONBLOCK) {
+ if (!test_bit(WDM_READ, &desc->flags)) {
+@@ -472,6 +487,7 @@ retry:
+ spin_unlock_irq(&desc->iuspin);
+ goto retry;
+ }
++
+ if (!desc->reslength) { /* zero length read */
+ dev_dbg(&desc->intf->dev, "%s: zero length - clearing WDM_READ\n", __func__);
+ clear_bit(WDM_READ, &desc->flags);
+@@ -926,6 +942,7 @@ static int wdm_post_reset(struct usb_interface *intf)
+ struct wdm_device *desc = usb_get_intfdata(intf);
+ int rv;
+
++ clear_bit(WDM_OVERFLOW, &desc->flags);
+ rv = recover_from_urb_loss(desc);
+ mutex_unlock(&desc->wlock);
+ mutex_unlock(&desc->rlock);
diff --git a/drivers/usb/core/devices.c b/drivers/usb/core/devices.c
index 3440812..2a4ef1f 100644
--- a/drivers/usb/core/devices.c
@@ -46496,10 +46635,22 @@ index 84e8c07..6170d31 100644
}
}
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
-index b1451af..9a30647 100644
+index b1451af..72c6542 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
-@@ -989,7 +989,7 @@ cifs_init_request_bufs(void)
+@@ -561,6 +561,11 @@ cifs_get_root(struct smb_vol *vol, struct super_block *sb)
+ dentry = ERR_PTR(-ENOENT);
+ break;
+ }
++ if (!S_ISDIR(dir->i_mode)) {
++ dput(dentry);
++ dentry = ERR_PTR(-ENOTDIR);
++ break;
++ }
+
+ /* skip separators */
+ while (*s == sep)
+@@ -989,7 +994,7 @@ cifs_init_request_bufs(void)
cifs_req_cachep = kmem_cache_create("cifs_request",
CIFSMaxBufSize +
MAX_CIFS_HDR_SIZE, 0,
@@ -46508,7 +46659,7 @@ index b1451af..9a30647 100644
if (cifs_req_cachep == NULL)
return -ENOMEM;
-@@ -1016,7 +1016,7 @@ cifs_init_request_bufs(void)
+@@ -1016,7 +1021,7 @@ cifs_init_request_bufs(void)
efficient to alloc 1 per page off the slab compared to 17K (5page)
alloc of large cifs buffers even when page debugging is on */
cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq",
@@ -46517,7 +46668,7 @@ index b1451af..9a30647 100644
NULL);
if (cifs_sm_req_cachep == NULL) {
mempool_destroy(cifs_req_poolp);
-@@ -1101,8 +1101,8 @@ init_cifs(void)
+@@ -1101,8 +1106,8 @@ init_cifs(void)
atomic_set(&bufAllocCount, 0);
atomic_set(&smBufAllocCount, 0);
#ifdef CONFIG_CIFS_STATS2
@@ -46710,7 +46861,7 @@ index 6901578..d402eb5 100644
return hit;
diff --git a/fs/compat.c b/fs/compat.c
-index e07a3d3..1b4dfbb 100644
+index e07a3d3..d33d8b7 100644
--- a/fs/compat.c
+++ b/fs/compat.c
@@ -132,8 +132,8 @@ asmlinkage long compat_sys_utimes(const char __user *filename, struct compat_tim
@@ -46742,7 +46893,18 @@ index e07a3d3..1b4dfbb 100644
goto out;
if (nr_segs > fast_segs) {
ret = -ENOMEM;
-@@ -845,6 +845,7 @@ struct compat_old_linux_dirent {
+@@ -572,6 +572,10 @@ ssize_t compat_rw_copy_check_uvector(int type,
+ }
+ *ret_pointer = iov;
+
++ ret = -EFAULT;
++ if (!access_ok(VERIFY_READ, uvector, nr_segs*sizeof(*uvector)))
++ goto out;
++
+ /*
+ * Single unix specification:
+ * We should -EINVAL if an element length is not >= 0 and fitting an
+@@ -845,6 +849,7 @@ struct compat_old_linux_dirent {
struct compat_readdir_callback {
struct compat_old_linux_dirent __user *dirent;
@@ -46750,7 +46912,7 @@ index e07a3d3..1b4dfbb 100644
int result;
};
-@@ -862,6 +863,10 @@ static int compat_fillonedir(void *__buf, const char *name, int namlen,
+@@ -862,6 +867,10 @@ static int compat_fillonedir(void *__buf, const char *name, int namlen,
buf->result = -EOVERFLOW;
return -EOVERFLOW;
}
@@ -46761,7 +46923,7 @@ index e07a3d3..1b4dfbb 100644
buf->result++;
dirent = buf->dirent;
if (!access_ok(VERIFY_WRITE, dirent,
-@@ -894,6 +899,7 @@ asmlinkage long compat_sys_old_readdir(unsigned int fd,
+@@ -894,6 +903,7 @@ asmlinkage long compat_sys_old_readdir(unsigned int fd,
buf.result = 0;
buf.dirent = dirent;
@@ -46769,7 +46931,7 @@ index e07a3d3..1b4dfbb 100644
error = vfs_readdir(file, compat_fillonedir, &buf);
if (buf.result)
-@@ -914,6 +920,7 @@ struct compat_linux_dirent {
+@@ -914,6 +924,7 @@ struct compat_linux_dirent {
struct compat_getdents_callback {
struct compat_linux_dirent __user *current_dir;
struct compat_linux_dirent __user *previous;
@@ -46777,7 +46939,7 @@ index e07a3d3..1b4dfbb 100644
int count;
int error;
};
-@@ -935,6 +942,10 @@ static int compat_filldir(void *__buf, const char *name, int namlen,
+@@ -935,6 +946,10 @@ static int compat_filldir(void *__buf, const char *name, int namlen,
buf->error = -EOVERFLOW;
return -EOVERFLOW;
}
@@ -46788,7 +46950,7 @@ index e07a3d3..1b4dfbb 100644
dirent = buf->previous;
if (dirent) {
if (__put_user(offset, &dirent->d_off))
-@@ -982,6 +993,7 @@ asmlinkage long compat_sys_getdents(unsigned int fd,
+@@ -982,6 +997,7 @@ asmlinkage long compat_sys_getdents(unsigned int fd,
buf.previous = NULL;
buf.count = count;
buf.error = 0;
@@ -46796,7 +46958,7 @@ index e07a3d3..1b4dfbb 100644
error = vfs_readdir(file, compat_filldir, &buf);
if (error >= 0)
-@@ -1003,6 +1015,7 @@ out:
+@@ -1003,6 +1019,7 @@ out:
struct compat_getdents_callback64 {
struct linux_dirent64 __user *current_dir;
struct linux_dirent64 __user *previous;
@@ -46804,7 +46966,7 @@ index e07a3d3..1b4dfbb 100644
int count;
int error;
};
-@@ -1019,6 +1032,10 @@ static int compat_filldir64(void * __buf, const char * name, int namlen, loff_t
+@@ -1019,6 +1036,10 @@ static int compat_filldir64(void * __buf, const char * name, int namlen, loff_t
buf->error = -EINVAL; /* only used if we fail.. */
if (reclen > buf->count)
return -EINVAL;
@@ -46815,7 +46977,7 @@ index e07a3d3..1b4dfbb 100644
dirent = buf->previous;
if (dirent) {
-@@ -1070,13 +1087,14 @@ asmlinkage long compat_sys_getdents64(unsigned int fd,
+@@ -1070,13 +1091,14 @@ asmlinkage long compat_sys_getdents64(unsigned int fd,
buf.previous = NULL;
buf.count = count;
buf.error = 0;
@@ -46831,6 +46993,27 @@ index e07a3d3..1b4dfbb 100644
if (__put_user_unaligned(d_off, &lastdirent->d_off))
error = -EFAULT;
else
+@@ -1103,17 +1125,12 @@ static ssize_t compat_do_readv_writev(int type, struct file *file,
+ if (!file->f_op)
+ goto out;
+
+- ret = -EFAULT;
+- if (!access_ok(VERIFY_READ, uvector, nr_segs*sizeof(*uvector)))
+- goto out;
+-
+- tot_len = compat_rw_copy_check_uvector(type, uvector, nr_segs,
++ ret = compat_rw_copy_check_uvector(type, uvector, nr_segs,
+ UIO_FASTIOV, iovstack, &iov, 1);
+- if (tot_len == 0) {
+- ret = 0;
++ if (ret <= 0)
+ goto out;
+- }
+
++ tot_len = ret;
+ ret = rw_verify_area(type, file, pos, tot_len);
+ if (ret < 0)
+ goto out;
diff --git a/fs/compat_binfmt_elf.c b/fs/compat_binfmt_elf.c
index 112e45a..b59845b 100644
--- a/fs/compat_binfmt_elf.c
@@ -50853,7 +51036,7 @@ index 1c98f53..41e6a04 100644
nilfs->ns_crc_seed = le32_to_cpu(sbp->s_crc_seed);
return 0;
diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c
-index 44a88a9..0eb059e 100644
+index 44a88a9..0eb059ec 100644
--- a/fs/nls/nls_base.c
+++ b/fs/nls/nls_base.c
@@ -114,34 +114,57 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxlen)
@@ -51274,7 +51457,7 @@ index bd8ae78..539d250 100644
ldm_crit ("Out of memory.");
return false;
diff --git a/fs/pipe.c b/fs/pipe.c
-index 05ed5ca..ab15592 100644
+index 05ed5ca..d1f8b8a 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -437,9 +437,9 @@ redo:
@@ -51369,7 +51552,15 @@ index 05ed5ca..ab15592 100644
}
mutex_unlock(&inode->i_mutex);
-@@ -864,9 +864,9 @@ pipe_rdwr_open(struct inode *inode, struct file *filp)
+@@ -859,14 +859,17 @@ pipe_rdwr_open(struct inode *inode, struct file *filp)
+ {
+ int ret = -ENOENT;
+
++ if (!(filp->f_mode & (FMODE_READ|FMODE_WRITE)))
++ return -EINVAL;
++
+ mutex_lock(&inode->i_mutex);
+
if (inode->i_pipe) {
ret = 0;
if (filp->f_mode & FMODE_READ)
@@ -51381,7 +51572,7 @@ index 05ed5ca..ab15592 100644
}
mutex_unlock(&inode->i_mutex);
-@@ -958,7 +958,7 @@ void free_pipe_info(struct inode *inode)
+@@ -958,7 +961,7 @@ void free_pipe_info(struct inode *inode)
inode->i_pipe = NULL;
}
@@ -51390,7 +51581,7 @@ index 05ed5ca..ab15592 100644
/*
* pipefs_dname() is called from d_path().
-@@ -988,7 +988,8 @@ static struct inode * get_pipe_inode(void)
+@@ -988,7 +991,8 @@ static struct inode * get_pipe_inode(void)
goto fail_iput;
inode->i_pipe = pipe;
@@ -78940,7 +79131,7 @@ index 5c29750..99f6386 100644
static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
diff --git a/mm/process_vm_access.c b/mm/process_vm_access.c
-index e920aa3..137702a 100644
+index e920aa3..38e1f43 100644
--- a/mm/process_vm_access.c
+++ b/mm/process_vm_access.c
@@ -13,6 +13,7 @@
@@ -79012,6 +79203,28 @@ index e920aa3..137702a 100644
for (i = 0; i < riovcnt && iov_l_curr_idx < liovcnt; i++) {
rc = process_vm_rw_single_vec(
(unsigned long)rvec[i].iov_base, rvec[i].iov_len,
+@@ -434,12 +435,6 @@ compat_process_vm_rw(compat_pid_t pid,
+ if (flags != 0)
+ return -EINVAL;
+
+- if (!access_ok(VERIFY_READ, lvec, liovcnt * sizeof(*lvec)))
+- goto out;
+-
+- if (!access_ok(VERIFY_READ, rvec, riovcnt * sizeof(*rvec)))
+- goto out;
+-
+ if (vm_write)
+ rc = compat_rw_copy_check_uvector(WRITE, lvec, liovcnt,
+ UIO_FASTIOV, iovstack_l,
+@@ -464,8 +459,6 @@ free_iovecs:
+ kfree(iov_r);
+ if (iov_l != iovstack_l)
+ kfree(iov_l);
+-
+-out:
+ return rc;
+ }
+
diff --git a/mm/rmap.c b/mm/rmap.c
index 8685697..b490361 100644
--- a/mm/rmap.c
@@ -85086,7 +85299,7 @@ index 1983717..4d6102c 100644
sub->evt.event = htohl(event, sub->swap);
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index 317bfe3..6786706 100644
+index 317bfe3..342dd43 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -767,6 +767,12 @@ static struct sock *unix_find_other(struct net *net,
@@ -85135,6 +85348,34 @@ index 317bfe3..6786706 100644
mutex_unlock(&path.dentry->d_inode->i_mutex);
dput(path.dentry);
path.dentry = dentry;
+@@ -2261,9 +2281,13 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+ seq_puts(seq, "Num RefCount Protocol Flags Type St "
+ "Inode Path\n");
+ else {
+- struct sock *s = v;
++ struct sock *s = v, *peer;
+ struct unix_sock *u = unix_sk(s);
+ unix_state_lock(s);
++ peer = unix_peer(s);
++ unix_state_unlock(s);
++
++ unix_state_double_lock(s, peer);
+
+ seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu",
+ s,
+@@ -2290,8 +2314,10 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+ }
+ for ( ; i < len; i++)
+ seq_putc(seq, u->addr->name->sun_path[i]);
+- }
+- unix_state_unlock(s);
++ } else if (peer)
++ seq_printf(seq, " P%lu", sock_i_ino(peer));
++
++ unix_state_double_unlock(s, peer);
+ seq_putc(seq, '\n');
+ }
+
diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
index 0af7f54..c916d2f 100644
--- a/net/wireless/wext-core.c
@@ -86797,18 +87038,25 @@ index 55a6271..ad829c3 100644
hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
return 0;
diff --git a/security/keys/compat.c b/security/keys/compat.c
-index 4c48e13..7abdac9 100644
+index 4c48e13..6ba5dc8 100644
--- a/security/keys/compat.c
+++ b/security/keys/compat.c
-@@ -44,7 +44,7 @@ long compat_keyctl_instantiate_key_iov(
+@@ -40,12 +40,13 @@ long compat_keyctl_instantiate_key_iov(
+ ARRAY_SIZE(iovstack),
+ iovstack, &iov, 1);
+ if (ret < 0)
+- return ret;
++ goto err;
if (ret == 0)
goto no_payload_free;
- ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
+ ret = keyctl_instantiate_key_common(id, (const struct iovec __force_user *)iov, ioc, ret, ringid);
++err:
if (iov != iovstack)
kfree(iov);
+ return ret;
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 0b3f5d7..892c8a6 100644
--- a/security/keys/keyctl.c
diff --git a/3.8.2/0000_README b/3.8.2/0000_README
index 3b4b3f3..43053f3 100644
--- a/3.8.2/0000_README
+++ b/3.8.2/0000_README
@@ -6,7 +6,7 @@ Patch: 1001_linux-3.8.1.patch
From: http://www.kernel.org
Desc: Linux 3.8.1
-Patch: 4420_grsecurity-2.9.1-3.8.2-201303111845.patch
+Patch: 4420_grsecurity-2.9.1-3.8.3-201303142235.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.8.2/4420_grsecurity-2.9.1-3.8.2-201303111845.patch b/3.8.2/4420_grsecurity-2.9.1-3.8.3-201303142235.patch
index e088f8a..ef25e2b 100644
--- a/3.8.2/4420_grsecurity-2.9.1-3.8.2-201303111845.patch
+++ b/3.8.2/4420_grsecurity-2.9.1-3.8.3-201303142235.patch
@@ -259,7 +259,7 @@ index 986614d..e8bfedc 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index 20d5318..d5cec9c 100644
+index 8c49fc9b..9a2af09 100644
--- a/Makefile
+++ b/Makefile
@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -1540,13 +1540,13 @@ index 7eb18c1..e38b6d2 100644
#include <asm-generic/cmpxchg-local.h>
diff --git a/arch/arm/include/asm/delay.h b/arch/arm/include/asm/delay.h
-index ab98fdd..6b19938 100644
+index 720799f..2f67631 100644
--- a/arch/arm/include/asm/delay.h
+++ b/arch/arm/include/asm/delay.h
-@@ -24,9 +24,9 @@ extern struct arm_delay_ops {
- void (*delay)(unsigned long);
+@@ -25,9 +25,9 @@ extern struct arm_delay_ops {
void (*const_udelay)(unsigned long);
void (*udelay)(unsigned long);
+ bool const_clock;
-} arm_delay_ops;
+} *arm_delay_ops;
@@ -1555,7 +1555,7 @@ index ab98fdd..6b19938 100644
/*
* This function intentionally does not exist; if you see references to
-@@ -47,8 +47,8 @@ extern void __bad_udelay(void);
+@@ -48,8 +48,8 @@ extern void __bad_udelay(void);
* first constant multiplications gets optimized away if the delay is
* a constant)
*/
@@ -1977,7 +1977,7 @@ index a3f3792..7b932a6 100644
#define L_PTE_DIRTY_HIGH (1 << (55 - 32))
diff --git a/arch/arm/include/asm/pgtable.h b/arch/arm/include/asm/pgtable.h
-index 9c82f988..514705a 100644
+index c094749..fd8272e 100644
--- a/arch/arm/include/asm/pgtable.h
+++ b/arch/arm/include/asm/pgtable.h
@@ -30,6 +30,9 @@
@@ -2062,12 +2062,13 @@ index 9c82f988..514705a 100644
*/
#define _L_PTE_DEFAULT L_PTE_PRESENT | L_PTE_YOUNG
-@@ -240,7 +290,7 @@ static inline pte_t pte_mkspecial(pte_t pte) { return pte; }
+@@ -240,8 +290,7 @@ static inline pte_t pte_mkspecial(pte_t pte) { return pte; }
static inline pte_t pte_modify(pte_t pte, pgprot_t newprot)
{
-- const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER | L_PTE_NONE;
-+ const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER | L_PTE_NONE | __supported_pte_mask;
+- const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER |
+- L_PTE_NONE | L_PTE_VALID;
++ const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER | L_PTE_NONE | L_PTE_VALID | __supported_pte_mask;
pte_val(pte) = (pte_val(pte) & ~mask) | (pgprot_val(newprot) & mask);
return pte;
}
@@ -2723,7 +2724,7 @@ index 2adda11..7fbe958 100644
flush_icache_range(0xffff001c, 0xffff001c + length);
if (!vectors_high())
diff --git a/arch/arm/kernel/head.S b/arch/arm/kernel/head.S
-index 486a15a..2d6880e 100644
+index e0eb9a1..c7d74a3 100644
--- a/arch/arm/kernel/head.S
+++ b/arch/arm/kernel/head.S
@@ -52,7 +52,9 @@
@@ -2737,7 +2738,7 @@ index 486a15a..2d6880e 100644
.endm
/*
-@@ -416,7 +418,7 @@ __enable_mmu:
+@@ -434,7 +436,7 @@ __enable_mmu:
mov r5, #(domain_val(DOMAIN_USER, DOMAIN_MANAGER) | \
domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \
domain_val(DOMAIN_TABLE, DOMAIN_MANAGER) | \
@@ -2967,7 +2968,7 @@ index 3f6cbb2..6d856f5 100644
#ifdef MULTI_TLB
cpu_tlb = *list->tlb;
diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
-index 84f4cbf..672f5b8 100644
+index 58af91c..343ce99 100644
--- a/arch/arm/kernel/smp.c
+++ b/arch/arm/kernel/smp.c
@@ -70,7 +70,7 @@ enum ipi_msg_type {
@@ -3196,7 +3197,7 @@ index 7d08b43..f7ca7ea 100644
#include "csumpartialcopygeneric.S"
diff --git a/arch/arm/lib/delay.c b/arch/arm/lib/delay.c
-index 0dc5385..45833ef 100644
+index 6b93f6a..88d9b64 100644
--- a/arch/arm/lib/delay.c
+++ b/arch/arm/lib/delay.c
@@ -28,12 +28,14 @@
@@ -3215,7 +3216,7 @@ index 0dc5385..45833ef 100644
static const struct delay_timer *delay_timer;
static bool delay_calibrated;
-@@ -67,6 +69,12 @@ static void __timer_udelay(unsigned long usecs)
+@@ -67,6 +69,13 @@ static void __timer_udelay(unsigned long usecs)
__timer_const_udelay(usecs * UDELAY_MULT);
}
@@ -3223,18 +3224,20 @@ index 0dc5385..45833ef 100644
+ .delay = __timer_delay,
+ .const_udelay = __timer_const_udelay,
+ .udelay = __timer_udelay,
++ .const_clock = true,
+};
+
void __init register_current_timer_delay(const struct delay_timer *timer)
{
if (!delay_calibrated) {
-@@ -74,9 +82,7 @@ void __init register_current_timer_delay(const struct delay_timer *timer)
+@@ -74,10 +83,7 @@ void __init register_current_timer_delay(const struct delay_timer *timer)
delay_timer = timer;
lpj_fine = timer->freq / HZ;
loops_per_jiffy = lpj_fine;
- arm_delay_ops.delay = __timer_delay;
- arm_delay_ops.const_udelay = __timer_const_udelay;
- arm_delay_ops.udelay = __timer_udelay;
+- arm_delay_ops.const_clock = true;
+ arm_delay_ops = &arm_timer_delay_ops;
delay_calibrated = true;
} else {
@@ -3302,6 +3305,53 @@ index 0abb30f..54064da 100644
.late_init = n8x0_menelaus_late_init,
};
+diff --git a/arch/arm/mach-omap2/gpmc.c b/arch/arm/mach-omap2/gpmc.c
+index 8033cb7..2f7cb62 100644
+--- a/arch/arm/mach-omap2/gpmc.c
++++ b/arch/arm/mach-omap2/gpmc.c
+@@ -139,7 +139,6 @@ struct omap3_gpmc_regs {
+ };
+
+ static struct gpmc_client_irq gpmc_client_irq[GPMC_NR_IRQ];
+-static struct irq_chip gpmc_irq_chip;
+ static unsigned gpmc_irq_start;
+
+ static struct resource gpmc_mem_root;
+@@ -700,6 +699,18 @@ static void gpmc_irq_noop(struct irq_data *data) { }
+
+ static unsigned int gpmc_irq_noop_ret(struct irq_data *data) { return 0; }
+
++static struct irq_chip gpmc_irq_chip = {
++ .name = "gpmc",
++ .irq_startup = gpmc_irq_noop_ret,
++ .irq_enable = gpmc_irq_enable,
++ .irq_disable = gpmc_irq_disable,
++ .irq_shutdown = gpmc_irq_noop,
++ .irq_ack = gpmc_irq_noop,
++ .irq_mask = gpmc_irq_noop,
++ .irq_unmask = gpmc_irq_noop,
++
++};
++
+ static int gpmc_setup_irq(void)
+ {
+ int i;
+@@ -714,15 +725,6 @@ static int gpmc_setup_irq(void)
+ return gpmc_irq_start;
+ }
+
+- gpmc_irq_chip.name = "gpmc";
+- gpmc_irq_chip.irq_startup = gpmc_irq_noop_ret;
+- gpmc_irq_chip.irq_enable = gpmc_irq_enable;
+- gpmc_irq_chip.irq_disable = gpmc_irq_disable;
+- gpmc_irq_chip.irq_shutdown = gpmc_irq_noop;
+- gpmc_irq_chip.irq_ack = gpmc_irq_noop;
+- gpmc_irq_chip.irq_mask = gpmc_irq_noop;
+- gpmc_irq_chip.irq_unmask = gpmc_irq_noop;
+-
+ gpmc_client_irq[0].bitmask = GPMC_IRQ_FIFOEVENTENABLE;
+ gpmc_client_irq[1].bitmask = GPMC_IRQ_COUNT_EVENT;
+
diff --git a/arch/arm/mach-omap2/omap-wakeupgen.c b/arch/arm/mach-omap2/omap-wakeupgen.c
index 5d3b4f4..ddba3c0 100644
--- a/arch/arm/mach-omap2/omap-wakeupgen.c
@@ -3315,6 +3365,49 @@ index 5d3b4f4..ddba3c0 100644
.notifier_call = irq_cpu_hotplug_notify,
};
+diff --git a/arch/arm/mach-omap2/omap_device.c b/arch/arm/mach-omap2/omap_device.c
+index e065daa..7b1ad9b 100644
+--- a/arch/arm/mach-omap2/omap_device.c
++++ b/arch/arm/mach-omap2/omap_device.c
+@@ -686,7 +686,7 @@ void omap_device_delete(struct omap_device *od)
+ * passes along the return value of omap_device_build_ss().
+ */
+ struct platform_device __init *omap_device_build(const char *pdev_name, int pdev_id,
+- struct omap_hwmod *oh, void *pdata,
++ struct omap_hwmod *oh, const void *pdata,
+ int pdata_len,
+ struct omap_device_pm_latency *pm_lats,
+ int pm_lats_cnt, int is_early_device)
+@@ -720,7 +720,7 @@ struct platform_device __init *omap_device_build(const char *pdev_name, int pdev
+ */
+ struct platform_device __init *omap_device_build_ss(const char *pdev_name, int pdev_id,
+ struct omap_hwmod **ohs, int oh_cnt,
+- void *pdata, int pdata_len,
++ const void *pdata, int pdata_len,
+ struct omap_device_pm_latency *pm_lats,
+ int pm_lats_cnt, int is_early_device)
+ {
+diff --git a/arch/arm/mach-omap2/omap_device.h b/arch/arm/mach-omap2/omap_device.h
+index 0933c59..42b8e2d 100644
+--- a/arch/arm/mach-omap2/omap_device.h
++++ b/arch/arm/mach-omap2/omap_device.h
+@@ -91,14 +91,14 @@ int omap_device_shutdown(struct platform_device *pdev);
+ /* Core code interface */
+
+ struct platform_device *omap_device_build(const char *pdev_name, int pdev_id,
+- struct omap_hwmod *oh, void *pdata,
++ struct omap_hwmod *oh, const void *pdata,
+ int pdata_len,
+ struct omap_device_pm_latency *pm_lats,
+ int pm_lats_cnt, int is_early_device);
+
+ struct platform_device *omap_device_build_ss(const char *pdev_name, int pdev_id,
+ struct omap_hwmod **oh, int oh_cnt,
+- void *pdata, int pdata_len,
++ const void *pdata, int pdata_len,
+ struct omap_device_pm_latency *pm_lats,
+ int pm_lats_cnt, int is_early_device);
+
diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c
index 4653efb..8c60bf7 100644
--- a/arch/arm/mach-omap2/omap_hwmod.c
@@ -4118,19 +4211,6 @@ index a5bc92d..0bb4730 100644
omap_sram_size - omap_sram_skip);
+ pax_close_kernel();
}
-diff --git a/arch/arm/plat-orion/include/plat/addr-map.h b/arch/arm/plat-orion/include/plat/addr-map.h
-index b76c065..b6e766b 100644
---- a/arch/arm/plat-orion/include/plat/addr-map.h
-+++ b/arch/arm/plat-orion/include/plat/addr-map.h
-@@ -27,7 +27,7 @@ struct orion_addr_map_cfg {
- value in bridge_virt_base */
- void __iomem *(*win_cfg_base) (const struct orion_addr_map_cfg *cfg,
- const int win);
--};
-+} __no_const;
-
- /*
- * Information needed to setup one address mapping.
diff --git a/arch/arm/plat-samsung/include/plat/dma-ops.h b/arch/arm/plat-samsung/include/plat/dma-ops.h
index f5144cd..71f6d1f 100644
--- a/arch/arm/plat-samsung/include/plat/dma-ops.h
@@ -21922,7 +22002,7 @@ index b629bbe..0fa615a 100644
if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
diff --git a/arch/x86/kernel/pvclock.c b/arch/x86/kernel/pvclock.c
-index 85c3959..76b89f9 100644
+index 2cb9470..ff1fd80 100644
--- a/arch/x86/kernel/pvclock.c
+++ b/arch/x86/kernel/pvclock.c
@@ -43,11 +43,11 @@ unsigned long pvclock_tsc_khz(struct pvclock_vcpu_time_info *src)
@@ -30565,10 +30645,10 @@ index 431e875..cbb23f3 100644
-}
-__setup("vdso=", vdso_setup);
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index e014092..c76ab69 100644
+index 2262003..f229ced 100644
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
-@@ -99,8 +99,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
+@@ -100,8 +100,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
struct shared_info xen_dummy_shared_info;
@@ -30577,7 +30657,7 @@ index e014092..c76ab69 100644
RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
__read_mostly int xen_have_vector_callback;
EXPORT_SYMBOL_GPL(xen_have_vector_callback);
-@@ -495,8 +493,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
+@@ -496,8 +494,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
{
unsigned long va = dtr->address;
unsigned int size = dtr->size + 1;
@@ -30587,7 +30667,7 @@ index e014092..c76ab69 100644
int f;
/*
-@@ -544,8 +541,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
+@@ -545,8 +542,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
{
unsigned long va = dtr->address;
unsigned int size = dtr->size + 1;
@@ -30597,7 +30677,7 @@ index e014092..c76ab69 100644
int f;
/*
-@@ -938,7 +934,7 @@ static u32 xen_safe_apic_wait_icr_idle(void)
+@@ -939,7 +935,7 @@ static u32 xen_safe_apic_wait_icr_idle(void)
return 0;
}
@@ -30606,7 +30686,7 @@ index e014092..c76ab69 100644
{
apic->read = xen_apic_read;
apic->write = xen_apic_write;
-@@ -1244,30 +1240,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
+@@ -1245,30 +1241,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
#endif
};
@@ -30644,7 +30724,7 @@ index e014092..c76ab69 100644
{
if (pm_power_off)
pm_power_off();
-@@ -1369,7 +1365,17 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1370,7 +1366,17 @@ asmlinkage void __init xen_start_kernel(void)
__userpte_alloc_gfp &= ~__GFP_HIGHMEM;
/* Work out if we support NX */
@@ -30663,7 +30743,7 @@ index e014092..c76ab69 100644
xen_setup_features();
-@@ -1398,14 +1404,7 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1399,14 +1405,7 @@ asmlinkage void __init xen_start_kernel(void)
pv_mmu_ops.ptep_modify_prot_commit = xen_ptep_modify_prot_commit;
}
@@ -30679,7 +30759,7 @@ index e014092..c76ab69 100644
xen_smp_init();
-@@ -1590,7 +1589,7 @@ static int __cpuinit xen_hvm_cpu_notify(struct notifier_block *self,
+@@ -1598,7 +1597,7 @@ static int __cpuinit xen_hvm_cpu_notify(struct notifier_block *self,
return NOTIFY_OK;
}
@@ -31090,93 +31170,6 @@ index 9a87daa..fb17486 100644
if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
goto error;
-diff --git a/crypto/ablkcipher.c b/crypto/ablkcipher.c
-index 533de95..7d4a8d2 100644
---- a/crypto/ablkcipher.c
-+++ b/crypto/ablkcipher.c
-@@ -388,9 +388,9 @@ static int crypto_ablkcipher_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_blkcipher rblkcipher;
-
-- snprintf(rblkcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "ablkcipher");
-- snprintf(rblkcipher.geniv, CRYPTO_MAX_ALG_NAME, "%s",
-- alg->cra_ablkcipher.geniv ?: "<default>");
-+ strncpy(rblkcipher.type, "ablkcipher", sizeof(rblkcipher.type));
-+ strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<default>",
-+ sizeof(rblkcipher.geniv));
-
- rblkcipher.blocksize = alg->cra_blocksize;
- rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize;
-@@ -469,9 +469,9 @@ static int crypto_givcipher_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_blkcipher rblkcipher;
-
-- snprintf(rblkcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "givcipher");
-- snprintf(rblkcipher.geniv, CRYPTO_MAX_ALG_NAME, "%s",
-- alg->cra_ablkcipher.geniv ?: "<built-in>");
-+ strncpy(rblkcipher.type, "givcipher", sizeof(rblkcipher.type));
-+ strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<built-in>",
-+ sizeof(rblkcipher.geniv));
-
- rblkcipher.blocksize = alg->cra_blocksize;
- rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize;
-diff --git a/crypto/aead.c b/crypto/aead.c
-index 0b8121e..27bc487 100644
---- a/crypto/aead.c
-+++ b/crypto/aead.c
-@@ -117,9 +117,8 @@ static int crypto_aead_report(struct sk_buff *skb, struct crypto_alg *alg)
- struct crypto_report_aead raead;
- struct aead_alg *aead = &alg->cra_aead;
-
-- snprintf(raead.type, CRYPTO_MAX_ALG_NAME, "%s", "aead");
-- snprintf(raead.geniv, CRYPTO_MAX_ALG_NAME, "%s",
-- aead->geniv ?: "<built-in>");
-+ strncpy(raead.type, "aead", sizeof(raead.type));
-+ strncpy(raead.geniv, aead->geniv ?: "<built-in>", sizeof(raead.geniv));
-
- raead.blocksize = alg->cra_blocksize;
- raead.maxauthsize = aead->maxauthsize;
-@@ -203,8 +202,8 @@ static int crypto_nivaead_report(struct sk_buff *skb, struct crypto_alg *alg)
- struct crypto_report_aead raead;
- struct aead_alg *aead = &alg->cra_aead;
-
-- snprintf(raead.type, CRYPTO_MAX_ALG_NAME, "%s", "nivaead");
-- snprintf(raead.geniv, CRYPTO_MAX_ALG_NAME, "%s", aead->geniv);
-+ strncpy(raead.type, "nivaead", sizeof(raead.type));
-+ strncpy(raead.geniv, aead->geniv, sizeof(raead.geniv));
-
- raead.blocksize = alg->cra_blocksize;
- raead.maxauthsize = aead->maxauthsize;
-diff --git a/crypto/ahash.c b/crypto/ahash.c
-index 3887856..793a27f 100644
---- a/crypto/ahash.c
-+++ b/crypto/ahash.c
-@@ -404,7 +404,7 @@ static int crypto_ahash_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_hash rhash;
-
-- snprintf(rhash.type, CRYPTO_MAX_ALG_NAME, "%s", "ahash");
-+ strncpy(rhash.type, "ahash", sizeof(rhash.type));
-
- rhash.blocksize = alg->cra_blocksize;
- rhash.digestsize = __crypto_hash_alg_common(alg)->digestsize;
-diff --git a/crypto/blkcipher.c b/crypto/blkcipher.c
-index a8d85a1..c44e014 100644
---- a/crypto/blkcipher.c
-+++ b/crypto/blkcipher.c
-@@ -499,9 +499,9 @@ static int crypto_blkcipher_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_blkcipher rblkcipher;
-
-- snprintf(rblkcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "blkcipher");
-- snprintf(rblkcipher.geniv, CRYPTO_MAX_ALG_NAME, "%s",
-- alg->cra_blkcipher.geniv ?: "<default>");
-+ strncpy(rblkcipher.type, "blkcipher", sizeof(rblkcipher.type));
-+ strncpy(rblkcipher.geniv, alg->cra_blkcipher.geniv ?: "<default>",
-+ sizeof(rblkcipher.geniv));
-
- rblkcipher.blocksize = alg->cra_blocksize;
- rblkcipher.min_keysize = alg->cra_blkcipher.min_keysize;
diff --git a/crypto/cryptd.c b/crypto/cryptd.c
index 7bdd61b..afec999 100644
--- a/crypto/cryptd.c
@@ -31200,7 +31193,7 @@ index 7bdd61b..afec999 100644
static void cryptd_queue_worker(struct work_struct *work);
diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c
-index 35d700a..dfd511f 100644
+index f6d9baf..dfd511f 100644
--- a/crypto/crypto_user.c
+++ b/crypto/crypto_user.c
@@ -30,6 +30,8 @@
@@ -31212,55 +31205,6 @@ index 35d700a..dfd511f 100644
static DEFINE_MUTEX(crypto_cfg_mutex);
/* The crypto netlink socket */
-@@ -75,7 +77,7 @@ static int crypto_report_cipher(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_cipher rcipher;
-
-- snprintf(rcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "cipher");
-+ strncpy(rcipher.type, "cipher", sizeof(rcipher.type));
-
- rcipher.blocksize = alg->cra_blocksize;
- rcipher.min_keysize = alg->cra_cipher.cia_min_keysize;
-@@ -94,8 +96,7 @@ static int crypto_report_comp(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_comp rcomp;
-
-- snprintf(rcomp.type, CRYPTO_MAX_ALG_NAME, "%s", "compression");
--
-+ strncpy(rcomp.type, "compression", sizeof(rcomp.type));
- if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS,
- sizeof(struct crypto_report_comp), &rcomp))
- goto nla_put_failure;
-@@ -108,12 +109,14 @@ nla_put_failure:
- static int crypto_report_one(struct crypto_alg *alg,
- struct crypto_user_alg *ualg, struct sk_buff *skb)
- {
-- memcpy(&ualg->cru_name, &alg->cra_name, sizeof(ualg->cru_name));
-- memcpy(&ualg->cru_driver_name, &alg->cra_driver_name,
-- sizeof(ualg->cru_driver_name));
-- memcpy(&ualg->cru_module_name, module_name(alg->cra_module),
-- CRYPTO_MAX_ALG_NAME);
-+ strncpy(ualg->cru_name, alg->cra_name, sizeof(ualg->cru_name));
-+ strncpy(ualg->cru_driver_name, alg->cra_driver_name,
-+ sizeof(ualg->cru_driver_name));
-+ strncpy(ualg->cru_module_name, module_name(alg->cra_module),
-+ sizeof(ualg->cru_module_name));
-
-+ ualg->cru_type = 0;
-+ ualg->cru_mask = 0;
- ualg->cru_flags = alg->cra_flags;
- ualg->cru_refcnt = atomic_read(&alg->cra_refcnt);
-
-@@ -122,8 +125,7 @@ static int crypto_report_one(struct crypto_alg *alg,
- if (alg->cra_flags & CRYPTO_ALG_LARVAL) {
- struct crypto_report_larval rl;
-
-- snprintf(rl.type, CRYPTO_MAX_ALG_NAME, "%s", "larval");
--
-+ strncpy(rl.type, "larval", sizeof(rl.type));
- if (nla_put(skb, CRYPTOCFGA_REPORT_LARVAL,
- sizeof(struct crypto_report_larval), &rl))
- goto nla_put_failure;
@@ -196,7 +198,10 @@ static int crypto_report(struct sk_buff *in_skb, struct nlmsghdr *in_nlh,
struct crypto_dump_info info;
int err;
@@ -31303,47 +31247,6 @@ index 35d700a..dfd511f 100644
if (strlen(p->cru_driver_name))
exact = 1;
-diff --git a/crypto/pcompress.c b/crypto/pcompress.c
-index 04e083f..7140fe7 100644
---- a/crypto/pcompress.c
-+++ b/crypto/pcompress.c
-@@ -53,8 +53,7 @@ static int crypto_pcomp_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_comp rpcomp;
-
-- snprintf(rpcomp.type, CRYPTO_MAX_ALG_NAME, "%s", "pcomp");
--
-+ strncpy(rpcomp.type, "pcomp", sizeof(rpcomp.type));
- if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS,
- sizeof(struct crypto_report_comp), &rpcomp))
- goto nla_put_failure;
-diff --git a/crypto/rng.c b/crypto/rng.c
-index f3b7894..e0a25c2 100644
---- a/crypto/rng.c
-+++ b/crypto/rng.c
-@@ -65,7 +65,7 @@ static int crypto_rng_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_rng rrng;
-
-- snprintf(rrng.type, CRYPTO_MAX_ALG_NAME, "%s", "rng");
-+ strncpy(rrng.type, "rng", sizeof(rrng.type));
-
- rrng.seedsize = alg->cra_rng.seedsize;
-
-diff --git a/crypto/shash.c b/crypto/shash.c
-index f426330f..929058a 100644
---- a/crypto/shash.c
-+++ b/crypto/shash.c
-@@ -530,7 +530,8 @@ static int crypto_shash_report(struct sk_buff *skb, struct crypto_alg *alg)
- struct crypto_report_hash rhash;
- struct shash_alg *salg = __crypto_shash_alg(alg);
-
-- snprintf(rhash.type, CRYPTO_MAX_ALG_NAME, "%s", "shash");
-+ strncpy(rhash.type, "shash", sizeof(rhash.type));
-+
- rhash.blocksize = alg->cra_blocksize;
- rhash.digestsize = salg->digestsize;
-
diff --git a/drivers/acpi/apei/apei-internal.h b/drivers/acpi/apei/apei-internal.h
index f220d64..d359ad6 100644
--- a/drivers/acpi/apei/apei-internal.h
@@ -33545,7 +33448,7 @@ index b66eaa0..2619d1b 100644
if (cmd != SIOCWANDEV)
diff --git a/drivers/char/random.c b/drivers/char/random.c
-index 85e81ec..a129a39 100644
+index 57d4b15..253207b 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -272,8 +272,13 @@
@@ -33591,7 +33494,7 @@ index 85e81ec..a129a39 100644
smp_wmb();
if (out)
-@@ -1020,7 +1032,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
+@@ -1024,7 +1036,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
extract_buf(r, tmp);
i = min_t(int, nbytes, EXTRACT_SIZE);
@@ -33600,7 +33503,7 @@ index 85e81ec..a129a39 100644
ret = -EFAULT;
break;
}
-@@ -1356,7 +1368,7 @@ EXPORT_SYMBOL(generate_random_uuid);
+@@ -1360,7 +1372,7 @@ EXPORT_SYMBOL(generate_random_uuid);
#include <linux/sysctl.h>
static int min_read_thresh = 8, min_write_thresh;
@@ -33609,7 +33512,7 @@ index 85e81ec..a129a39 100644
static int max_write_thresh = INPUT_POOL_WORDS * 32;
static char sysctl_bootid[16];
-@@ -1372,7 +1384,7 @@ static char sysctl_bootid[16];
+@@ -1376,7 +1388,7 @@ static char sysctl_bootid[16];
static int proc_do_uuid(ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
@@ -33758,32 +33661,6 @@ index 8ae1a61..9c00613 100644
.notifier_call = arch_timer_cpu_notify,
};
-diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c
-index fce2000..1110478 100644
---- a/drivers/connector/cn_proc.c
-+++ b/drivers/connector/cn_proc.c
-@@ -313,6 +313,12 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg,
- (task_active_pid_ns(current) != &init_pid_ns))
- return;
-
-+ /* Can only change if privileged. */
-+ if (!capable(CAP_NET_ADMIN)) {
-+ err = EPERM;
-+ goto out;
-+ }
-+
- mc_op = (enum proc_cn_mcast_op *)msg->data;
- switch (*mc_op) {
- case PROC_CN_MCAST_LISTEN:
-@@ -325,6 +331,8 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg,
- err = EINVAL;
- break;
- }
-+
-+out:
- cn_proc_ack(err, msg->seq, msg->ack);
- }
-
diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c
index 7b0d49d..134fac9 100644
--- a/drivers/cpufreq/acpi-cpufreq.c
@@ -34262,10 +34139,10 @@ index 94a58a0..f5eba42 100644
container_of(_dev_attr, struct dmi_device_attribute, dev_attr)
diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c
-index 982f1f5..d21e5da 100644
+index 4cd392d..4b629e1 100644
--- a/drivers/firmware/dmi_scan.c
+++ b/drivers/firmware/dmi_scan.c
-@@ -491,11 +491,6 @@ void __init dmi_scan_machine(void)
+@@ -490,11 +490,6 @@ void __init dmi_scan_machine(void)
}
}
else {
@@ -34277,7 +34154,7 @@ index 982f1f5..d21e5da 100644
p = dmi_ioremap(0xF0000, 0x10000);
if (p == NULL)
goto error;
-@@ -770,7 +765,7 @@ int dmi_walk(void (*decode)(const struct dmi_header *, void *),
+@@ -769,7 +764,7 @@ int dmi_walk(void (*decode)(const struct dmi_header *, void *),
if (buf == NULL)
return -1;
@@ -34287,7 +34164,7 @@ index 982f1f5..d21e5da 100644
iounmap(buf);
return 0;
diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c
-index bcb201c..4fd34dd 100644
+index 2a2e145..73745e79 100644
--- a/drivers/firmware/efivars.c
+++ b/drivers/firmware/efivars.c
@@ -133,7 +133,7 @@ struct efivar_attribute {
@@ -34299,7 +34176,7 @@ index bcb201c..4fd34dd 100644
#define PSTORE_EFI_ATTRIBUTES \
(EFI_VARIABLE_NON_VOLATILE | \
-@@ -1734,7 +1734,7 @@ efivar_create_sysfs_entry(struct efivars *efivars,
+@@ -1798,7 +1798,7 @@ efivar_create_sysfs_entry(struct efivars *efivars,
static int
create_efivars_bin_attributes(struct efivars *efivars)
{
@@ -34726,7 +34603,7 @@ index 8a7c48b..72effc2 100644
if (IS_GEN6(dev) || IS_GEN7(dev)) {
seq_printf(m,
diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c
-index 99daa89..84ebd44 100644
+index 5206f24..7af0a0a 100644
--- a/drivers/gpu/drm/i915/i915_dma.c
+++ b/drivers/gpu/drm/i915/i915_dma.c
@@ -1253,7 +1253,7 @@ static bool i915_switcheroo_can_switch(struct pci_dev *pdev)
@@ -34739,7 +34616,7 @@ index 99daa89..84ebd44 100644
return can_switch;
}
diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h
-index 7339a4b..445aaba 100644
+index 66ad64f..a865871 100644
--- a/drivers/gpu/drm/i915/i915_drv.h
+++ b/drivers/gpu/drm/i915/i915_drv.h
@@ -656,7 +656,7 @@ typedef struct drm_i915_private {
@@ -34751,7 +34628,7 @@ index 7339a4b..445aaba 100644
/* protects the irq masks */
spinlock_t irq_lock;
-@@ -1102,7 +1102,7 @@ struct drm_i915_gem_object {
+@@ -1103,7 +1103,7 @@ struct drm_i915_gem_object {
* will be page flipped away on the next vblank. When it
* reaches 0, dev_priv->pending_flip_queue will be woken up.
*/
@@ -34760,7 +34637,7 @@ index 7339a4b..445aaba 100644
};
#define to_gem_object(obj) (&((struct drm_i915_gem_object *)(obj))->base)
-@@ -1633,7 +1633,7 @@ extern struct i2c_adapter *intel_gmbus_get_adapter(
+@@ -1634,7 +1634,7 @@ extern struct i2c_adapter *intel_gmbus_get_adapter(
struct drm_i915_private *dev_priv, unsigned port);
extern void intel_gmbus_set_speed(struct i2c_adapter *adapter, int speed);
extern void intel_gmbus_force_bit(struct i2c_adapter *adapter, bool force_bit);
@@ -34830,10 +34707,10 @@ index 3c59584..500f2e9 100644
return ret;
diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c
-index fe84338..a863190 100644
+index 3c00403..5a5c6c9 100644
--- a/drivers/gpu/drm/i915/i915_irq.c
+++ b/drivers/gpu/drm/i915/i915_irq.c
-@@ -535,7 +535,7 @@ static irqreturn_t valleyview_irq_handler(int irq, void *arg)
+@@ -539,7 +539,7 @@ static irqreturn_t valleyview_irq_handler(int irq, void *arg)
u32 pipe_stats[I915_MAX_PIPES];
bool blc_event;
@@ -34842,7 +34719,7 @@ index fe84338..a863190 100644
while (true) {
iir = I915_READ(VLV_IIR);
-@@ -688,7 +688,7 @@ static irqreturn_t ivybridge_irq_handler(int irq, void *arg)
+@@ -692,7 +692,7 @@ static irqreturn_t ivybridge_irq_handler(int irq, void *arg)
irqreturn_t ret = IRQ_NONE;
int i;
@@ -34851,7 +34728,7 @@ index fe84338..a863190 100644
/* disable master interrupt before clearing iir */
de_ier = I915_READ(DEIER);
-@@ -760,7 +760,7 @@ static irqreturn_t ironlake_irq_handler(int irq, void *arg)
+@@ -764,7 +764,7 @@ static irqreturn_t ironlake_irq_handler(int irq, void *arg)
int ret = IRQ_NONE;
u32 de_iir, gt_iir, de_ier, pch_iir, pm_iir;
@@ -34860,7 +34737,7 @@ index fe84338..a863190 100644
/* disable master interrupt before clearing iir */
de_ier = I915_READ(DEIER);
-@@ -1787,7 +1787,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev)
+@@ -1791,7 +1791,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev)
{
drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
@@ -34869,7 +34746,7 @@ index fe84338..a863190 100644
I915_WRITE(HWSTAM, 0xeffe);
-@@ -1813,7 +1813,7 @@ static void valleyview_irq_preinstall(struct drm_device *dev)
+@@ -1817,7 +1817,7 @@ static void valleyview_irq_preinstall(struct drm_device *dev)
drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
int pipe;
@@ -34878,7 +34755,7 @@ index fe84338..a863190 100644
/* VLV magic */
I915_WRITE(VLV_IMR, 0);
-@@ -2108,7 +2108,7 @@ static void i8xx_irq_preinstall(struct drm_device * dev)
+@@ -2112,7 +2112,7 @@ static void i8xx_irq_preinstall(struct drm_device * dev)
drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
int pipe;
@@ -34887,7 +34764,7 @@ index fe84338..a863190 100644
for_each_pipe(pipe)
I915_WRITE(PIPESTAT(pipe), 0);
-@@ -2159,7 +2159,7 @@ static irqreturn_t i8xx_irq_handler(int irq, void *arg)
+@@ -2163,7 +2163,7 @@ static irqreturn_t i8xx_irq_handler(int irq, void *arg)
I915_DISPLAY_PLANE_A_FLIP_PENDING_INTERRUPT |
I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT;
@@ -34896,7 +34773,7 @@ index fe84338..a863190 100644
iir = I915_READ16(IIR);
if (iir == 0)
-@@ -2244,7 +2244,7 @@ static void i915_irq_preinstall(struct drm_device * dev)
+@@ -2248,7 +2248,7 @@ static void i915_irq_preinstall(struct drm_device * dev)
drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
int pipe;
@@ -34905,7 +34782,7 @@ index fe84338..a863190 100644
if (I915_HAS_HOTPLUG(dev)) {
I915_WRITE(PORT_HOTPLUG_EN, 0);
-@@ -2339,7 +2339,7 @@ static irqreturn_t i915_irq_handler(int irq, void *arg)
+@@ -2343,7 +2343,7 @@ static irqreturn_t i915_irq_handler(int irq, void *arg)
};
int pipe, ret = IRQ_NONE;
@@ -34914,7 +34791,7 @@ index fe84338..a863190 100644
iir = I915_READ(IIR);
do {
-@@ -2465,7 +2465,7 @@ static void i965_irq_preinstall(struct drm_device * dev)
+@@ -2469,7 +2469,7 @@ static void i965_irq_preinstall(struct drm_device * dev)
drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
int pipe;
@@ -34923,7 +34800,7 @@ index fe84338..a863190 100644
I915_WRITE(PORT_HOTPLUG_EN, 0);
I915_WRITE(PORT_HOTPLUG_STAT, I915_READ(PORT_HOTPLUG_STAT));
-@@ -2572,7 +2572,7 @@ static irqreturn_t i965_irq_handler(int irq, void *arg)
+@@ -2576,7 +2576,7 @@ static irqreturn_t i965_irq_handler(int irq, void *arg)
int irq_received;
int ret = IRQ_NONE, pipe;
@@ -35931,7 +35808,7 @@ index 7d19b1b..8fdaaac 100644
BUG_ON(data->num_attributes >= data->max_attributes); \
sysfs_attr_init(&a->dev_attr.attr); \
diff --git a/drivers/hwmon/sht15.c b/drivers/hwmon/sht15.c
-index 1c85d39..55ed3cf 100644
+index 8047fed..1e956f0 100644
--- a/drivers/hwmon/sht15.c
+++ b/drivers/hwmon/sht15.c
@@ -169,7 +169,7 @@ struct sht15_data {
@@ -37247,10 +37124,10 @@ index 7155945..4bcc562 100644
seq_printf(seq, "\n");
diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
-index 0666b5d..ed82cb4 100644
+index eee353d..74504c4 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
-@@ -1628,7 +1628,7 @@ static int validate_params(uint cmd, struct dm_ioctl *param)
+@@ -1632,7 +1632,7 @@ static int validate_params(uint cmd, struct dm_ioctl *param)
cmd == DM_LIST_VERSIONS_CMD)
return 0;
@@ -37260,7 +37137,7 @@ index 0666b5d..ed82cb4 100644
DMWARN("name not supplied when creating device");
return -EINVAL;
diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c
-index fa51918..c26253c 100644
+index 7f24190..0e18099 100644
--- a/drivers/md/dm-raid1.c
+++ b/drivers/md/dm-raid1.c
@@ -40,7 +40,7 @@ enum dm_raid1_error {
@@ -37336,7 +37213,7 @@ index fa51918..c26253c 100644
return (test_bit(DM_RAID1_FLUSH_ERROR, &(m->error_type))) ? 'F' :
diff --git a/drivers/md/dm-stripe.c b/drivers/md/dm-stripe.c
-index c89cde8..9d184cf 100644
+index aaecefa..23b3026 100644
--- a/drivers/md/dm-stripe.c
+++ b/drivers/md/dm-stripe.c
@@ -20,7 +20,7 @@ struct stripe {
@@ -37357,7 +37234,7 @@ index c89cde8..9d184cf 100644
}
ti->private = sc;
-@@ -325,7 +325,7 @@ static int stripe_status(struct dm_target *ti, status_type_t type,
+@@ -325,7 +325,7 @@ static void stripe_status(struct dm_target *ti, status_type_t type,
DMEMIT("%d ", sc->stripes);
for (i = 0; i < sc->stripes; i++) {
DMEMIT("%s ", sc->stripe[i].dev->name);
@@ -37366,7 +37243,7 @@ index c89cde8..9d184cf 100644
'D' : 'A';
}
buffer[i] = '\0';
-@@ -371,8 +371,8 @@ static int stripe_end_io(struct dm_target *ti, struct bio *bio, int error)
+@@ -370,8 +370,8 @@ static int stripe_end_io(struct dm_target *ti, struct bio *bio, int error)
*/
for (i = 0; i < sc->stripes; i++)
if (!strcmp(sc->stripe[i].dev->name, major_minor)) {
@@ -37413,7 +37290,7 @@ index 4d6e853..a234157 100644
pmd->bl_info.value_type.inc = data_block_inc;
pmd->bl_info.value_type.dec = data_block_dec;
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
-index 314a0e2..1376406 100644
+index 0d8f086..f5a91d5 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -170,9 +170,9 @@ struct mapped_device {
@@ -37439,7 +37316,7 @@ index 314a0e2..1376406 100644
INIT_LIST_HEAD(&md->uevent_list);
spin_lock_init(&md->uevent_lock);
-@@ -2014,7 +2014,7 @@ static void event_callback(void *context)
+@@ -2026,7 +2026,7 @@ static void event_callback(void *context)
dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
@@ -37448,7 +37325,7 @@ index 314a0e2..1376406 100644
wake_up(&md->eventq);
}
-@@ -2669,18 +2669,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
+@@ -2683,18 +2683,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
uint32_t dm_next_uevent_seq(struct mapped_device *md)
{
@@ -37471,7 +37348,7 @@ index 314a0e2..1376406 100644
void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
diff --git a/drivers/md/md.c b/drivers/md/md.c
-index 3db3d1b..9487468 100644
+index f363135..9b38815 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -240,10 +240,10 @@ EXPORT_SYMBOL_GPL(md_trim_bio);
@@ -37496,7 +37373,7 @@ index 3db3d1b..9487468 100644
wake_up(&md_event_waiters);
}
-@@ -1503,7 +1503,7 @@ static int super_1_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor_
+@@ -1507,7 +1507,7 @@ static int super_1_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor_
if ((le32_to_cpu(sb->feature_map) & MD_FEATURE_RESHAPE_ACTIVE) &&
(le32_to_cpu(sb->feature_map) & MD_FEATURE_NEW_OFFSET))
rdev->new_data_offset += (s32)le32_to_cpu(sb->new_offset);
@@ -37505,7 +37382,7 @@ index 3db3d1b..9487468 100644
rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
-@@ -1747,7 +1747,7 @@ static void super_1_sync(struct mddev *mddev, struct md_rdev *rdev)
+@@ -1751,7 +1751,7 @@ static void super_1_sync(struct mddev *mddev, struct md_rdev *rdev)
else
sb->resync_offset = cpu_to_le64(0);
@@ -37514,7 +37391,7 @@ index 3db3d1b..9487468 100644
sb->raid_disks = cpu_to_le32(mddev->raid_disks);
sb->size = cpu_to_le64(mddev->dev_sectors);
-@@ -2747,7 +2747,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_show, state_store);
+@@ -2751,7 +2751,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_show, state_store);
static ssize_t
errors_show(struct md_rdev *rdev, char *page)
{
@@ -37523,7 +37400,7 @@ index 3db3d1b..9487468 100644
}
static ssize_t
-@@ -2756,7 +2756,7 @@ errors_store(struct md_rdev *rdev, const char *buf, size_t len)
+@@ -2760,7 +2760,7 @@ errors_store(struct md_rdev *rdev, const char *buf, size_t len)
char *e;
unsigned long n = simple_strtoul(buf, &e, 10);
if (*buf && (*e == 0 || *e == '\n')) {
@@ -37532,7 +37409,7 @@ index 3db3d1b..9487468 100644
return len;
}
return -EINVAL;
-@@ -3203,8 +3203,8 @@ int md_rdev_init(struct md_rdev *rdev)
+@@ -3210,8 +3210,8 @@ int md_rdev_init(struct md_rdev *rdev)
rdev->sb_loaded = 0;
rdev->bb_page = NULL;
atomic_set(&rdev->nr_pending, 0);
@@ -37543,7 +37420,7 @@ index 3db3d1b..9487468 100644
INIT_LIST_HEAD(&rdev->same_set);
init_waitqueue_head(&rdev->blocked_wait);
-@@ -6980,7 +6980,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
+@@ -6987,7 +6987,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
spin_unlock(&pers_lock);
seq_printf(seq, "\n");
@@ -37552,7 +37429,7 @@ index 3db3d1b..9487468 100644
return 0;
}
if (v == (void*)2) {
-@@ -7083,7 +7083,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
+@@ -7090,7 +7090,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
return error;
seq = file->private_data;
@@ -37561,7 +37438,7 @@ index 3db3d1b..9487468 100644
return error;
}
-@@ -7097,7 +7097,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
+@@ -7104,7 +7104,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
/* always allow read */
mask = POLLIN | POLLRDNORM;
@@ -37570,7 +37447,7 @@ index 3db3d1b..9487468 100644
mask |= POLLERR | POLLPRI;
return mask;
}
-@@ -7141,7 +7141,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
+@@ -7148,7 +7148,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
(int)part_stat_read(&disk->part0, sectors[1]) -
@@ -37621,10 +37498,10 @@ index 1cbfc6b..56e1dbb 100644
/*----------------------------------------------------------------*/
diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
-index d5bddfc..b079b4b 100644
+index 75b1f89..00ba344 100644
--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
-@@ -1818,7 +1818,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
+@@ -1819,7 +1819,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
if (r1_sync_page_io(rdev, sect, s,
bio->bi_io_vec[idx].bv_page,
READ) != 0)
@@ -37633,7 +37510,7 @@ index d5bddfc..b079b4b 100644
}
sectors -= s;
sect += s;
-@@ -2040,7 +2040,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk,
+@@ -2041,7 +2041,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk,
test_bit(In_sync, &rdev->flags)) {
if (r1_sync_page_io(rdev, sect, s,
conf->tmppage, READ)) {
@@ -37643,10 +37520,10 @@ index d5bddfc..b079b4b 100644
"md/raid1:%s: read error corrected "
"(%d sectors at %llu on %s)\n",
diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
-index 64d4824..8b9ea57 100644
+index 8d925dc..11d674f 100644
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
-@@ -1877,7 +1877,7 @@ static void end_sync_read(struct bio *bio, int error)
+@@ -1878,7 +1878,7 @@ static void end_sync_read(struct bio *bio, int error)
/* The write handler will notice the lack of
* R10BIO_Uptodate and record any errors etc
*/
@@ -37655,7 +37532,7 @@ index 64d4824..8b9ea57 100644
&conf->mirrors[d].rdev->corrected_errors);
/* for reconstruct, we always reschedule after a read.
-@@ -2226,7 +2226,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
+@@ -2227,7 +2227,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
{
struct timespec cur_time_mon;
unsigned long hours_since_last;
@@ -37664,7 +37541,7 @@ index 64d4824..8b9ea57 100644
ktime_get_ts(&cur_time_mon);
-@@ -2248,9 +2248,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
+@@ -2249,9 +2249,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
* overflowing the shift of read_errors by hours_since_last.
*/
if (hours_since_last >= 8 * sizeof(read_errors))
@@ -37676,7 +37553,7 @@ index 64d4824..8b9ea57 100644
}
static int r10_sync_page_io(struct md_rdev *rdev, sector_t sector,
-@@ -2304,8 +2304,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
+@@ -2305,8 +2305,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
return;
check_decay_read_errors(mddev, rdev);
@@ -37687,7 +37564,7 @@ index 64d4824..8b9ea57 100644
char b[BDEVNAME_SIZE];
bdevname(rdev->bdev, b);
-@@ -2313,7 +2313,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
+@@ -2314,7 +2314,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
"md/raid10:%s: %s: Raid device exceeded "
"read_error threshold [cur %d:max %d]\n",
mdname(mddev), b,
@@ -37696,7 +37573,7 @@ index 64d4824..8b9ea57 100644
printk(KERN_NOTICE
"md/raid10:%s: %s: Failing raid device\n",
mdname(mddev), b);
-@@ -2468,7 +2468,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
+@@ -2469,7 +2469,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
sect +
choose_data_offset(r10_bio, rdev)),
bdevname(rdev->bdev, b));
@@ -40321,7 +40198,7 @@ index 2111dbb..79e434b 100644
/* disable hardware control by fn key */
result = ec_read(MSI_STANDARD_EC_SCM_LOAD_ADDRESS, &data);
diff --git a/drivers/platform/x86/sony-laptop.c b/drivers/platform/x86/sony-laptop.c
-index b8ad71f..3ec9bb4 100644
+index 0fe987f..6f3d5c3 100644
--- a/drivers/platform/x86/sony-laptop.c
+++ b/drivers/platform/x86/sony-laptop.c
@@ -2356,7 +2356,7 @@ static void sony_nc_lid_resume_cleanup(struct platform_device *pd)
@@ -43559,6 +43436,75 @@ index 35f10bf..6a38a0b 100644
if (!left--) {
if (instance->disconnected)
+diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
+index 5f0cb41..122d056 100644
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -56,6 +56,7 @@ MODULE_DEVICE_TABLE (usb, wdm_ids);
+ #define WDM_RESPONDING 7
+ #define WDM_SUSPENDING 8
+ #define WDM_RESETTING 9
++#define WDM_OVERFLOW 10
+
+ #define WDM_MAX 16
+
+@@ -155,6 +156,7 @@ static void wdm_in_callback(struct urb *urb)
+ {
+ struct wdm_device *desc = urb->context;
+ int status = urb->status;
++ int length = urb->actual_length;
+
+ spin_lock(&desc->iuspin);
+ clear_bit(WDM_RESPONDING, &desc->flags);
+@@ -185,9 +187,17 @@ static void wdm_in_callback(struct urb *urb)
+ }
+
+ desc->rerr = status;
+- desc->reslength = urb->actual_length;
+- memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength);
+- desc->length += desc->reslength;
++ if (length + desc->length > desc->wMaxCommand) {
++ /* The buffer would overflow */
++ set_bit(WDM_OVERFLOW, &desc->flags);
++ } else {
++ /* we may already be in overflow */
++ if (!test_bit(WDM_OVERFLOW, &desc->flags)) {
++ memmove(desc->ubuf + desc->length, desc->inbuf, length);
++ desc->length += length;
++ desc->reslength = length;
++ }
++ }
+ skip_error:
+ wake_up(&desc->wait);
+
+@@ -435,6 +445,11 @@ retry:
+ rv = -ENODEV;
+ goto err;
+ }
++ if (test_bit(WDM_OVERFLOW, &desc->flags)) {
++ clear_bit(WDM_OVERFLOW, &desc->flags);
++ rv = -ENOBUFS;
++ goto err;
++ }
+ i++;
+ if (file->f_flags & O_NONBLOCK) {
+ if (!test_bit(WDM_READ, &desc->flags)) {
+@@ -478,6 +493,7 @@ retry:
+ spin_unlock_irq(&desc->iuspin);
+ goto retry;
+ }
++
+ if (!desc->reslength) { /* zero length read */
+ dev_dbg(&desc->intf->dev, "%s: zero length - clearing WDM_READ\n", __func__);
+ clear_bit(WDM_READ, &desc->flags);
+@@ -1004,6 +1020,7 @@ static int wdm_post_reset(struct usb_interface *intf)
+ struct wdm_device *desc = wdm_find_device(intf);
+ int rv;
+
++ clear_bit(WDM_OVERFLOW, &desc->flags);
+ clear_bit(WDM_RESETTING, &desc->flags);
+ rv = recover_from_urb_loss(desc);
+ mutex_unlock(&desc->wlock);
diff --git a/drivers/usb/core/devices.c b/drivers/usb/core/devices.c
index cbacea9..246cccd 100644
--- a/drivers/usb/core/devices.c
@@ -48388,10 +48334,10 @@ index eea5da7..88fead70 100644
WARN_ON(trans->transid != btrfs_header_generation(parent));
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
-index cc93b23..f3c42bf 100644
+index 659ea81..0f63c1a 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
-@@ -7296,7 +7296,7 @@ fail:
+@@ -7300,7 +7300,7 @@ fail:
return -ENOMEM;
}
@@ -48400,7 +48346,7 @@ index cc93b23..f3c42bf 100644
struct dentry *dentry, struct kstat *stat)
{
struct inode *inode = dentry->d_inode;
-@@ -7310,6 +7310,14 @@ static int btrfs_getattr(struct vfsmount *mnt,
+@@ -7314,6 +7314,14 @@ static int btrfs_getattr(struct vfsmount *mnt,
return 0;
}
@@ -48681,10 +48627,10 @@ index d9ea6ed..1e6c8ac 100644
server->ops->print_stats(m, tcon);
}
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
-index de7f916..6cb22a9 100644
+index e328339..322228b 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
-@@ -997,7 +997,7 @@ cifs_init_request_bufs(void)
+@@ -1002,7 +1002,7 @@ cifs_init_request_bufs(void)
/* cERROR(1, "CIFSMaxBufSize %d 0x%x",CIFSMaxBufSize,CIFSMaxBufSize); */
cifs_req_cachep = kmem_cache_create("cifs_request",
CIFSMaxBufSize + max_hdr_size, 0,
@@ -48693,7 +48639,7 @@ index de7f916..6cb22a9 100644
if (cifs_req_cachep == NULL)
return -ENOMEM;
-@@ -1024,7 +1024,7 @@ cifs_init_request_bufs(void)
+@@ -1029,7 +1029,7 @@ cifs_init_request_bufs(void)
efficient to alloc 1 per page off the slab compared to 17K (5page)
alloc of large cifs buffers even when page debugging is on */
cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq",
@@ -48702,7 +48648,7 @@ index de7f916..6cb22a9 100644
NULL);
if (cifs_sm_req_cachep == NULL) {
mempool_destroy(cifs_req_poolp);
-@@ -1109,8 +1109,8 @@ init_cifs(void)
+@@ -1114,8 +1114,8 @@ init_cifs(void)
atomic_set(&bufAllocCount, 0);
atomic_set(&smBufAllocCount, 0);
#ifdef CONFIG_CIFS_STATS2
@@ -48942,7 +48888,7 @@ index 47bc5a8..10decbe 100644
}
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
-index c9c7aa7..065056a 100644
+index bceffe7..cd1ae59 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -274,8 +274,8 @@ smb2_clear_stats(struct cifs_tcon *tcon)
@@ -49126,7 +49072,7 @@ index 958ae0e..505c9d0 100644
return hit;
diff --git a/fs/compat.c b/fs/compat.c
-index 015e1e1..b8966ac 100644
+index a06dcbc..dacb6d3 100644
--- a/fs/compat.c
+++ b/fs/compat.c
@@ -54,7 +54,7 @@
@@ -49156,7 +49102,7 @@ index 015e1e1..b8966ac 100644
goto out;
if (nr_segs > fast_segs) {
ret = -ENOMEM;
-@@ -831,6 +831,7 @@ struct compat_old_linux_dirent {
+@@ -835,6 +835,7 @@ struct compat_old_linux_dirent {
struct compat_readdir_callback {
struct compat_old_linux_dirent __user *dirent;
@@ -49164,7 +49110,7 @@ index 015e1e1..b8966ac 100644
int result;
};
-@@ -848,6 +849,10 @@ static int compat_fillonedir(void *__buf, const char *name, int namlen,
+@@ -852,6 +853,10 @@ static int compat_fillonedir(void *__buf, const char *name, int namlen,
buf->result = -EOVERFLOW;
return -EOVERFLOW;
}
@@ -49175,7 +49121,7 @@ index 015e1e1..b8966ac 100644
buf->result++;
dirent = buf->dirent;
if (!access_ok(VERIFY_WRITE, dirent,
-@@ -878,6 +883,7 @@ asmlinkage long compat_sys_old_readdir(unsigned int fd,
+@@ -882,6 +887,7 @@ asmlinkage long compat_sys_old_readdir(unsigned int fd,
buf.result = 0;
buf.dirent = dirent;
@@ -49183,7 +49129,7 @@ index 015e1e1..b8966ac 100644
error = vfs_readdir(f.file, compat_fillonedir, &buf);
if (buf.result)
-@@ -897,6 +903,7 @@ struct compat_linux_dirent {
+@@ -901,6 +907,7 @@ struct compat_linux_dirent {
struct compat_getdents_callback {
struct compat_linux_dirent __user *current_dir;
struct compat_linux_dirent __user *previous;
@@ -49191,7 +49137,7 @@ index 015e1e1..b8966ac 100644
int count;
int error;
};
-@@ -918,6 +925,10 @@ static int compat_filldir(void *__buf, const char *name, int namlen,
+@@ -922,6 +929,10 @@ static int compat_filldir(void *__buf, const char *name, int namlen,
buf->error = -EOVERFLOW;
return -EOVERFLOW;
}
@@ -49202,7 +49148,7 @@ index 015e1e1..b8966ac 100644
dirent = buf->previous;
if (dirent) {
if (__put_user(offset, &dirent->d_off))
-@@ -963,6 +974,7 @@ asmlinkage long compat_sys_getdents(unsigned int fd,
+@@ -967,6 +978,7 @@ asmlinkage long compat_sys_getdents(unsigned int fd,
buf.previous = NULL;
buf.count = count;
buf.error = 0;
@@ -49210,7 +49156,7 @@ index 015e1e1..b8966ac 100644
error = vfs_readdir(f.file, compat_filldir, &buf);
if (error >= 0)
-@@ -983,6 +995,7 @@ asmlinkage long compat_sys_getdents(unsigned int fd,
+@@ -987,6 +999,7 @@ asmlinkage long compat_sys_getdents(unsigned int fd,
struct compat_getdents_callback64 {
struct linux_dirent64 __user *current_dir;
struct linux_dirent64 __user *previous;
@@ -49218,7 +49164,7 @@ index 015e1e1..b8966ac 100644
int count;
int error;
};
-@@ -999,6 +1012,10 @@ static int compat_filldir64(void * __buf, const char * name, int namlen, loff_t
+@@ -1003,6 +1016,10 @@ static int compat_filldir64(void * __buf, const char * name, int namlen, loff_t
buf->error = -EINVAL; /* only used if we fail.. */
if (reclen > buf->count)
return -EINVAL;
@@ -49229,7 +49175,7 @@ index 015e1e1..b8966ac 100644
dirent = buf->previous;
if (dirent) {
-@@ -1048,13 +1065,14 @@ asmlinkage long compat_sys_getdents64(unsigned int fd,
+@@ -1052,13 +1069,14 @@ asmlinkage long compat_sys_getdents64(unsigned int fd,
buf.previous = NULL;
buf.count = count;
buf.error = 0;
@@ -50321,7 +50267,7 @@ index 22548f5..41521d8 100644
}
return 1;
diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
-index 2f2e0da..89b113a 100644
+index 92e68b3..115d987 100644
--- a/fs/ext4/balloc.c
+++ b/fs/ext4/balloc.c
@@ -505,8 +505,8 @@ static int ext4_has_free_clusters(struct ext4_sb_info *sbi,
@@ -50370,7 +50316,7 @@ index 8462eb3..4a71af6 100644
/* locality groups */
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
-index 061727a..7622abf 100644
+index 28bbf9b..75ca7c1 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1747,7 +1747,7 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac,
@@ -50487,7 +50433,7 @@ index 061727a..7622abf 100644
return 0;
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
-index 0465f36..99a003a 100644
+index 5fa223d..12fa738 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2429,7 +2429,7 @@ struct ext4_attr {
@@ -52391,7 +52337,7 @@ index a94e331..060bce3 100644
lock_flocks();
diff --git a/fs/namei.c b/fs/namei.c
-index 43a97ee..4e585fd 100644
+index ec97aef..eedf4fe 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -319,16 +319,32 @@ int generic_permission(struct inode *inode, int mask)
@@ -52445,7 +52391,7 @@ index 43a97ee..4e585fd 100644
return -EACCES;
}
-@@ -826,7 +834,7 @@ follow_link(struct path *link, struct nameidata *nd, void **p)
+@@ -824,7 +832,7 @@ follow_link(struct path *link, struct nameidata *nd, void **p)
{
struct dentry *dentry = link->dentry;
int error;
@@ -52454,7 +52400,7 @@ index 43a97ee..4e585fd 100644
BUG_ON(nd->flags & LOOKUP_RCU);
-@@ -847,6 +855,12 @@ follow_link(struct path *link, struct nameidata *nd, void **p)
+@@ -845,6 +853,12 @@ follow_link(struct path *link, struct nameidata *nd, void **p)
if (error)
goto out_put_nd_path;
@@ -52467,7 +52413,7 @@ index 43a97ee..4e585fd 100644
nd->last_type = LAST_BIND;
*p = dentry->d_inode->i_op->follow_link(dentry, nd);
error = PTR_ERR(*p);
-@@ -1596,6 +1610,8 @@ static inline int nested_symlink(struct path *path, struct nameidata *nd)
+@@ -1594,6 +1608,8 @@ static inline int nested_symlink(struct path *path, struct nameidata *nd)
break;
res = walk_component(nd, path, &nd->last,
nd->last_type, LOOKUP_FOLLOW);
@@ -52476,7 +52422,7 @@ index 43a97ee..4e585fd 100644
put_link(nd, &link, cookie);
} while (res > 0);
-@@ -1694,7 +1710,7 @@ EXPORT_SYMBOL(full_name_hash);
+@@ -1692,7 +1708,7 @@ EXPORT_SYMBOL(full_name_hash);
static inline unsigned long hash_name(const char *name, unsigned int *hashp)
{
unsigned long a, b, adata, bdata, mask, hash, len;
@@ -52485,7 +52431,7 @@ index 43a97ee..4e585fd 100644
hash = a = 0;
len = -sizeof(unsigned long);
-@@ -1979,6 +1995,8 @@ static int path_lookupat(int dfd, const char *name,
+@@ -1977,6 +1993,8 @@ static int path_lookupat(int dfd, const char *name,
if (err)
break;
err = lookup_last(nd, &path);
@@ -52494,7 +52440,7 @@ index 43a97ee..4e585fd 100644
put_link(nd, &link, cookie);
}
}
-@@ -1986,6 +2004,19 @@ static int path_lookupat(int dfd, const char *name,
+@@ -1984,6 +2002,19 @@ static int path_lookupat(int dfd, const char *name,
if (!err)
err = complete_walk(nd);
@@ -52514,7 +52460,7 @@ index 43a97ee..4e585fd 100644
if (!err && nd->flags & LOOKUP_DIRECTORY) {
if (!nd->inode->i_op->lookup) {
path_put(&nd->path);
-@@ -2013,8 +2044,17 @@ static int filename_lookup(int dfd, struct filename *name,
+@@ -2011,8 +2042,17 @@ static int filename_lookup(int dfd, struct filename *name,
retval = path_lookupat(dfd, name->name,
flags | LOOKUP_REVAL, nd);
@@ -52533,7 +52479,7 @@ index 43a97ee..4e585fd 100644
return retval;
}
-@@ -2392,6 +2432,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
+@@ -2390,6 +2430,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
if (flag & O_NOATIME && !inode_owner_or_capable(inode))
return -EPERM;
@@ -52547,7 +52493,7 @@ index 43a97ee..4e585fd 100644
return 0;
}
-@@ -2613,7 +2660,7 @@ looked_up:
+@@ -2611,7 +2658,7 @@ looked_up:
* cleared otherwise prior to returning.
*/
static int lookup_open(struct nameidata *nd, struct path *path,
@@ -52556,7 +52502,7 @@ index 43a97ee..4e585fd 100644
const struct open_flags *op,
bool got_write, int *opened)
{
-@@ -2648,6 +2695,17 @@ static int lookup_open(struct nameidata *nd, struct path *path,
+@@ -2646,6 +2693,17 @@ static int lookup_open(struct nameidata *nd, struct path *path,
/* Negative dentry, just create the file */
if (!dentry->d_inode && (op->open_flag & O_CREAT)) {
umode_t mode = op->mode;
@@ -52574,7 +52520,7 @@ index 43a97ee..4e585fd 100644
if (!IS_POSIXACL(dir->d_inode))
mode &= ~current_umask();
/*
-@@ -2669,6 +2727,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
+@@ -2667,6 +2725,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
nd->flags & LOOKUP_EXCL);
if (error)
goto out_dput;
@@ -52583,7 +52529,7 @@ index 43a97ee..4e585fd 100644
}
out_no_open:
path->dentry = dentry;
-@@ -2683,7 +2743,7 @@ out_dput:
+@@ -2681,7 +2741,7 @@ out_dput:
/*
* Handle the last step of open()
*/
@@ -52592,7 +52538,7 @@ index 43a97ee..4e585fd 100644
struct file *file, const struct open_flags *op,
int *opened, struct filename *name)
{
-@@ -2712,16 +2772,44 @@ static int do_last(struct nameidata *nd, struct path *path,
+@@ -2710,16 +2770,44 @@ static int do_last(struct nameidata *nd, struct path *path,
error = complete_walk(nd);
if (error)
return error;
@@ -52637,7 +52583,7 @@ index 43a97ee..4e585fd 100644
audit_inode(name, dir, 0);
goto finish_open;
}
-@@ -2770,7 +2858,7 @@ retry_lookup:
+@@ -2768,7 +2856,7 @@ retry_lookup:
*/
}
mutex_lock(&dir->d_inode->i_mutex);
@@ -52646,7 +52592,7 @@ index 43a97ee..4e585fd 100644
mutex_unlock(&dir->d_inode->i_mutex);
if (error <= 0) {
-@@ -2794,11 +2882,28 @@ retry_lookup:
+@@ -2792,11 +2880,28 @@ retry_lookup:
goto finish_open_created;
}
@@ -52676,7 +52622,7 @@ index 43a97ee..4e585fd 100644
/*
* If atomic_open() acquired write access it is dropped now due to
-@@ -2839,6 +2944,11 @@ finish_lookup:
+@@ -2837,6 +2942,11 @@ finish_lookup:
}
}
BUG_ON(inode != path->dentry->d_inode);
@@ -52688,7 +52634,7 @@ index 43a97ee..4e585fd 100644
return 1;
}
-@@ -2848,7 +2958,6 @@ finish_lookup:
+@@ -2846,7 +2956,6 @@ finish_lookup:
save_parent.dentry = nd->path.dentry;
save_parent.mnt = mntget(path->mnt);
nd->path.dentry = path->dentry;
@@ -52696,7 +52642,7 @@ index 43a97ee..4e585fd 100644
}
nd->inode = inode;
/* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */
-@@ -2857,6 +2966,22 @@ finish_lookup:
+@@ -2855,6 +2964,22 @@ finish_lookup:
path_put(&save_parent);
return error;
}
@@ -52719,7 +52665,7 @@ index 43a97ee..4e585fd 100644
error = -EISDIR;
if ((open_flag & O_CREAT) && S_ISDIR(nd->inode->i_mode))
goto out;
-@@ -2955,7 +3080,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+@@ -2953,7 +3078,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
if (unlikely(error))
goto out;
@@ -52728,7 +52674,7 @@ index 43a97ee..4e585fd 100644
while (unlikely(error > 0)) { /* trailing symlink */
struct path link = path;
void *cookie;
-@@ -2973,7 +3098,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+@@ -2971,7 +3096,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
error = follow_link(&link, nd, &cookie);
if (unlikely(error))
break;
@@ -52737,7 +52683,7 @@ index 43a97ee..4e585fd 100644
put_link(nd, &link, cookie);
}
out:
-@@ -3073,8 +3198,12 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
+@@ -3071,8 +3196,12 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
goto unlock;
error = -EEXIST;
@@ -52751,7 +52697,7 @@ index 43a97ee..4e585fd 100644
/*
* Special case - lookup gave negative, but... we had foo/bar/
* From the vfs_mknod() POV we just have a negative dentry -
-@@ -3126,6 +3255,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
+@@ -3124,6 +3253,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
}
EXPORT_SYMBOL(user_path_create);
@@ -52772,7 +52718,7 @@ index 43a97ee..4e585fd 100644
int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
{
int error = may_create(dir, dentry);
-@@ -3188,6 +3331,17 @@ retry:
+@@ -3186,6 +3329,17 @@ retry:
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -52790,7 +52736,7 @@ index 43a97ee..4e585fd 100644
error = security_path_mknod(&path, dentry, mode, dev);
if (error)
goto out;
-@@ -3204,6 +3358,8 @@ retry:
+@@ -3202,6 +3356,8 @@ retry:
break;
}
out:
@@ -52799,7 +52745,7 @@ index 43a97ee..4e585fd 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3256,9 +3412,16 @@ retry:
+@@ -3254,9 +3410,16 @@ retry:
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -52816,7 +52762,7 @@ index 43a97ee..4e585fd 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3339,6 +3502,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -3337,6 +3500,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
struct filename *name;
struct dentry *dentry;
struct nameidata nd;
@@ -52825,7 +52771,7 @@ index 43a97ee..4e585fd 100644
unsigned int lookup_flags = 0;
retry:
name = user_path_parent(dfd, pathname, &nd, lookup_flags);
-@@ -3371,10 +3536,21 @@ retry:
+@@ -3369,10 +3534,21 @@ retry:
error = -ENOENT;
goto exit3;
}
@@ -52847,7 +52793,7 @@ index 43a97ee..4e585fd 100644
exit3:
dput(dentry);
exit2:
-@@ -3440,6 +3616,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -3438,6 +3614,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
struct dentry *dentry;
struct nameidata nd;
struct inode *inode = NULL;
@@ -52856,7 +52802,7 @@ index 43a97ee..4e585fd 100644
unsigned int lookup_flags = 0;
retry:
name = user_path_parent(dfd, pathname, &nd, lookup_flags);
-@@ -3466,10 +3644,22 @@ retry:
+@@ -3464,10 +3642,22 @@ retry:
if (!inode)
goto slashes;
ihold(inode);
@@ -52879,7 +52825,7 @@ index 43a97ee..4e585fd 100644
exit2:
dput(dentry);
}
-@@ -3547,9 +3737,17 @@ retry:
+@@ -3545,9 +3735,17 @@ retry:
if (IS_ERR(dentry))
goto out_putname;
@@ -52897,7 +52843,7 @@ index 43a97ee..4e585fd 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3623,6 +3821,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -3621,6 +3819,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
{
struct dentry *new_dentry;
struct path old_path, new_path;
@@ -52905,7 +52851,7 @@ index 43a97ee..4e585fd 100644
int how = 0;
int error;
-@@ -3646,7 +3845,7 @@ retry:
+@@ -3644,7 +3843,7 @@ retry:
if (error)
return error;
@@ -52914,7 +52860,7 @@ index 43a97ee..4e585fd 100644
(how & LOOKUP_REVAL));
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
-@@ -3658,11 +3857,28 @@ retry:
+@@ -3656,11 +3855,28 @@ retry:
error = may_linkat(&old_path);
if (unlikely(error))
goto out_dput;
@@ -52943,7 +52889,7 @@ index 43a97ee..4e585fd 100644
done_path_create(&new_path, new_dentry);
if (retry_estale(error, how)) {
how |= LOOKUP_REVAL;
-@@ -3908,12 +4124,21 @@ retry:
+@@ -3906,12 +4122,21 @@ retry:
if (new_dentry == trap)
goto exit5;
@@ -52965,7 +52911,7 @@ index 43a97ee..4e585fd 100644
exit5:
dput(new_dentry);
exit4:
-@@ -3945,6 +4170,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
+@@ -3943,6 +4168,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
{
@@ -52974,7 +52920,7 @@ index 43a97ee..4e585fd 100644
int len;
len = PTR_ERR(link);
-@@ -3954,7 +4181,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
+@@ -3952,7 +4179,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
len = strlen(link);
if (len > (unsigned) buflen)
len = buflen;
@@ -53564,7 +53510,7 @@ index 9b33c0c..2ffcca2 100644
}
putname(tmp);
diff --git a/fs/pipe.c b/fs/pipe.c
-index bd3479d..fb92c4d 100644
+index 8e2e73f..1ef1048 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -438,9 +438,9 @@ redo:
@@ -53659,7 +53605,7 @@ index bd3479d..fb92c4d 100644
}
mutex_unlock(&inode->i_mutex);
-@@ -868,9 +868,9 @@ pipe_rdwr_open(struct inode *inode, struct file *filp)
+@@ -871,9 +871,9 @@ pipe_rdwr_open(struct inode *inode, struct file *filp)
if (inode->i_pipe) {
ret = 0;
if (filp->f_mode & FMODE_READ)
@@ -53671,7 +53617,7 @@ index bd3479d..fb92c4d 100644
}
mutex_unlock(&inode->i_mutex);
-@@ -962,7 +962,7 @@ void free_pipe_info(struct inode *inode)
+@@ -965,7 +965,7 @@ void free_pipe_info(struct inode *inode)
inode->i_pipe = NULL;
}
@@ -53680,7 +53626,7 @@ index bd3479d..fb92c4d 100644
/*
* pipefs_dname() is called from d_path().
-@@ -992,7 +992,8 @@ static struct inode * get_pipe_inode(void)
+@@ -995,7 +995,8 @@ static struct inode * get_pipe_inode(void)
goto fail_iput;
inode->i_pipe = pipe;
@@ -72544,7 +72490,7 @@ index 71a3ca1..cc330ee 100644
if (u->mq_bytes + mq_bytes < u->mq_bytes ||
u->mq_bytes + mq_bytes > rlimit(RLIMIT_MSGQUEUE)) {
diff --git a/ipc/msg.c b/ipc/msg.c
-index 950572f..362ea07 100644
+index 31cd1bf..362ea07 100644
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -309,18 +309,19 @@ static inline int msg_security(struct kern_ipc_perm *ipcp, int msgflg)
@@ -72572,40 +72518,6 @@ index 950572f..362ea07 100644
msg_params.key = key;
msg_params.flg = msgflg;
-@@ -820,15 +821,17 @@ long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp,
- struct msg_msg *copy = NULL;
- unsigned long copy_number = 0;
-
-+ ns = current->nsproxy->ipc_ns;
-+
- if (msqid < 0 || (long) bufsz < 0)
- return -EINVAL;
- if (msgflg & MSG_COPY) {
-- copy = prepare_copy(buf, bufsz, msgflg, &msgtyp, &copy_number);
-+ copy = prepare_copy(buf, min_t(size_t, bufsz, ns->msg_ctlmax),
-+ msgflg, &msgtyp, &copy_number);
- if (IS_ERR(copy))
- return PTR_ERR(copy);
- }
- mode = convert_mode(&msgtyp, msgflg);
-- ns = current->nsproxy->ipc_ns;
-
- msq = msg_lock_check(ns, msqid);
- if (IS_ERR(msq)) {
-diff --git a/ipc/msgutil.c b/ipc/msgutil.c
-index ebfcbfa..5df8e4b 100644
---- a/ipc/msgutil.c
-+++ b/ipc/msgutil.c
-@@ -117,9 +117,6 @@ struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst)
- if (alen > DATALEN_MSG)
- alen = DATALEN_MSG;
-
-- dst->next = NULL;
-- dst->security = NULL;
--
- memcpy(dst + 1, src + 1, alen);
-
- len -= alen;
diff --git a/ipc/sem.c b/ipc/sem.c
index 58d31f1..cce7a55 100644
--- a/ipc/sem.c
@@ -73486,7 +73398,7 @@ index b4df219..f13c02d 100644
{
struct signal_struct *sig = current->signal;
diff --git a/kernel/fork.c b/kernel/fork.c
-index c535f33..1d768f9 100644
+index 5630e52..0cee608 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -318,7 +318,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
@@ -73735,7 +73647,7 @@ index c535f33..1d768f9 100644
return 0;
}
-@@ -1193,6 +1243,9 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+@@ -1196,6 +1246,9 @@ static struct task_struct *copy_process(unsigned long clone_flags,
DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
#endif
retval = -EAGAIN;
@@ -73745,7 +73657,7 @@ index c535f33..1d768f9 100644
if (atomic_read(&p->real_cred->user->processes) >=
task_rlimit(p, RLIMIT_NPROC)) {
if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
-@@ -1432,6 +1485,11 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+@@ -1435,6 +1488,11 @@ static struct task_struct *copy_process(unsigned long clone_flags,
goto bad_fork_free_pid;
}
@@ -73757,7 +73669,7 @@ index c535f33..1d768f9 100644
if (clone_flags & CLONE_THREAD) {
current->signal->nr_threads++;
atomic_inc(&current->signal->live);
-@@ -1515,6 +1573,8 @@ bad_fork_cleanup_count:
+@@ -1518,6 +1576,8 @@ bad_fork_cleanup_count:
bad_fork_free:
free_task(p);
fork_out:
@@ -73766,7 +73678,7 @@ index c535f33..1d768f9 100644
return ERR_PTR(retval);
}
-@@ -1565,6 +1625,23 @@ long do_fork(unsigned long clone_flags,
+@@ -1568,6 +1628,23 @@ long do_fork(unsigned long clone_flags,
return -EINVAL;
}
@@ -73790,7 +73702,7 @@ index c535f33..1d768f9 100644
/*
* Determine whether and which event to report to ptracer. When
* called from kernel_thread or CLONE_UNTRACED is explicitly
-@@ -1599,6 +1676,8 @@ long do_fork(unsigned long clone_flags,
+@@ -1602,6 +1679,8 @@ long do_fork(unsigned long clone_flags,
if (clone_flags & CLONE_PARENT_SETTID)
put_user(nr, parent_tidptr);
@@ -73799,7 +73711,7 @@ index c535f33..1d768f9 100644
if (clone_flags & CLONE_VFORK) {
p->vfork_done = &vfork;
init_completion(&vfork);
-@@ -1752,7 +1831,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
+@@ -1755,7 +1834,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
return 0;
/* don't need lock here; in the worst case we'll do useless copy */
@@ -73808,7 +73720,7 @@ index c535f33..1d768f9 100644
return 0;
*new_fsp = copy_fs_struct(fs);
-@@ -1866,7 +1945,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
+@@ -1869,7 +1948,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
fs = current->fs;
spin_lock(&fs->lock);
current->fs = new_fs;
@@ -78278,10 +78190,10 @@ index 33acb5e..57ebfd4 100644
.group = GLOBAL_ROOT_GID,
.proc_inum = PROC_USER_INIT_INO,
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index 2b042c4..24f8ec3 100644
+index dbfe36a7..6d36e9a 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
-@@ -78,7 +78,7 @@ int create_user_ns(struct cred *new)
+@@ -79,7 +79,7 @@ int create_user_ns(struct cred *new)
return ret;
}
@@ -78290,7 +78202,7 @@ index 2b042c4..24f8ec3 100644
/* Leave the new->user_ns reference with the new user namespace. */
ns->parent = parent_ns;
ns->owner = owner;
-@@ -104,15 +104,16 @@ int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
+@@ -105,15 +105,16 @@ int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
return create_user_ns(cred);
}
@@ -80047,7 +79959,7 @@ index bb1369f..efb96b5 100644
return 0;
}
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
-index e2df1c1..1e31d57 100644
+index 3df6d12..a11056a 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -721,6 +721,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
@@ -81920,7 +81832,7 @@ index 8c8e08f..73a5cda 100644
static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
diff --git a/mm/process_vm_access.c b/mm/process_vm_access.c
-index 926b466..b23df53 100644
+index fd26d04..0cea1b0 100644
--- a/mm/process_vm_access.c
+++ b/mm/process_vm_access.c
@@ -13,6 +13,7 @@
@@ -88679,7 +88591,7 @@ index 6b42d47..2ac24d5 100644
sub->evt.event = htohl(event, sub->swap);
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index 5b5c876..3127bf7 100644
+index 5b5c876..6713b81 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -786,6 +786,12 @@ static struct sock *unix_find_other(struct net *net,
@@ -88728,6 +88640,34 @@ index 5b5c876..3127bf7 100644
done_path_create(&path, dentry);
return err;
}
+@@ -2326,9 +2345,13 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+ seq_puts(seq, "Num RefCount Protocol Flags Type St "
+ "Inode Path\n");
+ else {
+- struct sock *s = v;
++ struct sock *s = v, *peer;
+ struct unix_sock *u = unix_sk(s);
+ unix_state_lock(s);
++ peer = unix_peer(s);
++ unix_state_unlock(s);
++
++ unix_state_double_lock(s, peer);
+
+ seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu",
+ s,
+@@ -2355,8 +2378,10 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+ }
+ for ( ; i < len; i++)
+ seq_putc(seq, u->addr->name->sun_path[i]);
+- }
+- unix_state_unlock(s);
++ } else if (peer)
++ seq_printf(seq, " P%lu", sock_i_ino(peer));
++
++ unix_state_double_unlock(s, peer);
+ seq_putc(seq, '\n');
+ }
+
diff --git a/net/unix/sysctl_net_unix.c b/net/unix/sysctl_net_unix.c
index 8800604..0526440 100644
--- a/net/unix/sysctl_net_unix.c
@@ -90455,7 +90395,7 @@ index 55a6271..ad829c3 100644
hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
return 0;
diff --git a/security/keys/compat.c b/security/keys/compat.c
-index 1c26176..64a1ba2 100644
+index d65fa7f..cbfe366 100644
--- a/security/keys/compat.c
+++ b/security/keys/compat.c
@@ -44,7 +44,7 @@ static long compat_keyctl_instantiate_key_iov(
@@ -90464,7 +90404,7 @@ index 1c26176..64a1ba2 100644
- ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
+ ret = keyctl_instantiate_key_common(id, (const struct iovec __force_user *)iov, ioc, ret, ringid);
-
+ err:
if (iov != iovstack)
kfree(iov);
diff --git a/security/keys/key.c b/security/keys/key.c
@@ -90588,19 +90528,6 @@ index 6ece7f2..ecdb55c 100644
goto error;
buflen -= tmp;
-diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
-index 58dfe08..c5ec083 100644
---- a/security/keys/process_keys.c
-+++ b/security/keys/process_keys.c
-@@ -57,7 +57,7 @@ int install_user_keyrings(void)
-
- kenter("%p{%u}", user, uid);
-
-- if (user->uid_keyring) {
-+ if (user->uid_keyring && user->session_keyring) {
- kleave(" = 0 [exist]");
- return 0;
- }
diff --git a/security/min_addr.c b/security/min_addr.c
index f728728..6457a0c 100644
--- a/security/min_addr.c