commit: 8ea74e72a10e8c9982702c7e68315a7fc789873e
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Jan 24 21:14:25 2016 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Jan 24 21:14:25 2016 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=8ea74e72
grsecurity-3.1-4.3.4-201601231215.patch
{4.3.3 => 4.3.4}/0000_README | 6 +-
4.3.4/1003_linux-4.3.4.patch | 1863 ++++++++++++++++++++
.../4420_grsecurity-3.1-4.3.4-201601231215.patch | 815 +++++----
{4.3.3 => 4.3.4}/4425_grsec_remove_EI_PAX.patch | 0
{4.3.3 => 4.3.4}/4427_force_XATTR_PAX_tmpfs.patch | 0
.../4430_grsec-remove-localversion-grsec.patch | 0
{4.3.3 => 4.3.4}/4435_grsec-mute-warnings.patch | 0
.../4440_grsec-remove-protected-paths.patch | 0
.../4450_grsec-kconfig-default-gids.patch | 0
.../4465_selinux-avc_audit-log-curr_ip.patch | 0
{4.3.3 => 4.3.4}/4470_disable-compat_vdso.patch | 0
{4.3.3 => 4.3.4}/4475_emutramp_default_on.patch | 0
12 files changed, 2295 insertions(+), 389 deletions(-)
diff --git a/4.3.3/0000_README b/4.3.4/0000_README
similarity index 92%
rename from 4.3.3/0000_README
rename to 4.3.4/0000_README
index a2a51bf..f0bdee5 100644
--- a/4.3.3/0000_README
+++ b/4.3.4/0000_README
@@ -2,7 +2,11 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.3.3-201601192226.patch
+Patch: 1003_linux-4.3.4.patch
+From: http://www.kernel.org
+Desc: Linux 4.3.4
+
+Patch: 4420_grsecurity-3.1-4.3.4-201601231215.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.3.4/1003_linux-4.3.4.patch b/4.3.4/1003_linux-4.3.4.patch
new file mode 100644
index 0000000..0e103a4
--- /dev/null
+++ b/4.3.4/1003_linux-4.3.4.patch
@@ -0,0 +1,1863 @@
+diff --git a/Makefile b/Makefile
+index 2070d16..69430ed 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 3
+-SUBLEVEL = 3
++SUBLEVEL = 4
+ EXTRAVERSION =
+ NAME = Blurry Fish Butt
+
+diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
+index 739a4a6..2f6e3c6 100644
+--- a/drivers/acpi/osl.c
++++ b/drivers/acpi/osl.c
+@@ -81,6 +81,7 @@ static struct workqueue_struct *kacpid_wq;
+ static struct workqueue_struct *kacpi_notify_wq;
+ static struct workqueue_struct *kacpi_hotplug_wq;
+ static bool acpi_os_initialized;
++unsigned int acpi_sci_irq = INVALID_ACPI_IRQ;
+
+ /*
+ * This list of permanent mappings is for memory that may be accessed from
+@@ -856,17 +857,19 @@ acpi_os_install_interrupt_handler(u32 gsi,
acpi_osd_handler handler,
+ acpi_irq_handler = NULL;
+ return AE_NOT_ACQUIRED;
+ }
++ acpi_sci_irq = irq;
+
+ return AE_OK;
+ }
+
+-acpi_status acpi_os_remove_interrupt_handler(u32 irq, acpi_osd_handler
handler)
++acpi_status acpi_os_remove_interrupt_handler(u32 gsi, acpi_osd_handler
handler)
+ {
+- if (irq != acpi_gbl_FADT.sci_interrupt)
++ if (gsi != acpi_gbl_FADT.sci_interrupt || !acpi_sci_irq_valid())
+ return AE_BAD_PARAMETER;
+
+- free_irq(irq, acpi_irq);
++ free_irq(acpi_sci_irq, acpi_irq);
+ acpi_irq_handler = NULL;
++ acpi_sci_irq = INVALID_ACPI_IRQ;
+
+ return AE_OK;
+ }
+@@ -1180,8 +1183,8 @@ void acpi_os_wait_events_complete(void)
+ * Make sure the GPE handler or the fixed event handler is not used
+ * on another CPU after removal.
+ */
+- if (acpi_irq_handler)
+- synchronize_hardirq(acpi_gbl_FADT.sci_interrupt);
++ if (acpi_sci_irq_valid())
++ synchronize_hardirq(acpi_sci_irq);
+ flush_workqueue(kacpid_wq);
+ flush_workqueue(kacpi_notify_wq);
+ }
+diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c
+index 2f0d4db..3fe1fbe 100644
+--- a/drivers/acpi/sleep.c
++++ b/drivers/acpi/sleep.c
+@@ -632,14 +632,16 @@ static int acpi_freeze_prepare(void)
+ acpi_enable_wakeup_devices(ACPI_STATE_S0);
+ acpi_enable_all_wakeup_gpes();
+ acpi_os_wait_events_complete();
+- enable_irq_wake(acpi_gbl_FADT.sci_interrupt);
++ if (acpi_sci_irq_valid())
++ enable_irq_wake(acpi_sci_irq);
+ return 0;
+ }
+
+ static void acpi_freeze_restore(void)
+ {
+ acpi_disable_wakeup_devices(ACPI_STATE_S0);
+- disable_irq_wake(acpi_gbl_FADT.sci_interrupt);
++ if (acpi_sci_irq_valid())
++ disable_irq_wake(acpi_sci_irq);
+ acpi_enable_all_runtime_gpes();
+ }
+
+diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
+index f8319a0..39be5ac 100644
+--- a/drivers/char/tpm/tpm.h
++++ b/drivers/char/tpm/tpm.h
+@@ -115,6 +115,13 @@ enum tpm2_startup_types {
+ TPM2_SU_STATE = 0x0001,
+ };
+
++enum tpm2_start_method {
++ TPM2_START_ACPI = 2,
++ TPM2_START_FIFO = 6,
++ TPM2_START_CRB = 7,
++ TPM2_START_CRB_WITH_ACPI = 8,
++};
++
+ struct tpm_chip;
+
+ struct tpm_vendor_specific {
+diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
+index 1267322..2b971b3 100644
+--- a/drivers/char/tpm/tpm_crb.c
++++ b/drivers/char/tpm/tpm_crb.c
+@@ -34,12 +34,6 @@ enum crb_defaults {
+ CRB_ACPI_START_INDEX = 1,
+ };
+
+-enum crb_start_method {
+- CRB_SM_ACPI_START = 2,
+- CRB_SM_CRB = 7,
+- CRB_SM_CRB_WITH_ACPI_START = 8,
+-};
+-
+ struct acpi_tpm2 {
+ struct acpi_table_header hdr;
+ u16 platform_class;
+@@ -220,12 +214,6 @@ static int crb_acpi_add(struct acpi_device *device)
+ u64 pa;
+ int rc;
+
+- chip = tpmm_chip_alloc(dev, &tpm_crb);
+- if (IS_ERR(chip))
+- return PTR_ERR(chip);
+-
+- chip->flags = TPM_CHIP_FLAG_TPM2;
+-
+ status = acpi_get_table(ACPI_SIG_TPM2, 1,
+ (struct acpi_table_header **) &buf);
+ if (ACPI_FAILURE(status)) {
+@@ -233,13 +221,15 @@ static int crb_acpi_add(struct acpi_device *device)
+ return -ENODEV;
+ }
+
+- /* At least some versions of AMI BIOS have a bug that TPM2 table has
+- * zero address for the control area and therefore we must fail.
+- */
+- if (!buf->control_area_pa) {
+- dev_err(dev, "TPM2 ACPI table has a zero address for the
control area\n");
+- return -EINVAL;
+- }
++ /* Should the FIFO driver handle this? */
++ if (buf->start_method == TPM2_START_FIFO)
++ return -ENODEV;
++
++ chip = tpmm_chip_alloc(dev, &tpm_crb);
++ if (IS_ERR(chip))
++ return PTR_ERR(chip);
++
++ chip->flags = TPM_CHIP_FLAG_TPM2;
+
+ if (buf->hdr.length < sizeof(struct acpi_tpm2)) {
+ dev_err(dev, "TPM2 ACPI table has wrong size");
+@@ -259,11 +249,11 @@ static int crb_acpi_add(struct acpi_device *device)
+ * report only ACPI start but in practice seems to require both
+ * ACPI start and CRB start.
+ */
+- if (sm == CRB_SM_CRB || sm == CRB_SM_CRB_WITH_ACPI_START ||
++ if (sm == TPM2_START_CRB || sm == TPM2_START_FIFO ||
+ !strcmp(acpi_device_hid(device), "MSFT0101"))
+ priv->flags |= CRB_FL_CRB_START;
+
+- if (sm == CRB_SM_ACPI_START || sm == CRB_SM_CRB_WITH_ACPI_START)
++ if (sm == TPM2_START_ACPI || sm == TPM2_START_CRB_WITH_ACPI)
+ priv->flags |= CRB_FL_ACPI_START;
+
+ priv->cca = (struct crb_control_area __iomem *)
+diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c
+index f2dffa7..696ef1d 100644
+--- a/drivers/char/tpm/tpm_tis.c
++++ b/drivers/char/tpm/tpm_tis.c
+@@ -1,6 +1,6 @@
+ /*
+ * Copyright (C) 2005, 2006 IBM Corporation
+- * Copyright (C) 2014 Intel Corporation
++ * Copyright (C) 2014, 2015 Intel Corporation
+ *
+ * Authors:
+ * Leendert van Doorn <[email protected]>
+@@ -28,6 +28,7 @@
+ #include <linux/wait.h>
+ #include <linux/acpi.h>
+ #include <linux/freezer.h>
++#include <acpi/actbl2.h>
+ #include "tpm.h"
+
+ enum tis_access {
+@@ -65,6 +66,17 @@ enum tis_defaults {
+ TIS_LONG_TIMEOUT = 2000, /* 2 sec */
+ };
+
++struct tpm_info {
++ unsigned long start;
++ unsigned long len;
++ unsigned int irq;
++};
++
++static struct tpm_info tis_default_info = {
++ .start = TIS_MEM_BASE,
++ .len = TIS_MEM_LEN,
++ .irq = 0,
++};
+
+ /* Some timeout values are needed before it is known whether the chip is
+ * TPM 1.0 or TPM 2.0.
+@@ -91,26 +103,54 @@ struct priv_data {
+ };
+
+ #if defined(CONFIG_PNP) && defined(CONFIG_ACPI)
+-static int is_itpm(struct pnp_dev *dev)
++static int has_hid(struct acpi_device *dev, const char *hid)
+ {
+- struct acpi_device *acpi = pnp_acpi_device(dev);
+ struct acpi_hardware_id *id;
+
+- if (!acpi)
+- return 0;
+-
+- list_for_each_entry(id, &acpi->pnp.ids, list) {
+- if (!strcmp("INTC0102", id->id))
++ list_for_each_entry(id, &dev->pnp.ids, list)
++ if (!strcmp(hid, id->id))
+ return 1;
+- }
+
+ return 0;
+ }
++
++static inline int is_itpm(struct acpi_device *dev)
++{
++ return has_hid(dev, "INTC0102");
++}
++
++static inline int is_fifo(struct acpi_device *dev)
++{
++ struct acpi_table_tpm2 *tbl;
++ acpi_status st;
++
++ /* TPM 1.2 FIFO */
++ if (!has_hid(dev, "MSFT0101"))
++ return 1;
++
++ st = acpi_get_table(ACPI_SIG_TPM2, 1,
++ (struct acpi_table_header **) &tbl);
++ if (ACPI_FAILURE(st)) {
++ dev_err(&dev->dev, "failed to get TPM2 ACPI table\n");
++ return 0;
++ }
++
++ if (le32_to_cpu(tbl->start_method) != TPM2_START_FIFO)
++ return 0;
++
++ /* TPM 2.0 FIFO */
++ return 1;
++}
+ #else
+-static inline int is_itpm(struct pnp_dev *dev)
++static inline int is_itpm(struct acpi_device *dev)
+ {
+ return 0;
+ }
++
++static inline int is_fifo(struct acpi_device *dev)
++{
++ return 1;
++}
+ #endif
+
+ /* Before we attempt to access the TPM we must see that the valid bit is set.
+@@ -600,9 +640,8 @@ static void tpm_tis_remove(struct tpm_chip *chip)
+ release_locality(chip, chip->vendor.locality, 1);
+ }
+
+-static int tpm_tis_init(struct device *dev, acpi_handle acpi_dev_handle,
+- resource_size_t start, resource_size_t len,
+- unsigned int irq)
++static int tpm_tis_init(struct device *dev, struct tpm_info *tpm_info,
++ acpi_handle acpi_dev_handle)
+ {
+ u32 vendor, intfcaps, intmask;
+ int rc, i, irq_s, irq_e, probe;
+@@ -622,7 +661,7 @@ static int tpm_tis_init(struct device *dev, acpi_handle
acpi_dev_handle,
+ chip->acpi_dev_handle = acpi_dev_handle;
+ #endif
+
+- chip->vendor.iobase = devm_ioremap(dev, start, len);
++ chip->vendor.iobase = devm_ioremap(dev, tpm_info->start, tpm_info->len);
+ if (!chip->vendor.iobase)
+ return -EIO;
+
+@@ -707,7 +746,7 @@ static int tpm_tis_init(struct device *dev, acpi_handle
acpi_dev_handle,
+ chip->vendor.iobase +
+ TPM_INT_ENABLE(chip->vendor.locality));
+ if (interrupts)
+- chip->vendor.irq = irq;
++ chip->vendor.irq = tpm_info->irq;
+ if (interrupts && !chip->vendor.irq) {
+ irq_s =
+ ioread8(chip->vendor.iobase +
+@@ -890,27 +929,27 @@ static SIMPLE_DEV_PM_OPS(tpm_tis_pm, tpm_pm_suspend,
tpm_tis_resume);
+ static int tpm_tis_pnp_init(struct pnp_dev *pnp_dev,
+ const struct pnp_device_id *pnp_id)
+ {
+- resource_size_t start, len;
+- unsigned int irq = 0;
++ struct tpm_info tpm_info = tis_default_info;
+ acpi_handle acpi_dev_handle = NULL;
+
+- start = pnp_mem_start(pnp_dev, 0);
+- len = pnp_mem_len(pnp_dev, 0);
++ tpm_info.start = pnp_mem_start(pnp_dev, 0);
++ tpm_info.len = pnp_mem_len(pnp_dev, 0);
+
+ if (pnp_irq_valid(pnp_dev, 0))
+- irq = pnp_irq(pnp_dev, 0);
++ tpm_info.irq = pnp_irq(pnp_dev, 0);
+ else
+ interrupts = false;
+
+- if (is_itpm(pnp_dev))
+- itpm = true;
+-
+ #ifdef CONFIG_ACPI
+- if (pnp_acpi_device(pnp_dev))
++ if (pnp_acpi_device(pnp_dev)) {
++ if (is_itpm(pnp_acpi_device(pnp_dev)))
++ itpm = true;
++
+ acpi_dev_handle = pnp_acpi_device(pnp_dev)->handle;
++ }
+ #endif
+
+- return tpm_tis_init(&pnp_dev->dev, acpi_dev_handle, start, len, irq);
++ return tpm_tis_init(&pnp_dev->dev, &tpm_info, acpi_dev_handle);
+ }
+
+ static struct pnp_device_id tpm_pnp_tbl[] = {
+@@ -930,6 +969,7 @@ MODULE_DEVICE_TABLE(pnp, tpm_pnp_tbl);
+ static void tpm_tis_pnp_remove(struct pnp_dev *dev)
+ {
+ struct tpm_chip *chip = pnp_get_drvdata(dev);
++
+ tpm_chip_unregister(chip);
+ tpm_tis_remove(chip);
+ }
+@@ -950,6 +990,79 @@ module_param_string(hid, tpm_pnp_tbl[TIS_HID_USR_IDX].id,
+ MODULE_PARM_DESC(hid, "Set additional specific HID for this driver to probe");
+ #endif
+
++#ifdef CONFIG_ACPI
++static int tpm_check_resource(struct acpi_resource *ares, void *data)
++{
++ struct tpm_info *tpm_info = (struct tpm_info *) data;
++ struct resource res;
++
++ if (acpi_dev_resource_interrupt(ares, 0, &res)) {
++ tpm_info->irq = res.start;
++ } else if (acpi_dev_resource_memory(ares, &res)) {
++ tpm_info->start = res.start;
++ tpm_info->len = resource_size(&res);
++ }
++
++ return 1;
++}
++
++static int tpm_tis_acpi_init(struct acpi_device *acpi_dev)
++{
++ struct list_head resources;
++ struct tpm_info tpm_info = tis_default_info;
++ int ret;
++
++ if (!is_fifo(acpi_dev))
++ return -ENODEV;
++
++ INIT_LIST_HEAD(&resources);
++ ret = acpi_dev_get_resources(acpi_dev, &resources, tpm_check_resource,
++ &tpm_info);
++ if (ret < 0)
++ return ret;
++
++ acpi_dev_free_resource_list(&resources);
++
++ if (!tpm_info.irq)
++ interrupts = false;
++
++ if (is_itpm(acpi_dev))
++ itpm = true;
++
++ return tpm_tis_init(&acpi_dev->dev, &tpm_info, acpi_dev->handle);
++}
++
++static int tpm_tis_acpi_remove(struct acpi_device *dev)
++{
++ struct tpm_chip *chip = dev_get_drvdata(&dev->dev);
++
++ tpm_chip_unregister(chip);
++ tpm_tis_remove(chip);
++
++ return 0;
++}
++
++static struct acpi_device_id tpm_acpi_tbl[] = {
++ {"MSFT0101", 0}, /* TPM 2.0 */
++ /* Add new here */
++ {"", 0}, /* User Specified */
++ {"", 0} /* Terminator */
++};
++MODULE_DEVICE_TABLE(acpi, tpm_acpi_tbl);
++
++static struct acpi_driver tis_acpi_driver = {
++ .name = "tpm_tis",
++ .ids = tpm_acpi_tbl,
++ .ops = {
++ .add = tpm_tis_acpi_init,
++ .remove = tpm_tis_acpi_remove,
++ },
++ .drv = {
++ .pm = &tpm_tis_pm,
++ },
++};
++#endif
++
+ static struct platform_driver tis_drv = {
+ .driver = {
+ .name = "tpm_tis",
+@@ -966,9 +1079,25 @@ static int __init init_tis(void)
+ {
+ int rc;
+ #ifdef CONFIG_PNP
+- if (!force)
+- return pnp_register_driver(&tis_pnp_driver);
++ if (!force) {
++ rc = pnp_register_driver(&tis_pnp_driver);
++ if (rc)
++ return rc;
++ }
++#endif
++#ifdef CONFIG_ACPI
++ if (!force) {
++ rc = acpi_bus_register_driver(&tis_acpi_driver);
++ if (rc) {
++#ifdef CONFIG_PNP
++ pnp_unregister_driver(&tis_pnp_driver);
+ #endif
++ return rc;
++ }
++ }
++#endif
++ if (!force)
++ return 0;
+
+ rc = platform_driver_register(&tis_drv);
+ if (rc < 0)
+@@ -978,7 +1107,7 @@ static int __init init_tis(void)
+ rc = PTR_ERR(pdev);
+ goto err_dev;
+ }
+- rc = tpm_tis_init(&pdev->dev, NULL, TIS_MEM_BASE, TIS_MEM_LEN, 0);
++ rc = tpm_tis_init(&pdev->dev, &tis_default_info, NULL);
+ if (rc)
+ goto err_init;
+ return 0;
+@@ -992,9 +1121,14 @@ err_dev:
+ static void __exit cleanup_tis(void)
+ {
+ struct tpm_chip *chip;
+-#ifdef CONFIG_PNP
++#if defined(CONFIG_PNP) || defined(CONFIG_ACPI)
+ if (!force) {
++#ifdef CONFIG_ACPI
++ acpi_bus_unregister_driver(&tis_acpi_driver);
++#endif
++#ifdef CONFIG_PNP
+ pnp_unregister_driver(&tis_pnp_driver);
++#endif
+ return;
+ }
+ #endif
+diff --git a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
+index 2795d6d..8b5988e 100644
+--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
++++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
+@@ -1016,13 +1016,12 @@ static int atl1c_setup_ring_resources(struct
atl1c_adapter *adapter)
+ sizeof(struct atl1c_recv_ret_status) * rx_desc_count +
+ 8 * 4;
+
+- ring_header->desc = pci_alloc_consistent(pdev, ring_header->size,
+- &ring_header->dma);
++ ring_header->desc = dma_zalloc_coherent(&pdev->dev, ring_header->size,
++ &ring_header->dma, GFP_KERNEL);
+ if (unlikely(!ring_header->desc)) {
+- dev_err(&pdev->dev, "pci_alloc_consistend failed\n");
++ dev_err(&pdev->dev, "could not get memory for DMA buffer\n");
+ goto err_nomem;
+ }
+- memset(ring_header->desc, 0, ring_header->size);
+ /* init TPD ring */
+
+ tpd_ring[0].dma = roundup(ring_header->dma, 8);
+diff --git a/drivers/net/ethernet/freescale/gianfar.c
b/drivers/net/ethernet/freescale/gianfar.c
+index ce38d26..bcb933e 100644
+--- a/drivers/net/ethernet/freescale/gianfar.c
++++ b/drivers/net/ethernet/freescale/gianfar.c
+@@ -894,7 +894,8 @@ static int gfar_of_init(struct platform_device *ofdev,
struct net_device **pdev)
+ FSL_GIANFAR_DEV_HAS_VLAN |
+ FSL_GIANFAR_DEV_HAS_MAGIC_PACKET |
+ FSL_GIANFAR_DEV_HAS_EXTENDED_HASH |
+- FSL_GIANFAR_DEV_HAS_TIMER;
++ FSL_GIANFAR_DEV_HAS_TIMER |
++ FSL_GIANFAR_DEV_HAS_RX_FILER;
+
+ err = of_property_read_string(np, "phy-connection-type", &ctype);
+
+@@ -1393,8 +1394,9 @@ static int gfar_probe(struct platform_device *ofdev)
+ priv->rx_queue[i]->rxic = DEFAULT_RXIC;
+ }
+
+- /* always enable rx filer */
+- priv->rx_filer_enable = 1;
++ /* Always enable rx filer if available */
++ priv->rx_filer_enable =
++ (priv->device_flags & FSL_GIANFAR_DEV_HAS_RX_FILER) ? 1 : 0;
+ /* Enable most messages by default */
+ priv->msg_enable = (NETIF_MSG_IFUP << 1 ) - 1;
+ /* use pritority h/w tx queue scheduling for single queue devices */
+diff --git a/drivers/net/ethernet/freescale/gianfar.h
b/drivers/net/ethernet/freescale/gianfar.h
+index 8c19948..3755372 100644
+--- a/drivers/net/ethernet/freescale/gianfar.h
++++ b/drivers/net/ethernet/freescale/gianfar.h
+@@ -917,6 +917,7 @@ struct gfar {
+ #define FSL_GIANFAR_DEV_HAS_BD_STASHING 0x00000200
+ #define FSL_GIANFAR_DEV_HAS_BUF_STASHING 0x00000400
+ #define FSL_GIANFAR_DEV_HAS_TIMER 0x00000800
++#define FSL_GIANFAR_DEV_HAS_RX_FILER 0x00002000
+
+ #if (MAXGROUPS == 2)
+ #define DEFAULT_MAPPING 0xAA
+diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c
b/drivers/net/ethernet/qualcomm/qca_spi.c
+index 2f87909..60ccc29 100644
+--- a/drivers/net/ethernet/qualcomm/qca_spi.c
++++ b/drivers/net/ethernet/qualcomm/qca_spi.c
+@@ -736,9 +736,8 @@ qcaspi_netdev_tx_timeout(struct net_device *dev)
+ netdev_info(qca->net_dev, "Transmit timeout at %ld, latency %ld\n",
+ jiffies, jiffies - dev->trans_start);
+ qca->net_dev->stats.tx_errors++;
+- /* wake the queue if there is room */
+- if (qcaspi_tx_ring_has_space(&qca->txr))
+- netif_wake_queue(dev);
++ /* Trigger tx queue flush and QCA7000 reset */
++ qca->sync = QCASPI_SYNC_UNKNOWN;
+ }
+
+ static int
+diff --git a/drivers/net/ethernet/renesas/sh_eth.c
b/drivers/net/ethernet/renesas/sh_eth.c
+index a484d8b..f3cbf90c 100644
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -1481,6 +1481,7 @@ static int sh_eth_rx(struct net_device *ndev, u32
intr_status, int *quota)
+ if (mdp->cd->shift_rd0)
+ desc_status >>= 16;
+
++ skb = mdp->rx_skbuff[entry];
+ if (desc_status & (RD_RFS1 | RD_RFS2 | RD_RFS3 | RD_RFS4 |
+ RD_RFS5 | RD_RFS6 | RD_RFS10)) {
+ ndev->stats.rx_errors++;
+@@ -1496,12 +1497,11 @@ static int sh_eth_rx(struct net_device *ndev, u32
intr_status, int *quota)
+ ndev->stats.rx_missed_errors++;
+ if (desc_status & RD_RFS10)
+ ndev->stats.rx_over_errors++;
+- } else {
++ } else if (skb) {
+ if (!mdp->cd->hw_swap)
+ sh_eth_soft_swap(
+ phys_to_virt(ALIGN(rxdesc->addr, 4)),
+ pkt_len + 2);
+- skb = mdp->rx_skbuff[entry];
+ mdp->rx_skbuff[entry] = NULL;
+ if (mdp->cd->rpadir)
+ skb_reserve(skb, NET_IP_ALIGN);
+diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c
+index cf6312f..e13ad6c 100644
+--- a/drivers/net/phy/micrel.c
++++ b/drivers/net/phy/micrel.c
+@@ -339,9 +339,18 @@ static int ksz9021_config_init(struct phy_device *phydev)
+ {
+ const struct device *dev = &phydev->dev;
+ const struct device_node *of_node = dev->of_node;
++ const struct device *dev_walker;
+
+- if (!of_node && dev->parent->of_node)
+- of_node = dev->parent->of_node;
++ /* The Micrel driver has a deprecated option to place phy OF
++ * properties in the MAC node. Walk up the tree of devices to
++ * find a device with an OF node.
++ */
++ dev_walker = &phydev->dev;
++ do {
++ of_node = dev_walker->of_node;
++ dev_walker = dev_walker->parent;
++
++ } while (!of_node && dev_walker);
+
+ if (of_node) {
+ ksz9021_load_values_from_of(phydev, of_node,
+diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
+index 5e0b432..0a37f84 100644
+--- a/drivers/net/ppp/pppoe.c
++++ b/drivers/net/ppp/pppoe.c
+@@ -568,6 +568,9 @@ static int pppoe_create(struct net *net, struct socket
*sock, int kern)
+ sk->sk_family = PF_PPPOX;
+ sk->sk_protocol = PX_PROTO_OE;
+
++ INIT_WORK(&pppox_sk(sk)->proto.pppoe.padt_work,
++ pppoe_unbind_sock_work);
++
+ return 0;
+ }
+
+@@ -632,8 +635,6 @@ static int pppoe_connect(struct socket *sock, struct
sockaddr *uservaddr,
+
+ lock_sock(sk);
+
+- INIT_WORK(&po->proto.pppoe.padt_work, pppoe_unbind_sock_work);
+-
+ error = -EINVAL;
+ if (sp->sa_protocol != PX_PROTO_OE)
+ goto end;
+@@ -663,8 +664,13 @@ static int pppoe_connect(struct socket *sock, struct
sockaddr *uservaddr,
+ po->pppoe_dev = NULL;
+ }
+
+- memset(sk_pppox(po) + 1, 0,
+- sizeof(struct pppox_sock) - sizeof(struct sock));
++ po->pppoe_ifindex = 0;
++ memset(&po->pppoe_pa, 0, sizeof(po->pppoe_pa));
++ memset(&po->pppoe_relay, 0, sizeof(po->pppoe_relay));
++ memset(&po->chan, 0, sizeof(po->chan));
++ po->next = NULL;
++ po->num = 0;
++
+ sk->sk_state = PPPOX_NONE;
+ }
+
+diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
+index 686f37d..b910cae 100644
+--- a/drivers/net/ppp/pptp.c
++++ b/drivers/net/ppp/pptp.c
+@@ -418,6 +418,9 @@ static int pptp_bind(struct socket *sock, struct sockaddr
*uservaddr,
+ struct pptp_opt *opt = &po->proto.pptp;
+ int error = 0;
+
++ if (sockaddr_len < sizeof(struct sockaddr_pppox))
++ return -EINVAL;
++
+ lock_sock(sk);
+
+ opt->src_addr = sp->sa_addr.pptp;
+@@ -439,6 +442,9 @@ static int pptp_connect(struct socket *sock, struct
sockaddr *uservaddr,
+ struct flowi4 fl4;
+ int error = 0;
+
++ if (sockaddr_len < sizeof(struct sockaddr_pppox))
++ return -EINVAL;
++
+ if (sp->sa_protocol != PX_PROTO_PPTP)
+ return -EINVAL;
+
+diff --git a/drivers/net/usb/cdc_mbim.c b/drivers/net/usb/cdc_mbim.c
+index efc18e0..b6ea6ff 100644
+--- a/drivers/net/usb/cdc_mbim.c
++++ b/drivers/net/usb/cdc_mbim.c
+@@ -158,7 +158,7 @@ static int cdc_mbim_bind(struct usbnet *dev, struct
usb_interface *intf)
+ if (!cdc_ncm_comm_intf_is_mbim(intf->cur_altsetting))
+ goto err;
+
+- ret = cdc_ncm_bind_common(dev, intf, data_altsetting, 0);
++ ret = cdc_ncm_bind_common(dev, intf, data_altsetting,
dev->driver_info->data);
+ if (ret)
+ goto err;
+
+@@ -582,6 +582,26 @@ static const struct driver_info cdc_mbim_info_zlp = {
+ .tx_fixup = cdc_mbim_tx_fixup,
+ };
+
++/* The spefication explicitly allows NDPs to be placed anywhere in the
++ * frame, but some devices fail unless the NDP is placed after the IP
++ * packets. Using the CDC_NCM_FLAG_NDP_TO_END flags to force this
++ * behaviour.
++ *
++ * Note: The current implementation of this feature restricts each NTB
++ * to a single NDP, implying that multiplexed sessions cannot share an
++ * NTB. This might affect performace for multiplexed sessions.
++ */
++static const struct driver_info cdc_mbim_info_ndp_to_end = {
++ .description = "CDC MBIM",
++ .flags = FLAG_NO_SETINT | FLAG_MULTI_PACKET | FLAG_WWAN,
++ .bind = cdc_mbim_bind,
++ .unbind = cdc_mbim_unbind,
++ .manage_power = cdc_mbim_manage_power,
++ .rx_fixup = cdc_mbim_rx_fixup,
++ .tx_fixup = cdc_mbim_tx_fixup,
++ .data = CDC_NCM_FLAG_NDP_TO_END,
++};
++
+ static const struct usb_device_id mbim_devs[] = {
+ /* This duplicate NCM entry is intentional. MBIM devices can
+ * be disguised as NCM by default, and this is necessary to
+@@ -597,6 +617,10 @@ static const struct usb_device_id mbim_devs[] = {
+ { USB_VENDOR_AND_INTERFACE_INFO(0x0bdb, USB_CLASS_COMM,
USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE),
+ .driver_info = (unsigned long)&cdc_mbim_info,
+ },
++ /* Huawei E3372 fails unless NDP comes after the IP packets */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x12d1, 0x157d, USB_CLASS_COMM,
USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE),
++ .driver_info = (unsigned long)&cdc_mbim_info_ndp_to_end,
++ },
+ /* default entry */
+ { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM,
USB_CDC_PROTO_NONE),
+ .driver_info = (unsigned long)&cdc_mbim_info_zlp,
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index db40175..fa41a6d 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -1006,10 +1006,18 @@ static struct usb_cdc_ncm_ndp16 *cdc_ncm_ndp(struct
cdc_ncm_ctx *ctx, struct sk_
+ * NTH16 header as we would normally do. NDP isn't written to the SKB
yet, and
+ * the wNdpIndex field in the header is actually not consistent with
reality. It will be later.
+ */
+- if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END)
++ if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END) {
+ if (ctx->delayed_ndp16->dwSignature == sign)
+ return ctx->delayed_ndp16;
+
++ /* We can only push a single NDP to the end. Return
++ * NULL to send what we've already got and queue this
++ * skb for later.
++ */
++ else if (ctx->delayed_ndp16->dwSignature)
++ return NULL;
++ }
++
+ /* follow the chain of NDPs, looking for a match */
+ while (ndpoffset) {
+ ndp16 = (struct usb_cdc_ncm_ndp16 *)(skb->data + ndpoffset);
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index d9427ca..2e32c41 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -3067,17 +3067,6 @@ static int rtl8152_open(struct net_device *netdev)
+
+ mutex_lock(&tp->control);
+
+- /* The WORK_ENABLE may be set when autoresume occurs */
+- if (test_bit(WORK_ENABLE, &tp->flags)) {
+- clear_bit(WORK_ENABLE, &tp->flags);
+- usb_kill_urb(tp->intr_urb);
+- cancel_delayed_work_sync(&tp->schedule);
+-
+- /* disable the tx/rx, if the workqueue has enabled them. */
+- if (netif_carrier_ok(netdev))
+- tp->rtl_ops.disable(tp);
+- }
+-
+ tp->rtl_ops.up(tp);
+
+ rtl8152_set_speed(tp, AUTONEG_ENABLE,
+@@ -3124,12 +3113,6 @@ static int rtl8152_close(struct net_device *netdev)
+ } else {
+ mutex_lock(&tp->control);
+
+- /* The autosuspend may have been enabled and wouldn't
+- * be disable when autoresume occurs, because the
+- * netif_running() would be false.
+- */
+- rtl_runtime_suspend_enable(tp, false);
+-
+ tp->rtl_ops.down(tp);
+
+ mutex_unlock(&tp->control);
+@@ -3512,7 +3495,7 @@ static int rtl8152_resume(struct usb_interface *intf)
+ netif_device_attach(tp->netdev);
+ }
+
+- if (netif_running(tp->netdev)) {
++ if (netif_running(tp->netdev) && tp->netdev->flags & IFF_UP) {
+ if (test_bit(SELECTIVE_SUSPEND, &tp->flags)) {
+ rtl_runtime_suspend_enable(tp, false);
+ clear_bit(SELECTIVE_SUSPEND, &tp->flags);
+@@ -3532,6 +3515,8 @@ static int rtl8152_resume(struct usb_interface *intf)
+ }
+ usb_submit_urb(tp->intr_urb, GFP_KERNEL);
+ } else if (test_bit(SELECTIVE_SUSPEND, &tp->flags)) {
++ if (tp->netdev->flags & IFF_UP)
++ rtl_runtime_suspend_enable(tp, false);
+ clear_bit(SELECTIVE_SUSPEND, &tp->flags);
+ }
+
+diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
+index c9e309c..374feba 100644
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -581,6 +581,7 @@ static int vrf_newlink(struct net *src_net, struct
net_device *dev,
+ {
+ struct net_vrf *vrf = netdev_priv(dev);
+ struct net_vrf_dev *vrf_ptr;
++ int err;
+
+ if (!data || !data[IFLA_VRF_TABLE])
+ return -EINVAL;
+@@ -589,16 +590,25 @@ static int vrf_newlink(struct net *src_net, struct
net_device *dev,
+
+ dev->priv_flags |= IFF_VRF_MASTER;
+
++ err = -ENOMEM;
+ vrf_ptr = kmalloc(sizeof(*dev->vrf_ptr), GFP_KERNEL);
+ if (!vrf_ptr)
+- return -ENOMEM;
++ goto out_fail;
+
+ vrf_ptr->ifindex = dev->ifindex;
+ vrf_ptr->tb_id = vrf->tb_id;
+
++ err = register_netdevice(dev);
++ if (err < 0)
++ goto out_fail;
++
+ rcu_assign_pointer(dev->vrf_ptr, vrf_ptr);
+
+- return register_netdev(dev);
++ return 0;
++
++out_fail:
++ kfree(vrf_ptr);
++ return err;
+ }
+
+ static size_t vrf_nl_getsize(const struct net_device *dev)
+diff --git a/drivers/platform/x86/toshiba_acpi.c
b/drivers/platform/x86/toshiba_acpi.c
+index f2372f4..d2de91c 100644
+--- a/drivers/platform/x86/toshiba_acpi.c
++++ b/drivers/platform/x86/toshiba_acpi.c
+@@ -2676,6 +2676,7 @@ static int toshiba_acpi_add(struct acpi_device *acpi_dev)
+ ret = toshiba_function_keys_get(dev, &special_functions);
+ dev->kbd_function_keys_supported = !ret;
+
++ dev->hotkey_event_type = 0;
+ if (toshiba_acpi_setup_keyboard(dev))
+ pr_info("Unable to activate hotkeys\n");
+
+diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
+index b30e742..26ca4f9 100644
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1838,6 +1838,11 @@ static const struct usb_device_id acm_ids[] = {
+ },
+ #endif
+
++ /* Exclude Infineon Flash Loader utility */
++ { USB_DEVICE(0x058b, 0x0041),
++ .driver_info = IGNORE_DEVICE,
++ },
++
+ /* control interfaces without any protocol set */
+ { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
+ USB_CDC_PROTO_NONE) },
+diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
+index b9ddf0c..894894f 100644
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -115,7 +115,8 @@ static void usb_parse_ss_endpoint_companion(struct device
*ddev, int cfgno,
+ USB_SS_MULT(desc->bmAttributes) > 3) {
+ dev_warn(ddev, "Isoc endpoint has Mult of %d in "
+ "config %d interface %d altsetting %d ep %d: "
+- "setting to 3\n", desc->bmAttributes + 1,
++ "setting to 3\n",
++ USB_SS_MULT(desc->bmAttributes),
+ cfgno, inum, asnum, ep->desc.bEndpointAddress);
+ ep->ss_ep_comp.bmAttributes = 2;
+ }
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 431839b..522f766 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -124,6 +124,10 @@ struct usb_hub *usb_hub_to_struct_hub(struct usb_device
*hdev)
+
+ int usb_device_supports_lpm(struct usb_device *udev)
+ {
++ /* Some devices have trouble with LPM */
++ if (udev->quirks & USB_QUIRK_NO_LPM)
++ return 0;
++
+ /* USB 2.1 (and greater) devices indicate LPM support through
+ * their USB 2.0 Extended Capabilities BOS descriptor.
+ */
+@@ -4503,6 +4507,8 @@ hub_port_init (struct usb_hub *hub, struct usb_device
*udev, int port1,
+ goto fail;
+ }
+
++ usb_detect_quirks(udev);
++
+ if (udev->wusb == 0 && le16_to_cpu(udev->descriptor.bcdUSB) >= 0x0201) {
+ retval = usb_get_bos_descriptor(udev);
+ if (!retval) {
+@@ -4701,7 +4707,6 @@ static void hub_port_connect(struct usb_hub *hub, int
port1, u16 portstatus,
+ if (status < 0)
+ goto loop;
+
+- usb_detect_quirks(udev);
+ if (udev->quirks & USB_QUIRK_DELAY_INIT)
+ msleep(1000);
+
+@@ -5317,9 +5322,6 @@ static int usb_reset_and_verify_device(struct usb_device
*udev)
+ if (udev->usb2_hw_lpm_enabled == 1)
+ usb_set_usb2_hardware_lpm(udev, 0);
+
+- bos = udev->bos;
+- udev->bos = NULL;
+-
+ /* Disable LPM and LTM while we reset the device and reinstall the alt
+ * settings. Device-initiated LPM settings, and system exit latency
+ * settings are cleared when the device is reset, so we have to set
+@@ -5328,15 +5330,18 @@ static int usb_reset_and_verify_device(struct
usb_device *udev)
+ ret = usb_unlocked_disable_lpm(udev);
+ if (ret) {
+ dev_err(&udev->dev, "%s Failed to disable LPM\n.", __func__);
+- goto re_enumerate;
++ goto re_enumerate_no_bos;
+ }
+ ret = usb_disable_ltm(udev);
+ if (ret) {
+ dev_err(&udev->dev, "%s Failed to disable LTM\n.",
+ __func__);
+- goto re_enumerate;
++ goto re_enumerate_no_bos;
+ }
+
++ bos = udev->bos;
++ udev->bos = NULL;
++
+ for (i = 0; i < SET_CONFIG_TRIES; ++i) {
+
+ /* ep0 maxpacket size may change; let the HCD know about it.
+@@ -5433,10 +5438,11 @@ done:
+ return 0;
+
+ re_enumerate:
+- /* LPM state doesn't matter when we're about to destroy the device. */
+- hub_port_logical_disconnect(parent_hub, port1);
+ usb_release_bos_descriptor(udev);
+ udev->bos = bos;
++re_enumerate_no_bos:
++ /* LPM state doesn't matter when we're about to destroy the device. */
++ hub_port_logical_disconnect(parent_hub, port1);
+ return -ENODEV;
+ }
+
+diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
+index f5a3819..017c1de 100644
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -199,6 +199,12 @@ static const struct usb_device_id usb_quirk_list[] = {
+ { USB_DEVICE(0x1a0a, 0x0200), .driver_info =
+ USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
+
++ /* Blackmagic Design Intensity Shuttle */
++ { USB_DEVICE(0x1edb, 0xbd3b), .driver_info = USB_QUIRK_NO_LPM },
++
++ /* Blackmagic Design UltraStudio SDI */
++ { USB_DEVICE(0x1edb, 0xbd4f), .driver_info = USB_QUIRK_NO_LPM },
++
+ { } /* terminating entry must be last */
+ };
+
+diff --git a/drivers/usb/gadget/udc/pxa27x_udc.c
b/drivers/usb/gadget/udc/pxa27x_udc.c
+index 670ac0b..001a3b7 100644
+--- a/drivers/usb/gadget/udc/pxa27x_udc.c
++++ b/drivers/usb/gadget/udc/pxa27x_udc.c
+@@ -2536,6 +2536,9 @@ static int pxa_udc_suspend(struct platform_device *_dev,
pm_message_t state)
+ udc->pullup_resume = udc->pullup_on;
+ dplus_pullup(udc, 0);
+
++ if (udc->driver)
++ udc->driver->disconnect(&udc->gadget);
++
+ return 0;
+ }
+
+diff --git a/drivers/usb/host/ohci-at91.c b/drivers/usb/host/ohci-at91.c
+index 342ffd1..8c6e15b 100644
+--- a/drivers/usb/host/ohci-at91.c
++++ b/drivers/usb/host/ohci-at91.c
+@@ -473,6 +473,8 @@ static int ohci_hcd_at91_drv_probe(struct platform_device
*pdev)
+ if (!pdata)
+ return -ENOMEM;
+
++ pdev->dev.platform_data = pdata;
++
+ if (!of_property_read_u32(np, "num-ports", &ports))
+ pdata->ports = ports;
+
+@@ -483,6 +485,7 @@ static int ohci_hcd_at91_drv_probe(struct platform_device
*pdev)
+ */
+ if (i >= pdata->ports) {
+ pdata->vbus_pin[i] = -EINVAL;
++ pdata->overcurrent_pin[i] = -EINVAL;
+ continue;
+ }
+
+@@ -513,10 +516,8 @@ static int ohci_hcd_at91_drv_probe(struct platform_device
*pdev)
+ }
+
+ at91_for_each_port(i) {
+- if (i >= pdata->ports) {
+- pdata->overcurrent_pin[i] = -EINVAL;
+- continue;
+- }
++ if (i >= pdata->ports)
++ break;
+
+ pdata->overcurrent_pin[i] =
+ of_get_named_gpio_flags(np, "atmel,oc-gpio", i, &flags);
+@@ -552,8 +553,6 @@ static int ohci_hcd_at91_drv_probe(struct platform_device
*pdev)
+ }
+ }
+
+- pdev->dev.platform_data = pdata;
+-
+ device_init_wakeup(&pdev->dev, 1);
+ return usb_hcd_at91_probe(&ohci_at91_hc_driver, pdev);
+ }
+diff --git a/drivers/usb/host/whci/qset.c b/drivers/usb/host/whci/qset.c
+index dc31c42..9f1c053 100644
+--- a/drivers/usb/host/whci/qset.c
++++ b/drivers/usb/host/whci/qset.c
+@@ -377,6 +377,10 @@ static int qset_fill_page_list(struct whc *whc, struct
whc_std *std, gfp_t mem_f
+ if (std->pl_virt == NULL)
+ return -ENOMEM;
+ std->dma_addr = dma_map_single(whc->wusbhc.dev, std->pl_virt, pl_len,
DMA_TO_DEVICE);
++ if (dma_mapping_error(whc->wusbhc.dev, std->dma_addr)) {
++ kfree(std->pl_virt);
++ return -EFAULT;
++ }
+
+ for (p = 0; p < std->num_pointers; p++) {
+ std->pl_virt[p].buf_ptr = cpu_to_le64(dma_addr);
+diff --git a/drivers/usb/musb/Kconfig b/drivers/usb/musb/Kconfig
+index 1f2037b..45c83ba 100644
+--- a/drivers/usb/musb/Kconfig
++++ b/drivers/usb/musb/Kconfig
+@@ -159,7 +159,7 @@ config USB_TI_CPPI_DMA
+
+ config USB_TI_CPPI41_DMA
+ bool 'TI CPPI 4.1 (AM335x)'
+- depends on ARCH_OMAP
++ depends on ARCH_OMAP && DMADEVICES
+ select TI_CPPI41
+
+ config USB_TUSB_OMAP_DMA
+diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
+index eac7cca..7d4f51a 100644
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -132,7 +132,6 @@ static const struct usb_device_id id_table[] = {
+ { USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */
+ { USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */
+ { USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */
+- { USB_DEVICE(0x10C4, 0xEA80) }, /* Silicon Labs factory default */
+ { USB_DEVICE(0x10C4, 0xEA71) }, /* Infinity GPS-MIC-1 Radio Monophone */
+ { USB_DEVICE(0x10C4, 0xF001) }, /* Elan Digital Systems USBscope50 */
+ { USB_DEVICE(0x10C4, 0xF002) }, /* Elan Digital Systems USBwave12 */
+diff --git a/drivers/usb/serial/usb-serial-simple.c
b/drivers/usb/serial/usb-serial-simple.c
+index 3658662..a204782 100644
+--- a/drivers/usb/serial/usb-serial-simple.c
++++ b/drivers/usb/serial/usb-serial-simple.c
+@@ -53,6 +53,7 @@ DEVICE(funsoft, FUNSOFT_IDS);
+
+ /* Infineon Flashloader driver */
+ #define FLASHLOADER_IDS() \
++ { USB_DEVICE_INTERFACE_CLASS(0x058b, 0x0041, USB_CLASS_CDC_DATA) }, \
+ { USB_DEVICE(0x8087, 0x0716) }
+ DEVICE(flashloader, FLASHLOADER_IDS);
+
+diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
+index f689219..43b1caf 100644
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -796,6 +796,10 @@ static int uas_slave_configure(struct scsi_device *sdev)
+ if (devinfo->flags & US_FL_NO_REPORT_OPCODES)
+ sdev->no_report_opcodes = 1;
+
++ /* A few buggy USB-ATA bridges don't understand FUA */
++ if (devinfo->flags & US_FL_BROKEN_FUA)
++ sdev->broken_fua = 1;
++
+ scsi_change_queue_depth(sdev, devinfo->qdepth - 2);
+ return 0;
+ }
+diff --git a/drivers/usb/storage/unusual_devs.h
b/drivers/usb/storage/unusual_devs.h
+index 6b24791..7ffe420 100644
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -1987,7 +1987,7 @@ UNUSUAL_DEV( 0x14cd, 0x6600, 0x0201, 0x0201,
+ US_FL_IGNORE_RESIDUE ),
+
+ /* Reported by Michael Büsch <[email protected]> */
+-UNUSUAL_DEV( 0x152d, 0x0567, 0x0114, 0x0114,
++UNUSUAL_DEV( 0x152d, 0x0567, 0x0114, 0x0116,
+ "JMicron",
+ "USB to ATA/ATAPI Bridge",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+diff --git a/drivers/usb/storage/unusual_uas.h
b/drivers/usb/storage/unusual_uas.h
+index c85ea53..ccc113e 100644
+--- a/drivers/usb/storage/unusual_uas.h
++++ b/drivers/usb/storage/unusual_uas.h
+@@ -132,7 +132,7 @@ UNUSUAL_DEV(0x152d, 0x0567, 0x0000, 0x9999,
+ "JMicron",
+ "JMS567",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+- US_FL_NO_REPORT_OPCODES),
++ US_FL_BROKEN_FUA | US_FL_NO_REPORT_OPCODES),
+
+ /* Reported-by: Hans de Goede <[email protected]> */
+ UNUSUAL_DEV(0x2109, 0x0711, 0x0000, 0x9999,
+diff --git a/include/linux/acpi.h b/include/linux/acpi.h
+index 43856d1..1ae6ba0 100644
+--- a/include/linux/acpi.h
++++ b/include/linux/acpi.h
+@@ -193,6 +193,12 @@ int acpi_ioapic_registered(acpi_handle handle, u32
gsi_base);
+ void acpi_irq_stats_init(void);
+ extern u32 acpi_irq_handled;
+ extern u32 acpi_irq_not_handled;
++extern unsigned int acpi_sci_irq;
++#define INVALID_ACPI_IRQ ((unsigned)-1)
++static inline bool acpi_sci_irq_valid(void)
++{
++ return acpi_sci_irq != INVALID_ACPI_IRQ;
++}
+
+ extern int sbf_port;
+ extern unsigned long acpi_realmode_flags;
+diff --git a/include/linux/usb/quirks.h b/include/linux/usb/quirks.h
+index 9948c87..1d0043d 100644
+--- a/include/linux/usb/quirks.h
++++ b/include/linux/usb/quirks.h
+@@ -47,4 +47,7 @@
+ /* device generates spurious wakeup, ignore remote wakeup capability */
+ #define USB_QUIRK_IGNORE_REMOTE_WAKEUP BIT(9)
+
++/* device can't handle Link Power Management */
++#define USB_QUIRK_NO_LPM BIT(10)
++
+ #endif /* __LINUX_USB_QUIRKS_H */
+diff --git a/include/net/dst.h b/include/net/dst.h
+index 9261d92..e7fa2e2 100644
+--- a/include/net/dst.h
++++ b/include/net/dst.h
+@@ -322,6 +322,39 @@ static inline void skb_dst_force(struct sk_buff *skb)
+ }
+ }
+
++/**
++ * dst_hold_safe - Take a reference on a dst if possible
++ * @dst: pointer to dst entry
++ *
++ * This helper returns false if it could not safely
++ * take a reference on a dst.
++ */
++static inline bool dst_hold_safe(struct dst_entry *dst)
++{
++ if (dst->flags & DST_NOCACHE)
++ return atomic_inc_not_zero(&dst->__refcnt);
++ dst_hold(dst);
++ return true;
++}
++
++/**
++ * skb_dst_force_safe - makes sure skb dst is refcounted
++ * @skb: buffer
++ *
++ * If dst is not yet refcounted and not destroyed, grab a ref on it.
++ */
++static inline void skb_dst_force_safe(struct sk_buff *skb)
++{
++ if (skb_dst_is_noref(skb)) {
++ struct dst_entry *dst = skb_dst(skb);
++
++ if (!dst_hold_safe(dst))
++ dst = NULL;
++
++ skb->_skb_refdst = (unsigned long)dst;
++ }
++}
++
+
+ /**
+ * __skb_tunnel_rx - prepare skb for rx reinsert
+diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h
+index 4a6009d..235c781 100644
+--- a/include/net/inetpeer.h
++++ b/include/net/inetpeer.h
+@@ -78,6 +78,7 @@ void inet_initpeers(void) __init;
+ static inline void inetpeer_set_addr_v4(struct inetpeer_addr *iaddr, __be32
ip)
+ {
+ iaddr->a4.addr = ip;
++ iaddr->a4.vif = 0;
+ iaddr->family = AF_INET;
+ }
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index e237170..bca709a 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -387,6 +387,7 @@ struct sock {
+ sk_no_check_rx : 1,
+ sk_userlocks : 4,
+ sk_protocol : 8,
++#define SK_PROTOCOL_MAX U8_MAX
+ sk_type : 16;
+ kmemcheck_bitfield_end(flags);
+ int sk_wmem_queued;
+@@ -724,6 +725,8 @@ enum sock_flags {
+ SOCK_SELECT_ERR_QUEUE, /* Wake select on error queue */
+ };
+
++#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL <<
SOCK_TIMESTAMPING_RX_SOFTWARE))
++
+ static inline void sock_copy_flags(struct sock *nsk, struct sock *osk)
+ {
+ nsk->sk_flags = osk->sk_flags;
+@@ -798,7 +801,7 @@ void sk_stream_write_space(struct sock *sk);
+ static inline void __sk_add_backlog(struct sock *sk, struct sk_buff *skb)
+ {
+ /* dont let skb dst not refcounted, we are going to leave rcu lock */
+- skb_dst_force(skb);
++ skb_dst_force_safe(skb);
+
+ if (!sk->sk_backlog.tail)
+ sk->sk_backlog.head = skb;
+diff --git a/include/net/vxlan.h b/include/net/vxlan.h
+index 480a319..f4a4972 100644
+--- a/include/net/vxlan.h
++++ b/include/net/vxlan.h
+@@ -79,7 +79,7 @@ struct vxlanhdr {
+ };
+
+ /* VXLAN header flags. */
+-#define VXLAN_HF_RCO BIT(24)
++#define VXLAN_HF_RCO BIT(21)
+ #define VXLAN_HF_VNI BIT(27)
+ #define VXLAN_HF_GBP BIT(31)
+
+diff --git a/include/uapi/linux/Kbuild b/include/uapi/linux/Kbuild
+index f7b2db4..7fc5733 100644
+--- a/include/uapi/linux/Kbuild
++++ b/include/uapi/linux/Kbuild
+@@ -186,6 +186,7 @@ header-y += if_tunnel.h
+ header-y += if_vlan.h
+ header-y += if_x25.h
+ header-y += igmp.h
++header-y += ila.h
+ header-y += in6.h
+ header-y += inet_diag.h
+ header-y += in.h
+diff --git a/lib/rhashtable.c b/lib/rhashtable.c
+index a54ff89..aa388a7 100644
+--- a/lib/rhashtable.c
++++ b/lib/rhashtable.c
+@@ -503,10 +503,11 @@ int rhashtable_walk_init(struct rhashtable *ht, struct
rhashtable_iter *iter)
+ if (!iter->walker)
+ return -ENOMEM;
+
+- mutex_lock(&ht->mutex);
+- iter->walker->tbl = rht_dereference(ht->tbl, ht);
++ spin_lock(&ht->lock);
++ iter->walker->tbl =
++ rcu_dereference_protected(ht->tbl, lockdep_is_held(&ht->lock));
+ list_add(&iter->walker->list, &iter->walker->tbl->walkers);
+- mutex_unlock(&ht->mutex);
++ spin_unlock(&ht->lock);
+
+ return 0;
+ }
+@@ -520,10 +521,10 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_init);
+ */
+ void rhashtable_walk_exit(struct rhashtable_iter *iter)
+ {
+- mutex_lock(&iter->ht->mutex);
++ spin_lock(&iter->ht->lock);
+ if (iter->walker->tbl)
+ list_del(&iter->walker->list);
+- mutex_unlock(&iter->ht->mutex);
++ spin_unlock(&iter->ht->lock);
+ kfree(iter->walker);
+ }
+ EXPORT_SYMBOL_GPL(rhashtable_walk_exit);
+@@ -547,14 +548,12 @@ int rhashtable_walk_start(struct rhashtable_iter *iter)
+ {
+ struct rhashtable *ht = iter->ht;
+
+- mutex_lock(&ht->mutex);
++ rcu_read_lock();
+
++ spin_lock(&ht->lock);
+ if (iter->walker->tbl)
+ list_del(&iter->walker->list);
+-
+- rcu_read_lock();
+-
+- mutex_unlock(&ht->mutex);
++ spin_unlock(&ht->lock);
+
+ if (!iter->walker->tbl) {
+ iter->walker->tbl = rht_dereference_rcu(ht->tbl, ht);
+@@ -723,9 +722,6 @@ int rhashtable_init(struct rhashtable *ht,
+ if (params->nulls_base && params->nulls_base < (1U << RHT_BASE_SHIFT))
+ return -EINVAL;
+
+- if (params->nelem_hint)
+- size = rounded_hashtable_size(params);
+-
+ memset(ht, 0, sizeof(*ht));
+ mutex_init(&ht->mutex);
+ spin_lock_init(&ht->lock);
+@@ -745,6 +741,9 @@ int rhashtable_init(struct rhashtable *ht,
+
+ ht->p.min_size = max(ht->p.min_size, HASH_MIN_SIZE);
+
++ if (params->nelem_hint)
++ size = rounded_hashtable_size(&ht->p);
++
+ /* The maximum (not average) chain length grows with the
+ * size of the hash table, at a rate of (log N)/(log log N).
+ * The value of 16 is selected so that even if the hash
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index ae3a47f..fbd0acf 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -805,6 +805,9 @@ static int ax25_create(struct net *net, struct socket
*sock, int protocol,
+ struct sock *sk;
+ ax25_cb *ax25;
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (!net_eq(net, &init_net))
+ return -EAFNOSUPPORT;
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index f315c8d..15cb6c5 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -519,6 +519,9 @@ static int sco_sock_bind(struct socket *sock, struct
sockaddr *addr, int addr_le
+ if (!addr || addr->sa_family != AF_BLUETOOTH)
+ return -EINVAL;
+
++ if (addr_len < sizeof(struct sockaddr_sco))
++ return -EINVAL;
++
+ lock_sock(sk);
+
+ if (sk->sk_state != BT_OPEN) {
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index fab4599..1c1f87c 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3643,7 +3643,8 @@ static void __skb_complete_tx_timestamp(struct sk_buff
*skb,
+ serr->ee.ee_info = tstype;
+ if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) {
+ serr->ee.ee_data = skb_shinfo(skb)->tskey;
+- if (sk->sk_protocol == IPPROTO_TCP)
++ if (sk->sk_protocol == IPPROTO_TCP &&
++ sk->sk_type == SOCK_STREAM)
+ serr->ee.ee_data -= sk->sk_tskey;
+ }
+
+@@ -4268,7 +4269,8 @@ static struct sk_buff *skb_reorder_vlan_header(struct
sk_buff *skb)
+ return NULL;
+ }
+
+- memmove(skb->data - ETH_HLEN, skb->data - VLAN_ETH_HLEN, 2 * ETH_ALEN);
++ memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN,
++ 2 * ETH_ALEN);
+ skb->mac_header += VLAN_HLEN;
+ return skb;
+ }
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 3307c02..dbbda99 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -422,8 +422,6 @@ static void sock_warn_obsolete_bsdism(const char *name)
+ }
+ }
+
+-#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL <<
SOCK_TIMESTAMPING_RX_SOFTWARE))
+-
+ static void sock_disable_timestamp(struct sock *sk, unsigned long flags)
+ {
+ if (sk->sk_flags & flags) {
+@@ -862,7 +860,8 @@ set_rcvbuf:
+
+ if (val & SOF_TIMESTAMPING_OPT_ID &&
+ !(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID)) {
+- if (sk->sk_protocol == IPPROTO_TCP) {
++ if (sk->sk_protocol == IPPROTO_TCP &&
++ sk->sk_type == SOCK_STREAM) {
+ if (sk->sk_state != TCP_ESTABLISHED) {
+ ret = -EINVAL;
+ break;
+diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
+index 675cf94..6feddca 100644
+--- a/net/decnet/af_decnet.c
++++ b/net/decnet/af_decnet.c
+@@ -678,6 +678,9 @@ static int dn_create(struct net *net, struct socket *sock,
int protocol,
+ {
+ struct sock *sk;
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (!net_eq(net, &init_net))
+ return -EAFNOSUPPORT;
+
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index 1d0c3ad..4b16cf3 100644
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -261,6 +261,9 @@ static int inet_create(struct net *net, struct socket
*sock, int protocol,
+ int try_loading_module = 0;
+ int err;
+
++ if (protocol < 0 || protocol >= IPPROTO_MAX)
++ return -EINVAL;
++
+ sock->state = SS_UNCONNECTED;
+
+ /* Look for the requested type/protocol pair. */
+diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
+index e0fcbbb..bd903fe 100644
+--- a/net/ipv4/fou.c
++++ b/net/ipv4/fou.c
+@@ -24,6 +24,7 @@ struct fou {
+ u16 type;
+ struct udp_offload udp_offloads;
+ struct list_head list;
++ struct rcu_head rcu;
+ };
+
+ #define FOU_F_REMCSUM_NOPARTIAL BIT(0)
+@@ -417,7 +418,7 @@ static void fou_release(struct fou *fou)
+ list_del(&fou->list);
+ udp_tunnel_sock_release(sock);
+
+- kfree(fou);
++ kfree_rcu(fou, rcu);
+ }
+
+ static int fou_encap_init(struct sock *sk, struct fou *fou, struct fou_cfg
*cfg)
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index a7739c8..d77be28 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -1509,7 +1509,7 @@ bool tcp_prequeue(struct sock *sk, struct sk_buff *skb)
+ if (likely(sk->sk_rx_dst))
+ skb_dst_drop(skb);
+ else
+- skb_dst_force(skb);
++ skb_dst_force_safe(skb);
+
+ __skb_queue_tail(&tp->ucopy.prequeue, skb);
+ tp->ucopy.memory += skb->truesize;
+@@ -1710,8 +1710,7 @@ void inet_sk_rx_dst_set(struct sock *sk, const struct
sk_buff *skb)
+ {
+ struct dst_entry *dst = skb_dst(skb);
+
+- if (dst) {
+- dst_hold(dst);
++ if (dst && dst_hold_safe(dst)) {
+ sk->sk_rx_dst = dst;
+ inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
+ }
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 3dbee0d..c958596 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -3147,7 +3147,7 @@ static int tcp_send_syn_data(struct sock *sk, struct
sk_buff *syn)
+ {
+ struct tcp_sock *tp = tcp_sk(sk);
+ struct tcp_fastopen_request *fo = tp->fastopen_req;
+- int syn_loss = 0, space, err = 0, copied;
++ int syn_loss = 0, space, err = 0;
+ unsigned long last_syn_loss = 0;
+ struct sk_buff *syn_data;
+
+@@ -3185,17 +3185,18 @@ static int tcp_send_syn_data(struct sock *sk, struct
sk_buff *syn)
+ goto fallback;
+ syn_data->ip_summed = CHECKSUM_PARTIAL;
+ memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));
+- copied = copy_from_iter(skb_put(syn_data, space), space,
+- &fo->data->msg_iter);
+- if (unlikely(!copied)) {
+- kfree_skb(syn_data);
+- goto fallback;
+- }
+- if (copied != space) {
+- skb_trim(syn_data, copied);
+- space = copied;
++ if (space) {
++ int copied = copy_from_iter(skb_put(syn_data, space), space,
++ &fo->data->msg_iter);
++ if (unlikely(!copied)) {
++ kfree_skb(syn_data);
++ goto fallback;
++ }
++ if (copied != space) {
++ skb_trim(syn_data, copied);
++ space = copied;
++ }
+ }
+-
+ /* No more data pending in inet_wait_for_connect() */
+ if (space == fo->size)
+ fo->data = NULL;
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 3939dd2..ddd3511 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -349,6 +349,12 @@ static struct inet6_dev *ipv6_add_dev(struct net_device
*dev)
+ setup_timer(&ndev->rs_timer, addrconf_rs_timer,
+ (unsigned long)ndev);
+ memcpy(&ndev->cnf, dev_net(dev)->ipv6.devconf_dflt, sizeof(ndev->cnf));
++
++ if (ndev->cnf.stable_secret.initialized)
++ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
++ else
++ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_EUI64;
++
+ ndev->cnf.mtu6 = dev->mtu;
+ ndev->cnf.sysctl = NULL;
+ ndev->nd_parms = neigh_parms_alloc(dev, &nd_tbl);
+@@ -2453,7 +2459,7 @@ ok:
+ #ifdef CONFIG_IPV6_OPTIMISTIC_DAD
+ if (in6_dev->cnf.optimistic_dad &&
+ !net->ipv6.devconf_all->forwarding && sllao)
+- addr_flags = IFA_F_OPTIMISTIC;
++ addr_flags |= IFA_F_OPTIMISTIC;
+ #endif
+
+ /* Do not allow to create too much of autoconfigured
+diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
+index 38d66dd..df095ee 100644
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, struct socket
*sock, int protocol,
+ int try_loading_module = 0;
+ int err;
+
++ if (protocol < 0 || protocol >= IPPROTO_MAX)
++ return -EINVAL;
++
+ /* Look for the requested type/protocol pair. */
+ lookup_protocol:
+ err = -ESOCKTNOSUPPORT;
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index 3c7b931..e5ea177 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -1571,13 +1571,11 @@ static int ip6gre_changelink(struct net_device *dev,
struct nlattr *tb[],
+ return -EEXIST;
+ } else {
+ t = nt;
+-
+- ip6gre_tunnel_unlink(ign, t);
+- ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]);
+- ip6gre_tunnel_link(ign, t);
+- netdev_state_change(dev);
+ }
+
++ ip6gre_tunnel_unlink(ign, t);
++ ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]);
++ ip6gre_tunnel_link(ign, t);
+ return 0;
+ }
+
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index 9e9b77b..8935dc1 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -93,10 +93,9 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const
struct sk_buff *skb)
+ {
+ struct dst_entry *dst = skb_dst(skb);
+
+- if (dst) {
++ if (dst && dst_hold_safe(dst)) {
+ const struct rt6_info *rt = (const struct rt6_info *)dst;
+
+- dst_hold(dst);
+ sk->sk_rx_dst = dst;
+ inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
+ inet6_sk(sk)->rx_dst_cookie = rt6_get_cookie(rt);
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index fae6822..25f63a8 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net, struct socket
*sock, int protocol,
+ struct sock *sk;
+ struct irda_sock *self;
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (net != &init_net)
+ return -EAFNOSUPPORT;
+
+diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
+index 5009582..cad8c4b 100644
+--- a/net/openvswitch/conntrack.c
++++ b/net/openvswitch/conntrack.c
+@@ -53,6 +53,8 @@ struct ovs_conntrack_info {
+ struct md_labels labels;
+ };
+
++static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info);
++
+ static u16 key_to_nfproto(const struct sw_flow_key *key)
+ {
+ switch (ntohs(key->eth.type)) {
+@@ -141,6 +143,7 @@ static void __ovs_ct_update_key(struct sw_flow_key *key,
u8 state,
+ * previously sent the packet to conntrack via the ct action.
+ */
+ static void ovs_ct_update_key(const struct sk_buff *skb,
++ const struct ovs_conntrack_info *info,
+ struct sw_flow_key *key, bool post_ct)
+ {
+ const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
+@@ -158,13 +161,15 @@ static void ovs_ct_update_key(const struct sk_buff *skb,
+ zone = nf_ct_zone(ct);
+ } else if (post_ct) {
+ state = OVS_CS_F_TRACKED | OVS_CS_F_INVALID;
++ if (info)
++ zone = &info->zone;
+ }
+ __ovs_ct_update_key(key, state, zone, ct);
+ }
+
+ void ovs_ct_fill_key(const struct sk_buff *skb, struct sw_flow_key *key)
+ {
+- ovs_ct_update_key(skb, key, false);
++ ovs_ct_update_key(skb, NULL, key, false);
+ }
+
+ int ovs_ct_put_key(const struct sw_flow_key *key, struct sk_buff *skb)
+@@ -418,7 +423,7 @@ static int __ovs_ct_lookup(struct net *net, struct
sw_flow_key *key,
+ }
+ }
+
+- ovs_ct_update_key(skb, key, true);
++ ovs_ct_update_key(skb, info, key, true);
+
+ return 0;
+ }
+@@ -708,7 +713,7 @@ int ovs_ct_copy_action(struct net *net, const struct
nlattr *attr,
+ nf_conntrack_get(&ct_info.ct->ct_general);
+ return 0;
+ err_free_ct:
+- nf_conntrack_free(ct_info.ct);
++ __ovs_ct_free_action(&ct_info);
+ return err;
+ }
+
+@@ -750,6 +755,11 @@ void ovs_ct_free_action(const struct nlattr *a)
+ {
+ struct ovs_conntrack_info *ct_info = nla_data(a);
+
++ __ovs_ct_free_action(ct_info);
++}
++
++static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info)
++{
+ if (ct_info->helper)
+ module_put(ct_info->helper->me);
+ if (ct_info->ct)
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index 7ec667d..b5c2cf2 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -950,7 +950,7 @@ qdisc_create(struct net_device *dev, struct netdev_queue
*dev_queue,
+ }
+ lockdep_set_class(qdisc_lock(sch), &qdisc_tx_lock);
+ if (!netif_is_multiqueue(dev))
+- sch->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
++ sch->flags |= TCQ_F_ONETXQUEUE;
+ }
+
+ sch->handle = handle;
+diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
+index e917d27..40677cf 100644
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -635,6 +635,7 @@ static struct sock *sctp_v6_create_accept_sk(struct sock
*sk,
+ struct sock *newsk;
+ struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
+ struct sctp6_sock *newsctp6sk;
++ struct ipv6_txoptions *opt;
+
+ newsk = sk_alloc(sock_net(sk), PF_INET6, GFP_KERNEL, sk->sk_prot, 0);
+ if (!newsk)
+@@ -654,6 +655,13 @@ static struct sock *sctp_v6_create_accept_sk(struct sock
*sk,
+
+ memcpy(newnp, np, sizeof(struct ipv6_pinfo));
+
++ rcu_read_lock();
++ opt = rcu_dereference(np->opt);
++ if (opt)
++ opt = ipv6_dup_options(newsk, opt);
++ RCU_INIT_POINTER(newnp->opt, opt);
++ rcu_read_unlock();
++
+ /* Initialize sk's sport, dport, rcv_saddr and daddr for getsockname()
+ * and getpeername().
+ */
+diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
+index 7954c52..8d67d72 100644
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -1652,7 +1652,7 @@ static sctp_cookie_param_t *sctp_pack_cookie(const
struct sctp_endpoint *ep,
+
+ /* Set an expiration time for the cookie. */
+ cookie->c.expiration = ktime_add(asoc->cookie_life,
+- ktime_get());
++ ktime_get_real());
+
+ /* Copy the peer's init packet. */
+ memcpy(&cookie->c.peer_init[0], init_chunk->chunk_hdr,
+@@ -1780,7 +1780,7 @@ no_hmac:
+ if (sock_flag(ep->base.sk, SOCK_TIMESTAMP))
+ kt = skb_get_ktime(skb);
+ else
+- kt = ktime_get();
++ kt = ktime_get_real();
+
+ if (!asoc && ktime_before(bear_cookie->expiration, kt)) {
+ /*
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 3ec88be..84b1b50 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -7163,6 +7163,7 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk,
+ newsk->sk_type = sk->sk_type;
+ newsk->sk_bound_dev_if = sk->sk_bound_dev_if;
+ newsk->sk_flags = sk->sk_flags;
++ newsk->sk_tsflags = sk->sk_tsflags;
+ newsk->sk_no_check_tx = sk->sk_no_check_tx;
+ newsk->sk_no_check_rx = sk->sk_no_check_rx;
+ newsk->sk_reuse = sk->sk_reuse;
+@@ -7195,6 +7196,9 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk,
+ newinet->mc_ttl = 1;
+ newinet->mc_index = 0;
+ newinet->mc_list = NULL;
++
++ if (newsk->sk_flags & SK_FLAGS_TIMESTAMP)
++ net_enable_timestamp();
+ }
+
+ static inline void sctp_copy_descendant(struct sock *sk_to,
+diff --git a/net/socket.c b/net/socket.c
+index 9963a0b..f3fbe17 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1702,6 +1702,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf,
size_t, size,
+ msg.msg_name = addr ? (struct sockaddr *)&address : NULL;
+ /* We assume all kernel code knows the size of sockaddr_storage */
+ msg.msg_namelen = 0;
++ msg.msg_iocb = NULL;
+ if (sock->file->f_flags & O_NONBLOCK)
+ flags |= MSG_DONTWAIT;
+ err = sock_recvmsg(sock, &msg, iov_iter_count(&msg.msg_iter), flags);
+diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
+index 86f2e7c..73bdf1b 100644
+--- a/net/tipc/udp_media.c
++++ b/net/tipc/udp_media.c
+@@ -162,7 +162,7 @@ static int tipc_udp_send_msg(struct net *net, struct
sk_buff *skb,
+ if (skb_headroom(skb) < UDP_MIN_HEADROOM) {
+ err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
+ if (err)
+- goto tx_error;
++ return err;
+ }
+
+ clone = skb_clone(skb, GFP_ATOMIC);
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 128b098..0fc6dba 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2255,14 +2255,7 @@ static int unix_stream_read_generic(struct
unix_stream_read_state *state)
+ /* Lock the socket to prevent queue disordering
+ * while sleeps in memcpy_tomsg
+ */
+- err = mutex_lock_interruptible(&u->readlock);
+- if (unlikely(err)) {
+- /* recvmsg() in non blocking mode is supposed to return -EAGAIN
+- * sk_rcvtimeo is not honored by mutex_lock_interruptible()
+- */
+- err = noblock ? -EAGAIN : -ERESTARTSYS;
+- goto out;
+- }
++ mutex_lock(&u->readlock);
+
+ if (flags & MSG_PEEK)
+ skip = sk_peek_offset(sk, flags);
+@@ -2306,12 +2299,12 @@ again:
+ timeo = unix_stream_data_wait(sk, timeo, last,
+ last_len);
+
+- if (signal_pending(current) ||
+- mutex_lock_interruptible(&u->readlock)) {
++ if (signal_pending(current)) {
+ err = sock_intr_errno(timeo);
+ goto out;
+ }
+
++ mutex_lock(&u->readlock);
+ continue;
+ unlock:
+ unix_state_unlock(sk);
+diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
+index 0b9ec78..26f0e0a 100644
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -757,16 +757,16 @@ long keyctl_read_key(key_serial_t keyid, char __user
*buffer, size_t buflen)
+
+ /* the key is probably readable - now try to read it */
+ can_read_key:
+- ret = key_validate(key);
+- if (ret == 0) {
+- ret = -EOPNOTSUPP;
+- if (key->type->read) {
+- /* read the data with the semaphore held (since we
+- * might sleep) */
+- down_read(&key->sem);
++ ret = -EOPNOTSUPP;
++ if (key->type->read) {
++ /* Read the data with the semaphore held (since we might sleep)
++ * to protect against the key being updated or revoked.
++ */
++ down_read(&key->sem);
++ ret = key_validate(key);
++ if (ret == 0)
+ ret = key->type->read(key, buffer, buflen);
+- up_read(&key->sem);
+- }
++ up_read(&key->sem);
+ }
+
+ error2:
+diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
+index 43b4cdd..7877e5c 100644
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
+ ret = PTR_ERR(keyring);
+ goto error2;
+ } else if (keyring == new->session_keyring) {
++ key_put(keyring);
+ ret = 0;
+ goto error2;
+ }
diff --git a/4.3.3/4420_grsecurity-3.1-4.3.3-201601192226.patch
b/4.3.4/4420_grsecurity-3.1-4.3.4-201601231215.patch
similarity index 99%
rename from 4.3.3/4420_grsecurity-3.1-4.3.3-201601192226.patch
rename to 4.3.4/4420_grsecurity-3.1-4.3.4-201601231215.patch
index e9f29bb..db01d7f 100644
--- a/4.3.3/4420_grsecurity-3.1-4.3.3-201601192226.patch
+++ b/4.3.4/4420_grsecurity-3.1-4.3.4-201601231215.patch
@@ -377,6 +377,47 @@ index 22a4b68..0ec4c2a 100644
pcbit= [HW,ISDN]
pcd. [PARIDE]
+diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt
+index 88152f2..302b5ed 100644
+--- a/Documentation/sysctl/fs.txt
++++ b/Documentation/sysctl/fs.txt
+@@ -32,6 +32,8 @@ Currently, these files are in /proc/sys/fs:
+ - nr_open
+ - overflowuid
+ - overflowgid
++- pipe-user-pages-hard
++- pipe-user-pages-soft
+ - protected_hardlinks
+ - protected_symlinks
+ - suid_dumpable
+@@ -159,6 +161,27 @@ The default is 65534.
+
+ ==============================================================
+
++pipe-user-pages-hard:
++
++Maximum total number of pages a non-privileged user may allocate for pipes.
++Once this limit is reached, no new pipes may be allocated until usage goes
++below the limit again. When set to 0, no limit is applied, which is the
default
++setting.
++
++==============================================================
++
++pipe-user-pages-soft:
++
++Maximum total number of pages a non-privileged user may allocate for pipes
++before the pipe size gets limited to a single page. Once this limit is
reached,
++new pipes will be limited to a single page in size for this user in order to
++limit total memory usage, and trying to increase them using fcntl() will be
++denied until usage goes below the limit again. The default value allows to
++allocate up to 1024 pipes at their default size. When set to 0, no limit is
++applied.
++
++==============================================================
++
+ protected_hardlinks:
+
+ A long-standing class of security issues is the hardlink-based
diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
index 6fccb69..60c7c7a 100644
--- a/Documentation/sysctl/kernel.txt
@@ -411,7 +452,7 @@ index 6fccb69..60c7c7a 100644
A toggle value indicating if modules are allowed to be loaded
diff --git a/Makefile b/Makefile
-index 2070d16..0bc2be1 100644
+index 69430ed..8fa626c 100644
--- a/Makefile
+++ b/Makefile
@@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo
$$BASH; \
@@ -38027,7 +38068,7 @@ index 7cfbda4..74f738c 100644
set_no_mwait, "Extensa 5220", {
DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c
-index 2f0d4db..b9e9b15 100644
+index 3fe1fbe..198eb5f 100644
--- a/drivers/acpi/sleep.c
+++ b/drivers/acpi/sleep.c
@@ -148,7 +148,7 @@ static int __init init_nvs_nosave(const struct
dmi_system_id *d)
@@ -52578,69 +52619,6 @@ index ed00446..943fe2c 100644
break;
err = 0;
break;
-diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
-index 5e0b432..0a37f84 100644
---- a/drivers/net/ppp/pppoe.c
-+++ b/drivers/net/ppp/pppoe.c
-@@ -568,6 +568,9 @@ static int pppoe_create(struct net *net, struct socket
*sock, int kern)
- sk->sk_family = PF_PPPOX;
- sk->sk_protocol = PX_PROTO_OE;
-
-+ INIT_WORK(&pppox_sk(sk)->proto.pppoe.padt_work,
-+ pppoe_unbind_sock_work);
-+
- return 0;
- }
-
-@@ -632,8 +635,6 @@ static int pppoe_connect(struct socket *sock, struct
sockaddr *uservaddr,
-
- lock_sock(sk);
-
-- INIT_WORK(&po->proto.pppoe.padt_work, pppoe_unbind_sock_work);
--
- error = -EINVAL;
- if (sp->sa_protocol != PX_PROTO_OE)
- goto end;
-@@ -663,8 +664,13 @@ static int pppoe_connect(struct socket *sock, struct
sockaddr *uservaddr,
- po->pppoe_dev = NULL;
- }
-
-- memset(sk_pppox(po) + 1, 0,
-- sizeof(struct pppox_sock) - sizeof(struct sock));
-+ po->pppoe_ifindex = 0;
-+ memset(&po->pppoe_pa, 0, sizeof(po->pppoe_pa));
-+ memset(&po->pppoe_relay, 0, sizeof(po->pppoe_relay));
-+ memset(&po->chan, 0, sizeof(po->chan));
-+ po->next = NULL;
-+ po->num = 0;
-+
- sk->sk_state = PPPOX_NONE;
- }
-
-diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
-index 686f37d..b910cae 100644
---- a/drivers/net/ppp/pptp.c
-+++ b/drivers/net/ppp/pptp.c
-@@ -418,6 +418,9 @@ static int pptp_bind(struct socket *sock, struct sockaddr
*uservaddr,
- struct pptp_opt *opt = &po->proto.pptp;
- int error = 0;
-
-+ if (sockaddr_len < sizeof(struct sockaddr_pppox))
-+ return -EINVAL;
-+
- lock_sock(sk);
-
- opt->src_addr = sp->sa_addr.pptp;
-@@ -439,6 +442,9 @@ static int pptp_connect(struct socket *sock, struct
sockaddr *uservaddr,
- struct flowi4 fl4;
- int error = 0;
-
-+ if (sockaddr_len < sizeof(struct sockaddr_pppox))
-+ return -EINVAL;
-+
- if (sp->sa_protocol != PX_PROTO_PPTP)
- return -EINVAL;
-
diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
index 079f7ad..7e59810 100644
--- a/drivers/net/slip/slhc.c
@@ -52824,7 +52802,7 @@ index 111d907..1ee643e 100644
hso_start_serial_device(serial_table[i],
GFP_NOIO);
hso_kick_transmit(dev2ser(serial_table[i]));
diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
-index d9427ca..37520a8 100644
+index 2e32c41..4899cb7 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -615,7 +615,7 @@ struct r8152 {
@@ -52872,10 +52850,10 @@ index d8838ded..6c93f77 100644
#define VIRTNET_DRIVER_VERSION "1.0.0"
diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
-index c9e309c..745a638 100644
+index 374feba..01ba30e 100644
--- a/drivers/net/vrf.c
+++ b/drivers/net/vrf.c
-@@ -618,7 +618,7 @@ static const struct nla_policy vrf_nl_policy[IFLA_VRF_MAX
+ 1] = {
+@@ -628,7 +628,7 @@ static const struct nla_policy vrf_nl_policy[IFLA_VRF_MAX
+ 1] = {
[IFLA_VRF_TABLE] = { .type = NLA_U32 },
};
@@ -59122,7 +59100,7 @@ index 4d64e5c4..e21932a 100644
wake_up(&usb_kill_urb_queue);
usb_put_urb(urb);
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
-index 431839b..8d241f6 100644
+index 522f766..6ddc50b 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -26,6 +26,7 @@
@@ -59133,7 +59111,7 @@ index 431839b..8d241f6 100644
#include <asm/uaccess.h>
#include <asm/byteorder.h>
-@@ -4659,6 +4660,10 @@ static void hub_port_connect(struct usb_hub *hub, int
port1, u16 portstatus,
+@@ -4665,6 +4666,10 @@ static void hub_port_connect(struct usb_hub *hub, int
port1, u16 portstatus,
goto done;
return;
}
@@ -83772,19 +83750,25 @@ index e38ee0f..6fc10e4 100644
struct ovl_entry *oe;
struct ovl_fs *ufs;
diff --git a/fs/pipe.c b/fs/pipe.c
-index 8865f79..bd2c79b 100644
+index 8865f79..15e6391 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
-@@ -36,7 +36,7 @@ unsigned int pipe_max_size = 1048576;
+@@ -36,7 +36,13 @@ unsigned int pipe_max_size = 1048576;
/*
* Minimum pipe size, as required by POSIX
*/
-unsigned int pipe_min_size = PAGE_SIZE;
+unsigned int pipe_min_size __read_only = PAGE_SIZE;
++
++/* Maximum allocatable pages per user. Hard limit is unset by default, soft
++ * matches default values.
++ */
++unsigned long pipe_user_pages_hard;
++unsigned long pipe_user_pages_soft = PIPE_DEF_BUFFERS * INR_OPEN_CUR;
/*
* We use a start+len construction, which provides full use of the
-@@ -55,7 +55,7 @@ unsigned int pipe_min_size = PAGE_SIZE;
+@@ -55,7 +61,7 @@ unsigned int pipe_min_size = PAGE_SIZE;
static void pipe_lock_nested(struct pipe_inode_info *pipe, int subclass)
{
@@ -83793,7 +83777,7 @@ index 8865f79..bd2c79b 100644
mutex_lock_nested(&pipe->mutex, subclass);
}
-@@ -70,7 +70,7 @@ EXPORT_SYMBOL(pipe_lock);
+@@ -70,7 +76,7 @@ EXPORT_SYMBOL(pipe_lock);
void pipe_unlock(struct pipe_inode_info *pipe)
{
@@ -83802,7 +83786,7 @@ index 8865f79..bd2c79b 100644
mutex_unlock(&pipe->mutex);
}
EXPORT_SYMBOL(pipe_unlock);
-@@ -291,9 +291,9 @@ pipe_read(struct kiocb *iocb, struct iov_iter *to)
+@@ -291,9 +297,9 @@ pipe_read(struct kiocb *iocb, struct iov_iter *to)
}
if (bufs) /* More to do? */
continue;
@@ -83814,7 +83798,7 @@ index 8865f79..bd2c79b 100644
/* syscall merging: Usually we must not sleep
* if O_NONBLOCK is set, or if we got some data.
* But if a writer sleeps in kernel space, then
-@@ -350,7 +350,7 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
+@@ -350,7 +356,7 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
__pipe_lock(pipe);
@@ -83823,7 +83807,7 @@ index 8865f79..bd2c79b 100644
send_sig(SIGPIPE, current, 0);
ret = -EPIPE;
goto out;
-@@ -386,7 +386,7 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
+@@ -386,7 +392,7 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
for (;;) {
int bufs;
@@ -83832,7 +83816,7 @@ index 8865f79..bd2c79b 100644
send_sig(SIGPIPE, current, 0);
if (!ret)
ret = -EPIPE;
-@@ -454,9 +454,9 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
+@@ -454,9 +460,9 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
do_wakeup = 0;
}
@@ -83844,7 +83828,7 @@ index 8865f79..bd2c79b 100644
}
out:
__pipe_unlock(pipe);
-@@ -511,7 +511,7 @@ pipe_poll(struct file *filp, poll_table *wait)
+@@ -511,7 +517,7 @@ pipe_poll(struct file *filp, poll_table *wait)
mask = 0;
if (filp->f_mode & FMODE_READ) {
mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
@@ -83853,7 +83837,7 @@ index 8865f79..bd2c79b 100644
mask |= POLLHUP;
}
-@@ -521,7 +521,7 @@ pipe_poll(struct file *filp, poll_table *wait)
+@@ -521,7 +527,7 @@ pipe_poll(struct file *filp, poll_table *wait)
* Most Unices do not set POLLERR for FIFOs but on Linux they
* behave exactly like pipes for poll().
*/
@@ -83862,7 +83846,7 @@ index 8865f79..bd2c79b 100644
mask |= POLLERR;
}
-@@ -533,7 +533,7 @@ static void put_pipe_info(struct inode *inode, struct
pipe_inode_info *pipe)
+@@ -533,7 +539,7 @@ static void put_pipe_info(struct inode *inode, struct
pipe_inode_info *pipe)
int kill = 0;
spin_lock(&inode->i_lock);
@@ -83871,7 +83855,7 @@ index 8865f79..bd2c79b 100644
inode->i_pipe = NULL;
kill = 1;
}
-@@ -550,11 +550,11 @@ pipe_release(struct inode *inode, struct file *file)
+@@ -550,11 +556,11 @@ pipe_release(struct inode *inode, struct file *file)
__pipe_lock(pipe);
if (file->f_mode & FMODE_READ)
@@ -83886,7 +83870,68 @@ index 8865f79..bd2c79b 100644
wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT |
POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
-@@ -619,7 +619,7 @@ void free_pipe_info(struct pipe_inode_info *pipe)
+@@ -584,20 +590,49 @@ pipe_fasync(int fd, struct file *filp, int on)
+ return retval;
+ }
+
++static void account_pipe_buffers(struct pipe_inode_info *pipe,
++ unsigned long old, unsigned long new)
++{
++ atomic_long_add(new - old, &pipe->user->pipe_bufs);
++}
++
++static bool too_many_pipe_buffers_soft(struct user_struct *user)
++{
++ return pipe_user_pages_soft &&
++ atomic_long_read(&user->pipe_bufs) >= pipe_user_pages_soft;
++}
++
++static bool too_many_pipe_buffers_hard(struct user_struct *user)
++{
++ return pipe_user_pages_hard &&
++ atomic_long_read(&user->pipe_bufs) >= pipe_user_pages_hard;
++}
++
+ struct pipe_inode_info *alloc_pipe_info(void)
+ {
+ struct pipe_inode_info *pipe;
+
+ pipe = kzalloc(sizeof(struct pipe_inode_info), GFP_KERNEL);
+ if (pipe) {
+- pipe->bufs = kzalloc(sizeof(struct pipe_buffer) *
PIPE_DEF_BUFFERS, GFP_KERNEL);
++ unsigned long pipe_bufs = PIPE_DEF_BUFFERS;
++ struct user_struct *user = get_current_user();
++
++ if (!too_many_pipe_buffers_hard(user)) {
++ if (too_many_pipe_buffers_soft(user))
++ pipe_bufs = 1;
++ pipe->bufs = kzalloc(sizeof(struct pipe_buffer) *
pipe_bufs, GFP_KERNEL);
++ }
++
+ if (pipe->bufs) {
+ init_waitqueue_head(&pipe->wait);
+ pipe->r_counter = pipe->w_counter = 1;
+- pipe->buffers = PIPE_DEF_BUFFERS;
++ pipe->buffers = pipe_bufs;
++ pipe->user = user;
++ account_pipe_buffers(pipe, 0, pipe_bufs);
+ mutex_init(&pipe->mutex);
+ return pipe;
+ }
++ free_uid(user);
+ kfree(pipe);
+ }
+
+@@ -608,6 +643,8 @@ void free_pipe_info(struct pipe_inode_info *pipe)
+ {
+ int i;
+
++ account_pipe_buffers(pipe, pipe->buffers, 0);
++ free_uid(pipe->user);
+ for (i = 0; i < pipe->buffers; i++) {
+ struct pipe_buffer *buf = pipe->bufs + i;
+ if (buf->ops)
+@@ -619,7 +656,7 @@ void free_pipe_info(struct pipe_inode_info *pipe)
kfree(pipe);
}
@@ -83895,7 +83940,7 @@ index 8865f79..bd2c79b 100644
/*
* pipefs_dname() is called from d_path().
-@@ -649,8 +649,9 @@ static struct inode * get_pipe_inode(void)
+@@ -649,8 +686,9 @@ static struct inode * get_pipe_inode(void)
goto fail_iput;
inode->i_pipe = pipe;
@@ -83907,7 +83952,7 @@ index 8865f79..bd2c79b 100644
inode->i_fop = &pipefifo_fops;
/*
-@@ -829,17 +830,17 @@ static int fifo_open(struct inode *inode, struct file
*filp)
+@@ -829,17 +867,17 @@ static int fifo_open(struct inode *inode, struct file
*filp)
spin_lock(&inode->i_lock);
if (inode->i_pipe) {
pipe = inode->i_pipe;
@@ -83928,7 +83973,7 @@ index 8865f79..bd2c79b 100644
spin_unlock(&inode->i_lock);
free_pipe_info(pipe);
pipe = inode->i_pipe;
-@@ -864,10 +865,10 @@ static int fifo_open(struct inode *inode, struct file
*filp)
+@@ -864,10 +902,10 @@ static int fifo_open(struct inode *inode, struct file
*filp)
* opened, even when there is no process writing the FIFO.
*/
pipe->r_counter++;
@@ -83941,7 +83986,7 @@ index 8865f79..bd2c79b 100644
if ((filp->f_flags & O_NONBLOCK)) {
/* suppress POLLHUP until we have
* seen a writer */
-@@ -886,14 +887,14 @@ static int fifo_open(struct inode *inode, struct file
*filp)
+@@ -886,14 +924,14 @@ static int fifo_open(struct inode *inode, struct file
*filp)
* errno=ENXIO when there is no process reading the FIFO.
*/
ret = -ENXIO;
@@ -83959,7 +84004,7 @@ index 8865f79..bd2c79b 100644
if (wait_for_partner(pipe, &pipe->r_counter))
goto err_wr;
}
-@@ -907,11 +908,11 @@ static int fifo_open(struct inode *inode, struct file
*filp)
+@@ -907,11 +945,11 @@ static int fifo_open(struct inode *inode, struct file
*filp)
* the process can at least talk to itself.
*/
@@ -83974,7 +84019,7 @@ index 8865f79..bd2c79b 100644
wake_up_partner(pipe);
break;
-@@ -925,13 +926,13 @@ static int fifo_open(struct inode *inode, struct file
*filp)
+@@ -925,13 +963,13 @@ static int fifo_open(struct inode *inode, struct file
*filp)
return 0;
err_rd:
@@ -83990,7 +84035,15 @@ index 8865f79..bd2c79b 100644
wake_up_interruptible(&pipe->wait);
ret = -ERESTARTSYS;
goto err;
-@@ -1007,7 +1008,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe,
unsigned long nr_pages)
+@@ -996,6 +1034,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe,
unsigned long nr_pages)
+ memcpy(bufs + head, pipe->bufs, tail * sizeof(struct
pipe_buffer));
+ }
+
++ account_pipe_buffers(pipe, pipe->buffers, nr_pages);
+ pipe->curbuf = 0;
+ kfree(pipe->bufs);
+ pipe->bufs = bufs;
+@@ -1007,7 +1046,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe,
unsigned long nr_pages)
* Currently we rely on the pipe array holding a power-of-2 number
* of pages.
*/
@@ -83999,7 +84052,7 @@ index 8865f79..bd2c79b 100644
{
unsigned long nr_pages;
-@@ -1055,13 +1056,16 @@ long pipe_fcntl(struct file *file, unsigned int cmd,
unsigned long arg)
+@@ -1055,18 +1094,26 @@ long pipe_fcntl(struct file *file, unsigned int cmd,
unsigned long arg)
switch (cmd) {
case F_SETPIPE_SZ: {
@@ -84019,6 +84072,16 @@ index 8865f79..bd2c79b 100644
goto out;
if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) {
+ ret = -EPERM;
+ goto out;
++ } else if ((too_many_pipe_buffers_hard(pipe->user) ||
++ too_many_pipe_buffers_soft(pipe->user)) &&
++ !capable(CAP_SYS_RESOURCE) &&
!capable(CAP_SYS_ADMIN)) {
++ ret = -EPERM;
++ goto out;
+ }
+ ret = pipe_set_size(pipe, nr_pages);
+ break;
diff --git a/fs/posix_acl.c b/fs/posix_acl.c
index 4fb17de..13d8c0f 100644
--- a/fs/posix_acl.c
@@ -103305,10 +103368,16 @@ index 918b117..7af374b7 100644
extern struct pid_namespace init_pid_ns;
diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h
-index eb8b8ac..62649e1 100644
+index eb8b8ac..deb6089 100644
--- a/include/linux/pipe_fs_i.h
+++ b/include/linux/pipe_fs_i.h
-@@ -47,10 +47,10 @@ struct pipe_inode_info {
+@@ -42,21 +42,23 @@ struct pipe_buffer {
+ * @fasync_readers: reader side fasync
+ * @fasync_writers: writer side fasync
+ * @bufs: the circular array of pipe buffers
++ * @user: the user who created this pipe
+ **/
+ struct pipe_inode_info {
struct mutex mutex;
wait_queue_head_t wait;
unsigned int nrbufs, curbuf, buffers;
@@ -103323,6 +103392,22 @@ index eb8b8ac..62649e1 100644
unsigned int r_counter;
unsigned int w_counter;
struct page *tmp_page;
+ struct fasync_struct *fasync_readers;
+ struct fasync_struct *fasync_writers;
+ struct pipe_buffer *bufs;
++ struct user_struct *user;
+ };
+
+ /*
+@@ -123,6 +125,8 @@ void pipe_unlock(struct pipe_inode_info *);
+ void pipe_double_lock(struct pipe_inode_info *, struct pipe_inode_info *);
+
+ extern unsigned int pipe_max_size, pipe_min_size;
++extern unsigned long pipe_user_pages_hard;
++extern unsigned long pipe_user_pages_soft;
+ int pipe_proc_fn(struct ctl_table *, int, void __user *, size_t *, loff_t *);
+
+
diff --git a/include/linux/pm.h b/include/linux/pm.h
index 35d599e..c604209 100644
--- a/include/linux/pm.h
@@ -103957,7 +104042,7 @@ index 556ec1e..38c19c9 100644
/*
diff --git a/include/linux/sched.h b/include/linux/sched.h
-index b7b9501..ab1a134 100644
+index b7b9501..f1e65cf 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -7,7 +7,7 @@
@@ -104024,11 +104109,12 @@ index b7b9501..ab1a134 100644
/*
* Bits in flags field of signal_struct.
-@@ -830,12 +855,21 @@ struct user_struct {
+@@ -830,12 +855,22 @@ struct user_struct {
unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */
#endif
unsigned long locked_shm; /* How many pages of mlocked shm ? */
+ unsigned long unix_inflight; /* How many files in flight in unix
sockets */
++ atomic_long_t pipe_bufs; /* how many pages are allocated in pipe
buffers */
#ifdef CONFIG_KEYS
struct key *uid_keyring; /* UID specific keyring */
@@ -104046,7 +104132,7 @@ index b7b9501..ab1a134 100644
/* Hash table maintenance information */
struct hlist_node uidhash_node;
kuid_t uid;
-@@ -843,7 +877,7 @@ struct user_struct {
+@@ -843,7 +878,7 @@ struct user_struct {
#ifdef CONFIG_PERF_EVENTS
atomic_long_t locked_vm;
#endif
@@ -104055,7 +104141,7 @@ index b7b9501..ab1a134 100644
extern int uids_sysfs_init(void);
-@@ -1378,6 +1412,9 @@ struct tlbflush_unmap_batch {
+@@ -1378,6 +1413,9 @@ struct tlbflush_unmap_batch {
struct task_struct {
volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
void *stack;
@@ -104065,7 +104151,7 @@ index b7b9501..ab1a134 100644
atomic_t usage;
unsigned int flags; /* per process flags, defined below */
unsigned int ptrace;
-@@ -1510,8 +1547,8 @@ struct task_struct {
+@@ -1510,8 +1548,8 @@ struct task_struct {
struct list_head thread_node;
struct completion *vfork_done; /* for vfork() */
@@ -104076,7 +104162,7 @@ index b7b9501..ab1a134 100644
cputime_t utime, stime, utimescaled, stimescaled;
cputime_t gtime;
-@@ -1534,11 +1571,6 @@ struct task_struct {
+@@ -1534,11 +1572,6 @@ struct task_struct {
struct task_cputime cputime_expires;
struct list_head cpu_timers[3];
@@ -104088,7 +104174,7 @@ index b7b9501..ab1a134 100644
char comm[TASK_COMM_LEN]; /* executable name excluding path
- access with [gs]et_task_comm (which lock
it with task_lock())
-@@ -1554,6 +1586,8 @@ struct task_struct {
+@@ -1554,6 +1587,8 @@ struct task_struct {
/* hung task detection */
unsigned long last_switch_count;
#endif
@@ -104097,7 +104183,7 @@ index b7b9501..ab1a134 100644
/* filesystem information */
struct fs_struct *fs;
/* open file information */
-@@ -1630,6 +1664,10 @@ struct task_struct {
+@@ -1630,6 +1665,10 @@ struct task_struct {
gfp_t lockdep_reclaim_gfp;
#endif
@@ -104108,7 +104194,7 @@ index b7b9501..ab1a134 100644
/* journalling filesystem info */
void *journal_info;
-@@ -1668,6 +1706,10 @@ struct task_struct {
+@@ -1668,6 +1707,10 @@ struct task_struct {
/* cg_list protected by css_set_lock and tsk->alloc_lock */
struct list_head cg_list;
#endif
@@ -104119,7 +104205,7 @@ index b7b9501..ab1a134 100644
#ifdef CONFIG_FUTEX
struct robust_list_head __user *robust_list;
#ifdef CONFIG_COMPAT
-@@ -1783,7 +1825,7 @@ struct task_struct {
+@@ -1783,7 +1826,7 @@ struct task_struct {
* Number of functions that haven't been traced
* because of depth overrun.
*/
@@ -104128,7 +104214,7 @@ index b7b9501..ab1a134 100644
/* Pause for the tracing */
atomic_t tracing_graph_pause;
#endif
-@@ -1812,22 +1854,89 @@ struct task_struct {
+@@ -1812,22 +1855,89 @@ struct task_struct {
unsigned long task_state_change;
#endif
int pagefault_disabled;
@@ -104228,7 +104314,7 @@ index b7b9501..ab1a134 100644
/* Future-safe accessor for struct task_struct's cpus_allowed. */
#define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
-@@ -1909,7 +2018,7 @@ struct pid_namespace;
+@@ -1909,7 +2019,7 @@ struct pid_namespace;
pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type,
struct pid_namespace *ns);
@@ -104237,7 +104323,7 @@ index b7b9501..ab1a134 100644
{
return tsk->pid;
}
-@@ -2270,6 +2379,25 @@ extern u64 sched_clock_cpu(int cpu);
+@@ -2270,6 +2380,25 @@ extern u64 sched_clock_cpu(int cpu);
extern void sched_clock_init(void);
@@ -104263,7 +104349,7 @@ index b7b9501..ab1a134 100644
#ifndef CONFIG_HAVE_UNSTABLE_SCHED_CLOCK
static inline void sched_clock_tick(void)
{
-@@ -2398,7 +2526,9 @@ extern void set_curr_task(int cpu, struct task_struct
*p);
+@@ -2398,7 +2527,9 @@ extern void set_curr_task(int cpu, struct task_struct
*p);
void yield(void);
union thread_union {
@@ -104273,7 +104359,7 @@ index b7b9501..ab1a134 100644
unsigned long stack[THREAD_SIZE/sizeof(long)];
};
-@@ -2431,6 +2561,7 @@ extern struct pid_namespace init_pid_ns;
+@@ -2431,6 +2562,7 @@ extern struct pid_namespace init_pid_ns;
*/
extern struct task_struct *find_task_by_vpid(pid_t nr);
@@ -104281,7 +104367,7 @@ index b7b9501..ab1a134 100644
extern struct task_struct *find_task_by_pid_ns(pid_t nr,
struct pid_namespace *ns);
-@@ -2462,7 +2593,7 @@ extern void proc_caches_init(void);
+@@ -2462,7 +2594,7 @@ extern void proc_caches_init(void);
extern void flush_signals(struct task_struct *);
extern void ignore_signals(struct task_struct *);
extern void flush_signal_handlers(struct task_struct *, int force_default);
@@ -104290,7 +104376,7 @@ index b7b9501..ab1a134 100644
static inline int dequeue_signal_lock(struct task_struct *tsk, sigset_t
*mask, siginfo_t *info)
{
-@@ -2608,7 +2739,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
+@@ -2608,7 +2740,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
extern void exit_itimers(struct signal_struct *);
extern void flush_itimer_signals(void);
@@ -104299,7 +104385,7 @@ index b7b9501..ab1a134 100644
extern int do_execve(struct filename *,
const char __user * const __user *,
-@@ -2723,11 +2854,13 @@ static inline int thread_group_empty(struct
task_struct *p)
+@@ -2723,11 +2855,13 @@ static inline int thread_group_empty(struct
task_struct *p)
* It must not be nested with write_lock_irq(&tasklist_lock),
* neither inside nor outside.
*/
@@ -104313,7 +104399,7 @@ index b7b9501..ab1a134 100644
static inline void task_unlock(struct task_struct *p)
{
spin_unlock(&p->alloc_lock);
-@@ -2813,9 +2946,9 @@ static inline unsigned long *end_of_stack(struct
task_struct *p)
+@@ -2813,9 +2947,9 @@ static inline unsigned long *end_of_stack(struct
task_struct *p)
#define task_stack_end_corrupted(task) \
(*(end_of_stack(task)) != STACK_END_MAGIC)
@@ -105919,50 +106005,6 @@ index f2ae33d..c457cf0 100644
struct list_head list;
/* Protects from simultaneous access to first_req list */
spinlock_t info_list_lock;
-diff --git a/include/net/dst.h b/include/net/dst.h
-index 9261d92..e7fa2e2 100644
---- a/include/net/dst.h
-+++ b/include/net/dst.h
-@@ -322,6 +322,39 @@ static inline void skb_dst_force(struct sk_buff *skb)
- }
- }
-
-+/**
-+ * dst_hold_safe - Take a reference on a dst if possible
-+ * @dst: pointer to dst entry
-+ *
-+ * This helper returns false if it could not safely
-+ * take a reference on a dst.
-+ */
-+static inline bool dst_hold_safe(struct dst_entry *dst)
-+{
-+ if (dst->flags & DST_NOCACHE)
-+ return atomic_inc_not_zero(&dst->__refcnt);
-+ dst_hold(dst);
-+ return true;
-+}
-+
-+/**
-+ * skb_dst_force_safe - makes sure skb dst is refcounted
-+ * @skb: buffer
-+ *
-+ * If dst is not yet refcounted and not destroyed, grab a ref on it.
-+ */
-+static inline void skb_dst_force_safe(struct sk_buff *skb)
-+{
-+ if (skb_dst_is_noref(skb)) {
-+ struct dst_entry *dst = skb_dst(skb);
-+
-+ if (!dst_hold_safe(dst))
-+ dst = NULL;
-+
-+ skb->_skb_refdst = (unsigned long)dst;
-+ }
-+}
-+
-
- /**
- * __skb_tunnel_rx - prepare skb for rx reinsert
diff --git a/include/net/flow.h b/include/net/flow.h
index 9b85db8..e76e5c7 100644
--- a/include/net/flow.h
@@ -106029,7 +106071,7 @@ index 47eb67b..0e733b2 100644
unsigned char rr;
unsigned char ts;
diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h
-index 4a6009d..f7d9c53 100644
+index 235c781..160d4a3 100644
--- a/include/net/inetpeer.h
+++ b/include/net/inetpeer.h
@@ -52,7 +52,7 @@ struct inet_peer {
@@ -106327,6 +106369,26 @@ index 2dcea63..31d53ba 100644
}
#endif /* __NET_NET_NAMESPACE_H */
+diff --git a/include/net/netfilter/nf_conntrack_core.h
b/include/net/netfilter/nf_conntrack_core.h
+index c03f9c4..068b836 100644
+--- a/include/net/netfilter/nf_conntrack_core.h
++++ b/include/net/netfilter/nf_conntrack_core.h
+@@ -78,12 +78,10 @@ print_tuple(struct seq_file *s, const struct
nf_conntrack_tuple *tuple,
+ const struct nf_conntrack_l3proto *l3proto,
+ const struct nf_conntrack_l4proto *proto);
+
+-#ifdef CONFIG_LOCKDEP
+-# define CONNTRACK_LOCKS 8
+-#else
+-# define CONNTRACK_LOCKS 1024
+-#endif
++#define CONNTRACK_LOCKS 1024
++
+ extern spinlock_t nf_conntrack_locks[CONNTRACK_LOCKS];
++void nf_conntrack_lock(spinlock_t *lock);
+
+ extern spinlock_t nf_conntrack_expect_lock;
+
diff --git a/include/net/netlink.h b/include/net/netlink.h
index 2a5dbcc..8243656 100644
--- a/include/net/netlink.h
@@ -106514,7 +106576,7 @@ index 495c87e..5b327ff 100644
/* Structure to track chunk fragments that have been acked, but peer
diff --git a/include/net/sock.h b/include/net/sock.h
-index e237170..6cfe0bf 100644
+index bca709a..75776c9 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -198,7 +198,7 @@ struct sock_common {
@@ -106535,16 +106597,7 @@ index e237170..6cfe0bf 100644
int sk_rcvbuf;
struct sk_filter __rcu *sk_filter;
-@@ -798,7 +798,7 @@ void sk_stream_write_space(struct sock *sk);
- static inline void __sk_add_backlog(struct sock *sk, struct sk_buff *skb)
- {
- /* dont let skb dst not refcounted, we are going to leave rcu lock */
-- skb_dst_force(skb);
-+ skb_dst_force_safe(skb);
-
- if (!sk->sk_backlog.tail)
- sk->sk_backlog.head = skb;
-@@ -1048,7 +1048,7 @@ struct proto {
+@@ -1051,7 +1051,7 @@ struct proto {
void (*destroy_cgroup)(struct mem_cgroup *memcg);
struct cg_proto *(*proto_cgroup)(struct mem_cgroup *memcg);
#endif
@@ -106553,7 +106606,7 @@ index e237170..6cfe0bf 100644
int proto_register(struct proto *prot, int alloc_slab);
void proto_unregister(struct proto *prot);
-@@ -1188,7 +1188,7 @@ static inline void memcg_memory_allocated_sub(struct
cg_proto *prot,
+@@ -1191,7 +1191,7 @@ static inline void memcg_memory_allocated_sub(struct
cg_proto *prot,
page_counter_uncharge(&prot->memory_allocated, amt);
}
@@ -106562,7 +106615,7 @@ index e237170..6cfe0bf 100644
sk_memory_allocated(const struct sock *sk)
{
struct proto *prot = sk->sk_prot;
-@@ -1769,7 +1769,7 @@ static inline void sk_nocaps_add(struct sock *sk,
netdev_features_t flags)
+@@ -1772,7 +1772,7 @@ static inline void sk_nocaps_add(struct sock *sk,
netdev_features_t flags)
}
static inline int skb_do_copy_data_nocache(struct sock *sk, struct sk_buff
*skb,
@@ -106571,7 +106624,7 @@ index e237170..6cfe0bf 100644
int copy, int offset)
{
if (skb->ip_summed == CHECKSUM_NONE) {
-@@ -2016,7 +2016,7 @@ static inline void sk_stream_moderate_sndbuf(struct sock
*sk)
+@@ -2019,7 +2019,7 @@ static inline void sk_stream_moderate_sndbuf(struct sock
*sk)
}
}
@@ -106580,7 +106633,7 @@ index e237170..6cfe0bf 100644
bool force_schedule);
/**
-@@ -2092,7 +2092,7 @@ struct sock_skb_cb {
+@@ -2095,7 +2095,7 @@ struct sock_skb_cb {
static inline void
sock_skb_set_dropcount(const struct sock *sk, struct sk_buff *skb)
{
@@ -113142,7 +113195,7 @@ index fa2f2f6..3682023 100644
if (!retval) {
if (old_rlim)
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index e69201d..61cda5e 100644
+index e69201d..57f7b12 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -94,7 +94,6 @@
@@ -113360,7 +113413,28 @@ index e69201d..61cda5e 100644
#else
{
.procname = "nr_trim_pages",
-@@ -1852,6 +1912,16 @@ int proc_dostring(struct ctl_table *table, int write,
+@@ -1702,6 +1762,20 @@ static struct ctl_table fs_table[] = {
+ .proc_handler = &pipe_proc_fn,
+ .extra1 = &pipe_min_size,
+ },
++ {
++ .procname = "pipe-user-pages-hard",
++ .data = &pipe_user_pages_hard,
++ .maxlen = sizeof(pipe_user_pages_hard),
++ .mode = 0644,
++ .proc_handler = proc_doulongvec_minmax,
++ },
++ {
++ .procname = "pipe-user-pages-soft",
++ .data = &pipe_user_pages_soft,
++ .maxlen = sizeof(pipe_user_pages_soft),
++ .mode = 0644,
++ .proc_handler = proc_doulongvec_minmax,
++ },
+ { }
+ };
+
+@@ -1852,6 +1926,16 @@ int proc_dostring(struct ctl_table *table, int write,
(char __user *)buffer, lenp, ppos);
}
@@ -113377,7 +113451,7 @@ index e69201d..61cda5e 100644
static size_t proc_skip_spaces(char **buf)
{
size_t ret;
-@@ -1957,6 +2027,8 @@ static int proc_put_long(void __user **buf, size_t
*size, unsigned long val,
+@@ -1957,6 +2041,8 @@ static int proc_put_long(void __user **buf, size_t
*size, unsigned long val,
len = strlen(tmp);
if (len > *size)
len = *size;
@@ -113386,7 +113460,7 @@ index e69201d..61cda5e 100644
if (copy_to_user(*buf, tmp, len))
return -EFAULT;
*size -= len;
-@@ -2135,6 +2207,44 @@ int proc_dointvec(struct ctl_table *table, int write,
+@@ -2135,6 +2221,44 @@ int proc_dointvec(struct ctl_table *table, int write,
NULL,NULL);
}
@@ -113431,7 +113505,7 @@ index e69201d..61cda5e 100644
/*
* Taint values can only be increased
* This means we can safely use a temporary.
-@@ -2142,7 +2252,7 @@ int proc_dointvec(struct ctl_table *table, int write,
+@@ -2142,7 +2266,7 @@ int proc_dointvec(struct ctl_table *table, int write,
static int proc_taint(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
@@ -113440,7 +113514,7 @@ index e69201d..61cda5e 100644
unsigned long tmptaint = get_taint();
int err;
-@@ -2170,16 +2280,14 @@ static int proc_taint(struct ctl_table *table, int
write,
+@@ -2170,16 +2294,14 @@ static int proc_taint(struct ctl_table *table, int
write,
return err;
}
@@ -113459,7 +113533,7 @@ index e69201d..61cda5e 100644
struct do_proc_dointvec_minmax_conv_param {
int *min;
-@@ -2210,6 +2318,32 @@ static int do_proc_dointvec_minmax_conv(bool *negp,
unsigned long *lvalp,
+@@ -2210,6 +2332,32 @@ static int do_proc_dointvec_minmax_conv(bool *negp,
unsigned long *lvalp,
return 0;
}
@@ -113492,7 +113566,7 @@ index e69201d..61cda5e 100644
/**
* proc_dointvec_minmax - read a vector of integers with min/max values
* @table: the sysctl table
-@@ -2237,6 +2371,17 @@ int proc_dointvec_minmax(struct ctl_table *table, int
write,
+@@ -2237,6 +2385,17 @@ int proc_dointvec_minmax(struct ctl_table *table, int
write,
do_proc_dointvec_minmax_conv, ¶m);
}
@@ -113510,7 +113584,7 @@ index e69201d..61cda5e 100644
static void validate_coredump_safety(void)
{
#ifdef CONFIG_COREDUMP
-@@ -2739,6 +2884,12 @@ int proc_dostring(struct ctl_table *table, int write,
+@@ -2739,6 +2898,12 @@ int proc_dostring(struct ctl_table *table, int write,
return -ENOSYS;
}
@@ -113523,7 +113597,7 @@ index e69201d..61cda5e 100644
int proc_dointvec(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
-@@ -2795,5 +2946,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
+@@ -2795,5 +2960,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
EXPORT_SYMBOL(proc_dostring);
@@ -114989,7 +115063,7 @@ index bd2bea9..6b3c95e 100644
return false;
diff --git a/lib/kobject.c b/lib/kobject.c
-index 3e3a5c3..4a12109 100644
+index 3e3a5c3..4a121091 100644
--- a/lib/kobject.c
+++ b/lib/kobject.c
@@ -935,9 +935,9 @@ EXPORT_SYMBOL_GPL(kset_create_and_add);
@@ -115425,10 +115499,10 @@ index 1356454..70ce6c6 100644
void rb_insert_color(struct rb_node *node, struct rb_root *root)
diff --git a/lib/rhashtable.c b/lib/rhashtable.c
-index a54ff89..b4d4da9 100644
+index aa388a7..3172ae42 100644
--- a/lib/rhashtable.c
+++ b/lib/rhashtable.c
-@@ -542,8 +542,8 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_exit);
+@@ -543,8 +543,8 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_exit);
* will rewind back to the beginning and you may use it immediately
* by calling rhashtable_walk_next.
*/
@@ -115438,7 +115512,7 @@ index a54ff89..b4d4da9 100644
{
struct rhashtable *ht = iter->ht;
-@@ -629,8 +629,8 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_next);
+@@ -628,8 +628,8 @@ EXPORT_SYMBOL_GPL(rhashtable_walk_next);
*
* Finish a hash table walk.
*/
@@ -121524,20 +121598,6 @@ index 8e385a0..a5bdd8e 100644
tty_port_close(&dev->port, tty, filp);
}
-diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
-index f315c8d..15cb6c55 100644
---- a/net/bluetooth/sco.c
-+++ b/net/bluetooth/sco.c
-@@ -519,6 +519,9 @@ static int sco_sock_bind(struct socket *sock, struct
sockaddr *addr, int addr_le
- if (!addr || addr->sa_family != AF_BLUETOOTH)
- return -EINVAL;
-
-+ if (addr_len < sizeof(struct sockaddr_sco))
-+ return -EINVAL;
-+
- lock_sock(sk);
-
- if (sk->sk_state != BT_OPEN) {
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index ea748c9..79056c3 100644
--- a/net/bridge/br_netlink.c
@@ -122324,7 +122384,7 @@ index 8a1741b..20d20e7 100644
if (!err)
err = put_user(SCM_RIGHTS, &cm->cmsg_type);
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
-index fab4599..daf360d 100644
+index 1c1f87c..aa15378 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -969,7 +969,8 @@ static void skb_headers_offset_update(struct sk_buff *skb,
int off)
@@ -122363,21 +122423,11 @@ index fab4599..daf360d 100644
NULL);
}
-@@ -3643,7 +3646,8 @@ static void __skb_complete_tx_timestamp(struct sk_buff
*skb,
- serr->ee.ee_info = tstype;
- if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) {
- serr->ee.ee_data = skb_shinfo(skb)->tskey;
-- if (sk->sk_protocol == IPPROTO_TCP)
-+ if (sk->sk_protocol == IPPROTO_TCP &&
-+ sk->sk_type == SOCK_STREAM)
- serr->ee.ee_data -= sk->sk_tskey;
- }
-
diff --git a/net/core/sock.c b/net/core/sock.c
-index 3307c02..3a9bfdc 100644
+index dbbda99..41406c3 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
-@@ -441,7 +441,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff
*skb)
+@@ -439,7 +439,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff
*skb)
struct sk_buff_head *list = &sk->sk_receive_queue;
if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf) {
@@ -122386,7 +122436,7 @@ index 3307c02..3a9bfdc 100644
trace_sock_rcvqueue_full(sk, skb);
return -ENOMEM;
}
-@@ -451,7 +451,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff
*skb)
+@@ -449,7 +449,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff
*skb)
return err;
if (!sk_rmem_schedule(sk, skb, skb->truesize)) {
@@ -122395,7 +122445,7 @@ index 3307c02..3a9bfdc 100644
return -ENOBUFS;
}
-@@ -484,7 +484,7 @@ int sk_receive_skb(struct sock *sk, struct sk_buff *skb,
const int nested)
+@@ -482,7 +482,7 @@ int sk_receive_skb(struct sock *sk, struct sk_buff *skb,
const int nested)
skb->dev = NULL;
if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
@@ -122404,7 +122454,7 @@ index 3307c02..3a9bfdc 100644
goto discard_and_relse;
}
if (nested)
-@@ -502,7 +502,7 @@ int sk_receive_skb(struct sock *sk, struct sk_buff *skb,
const int nested)
+@@ -500,7 +500,7 @@ int sk_receive_skb(struct sock *sk, struct sk_buff *skb,
const int nested)
mutex_release(&sk->sk_lock.dep_map, 1, _RET_IP_);
} else if (sk_add_backlog(sk, skb, sk->sk_rcvbuf)) {
bh_unlock_sock(sk);
@@ -122413,17 +122463,7 @@ index 3307c02..3a9bfdc 100644
goto discard_and_relse;
}
-@@ -862,7 +862,8 @@ set_rcvbuf:
-
- if (val & SOF_TIMESTAMPING_OPT_ID &&
- !(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID)) {
-- if (sk->sk_protocol == IPPROTO_TCP) {
-+ if (sk->sk_protocol == IPPROTO_TCP &&
-+ sk->sk_type == SOCK_STREAM) {
- if (sk->sk_state != TCP_ESTABLISHED) {
- ret = -EINVAL;
- break;
-@@ -908,6 +909,7 @@ set_rcvbuf:
+@@ -907,6 +907,7 @@ set_rcvbuf:
}
break;
@@ -122431,7 +122471,7 @@ index 3307c02..3a9bfdc 100644
case SO_ATTACH_BPF:
ret = -EINVAL;
if (optlen == sizeof(u32)) {
-@@ -920,7 +922,7 @@ set_rcvbuf:
+@@ -919,7 +920,7 @@ set_rcvbuf:
ret = sk_attach_bpf(ufd, sk);
}
break;
@@ -122440,7 +122480,7 @@ index 3307c02..3a9bfdc 100644
case SO_DETACH_FILTER:
ret = sk_detach_filter(sk);
break;
-@@ -1022,12 +1024,12 @@ int sock_getsockopt(struct socket *sock, int level,
int optname,
+@@ -1021,12 +1022,12 @@ int sock_getsockopt(struct socket *sock, int level,
int optname,
struct timeval tm;
} v;
@@ -122456,7 +122496,7 @@ index 3307c02..3a9bfdc 100644
return -EINVAL;
memset(&v, 0, sizeof(v));
-@@ -1165,11 +1167,11 @@ int sock_getsockopt(struct socket *sock, int level,
int optname,
+@@ -1164,11 +1165,11 @@ int sock_getsockopt(struct socket *sock, int level,
int optname,
case SO_PEERNAME:
{
@@ -122470,7 +122510,7 @@ index 3307c02..3a9bfdc 100644
return -EINVAL;
if (copy_to_user(optval, address, len))
return -EFAULT;
-@@ -1257,7 +1259,7 @@ int sock_getsockopt(struct socket *sock, int level, int
optname,
+@@ -1256,7 +1257,7 @@ int sock_getsockopt(struct socket *sock, int level, int
optname,
if (len > lv)
len = lv;
@@ -122479,7 +122519,7 @@ index 3307c02..3a9bfdc 100644
return -EFAULT;
lenout:
if (put_user(len, optlen))
-@@ -1550,7 +1552,7 @@ struct sock *sk_clone_lock(const struct sock *sk, const
gfp_t priority)
+@@ -1549,7 +1550,7 @@ struct sock *sk_clone_lock(const struct sock *sk, const
gfp_t priority)
newsk->sk_err = 0;
newsk->sk_priority = 0;
newsk->sk_incoming_cpu = raw_smp_processor_id();
@@ -122488,7 +122528,7 @@ index 3307c02..3a9bfdc 100644
/*
* Before updating sk_refcnt, we must commit prior changes to
memory
* (Documentation/RCU/rculist_nulls.txt for details)
-@@ -2359,7 +2361,7 @@ void sock_init_data(struct socket *sock, struct sock *sk)
+@@ -2358,7 +2359,7 @@ void sock_init_data(struct socket *sock, struct sock *sk)
*/
smp_wmb();
atomic_set(&sk->sk_refcnt, 1);
@@ -122497,7 +122537,7 @@ index 3307c02..3a9bfdc 100644
}
EXPORT_SYMBOL(sock_init_data);
-@@ -2487,6 +2489,7 @@ void sock_enable_timestamp(struct sock *sk, int flag)
+@@ -2486,6 +2487,7 @@ void sock_enable_timestamp(struct sock *sk, int flag)
int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len,
int level, int type)
{
@@ -122505,7 +122545,7 @@ index 3307c02..3a9bfdc 100644
struct sock_exterr_skb *serr;
struct sk_buff *skb;
int copied, err;
-@@ -2508,7 +2511,8 @@ int sock_recv_errqueue(struct sock *sk, struct msghdr
*msg, int len,
+@@ -2507,7 +2509,8 @@ int sock_recv_errqueue(struct sock *sk, struct msghdr
*msg, int len,
sock_recv_timestamp(msg, sk, skb);
serr = SKB_EXT_ERR(skb);
@@ -122655,7 +122695,7 @@ index 95b6139..3048623 100644
.exit = sysctl_core_net_exit,
};
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
-index 675cf94..9279a75 100644
+index 6feddca..92b3468 100644
--- a/net/decnet/af_decnet.c
+++ b/net/decnet/af_decnet.c
@@ -466,6 +466,7 @@ static struct proto dn_proto = {
@@ -122785,10 +122825,10 @@ index 214d44a..dcb7f86 100644
return -ENOMEM;
}
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
-index 1d0c3ad..408f17b 100644
+index 4b16cf3..443b1d4 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
-@@ -1396,7 +1396,7 @@ int inet_recv_error(struct sock *sk, struct msghdr *msg,
int len, int *addr_len)
+@@ -1399,7 +1399,7 @@ int inet_recv_error(struct sock *sk, struct msghdr *msg,
int len, int *addr_len)
return ip_recv_error(sk, msg, len, addr_len);
#if IS_ENABLED(CONFIG_IPV6)
if (sk->sk_family == AF_INET6)
@@ -123713,7 +123753,7 @@ index 0a2b61d..563a1d2 100644
write_pnet(&ireq->ireq_net, sock_net(sk_listener));
ireq->ireq_family = sk_listener->sk_family;
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
-index a7739c8..5bbbf64 100644
+index d77be28..5bbbf64 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -89,6 +89,10 @@ int sysctl_tcp_tw_reuse __read_mostly;
@@ -123737,15 +123777,6 @@ index a7739c8..5bbbf64 100644
tcp_v4_send_reset(rsk, skb);
discard:
kfree_skb(skb);
-@@ -1509,7 +1516,7 @@ bool tcp_prequeue(struct sock *sk, struct sk_buff *skb)
- if (likely(sk->sk_rx_dst))
- skb_dst_drop(skb);
- else
-- skb_dst_force(skb);
-+ skb_dst_force_safe(skb);
-
- __skb_queue_tail(&tp->ucopy.prequeue, skb);
- tp->ucopy.memory += skb->truesize;
@@ -1592,12 +1599,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
TCP_SKB_CB(skb)->sacked = 0;
@@ -123780,16 +123811,6 @@ index a7739c8..5bbbf64 100644
tcp_v4_send_reset(NULL, skb);
}
-@@ -1710,8 +1728,7 @@ void inet_sk_rx_dst_set(struct sock *sk, const struct
sk_buff *skb)
- {
- struct dst_entry *dst = skb_dst(skb);
-
-- if (dst) {
-- dst_hold(dst);
-+ if (dst && dst_hold_safe(dst)) {
- sk->sk_rx_dst = dst;
- inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
- }
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index def7659..b710969 100644
--- a/net/ipv4/tcp_minisocks.c
@@ -124044,7 +124065,7 @@ index c10a9ee..c621a01 100644
return -ENOMEM;
}
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
-index 3939dd2..7372e9a 100644
+index ddd3511..9cad64b 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -178,7 +178,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
@@ -124065,20 +124086,7 @@ index 3939dd2..7372e9a 100644
.autoconf = 1,
.force_mld_version = 0,
.mldv1_unsolicited_report_interval = 10 * HZ,
-@@ -349,6 +349,12 @@ static struct inet6_dev *ipv6_add_dev(struct net_device
*dev)
- setup_timer(&ndev->rs_timer, addrconf_rs_timer,
- (unsigned long)ndev);
- memcpy(&ndev->cnf, dev_net(dev)->ipv6.devconf_dflt, sizeof(ndev->cnf));
-+
-+ if (ndev->cnf.stable_secret.initialized)
-+ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
-+ else
-+ ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_EUI64;
-+
- ndev->cnf.mtu6 = dev->mtu;
- ndev->cnf.sysctl = NULL;
- ndev->nd_parms = neigh_parms_alloc(dev, &nd_tbl);
-@@ -636,7 +642,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb,
+@@ -642,7 +642,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb,
idx = 0;
head = &net->dev_index_head[h];
rcu_read_lock();
@@ -124087,7 +124095,7 @@ index 3939dd2..7372e9a 100644
net->dev_base_seq;
hlist_for_each_entry_rcu(dev, head, index_hlist) {
if (idx < s_idx)
-@@ -2576,7 +2582,7 @@ int addrconf_set_dstaddr(struct net *net, void __user
*arg)
+@@ -2582,7 +2582,7 @@ int addrconf_set_dstaddr(struct net *net, void __user
*arg)
p.iph.ihl = 5;
p.iph.protocol = IPPROTO_IPV6;
p.iph.ttl = 64;
@@ -124096,7 +124104,7 @@ index 3939dd2..7372e9a 100644
if (ops->ndo_do_ioctl) {
mm_segment_t oldfs = get_fs();
-@@ -3844,16 +3850,23 @@ static const struct file_operations if6_fops = {
+@@ -3850,16 +3850,23 @@ static const struct file_operations if6_fops = {
.release = seq_release_net,
};
@@ -124121,7 +124129,7 @@ index 3939dd2..7372e9a 100644
}
static struct pernet_operations if6_proc_net_ops = {
-@@ -4472,7 +4485,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct
netlink_callback *cb,
+@@ -4478,7 +4485,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct
netlink_callback *cb,
s_ip_idx = ip_idx = cb->args[2];
rcu_read_lock();
@@ -124130,7 +124138,7 @@ index 3939dd2..7372e9a 100644
for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) {
idx = 0;
head = &net->dev_index_head[h];
-@@ -5140,7 +5153,7 @@ static void __ipv6_ifa_notify(int event, struct
inet6_ifaddr *ifp)
+@@ -5146,7 +5153,7 @@ static void __ipv6_ifa_notify(int event, struct
inet6_ifaddr *ifp)
rt_genid_bump_ipv6(net);
break;
}
@@ -124139,7 +124147,7 @@ index 3939dd2..7372e9a 100644
}
static void ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
-@@ -5160,7 +5173,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int
write,
+@@ -5166,7 +5173,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int
write,
int *valp = ctl->data;
int val = *valp;
loff_t pos = *ppos;
@@ -124148,7 +124156,7 @@ index 3939dd2..7372e9a 100644
int ret;
/*
-@@ -5185,7 +5198,7 @@ int addrconf_sysctl_mtu(struct ctl_table *ctl, int write,
+@@ -5191,7 +5198,7 @@ int addrconf_sysctl_mtu(struct ctl_table *ctl, int write,
{
struct inet6_dev *idev = ctl->extra1;
int min_mtu = IPV6_MIN_MTU;
@@ -124157,7 +124165,7 @@ index 3939dd2..7372e9a 100644
lctl = *ctl;
lctl.extra1 = &min_mtu;
-@@ -5260,7 +5273,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int
write,
+@@ -5266,7 +5273,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int
write,
int *valp = ctl->data;
int val = *valp;
loff_t pos = *ppos;
@@ -124166,7 +124174,7 @@ index 3939dd2..7372e9a 100644
int ret;
/*
-@@ -5325,7 +5338,7 @@ static int addrconf_sysctl_stable_secret(struct
ctl_table *ctl, int write,
+@@ -5331,7 +5338,7 @@ static int addrconf_sysctl_stable_secret(struct
ctl_table *ctl, int write,
int err;
struct in6_addr addr;
char str[IPV6_MAX_STRLEN];
@@ -124175,7 +124183,7 @@ index 3939dd2..7372e9a 100644
struct net *net = ctl->extra2;
struct ipv6_stable_secret *secret = ctl->data;
-@@ -5343,13 +5356,10 @@ static int addrconf_sysctl_stable_secret(struct
ctl_table *ctl, int write,
+@@ -5349,13 +5356,10 @@ static int addrconf_sysctl_stable_secret(struct
ctl_table *ctl, int write,
goto out;
}
@@ -124193,7 +124201,7 @@ index 3939dd2..7372e9a 100644
}
err = proc_dostring(&lctl, write, buffer, lenp, ppos);
-@@ -5397,7 +5407,7 @@ int addrconf_sysctl_ignore_routes_with_linkdown(struct
ctl_table *ctl,
+@@ -5403,7 +5407,7 @@ int addrconf_sysctl_ignore_routes_with_linkdown(struct
ctl_table *ctl,
int *valp = ctl->data;
int val = *valp;
loff_t pos = *ppos;
@@ -124203,10 +124211,10 @@ index 3939dd2..7372e9a 100644
/* ctl->data points to idev->cnf.ignore_routes_when_linkdown
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
-index 38d66dd..dc7991d 100644
+index df095ee..537199c 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
-@@ -777,7 +777,7 @@ static int __net_init inet6_net_init(struct net *net)
+@@ -780,7 +780,7 @@ static int __net_init inet6_net_init(struct net *net)
net->ipv6.sysctl.idgen_retries = 3;
net->ipv6.sysctl.idgen_delay = 1 * HZ;
net->ipv6.sysctl.flowlabel_state_ranges = 0;
@@ -124256,7 +124264,7 @@ index 6cedc62..998bd5b 100644
return new;
}
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
-index 3c7b931..bcdd2bf 100644
+index e5ea177..54bf9fb 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -71,8 +71,8 @@ struct ip6gre_net {
@@ -124279,7 +124287,7 @@ index 3c7b931..bcdd2bf 100644
.handler = ip6gre_rcv,
.err_handler = ip6gre_err,
.flags = INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL,
-@@ -1658,7 +1658,7 @@ static const struct nla_policy
ip6gre_policy[IFLA_GRE_MAX + 1] = {
+@@ -1656,7 +1656,7 @@ static const struct nla_policy
ip6gre_policy[IFLA_GRE_MAX + 1] = {
[IFLA_GRE_FLAGS] = { .type = NLA_U32 },
};
@@ -124288,7 +124296,7 @@ index 3c7b931..bcdd2bf 100644
.kind = "ip6gre",
.maxtype = IFLA_GRE_MAX,
.policy = ip6gre_policy,
-@@ -1673,7 +1673,7 @@ static struct rtnl_link_ops ip6gre_link_ops
__read_mostly = {
+@@ -1671,7 +1671,7 @@ static struct rtnl_link_ops ip6gre_link_ops
__read_mostly = {
.get_link_net = ip6_tnl_get_link_net,
};
@@ -124684,21 +124692,10 @@ index 45243bb..cdb398e 100644
struct ctl_table *ipv6_icmp_table;
int err;
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
-index 9e9b77b..bdfd1ee 100644
+index 8935dc1..bdfd1ee 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
-@@ -93,16 +93,19 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const
struct sk_buff *skb)
- {
- struct dst_entry *dst = skb_dst(skb);
-
-- if (dst) {
-+ if (dst && dst_hold_safe(dst)) {
- const struct rt6_info *rt = (const struct rt6_info *)dst;
-
-- dst_hold(dst);
- sk->sk_rx_dst = dst;
- inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
- inet6_sk(sk)->rx_dst_cookie = rt6_get_cookie(rt);
+@@ -102,6 +102,10 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const
struct sk_buff *skb)
}
}
@@ -124709,7 +124706,7 @@ index 9e9b77b..bdfd1ee 100644
static __u32 tcp_v6_init_sequence(const struct sk_buff *skb)
{
return secure_tcpv6_sequence_number(ipv6_hdr(skb)->daddr.s6_addr32,
-@@ -1286,6 +1289,9 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff
*skb)
+@@ -1285,6 +1289,9 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff
*skb)
return 0;
reset:
@@ -124719,7 +124716,7 @@ index 9e9b77b..bdfd1ee 100644
tcp_v6_send_reset(sk, skb);
discard:
if (opt_skb)
-@@ -1395,12 +1401,20 @@ static int tcp_v6_rcv(struct sk_buff *skb)
+@@ -1394,12 +1401,20 @@ static int tcp_v6_rcv(struct sk_buff *skb)
sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest,
inet6_iif(skb));
@@ -124742,7 +124739,7 @@ index 9e9b77b..bdfd1ee 100644
if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
-@@ -1452,6 +1466,10 @@ csum_error:
+@@ -1451,6 +1466,10 @@ csum_error:
bad_packet:
TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
} else {
@@ -125662,10 +125659,93 @@ index 45da11a..ef3e5dc 100644
table = kmemdup(acct_sysctl_table, sizeof(acct_sysctl_table),
GFP_KERNEL);
diff --git a/net/netfilter/nf_conntrack_core.c
b/net/netfilter/nf_conntrack_core.c
-index c09d6c7..360b90c 100644
+index c09d6c7..290e086 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
-@@ -1749,6 +1749,10 @@ void nf_conntrack_init_end(void)
+@@ -66,6 +66,21 @@ EXPORT_SYMBOL_GPL(nf_conntrack_locks);
+ __cacheline_aligned_in_smp DEFINE_SPINLOCK(nf_conntrack_expect_lock);
+ EXPORT_SYMBOL_GPL(nf_conntrack_expect_lock);
+
++static __read_mostly spinlock_t nf_conntrack_locks_all_lock;
++static __read_mostly bool nf_conntrack_locks_all;
++
++void nf_conntrack_lock(spinlock_t *lock) __acquires(lock)
++{
++ spin_lock(lock);
++ while (unlikely(nf_conntrack_locks_all)) {
++ spin_unlock(lock);
++ spin_lock(&nf_conntrack_locks_all_lock);
++ spin_unlock(&nf_conntrack_locks_all_lock);
++ spin_lock(lock);
++ }
++}
++EXPORT_SYMBOL_GPL(nf_conntrack_lock);
++
+ static void nf_conntrack_double_unlock(unsigned int h1, unsigned int h2)
+ {
+ h1 %= CONNTRACK_LOCKS;
+@@ -82,12 +97,12 @@ static bool nf_conntrack_double_lock(struct net *net,
unsigned int h1,
+ h1 %= CONNTRACK_LOCKS;
+ h2 %= CONNTRACK_LOCKS;
+ if (h1 <= h2) {
+- spin_lock(&nf_conntrack_locks[h1]);
++ nf_conntrack_lock(&nf_conntrack_locks[h1]);
+ if (h1 != h2)
+ spin_lock_nested(&nf_conntrack_locks[h2],
+ SINGLE_DEPTH_NESTING);
+ } else {
+- spin_lock(&nf_conntrack_locks[h2]);
++ nf_conntrack_lock(&nf_conntrack_locks[h2]);
+ spin_lock_nested(&nf_conntrack_locks[h1],
+ SINGLE_DEPTH_NESTING);
+ }
+@@ -102,16 +117,19 @@ static void nf_conntrack_all_lock(void)
+ {
+ int i;
+
+- for (i = 0; i < CONNTRACK_LOCKS; i++)
+- spin_lock_nested(&nf_conntrack_locks[i], i);
+-}
++ spin_lock(&nf_conntrack_locks_all_lock);
++ nf_conntrack_locks_all = true;
+
+-static void nf_conntrack_all_unlock(void)
+-{
+- int i;
+-
+- for (i = 0; i < CONNTRACK_LOCKS; i++)
++ for (i = 0; i < CONNTRACK_LOCKS; i++) {
++ spin_lock(&nf_conntrack_locks[i]);
+ spin_unlock(&nf_conntrack_locks[i]);
++ }
++}
++
++static void nf_conntrack_all_unlock(void)
++{
++ nf_conntrack_locks_all = false;
++ spin_unlock(&nf_conntrack_locks_all_lock);
+ }
+
+ unsigned int nf_conntrack_htable_size __read_mostly;
+@@ -755,7 +773,7 @@ restart:
+ hash = hash_bucket(_hash, net);
+ for (; i < net->ct.htable_size; i++) {
+ lockp = &nf_conntrack_locks[hash % CONNTRACK_LOCKS];
+- spin_lock(lockp);
++ nf_conntrack_lock(lockp);
+ if (read_seqcount_retry(&net->ct.generation, sequence)) {
+ spin_unlock(lockp);
+ goto restart;
+@@ -1376,7 +1394,7 @@ get_next_corpse(struct net *net, int (*iter)(struct
nf_conn *i, void *data),
+ for (; *bucket < net->ct.htable_size; (*bucket)++) {
+ lockp = &nf_conntrack_locks[*bucket % CONNTRACK_LOCKS];
+ local_bh_disable();
+- spin_lock(lockp);
++ nf_conntrack_lock(lockp);
+ if (*bucket < net->ct.htable_size) {
+ hlist_nulls_for_each_entry(h, n,
&net->ct.hash[*bucket], hnnode) {
+ if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
+@@ -1749,6 +1767,10 @@ void nf_conntrack_init_end(void)
#define DYING_NULLS_VAL ((1<<30)+1)
#define TEMPLATE_NULLS_VAL ((1<<30)+2)
@@ -125676,7 +125756,7 @@ index c09d6c7..360b90c 100644
int nf_conntrack_init_net(struct net *net)
{
int ret = -ENOMEM;
-@@ -1773,7 +1777,11 @@ int nf_conntrack_init_net(struct net *net)
+@@ -1773,7 +1795,11 @@ int nf_conntrack_init_net(struct net *net)
if (!net->ct.stat)
goto err_pcpu_lists;
@@ -125702,7 +125782,7 @@ index 4e78c57..ec8fb74 100644
table = kmemdup(event_sysctl_table, sizeof(event_sysctl_table),
GFP_KERNEL);
diff --git a/net/netfilter/nf_conntrack_helper.c
b/net/netfilter/nf_conntrack_helper.c
-index bd9d315..989947e 100644
+index bd9d315..fbd2fb7 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -57,7 +57,7 @@ static struct ctl_table helper_sysctl_table[] = {
@@ -125714,6 +125794,28 @@ index bd9d315..989947e 100644
table = kmemdup(helper_sysctl_table, sizeof(helper_sysctl_table),
GFP_KERNEL);
+@@ -425,7 +425,7 @@ static void __nf_conntrack_helper_unregister(struct
nf_conntrack_helper *me,
+ }
+ local_bh_disable();
+ for (i = 0; i < net->ct.htable_size; i++) {
+- spin_lock(&nf_conntrack_locks[i % CONNTRACK_LOCKS]);
++ nf_conntrack_lock(&nf_conntrack_locks[i % CONNTRACK_LOCKS]);
+ if (i < net->ct.htable_size) {
+ hlist_nulls_for_each_entry(h, nn, &net->ct.hash[i],
hnnode)
+ unhelp(h, me);
+diff --git a/net/netfilter/nf_conntrack_netlink.c
b/net/netfilter/nf_conntrack_netlink.c
+index 94a6654..9c275f7 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -840,7 +840,7 @@ ctnetlink_dump_table(struct sk_buff *skb, struct
netlink_callback *cb)
+ for (; cb->args[0] < net->ct.htable_size; cb->args[0]++) {
+ restart:
+ lockp = &nf_conntrack_locks[cb->args[0] % CONNTRACK_LOCKS];
+- spin_lock(lockp);
++ nf_conntrack_lock(lockp);
+ if (cb->args[0] >= net->ct.htable_size) {
+ spin_unlock(lockp);
+ goto out;
diff --git a/net/netfilter/nf_conntrack_proto.c
b/net/netfilter/nf_conntrack_proto.c
index b65d586..beec902 100644
--- a/net/netfilter/nf_conntrack_proto.c
@@ -126570,19 +126672,6 @@ index f226709..0e735a8 100644
_proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
-diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
-index 7ec667d..b5c2cf2 100644
---- a/net/sched/sch_api.c
-+++ b/net/sched/sch_api.c
-@@ -950,7 +950,7 @@ qdisc_create(struct net_device *dev, struct netdev_queue
*dev_queue,
- }
- lockdep_set_class(qdisc_lock(sch), &qdisc_tx_lock);
- if (!netif_is_multiqueue(dev))
-- sch->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
-+ sch->flags |= TCQ_F_ONETXQUEUE;
- }
-
- sch->handle = handle;
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
index e82a1ad..a7df216b 100644
--- a/net/sched/sch_generic.c
@@ -126618,10 +126707,10 @@ index e82a1ad..a7df216b 100644
kfree((char *) qdisc - qdisc->padded);
}
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
-index e917d27..13e2a4c 100644
+index 40677cf..9656f92 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
-@@ -973,7 +973,7 @@ static const struct inet6_protocol sctpv6_protocol = {
+@@ -981,7 +981,7 @@ static const struct inet6_protocol sctpv6_protocol = {
.flags = INET6_PROTO_NOPOLICY | INET6_PROTO_FINAL,
};
@@ -126630,7 +126719,7 @@ index e917d27..13e2a4c 100644
.sa_family = AF_INET6,
.sctp_xmit = sctp_v6_xmit,
.setsockopt = ipv6_setsockopt,
-@@ -1003,7 +1003,7 @@ static struct sctp_af sctp_af_inet6 = {
+@@ -1011,7 +1011,7 @@ static struct sctp_af sctp_af_inet6 = {
#endif
};
@@ -126639,7 +126728,7 @@ index e917d27..13e2a4c 100644
.event_msgname = sctp_inet6_event_msgname,
.skb_msgname = sctp_inet6_skb_msgname,
.af_supported = sctp_inet6_af_supported,
-@@ -1030,7 +1030,7 @@ void sctp_v6_pf_init(void)
+@@ -1038,7 +1038,7 @@ void sctp_v6_pf_init(void)
void sctp_v6_pf_exit(void)
{
@@ -126836,7 +126925,7 @@ index d7eaa73..9042a5d 100644
/*
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index 3ec88be..a8d9d222 100644
+index 84b1b50..e2a95d3 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -972,7 +972,7 @@ static int sctp_setsockopt_bindx(struct sock *sk,
@@ -127020,7 +127109,7 @@ index 26d50c5..289fe22 100644
table = kmemdup(sctp_net_table, sizeof(sctp_net_table), GFP_KERNEL);
diff --git a/net/socket.c b/net/socket.c
-index 9963a0b..b88ff74 100644
+index f3fbe17..b88ff74 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -89,6 +89,7 @@
@@ -127221,15 +127310,7 @@ index 9963a0b..b88ff74 100644
int err, err2;
int fput_needed;
-@@ -1702,6 +1767,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf,
size_t, size,
- msg.msg_name = addr ? (struct sockaddr *)&address : NULL;
- /* We assume all kernel code knows the size of sockaddr_storage */
- msg.msg_namelen = 0;
-+ msg.msg_iocb = NULL;
- if (sock->file->f_flags & O_NONBLOCK)
- flags |= MSG_DONTWAIT;
- err = sock_recvmsg(sock, &msg, iov_iter_count(&msg.msg_iter), flags);
-@@ -1927,7 +1993,7 @@ static int ___sys_sendmsg(struct socket *sock, struct
user_msghdr __user *msg,
+@@ -1928,7 +1993,7 @@ static int ___sys_sendmsg(struct socket *sock, struct
user_msghdr __user *msg,
* checking falls down on this.
*/
if (copy_from_user(ctl_buf,
@@ -127238,7 +127319,7 @@ index 9963a0b..b88ff74 100644
ctl_len))
goto out_freectl;
msg_sys->msg_control = ctl_buf;
-@@ -2077,7 +2143,7 @@ static int ___sys_recvmsg(struct socket *sock, struct
user_msghdr __user *msg,
+@@ -2078,7 +2143,7 @@ static int ___sys_recvmsg(struct socket *sock, struct
user_msghdr __user *msg,
ssize_t err;
/* kernel mode address */
@@ -127247,7 +127328,7 @@ index 9963a0b..b88ff74 100644
/* user mode address pointers */
struct sockaddr __user *uaddr;
-@@ -2722,7 +2788,7 @@ static int ethtool_ioctl(struct net *net, struct
compat_ifreq __user *ifr32)
+@@ -2723,7 +2788,7 @@ static int ethtool_ioctl(struct net *net, struct
compat_ifreq __user *ifr32)
ifr = compat_alloc_user_space(buf_size);
rxnfc = (void __user *)ifr + ALIGN(sizeof(struct ifreq), 8);
@@ -127256,7 +127337,7 @@ index 9963a0b..b88ff74 100644
return -EFAULT;
if (put_user(convert_in ? rxnfc : compat_ptr(data),
-@@ -2833,7 +2899,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
+@@ -2834,7 +2899,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
old_fs = get_fs();
set_fs(KERNEL_DS);
err = dev_ioctl(net, cmd,
@@ -127265,7 +127346,7 @@ index 9963a0b..b88ff74 100644
set_fs(old_fs);
return err;
-@@ -2926,7 +2992,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned
int cmd,
+@@ -2927,7 +2992,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned
int cmd,
old_fs = get_fs();
set_fs(KERNEL_DS);
@@ -127274,7 +127355,7 @@ index 9963a0b..b88ff74 100644
set_fs(old_fs);
if (cmd == SIOCGIFMAP && !err) {
-@@ -3010,7 +3076,7 @@ static int routing_ioctl(struct net *net, struct socket
*sock,
+@@ -3011,7 +3076,7 @@ static int routing_ioctl(struct net *net, struct socket
*sock,
ret |= get_user(rtdev, &(ur4->rt_dev));
if (rtdev) {
ret |= copy_from_user(devname, compat_ptr(rtdev), 15);
@@ -127283,7 +127364,7 @@ index 9963a0b..b88ff74 100644
devname[15] = 0;
} else
r4.rt_dev = NULL;
-@@ -3237,8 +3303,8 @@ int kernel_getsockopt(struct socket *sock, int level,
int optname,
+@@ -3238,8 +3303,8 @@ int kernel_getsockopt(struct socket *sock, int level,
int optname,
int __user *uoptlen;
int err;
@@ -127294,7 +127375,7 @@ index 9963a0b..b88ff74 100644
set_fs(KERNEL_DS);
if (level == SOL_SOCKET)
-@@ -3258,7 +3324,7 @@ int kernel_setsockopt(struct socket *sock, int level,
int optname,
+@@ -3259,7 +3324,7 @@ int kernel_setsockopt(struct socket *sock, int level,
int optname,
char __user *uoptval;
int err;
@@ -127725,7 +127806,7 @@ index 350cca3..a108fc5 100644
sub->evt.event = htohl(event, sub->swap);
sub->evt.found_lower = htohl(found_lower, sub->swap);
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index 128b098..b66988b 100644
+index 0fc6dba..adadbef 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -918,6 +918,12 @@ static struct sock *unix_find_other(struct net *net,
@@ -127934,7 +128015,7 @@ index 128b098..b66988b 100644
return max_level;
}
-@@ -2772,9 +2821,13 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+@@ -2765,9 +2814,13 @@ static int unix_seq_show(struct seq_file *seq, void *v)
seq_puts(seq, "Num RefCount Protocol Flags Type St "
"Inode Path\n");
else {
@@ -127949,7 +128030,7 @@ index 128b098..b66988b 100644
seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu",
s,
-@@ -2799,10 +2852,29 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+@@ -2792,10 +2845,29 @@ static int unix_seq_show(struct seq_file *seq, void *v)
seq_putc(seq, '@');
i++;
}
@@ -130505,36 +130586,6 @@ index aee2ec5..c276071 100644
/* record the root user tracking */
rb_link_node(&root_key_user.node,
-diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
-index 0b9ec78..26f0e0a 100644
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -757,16 +757,16 @@ long keyctl_read_key(key_serial_t keyid, char __user
*buffer, size_t buflen)
-
- /* the key is probably readable - now try to read it */
- can_read_key:
-- ret = key_validate(key);
-- if (ret == 0) {
-- ret = -EOPNOTSUPP;
-- if (key->type->read) {
-- /* read the data with the semaphore held (since we
-- * might sleep) */
-- down_read(&key->sem);
-+ ret = -EOPNOTSUPP;
-+ if (key->type->read) {
-+ /* Read the data with the semaphore held (since we might sleep)
-+ * to protect against the key being updated or revoked.
-+ */
-+ down_read(&key->sem);
-+ ret = key_validate(key);
-+ if (ret == 0)
- ret = key->type->read(key, buffer, buflen);
-- up_read(&key->sem);
-- }
-+ up_read(&key->sem);
- }
-
- error2:
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index d334370..b03e5a8 100644
--- a/security/keys/keyring.c
@@ -130557,18 +130608,6 @@ index d334370..b03e5a8 100644
{
BUG_ON(index_key->type == NULL);
kenter("%d,%s,", keyring->serial, index_key->type->name);
-diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
-index 43b4cdd..7877e5c 100644
---- a/security/keys/process_keys.c
-+++ b/security/keys/process_keys.c
-@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
- ret = PTR_ERR(keyring);
- goto error2;
- } else if (keyring == new->session_keyring) {
-+ key_put(keyring);
- ret = 0;
- goto error2;
- }
diff --git a/security/min_addr.c b/security/min_addr.c
index f728728..6457a0c 100644
--- a/security/min_addr.c
diff --git a/4.3.3/4425_grsec_remove_EI_PAX.patch
b/4.3.4/4425_grsec_remove_EI_PAX.patch
similarity index 100%
rename from 4.3.3/4425_grsec_remove_EI_PAX.patch
rename to 4.3.4/4425_grsec_remove_EI_PAX.patch
diff --git a/4.3.3/4427_force_XATTR_PAX_tmpfs.patch
b/4.3.4/4427_force_XATTR_PAX_tmpfs.patch
similarity index 100%
rename from 4.3.3/4427_force_XATTR_PAX_tmpfs.patch
rename to 4.3.4/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/4.3.3/4430_grsec-remove-localversion-grsec.patch
b/4.3.4/4430_grsec-remove-localversion-grsec.patch
similarity index 100%
rename from 4.3.3/4430_grsec-remove-localversion-grsec.patch
rename to 4.3.4/4430_grsec-remove-localversion-grsec.patch
diff --git a/4.3.3/4435_grsec-mute-warnings.patch
b/4.3.4/4435_grsec-mute-warnings.patch
similarity index 100%
rename from 4.3.3/4435_grsec-mute-warnings.patch
rename to 4.3.4/4435_grsec-mute-warnings.patch
diff --git a/4.3.3/4440_grsec-remove-protected-paths.patch
b/4.3.4/4440_grsec-remove-protected-paths.patch
similarity index 100%
rename from 4.3.3/4440_grsec-remove-protected-paths.patch
rename to 4.3.4/4440_grsec-remove-protected-paths.patch
diff --git a/4.3.3/4450_grsec-kconfig-default-gids.patch
b/4.3.4/4450_grsec-kconfig-default-gids.patch
similarity index 100%
rename from 4.3.3/4450_grsec-kconfig-default-gids.patch
rename to 4.3.4/4450_grsec-kconfig-default-gids.patch
diff --git a/4.3.3/4465_selinux-avc_audit-log-curr_ip.patch
b/4.3.4/4465_selinux-avc_audit-log-curr_ip.patch
similarity index 100%
rename from 4.3.3/4465_selinux-avc_audit-log-curr_ip.patch
rename to 4.3.4/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/4.3.3/4470_disable-compat_vdso.patch
b/4.3.4/4470_disable-compat_vdso.patch
similarity index 100%
rename from 4.3.3/4470_disable-compat_vdso.patch
rename to 4.3.4/4470_disable-compat_vdso.patch
diff --git a/4.3.3/4475_emutramp_default_on.patch
b/4.3.4/4475_emutramp_default_on.patch
similarity index 100%
rename from 4.3.3/4475_emutramp_default_on.patch
rename to 4.3.4/4475_emutramp_default_on.patch
