commit: 58e7d4d2f3ab534cfb4a714a2654b406abdab3a1
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Mon Nov 28 19:23:36 2016 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Mon Nov 28 19:23:36 2016 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=58e7d4d2
grsecurity-3.1-4.8.11-201611271225
{4.8.10 => 4.8.11}/0000_README | 6 +-
{4.8.10 => 4.8.11}/1008_linux-4.8.9.patch | 0
{4.8.10 => 4.8.11}/1009_linux-4.8.10.patch | 0
4.8.11/1010_linux-4.8.11.patch | 2351 ++++++++++++++++++++
.../4420_grsecurity-3.1-4.8.11-201611271225.patch | 594 ++++-
{4.8.10 => 4.8.11}/4425_grsec_remove_EI_PAX.patch | 0
.../4427_force_XATTR_PAX_tmpfs.patch | 0
.../4430_grsec-remove-localversion-grsec.patch | 0
{4.8.10 => 4.8.11}/4435_grsec-mute-warnings.patch | 0
.../4440_grsec-remove-protected-paths.patch | 0
.../4450_grsec-kconfig-default-gids.patch | 0
.../4465_selinux-avc_audit-log-curr_ip.patch | 0
{4.8.10 => 4.8.11}/4470_disable-compat_vdso.patch | 0
{4.8.10 => 4.8.11}/4475_emutramp_default_on.patch | 0
14 files changed, 2848 insertions(+), 103 deletions(-)
diff --git a/4.8.10/0000_README b/4.8.11/0000_README
similarity index 93%
rename from 4.8.10/0000_README
rename to 4.8.11/0000_README
index c32fdff..a5a0953 100644
--- a/4.8.10/0000_README
+++ b/4.8.11/0000_README
@@ -10,7 +10,11 @@ Patch: 1009_linux-4.8.10.patch
From: http://www.kernel.org
Desc: Linux 4.8.10
-Patch: 4420_grsecurity-3.1-4.8.10-201611232213.patch
+Patch: 1010_linux-4.8.11.patch
+From: http://www.kernel.org
+Desc: Linux 4.8.11
+
+Patch: 4420_grsecurity-3.1-4.8.11-201611271225.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.8.10/1008_linux-4.8.9.patch b/4.8.11/1008_linux-4.8.9.patch
similarity index 100%
rename from 4.8.10/1008_linux-4.8.9.patch
rename to 4.8.11/1008_linux-4.8.9.patch
diff --git a/4.8.10/1009_linux-4.8.10.patch b/4.8.11/1009_linux-4.8.10.patch
similarity index 100%
rename from 4.8.10/1009_linux-4.8.10.patch
rename to 4.8.11/1009_linux-4.8.10.patch
diff --git a/4.8.11/1010_linux-4.8.11.patch b/4.8.11/1010_linux-4.8.11.patch
new file mode 100644
index 0000000..5c67d71
--- /dev/null
+++ b/4.8.11/1010_linux-4.8.11.patch
@@ -0,0 +1,2351 @@
+diff --git a/Makefile b/Makefile
+index 7cf2b49..2b1bcba 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 8
+-SUBLEVEL = 10
++SUBLEVEL = 11
+ EXTRAVERSION =
+ NAME = Psychotic Stoned Sheep
+
+@@ -399,11 +399,12 @@ KBUILD_CFLAGS := -Wall -Wundef -Wstrict-prototypes
-Wno-trigraphs \
+ -fno-strict-aliasing -fno-common \
+ -Werror-implicit-function-declaration \
+ -Wno-format-security \
+- -std=gnu89
++ -std=gnu89 $(call cc-option,-fno-PIE)
++
+
+ KBUILD_AFLAGS_KERNEL :=
+ KBUILD_CFLAGS_KERNEL :=
+-KBUILD_AFLAGS := -D__ASSEMBLY__
++KBUILD_AFLAGS := -D__ASSEMBLY__ $(call cc-option,-fno-PIE)
+ KBUILD_AFLAGS_MODULE := -DMODULE
+ KBUILD_CFLAGS_MODULE := -DMODULE
+ KBUILD_LDFLAGS_MODULE := -T $(srctree)/scripts/module-common.lds
+@@ -621,6 +622,7 @@ include arch/$(SRCARCH)/Makefile
+
+ KBUILD_CFLAGS += $(call cc-option,-fno-delete-null-pointer-checks,)
+ KBUILD_CFLAGS += $(call cc-disable-warning,maybe-uninitialized,)
++KBUILD_CFLAGS += $(call cc-disable-warning,frame-address,)
+
+ ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE
+ KBUILD_CFLAGS += -Os
+diff --git a/arch/arm/boot/dts/imx53-qsb.dts b/arch/arm/boot/dts/imx53-qsb.dts
+index dec4b07..3799396 100644
+--- a/arch/arm/boot/dts/imx53-qsb.dts
++++ b/arch/arm/boot/dts/imx53-qsb.dts
+@@ -64,8 +64,8 @@
+ };
+
+ ldo3_reg: ldo3 {
+- regulator-min-microvolt = <600000>;
+- regulator-max-microvolt = <1800000>;
++ regulator-min-microvolt = <1725000>;
++ regulator-max-microvolt = <3300000>;
+ regulator-always-on;
+ };
+
+@@ -76,8 +76,8 @@
+ };
+
+ ldo5_reg: ldo5 {
+- regulator-min-microvolt = <1725000>;
+- regulator-max-microvolt = <3300000>;
++ regulator-min-microvolt = <1200000>;
++ regulator-max-microvolt = <3600000>;
+ regulator-always-on;
+ };
+
+@@ -100,14 +100,14 @@
+ };
+
+ ldo9_reg: ldo9 {
+- regulator-min-microvolt = <1200000>;
++ regulator-min-microvolt = <1250000>;
+ regulator-max-microvolt = <3600000>;
+ regulator-always-on;
+ };
+
+ ldo10_reg: ldo10 {
+- regulator-min-microvolt = <1250000>;
+- regulator-max-microvolt = <3650000>;
++ regulator-min-microvolt = <1200000>;
++ regulator-max-microvolt = <3600000>;
+ regulator-always-on;
+ };
+ };
+diff --git a/arch/arm64/include/asm/perf_event.h
b/arch/arm64/include/asm/perf_event.h
+index 2065f46..38b6a2b 100644
+--- a/arch/arm64/include/asm/perf_event.h
++++ b/arch/arm64/include/asm/perf_event.h
+@@ -46,7 +46,15 @@
+ #define ARMV8_PMU_EVTYPE_MASK 0xc800ffff /* Mask for writable
bits */
+ #define ARMV8_PMU_EVTYPE_EVENT 0xffff /* Mask for EVENT bits
*/
+
+-#define ARMV8_PMU_EVTYPE_EVENT_SW_INCR 0 /* Software increment
event */
++/*
++ * PMUv3 event types: required events
++ */
++#define ARMV8_PMUV3_PERFCTR_SW_INCR 0x00
++#define ARMV8_PMUV3_PERFCTR_L1D_CACHE_REFILL 0x03
++#define ARMV8_PMUV3_PERFCTR_L1D_CACHE 0x04
++#define ARMV8_PMUV3_PERFCTR_BR_MIS_PRED 0x10
++#define ARMV8_PMUV3_PERFCTR_CPU_CYCLES 0x11
++#define ARMV8_PMUV3_PERFCTR_BR_PRED 0x12
+
+ /*
+ * Event filters for PMUv3
+diff --git a/arch/arm64/kernel/perf_event.c b/arch/arm64/kernel/perf_event.c
+index 838ccf1..2c4df15 100644
+--- a/arch/arm64/kernel/perf_event.c
++++ b/arch/arm64/kernel/perf_event.c
+@@ -30,17 +30,9 @@
+
+ /*
+ * ARMv8 PMUv3 Performance Events handling code.
+- * Common event types.
++ * Common event types (some are defined in asm/perf_event.h).
+ */
+
+-/* Required events. */
+-#define ARMV8_PMUV3_PERFCTR_SW_INCR 0x00
+-#define ARMV8_PMUV3_PERFCTR_L1D_CACHE_REFILL 0x03
+-#define ARMV8_PMUV3_PERFCTR_L1D_CACHE 0x04
+-#define ARMV8_PMUV3_PERFCTR_BR_MIS_PRED 0x10
+-#define ARMV8_PMUV3_PERFCTR_CPU_CYCLES 0x11
+-#define ARMV8_PMUV3_PERFCTR_BR_PRED 0x12
+-
+ /* At least one of the following is required. */
+ #define ARMV8_PMUV3_PERFCTR_INST_RETIRED 0x08
+ #define ARMV8_PMUV3_PERFCTR_INST_SPEC 0x1B
+diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c
+index e51367d..31c144f 100644
+--- a/arch/arm64/kvm/sys_regs.c
++++ b/arch/arm64/kvm/sys_regs.c
+@@ -602,8 +602,14 @@ static bool access_pmu_evcntr(struct kvm_vcpu *vcpu,
+
+ idx = ARMV8_PMU_CYCLE_IDX;
+ } else {
+- BUG();
++ return false;
+ }
++ } else if (r->CRn == 0 && r->CRm == 9) {
++ /* PMCCNTR */
++ if (pmu_access_event_counter_el0_disabled(vcpu))
++ return false;
++
++ idx = ARMV8_PMU_CYCLE_IDX;
+ } else if (r->CRn == 14 && (r->CRm & 12) == 8) {
+ /* PMEVCNTRn_EL0 */
+ if (pmu_access_event_counter_el0_disabled(vcpu))
+@@ -611,7 +617,7 @@ static bool access_pmu_evcntr(struct kvm_vcpu *vcpu,
+
+ idx = ((r->CRm & 3) << 3) | (r->Op2 & 7);
+ } else {
+- BUG();
++ return false;
+ }
+
+ if (!pmu_counter_idx_valid(vcpu, idx))
+diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c
+index 7ac8e6e..8d586cf 100644
+--- a/arch/powerpc/kernel/setup_64.c
++++ b/arch/powerpc/kernel/setup_64.c
+@@ -226,17 +226,25 @@ static void __init configure_exceptions(void)
+ if (firmware_has_feature(FW_FEATURE_OPAL))
+ opal_configure_cores();
+
+- /* Enable AIL if supported, and we are in hypervisor mode */
+- if (early_cpu_has_feature(CPU_FTR_HVMODE) &&
+- early_cpu_has_feature(CPU_FTR_ARCH_207S)) {
+- unsigned long lpcr = mfspr(SPRN_LPCR);
+- mtspr(SPRN_LPCR, lpcr | LPCR_AIL_3);
+- }
++ /* AIL on native is done in cpu_ready_for_interrupts() */
+ }
+ }
+
+ static void cpu_ready_for_interrupts(void)
+ {
++ /*
++ * Enable AIL if supported, and we are in hypervisor mode. This
++ * is called once for every processor.
++ *
++ * If we are not in hypervisor mode the job is done once for
++ * the whole partition in configure_exceptions().
++ */
++ if (early_cpu_has_feature(CPU_FTR_HVMODE) &&
++ early_cpu_has_feature(CPU_FTR_ARCH_207S)) {
++ unsigned long lpcr = mfspr(SPRN_LPCR);
++ mtspr(SPRN_LPCR, lpcr | LPCR_AIL_3);
++ }
++
+ /* Set IR and DR in PACA MSR */
+ get_paca()->kernel_msr = MSR_KERNEL;
+ }
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
+index b81fe2d..1e81a37 100644
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -347,7 +347,6 @@ static void amd_detect_cmp(struct cpuinfo_x86 *c)
+ #ifdef CONFIG_SMP
+ unsigned bits;
+ int cpu = smp_processor_id();
+- unsigned int socket_id, core_complex_id;
+
+ bits = c->x86_coreid_bits;
+ /* Low order bits define the core id (index of core in socket) */
+@@ -365,10 +364,7 @@ static void amd_detect_cmp(struct cpuinfo_x86 *c)
+ if (c->x86 != 0x17 || !cpuid_edx(0x80000006))
+ return;
+
+- socket_id = (c->apicid >> bits) - 1;
+- core_complex_id = (c->apicid & ((1 << bits) - 1)) >> 3;
+-
+- per_cpu(cpu_llc_id, cpu) = (socket_id << 3) | core_complex_id;
++ per_cpu(cpu_llc_id, cpu) = c->apicid >> 3;
+ #endif
+ }
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 46f74d4..2fff657 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -210,7 +210,18 @@ static void kvm_on_user_return(struct
user_return_notifier *urn)
+ struct kvm_shared_msrs *locals
+ = container_of(urn, struct kvm_shared_msrs, urn);
+ struct kvm_shared_msr_values *values;
++ unsigned long flags;
+
++ /*
++ * Disabling irqs at this point since the following code could be
++ * interrupted and executed through kvm_arch_hardware_disable()
++ */
++ local_irq_save(flags);
++ if (locals->registered) {
++ locals->registered = false;
++ user_return_notifier_unregister(urn);
++ }
++ local_irq_restore(flags);
+ for (slot = 0; slot < shared_msrs_global.nr; ++slot) {
+ values = &locals->values[slot];
+ if (values->host != values->curr) {
+@@ -218,8 +229,6 @@ static void kvm_on_user_return(struct user_return_notifier
*urn)
+ values->curr = values->host;
+ }
+ }
+- locals->registered = false;
+- user_return_notifier_unregister(urn);
+ }
+
+ static void shared_msr_update(unsigned slot, u32 msr)
+@@ -3372,6 +3381,7 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
+ };
+ case KVM_SET_VAPIC_ADDR: {
+ struct kvm_vapic_addr va;
++ int idx;
+
+ r = -EINVAL;
+ if (!lapic_in_kernel(vcpu))
+@@ -3379,7 +3389,9 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
+ r = -EFAULT;
+ if (copy_from_user(&va, argp, sizeof va))
+ goto out;
++ idx = srcu_read_lock(&vcpu->kvm->srcu);
+ r = kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr);
++ srcu_read_unlock(&vcpu->kvm->srcu, idx);
+ break;
+ }
+ case KVM_X86_SETUP_MCE: {
+diff --git a/arch/x86/purgatory/Makefile b/arch/x86/purgatory/Makefile
+index ac58c16..555b9fa 100644
+--- a/arch/x86/purgatory/Makefile
++++ b/arch/x86/purgatory/Makefile
+@@ -16,6 +16,7 @@ KCOV_INSTRUMENT := n
+
+ KBUILD_CFLAGS := -fno-strict-aliasing -Wall -Wstrict-prototypes
-fno-zero-initialized-in-bss -fno-builtin -ffreestanding -c -MD -Os
-mcmodel=large
+ KBUILD_CFLAGS += -m$(BITS)
++KBUILD_CFLAGS += $(call cc-option,-fno-PIE)
+
+ $(obj)/purgatory.ro: $(PURGATORY_OBJS) FORCE
+ $(call if_changed,ld)
+diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
+index e44944f..2932a5b 100644
+--- a/drivers/base/power/main.c
++++ b/drivers/base/power/main.c
+@@ -1027,6 +1027,8 @@ static int __device_suspend_noirq(struct device *dev,
pm_message_t state, bool a
+ TRACE_DEVICE(dev);
+ TRACE_SUSPEND(0);
+
++ dpm_wait_for_children(dev, async);
++
+ if (async_error)
+ goto Complete;
+
+@@ -1038,8 +1040,6 @@ static int __device_suspend_noirq(struct device *dev,
pm_message_t state, bool a
+ if (dev->power.syscore || dev->power.direct_complete)
+ goto Complete;
+
+- dpm_wait_for_children(dev, async);
+-
+ if (dev->pm_domain) {
+ info = "noirq power domain ";
+ callback = pm_noirq_op(&dev->pm_domain->ops, state);
+@@ -1174,6 +1174,8 @@ static int __device_suspend_late(struct device *dev,
pm_message_t state, bool as
+
+ __pm_runtime_disable(dev, false);
+
++ dpm_wait_for_children(dev, async);
++
+ if (async_error)
+ goto Complete;
+
+@@ -1185,8 +1187,6 @@ static int __device_suspend_late(struct device *dev,
pm_message_t state, bool as
+ if (dev->power.syscore || dev->power.direct_complete)
+ goto Complete;
+
+- dpm_wait_for_children(dev, async);
+-
+ if (dev->pm_domain) {
+ info = "late power domain ";
+ callback = pm_late_early_op(&dev->pm_domain->ops, state);
+diff --git a/drivers/clk/imx/clk-pllv3.c b/drivers/clk/imx/clk-pllv3.c
+index 19f9b62..7a6acc3 100644
+--- a/drivers/clk/imx/clk-pllv3.c
++++ b/drivers/clk/imx/clk-pllv3.c
+@@ -223,7 +223,7 @@ static unsigned long clk_pllv3_av_recalc_rate(struct
clk_hw *hw,
+ temp64 *= mfn;
+ do_div(temp64, mfd);
+
+- return (parent_rate * div) + (u32)temp64;
++ return parent_rate * div + (unsigned long)temp64;
+ }
+
+ static long clk_pllv3_av_round_rate(struct clk_hw *hw, unsigned long rate,
+@@ -247,7 +247,11 @@ static long clk_pllv3_av_round_rate(struct clk_hw *hw,
unsigned long rate,
+ do_div(temp64, parent_rate);
+ mfn = temp64;
+
+- return parent_rate * div + parent_rate * mfn / mfd;
++ temp64 = (u64)parent_rate;
++ temp64 *= mfn;
++ do_div(temp64, mfd);
++
++ return parent_rate * div + (unsigned long)temp64;
+ }
+
+ static int clk_pllv3_av_set_rate(struct clk_hw *hw, unsigned long rate,
+diff --git a/drivers/clk/mmp/clk-of-mmp2.c b/drivers/clk/mmp/clk-of-mmp2.c
+index 3a51fff..9adaf48 100644
+--- a/drivers/clk/mmp/clk-of-mmp2.c
++++ b/drivers/clk/mmp/clk-of-mmp2.c
+@@ -313,7 +313,7 @@ static void __init mmp2_clk_init(struct device_node *np)
+ }
+
+ pxa_unit->apmu_base = of_iomap(np, 1);
+- if (!pxa_unit->mpmu_base) {
++ if (!pxa_unit->apmu_base) {
+ pr_err("failed to map apmu registers\n");
+ return;
+ }
+diff --git a/drivers/clk/mmp/clk-of-pxa168.c b/drivers/clk/mmp/clk-of-pxa168.c
+index 87f2317..f110c02 100644
+--- a/drivers/clk/mmp/clk-of-pxa168.c
++++ b/drivers/clk/mmp/clk-of-pxa168.c
+@@ -262,7 +262,7 @@ static void __init pxa168_clk_init(struct device_node *np)
+ }
+
+ pxa_unit->apmu_base = of_iomap(np, 1);
+- if (!pxa_unit->mpmu_base) {
++ if (!pxa_unit->apmu_base) {
+ pr_err("failed to map apmu registers\n");
+ return;
+ }
+diff --git a/drivers/clk/mmp/clk-of-pxa910.c b/drivers/clk/mmp/clk-of-pxa910.c
+index e22a67f..64d1ef4 100644
+--- a/drivers/clk/mmp/clk-of-pxa910.c
++++ b/drivers/clk/mmp/clk-of-pxa910.c
+@@ -282,7 +282,7 @@ static void __init pxa910_clk_init(struct device_node *np)
+ }
+
+ pxa_unit->apmu_base = of_iomap(np, 1);
+- if (!pxa_unit->mpmu_base) {
++ if (!pxa_unit->apmu_base) {
+ pr_err("failed to map apmu registers\n");
+ return;
+ }
+@@ -294,7 +294,7 @@ static void __init pxa910_clk_init(struct device_node *np)
+ }
+
+ pxa_unit->apbcp_base = of_iomap(np, 3);
+- if (!pxa_unit->mpmu_base) {
++ if (!pxa_unit->apbcp_base) {
+ pr_err("failed to map apbcp registers\n");
+ return;
+ }
+diff --git a/drivers/crypto/caam/caamalg.c b/drivers/crypto/caam/caamalg.c
+index b304421..2cde379 100644
+--- a/drivers/crypto/caam/caamalg.c
++++ b/drivers/crypto/caam/caamalg.c
+@@ -4542,6 +4542,15 @@ static int __init caam_algapi_init(void)
+ if (!aes_inst && (alg_sel == OP_ALG_ALGSEL_AES))
+ continue;
+
++ /*
++ * Check support for AES modes not available
++ * on LP devices.
++ */
++ if ((cha_vid & CHA_ID_LS_AES_MASK) == CHA_ID_LS_AES_LP)
++ if ((alg->class1_alg_type & OP_ALG_AAI_MASK) ==
++ OP_ALG_AAI_XTS)
++ continue;
++
+ t_alg = caam_alg_alloc(alg);
+ if (IS_ERR(t_alg)) {
+ err = PTR_ERR(t_alg);
+diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c
+index 02f2a56..47d08b9 100644
+--- a/drivers/gpio/gpio-pca953x.c
++++ b/drivers/gpio/gpio-pca953x.c
+@@ -372,14 +372,15 @@ static void pca953x_gpio_set_multiple(struct gpio_chip
*gc,
+ break;
+ }
+
+- memcpy(reg_val, chip->reg_output, NBANK(chip));
+ mutex_lock(&chip->i2c_lock);
++ memcpy(reg_val, chip->reg_output, NBANK(chip));
+ for(bank=0; bank<NBANK(chip); bank++) {
+ unsigned bankmask = mask[bank / sizeof(*mask)] >>
+ ((bank % sizeof(*mask)) * 8);
+ if(bankmask) {
+ unsigned bankval = bits[bank / sizeof(*bits)] >>
+ ((bank % sizeof(*bits)) * 8);
++ bankval &= bankmask;
+ reg_val[bank] = (reg_val[bank] & ~bankmask) | bankval;
+ }
+ }
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
+index b2dee10..15704aa 100644
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -2667,8 +2667,11 @@ int gpiochip_lock_as_irq(struct gpio_chip *chip,
unsigned int offset)
+ if (IS_ERR(desc))
+ return PTR_ERR(desc);
+
+- /* Flush direction if something changed behind our back */
+- if (chip->get_direction) {
++ /*
++ * If it's fast: flush the direction setting if something changed
++ * behind our back
++ */
++ if (!chip->can_sleep && chip->get_direction) {
+ int dir = chip->get_direction(chip, offset);
+
+ if (dir)
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu.h
b/drivers/gpu/drm/amd/amdgpu/amdgpu.h
+index 700c56b..e443073 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h
+@@ -492,6 +492,7 @@ struct amdgpu_bo {
+ u64 metadata_flags;
+ void *metadata;
+ u32 metadata_size;
++ unsigned prime_shared_count;
+ /* list of all virtual address to which this bo
+ * is associated to
+ */
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
+index 651115d..c02db01f6 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
+@@ -132,7 +132,7 @@ static int amdgpu_bo_list_set(struct amdgpu_device *adev,
+ entry->priority = min(info[i].bo_priority,
+ AMDGPU_BO_LIST_MAX_PRIORITY);
+ entry->tv.bo = &entry->robj->tbo;
+- entry->tv.shared = true;
++ entry->tv.shared = !entry->robj->prime_shared_count;
+
+ if (entry->robj->prefered_domains == AMDGPU_GEM_DOMAIN_GDS)
+ gds_obj = entry->robj;
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_prime.c
b/drivers/gpu/drm/amd/amdgpu/amdgpu_prime.c
+index 7700dc2..3826d5a 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_prime.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_prime.c
+@@ -74,20 +74,36 @@ amdgpu_gem_prime_import_sg_table(struct drm_device *dev,
+ if (ret)
+ return ERR_PTR(ret);
+
++ bo->prime_shared_count = 1;
+ return &bo->gem_base;
+ }
+
+ int amdgpu_gem_prime_pin(struct drm_gem_object *obj)
+ {
+ struct amdgpu_bo *bo = gem_to_amdgpu_bo(obj);
+- int ret = 0;
++ long ret = 0;
+
+ ret = amdgpu_bo_reserve(bo, false);
+ if (unlikely(ret != 0))
+ return ret;
+
++ /*
++ * Wait for all shared fences to complete before we switch to future
++ * use of exclusive fence on this prime shared bo.
++ */
++ ret = reservation_object_wait_timeout_rcu(bo->tbo.resv, true, false,
++ MAX_SCHEDULE_TIMEOUT);
++ if (unlikely(ret < 0)) {
++ DRM_DEBUG_PRIME("Fence wait failed: %li\n", ret);
++ amdgpu_bo_unreserve(bo);
++ return ret;
++ }
++
+ /* pin buffer into GTT */
+ ret = amdgpu_bo_pin(bo, AMDGPU_GEM_DOMAIN_GTT, NULL);
++ if (likely(ret == 0))
++ bo->prime_shared_count++;
++
+ amdgpu_bo_unreserve(bo);
+ return ret;
+ }
+@@ -102,6 +118,8 @@ void amdgpu_gem_prime_unpin(struct drm_gem_object *obj)
+ return;
+
+ amdgpu_bo_unpin(bo);
++ if (bo->prime_shared_count)
++ bo->prime_shared_count--;
+ amdgpu_bo_unreserve(bo);
+ }
+
+diff --git a/drivers/gpu/drm/i915/intel_bios.c
b/drivers/gpu/drm/i915/intel_bios.c
+index 1f8af87..cf25607 100644
+--- a/drivers/gpu/drm/i915/intel_bios.c
++++ b/drivers/gpu/drm/i915/intel_bios.c
+@@ -1143,7 +1143,7 @@ static void parse_ddi_port(struct drm_i915_private
*dev_priv, enum port port,
+ if (!child)
+ return;
+
+- aux_channel = child->raw[25];
++ aux_channel = child->common.aux_channel;
+ ddc_pin = child->common.ddc_pin;
+
+ is_dvi = child->common.device_type & DEVICE_TYPE_TMDS_DVI_SIGNALING;
+@@ -1673,7 +1673,8 @@ bool intel_bios_is_port_edp(struct drm_i915_private
*dev_priv, enum port port)
+ return false;
+ }
+
+-bool intel_bios_is_port_dp_dual_mode(struct drm_i915_private *dev_priv, enum
port port)
++static bool child_dev_is_dp_dual_mode(const union child_device_config
*p_child,
++ enum port port)
+ {
+ static const struct {
+ u16 dp, hdmi;
+@@ -1687,22 +1688,35 @@ bool intel_bios_is_port_dp_dual_mode(struct
drm_i915_private *dev_priv, enum por
+ [PORT_D] = { DVO_PORT_DPD, DVO_PORT_HDMID, },
+ [PORT_E] = { DVO_PORT_DPE, DVO_PORT_HDMIE, },
+ };
+- int i;
+
+ if (port == PORT_A || port >= ARRAY_SIZE(port_mapping))
+ return false;
+
+- if (!dev_priv->vbt.child_dev_num)
++ if ((p_child->common.device_type & DEVICE_TYPE_DP_DUAL_MODE_BITS) !=
++ (DEVICE_TYPE_DP_DUAL_MODE & DEVICE_TYPE_DP_DUAL_MODE_BITS))
+ return false;
+
++ if (p_child->common.dvo_port == port_mapping[port].dp)
++ return true;
++
++ /* Only accept a HDMI dvo_port as DP++ if it has an AUX channel */
++ if (p_child->common.dvo_port == port_mapping[port].hdmi &&
++ p_child->common.aux_channel != 0)
++ return true;
++
++ return false;
++}
++
++bool intel_bios_is_port_dp_dual_mode(struct drm_i915_private *dev_priv,
++ enum port port)
++{
++ int i;
++
+ for (i = 0; i < dev_priv->vbt.child_dev_num; i++) {
+ const union child_device_config *p_child =
+ &dev_priv->vbt.child_dev[i];
+
+- if ((p_child->common.dvo_port == port_mapping[port].dp ||
+- p_child->common.dvo_port == port_mapping[port].hdmi) &&
+- (p_child->common.device_type &
DEVICE_TYPE_DP_DUAL_MODE_BITS) ==
+- (DEVICE_TYPE_DP_DUAL_MODE & DEVICE_TYPE_DP_DUAL_MODE_BITS))
++ if (child_dev_is_dp_dual_mode(p_child, port))
+ return true;
+ }
+
+diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c
+index 3051182..b8aeb28 100644
+--- a/drivers/gpu/drm/i915/intel_dp.c
++++ b/drivers/gpu/drm/i915/intel_dp.c
+@@ -4323,21 +4323,11 @@ static enum drm_connector_status
+ intel_dp_detect(struct drm_connector *connector, bool force)
+ {
+ struct intel_dp *intel_dp = intel_attached_dp(connector);
+- struct intel_digital_port *intel_dig_port = dp_to_dig_port(intel_dp);
+- struct intel_encoder *intel_encoder = &intel_dig_port->base;
+ enum drm_connector_status status = connector->status;
+
+ DRM_DEBUG_KMS("[CONNECTOR:%d:%s]\n",
+ connector->base.id, connector->name);
+
+- if (intel_dp->is_mst) {
+- /* MST devices are disconnected from a monitor POV */
+- intel_dp_unset_edid(intel_dp);
+- if (intel_encoder->type != INTEL_OUTPUT_EDP)
+- intel_encoder->type = INTEL_OUTPUT_DP;
+- return connector_status_disconnected;
+- }
+-
+ /* If full detect is not performed yet, do a full detect */
+ if (!intel_dp->detect_done)
+ status = intel_dp_long_pulse(intel_dp->attached_connector);
+diff --git a/drivers/gpu/drm/i915/intel_vbt_defs.h
b/drivers/gpu/drm/i915/intel_vbt_defs.h
+index 68db962..8886cab1 100644
+--- a/drivers/gpu/drm/i915/intel_vbt_defs.h
++++ b/drivers/gpu/drm/i915/intel_vbt_defs.h
+@@ -280,7 +280,8 @@ struct common_child_dev_config {
+ u8 dp_support:1;
+ u8 tmds_support:1;
+ u8 support_reserved:5;
+- u8 not_common3[12];
++ u8 aux_channel;
++ u8 not_common3[11];
+ u8 iboost_level;
+ } __packed;
+
+diff --git a/drivers/i2c/Kconfig b/drivers/i2c/Kconfig
+index d223650..11edabf 100644
+--- a/drivers/i2c/Kconfig
++++ b/drivers/i2c/Kconfig
+@@ -59,7 +59,6 @@ config I2C_CHARDEV
+
+ config I2C_MUX
+ tristate "I2C bus multiplexing support"
+- depends on HAS_IOMEM
+ help
+ Say Y here if you want the I2C core to support the ability to
+ handle multiplexed I2C bus topologies, by presenting each
+diff --git a/drivers/i2c/muxes/Kconfig b/drivers/i2c/muxes/Kconfig
+index e280c8e..96de9ce 100644
+--- a/drivers/i2c/muxes/Kconfig
++++ b/drivers/i2c/muxes/Kconfig
+@@ -63,6 +63,7 @@ config I2C_MUX_PINCTRL
+
+ config I2C_MUX_REG
+ tristate "Register-based I2C multiplexer"
++ depends on HAS_IOMEM
+ help
+ If you say yes to this option, support will be included for a
+ register based I2C multiplexer. This driver provides access to
+diff --git a/drivers/i2c/muxes/i2c-mux-pca954x.c
b/drivers/i2c/muxes/i2c-mux-pca954x.c
+index 3278ebf..7e6f300 100644
+--- a/drivers/i2c/muxes/i2c-mux-pca954x.c
++++ b/drivers/i2c/muxes/i2c-mux-pca954x.c
+@@ -247,9 +247,9 @@ static int pca954x_probe(struct i2c_client *client,
+ /* discard unconfigured channels */
+ break;
+ idle_disconnect_pd = pdata->modes[num].deselect_on_exit;
+- data->deselect |= (idle_disconnect_pd
+- || idle_disconnect_dt) << num;
+ }
++ data->deselect |= (idle_disconnect_pd ||
++ idle_disconnect_dt) << num;
+
+ ret = i2c_mux_add_adapter(muxc, force, num, class);
+
+diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
+index c995255..71c7c4c 100644
+--- a/drivers/infiniband/core/cm.c
++++ b/drivers/infiniband/core/cm.c
+@@ -80,6 +80,8 @@ static struct ib_cm {
+ __be32 random_id_operand;
+ struct list_head timewait_list;
+ struct workqueue_struct *wq;
++ /* Sync on cm change port state */
++ spinlock_t state_lock;
+ } cm;
+
+ /* Counter indexes ordered by attribute ID */
+@@ -161,6 +163,8 @@ struct cm_port {
+ struct ib_mad_agent *mad_agent;
+ struct kobject port_obj;
+ u8 port_num;
++ struct list_head cm_priv_prim_list;
++ struct list_head cm_priv_altr_list;
+ struct cm_counter_group counter_group[CM_COUNTER_GROUPS];
+ };
+
+@@ -241,6 +245,12 @@ struct cm_id_private {
+ u8 service_timeout;
+ u8 target_ack_delay;
+
++ struct list_head prim_list;
++ struct list_head altr_list;
++ /* Indicates that the send port mad is registered and av is set */
++ int prim_send_port_not_ready;
++ int altr_send_port_not_ready;
++
+ struct list_head work_list;
+ atomic_t work_count;
+ };
+@@ -259,20 +269,47 @@ static int cm_alloc_msg(struct cm_id_private *cm_id_priv,
+ struct ib_mad_agent *mad_agent;
+ struct ib_mad_send_buf *m;
+ struct ib_ah *ah;
++ struct cm_av *av;
++ unsigned long flags, flags2;
++ int ret = 0;
+
++ /* don't let the port to be released till the agent is down */
++ spin_lock_irqsave(&cm.state_lock, flags2);
++ spin_lock_irqsave(&cm.lock, flags);
++ if (!cm_id_priv->prim_send_port_not_ready)
++ av = &cm_id_priv->av;
++ else if (!cm_id_priv->altr_send_port_not_ready &&
++ (cm_id_priv->alt_av.port))
++ av = &cm_id_priv->alt_av;
++ else {
++ pr_info("%s: not valid CM id\n", __func__);
++ ret = -ENODEV;
++ spin_unlock_irqrestore(&cm.lock, flags);
++ goto out;
++ }
++ spin_unlock_irqrestore(&cm.lock, flags);
++ /* Make sure the port haven't released the mad yet */
+ mad_agent = cm_id_priv->av.port->mad_agent;
+- ah = ib_create_ah(mad_agent->qp->pd, &cm_id_priv->av.ah_attr);
+- if (IS_ERR(ah))
+- return PTR_ERR(ah);
++ if (!mad_agent) {
++ pr_info("%s: not a valid MAD agent\n", __func__);
++ ret = -ENODEV;
++ goto out;
++ }
++ ah = ib_create_ah(mad_agent->qp->pd, &av->ah_attr);
++ if (IS_ERR(ah)) {
++ ret = PTR_ERR(ah);
++ goto out;
++ }
+
+ m = ib_create_send_mad(mad_agent, cm_id_priv->id.remote_cm_qpn,
+- cm_id_priv->av.pkey_index,
++ av->pkey_index,
+ 0, IB_MGMT_MAD_HDR, IB_MGMT_MAD_DATA,
+ GFP_ATOMIC,
+ IB_MGMT_BASE_VERSION);
+ if (IS_ERR(m)) {
+ ib_destroy_ah(ah);
+- return PTR_ERR(m);
++ ret = PTR_ERR(m);
++ goto out;
+ }
+
+ /* Timeout set by caller if response is expected. */
+@@ -282,7 +319,10 @@ static int cm_alloc_msg(struct cm_id_private *cm_id_priv,
+ atomic_inc(&cm_id_priv->refcount);
+ m->context[0] = cm_id_priv;
+ *msg = m;
+- return 0;
++
++out:
++ spin_unlock_irqrestore(&cm.state_lock, flags2);
++ return ret;
+ }
+
+ static int cm_alloc_response_msg(struct cm_port *port,
+@@ -352,7 +392,8 @@ static void cm_init_av_for_response(struct cm_port *port,
struct ib_wc *wc,
+ grh, &av->ah_attr);
+ }
+
+-static int cm_init_av_by_path(struct ib_sa_path_rec *path, struct cm_av *av)
++static int cm_init_av_by_path(struct ib_sa_path_rec *path, struct cm_av *av,
++ struct cm_id_private *cm_id_priv)
+ {
+ struct cm_device *cm_dev;
+ struct cm_port *port = NULL;
+@@ -387,7 +428,17 @@ static int cm_init_av_by_path(struct ib_sa_path_rec
*path, struct cm_av *av)
+ &av->ah_attr);
+ av->timeout = path->packet_life_time + 1;
+
+- return 0;
++ spin_lock_irqsave(&cm.lock, flags);
++ if (&cm_id_priv->av == av)
++ list_add_tail(&cm_id_priv->prim_list, &port->cm_priv_prim_list);
++ else if (&cm_id_priv->alt_av == av)
++ list_add_tail(&cm_id_priv->altr_list, &port->cm_priv_altr_list);
++ else
++ ret = -EINVAL;
++
++ spin_unlock_irqrestore(&cm.lock, flags);
++
++ return ret;
+ }
+
+ static int cm_alloc_id(struct cm_id_private *cm_id_priv)
+@@ -677,6 +728,8 @@ struct ib_cm_id *ib_create_cm_id(struct ib_device *device,
+ spin_lock_init(&cm_id_priv->lock);
+ init_completion(&cm_id_priv->comp);
+ INIT_LIST_HEAD(&cm_id_priv->work_list);
++ INIT_LIST_HEAD(&cm_id_priv->prim_list);
++ INIT_LIST_HEAD(&cm_id_priv->altr_list);
+ atomic_set(&cm_id_priv->work_count, -1);
+ atomic_set(&cm_id_priv->refcount, 1);
+ return &cm_id_priv->id;
+@@ -892,6 +945,15 @@ static void cm_destroy_id(struct ib_cm_id *cm_id, int err)
+ break;
+ }
+
++ spin_lock_irq(&cm.lock);
++ if (!list_empty(&cm_id_priv->altr_list) &&
++ (!cm_id_priv->altr_send_port_not_ready))
++ list_del(&cm_id_priv->altr_list);
++ if (!list_empty(&cm_id_priv->prim_list) &&
++ (!cm_id_priv->prim_send_port_not_ready))
++ list_del(&cm_id_priv->prim_list);
++ spin_unlock_irq(&cm.lock);
++
+ cm_free_id(cm_id->local_id);
+ cm_deref_id(cm_id_priv);
+ wait_for_completion(&cm_id_priv->comp);
+@@ -1192,12 +1254,13 @@ int ib_send_cm_req(struct ib_cm_id *cm_id,
+ goto out;
+ }
+
+- ret = cm_init_av_by_path(param->primary_path, &cm_id_priv->av);
++ ret = cm_init_av_by_path(param->primary_path, &cm_id_priv->av,
++ cm_id_priv);
+ if (ret)
+ goto error1;
+ if (param->alternate_path) {
+ ret = cm_init_av_by_path(param->alternate_path,
+- &cm_id_priv->alt_av);
++ &cm_id_priv->alt_av, cm_id_priv);
+ if (ret)
+ goto error1;
+ }
+@@ -1653,7 +1716,8 @@ static int cm_req_handler(struct cm_work *work)
+ dev_put(gid_attr.ndev);
+ }
+ work->path[0].gid_type = gid_attr.gid_type;
+- ret = cm_init_av_by_path(&work->path[0], &cm_id_priv->av);
++ ret = cm_init_av_by_path(&work->path[0], &cm_id_priv->av,
++ cm_id_priv);
+ }
+ if (ret) {
+ int err = ib_get_cached_gid(work->port->cm_dev->ib_device,
+@@ -1672,7 +1736,8 @@ static int cm_req_handler(struct cm_work *work)
+ goto rejected;
+ }
+ if (req_msg->alt_local_lid) {
+- ret = cm_init_av_by_path(&work->path[1], &cm_id_priv->alt_av);
++ ret = cm_init_av_by_path(&work->path[1], &cm_id_priv->alt_av,
++ cm_id_priv);
+ if (ret) {
+ ib_send_cm_rej(cm_id, IB_CM_REJ_INVALID_ALT_GID,
+ &work->path[0].sgid,
+@@ -2727,7 +2792,8 @@ int ib_send_cm_lap(struct ib_cm_id *cm_id,
+ goto out;
+ }
+
+- ret = cm_init_av_by_path(alternate_path, &cm_id_priv->alt_av);
++ ret = cm_init_av_by_path(alternate_path, &cm_id_priv->alt_av,
++ cm_id_priv);
+ if (ret)
+ goto out;
+ cm_id_priv->alt_av.timeout =
+@@ -2839,7 +2905,8 @@ static int cm_lap_handler(struct cm_work *work)
+ cm_init_av_for_response(work->port, work->mad_recv_wc->wc,
+ work->mad_recv_wc->recv_buf.grh,
+ &cm_id_priv->av);
+- cm_init_av_by_path(param->alternate_path, &cm_id_priv->alt_av);
++ cm_init_av_by_path(param->alternate_path, &cm_id_priv->alt_av,
++ cm_id_priv);
+ ret = atomic_inc_and_test(&cm_id_priv->work_count);
+ if (!ret)
+ list_add_tail(&work->list, &cm_id_priv->work_list);
+@@ -3031,7 +3098,7 @@ int ib_send_cm_sidr_req(struct ib_cm_id *cm_id,
+ return -EINVAL;
+
+ cm_id_priv = container_of(cm_id, struct cm_id_private, id);
+- ret = cm_init_av_by_path(param->path, &cm_id_priv->av);
++ ret = cm_init_av_by_path(param->path, &cm_id_priv->av, cm_id_priv);
+ if (ret)
+ goto out;
+
+@@ -3468,7 +3535,9 @@ static int cm_establish(struct ib_cm_id *cm_id)
+ static int cm_migrate(struct ib_cm_id *cm_id)
+ {
+ struct cm_id_private *cm_id_priv;
++ struct cm_av tmp_av;
+ unsigned long flags;
++ int tmp_send_port_not_ready;
+ int ret = 0;
+
+ cm_id_priv = container_of(cm_id, struct cm_id_private, id);
+@@ -3477,7 +3546,14 @@ static int cm_migrate(struct ib_cm_id *cm_id)
+ (cm_id->lap_state == IB_CM_LAP_UNINIT ||
+ cm_id->lap_state == IB_CM_LAP_IDLE)) {
+ cm_id->lap_state = IB_CM_LAP_IDLE;
++ /* Swap address vector */
++ tmp_av = cm_id_priv->av;
+ cm_id_priv->av = cm_id_priv->alt_av;
++ cm_id_priv->alt_av = tmp_av;
++ /* Swap port send ready state */
++ tmp_send_port_not_ready = cm_id_priv->prim_send_port_not_ready;
++ cm_id_priv->prim_send_port_not_ready =
cm_id_priv->altr_send_port_not_ready;
++ cm_id_priv->altr_send_port_not_ready = tmp_send_port_not_ready;
+ } else
+ ret = -EINVAL;
+ spin_unlock_irqrestore(&cm_id_priv->lock, flags);
+@@ -3888,6 +3964,9 @@ static void cm_add_one(struct ib_device *ib_device)
+ port->cm_dev = cm_dev;
+ port->port_num = i;
+
++ INIT_LIST_HEAD(&port->cm_priv_prim_list);
++ INIT_LIST_HEAD(&port->cm_priv_altr_list);
++
+ ret = cm_create_port_fs(port);
+ if (ret)
+ goto error1;
+@@ -3945,6 +4024,8 @@ static void cm_remove_one(struct ib_device *ib_device,
void *client_data)
+ {
+ struct cm_device *cm_dev = client_data;
+ struct cm_port *port;
++ struct cm_id_private *cm_id_priv;
++ struct ib_mad_agent *cur_mad_agent;
+ struct ib_port_modify port_modify = {
+ .clr_port_cap_mask = IB_PORT_CM_SUP
+ };
+@@ -3968,15 +4049,27 @@ static void cm_remove_one(struct ib_device *ib_device,
void *client_data)
+
+ port = cm_dev->port[i-1];
+ ib_modify_port(ib_device, port->port_num, 0, &port_modify);
++ /* Mark all the cm_id's as not valid */
++ spin_lock_irq(&cm.lock);
++ list_for_each_entry(cm_id_priv, &port->cm_priv_altr_list,
altr_list)
++ cm_id_priv->altr_send_port_not_ready = 1;
++ list_for_each_entry(cm_id_priv, &port->cm_priv_prim_list,
prim_list)
++ cm_id_priv->prim_send_port_not_ready = 1;
++ spin_unlock_irq(&cm.lock);
+ /*
+ * We flush the queue here after the going_down set, this
+ * verify that no new works will be queued in the recv handler,
+ * after that we can call the unregister_mad_agent
+ */
+ flush_workqueue(cm.wq);
+- ib_unregister_mad_agent(port->mad_agent);
++ spin_lock_irq(&cm.state_lock);
++ cur_mad_agent = port->mad_agent;
++ port->mad_agent = NULL;
++ spin_unlock_irq(&cm.state_lock);
++ ib_unregister_mad_agent(cur_mad_agent);
+ cm_remove_port_fs(port);
+ }
++
+ device_unregister(cm_dev->device);
+ kfree(cm_dev);
+ }
+@@ -3989,6 +4082,7 @@ static int __init ib_cm_init(void)
+ INIT_LIST_HEAD(&cm.device_list);
+ rwlock_init(&cm.device_lock);
+ spin_lock_init(&cm.lock);
++ spin_lock_init(&cm.state_lock);
+ cm.listen_service_table = RB_ROOT;
+ cm.listen_service_id = be64_to_cpu(IB_CM_ASSIGN_SERVICE_ID);
+ cm.remote_id_table = RB_ROOT;
+diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
+index c68746c..bdab61d 100644
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -174,7 +174,7 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context,
unsigned long addr,
+
+ cur_base = addr & PAGE_MASK;
+
+- if (npages == 0) {
++ if (npages == 0 || npages > UINT_MAX) {
+ ret = -EINVAL;
+ goto out;
+ }
+diff --git a/drivers/infiniband/core/uverbs_main.c
b/drivers/infiniband/core/uverbs_main.c
+index 0012fa5..44b1104 100644
+--- a/drivers/infiniband/core/uverbs_main.c
++++ b/drivers/infiniband/core/uverbs_main.c
+@@ -262,12 +262,9 @@ static int ib_uverbs_cleanup_ucontext(struct
ib_uverbs_file *file,
+ container_of(uobj, struct ib_uqp_object,
uevent.uobject);
+
+ idr_remove_uobj(&ib_uverbs_qp_idr, uobj);
+- if (qp != qp->real_qp) {
+- ib_close_qp(qp);
+- } else {
++ if (qp == qp->real_qp)
+ ib_uverbs_detach_umcast(qp, uqp);
+- ib_destroy_qp(qp);
+- }
++ ib_destroy_qp(qp);
+ ib_uverbs_release_uevent(file, &uqp->uevent);
+ kfree(uqp);
+ }
+diff --git a/drivers/infiniband/hw/hfi1/rc.c b/drivers/infiniband/hw/hfi1/rc.c
+index bcf76c3..e362998 100644
+--- a/drivers/infiniband/hw/hfi1/rc.c
++++ b/drivers/infiniband/hw/hfi1/rc.c
+@@ -87,7 +87,7 @@ void hfi1_add_rnr_timer(struct rvt_qp *qp, u32 to)
+ struct hfi1_qp_priv *priv = qp->priv;
+
+ qp->s_flags |= RVT_S_WAIT_RNR;
+- qp->s_timer.expires = jiffies + usecs_to_jiffies(to);
++ priv->s_rnr_timer.expires = jiffies + usecs_to_jiffies(to);
+ add_timer(&priv->s_rnr_timer);
+ }
+
+diff --git a/drivers/infiniband/hw/hfi1/user_sdma.c
b/drivers/infiniband/hw/hfi1/user_sdma.c
+index 1694037..8f59a4f 100644
+--- a/drivers/infiniband/hw/hfi1/user_sdma.c
++++ b/drivers/infiniband/hw/hfi1/user_sdma.c
+@@ -1152,7 +1152,7 @@ static int pin_vector_pages(struct user_sdma_request
*req,
+ rb_node = hfi1_mmu_rb_extract(pq->handler,
+ (unsigned long)iovec->iov.iov_base,
+ iovec->iov.iov_len);
+- if (rb_node && !IS_ERR(rb_node))
++ if (rb_node)
+ node = container_of(rb_node, struct sdma_mmu_node, rb);
+ else
+ rb_node = NULL;
+diff --git a/drivers/infiniband/hw/mlx4/ah.c b/drivers/infiniband/hw/mlx4/ah.c
+index 5fc6233..b9bf075 100644
+--- a/drivers/infiniband/hw/mlx4/ah.c
++++ b/drivers/infiniband/hw/mlx4/ah.c
+@@ -102,7 +102,10 @@ static struct ib_ah *create_iboe_ah(struct ib_pd *pd,
struct ib_ah_attr *ah_attr
+ if (vlan_tag < 0x1000)
+ vlan_tag |= (ah_attr->sl & 7) << 13;
+ ah->av.eth.port_pd = cpu_to_be32(to_mpd(pd)->pdn | (ah_attr->port_num
<< 24));
+- ah->av.eth.gid_index = mlx4_ib_gid_index_to_real_index(ibdev,
ah_attr->port_num, ah_attr->grh.sgid_index);
++ ret = mlx4_ib_gid_index_to_real_index(ibdev, ah_attr->port_num,
ah_attr->grh.sgid_index);
++ if (ret < 0)
++ return ERR_PTR(ret);
++ ah->av.eth.gid_index = ret;
+ ah->av.eth.vlan = cpu_to_be16(vlan_tag);
+ ah->av.eth.hop_limit = ah_attr->grh.hop_limit;
+ if (ah_attr->static_rate) {
+diff --git a/drivers/infiniband/hw/mlx4/cq.c b/drivers/infiniband/hw/mlx4/cq.c
+index 5df63da..efb6414 100644
+--- a/drivers/infiniband/hw/mlx4/cq.c
++++ b/drivers/infiniband/hw/mlx4/cq.c
+@@ -253,11 +253,14 @@ struct ib_cq *mlx4_ib_create_cq(struct ib_device *ibdev,
+ if (context)
+ if (ib_copy_to_udata(udata, &cq->mcq.cqn, sizeof (__u32))) {
+ err = -EFAULT;
+- goto err_dbmap;
++ goto err_cq_free;
+ }
+
+ return &cq->ibcq;
+
++err_cq_free:
++ mlx4_cq_free(dev->dev, &cq->mcq);
++
+ err_dbmap:
+ if (context)
+ mlx4_ib_db_unmap_user(to_mucontext(context), &cq->db);
+diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c
+index e4fac929..ebe43cb 100644
+--- a/drivers/infiniband/hw/mlx5/cq.c
++++ b/drivers/infiniband/hw/mlx5/cq.c
+@@ -917,8 +917,7 @@ struct ib_cq *mlx5_ib_create_cq(struct ib_device *ibdev,
+ if (err)
+ goto err_create;
+ } else {
+- /* for now choose 64 bytes till we have a proper interface */
+- cqe_size = 64;
++ cqe_size = cache_line_size() == 128 ? 128 : 64;
+ err = create_cq_kernel(dev, cq, entries, cqe_size, &cqb,
+ &index, &inlen);
+ if (err)
+diff --git a/drivers/infiniband/hw/mlx5/main.c
b/drivers/infiniband/hw/mlx5/main.c
+index bff8707a..19f8820 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -2100,14 +2100,14 @@ static void mlx5_ib_event(struct mlx5_core_dev *dev,
void *context,
+ {
+ struct mlx5_ib_dev *ibdev = (struct mlx5_ib_dev *)context;
+ struct ib_event ibev;
+-
++ bool fatal = false;
+ u8 port = 0;
+
+ switch (event) {
+ case MLX5_DEV_EVENT_SYS_ERROR:
+- ibdev->ib_active = false;
+ ibev.event = IB_EVENT_DEVICE_FATAL;
+ mlx5_ib_handle_internal_error(ibdev);
++ fatal = true;
+ break;
+
+ case MLX5_DEV_EVENT_PORT_UP:
+@@ -2154,6 +2154,9 @@ static void mlx5_ib_event(struct mlx5_core_dev *dev,
void *context,
+
+ if (ibdev->ib_active)
+ ib_dispatch_event(&ibev);
++
++ if (fatal)
++ ibdev->ib_active = false;
+ }
+
+ static void get_ext_port_caps(struct mlx5_ib_dev *dev)
+@@ -2835,7 +2838,7 @@ static void *mlx5_ib_add(struct mlx5_core_dev *mdev)
+ }
+ err = init_node_data(dev);
+ if (err)
+- goto err_dealloc;
++ goto err_free_port;
+
+ mutex_init(&dev->flow_db.lock);
+ mutex_init(&dev->cap_mask_mutex);
+@@ -2845,7 +2848,7 @@ static void *mlx5_ib_add(struct mlx5_core_dev *mdev)
+ if (ll == IB_LINK_LAYER_ETHERNET) {
+ err = mlx5_enable_roce(dev);
+ if (err)
+- goto err_dealloc;
++ goto err_free_port;
+ }
+
+ err = create_dev_resources(&dev->devr);
+diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
+index affc3f6..19d590d 100644
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -2037,8 +2037,8 @@ struct ib_qp *mlx5_ib_create_qp(struct ib_pd *pd,
+
+ mlx5_ib_dbg(dev, "ib qpnum 0x%x, mlx qpn 0x%x, rcqn 0x%x, scqn
0x%x\n",
+ qp->ibqp.qp_num, qp->trans_qp.base.mqp.qpn,
+- to_mcq(init_attr->recv_cq)->mcq.cqn,
+- to_mcq(init_attr->send_cq)->mcq.cqn);
++ init_attr->recv_cq ?
to_mcq(init_attr->recv_cq)->mcq.cqn : -1,
++ init_attr->send_cq ?
to_mcq(init_attr->send_cq)->mcq.cqn : -1);
+
+ qp->trans_qp.xrcdn = xrcdn;
+
+@@ -4702,6 +4702,14 @@ struct ib_rwq_ind_table
*mlx5_ib_create_rwq_ind_table(struct ib_device *device,
+ udata->inlen))
+ return ERR_PTR(-EOPNOTSUPP);
+
++ if (init_attr->log_ind_tbl_size >
++ MLX5_CAP_GEN(dev->mdev, log_max_rqt_size)) {
++ mlx5_ib_dbg(dev, "log_ind_tbl_size = %d is bigger than
supported = %d\n",
++ init_attr->log_ind_tbl_size,
++ MLX5_CAP_GEN(dev->mdev, log_max_rqt_size));
++ return ERR_PTR(-EINVAL);
++ }
++
+ min_resp_len = offsetof(typeof(resp), reserved) + sizeof(resp.reserved);
+ if (udata->outlen && udata->outlen < min_resp_len)
+ return ERR_PTR(-EINVAL);
+diff --git a/drivers/infiniband/sw/rdmavt/dma.c
b/drivers/infiniband/sw/rdmavt/dma.c
+index 33076a5..04ebbb5 100644
+--- a/drivers/infiniband/sw/rdmavt/dma.c
++++ b/drivers/infiniband/sw/rdmavt/dma.c
+@@ -90,9 +90,6 @@ static u64 rvt_dma_map_page(struct ib_device *dev, struct
page *page,
+ if (WARN_ON(!valid_dma_direction(direction)))
+ return BAD_DMA_ADDRESS;
+
+- if (offset + size > PAGE_SIZE)
+- return BAD_DMA_ADDRESS;
+-
+ addr = (u64)page_address(page);
+ if (addr)
+ addr += offset;
+diff --git a/drivers/infiniband/sw/rxe/rxe_net.c
b/drivers/infiniband/sw/rxe/rxe_net.c
+index eedf2f1..7f5d735 100644
+--- a/drivers/infiniband/sw/rxe/rxe_net.c
++++ b/drivers/infiniband/sw/rxe/rxe_net.c
+@@ -243,10 +243,8 @@ static struct socket *rxe_setup_udp_tunnel(struct net
*net, __be16 port,
+ {
+ int err;
+ struct socket *sock;
+- struct udp_port_cfg udp_cfg;
+- struct udp_tunnel_sock_cfg tnl_cfg;
+-
+- memset(&udp_cfg, 0, sizeof(udp_cfg));
++ struct udp_port_cfg udp_cfg = {0};
++ struct udp_tunnel_sock_cfg tnl_cfg = {0};
+
+ if (ipv6) {
+ udp_cfg.family = AF_INET6;
+@@ -264,10 +262,8 @@ static struct socket *rxe_setup_udp_tunnel(struct net
*net, __be16 port,
+ return ERR_PTR(err);
+ }
+
+- tnl_cfg.sk_user_data = NULL;
+ tnl_cfg.encap_type = 1;
+ tnl_cfg.encap_rcv = rxe_udp_encap_recv;
+- tnl_cfg.encap_destroy = NULL;
+
+ /* Setup UDP tunnel */
+ setup_udp_tunnel_sock(net, sock, &tnl_cfg);
+diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c
b/drivers/infiniband/sw/rxe/rxe_qp.c
+index 22ba24f..f724a7e 100644
+--- a/drivers/infiniband/sw/rxe/rxe_qp.c
++++ b/drivers/infiniband/sw/rxe/rxe_qp.c
+@@ -522,6 +522,7 @@ static void rxe_qp_reset(struct rxe_qp *qp)
+ if (qp->sq.queue) {
+ __rxe_do_task(&qp->comp.task);
+ __rxe_do_task(&qp->req.task);
++ rxe_queue_reset(qp->sq.queue);
+ }
+
+ /* cleanup attributes */
+@@ -573,6 +574,7 @@ void rxe_qp_error(struct rxe_qp *qp)
+ {
+ qp->req.state = QP_STATE_ERROR;
+ qp->resp.state = QP_STATE_ERROR;
++ qp->attr.qp_state = IB_QPS_ERR;
+
+ /* drain work and packet queues */
+ rxe_run_task(&qp->resp.task, 1);
+diff --git a/drivers/infiniband/sw/rxe/rxe_queue.c
b/drivers/infiniband/sw/rxe/rxe_queue.c
+index 0827425..d14bf49 100644
+--- a/drivers/infiniband/sw/rxe/rxe_queue.c
++++ b/drivers/infiniband/sw/rxe/rxe_queue.c
+@@ -84,6 +84,15 @@ int do_mmap_info(struct rxe_dev *rxe,
+ return -EINVAL;
+ }
+
++inline void rxe_queue_reset(struct rxe_queue *q)
++{
++ /* queue is comprised from header and the memory
++ * of the actual queue. See "struct rxe_queue_buf" in rxe_queue.h
++ * reset only the queue itself and not the management header
++ */
++ memset(q->buf->data, 0, q->buf_size - sizeof(struct rxe_queue_buf));
++}
++
+ struct rxe_queue *rxe_queue_init(struct rxe_dev *rxe,
+ int *num_elem,
+ unsigned int elem_size)
+diff --git a/drivers/infiniband/sw/rxe/rxe_queue.h
b/drivers/infiniband/sw/rxe/rxe_queue.h
+index 239fd60..8c8641c 100644
+--- a/drivers/infiniband/sw/rxe/rxe_queue.h
++++ b/drivers/infiniband/sw/rxe/rxe_queue.h
+@@ -84,6 +84,8 @@ int do_mmap_info(struct rxe_dev *rxe,
+ size_t buf_size,
+ struct rxe_mmap_info **ip_p);
+
++void rxe_queue_reset(struct rxe_queue *q);
++
+ struct rxe_queue *rxe_queue_init(struct rxe_dev *rxe,
+ int *num_elem,
+ unsigned int elem_size);
+diff --git a/drivers/infiniband/sw/rxe/rxe_req.c
b/drivers/infiniband/sw/rxe/rxe_req.c
+index 13a848a..43bb166 100644
+--- a/drivers/infiniband/sw/rxe/rxe_req.c
++++ b/drivers/infiniband/sw/rxe/rxe_req.c
+@@ -695,7 +695,8 @@ int rxe_requester(void *arg)
+ qp->req.wqe_index);
+ wqe->state = wqe_state_done;
+ wqe->status = IB_WC_SUCCESS;
+- goto complete;
++ __rxe_do_task(&qp->comp.task);
++ return 0;
+ }
+ payload = mtu;
+ }
+@@ -744,13 +745,17 @@ int rxe_requester(void *arg)
+ wqe->status = IB_WC_LOC_PROT_ERR;
+ wqe->state = wqe_state_error;
+
+-complete:
+- if (qp_type(qp) != IB_QPT_RC) {
+- while (rxe_completer(qp) == 0)
+- ;
+- }
+-
+- return 0;
++ /*
++ * IBA Spec. Section 10.7.3.1 SIGNALED COMPLETIONS
++ * ---------8<---------8<-------------
++ * ...Note that if a completion error occurs, a Work Completion
++ * will always be generated, even if the signaling
++ * indicator requests an Unsignaled Completion.
++ * ---------8<---------8<-------------
++ */
++ wqe->wr.send_flags |= IB_SEND_SIGNALED;
++ __rxe_do_task(&qp->comp.task);
++ return -EAGAIN;
+
+ exit:
+ return -EAGAIN;
+diff --git a/drivers/mfd/intel-lpss.c b/drivers/mfd/intel-lpss.c
+index 41b1138..70c646b 100644
+--- a/drivers/mfd/intel-lpss.c
++++ b/drivers/mfd/intel-lpss.c
+@@ -502,9 +502,6 @@ int intel_lpss_suspend(struct device *dev)
+ for (i = 0; i < LPSS_PRIV_REG_COUNT; i++)
+ lpss->priv_ctx[i] = readl(lpss->priv + i * 4);
+
+- /* Put the device into reset state */
+- writel(0, lpss->priv + LPSS_PRIV_RESETS);
+-
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(intel_lpss_suspend);
+diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c
+index 3ac486a..c57e407 100644
+--- a/drivers/mfd/mfd-core.c
++++ b/drivers/mfd/mfd-core.c
+@@ -399,6 +399,8 @@ int mfd_clone_cell(const char *cell, const char **clones,
size_t n_clones)
+ clones[i]);
+ }
+
++ put_device(dev);
++
+ return 0;
+ }
+ EXPORT_SYMBOL(mfd_clone_cell);
+diff --git a/drivers/mfd/stmpe.c b/drivers/mfd/stmpe.c
+index 94c7cc0..00dd7ff 100644
+--- a/drivers/mfd/stmpe.c
++++ b/drivers/mfd/stmpe.c
+@@ -761,6 +761,8 @@ static int stmpe1801_reset(struct stmpe *stmpe)
+ if (ret < 0)
+ return ret;
+
++ msleep(10);
++
+ timeout = jiffies + msecs_to_jiffies(100);
+ while (time_before(jiffies, timeout)) {
+ ret = __stmpe_reg_read(stmpe, STMPE1801_REG_SYS_CTRL);
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 1b5f531..bf3fd34 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -2010,23 +2010,33 @@ static struct virtio_device_id id_table[] = {
+ { 0 },
+ };
+
++#define VIRTNET_FEATURES \
++ VIRTIO_NET_F_CSUM, VIRTIO_NET_F_GUEST_CSUM, \
++ VIRTIO_NET_F_MAC, \
++ VIRTIO_NET_F_HOST_TSO4, VIRTIO_NET_F_HOST_UFO, VIRTIO_NET_F_HOST_TSO6, \
++ VIRTIO_NET_F_HOST_ECN, VIRTIO_NET_F_GUEST_TSO4,
VIRTIO_NET_F_GUEST_TSO6, \
++ VIRTIO_NET_F_GUEST_ECN, VIRTIO_NET_F_GUEST_UFO, \
++ VIRTIO_NET_F_MRG_RXBUF, VIRTIO_NET_F_STATUS, VIRTIO_NET_F_CTRL_VQ, \
++ VIRTIO_NET_F_CTRL_RX, VIRTIO_NET_F_CTRL_VLAN, \
++ VIRTIO_NET_F_GUEST_ANNOUNCE, VIRTIO_NET_F_MQ, \
++ VIRTIO_NET_F_CTRL_MAC_ADDR, \
++ VIRTIO_NET_F_MTU
++
+ static unsigned int features[] = {
+- VIRTIO_NET_F_CSUM, VIRTIO_NET_F_GUEST_CSUM,
+- VIRTIO_NET_F_GSO, VIRTIO_NET_F_MAC,
+- VIRTIO_NET_F_HOST_TSO4, VIRTIO_NET_F_HOST_UFO, VIRTIO_NET_F_HOST_TSO6,
+- VIRTIO_NET_F_HOST_ECN, VIRTIO_NET_F_GUEST_TSO4, VIRTIO_NET_F_GUEST_TSO6,
+- VIRTIO_NET_F_GUEST_ECN, VIRTIO_NET_F_GUEST_UFO,
+- VIRTIO_NET_F_MRG_RXBUF, VIRTIO_NET_F_STATUS, VIRTIO_NET_F_CTRL_VQ,
+- VIRTIO_NET_F_CTRL_RX, VIRTIO_NET_F_CTRL_VLAN,
+- VIRTIO_NET_F_GUEST_ANNOUNCE, VIRTIO_NET_F_MQ,
+- VIRTIO_NET_F_CTRL_MAC_ADDR,
++ VIRTNET_FEATURES,
++};
++
++static unsigned int features_legacy[] = {
++ VIRTNET_FEATURES,
++ VIRTIO_NET_F_GSO,
+ VIRTIO_F_ANY_LAYOUT,
+- VIRTIO_NET_F_MTU,
+ };
+
+ static struct virtio_driver virtio_net_driver = {
+ .feature_table = features,
+ .feature_table_size = ARRAY_SIZE(features),
++ .feature_table_legacy = features_legacy,
++ .feature_table_size_legacy = ARRAY_SIZE(features_legacy),
+ .driver.name = KBUILD_MODNAME,
+ .driver.owner = THIS_MODULE,
+ .id_table = id_table,
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
+index 4fdc3da..ea67ae9 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
+@@ -1087,6 +1087,15 @@ iwl_mvm_netdetect_config(struct iwl_mvm *mvm,
+ ret = iwl_mvm_switch_to_d3(mvm);
+ if (ret)
+ return ret;
++ } else {
++ /* In theory, we wouldn't have to stop a running sched
++ * scan in order to start another one (for
++ * net-detect). But in practice this doesn't seem to
++ * work properly, so stop any running sched_scan now.
++ */
++ ret = iwl_mvm_scan_stop(mvm, IWL_MVM_SCAN_SCHED, true);
++ if (ret)
++ return ret;
+ }
+
+ /* rfkill release can be either for wowlan or netdetect */
+@@ -2088,6 +2097,16 @@ static int __iwl_mvm_resume(struct iwl_mvm *mvm, bool
test)
+ iwl_mvm_update_changed_regdom(mvm);
+
+ if (mvm->net_detect) {
++ /* If this is a non-unified image, we restart the FW,
++ * so no need to stop the netdetect scan. If that
++ * fails, continue and try to get the wake-up reasons,
++ * but trigger a HW restart by keeping a failure code
++ * in ret.
++ */
++ if (unified_image)
++ ret = iwl_mvm_scan_stop(mvm, IWL_MVM_SCAN_NETDETECT,
++ false);
++
+ iwl_mvm_query_netdetect_reasons(mvm, vif);
+ /* has unlocked the mutex, so skip that */
+ goto out;
+@@ -2271,7 +2290,8 @@ static void iwl_mvm_d3_test_disconn_work_iter(void
*_data, u8 *mac,
+ static int iwl_mvm_d3_test_release(struct inode *inode, struct file *file)
+ {
+ struct iwl_mvm *mvm = inode->i_private;
+- int remaining_time = 10;
++ bool unified_image = fw_has_capa(&mvm->fw->ucode_capa,
++ IWL_UCODE_TLV_CAPA_CNSLDTD_D3_D0_IMG);
+
+ mvm->d3_test_active = false;
+
+@@ -2282,17 +2302,21 @@ static int iwl_mvm_d3_test_release(struct inode
*inode, struct file *file)
+ mvm->trans->system_pm_mode = IWL_PLAT_PM_MODE_DISABLED;
+
+ iwl_abort_notification_waits(&mvm->notif_wait);
+- ieee80211_restart_hw(mvm->hw);
++ if (!unified_image) {
++ int remaining_time = 10;
+
+- /* wait for restart and disconnect all interfaces */
+- while (test_bit(IWL_MVM_STATUS_IN_HW_RESTART, &mvm->status) &&
+- remaining_time > 0) {
+- remaining_time--;
+- msleep(1000);
+- }
++ ieee80211_restart_hw(mvm->hw);
+
+- if (remaining_time == 0)
+- IWL_ERR(mvm, "Timed out waiting for HW restart to finish!\n");
++ /* wait for restart and disconnect all interfaces */
++ while (test_bit(IWL_MVM_STATUS_IN_HW_RESTART, &mvm->status) &&
++ remaining_time > 0) {
++ remaining_time--;
++ msleep(1000);
++ }
++
++ if (remaining_time == 0)
++ IWL_ERR(mvm, "Timed out waiting for HW restart!\n");
++ }
+
+ ieee80211_iterate_active_interfaces_atomic(
+ mvm->hw, IEEE80211_IFACE_ITER_NORMAL,
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+index 5dd77e3..90a1f4a 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -4097,7 +4097,6 @@ void iwl_mvm_sync_rx_queues_internal(struct iwl_mvm *mvm,
+ struct iwl_mvm_internal_rxq_notif *notif,
+ u32 size)
+ {
+- DECLARE_WAIT_QUEUE_HEAD_ONSTACK(notif_waitq);
+ u32 qmask = BIT(mvm->trans->num_rx_queues) - 1;
+ int ret;
+
+@@ -4119,7 +4118,7 @@ void iwl_mvm_sync_rx_queues_internal(struct iwl_mvm *mvm,
+ }
+
+ if (notif->sync)
+- ret = wait_event_timeout(notif_waitq,
++ ret = wait_event_timeout(mvm->rx_sync_waitq,
+ atomic_read(&mvm->queue_sync_counter)
== 0,
+ HZ);
+ WARN_ON_ONCE(!ret);
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+index 6a615bb..e9cb970 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+@@ -932,6 +932,7 @@ struct iwl_mvm {
+ /* sync d0i3_tx queue and IWL_MVM_STATUS_IN_D0I3 status flag */
+ spinlock_t d0i3_tx_lock;
+ wait_queue_head_t d0i3_exit_waitq;
++ wait_queue_head_t rx_sync_waitq;
+
+ /* BT-Coex */
+ struct iwl_bt_coex_profile_notif last_bt_notif;
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+index 55d9096..30bbdec 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+@@ -618,6 +618,7 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const
struct iwl_cfg *cfg,
+ spin_lock_init(&mvm->refs_lock);
+ skb_queue_head_init(&mvm->d0i3_tx);
+ init_waitqueue_head(&mvm->d0i3_exit_waitq);
++ init_waitqueue_head(&mvm->rx_sync_waitq);
+
+ atomic_set(&mvm->queue_sync_counter, 0);
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+index afb7eb6..2b994be 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+@@ -545,7 +545,8 @@ void iwl_mvm_rx_queue_notif(struct iwl_mvm *mvm, struct
iwl_rx_cmd_buffer *rxb,
+ "Received expired RX queue sync message\n");
+ return;
+ }
+- atomic_dec(&mvm->queue_sync_counter);
++ if (!atomic_dec_return(&mvm->queue_sync_counter))
++ wake_up(&mvm->rx_sync_waitq);
+ }
+
+ switch (internal_notif->type) {
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
+index dac120f..3707ec6 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
+@@ -1185,6 +1185,9 @@ static int iwl_mvm_num_scans(struct iwl_mvm *mvm)
+
+ static int iwl_mvm_check_running_scans(struct iwl_mvm *mvm, int type)
+ {
++ bool unified_image = fw_has_capa(&mvm->fw->ucode_capa,
++ IWL_UCODE_TLV_CAPA_CNSLDTD_D3_D0_IMG);
++
+ /* This looks a bit arbitrary, but the idea is that if we run
+ * out of possible simultaneous scans and the userspace is
+ * trying to run a scan type that is already running, we
+@@ -1211,12 +1214,30 @@ static int iwl_mvm_check_running_scans(struct iwl_mvm
*mvm, int type)
+ return -EBUSY;
+ return iwl_mvm_scan_stop(mvm, IWL_MVM_SCAN_REGULAR, true);
+ case IWL_MVM_SCAN_NETDETECT:
+- /* No need to stop anything for net-detect since the
+- * firmware is restarted anyway. This way, any sched
+- * scans that were running will be restarted when we
+- * resume.
+- */
+- return 0;
++ /* For non-unified images, there's no need to stop
++ * anything for net-detect since the firmware is
++ * restarted anyway. This way, any sched scans that
++ * were running will be restarted when we resume.
++ */
++ if (!unified_image)
++ return 0;
++
++ /* If this is a unified image and we ran out of scans,
++ * we need to stop something. Prefer stopping regular
++ * scans, because the results are useless at this
++ * point, and we should be able to keep running
++ * another scheduled scan while suspended.
++ */
++ if (mvm->scan_status & IWL_MVM_SCAN_REGULAR_MASK)
++ return iwl_mvm_scan_stop(mvm, IWL_MVM_SCAN_REGULAR,
++ true);
++ if (mvm->scan_status & IWL_MVM_SCAN_SCHED_MASK)
++ return iwl_mvm_scan_stop(mvm, IWL_MVM_SCAN_SCHED,
++ true);
++
++ /* fall through, something is wrong if no scan was
++ * running but we ran out of scans.
++ */
+ default:
+ WARN_ON(1);
+ break;
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+index 78cf9a7..13842ca 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -526,48 +526,64 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+ MODULE_DEVICE_TABLE(pci, iwl_hw_card_ids);
+
+ #ifdef CONFIG_ACPI
+-#define SPL_METHOD "SPLC"
+-#define SPL_DOMAINTYPE_MODULE BIT(0)
+-#define SPL_DOMAINTYPE_WIFI BIT(1)
+-#define SPL_DOMAINTYPE_WIGIG BIT(2)
+-#define SPL_DOMAINTYPE_RFEM BIT(3)
++#define ACPI_SPLC_METHOD "SPLC"
++#define ACPI_SPLC_DOMAIN_WIFI (0x07)
+
+-static u64 splx_get_pwr_limit(struct iwl_trans *trans, union acpi_object
*splx)
++static u64 splc_get_pwr_limit(struct iwl_trans *trans, union acpi_object
*splc)
+ {
+- union acpi_object *limits, *domain_type, *power_limit;
+-
+- if (splx->type != ACPI_TYPE_PACKAGE ||
+- splx->package.count != 2 ||
+- splx->package.elements[0].type != ACPI_TYPE_INTEGER ||
+- splx->package.elements[0].integer.value != 0) {
+- IWL_ERR(trans, "Unsupported splx structure\n");
++ union acpi_object *data_pkg, *dflt_pwr_limit;
++ int i;
++
++ /* We need at least two elements, one for the revision and one
++ * for the data itself. Also check that the revision is
++ * supported (currently only revision 0).
++ */
++ if (splc->type != ACPI_TYPE_PACKAGE ||
++ splc->package.count < 2 ||
++ splc->package.elements[0].type != ACPI_TYPE_INTEGER ||
++ splc->package.elements[0].integer.value != 0) {
++ IWL_DEBUG_INFO(trans,
++ "Unsupported structure returned by the SPLC
method. Ignoring.\n");
+ return 0;
+ }
+
+- limits = &splx->package.elements[1];
+- if (limits->type != ACPI_TYPE_PACKAGE ||
+- limits->package.count < 2 ||
+- limits->package.elements[0].type != ACPI_TYPE_INTEGER ||
+- limits->package.elements[1].type != ACPI_TYPE_INTEGER) {
+- IWL_ERR(trans, "Invalid limits element\n");
+- return 0;
++ /* loop through all the packages to find the one for WiFi */
++ for (i = 1; i < splc->package.count; i++) {
++ union acpi_object *domain;
++
++ data_pkg = &splc->package.elements[i];
++
++ /* Skip anything that is not a package with the right
++ * amount of elements (i.e. at least 2 integers).
++ */
++ if (data_pkg->type != ACPI_TYPE_PACKAGE ||
++ data_pkg->package.count < 2 ||
++ data_pkg->package.elements[0].type != ACPI_TYPE_INTEGER ||
++ data_pkg->package.elements[1].type != ACPI_TYPE_INTEGER)
++ continue;
++
++ domain = &data_pkg->package.elements[0];
++ if (domain->integer.value == ACPI_SPLC_DOMAIN_WIFI)
++ break;
++
++ data_pkg = NULL;
+ }
+
+- domain_type = &limits->package.elements[0];
+- power_limit = &limits->package.elements[1];
+- if (!(domain_type->integer.value & SPL_DOMAINTYPE_WIFI)) {
+- IWL_DEBUG_INFO(trans, "WiFi power is not limited\n");
++ if (!data_pkg) {
++ IWL_DEBUG_INFO(trans,
++ "No element for the WiFi domain returned by the
SPLC method.\n");
+ return 0;
+ }
+
+- return power_limit->integer.value;
++ dflt_pwr_limit = &data_pkg->package.elements[1];
++ return dflt_pwr_limit->integer.value;
+ }
+
+ static void set_dflt_pwr_limit(struct iwl_trans *trans, struct pci_dev *pdev)
+ {
+ acpi_handle pxsx_handle;
+ acpi_handle handle;
+- struct acpi_buffer splx = {ACPI_ALLOCATE_BUFFER, NULL};
++ struct acpi_buffer splc = {ACPI_ALLOCATE_BUFFER, NULL};
+ acpi_status status;
+
+ pxsx_handle = ACPI_HANDLE(&pdev->dev);
+@@ -578,23 +594,24 @@ static void set_dflt_pwr_limit(struct iwl_trans *trans,
struct pci_dev *pdev)
+ }
+
+ /* Get the method's handle */
+- status = acpi_get_handle(pxsx_handle, (acpi_string)SPL_METHOD, &handle);
++ status = acpi_get_handle(pxsx_handle, (acpi_string)ACPI_SPLC_METHOD,
++ &handle);
+ if (ACPI_FAILURE(status)) {
+- IWL_DEBUG_INFO(trans, "SPL method not found\n");
++ IWL_DEBUG_INFO(trans, "SPLC method not found\n");
+ return;
+ }
+
+ /* Call SPLC with no arguments */
+- status = acpi_evaluate_object(handle, NULL, NULL, &splx);
++ status = acpi_evaluate_object(handle, NULL, NULL, &splc);
+ if (ACPI_FAILURE(status)) {
+ IWL_ERR(trans, "SPLC invocation failed (0x%x)\n", status);
+ return;
+ }
+
+- trans->dflt_pwr_limit = splx_get_pwr_limit(trans, splx.pointer);
++ trans->dflt_pwr_limit = splc_get_pwr_limit(trans, splc.pointer);
+ IWL_DEBUG_INFO(trans, "Default power limit set to %lld\n",
+ trans->dflt_pwr_limit);
+- kfree(splx.pointer);
++ kfree(splc.pointer);
+ }
+
+ #else /* CONFIG_ACPI */
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
+index 18650dc..478bba5 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
+@@ -522,6 +522,7 @@ static int iwl_pcie_txq_alloc(struct iwl_trans *trans,
+ static int iwl_pcie_txq_init(struct iwl_trans *trans, struct iwl_txq *txq,
+ int slots_num, u32 txq_id)
+ {
++ struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
+ int ret;
+
+ txq->need_update = false;
+@@ -536,6 +537,13 @@ static int iwl_pcie_txq_init(struct iwl_trans *trans,
struct iwl_txq *txq,
+ return ret;
+
+ spin_lock_init(&txq->lock);
++
++ if (txq_id == trans_pcie->cmd_queue) {
++ static struct lock_class_key iwl_pcie_cmd_queue_lock_class;
++
++ lockdep_set_class(&txq->lock, &iwl_pcie_cmd_queue_lock_class);
++ }
++
+ __skb_queue_head_init(&txq->overflow_q);
+
+ /*
+diff --git a/drivers/rtc/rtc-omap.c b/drivers/rtc/rtc-omap.c
+index ec2e9c5..22394fe 100644
+--- a/drivers/rtc/rtc-omap.c
++++ b/drivers/rtc/rtc-omap.c
+@@ -109,6 +109,7 @@
+ /* OMAP_RTC_OSC_REG bit fields: */
+ #define OMAP_RTC_OSC_32KCLK_EN BIT(6)
+ #define OMAP_RTC_OSC_SEL_32KCLK_SRC BIT(3)
++#define OMAP_RTC_OSC_OSC32K_GZ_DISABLE BIT(4)
+
+ /* OMAP_RTC_IRQWAKEEN bit fields: */
+ #define OMAP_RTC_IRQWAKEEN_ALARM_WAKEEN BIT(1)
+@@ -646,8 +647,9 @@ static int omap_rtc_probe(struct platform_device *pdev)
+ */
+ if (rtc->has_ext_clk) {
+ reg = rtc_read(rtc, OMAP_RTC_OSC_REG);
+- rtc_write(rtc, OMAP_RTC_OSC_REG,
+- reg | OMAP_RTC_OSC_SEL_32KCLK_SRC);
++ reg &= ~OMAP_RTC_OSC_OSC32K_GZ_DISABLE;
++ reg |= OMAP_RTC_OSC_32KCLK_EN | OMAP_RTC_OSC_SEL_32KCLK_SRC;
++ rtc_writel(rtc, OMAP_RTC_OSC_REG, reg);
+ }
+
+ rtc->type->lock(rtc);
+diff --git a/drivers/uwb/lc-rc.c b/drivers/uwb/lc-rc.c
+index d059ad4..97ee1b4 100644
+--- a/drivers/uwb/lc-rc.c
++++ b/drivers/uwb/lc-rc.c
+@@ -56,8 +56,11 @@ static struct uwb_rc *uwb_rc_find_by_index(int index)
+ struct uwb_rc *rc = NULL;
+
+ dev = class_find_device(&uwb_rc_class, NULL, &index,
uwb_rc_index_match);
+- if (dev)
++ if (dev) {
+ rc = dev_get_drvdata(dev);
++ put_device(dev);
++ }
++
+ return rc;
+ }
+
+@@ -467,7 +470,9 @@ struct uwb_rc *__uwb_rc_try_get(struct uwb_rc *target_rc)
+ if (dev) {
+ rc = dev_get_drvdata(dev);
+ __uwb_rc_get(rc);
++ put_device(dev);
+ }
++
+ return rc;
+ }
+ EXPORT_SYMBOL_GPL(__uwb_rc_try_get);
+@@ -520,8 +525,11 @@ struct uwb_rc *uwb_rc_get_by_grandpa(const struct device
*grandpa_dev)
+
+ dev = class_find_device(&uwb_rc_class, NULL, grandpa_dev,
+ find_rc_grandpa);
+- if (dev)
++ if (dev) {
+ rc = dev_get_drvdata(dev);
++ put_device(dev);
++ }
++
+ return rc;
+ }
+ EXPORT_SYMBOL_GPL(uwb_rc_get_by_grandpa);
+@@ -553,8 +561,10 @@ struct uwb_rc *uwb_rc_get_by_dev(const struct
uwb_dev_addr *addr)
+ struct uwb_rc *rc = NULL;
+
+ dev = class_find_device(&uwb_rc_class, NULL, addr, find_rc_dev);
+- if (dev)
++ if (dev) {
+ rc = dev_get_drvdata(dev);
++ put_device(dev);
++ }
+
+ return rc;
+ }
+diff --git a/drivers/uwb/pal.c b/drivers/uwb/pal.c
+index c1304b8..678e937 100644
+--- a/drivers/uwb/pal.c
++++ b/drivers/uwb/pal.c
+@@ -97,6 +97,8 @@ static bool uwb_rc_class_device_exists(struct uwb_rc
*target_rc)
+
+ dev = class_find_device(&uwb_rc_class, NULL, target_rc, find_rc);
+
++ put_device(dev);
++
+ return (dev != NULL);
+ }
+
+diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
+index ea31931..7bd21aa 100644
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -235,6 +235,7 @@ struct ext4_io_submit {
+ #define EXT4_MAX_BLOCK_SIZE 65536
+ #define EXT4_MIN_BLOCK_LOG_SIZE 10
+ #define EXT4_MAX_BLOCK_LOG_SIZE 16
++#define EXT4_MAX_CLUSTER_LOG_SIZE 30
+ #ifdef __KERNEL__
+ # define EXT4_BLOCK_SIZE(s) ((s)->s_blocksize)
+ #else
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index 3ec8708..ec89f50 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3518,7 +3518,15 @@ static int ext4_fill_super(struct super_block *sb, void
*data, int silent)
+ if (blocksize < EXT4_MIN_BLOCK_SIZE ||
+ blocksize > EXT4_MAX_BLOCK_SIZE) {
+ ext4_msg(sb, KERN_ERR,
+- "Unsupported filesystem blocksize %d", blocksize);
++ "Unsupported filesystem blocksize %d (%d
log_block_size)",
++ blocksize, le32_to_cpu(es->s_log_block_size));
++ goto failed_mount;
++ }
++ if (le32_to_cpu(es->s_log_block_size) >
++ (EXT4_MAX_BLOCK_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) {
++ ext4_msg(sb, KERN_ERR,
++ "Invalid log block size: %u",
++ le32_to_cpu(es->s_log_block_size));
+ goto failed_mount;
+ }
+
+@@ -3650,6 +3658,13 @@ static int ext4_fill_super(struct super_block *sb, void
*data, int silent)
+ "block size (%d)", clustersize, blocksize);
+ goto failed_mount;
+ }
++ if (le32_to_cpu(es->s_log_cluster_size) >
++ (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) {
++ ext4_msg(sb, KERN_ERR,
++ "Invalid log cluster size: %u",
++ le32_to_cpu(es->s_log_cluster_size));
++ goto failed_mount;
++ }
+ sbi->s_cluster_bits = le32_to_cpu(es->s_log_cluster_size) -
+ le32_to_cpu(es->s_log_block_size);
+ sbi->s_clusters_per_group =
+diff --git a/fs/fuse/file.c b/fs/fuse/file.c
+index 3988b43..a621dd9 100644
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1985,6 +1985,10 @@ static int fuse_write_end(struct file *file, struct
address_space *mapping,
+ {
+ struct inode *inode = page->mapping->host;
+
++ /* Haven't copied anything? Skip zeroing, size extending, dirtying. */
++ if (!copied)
++ goto unlock;
++
+ if (!PageUptodate(page)) {
+ /* Zero any unwritten bytes at the end of the page */
+ size_t endoff = (pos + copied) & ~PAGE_MASK;
+@@ -1995,6 +1999,8 @@ static int fuse_write_end(struct file *file, struct
address_space *mapping,
+
+ fuse_write_update_size(inode, pos + copied);
+ set_page_dirty(page);
++
++unlock:
+ unlock_page(page);
+ put_page(page);
+
+diff --git a/include/linux/sunrpc/svc_xprt.h b/include/linux/sunrpc/svc_xprt.h
+index ab02a45..e5d1934 100644
+--- a/include/linux/sunrpc/svc_xprt.h
++++ b/include/linux/sunrpc/svc_xprt.h
+@@ -25,6 +25,7 @@ struct svc_xprt_ops {
+ void (*xpo_detach)(struct svc_xprt *);
+ void (*xpo_free)(struct svc_xprt *);
+ int (*xpo_secure_port)(struct svc_rqst *);
++ void (*xpo_kill_temp_xprt)(struct svc_xprt *);
+ };
+
+ struct svc_xprt_class {
+diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c
+index 9530fcd..9d592c6 100644
+--- a/kernel/irq/manage.c
++++ b/kernel/irq/manage.c
+@@ -1341,12 +1341,12 @@ __setup_irq(unsigned int irq, struct irq_desc *desc,
struct irqaction *new)
+
+ } else if (new->flags & IRQF_TRIGGER_MASK) {
+ unsigned int nmsk = new->flags & IRQF_TRIGGER_MASK;
+- unsigned int omsk = irq_settings_get_trigger_mask(desc);
++ unsigned int omsk = irqd_get_trigger_type(&desc->irq_data);
+
+ if (nmsk != omsk)
+ /* hope the handler works with current trigger mode */
+ pr_warn("irq %d uses trigger mode %u; requested %u\n",
+- irq, nmsk, omsk);
++ irq, omsk, nmsk);
+ }
+
+ *old_ptr = new;
+diff --git a/kernel/power/suspend_test.c b/kernel/power/suspend_test.c
+index 084452e..bdff5ed 100644
+--- a/kernel/power/suspend_test.c
++++ b/kernel/power/suspend_test.c
+@@ -203,8 +203,10 @@ static int __init test_suspend(void)
+
+ /* RTCs have initialized by now too ... can we use one? */
+ dev = class_find_device(rtc_class, NULL, NULL, has_wakealarm);
+- if (dev)
++ if (dev) {
+ rtc = rtc_class_open(dev_name(dev));
++ put_device(dev);
++ }
+ if (!rtc) {
+ printk(warn_no_rtc);
+ return 0;
+diff --git a/kernel/trace/Makefile b/kernel/trace/Makefile
+index d0a1617..979e7bf 100644
+--- a/kernel/trace/Makefile
++++ b/kernel/trace/Makefile
+@@ -1,8 +1,4 @@
+
+-# We are fully aware of the dangers of __builtin_return_address()
+-FRAME_CFLAGS := $(call cc-disable-warning,frame-address)
+-KBUILD_CFLAGS += $(FRAME_CFLAGS)
+-
+ # Do not instrument the tracer itself:
+
+ ifdef CONFIG_FUNCTION_TRACER
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index 84752c8..b1d7f1b 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -1856,6 +1856,10 @@ static int __ftrace_hash_update_ipmodify(struct
ftrace_ops *ops,
+
+ /* Update rec->flags */
+ do_for_each_ftrace_rec(pg, rec) {
++
++ if (rec->flags & FTRACE_FL_DISABLED)
++ continue;
++
+ /* We need to update only differences of filter_hash */
+ in_old = !!ftrace_lookup_ip(old_hash, rec->ip);
+ in_new = !!ftrace_lookup_ip(new_hash, rec->ip);
+@@ -1878,6 +1882,10 @@ static int __ftrace_hash_update_ipmodify(struct
ftrace_ops *ops,
+
+ /* Roll back what we did above */
+ do_for_each_ftrace_rec(pg, rec) {
++
++ if (rec->flags & FTRACE_FL_DISABLED)
++ continue;
++
+ if (rec == end)
+ goto err_out;
+
+@@ -2391,6 +2399,10 @@ void __weak ftrace_replace_code(int enable)
+ return;
+
+ do_for_each_ftrace_rec(pg, rec) {
++
++ if (rec->flags & FTRACE_FL_DISABLED)
++ continue;
++
+ failed = __ftrace_replace_code(rec, enable);
+ if (failed) {
+ ftrace_bug(failed, rec);
+@@ -2757,7 +2769,7 @@ static int ftrace_shutdown(struct ftrace_ops *ops, int
command)
+ struct dyn_ftrace *rec;
+
+ do_for_each_ftrace_rec(pg, rec) {
+- if (FTRACE_WARN_ON_ONCE(rec->flags))
++ if (FTRACE_WARN_ON_ONCE(rec->flags &
~FTRACE_FL_DISABLED))
+ pr_warn(" %pS flags:%lx\n",
+ (void *)rec->ip, rec->flags);
+ } while_for_each_ftrace_rec();
+@@ -3592,6 +3604,10 @@ match_records(struct ftrace_hash *hash, char *func, int
len, char *mod)
+ goto out_unlock;
+
+ do_for_each_ftrace_rec(pg, rec) {
++
++ if (rec->flags & FTRACE_FL_DISABLED)
++ continue;
++
+ if (ftrace_match_record(rec, &func_g, mod_match, exclude_mod)) {
+ ret = enter_record(hash, rec, clear_filter);
+ if (ret < 0) {
+@@ -3787,6 +3803,9 @@ register_ftrace_function_probe(char *glob, struct
ftrace_probe_ops *ops,
+
+ do_for_each_ftrace_rec(pg, rec) {
+
++ if (rec->flags & FTRACE_FL_DISABLED)
++ continue;
++
+ if (!ftrace_match_record(rec, &func_g, NULL, 0))
+ continue;
+
+@@ -4679,6 +4698,9 @@ ftrace_set_func(unsigned long *array, int *idx, int
size, char *buffer)
+
+ do_for_each_ftrace_rec(pg, rec) {
+
++ if (rec->flags & FTRACE_FL_DISABLED)
++ continue;
++
+ if (ftrace_match_record(rec, &func_g, NULL, 0)) {
+ /* if it is in the array */
+ exists = false;
+diff --git a/mm/Makefile b/mm/Makefile
+index 2ca1faf..295bd7a 100644
+--- a/mm/Makefile
++++ b/mm/Makefile
+@@ -21,9 +21,6 @@ KCOV_INSTRUMENT_memcontrol.o := n
+ KCOV_INSTRUMENT_mmzone.o := n
+ KCOV_INSTRUMENT_vmstat.o := n
+
+-# Since __builtin_frame_address does work as used, disable the warning.
+-CFLAGS_usercopy.o += $(call cc-disable-warning, frame-address)
+-
+ mmu-y := nommu.o
+ mmu-$(CONFIG_MMU) := gup.o highmem.o memory.o mincore.o \
+ mlock.o mmap.o mprotect.o mremap.o msync.o rmap.o \
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 8e999ff..8af9d25 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -1549,24 +1549,31 @@ static int bcm_connect(struct socket *sock, struct
sockaddr *uaddr, int len,
+ struct sockaddr_can *addr = (struct sockaddr_can *)uaddr;
+ struct sock *sk = sock->sk;
+ struct bcm_sock *bo = bcm_sk(sk);
++ int ret = 0;
+
+ if (len < sizeof(*addr))
+ return -EINVAL;
+
+- if (bo->bound)
+- return -EISCONN;
++ lock_sock(sk);
++
++ if (bo->bound) {
++ ret = -EISCONN;
++ goto fail;
++ }
+
+ /* bind a device to this socket */
+ if (addr->can_ifindex) {
+ struct net_device *dev;
+
+ dev = dev_get_by_index(&init_net, addr->can_ifindex);
+- if (!dev)
+- return -ENODEV;
+-
++ if (!dev) {
++ ret = -ENODEV;
++ goto fail;
++ }
+ if (dev->type != ARPHRD_CAN) {
+ dev_put(dev);
+- return -ENODEV;
++ ret = -ENODEV;
++ goto fail;
+ }
+
+ bo->ifindex = dev->ifindex;
+@@ -1577,17 +1584,24 @@ static int bcm_connect(struct socket *sock, struct
sockaddr *uaddr, int len,
+ bo->ifindex = 0;
+ }
+
+- bo->bound = 1;
+-
+ if (proc_dir) {
+ /* unique socket address as filename */
+ sprintf(bo->procname, "%lu", sock_i_ino(sk));
+ bo->bcm_proc_read = proc_create_data(bo->procname, 0644,
+ proc_dir,
+ &bcm_proc_fops, sk);
++ if (!bo->bcm_proc_read) {
++ ret = -ENOMEM;
++ goto fail;
++ }
+ }
+
+- return 0;
++ bo->bound = 1;
++
++fail:
++ release_sock(sk);
++
++ return ret;
+ }
+
+ static int bcm_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
+diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
+index 0af2669..584ac76 100644
+--- a/net/netfilter/nft_dynset.c
++++ b/net/netfilter/nft_dynset.c
+@@ -143,7 +143,8 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
+ if (tb[NFTA_DYNSET_TIMEOUT] != NULL) {
+ if (!(set->flags & NFT_SET_TIMEOUT))
+ return -EINVAL;
+- timeout = be64_to_cpu(nla_get_be64(tb[NFTA_DYNSET_TIMEOUT]));
++ timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
++ tb[NFTA_DYNSET_TIMEOUT])));
+ }
+
+ priv->sreg_key = nft_parse_register(tb[NFTA_DYNSET_SREG_KEY]);
+@@ -230,7 +231,8 @@ static int nft_dynset_dump(struct sk_buff *skb, const
struct nft_expr *expr)
+ goto nla_put_failure;
+ if (nla_put_string(skb, NFTA_DYNSET_SET_NAME, priv->set->name))
+ goto nla_put_failure;
+- if (nla_put_be64(skb, NFTA_DYNSET_TIMEOUT, cpu_to_be64(priv->timeout),
++ if (nla_put_be64(skb, NFTA_DYNSET_TIMEOUT,
++ cpu_to_be64(jiffies_to_msecs(priv->timeout)),
+ NFTA_DYNSET_PAD))
+ goto nla_put_failure;
+ if (priv->expr && nft_expr_dump(skb, NFTA_DYNSET_EXPR, priv->expr))
+diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
+index c3f6523..3bc1d61 100644
+--- a/net/sunrpc/svc_xprt.c
++++ b/net/sunrpc/svc_xprt.c
+@@ -1002,14 +1002,8 @@ static void svc_age_temp_xprts(unsigned long closure)
+ void svc_age_temp_xprts_now(struct svc_serv *serv, struct sockaddr
*server_addr)
+ {
+ struct svc_xprt *xprt;
+- struct svc_sock *svsk;
+- struct socket *sock;
+ struct list_head *le, *next;
+ LIST_HEAD(to_be_closed);
+- struct linger no_linger = {
+- .l_onoff = 1,
+- .l_linger = 0,
+- };
+
+ spin_lock_bh(&serv->sv_lock);
+ list_for_each_safe(le, next, &serv->sv_tempsocks) {
+@@ -1027,10 +1021,7 @@ void svc_age_temp_xprts_now(struct svc_serv *serv,
struct sockaddr *server_addr)
+ list_del_init(le);
+ xprt = list_entry(le, struct svc_xprt, xpt_list);
+ dprintk("svc_age_temp_xprts_now: closing %p\n", xprt);
+- svsk = container_of(xprt, struct svc_sock, sk_xprt);
+- sock = svsk->sk_sock;
+- kernel_setsockopt(sock, SOL_SOCKET, SO_LINGER,
+- (char *)&no_linger, sizeof(no_linger));
++ xprt->xpt_ops->xpo_kill_temp_xprt(xprt);
+ svc_close_xprt(xprt);
+ }
+ }
+diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
+index 57625f6..a4bc982 100644
+--- a/net/sunrpc/svcsock.c
++++ b/net/sunrpc/svcsock.c
+@@ -438,6 +438,21 @@ static int svc_tcp_has_wspace(struct svc_xprt *xprt)
+ return !test_bit(SOCK_NOSPACE, &svsk->sk_sock->flags);
+ }
+
++static void svc_tcp_kill_temp_xprt(struct svc_xprt *xprt)
++{
++ struct svc_sock *svsk;
++ struct socket *sock;
++ struct linger no_linger = {
++ .l_onoff = 1,
++ .l_linger = 0,
++ };
++
++ svsk = container_of(xprt, struct svc_sock, sk_xprt);
++ sock = svsk->sk_sock;
++ kernel_setsockopt(sock, SOL_SOCKET, SO_LINGER,
++ (char *)&no_linger, sizeof(no_linger));
++}
++
+ /*
+ * See net/ipv6/ip_sockglue.c : ip_cmsg_recv_pktinfo
+ */
+@@ -648,6 +663,10 @@ static struct svc_xprt *svc_udp_accept(struct svc_xprt
*xprt)
+ return NULL;
+ }
+
++static void svc_udp_kill_temp_xprt(struct svc_xprt *xprt)
++{
++}
++
+ static struct svc_xprt *svc_udp_create(struct svc_serv *serv,
+ struct net *net,
+ struct sockaddr *sa, int salen,
+@@ -667,6 +686,7 @@ static struct svc_xprt_ops svc_udp_ops = {
+ .xpo_has_wspace = svc_udp_has_wspace,
+ .xpo_accept = svc_udp_accept,
+ .xpo_secure_port = svc_sock_secure_port,
++ .xpo_kill_temp_xprt = svc_udp_kill_temp_xprt,
+ };
+
+ static struct svc_xprt_class svc_udp_class = {
+@@ -1242,6 +1262,7 @@ static struct svc_xprt_ops svc_tcp_ops = {
+ .xpo_has_wspace = svc_tcp_has_wspace,
+ .xpo_accept = svc_tcp_accept,
+ .xpo_secure_port = svc_sock_secure_port,
++ .xpo_kill_temp_xprt = svc_tcp_kill_temp_xprt,
+ };
+
+ static struct svc_xprt_class svc_tcp_class = {
+diff --git a/net/sunrpc/xprtrdma/svc_rdma_transport.c
b/net/sunrpc/xprtrdma/svc_rdma_transport.c
+index 924271c..a55b809 100644
+--- a/net/sunrpc/xprtrdma/svc_rdma_transport.c
++++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c
+@@ -67,6 +67,7 @@ static void svc_rdma_detach(struct svc_xprt *xprt);
+ static void svc_rdma_free(struct svc_xprt *xprt);
+ static int svc_rdma_has_wspace(struct svc_xprt *xprt);
+ static int svc_rdma_secure_port(struct svc_rqst *);
++static void svc_rdma_kill_temp_xprt(struct svc_xprt *);
+
+ static struct svc_xprt_ops svc_rdma_ops = {
+ .xpo_create = svc_rdma_create,
+@@ -79,6 +80,7 @@ static struct svc_xprt_ops svc_rdma_ops = {
+ .xpo_has_wspace = svc_rdma_has_wspace,
+ .xpo_accept = svc_rdma_accept,
+ .xpo_secure_port = svc_rdma_secure_port,
++ .xpo_kill_temp_xprt = svc_rdma_kill_temp_xprt,
+ };
+
+ struct svc_xprt_class svc_rdma_class = {
+@@ -1285,6 +1287,10 @@ static int svc_rdma_secure_port(struct svc_rqst *rqstp)
+ return 1;
+ }
+
++static void svc_rdma_kill_temp_xprt(struct svc_xprt *xprt)
++{
++}
++
+ int svc_rdma_send(struct svcxprt_rdma *xprt, struct ib_send_wr *wr)
+ {
+ struct ib_send_wr *bad_wr, *n_wr;
+diff --git a/scripts/gcc-x86_64-has-stack-protector.sh
b/scripts/gcc-x86_64-has-stack-protector.sh
+index 973e8c1..17867e7 100755
+--- a/scripts/gcc-x86_64-has-stack-protector.sh
++++ b/scripts/gcc-x86_64-has-stack-protector.sh
+@@ -1,6 +1,6 @@
+ #!/bin/sh
+
+-echo "int foo(void) { char X[200]; return 3; }" | $* -S -x c -c -O0
-mcmodel=kernel -fstack-protector - -o - 2> /dev/null | grep -q "%gs"
++echo "int foo(void) { char X[200]; return 3; }" | $* -S -x c -c -O0
-mcmodel=kernel -fno-PIE -fstack-protector - -o - 2> /dev/null | grep -q "%gs"
+ if [ "$?" -eq "0" ] ; then
+ echo y
+ else
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 26e866f..1628180 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6905,8 +6905,6 @@ static const struct hda_fixup alc662_fixups[] = {
+ .v.pins = (const struct hda_pintbl[]) {
+ { 0x15, 0x40f000f0 }, /* disabled */
+ { 0x16, 0x40f000f0 }, /* disabled */
+- { 0x18, 0x01014011 }, /* LO */
+- { 0x1a, 0x01014012 }, /* LO */
+ { }
+ }
+ },
+diff --git a/sound/pci/hda/thinkpad_helper.c b/sound/pci/hda/thinkpad_helper.c
+index 6a23302..4d9d320 100644
+--- a/sound/pci/hda/thinkpad_helper.c
++++ b/sound/pci/hda/thinkpad_helper.c
+@@ -13,7 +13,8 @@ static void (*old_vmaster_hook)(void *, int);
+ static bool is_thinkpad(struct hda_codec *codec)
+ {
+ return (codec->core.subsystem_id >> 16 == 0x17aa) &&
+- (acpi_dev_found("LEN0068") || acpi_dev_found("IBM0068"));
++ (acpi_dev_found("LEN0068") || acpi_dev_found("LEN0268") ||
++ acpi_dev_found("IBM0068"));
+ }
+
+ static void update_tpacpi_mute_led(void *private_data, int enabled)
+diff --git a/sound/usb/card.c b/sound/usb/card.c
+index 9e5276d..2ddc034 100644
+--- a/sound/usb/card.c
++++ b/sound/usb/card.c
+@@ -315,7 +315,8 @@ static int snd_usb_audio_free(struct snd_usb_audio *chip)
+ snd_usb_endpoint_free(ep);
+
+ mutex_destroy(&chip->mutex);
+- dev_set_drvdata(&chip->dev->dev, NULL);
++ if (!atomic_read(&chip->shutdown))
++ dev_set_drvdata(&chip->dev->dev, NULL);
+ kfree(chip);
+ return 0;
+ }
+diff --git a/tools/perf/util/hist.c b/tools/perf/util/hist.c
+index de15dbc..7214913 100644
+--- a/tools/perf/util/hist.c
++++ b/tools/perf/util/hist.c
+@@ -1596,18 +1596,18 @@ static void hists__hierarchy_output_resort(struct
hists *hists,
+ if (prog)
+ ui_progress__update(prog, 1);
+
++ hists->nr_entries++;
++ if (!he->filtered) {
++ hists->nr_non_filtered_entries++;
++ hists__calc_col_len(hists, he);
++ }
++
+ if (!he->leaf) {
+ hists__hierarchy_output_resort(hists, prog,
+ &he->hroot_in,
+ &he->hroot_out,
+ min_callchain_hits,
+ use_callchain);
+- hists->nr_entries++;
+- if (!he->filtered) {
+- hists->nr_non_filtered_entries++;
+- hists__calc_col_len(hists, he);
+- }
+-
+ continue;
+ }
+
+diff --git a/virt/kvm/arm/pmu.c b/virt/kvm/arm/pmu.c
+index 6e9c40e..69ccce3 100644
+--- a/virt/kvm/arm/pmu.c
++++ b/virt/kvm/arm/pmu.c
+@@ -305,7 +305,7 @@ void kvm_pmu_software_increment(struct kvm_vcpu *vcpu, u64
val)
+ continue;
+ type = vcpu_sys_reg(vcpu, PMEVTYPER0_EL0 + i)
+ & ARMV8_PMU_EVTYPE_EVENT;
+- if ((type == ARMV8_PMU_EVTYPE_EVENT_SW_INCR)
++ if ((type == ARMV8_PMUV3_PERFCTR_SW_INCR)
+ && (enable & BIT(i))) {
+ reg = vcpu_sys_reg(vcpu, PMEVCNTR0_EL0 + i) + 1;
+ reg = lower_32_bits(reg);
+@@ -379,7 +379,8 @@ void kvm_pmu_set_counter_event_type(struct kvm_vcpu *vcpu,
u64 data,
+ eventsel = data & ARMV8_PMU_EVTYPE_EVENT;
+
+ /* Software increment event does't need to be backed by a perf event */
+- if (eventsel == ARMV8_PMU_EVTYPE_EVENT_SW_INCR)
++ if (eventsel == ARMV8_PMUV3_PERFCTR_SW_INCR &&
++ select_idx != ARMV8_PMU_CYCLE_IDX)
+ return;
+
+ memset(&attr, 0, sizeof(struct perf_event_attr));
+@@ -391,7 +392,8 @@ void kvm_pmu_set_counter_event_type(struct kvm_vcpu *vcpu,
u64 data,
+ attr.exclude_kernel = data & ARMV8_PMU_EXCLUDE_EL1 ? 1 : 0;
+ attr.exclude_hv = 1; /* Don't count EL2 events */
+ attr.exclude_host = 1; /* Don't count host events */
+- attr.config = eventsel;
++ attr.config = (select_idx == ARMV8_PMU_CYCLE_IDX) ?
++ ARMV8_PMUV3_PERFCTR_CPU_CYCLES : eventsel;
+
+ counter = kvm_pmu_get_counter_value(vcpu, select_idx);
+ /* The initial sample period (overflow count) of an event. */
diff --git a/4.8.10/4420_grsecurity-3.1-4.8.10-201611232213.patch
b/4.8.11/4420_grsecurity-3.1-4.8.11-201611271225.patch
similarity index 99%
rename from 4.8.10/4420_grsecurity-3.1-4.8.10-201611232213.patch
rename to 4.8.11/4420_grsecurity-3.1-4.8.11-201611271225.patch
index 0149d93..ec53570 100644
--- a/4.8.10/4420_grsecurity-3.1-4.8.10-201611232213.patch
+++ b/4.8.11/4420_grsecurity-3.1-4.8.11-201611271225.patch
@@ -407,7 +407,7 @@ index ffab8b5..b8fcd61 100644
A toggle value indicating if modules are allowed to be loaded
diff --git a/Makefile b/Makefile
-index 7cf2b49..3e3071c 100644
+index 2b1bcba..e6f635b 100644
--- a/Makefile
+++ b/Makefile
@@ -302,7 +302,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo
$$BASH; \
@@ -421,16 +421,7 @@ index 7cf2b49..3e3071c 100644
ifeq ($(shell $(HOSTCC) -v 2>&1 | grep -c "clang version"), 1)
HOSTCFLAGS += -Wno-unused-value -Wno-unused-parameter \
-@@ -621,6 +623,8 @@ include arch/$(SRCARCH)/Makefile
-
- KBUILD_CFLAGS += $(call cc-option,-fno-delete-null-pointer-checks,)
- KBUILD_CFLAGS += $(call cc-disable-warning,maybe-uninitialized,)
-+KBUILD_CFLAGS += $(call cc-option,-fno-PIE)
-+KBUILD_AFLAGS += $(call cc-option,-fno-PIE)
-
- ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE
- KBUILD_CFLAGS += -Os
-@@ -715,7 +719,7 @@ KBUILD_CFLAGS += $(call cc-option, -gsplit-dwarf, -g)
+@@ -717,7 +719,7 @@ KBUILD_CFLAGS += $(call cc-option, -gsplit-dwarf, -g)
else
KBUILD_CFLAGS += -g
endif
@@ -439,7 +430,7 @@ index 7cf2b49..3e3071c 100644
endif
ifdef CONFIG_DEBUG_INFO_DWARF4
KBUILD_CFLAGS += $(call cc-option, -gdwarf-4,)
-@@ -890,7 +894,7 @@ export mod_sign_cmd
+@@ -892,7 +894,7 @@ export mod_sign_cmd
ifeq ($(KBUILD_EXTMOD),)
@@ -448,7 +439,7 @@ index 7cf2b49..3e3071c 100644
vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
$(core-y) $(core-m) $(drivers-y) $(drivers-m) \
-@@ -1256,7 +1260,10 @@ MRPROPER_FILES += .config .config.old .version
.old_version \
+@@ -1258,7 +1260,10 @@ MRPROPER_FILES += .config .config.old .version
.old_version \
Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \
signing_key.pem signing_key.priv signing_key.x509 \
x509.genkey extra_certificates signing_key.x509.keyid \
@@ -460,7 +451,7 @@ index 7cf2b49..3e3071c 100644
# clean - Delete most, but leave enough to build external modules
#
-@@ -1295,7 +1302,7 @@ distclean: mrproper
+@@ -1297,7 +1302,7 @@ distclean: mrproper
@find $(srctree) $(RCS_FIND_IGNORE) \
\( -name '*.orig' -o -name '*.rej' -o -name '*~' \
-o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
@@ -22648,7 +22639,7 @@ index 904f528..b4d0d24 100644
#ifdef CONFIG_FLATMEM
diff --git a/arch/x86/include/asm/page_64.h b/arch/x86/include/asm/page_64.h
-index b3bebf9..cb419e7 100644
+index b3bebf9..2c3570f 100644
--- a/arch/x86/include/asm/page_64.h
+++ b/arch/x86/include/asm/page_64.h
@@ -7,9 +7,9 @@
@@ -22659,7 +22650,7 @@ index b3bebf9..cb419e7 100644
+extern const unsigned long phys_base;
-static inline unsigned long __phys_addr_nodebug(unsigned long x)
-+static inline unsigned long __intentional_overflow(-1)
__phys_addr_nodebug(unsigned long x)
++static __always_inline unsigned long __intentional_overflow(-1)
__phys_addr_nodebug(unsigned long x)
{
unsigned long y = x - __START_KERNEL_map;
@@ -26546,10 +26537,10 @@ index 4a8697f..8a13428 100644
obj-y += common.o
obj-y += rdrand.o
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
-index b81fe2d..fa46eca 100644
+index 1e81a37..7a498d6 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
-@@ -792,7 +792,7 @@ static void init_amd(struct cpuinfo_x86 *c)
+@@ -788,7 +788,7 @@ static void init_amd(struct cpuinfo_x86 *c)
static unsigned int amd_size_cache(struct cpuinfo_x86 *c, unsigned int size)
{
/* AMD errata T13 (order #21922) */
@@ -33161,10 +33152,10 @@ index 5cede40..f932797 100644
.disabled_by_bios = vmx_disabled_by_bios,
.hardware_setup = hardware_setup,
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 46f74d4..eca57f1 100644
+index 2fff657..84ea93a 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
-@@ -1948,8 +1948,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64
data)
+@@ -1957,8 +1957,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64
data)
{
struct kvm *kvm = vcpu->kvm;
int lm = is_long_mode(vcpu);
@@ -33175,7 +33166,7 @@ index 46f74d4..eca57f1 100644
u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64
: kvm->arch.xen_hvm_config.blob_size_32;
u32 page_num = data & ~PAGE_MASK;
-@@ -2657,6 +2657,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
+@@ -2666,6 +2666,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
if (n < msr_list.nmsrs)
goto out;
r = -EFAULT;
@@ -33184,7 +33175,7 @@ index 46f74d4..eca57f1 100644
if (copy_to_user(user_msr_list->indices, &msrs_to_save,
num_msrs_to_save * sizeof(u32)))
goto out;
-@@ -3073,7 +3075,7 @@ static int kvm_vcpu_ioctl_x86_set_debugregs(struct
kvm_vcpu *vcpu,
+@@ -3082,7 +3084,7 @@ static int kvm_vcpu_ioctl_x86_set_debugregs(struct
kvm_vcpu *vcpu,
static void fill_xsave(u8 *dest, struct kvm_vcpu *vcpu)
{
@@ -33193,7 +33184,7 @@ index 46f74d4..eca57f1 100644
u64 xstate_bv = xsave->header.xfeatures;
u64 valid;
-@@ -3109,7 +3111,7 @@ static void fill_xsave(u8 *dest, struct kvm_vcpu *vcpu)
+@@ -3118,7 +3120,7 @@ static void fill_xsave(u8 *dest, struct kvm_vcpu *vcpu)
static void load_xsave(struct kvm_vcpu *vcpu, u8 *src)
{
@@ -33202,7 +33193,7 @@ index 46f74d4..eca57f1 100644
u64 xstate_bv = *(u64 *)(src + XSAVE_HDR_OFFSET);
u64 valid;
-@@ -3153,7 +3155,7 @@ static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu
*vcpu,
+@@ -3162,7 +3164,7 @@ static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu
*vcpu,
fill_xsave((u8 *) guest_xsave->region, vcpu);
} else {
memcpy(guest_xsave->region,
@@ -33211,7 +33202,7 @@ index 46f74d4..eca57f1 100644
sizeof(struct fxregs_state));
*(u64 *)&guest_xsave->region[XSAVE_HDR_OFFSET / sizeof(u32)] =
XFEATURE_MASK_FPSSE;
-@@ -3178,7 +3180,7 @@ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu
*vcpu,
+@@ -3187,7 +3189,7 @@ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu
*vcpu,
} else {
if (xstate_bv & ~XFEATURE_MASK_FPSSE)
return -EINVAL;
@@ -33220,7 +33211,7 @@ index 46f74d4..eca57f1 100644
guest_xsave->region, sizeof(struct fxregs_state));
}
return 0;
-@@ -5739,7 +5741,7 @@ static unsigned long kvm_get_guest_ip(void)
+@@ -5751,7 +5753,7 @@ static unsigned long kvm_get_guest_ip(void)
unsigned long ip = 0;
if (__this_cpu_read(current_vcpu))
@@ -33229,7 +33220,7 @@ index 46f74d4..eca57f1 100644
return ip;
}
-@@ -6462,6 +6464,7 @@ void kvm_arch_mmu_notifier_invalidate_page(struct kvm
*kvm,
+@@ -6474,6 +6476,7 @@ void kvm_arch_mmu_notifier_invalidate_page(struct kvm
*kvm,
* exiting to the userspace. Otherwise, the value will be returned to the
* userspace.
*/
@@ -33237,7 +33228,7 @@ index 46f74d4..eca57f1 100644
static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
{
int r;
-@@ -6737,6 +6740,7 @@ out:
+@@ -6749,6 +6752,7 @@ out:
return r;
}
@@ -33245,7 +33236,7 @@ index 46f74d4..eca57f1 100644
static inline int vcpu_block(struct kvm *kvm, struct kvm_vcpu *vcpu)
{
if (!kvm_arch_vcpu_runnable(vcpu) &&
-@@ -7284,7 +7288,7 @@ int kvm_arch_vcpu_ioctl_translate(struct kvm_vcpu *vcpu,
+@@ -7296,7 +7300,7 @@ int kvm_arch_vcpu_ioctl_translate(struct kvm_vcpu *vcpu,
int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
{
struct fxregs_state *fxsave =
@@ -33254,7 +33245,7 @@ index 46f74d4..eca57f1 100644
memcpy(fpu->fpr, fxsave->st_space, 128);
fpu->fcw = fxsave->cwd;
-@@ -7301,7 +7305,7 @@ int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu,
struct kvm_fpu *fpu)
+@@ -7313,7 +7317,7 @@ int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu,
struct kvm_fpu *fpu)
int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
{
struct fxregs_state *fxsave =
@@ -33263,7 +33254,7 @@ index 46f74d4..eca57f1 100644
memcpy(fxsave->st_space, fpu->fpr, 128);
fxsave->cwd = fpu->fcw;
-@@ -7317,9 +7321,9 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu,
struct kvm_fpu *fpu)
+@@ -7329,9 +7333,9 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu,
struct kvm_fpu *fpu)
static void fx_init(struct kvm_vcpu *vcpu)
{
@@ -33275,7 +33266,7 @@ index 46f74d4..eca57f1 100644
host_xcr0 | XSTATE_COMPACTION_ENABLED;
/*
-@@ -7342,7 +7346,7 @@ void kvm_load_guest_fpu(struct kvm_vcpu *vcpu)
+@@ -7354,7 +7358,7 @@ void kvm_load_guest_fpu(struct kvm_vcpu *vcpu)
*/
vcpu->guest_fpu_loaded = 1;
__kernel_fpu_begin();
@@ -33284,7 +33275,7 @@ index 46f74d4..eca57f1 100644
trace_kvm_fpu(1);
}
-@@ -7642,6 +7646,8 @@ bool kvm_vcpu_is_bsp(struct kvm_vcpu *vcpu)
+@@ -7654,6 +7658,8 @@ bool kvm_vcpu_is_bsp(struct kvm_vcpu *vcpu)
struct static_key kvm_no_apic_vcpu __read_mostly;
EXPORT_SYMBOL_GPL(kvm_no_apic_vcpu);
@@ -33293,7 +33284,7 @@ index 46f74d4..eca57f1 100644
int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
{
struct page *page;
-@@ -7659,11 +7665,14 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
+@@ -7671,11 +7677,14 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
else
vcpu->arch.mp_state = KVM_MP_STATE_UNINITIALIZED;
@@ -33312,7 +33303,7 @@ index 46f74d4..eca57f1 100644
vcpu->arch.pio_data = page_address(page);
kvm_set_tsc_khz(vcpu, max_tsc_khz);
-@@ -7721,6 +7730,9 @@ fail_mmu_destroy:
+@@ -7733,6 +7742,9 @@ fail_mmu_destroy:
kvm_mmu_destroy(vcpu);
fail_free_pio_data:
free_page((unsigned long)vcpu->arch.pio_data);
@@ -33322,7 +33313,7 @@ index 46f74d4..eca57f1 100644
fail:
return r;
}
-@@ -7739,6 +7751,8 @@ void kvm_arch_vcpu_uninit(struct kvm_vcpu *vcpu)
+@@ -7751,6 +7763,8 @@ void kvm_arch_vcpu_uninit(struct kvm_vcpu *vcpu)
free_page((unsigned long)vcpu->arch.pio_data);
if (!lapic_in_kernel(vcpu))
static_key_slow_dec(&kvm_no_apic_vcpu);
@@ -40915,6 +40906,18 @@ index 0774799..a0012ea 100644
{
return jiffies_to_clock_t(q->sg_timeout);
}
+diff --git a/crypto/asymmetric_keys/x509_cert_parser.c
b/crypto/asymmetric_keys/x509_cert_parser.c
+index 865f46e..c80765b 100644
+--- a/crypto/asymmetric_keys/x509_cert_parser.c
++++ b/crypto/asymmetric_keys/x509_cert_parser.c
+@@ -133,7 +133,6 @@ struct x509_certificate *x509_cert_parse(const void *data,
size_t datalen)
+ return cert;
+
+ error_decode:
+- kfree(cert->pub->key);
+ kfree(ctx);
+ error_no_ctx:
+ x509_free_certificate(cert);
diff --git a/crypto/cast6_generic.c b/crypto/cast6_generic.c
index 058c8d7..55229dd 100644
--- a/crypto/cast6_generic.c
@@ -43536,7 +43539,7 @@ index ab62b81..8f38450 100644
}
diff --git a/drivers/block/drbd/drbd_int.h b/drivers/block/drbd/drbd_int.h
-index 4cb8f21..fc2c3e2 100644
+index 4cb8f21..d056229 100644
--- a/drivers/block/drbd/drbd_int.h
+++ b/drivers/block/drbd/drbd_int.h
@@ -383,7 +383,7 @@ struct drbd_epoch {
@@ -43579,6 +43582,15 @@ index 4cb8f21..fc2c3e2 100644
int rs_last_sect_ev; /* counter to compare with */
int rs_last_events; /* counter of read or write "events" (unit sectors)
* on the lower level device when we last looked.
*/
+@@ -1129,7 +1129,7 @@ extern int drbd_send_drequest_csum(struct
drbd_peer_device *, sector_t sector,
+ enum drbd_packet cmd);
+ extern int drbd_send_ov_request(struct drbd_peer_device *, sector_t sector,
int size);
+
+-extern int drbd_send_bitmap(struct drbd_device *device);
++extern int drbd_send_bitmap(struct drbd_device *device)
__intentional_overflow(-1);
+ extern void drbd_send_sr_reply(struct drbd_peer_device *, enum drbd_state_rv
retcode);
+ extern void conn_send_sr_reply(struct drbd_connection *connection, enum
drbd_state_rv retcode);
+ extern int drbd_send_rs_deallocated(struct drbd_peer_device *, struct
drbd_peer_request *);
diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c
index 8348272..f2ddf22 100644
--- a/drivers/block/drbd/drbd_main.c
@@ -46604,7 +46616,7 @@ index ac8deb0..f3caa10 100644
return -EINVAL;
}
diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
-index b2dee10..fc44efe 100644
+index 15704aa..623f140 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -1631,8 +1631,10 @@ static void gpiochip_irqchip_remove(struct gpio_chip
*gpiochip)
@@ -46634,10 +46646,10 @@ index b2dee10..fc44efe 100644
/*
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu.h
b/drivers/gpu/drm/amd/amdgpu/amdgpu.h
-index 700c56b..267fde4 100644
+index e443073..2ce0ad5 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h
-@@ -1796,7 +1796,7 @@ int amdgpu_debugfs_firmware_init(struct amdgpu_device
*adev);
+@@ -1797,7 +1797,7 @@ int amdgpu_debugfs_firmware_init(struct amdgpu_device
*adev);
* amdgpu smumgr functions
*/
struct amdgpu_smumgr_funcs {
@@ -51535,10 +51547,10 @@ index d2b8899..5b0e8f5 100644
struct iio_chan_spec const *chan,
ssize_t (*readfunc)(struct device *dev,
diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
-index c995255..7de0b49 100644
+index 71c7c4c..f91d896 100644
--- a/drivers/infiniband/core/cm.c
+++ b/drivers/infiniband/core/cm.c
-@@ -115,7 +115,7 @@ static char const counter_group_names[CM_COUNTER_GROUPS]
+@@ -117,7 +117,7 @@ static char const counter_group_names[CM_COUNTER_GROUPS]
struct cm_counter_group {
struct kobject obj;
@@ -51547,7 +51559,7 @@ index c995255..7de0b49 100644
};
struct cm_counter_attribute {
-@@ -1432,7 +1432,7 @@ static void cm_format_mra(struct cm_mra_msg *mra_msg,
+@@ -1495,7 +1495,7 @@ static void cm_format_mra(struct cm_mra_msg *mra_msg,
static void cm_format_rej(struct cm_rej_msg *rej_msg,
struct cm_id_private *cm_id_priv,
enum ib_cm_rej_reason reason,
@@ -51556,7 +51568,7 @@ index c995255..7de0b49 100644
u8 ari_length,
const void *private_data,
u8 private_data_len)
-@@ -1476,7 +1476,7 @@ static void cm_dup_req_handler(struct cm_work *work,
+@@ -1539,7 +1539,7 @@ static void cm_dup_req_handler(struct cm_work *work,
struct ib_mad_send_buf *msg = NULL;
int ret;
@@ -51565,7 +51577,7 @@ index c995255..7de0b49 100644
counter[CM_REQ_COUNTER]);
/* Quick state check to discard duplicate REQs. */
-@@ -1884,7 +1884,7 @@ static void cm_dup_rep_handler(struct cm_work *work)
+@@ -1949,7 +1949,7 @@ static void cm_dup_rep_handler(struct cm_work *work)
if (!cm_id_priv)
return;
@@ -51574,7 +51586,7 @@ index c995255..7de0b49 100644
counter[CM_REP_COUNTER]);
ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
if (ret)
-@@ -2051,7 +2051,7 @@ static int cm_rtu_handler(struct cm_work *work)
+@@ -2116,7 +2116,7 @@ static int cm_rtu_handler(struct cm_work *work)
if (cm_id_priv->id.state != IB_CM_REP_SENT &&
cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
spin_unlock_irq(&cm_id_priv->lock);
@@ -51583,7 +51595,7 @@ index c995255..7de0b49 100644
counter[CM_RTU_COUNTER]);
goto out;
}
-@@ -2234,7 +2234,7 @@ static int cm_dreq_handler(struct cm_work *work)
+@@ -2299,7 +2299,7 @@ static int cm_dreq_handler(struct cm_work *work)
cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
dreq_msg->local_comm_id);
if (!cm_id_priv) {
@@ -51592,7 +51604,7 @@ index c995255..7de0b49 100644
counter[CM_DREQ_COUNTER]);
cm_issue_drep(work->port, work->mad_recv_wc);
return -EINVAL;
-@@ -2259,7 +2259,7 @@ static int cm_dreq_handler(struct cm_work *work)
+@@ -2324,7 +2324,7 @@ static int cm_dreq_handler(struct cm_work *work)
case IB_CM_MRA_REP_RCVD:
break;
case IB_CM_TIMEWAIT:
@@ -51601,7 +51613,7 @@ index c995255..7de0b49 100644
counter[CM_DREQ_COUNTER]);
if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
goto unlock;
-@@ -2273,7 +2273,7 @@ static int cm_dreq_handler(struct cm_work *work)
+@@ -2338,7 +2338,7 @@ static int cm_dreq_handler(struct cm_work *work)
cm_free_msg(msg);
goto deref;
case IB_CM_DREQ_RCVD:
@@ -51610,7 +51622,7 @@ index c995255..7de0b49 100644
counter[CM_DREQ_COUNTER]);
goto unlock;
default:
-@@ -2336,12 +2336,13 @@ out:
+@@ -2401,12 +2401,13 @@ out:
}
int ib_send_cm_rej(struct ib_cm_id *cm_id,
@@ -51626,7 +51638,7 @@ index c995255..7de0b49 100644
struct cm_id_private *cm_id_priv;
struct ib_mad_send_buf *msg;
unsigned long flags;
-@@ -2640,7 +2641,7 @@ static int cm_mra_handler(struct cm_work *work)
+@@ -2705,7 +2706,7 @@ static int cm_mra_handler(struct cm_work *work)
ib_modify_mad(cm_id_priv->av.port->mad_agent,
cm_id_priv->msg, timeout)) {
if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
@@ -51635,7 +51647,7 @@ index c995255..7de0b49 100644
counter_group[CM_RECV_DUPLICATES].
counter[CM_MRA_COUNTER]);
goto out;
-@@ -2649,7 +2650,7 @@ static int cm_mra_handler(struct cm_work *work)
+@@ -2714,7 +2715,7 @@ static int cm_mra_handler(struct cm_work *work)
break;
case IB_CM_MRA_REQ_RCVD:
case IB_CM_MRA_REP_RCVD:
@@ -51644,7 +51656,7 @@ index c995255..7de0b49 100644
counter[CM_MRA_COUNTER]);
/* fall through */
default:
-@@ -2811,7 +2812,7 @@ static int cm_lap_handler(struct cm_work *work)
+@@ -2877,7 +2878,7 @@ static int cm_lap_handler(struct cm_work *work)
case IB_CM_LAP_IDLE:
break;
case IB_CM_MRA_LAP_SENT:
@@ -51653,7 +51665,7 @@ index c995255..7de0b49 100644
counter[CM_LAP_COUNTER]);
if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
goto unlock;
-@@ -2827,7 +2828,7 @@ static int cm_lap_handler(struct cm_work *work)
+@@ -2893,7 +2894,7 @@ static int cm_lap_handler(struct cm_work *work)
cm_free_msg(msg);
goto deref;
case IB_CM_LAP_RCVD:
@@ -51662,7 +51674,7 @@ index c995255..7de0b49 100644
counter[CM_LAP_COUNTER]);
goto unlock;
default:
-@@ -2859,7 +2860,7 @@ deref: cm_deref_id(cm_id_priv);
+@@ -2926,7 +2927,7 @@ deref: cm_deref_id(cm_id_priv);
static void cm_format_apr(struct cm_apr_msg *apr_msg,
struct cm_id_private *cm_id_priv,
enum ib_cm_apr_status status,
@@ -51671,7 +51683,7 @@ index c995255..7de0b49 100644
u8 info_length,
const void *private_data,
u8 private_data_len)
-@@ -2879,12 +2880,13 @@ static void cm_format_apr(struct cm_apr_msg *apr_msg,
+@@ -2946,12 +2947,13 @@ static void cm_format_apr(struct cm_apr_msg *apr_msg,
}
int ib_send_cm_apr(struct ib_cm_id *cm_id,
@@ -51687,7 +51699,7 @@ index c995255..7de0b49 100644
struct cm_id_private *cm_id_priv;
struct ib_mad_send_buf *msg;
unsigned long flags;
-@@ -3113,7 +3115,7 @@ static int cm_sidr_req_handler(struct cm_work *work)
+@@ -3180,7 +3182,7 @@ static int cm_sidr_req_handler(struct cm_work *work)
cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
if (cur_cm_id_priv) {
spin_unlock_irq(&cm.lock);
@@ -51696,7 +51708,7 @@ index c995255..7de0b49 100644
counter[CM_SIDR_REQ_COUNTER]);
goto out; /* Duplicate message. */
}
-@@ -3327,10 +3329,10 @@ static void cm_send_handler(struct ib_mad_agent
*mad_agent,
+@@ -3394,10 +3396,10 @@ static void cm_send_handler(struct ib_mad_agent
*mad_agent,
if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
msg->retries = 1;
@@ -51709,7 +51721,7 @@ index c995255..7de0b49 100644
&port->counter_group[CM_XMIT_RETRIES].
counter[attr_index]);
-@@ -3557,7 +3559,7 @@ static void cm_recv_handler(struct ib_mad_agent
*mad_agent,
+@@ -3633,7 +3635,7 @@ static void cm_recv_handler(struct ib_mad_agent
*mad_agent,
}
attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
@@ -51718,7 +51730,7 @@ index c995255..7de0b49 100644
counter[attr_id - CM_ATTR_ID_OFFSET]);
work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
-@@ -3764,7 +3766,7 @@ static ssize_t cm_show_counter(struct kobject *obj,
struct attribute *attr,
+@@ -3840,7 +3842,7 @@ static ssize_t cm_show_counter(struct kobject *obj,
struct attribute *attr,
cm_attr = container_of(attr, struct cm_counter_attribute, attr);
return sprintf(buf, "%ld\n",
@@ -52805,7 +52817,7 @@ index 6abe1c6..f866a31 100644
struct qib_devdata *dd = pci_get_drvdata(pdev);
pci_ers_result_t ret = PCI_ERS_RESULT_RECOVERED;
diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c
b/drivers/infiniband/sw/rxe/rxe_qp.c
-index 22ba24f..194cc2b 100644
+index f724a7e..18ffc45 100644
--- a/drivers/infiniband/sw/rxe/rxe_qp.c
+++ b/drivers/infiniband/sw/rxe/rxe_qp.c
@@ -219,7 +219,7 @@ static void rxe_qp_init_misc(struct rxe_dev *rxe, struct
rxe_qp *qp,
@@ -52817,7 +52829,7 @@ index 22ba24f..194cc2b 100644
atomic_set(&qp->skb_out, 0);
}
-@@ -525,7 +525,7 @@ static void rxe_qp_reset(struct rxe_qp *qp)
+@@ -526,7 +526,7 @@ static void rxe_qp_reset(struct rxe_qp *qp)
}
/* cleanup attributes */
@@ -66093,7 +66105,7 @@ index a2515887..6d13233 100644
/* we will have to manufacture ethernet headers, prepare template */
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
-index 1b5f531..3c16c42 100644
+index bf3fd34..43d918f 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -48,7 +48,7 @@ module_param(gso, bool, 0444);
@@ -68280,7 +68292,7 @@ index 6c2d6da..4660f39 100644
} else
aes_sc = data->rsc_tsc->all_tsc_rsc.aes.multicast_rsc;
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
-index 4fdc3da..4f63dd9 100644
+index ea67ae9..89be094 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
@@ -258,7 +258,7 @@ static void iwl_mvm_wowlan_program_keys(struct
ieee80211_hw *hw,
@@ -68301,7 +68313,7 @@ index 4fdc3da..4f63dd9 100644
aes_tx_sc->pn = cpu_to_le64(pn64);
} else {
aes_sc = data->rsc_tsc->all_tsc_rsc.aes.multicast_rsc;
-@@ -1610,12 +1610,12 @@ static void iwl_mvm_d3_update_keys(struct ieee80211_hw
*hw,
+@@ -1619,12 +1619,12 @@ static void iwl_mvm_d3_update_keys(struct ieee80211_hw
*hw,
case WLAN_CIPHER_SUITE_CCMP:
iwl_mvm_set_aes_rx_seq(data->mvm, sc->aes.unicast_rsc,
sta, key);
@@ -103477,10 +103489,10 @@ index e04ec86..953c3e6 100644
if (free_clusters >= (nclusters + dirty_clusters +
resv_clusters))
diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
-index ea31931..2e49089 100644
+index 7bd21aa..3288330 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
-@@ -1439,19 +1439,19 @@ struct ext4_sb_info {
+@@ -1440,19 +1440,19 @@ struct ext4_sb_info {
unsigned long s_mb_last_start;
/* stats for buddy allocator */
@@ -103683,7 +103695,7 @@ index cf68100..f96c5c0 100644
err = ext4_handle_dirty_metadata(handle, NULL, bh);
if (unlikely(err))
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
-index 3ec8708..f39299c 100644
+index ec89f50..01b055f 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -989,10 +989,12 @@ static void init_once(void *foo)
@@ -105581,7 +105593,7 @@ index a94d2ed..80c8060 100644
}
diff --git a/fs/fuse/file.c b/fs/fuse/file.c
-index 3988b43..c02080c 100644
+index a621dd9..1ac40c9 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -838,9 +838,9 @@ struct fuse_fill_data {
@@ -120331,10 +120343,10 @@ index fd6be45..6be6542 100644
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..821601d
+index 0000000..307ca55
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,1205 @@
+@@ -0,0 +1,1206 @@
+#
+# grecurity configuration
+#
@@ -120563,6 +120575,7 @@ index 0000000..821601d
+config GRKERNSEC_RANDSTRUCT
+ bool "Randomize layout of sensitive kernel structures"
+ default y if GRKERNSEC_CONFIG_AUTO
++ depends on GCC_PLUGINS
+ select GRKERNSEC_HIDESYM
+ select MODVERSIONS if MODULES
+ help
@@ -145065,7 +145078,7 @@ index 4ae3232..5adee02 100644
{
compat_uptr_t base = ptr_to_compat(entry);
diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c
-index 9530fcd..7f3a521 100644
+index 9d592c6..9f6bd5e 100644
--- a/kernel/irq/manage.c
+++ b/kernel/irq/manage.c
@@ -972,7 +972,7 @@ static int irq_thread(void *data)
@@ -149664,7 +149677,7 @@ index dbafc5d..819bd5d 100644
ret = -EIO;
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
-index 84752c8..64513c9 100644
+index b1d7f1b..22e2e5b 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -120,8 +120,9 @@ static void ftrace_ops_list_func(unsigned long ip,
unsigned long parent_ip,
@@ -149679,7 +149692,7 @@ index 84752c8..64513c9 100644
#endif
/*
-@@ -2480,13 +2481,18 @@ ftrace_code_disable(struct module *mod, struct
dyn_ftrace *rec)
+@@ -2492,13 +2493,18 @@ ftrace_code_disable(struct module *mod, struct
dyn_ftrace *rec)
if (unlikely(ftrace_disabled))
return 0;
@@ -149700,7 +149713,7 @@ index 84752c8..64513c9 100644
}
/*
-@@ -4850,8 +4856,10 @@ static int ftrace_process_locs(struct module *mod,
+@@ -4872,8 +4878,10 @@ static int ftrace_process_locs(struct module *mod,
if (!count)
return 0;
@@ -149711,7 +149724,7 @@ index 84752c8..64513c9 100644
start_pg = ftrace_allocate_pages(count);
if (!start_pg)
-@@ -5267,7 +5275,8 @@ static void ftrace_ops_list_func(unsigned long ip,
unsigned long parent_ip,
+@@ -5289,7 +5297,8 @@ static void ftrace_ops_list_func(unsigned long ip,
unsigned long parent_ip,
__ftrace_ops_list_func(ip, parent_ip, NULL, regs);
}
#else
@@ -149721,7 +149734,7 @@ index 84752c8..64513c9 100644
{
__ftrace_ops_list_func(ip, parent_ip, NULL, NULL);
}
-@@ -5690,8 +5699,12 @@ int ftrace_graph_entry_stub(struct ftrace_graph_ent
*trace)
+@@ -5712,8 +5721,12 @@ int ftrace_graph_entry_stub(struct ftrace_graph_ent
*trace)
}
/* The callbacks that hook a function */
@@ -149736,7 +149749,7 @@ index 84752c8..64513c9 100644
trace_func_graph_ent_t ftrace_graph_entry = ftrace_graph_entry_stub;
static trace_func_graph_ent_t __ftrace_graph_entry = ftrace_graph_entry_stub;
-@@ -5724,7 +5737,7 @@ static int alloc_retstack_tasklist(struct
ftrace_ret_stack **ret_stack_list)
+@@ -5746,7 +5759,7 @@ static int alloc_retstack_tasklist(struct
ftrace_ret_stack **ret_stack_list)
if (t->ret_stack == NULL) {
atomic_set(&t->tracing_graph_pause, 0);
@@ -149745,7 +149758,7 @@ index 84752c8..64513c9 100644
t->curr_ret_stack = -1;
/* Make sure the tasks see the -1 first: */
smp_wmb();
-@@ -5919,7 +5932,7 @@ void unregister_ftrace_graph(void)
+@@ -5941,7 +5954,7 @@ void unregister_ftrace_graph(void)
goto out;
ftrace_graph_active--;
@@ -149754,7 +149767,7 @@ index 84752c8..64513c9 100644
ftrace_graph_entry = ftrace_graph_entry_stub;
__ftrace_graph_entry = ftrace_graph_entry_stub;
ftrace_shutdown(&graph_ops, FTRACE_STOP_FUNC_RET);
-@@ -5947,7 +5960,7 @@ static void
+@@ -5969,7 +5982,7 @@ static void
graph_init_task(struct task_struct *t, struct ftrace_ret_stack *ret_stack)
{
atomic_set(&t->tracing_graph_pause, 0);
@@ -150267,10 +150280,10 @@ index 0bb9cf2..f319026 100644
key = event->type & (EVENT_HASHSIZE - 1);
diff --git a/kernel/trace/trace_printk.c b/kernel/trace/trace_printk.c
-index ad1d616..139606f 100644
+index ad1d616..da547c1 100644
--- a/kernel/trace/trace_printk.c
+++ b/kernel/trace/trace_printk.c
-@@ -167,6 +167,10 @@ static void format_mod_stop(void)
+@@ -167,13 +167,11 @@ static void format_mod_stop(void)
mutex_unlock(&btrace_mutex);
}
@@ -150279,9 +150292,16 @@ index ad1d616..139606f 100644
+};
+
#else /* !CONFIG_MODULES */
- __init static int
- module_trace_bprintk_format_notify(struct notifier_block *self,
-@@ -190,11 +194,6 @@ void trace_printk_control(bool enabled)
+-__init static int
+-module_trace_bprintk_format_notify(struct notifier_block *self,
+- unsigned long val, void *data)
+-{
+- return 0;
+-}
+ static inline const char **
+ find_next_mod_format(int start_index, void *v, const char **fmt, loff_t *pos)
+ {
+@@ -190,11 +188,6 @@ void trace_printk_control(bool enabled)
trace_printk_enabled = enabled;
}
@@ -150293,7 +150313,7 @@ index ad1d616..139606f 100644
int __trace_bprintk(unsigned long ip, const char *fmt, ...)
{
int ret;
-@@ -373,9 +372,11 @@ static __init int init_trace_printk_function_export(void)
+@@ -373,9 +366,11 @@ static __init int init_trace_printk_function_export(void)
fs_initcall(init_trace_printk_function_export);
@@ -151524,6 +151544,25 @@ index 5a92189..d77978d 100644
retval = 1;
}
spin_unlock(&lockref->lock);
+diff --git a/lib/mpi/mpi-pow.c b/lib/mpi/mpi-pow.c
+index 5464c87..e24388a 100644
+--- a/lib/mpi/mpi-pow.c
++++ b/lib/mpi/mpi-pow.c
+@@ -64,8 +64,13 @@ int mpi_powm(MPI res, MPI base, MPI exp, MPI mod)
+ if (!esize) {
+ /* Exponent is zero, result is 1 mod MOD, i.e., 1 or 0
+ * depending on if MOD equals 1. */
+- rp[0] = 1;
+ res->nlimbs = (msize == 1 && mod->d[0] == 1) ? 0 : 1;
++ if (res->nlimbs) {
++ if (mpi_resize(res, 1) < 0)
++ goto enomem;
++ rp = res->d;
++ rp[0] = 1;
++ }
+ res->sign = 0;
+ goto leave;
+ }
diff --git a/lib/nlattr.c b/lib/nlattr.c
index fce1e9a..d44559b 100644
--- a/lib/nlattr.c
@@ -157167,7 +157206,7 @@ index bf262e4..c5bc390 100644
if (S_ISREG(inode->i_mode))
diff --git a/mm/usercopy.c b/mm/usercopy.c
-index 3c8da0a..5c81035 100644
+index 3c8da0a..62823b9 100644
--- a/mm/usercopy.c
+++ b/mm/usercopy.c
@@ -16,15 +16,9 @@
@@ -157250,11 +157289,11 @@ index 3c8da0a..5c81035 100644
unsigned long n)
{
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
-+ unsigned long textlow = ktla_ktva((unsigned long)_stext);
++ unsigned long textlow = ktla_ktva((unsigned long)_stext);
+#ifdef CONFIG_MODULES
-+ unsigned long texthigh = (unsigned long)MODULES_EXEC_VADDR;
++ unsigned long texthigh = (unsigned long)MODULES_EXEC_VADDR;
+#else
-+ unsigned long texthigh = ktla_ktva((unsigned long)_etext);
++ unsigned long texthigh = ktla_ktva((unsigned long)_etext);
+#endif
+#else
unsigned long textlow = (unsigned long)_stext;
@@ -158857,10 +158896,10 @@ index 1108079..1871d16 100644
};
diff --git a/net/can/bcm.c b/net/can/bcm.c
-index 8e999ff..684a43e 100644
+index 8af9d25..44e9458 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
-@@ -1674,7 +1674,7 @@ static int __init bcm_module_init(void)
+@@ -1688,7 +1688,7 @@ static int __init bcm_module_init(void)
}
/* create /proc/net/can-bcm directory */
@@ -163504,6 +163543,292 @@ index 29c509c..c19322a 100644
if (!llc_proc_dir)
goto out;
+diff --git a/net/mac80211/aes_ccm.c b/net/mac80211/aes_ccm.c
+index 7663c28..a4e0d59 100644
+--- a/net/mac80211/aes_ccm.c
++++ b/net/mac80211/aes_ccm.c
+@@ -18,21 +18,24 @@
+ #include "key.h"
+ #include "aes_ccm.h"
+
+-void ieee80211_aes_ccm_encrypt(struct crypto_aead *tfm, u8 *b_0, u8 *aad,
+- u8 *data, size_t data_len, u8 *mic,
+- size_t mic_len)
++int ieee80211_aes_ccm_encrypt(struct crypto_aead *tfm, u8 *b_0, u8 *aad,
++ u8 *data, size_t data_len, u8 *mic,
++ size_t mic_len)
+ {
+ struct scatterlist sg[3];
++ struct aead_request *aead_req;
++ int reqsize = sizeof(*aead_req) + crypto_aead_reqsize(tfm);
++ u8 *__aad;
+
+- char aead_req_data[sizeof(struct aead_request) +
+- crypto_aead_reqsize(tfm)]
+- __aligned(__alignof__(struct aead_request));
+- struct aead_request *aead_req = (void *) aead_req_data;
++ aead_req = kzalloc(reqsize + CCM_AAD_LEN, GFP_ATOMIC);
++ if (!aead_req)
++ return -ENOMEM;
+
+- memset(aead_req, 0, sizeof(aead_req_data));
++ __aad = (u8 *)aead_req + reqsize;
++ memcpy(__aad, aad, CCM_AAD_LEN);
+
+ sg_init_table(sg, 3);
+- sg_set_buf(&sg[0], &aad[2], be16_to_cpup((__be16 *)aad));
++ sg_set_buf(&sg[0], &__aad[2], be16_to_cpup((__be16 *)__aad));
+ sg_set_buf(&sg[1], data, data_len);
+ sg_set_buf(&sg[2], mic, mic_len);
+
+@@ -41,6 +44,9 @@ void ieee80211_aes_ccm_encrypt(struct crypto_aead *tfm, u8
*b_0, u8 *aad,
+ aead_request_set_ad(aead_req, sg[0].length);
+
+ crypto_aead_encrypt(aead_req);
++ kzfree(aead_req);
++
++ return 0;
+ }
+
+ int ieee80211_aes_ccm_decrypt(struct crypto_aead *tfm, u8 *b_0, u8 *aad,
+@@ -48,18 +54,23 @@ int ieee80211_aes_ccm_decrypt(struct crypto_aead *tfm, u8
*b_0, u8 *aad,
+ size_t mic_len)
+ {
+ struct scatterlist sg[3];
+- char aead_req_data[sizeof(struct aead_request) +
+- crypto_aead_reqsize(tfm)]
+- __aligned(__alignof__(struct aead_request));
+- struct aead_request *aead_req = (void *) aead_req_data;
++ struct aead_request *aead_req;
++ int reqsize = sizeof(*aead_req) + crypto_aead_reqsize(tfm);
++ u8 *__aad;
++ int err;
+
+ if (data_len == 0)
+ return -EINVAL;
+
+- memset(aead_req, 0, sizeof(aead_req_data));
++ aead_req = kzalloc(reqsize + CCM_AAD_LEN, GFP_ATOMIC);
++ if (!aead_req)
++ return -ENOMEM;
++
++ __aad = (u8 *)aead_req + reqsize;
++ memcpy(__aad, aad, CCM_AAD_LEN);
+
+ sg_init_table(sg, 3);
+- sg_set_buf(&sg[0], &aad[2], be16_to_cpup((__be16 *)aad));
++ sg_set_buf(&sg[0], &__aad[2], be16_to_cpup((__be16 *)__aad));
+ sg_set_buf(&sg[1], data, data_len);
+ sg_set_buf(&sg[2], mic, mic_len);
+
+@@ -67,7 +78,10 @@ int ieee80211_aes_ccm_decrypt(struct crypto_aead *tfm, u8
*b_0, u8 *aad,
+ aead_request_set_crypt(aead_req, sg, sg, data_len + mic_len, b_0);
+ aead_request_set_ad(aead_req, sg[0].length);
+
+- return crypto_aead_decrypt(aead_req);
++ err = crypto_aead_decrypt(aead_req);
++ kzfree(aead_req);
++
++ return err;
+ }
+
+ struct crypto_aead *ieee80211_aes_key_setup_encrypt(const u8 key[],
+diff --git a/net/mac80211/aes_ccm.h b/net/mac80211/aes_ccm.h
+index 6a73d1e..fcd3254 100644
+--- a/net/mac80211/aes_ccm.h
++++ b/net/mac80211/aes_ccm.h
+@@ -12,12 +12,14 @@
+
+ #include <linux/crypto.h>
+
++#define CCM_AAD_LEN 32
++
+ struct crypto_aead *ieee80211_aes_key_setup_encrypt(const u8 key[],
+ size_t key_len,
+ size_t mic_len);
+-void ieee80211_aes_ccm_encrypt(struct crypto_aead *tfm, u8 *b_0, u8 *aad,
+- u8 *data, size_t data_len, u8 *mic,
+- size_t mic_len);
++int ieee80211_aes_ccm_encrypt(struct crypto_aead *tfm, u8 *b_0, u8 *aad,
++ u8 *data, size_t data_len, u8 *mic,
++ size_t mic_len);
+ int ieee80211_aes_ccm_decrypt(struct crypto_aead *tfm, u8 *b_0, u8 *aad,
+ u8 *data, size_t data_len, u8 *mic,
+ size_t mic_len);
+diff --git a/net/mac80211/aes_gcm.c b/net/mac80211/aes_gcm.c
+index 3afe361f..8a4397c 100644
+--- a/net/mac80211/aes_gcm.c
++++ b/net/mac80211/aes_gcm.c
+@@ -15,20 +15,23 @@
+ #include "key.h"
+ #include "aes_gcm.h"
+
+-void ieee80211_aes_gcm_encrypt(struct crypto_aead *tfm, u8 *j_0, u8 *aad,
+- u8 *data, size_t data_len, u8 *mic)
++int ieee80211_aes_gcm_encrypt(struct crypto_aead *tfm, u8 *j_0, u8 *aad,
++ u8 *data, size_t data_len, u8 *mic)
+ {
+ struct scatterlist sg[3];
++ struct aead_request *aead_req;
++ int reqsize = sizeof(*aead_req) + crypto_aead_reqsize(tfm);
++ u8 *__aad;
+
+- char aead_req_data[sizeof(struct aead_request) +
+- crypto_aead_reqsize(tfm)]
+- __aligned(__alignof__(struct aead_request));
+- struct aead_request *aead_req = (void *)aead_req_data;
++ aead_req = kzalloc(reqsize + GCM_AAD_LEN, GFP_ATOMIC);
++ if (!aead_req)
++ return -ENOMEM;
+
+- memset(aead_req, 0, sizeof(aead_req_data));
++ __aad = (u8 *)aead_req + reqsize;
++ memcpy(__aad, aad, GCM_AAD_LEN);
+
+ sg_init_table(sg, 3);
+- sg_set_buf(&sg[0], &aad[2], be16_to_cpup((__be16 *)aad));
++ sg_set_buf(&sg[0], &__aad[2], be16_to_cpup((__be16 *)__aad));
+ sg_set_buf(&sg[1], data, data_len);
+ sg_set_buf(&sg[2], mic, IEEE80211_GCMP_MIC_LEN);
+
+@@ -37,24 +40,31 @@ void ieee80211_aes_gcm_encrypt(struct crypto_aead *tfm, u8
*j_0, u8 *aad,
+ aead_request_set_ad(aead_req, sg[0].length);
+
+ crypto_aead_encrypt(aead_req);
++ kzfree(aead_req);
++ return 0;
+ }
+
+ int ieee80211_aes_gcm_decrypt(struct crypto_aead *tfm, u8 *j_0, u8 *aad,
+ u8 *data, size_t data_len, u8 *mic)
+ {
+ struct scatterlist sg[3];
+- char aead_req_data[sizeof(struct aead_request) +
+- crypto_aead_reqsize(tfm)]
+- __aligned(__alignof__(struct aead_request));
+- struct aead_request *aead_req = (void *)aead_req_data;
++ struct aead_request *aead_req;
++ int reqsize = sizeof(*aead_req) + crypto_aead_reqsize(tfm);
++ u8 *__aad;
++ int err;
+
+ if (data_len == 0)
+ return -EINVAL;
+
+- memset(aead_req, 0, sizeof(aead_req_data));
++ aead_req = kzalloc(reqsize + GCM_AAD_LEN, GFP_ATOMIC);
++ if (!aead_req)
++ return -ENOMEM;
++
++ __aad = (u8 *)aead_req + reqsize;
++ memcpy(__aad, aad, GCM_AAD_LEN);
+
+ sg_init_table(sg, 3);
+- sg_set_buf(&sg[0], &aad[2], be16_to_cpup((__be16 *)aad));
++ sg_set_buf(&sg[0], &__aad[2], be16_to_cpup((__be16 *)__aad));
+ sg_set_buf(&sg[1], data, data_len);
+ sg_set_buf(&sg[2], mic, IEEE80211_GCMP_MIC_LEN);
+
+@@ -63,7 +73,10 @@ int ieee80211_aes_gcm_decrypt(struct crypto_aead *tfm, u8
*j_0, u8 *aad,
+ data_len + IEEE80211_GCMP_MIC_LEN, j_0);
+ aead_request_set_ad(aead_req, sg[0].length);
+
+- return crypto_aead_decrypt(aead_req);
++ err = crypto_aead_decrypt(aead_req);
++ kzfree(aead_req);
++
++ return err;
+ }
+
+ struct crypto_aead *ieee80211_aes_gcm_key_setup_encrypt(const u8 key[],
+diff --git a/net/mac80211/aes_gcm.h b/net/mac80211/aes_gcm.h
+index 1347fda..55aed53 100644
+--- a/net/mac80211/aes_gcm.h
++++ b/net/mac80211/aes_gcm.h
+@@ -11,8 +11,10 @@
+
+ #include <linux/crypto.h>
+
+-void ieee80211_aes_gcm_encrypt(struct crypto_aead *tfm, u8 *j_0, u8 *aad,
+- u8 *data, size_t data_len, u8 *mic);
++#define GCM_AAD_LEN 32
++
++int ieee80211_aes_gcm_encrypt(struct crypto_aead *tfm, u8 *j_0, u8 *aad,
++ u8 *data, size_t data_len, u8 *mic);
+ int ieee80211_aes_gcm_decrypt(struct crypto_aead *tfm, u8 *j_0, u8 *aad,
+ u8 *data, size_t data_len, u8 *mic);
+ struct crypto_aead *ieee80211_aes_gcm_key_setup_encrypt(const u8 key[],
+diff --git a/net/mac80211/aes_gmac.c b/net/mac80211/aes_gmac.c
+index 3ddd927..bd72a86 100644
+--- a/net/mac80211/aes_gmac.c
++++ b/net/mac80211/aes_gmac.c
+@@ -17,28 +17,27 @@
+ #include "key.h"
+ #include "aes_gmac.h"
+
+-#define GMAC_MIC_LEN 16
+-#define GMAC_NONCE_LEN 12
+-#define AAD_LEN 20
+-
+ int ieee80211_aes_gmac(struct crypto_aead *tfm, const u8 *aad, u8 *nonce,
+ const u8 *data, size_t data_len, u8 *mic)
+ {
+ struct scatterlist sg[4];
+- char aead_req_data[sizeof(struct aead_request) +
+- crypto_aead_reqsize(tfm)]
+- __aligned(__alignof__(struct aead_request));
+- struct aead_request *aead_req = (void *)aead_req_data;
+- u8 zero[GMAC_MIC_LEN], iv[AES_BLOCK_SIZE];
++ u8 *zero, *__aad, iv[AES_BLOCK_SIZE];
++ struct aead_request *aead_req;
++ int reqsize = sizeof(*aead_req) + crypto_aead_reqsize(tfm);
+
+ if (data_len < GMAC_MIC_LEN)
+ return -EINVAL;
+
+- memset(aead_req, 0, sizeof(aead_req_data));
++ aead_req = kzalloc(reqsize + GMAC_MIC_LEN + GMAC_AAD_LEN, GFP_ATOMIC);
++ if (!aead_req)
++ return -ENOMEM;
++
++ zero = (u8 *)aead_req + reqsize;
++ __aad = zero + GMAC_MIC_LEN;
++ memcpy(__aad, aad, GMAC_AAD_LEN);
+
+- memset(zero, 0, GMAC_MIC_LEN);
+ sg_init_table(sg, 4);
+- sg_set_buf(&sg[0], aad, AAD_LEN);
++ sg_set_buf(&sg[0], __aad, GMAC_AAD_LEN);
+ sg_set_buf(&sg[1], data, data_len - GMAC_MIC_LEN);
+ sg_set_buf(&sg[2], zero, GMAC_MIC_LEN);
+ sg_set_buf(&sg[3], mic, GMAC_MIC_LEN);
+@@ -49,9 +48,10 @@ int ieee80211_aes_gmac(struct crypto_aead *tfm, const u8
*aad, u8 *nonce,
+
+ aead_request_set_tfm(aead_req, tfm);
+ aead_request_set_crypt(aead_req, sg, sg, 0, iv);
+- aead_request_set_ad(aead_req, AAD_LEN + data_len);
++ aead_request_set_ad(aead_req, GMAC_AAD_LEN + data_len);
+
+ crypto_aead_encrypt(aead_req);
++ kzfree(aead_req);
+
+ return 0;
+ }
+diff --git a/net/mac80211/aes_gmac.h b/net/mac80211/aes_gmac.h
+index d328204..32e6442 100644
+--- a/net/mac80211/aes_gmac.h
++++ b/net/mac80211/aes_gmac.h
+@@ -11,6 +11,10 @@
+
+ #include <linux/crypto.h>
+
++#define GMAC_AAD_LEN 20
++#define GMAC_MIC_LEN 16
++#define GMAC_NONCE_LEN 12
++
+ struct crypto_aead *ieee80211_aes_gmac_key_setup(const u8 key[],
+ size_t key_len);
+ int ieee80211_aes_gmac(struct crypto_aead *tfm, const u8 *aad, u8 *nonce,
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 543b1d4..bead45d 100644
--- a/net/mac80211/cfg.c
@@ -163822,7 +164147,7 @@ index 42bf0b6..8dcf0b2 100644
list_for_each_entry(sdata, &local->interfaces, list) {
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
-index b48c1e1..4c02b5b 100644
+index b48c1e1..36ee4c2 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -223,7 +223,7 @@ static int tkip_encrypt_skb(struct ieee80211_tx_data *tx,
struct sk_buff *skb)
@@ -163834,6 +164159,15 @@ index b48c1e1..4c02b5b 100644
pos = ieee80211_tkip_add_iv(pos, &key->conf, pn);
/* hwaccel - with software IV */
+@@ -405,7 +405,7 @@ static int ccmp_encrypt_skb(struct ieee80211_tx_data *tx,
struct sk_buff *skb,
+ u8 *pos;
+ u8 pn[6];
+ u64 pn64;
+- u8 aad[2 * AES_BLOCK_SIZE];
++ u8 aad[CCM_AAD_LEN];
+ u8 b_0[AES_BLOCK_SIZE];
+
+ if (info->control.hw_key &&
@@ -444,7 +444,7 @@ static int ccmp_encrypt_skb(struct ieee80211_tx_data *tx,
struct sk_buff *skb,
hdr = (struct ieee80211_hdr *) pos;
pos += hdrlen;
@@ -163843,7 +164177,29 @@ index b48c1e1..4c02b5b 100644
pn[5] = pn64;
pn[4] = pn64 >> 8;
-@@ -679,7 +679,7 @@ static int gcmp_encrypt_skb(struct ieee80211_tx_data *tx,
struct sk_buff *skb)
+@@ -461,10 +461,8 @@ static int ccmp_encrypt_skb(struct ieee80211_tx_data *tx,
struct sk_buff *skb,
+
+ pos += IEEE80211_CCMP_HDR_LEN;
+ ccmp_special_blocks(skb, pn, b_0, aad);
+- ieee80211_aes_ccm_encrypt(key->u.ccmp.tfm, b_0, aad, pos, len,
+- skb_put(skb, mic_len), mic_len);
+-
+- return 0;
++ return ieee80211_aes_ccm_encrypt(key->u.ccmp.tfm, b_0, aad, pos, len,
++ skb_put(skb, mic_len), mic_len);
+ }
+
+
+@@ -639,7 +637,7 @@ static int gcmp_encrypt_skb(struct ieee80211_tx_data *tx,
struct sk_buff *skb)
+ u8 *pos;
+ u8 pn[6];
+ u64 pn64;
+- u8 aad[2 * AES_BLOCK_SIZE];
++ u8 aad[GCM_AAD_LEN];
+ u8 j_0[AES_BLOCK_SIZE];
+
+ if (info->control.hw_key &&
+@@ -679,7 +677,7 @@ static int gcmp_encrypt_skb(struct ieee80211_tx_data *tx,
struct sk_buff *skb)
hdr = (struct ieee80211_hdr *)pos;
pos += hdrlen;
@@ -163852,7 +164208,20 @@ index b48c1e1..4c02b5b 100644
pn[5] = pn64;
pn[4] = pn64 >> 8;
-@@ -957,7 +957,7 @@ ieee80211_crypto_aes_cmac_encrypt(struct ieee80211_tx_data
*tx)
+@@ -696,10 +694,8 @@ static int gcmp_encrypt_skb(struct ieee80211_tx_data *tx,
struct sk_buff *skb)
+
+ pos += IEEE80211_GCMP_HDR_LEN;
+ gcmp_special_blocks(skb, pn, j_0, aad);
+- ieee80211_aes_gcm_encrypt(key->u.gcmp.tfm, j_0, aad, pos, len,
+- skb_put(skb, IEEE80211_GCMP_MIC_LEN));
+-
+- return 0;
++ return ieee80211_aes_gcm_encrypt(key->u.gcmp.tfm, j_0, aad, pos, len,
++ skb_put(skb, IEEE80211_GCMP_MIC_LEN));
+ }
+
+ ieee80211_tx_result
+@@ -957,7 +953,7 @@ ieee80211_crypto_aes_cmac_encrypt(struct ieee80211_tx_data
*tx)
mmie->key_id = cpu_to_le16(key->conf.keyidx);
/* PN = PN + 1 */
@@ -163861,7 +164230,7 @@ index b48c1e1..4c02b5b 100644
bip_ipn_set64(mmie->sequence_number, pn64);
-@@ -1001,7 +1001,7 @@ ieee80211_crypto_aes_cmac_256_encrypt(struct
ieee80211_tx_data *tx)
+@@ -1001,7 +997,7 @@ ieee80211_crypto_aes_cmac_256_encrypt(struct
ieee80211_tx_data *tx)
mmie->key_id = cpu_to_le16(key->conf.keyidx);
/* PN = PN + 1 */
@@ -163870,7 +164239,19 @@ index b48c1e1..4c02b5b 100644
bip_ipn_set64(mmie->sequence_number, pn64);
-@@ -1146,7 +1146,7 @@ ieee80211_crypto_aes_gmac_encrypt(struct
ieee80211_tx_data *tx)
+@@ -1123,9 +1119,9 @@ ieee80211_crypto_aes_gmac_encrypt(struct
ieee80211_tx_data *tx)
+ struct ieee80211_key *key = tx->key;
+ struct ieee80211_mmie_16 *mmie;
+ struct ieee80211_hdr *hdr;
+- u8 aad[20];
++ u8 aad[GMAC_AAD_LEN];
+ u64 pn64;
+- u8 nonce[12];
++ u8 nonce[GMAC_NONCE_LEN];
+
+ if (WARN_ON(skb_queue_len(&tx->skbs) != 1))
+ return TX_DROP;
+@@ -1146,7 +1142,7 @@ ieee80211_crypto_aes_gmac_encrypt(struct
ieee80211_tx_data *tx)
mmie->key_id = cpu_to_le16(key->conf.keyidx);
/* PN = PN + 1 */
@@ -163879,6 +164260,15 @@ index b48c1e1..4c02b5b 100644
bip_ipn_set64(mmie->sequence_number, pn64);
+@@ -1171,7 +1167,7 @@ ieee80211_crypto_aes_gmac_decrypt(struct
ieee80211_rx_data *rx)
+ struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
+ struct ieee80211_key *key = rx->key;
+ struct ieee80211_mmie_16 *mmie;
+- u8 aad[20], mic[16], ipn[6], nonce[12];
++ u8 aad[GMAC_AAD_LEN], mic[GMAC_MIC_LEN], ipn[6], nonce[GMAC_NONCE_LEN];
+ struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
+
+ if (!ieee80211_is_mgmt(hdr->frame_control))
diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index 7079cd3..c299f08 100644
--- a/net/mac802154/iface.c
@@ -166863,10 +167253,10 @@ index 3b95b19..914e482 100644
goto err;
return write_len - bc;
diff --git a/net/sunrpc/xprtrdma/svc_rdma_transport.c
b/net/sunrpc/xprtrdma/svc_rdma_transport.c
-index 924271c..e7a0ab3 100644
+index a55b8093a..c32fb3b 100644
--- a/net/sunrpc/xprtrdma/svc_rdma_transport.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c
-@@ -1304,7 +1304,7 @@ int svc_rdma_send(struct svcxprt_rdma *xprt, struct
ib_send_wr *wr)
+@@ -1310,7 +1310,7 @@ int svc_rdma_send(struct svcxprt_rdma *xprt, struct
ib_send_wr *wr)
spin_lock_bh(&xprt->sc_lock);
if (xprt->sc_sq_depth < atomic_read(&xprt->sc_sq_count) +
wr_count) {
spin_unlock_bh(&xprt->sc_lock);
@@ -174998,7 +175388,7 @@ index 0000000..36211fb
+e_*.h
diff --git a/scripts/gcc-plugins/size_overflow_plugin/Makefile
b/scripts/gcc-plugins/size_overflow_plugin/Makefile
new file mode 100644
-index 0000000..62c26c9
+index 0000000..a8039b2
--- /dev/null
+++ b/scripts/gcc-plugins/size_overflow_plugin/Makefile
@@ -0,0 +1,22 @@
@@ -175015,8 +175405,8 @@ index 0000000..62c26c9
+
+define build_size_overflow_hash
+targets += $(addsuffix .h,$(1))
-+$(srctree)/$(src)/size_overflow_plugin_hash.c: $(addprefix
$(objtree)/$(obj)/,$(addsuffix .h,$(1)))
-+$(addprefix $(objtree)/$(obj)/,$(addsuffix .h,$(1))): $(addprefix
$(src)/,$(addsuffix .data,$(1)))
++$(srctree)/$(src)/size_overflow_plugin_hash.c: $(addprefix
$(obj)/,$(addsuffix .h,$(1)))
++$(addprefix $(obj)/,$(addsuffix .h,$(1))): $(addprefix $(src)/,$(addsuffix
.data,$(1)))
+ $$(call if_changed,build_size_overflow_hash)
+endef
+
diff --git a/4.8.10/4425_grsec_remove_EI_PAX.patch
b/4.8.11/4425_grsec_remove_EI_PAX.patch
similarity index 100%
rename from 4.8.10/4425_grsec_remove_EI_PAX.patch
rename to 4.8.11/4425_grsec_remove_EI_PAX.patch
diff --git a/4.8.10/4427_force_XATTR_PAX_tmpfs.patch
b/4.8.11/4427_force_XATTR_PAX_tmpfs.patch
similarity index 100%
rename from 4.8.10/4427_force_XATTR_PAX_tmpfs.patch
rename to 4.8.11/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/4.8.10/4430_grsec-remove-localversion-grsec.patch
b/4.8.11/4430_grsec-remove-localversion-grsec.patch
similarity index 100%
rename from 4.8.10/4430_grsec-remove-localversion-grsec.patch
rename to 4.8.11/4430_grsec-remove-localversion-grsec.patch
diff --git a/4.8.10/4435_grsec-mute-warnings.patch
b/4.8.11/4435_grsec-mute-warnings.patch
similarity index 100%
rename from 4.8.10/4435_grsec-mute-warnings.patch
rename to 4.8.11/4435_grsec-mute-warnings.patch
diff --git a/4.8.10/4440_grsec-remove-protected-paths.patch
b/4.8.11/4440_grsec-remove-protected-paths.patch
similarity index 100%
rename from 4.8.10/4440_grsec-remove-protected-paths.patch
rename to 4.8.11/4440_grsec-remove-protected-paths.patch
diff --git a/4.8.10/4450_grsec-kconfig-default-gids.patch
b/4.8.11/4450_grsec-kconfig-default-gids.patch
similarity index 100%
rename from 4.8.10/4450_grsec-kconfig-default-gids.patch
rename to 4.8.11/4450_grsec-kconfig-default-gids.patch
diff --git a/4.8.10/4465_selinux-avc_audit-log-curr_ip.patch
b/4.8.11/4465_selinux-avc_audit-log-curr_ip.patch
similarity index 100%
rename from 4.8.10/4465_selinux-avc_audit-log-curr_ip.patch
rename to 4.8.11/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/4.8.10/4470_disable-compat_vdso.patch
b/4.8.11/4470_disable-compat_vdso.patch
similarity index 100%
rename from 4.8.10/4470_disable-compat_vdso.patch
rename to 4.8.11/4470_disable-compat_vdso.patch
diff --git a/4.8.10/4475_emutramp_default_on.patch
b/4.8.11/4475_emutramp_default_on.patch
similarity index 100%
rename from 4.8.10/4475_emutramp_default_on.patch
rename to 4.8.11/4475_emutramp_default_on.patch
