summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnthony G. Basile <blueness@gentoo.org>2016-10-23 08:41:53 -0400
committerAnthony G. Basile <blueness@gentoo.org>2016-10-23 08:41:53 -0400
commit577ecfc11feb8d3835b6cc69bb57dac65d5957e6 (patch)
tree5198191ec5024bfd1b924c7edd0130afed5ec761
parentgrsecurity-3.1-4.7.9-201610200819 (diff)
downloadhardened-patchset-20161022.tar.gz
hardened-patchset-20161022.tar.bz2
hardened-patchset-20161022.zip
grsecurity-3.1-4.7.10-20161022203720161022
-rw-r--r--4.7.10/0000_README (renamed from 4.7.9/0000_README)6
-rw-r--r--4.7.10/1007_linux-4.7.8.patch (renamed from 4.7.9/1007_linux-4.7.8.patch)0
-rw-r--r--4.7.10/1008_linux-4.7.9.patch (renamed from 4.7.9/1008_linux-4.7.9.patch)0
-rw-r--r--4.7.10/1009_linux-4.7.10.patch1630
-rw-r--r--4.7.10/4420_grsecurity-3.1-4.7.10-201610222037.patch (renamed from 4.7.9/4420_grsecurity-3.1-4.7.9-201610200819.patch)270
-rw-r--r--4.7.10/4425_grsec_remove_EI_PAX.patch (renamed from 4.7.9/4425_grsec_remove_EI_PAX.patch)0
-rw-r--r--4.7.10/4427_force_XATTR_PAX_tmpfs.patch (renamed from 4.7.9/4427_force_XATTR_PAX_tmpfs.patch)0
-rw-r--r--4.7.10/4430_grsec-remove-localversion-grsec.patch (renamed from 4.7.9/4430_grsec-remove-localversion-grsec.patch)0
-rw-r--r--4.7.10/4435_grsec-mute-warnings.patch (renamed from 4.7.9/4435_grsec-mute-warnings.patch)0
-rw-r--r--4.7.10/4440_grsec-remove-protected-paths.patch (renamed from 4.7.9/4440_grsec-remove-protected-paths.patch)0
-rw-r--r--4.7.10/4450_grsec-kconfig-default-gids.patch (renamed from 4.7.9/4450_grsec-kconfig-default-gids.patch)0
-rw-r--r--4.7.10/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 4.7.9/4465_selinux-avc_audit-log-curr_ip.patch)0
-rw-r--r--4.7.10/4470_disable-compat_vdso.patch (renamed from 4.7.9/4470_disable-compat_vdso.patch)0
-rw-r--r--4.7.10/4475_emutramp_default_on.patch (renamed from 4.7.9/4475_emutramp_default_on.patch)0
14 files changed, 1784 insertions, 122 deletions
diff --git a/4.7.9/0000_README b/4.7.10/0000_README
index be33a95..f0806b3 100644
--- a/4.7.9/0000_README
+++ b/4.7.10/0000_README
@@ -10,7 +10,11 @@ Patch: 1008_linux-4.7.9.patch
From: http://www.kernel.org
Desc: Linux 4.7.9
-Patch: 4420_grsecurity-3.1-4.7.9-201610200819.patch
+Patch: 1009_linux-4.7.10.patch
+From: http://www.kernel.org
+Desc: Linux 4.7.10
+
+Patch: 4420_grsecurity-3.1-4.7.10-201610222037.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.7.9/1007_linux-4.7.8.patch b/4.7.10/1007_linux-4.7.8.patch
index dd5c7d8..dd5c7d8 100644
--- a/4.7.9/1007_linux-4.7.8.patch
+++ b/4.7.10/1007_linux-4.7.8.patch
diff --git a/4.7.9/1008_linux-4.7.9.patch b/4.7.10/1008_linux-4.7.9.patch
index 5fd99d3..5fd99d3 100644
--- a/4.7.9/1008_linux-4.7.9.patch
+++ b/4.7.10/1008_linux-4.7.9.patch
diff --git a/4.7.10/1009_linux-4.7.10.patch b/4.7.10/1009_linux-4.7.10.patch
new file mode 100644
index 0000000..2e76abd
--- /dev/null
+++ b/4.7.10/1009_linux-4.7.10.patch
@@ -0,0 +1,1630 @@
+diff --git a/MAINTAINERS b/MAINTAINERS
+index 8c20323..67c42db 100644
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -12620,11 +12620,10 @@ F: arch/x86/xen/*swiotlb*
+ F: drivers/xen/*swiotlb*
+
+ XFS FILESYSTEM
+-P: Silicon Graphics Inc
+ M: Dave Chinner <david@fromorbit.com>
+-M: xfs@oss.sgi.com
+-L: xfs@oss.sgi.com
+-W: http://oss.sgi.com/projects/xfs
++M: linux-xfs@vger.kernel.org
++L: linux-xfs@vger.kernel.org
++W: http://xfs.org/
+ T: git git://git.kernel.org/pub/scm/linux/kernel/git/dgc/linux-xfs.git
+ S: Supported
+ F: Documentation/filesystems/xfs.txt
+diff --git a/Makefile b/Makefile
+index cb3f64e..219ab6d 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 7
+-SUBLEVEL = 9
++SUBLEVEL = 10
+ EXTRAVERSION =
+ NAME = Psychotic Stoned Sheep
+
+diff --git a/arch/arc/include/asm/irqflags-arcv2.h b/arch/arc/include/asm/irqflags-arcv2.h
+index d1ec7f6..e880dfa 100644
+--- a/arch/arc/include/asm/irqflags-arcv2.h
++++ b/arch/arc/include/asm/irqflags-arcv2.h
+@@ -112,7 +112,7 @@ static inline long arch_local_save_flags(void)
+ */
+ temp = (1 << 5) |
+ ((!!(temp & STATUS_IE_MASK)) << CLRI_STATUS_IE_BIT) |
+- (temp & CLRI_STATUS_E_MASK);
++ ((temp >> 1) & CLRI_STATUS_E_MASK);
+ return temp;
+ }
+
+diff --git a/arch/arc/kernel/intc-arcv2.c b/arch/arc/kernel/intc-arcv2.c
+index 6c24faf..62b59409 100644
+--- a/arch/arc/kernel/intc-arcv2.c
++++ b/arch/arc/kernel/intc-arcv2.c
+@@ -74,7 +74,7 @@ void arc_init_IRQ(void)
+ tmp = read_aux_reg(0xa);
+ tmp |= STATUS_AD_MASK | (irq_prio << 1);
+ tmp &= ~STATUS_IE_MASK;
+- asm volatile("flag %0 \n"::"r"(tmp));
++ asm volatile("kflag %0 \n"::"r"(tmp));
+ }
+
+ static void arcv2_irq_mask(struct irq_data *data)
+diff --git a/block/cfq-iosched.c b/block/cfq-iosched.c
+index 4a34978..73a277d 100644
+--- a/block/cfq-iosched.c
++++ b/block/cfq-iosched.c
+@@ -3021,7 +3021,6 @@ static struct request *cfq_check_fifo(struct cfq_queue *cfqq)
+ if (time_before(jiffies, rq->fifo_time))
+ rq = NULL;
+
+- cfq_log_cfqq(cfqq->cfqd, cfqq, "fifo=%p", rq);
+ return rq;
+ }
+
+@@ -3395,6 +3394,9 @@ static bool cfq_may_dispatch(struct cfq_data *cfqd, struct cfq_queue *cfqq)
+ {
+ unsigned int max_dispatch;
+
++ if (cfq_cfqq_must_dispatch(cfqq))
++ return true;
++
+ /*
+ * Drain async requests before we start sync IO
+ */
+@@ -3486,15 +3488,20 @@ static bool cfq_dispatch_request(struct cfq_data *cfqd, struct cfq_queue *cfqq)
+
+ BUG_ON(RB_EMPTY_ROOT(&cfqq->sort_list));
+
++ rq = cfq_check_fifo(cfqq);
++ if (rq)
++ cfq_mark_cfqq_must_dispatch(cfqq);
++
+ if (!cfq_may_dispatch(cfqd, cfqq))
+ return false;
+
+ /*
+ * follow expired path, else get first next available
+ */
+- rq = cfq_check_fifo(cfqq);
+ if (!rq)
+ rq = cfqq->next_rq;
++ else
++ cfq_log_cfqq(cfqq->cfqd, cfqq, "fifo=%p", rq);
+
+ /*
+ * insert request into driver dispatch list
+@@ -3962,7 +3969,7 @@ cfq_should_preempt(struct cfq_data *cfqd, struct cfq_queue *new_cfqq,
+ * if the new request is sync, but the currently running queue is
+ * not, let the sync request have priority.
+ */
+- if (rq_is_sync(rq) && !cfq_cfqq_sync(cfqq))
++ if (rq_is_sync(rq) && !cfq_cfqq_sync(cfqq) && !cfq_cfqq_must_dispatch(cfqq))
+ return true;
+
+ /*
+diff --git a/crypto/async_tx/async_pq.c b/crypto/async_tx/async_pq.c
+index 08b3ac6..f83de99 100644
+--- a/crypto/async_tx/async_pq.c
++++ b/crypto/async_tx/async_pq.c
+@@ -368,8 +368,6 @@ async_syndrome_val(struct page **blocks, unsigned int offset, int disks,
+
+ dma_set_unmap(tx, unmap);
+ async_tx_submit(chan, tx, submit);
+-
+- return tx;
+ } else {
+ struct page *p_src = P(blocks, disks);
+ struct page *q_src = Q(blocks, disks);
+@@ -424,9 +422,11 @@ async_syndrome_val(struct page **blocks, unsigned int offset, int disks,
+ submit->cb_param = cb_param_orig;
+ submit->flags = flags_orig;
+ async_tx_sync_epilog(submit);
+-
+- return NULL;
++ tx = NULL;
+ }
++ dmaengine_unmap_put(unmap);
++
++ return tx;
+ }
+ EXPORT_SYMBOL_GPL(async_syndrome_val);
+
+diff --git a/crypto/ghash-generic.c b/crypto/ghash-generic.c
+index bac7099..12ad3e3 100644
+--- a/crypto/ghash-generic.c
++++ b/crypto/ghash-generic.c
+@@ -14,24 +14,13 @@
+
+ #include <crypto/algapi.h>
+ #include <crypto/gf128mul.h>
++#include <crypto/ghash.h>
+ #include <crypto/internal/hash.h>
+ #include <linux/crypto.h>
+ #include <linux/init.h>
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+
+-#define GHASH_BLOCK_SIZE 16
+-#define GHASH_DIGEST_SIZE 16
+-
+-struct ghash_ctx {
+- struct gf128mul_4k *gf128;
+-};
+-
+-struct ghash_desc_ctx {
+- u8 buffer[GHASH_BLOCK_SIZE];
+- u32 bytes;
+-};
+-
+ static int ghash_init(struct shash_desc *desc)
+ {
+ struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);
+diff --git a/drivers/base/dma-mapping.c b/drivers/base/dma-mapping.c
+index d799662..261420d 100644
+--- a/drivers/base/dma-mapping.c
++++ b/drivers/base/dma-mapping.c
+@@ -334,7 +334,7 @@ void dma_common_free_remap(void *cpu_addr, size_t size, unsigned long vm_flags)
+ return;
+ }
+
+- unmap_kernel_range((unsigned long)cpu_addr, size);
++ unmap_kernel_range((unsigned long)cpu_addr, PAGE_ALIGN(size));
+ vunmap(cpu_addr);
+ }
+ #endif
+diff --git a/drivers/clk/mvebu/cp110-system-controller.c b/drivers/clk/mvebu/cp110-system-controller.c
+index 7fa42d6..f2303da 100644
+--- a/drivers/clk/mvebu/cp110-system-controller.c
++++ b/drivers/clk/mvebu/cp110-system-controller.c
+@@ -81,13 +81,6 @@ enum {
+ #define CP110_GATE_EIP150 25
+ #define CP110_GATE_EIP197 26
+
+-static struct clk *cp110_clks[CP110_CLK_NUM];
+-
+-static struct clk_onecell_data cp110_clk_data = {
+- .clks = cp110_clks,
+- .clk_num = CP110_CLK_NUM,
+-};
+-
+ struct cp110_gate_clk {
+ struct clk_hw hw;
+ struct regmap *regmap;
+@@ -142,6 +135,8 @@ static struct clk *cp110_register_gate(const char *name,
+ if (!gate)
+ return ERR_PTR(-ENOMEM);
+
++ memset(&init, 0, sizeof(init));
++
+ init.name = name;
+ init.ops = &cp110_gate_ops;
+ init.parent_names = &parent_name;
+@@ -194,7 +189,8 @@ static int cp110_syscon_clk_probe(struct platform_device *pdev)
+ struct regmap *regmap;
+ struct device_node *np = pdev->dev.of_node;
+ const char *ppv2_name, *apll_name, *core_name, *eip_name, *nand_name;
+- struct clk *clk;
++ struct clk_onecell_data *cp110_clk_data;
++ struct clk *clk, **cp110_clks;
+ u32 nand_clk_ctrl;
+ int i, ret;
+
+@@ -207,6 +203,20 @@ static int cp110_syscon_clk_probe(struct platform_device *pdev)
+ if (ret)
+ return ret;
+
++ cp110_clks = devm_kcalloc(&pdev->dev, sizeof(struct clk *),
++ CP110_CLK_NUM, GFP_KERNEL);
++ if (!cp110_clks)
++ return -ENOMEM;
++
++ cp110_clk_data = devm_kzalloc(&pdev->dev,
++ sizeof(*cp110_clk_data),
++ GFP_KERNEL);
++ if (!cp110_clk_data)
++ return -ENOMEM;
++
++ cp110_clk_data->clks = cp110_clks;
++ cp110_clk_data->clk_num = CP110_CLK_NUM;
++
+ /* Register the APLL which is the root of the clk tree */
+ of_property_read_string_index(np, "core-clock-output-names",
+ CP110_CORE_APLL, &apll_name);
+@@ -334,10 +344,12 @@ static int cp110_syscon_clk_probe(struct platform_device *pdev)
+ cp110_clks[CP110_MAX_CORE_CLOCKS + i] = clk;
+ }
+
+- ret = of_clk_add_provider(np, cp110_of_clk_get, &cp110_clk_data);
++ ret = of_clk_add_provider(np, cp110_of_clk_get, cp110_clk_data);
+ if (ret)
+ goto fail_clk_add;
+
++ platform_set_drvdata(pdev, cp110_clks);
++
+ return 0;
+
+ fail_clk_add:
+@@ -364,6 +376,7 @@ static int cp110_syscon_clk_probe(struct platform_device *pdev)
+
+ static int cp110_syscon_clk_remove(struct platform_device *pdev)
+ {
++ struct clk **cp110_clks = platform_get_drvdata(pdev);
+ int i;
+
+ of_clk_del_provider(pdev->dev.of_node);
+diff --git a/drivers/crypto/vmx/ghash.c b/drivers/crypto/vmx/ghash.c
+index 6c999cb0..27a94a1 100644
+--- a/drivers/crypto/vmx/ghash.c
++++ b/drivers/crypto/vmx/ghash.c
+@@ -26,16 +26,13 @@
+ #include <linux/hardirq.h>
+ #include <asm/switch_to.h>
+ #include <crypto/aes.h>
++#include <crypto/ghash.h>
+ #include <crypto/scatterwalk.h>
+ #include <crypto/internal/hash.h>
+ #include <crypto/b128ops.h>
+
+ #define IN_INTERRUPT in_interrupt()
+
+-#define GHASH_BLOCK_SIZE (16)
+-#define GHASH_DIGEST_SIZE (16)
+-#define GHASH_KEY_LEN (16)
+-
+ void gcm_init_p8(u128 htable[16], const u64 Xi[2]);
+ void gcm_gmult_p8(u64 Xi[2], const u128 htable[16]);
+ void gcm_ghash_p8(u64 Xi[2], const u128 htable[16],
+@@ -55,16 +52,11 @@ struct p8_ghash_desc_ctx {
+
+ static int p8_ghash_init_tfm(struct crypto_tfm *tfm)
+ {
+- const char *alg;
++ const char *alg = "ghash-generic";
+ struct crypto_shash *fallback;
+ struct crypto_shash *shash_tfm = __crypto_shash_cast(tfm);
+ struct p8_ghash_ctx *ctx = crypto_tfm_ctx(tfm);
+
+- if (!(alg = crypto_tfm_alg_name(tfm))) {
+- printk(KERN_ERR "Failed to get algorithm name.\n");
+- return -ENOENT;
+- }
+-
+ fallback = crypto_alloc_shash(alg, 0, CRYPTO_ALG_NEED_FALLBACK);
+ if (IS_ERR(fallback)) {
+ printk(KERN_ERR
+@@ -78,10 +70,18 @@ static int p8_ghash_init_tfm(struct crypto_tfm *tfm)
+ crypto_shash_set_flags(fallback,
+ crypto_shash_get_flags((struct crypto_shash
+ *) tfm));
+- ctx->fallback = fallback;
+
+- shash_tfm->descsize = sizeof(struct p8_ghash_desc_ctx)
+- + crypto_shash_descsize(fallback);
++ /* Check if the descsize defined in the algorithm is still enough. */
++ if (shash_tfm->descsize < sizeof(struct p8_ghash_desc_ctx)
++ + crypto_shash_descsize(fallback)) {
++ printk(KERN_ERR
++ "Desc size of the fallback implementation (%s) does not match the expected value: %lu vs %u\n",
++ alg,
++ shash_tfm->descsize - sizeof(struct p8_ghash_desc_ctx),
++ crypto_shash_descsize(fallback));
++ return -EINVAL;
++ }
++ ctx->fallback = fallback;
+
+ return 0;
+ }
+@@ -113,7 +113,7 @@ static int p8_ghash_setkey(struct crypto_shash *tfm, const u8 *key,
+ {
+ struct p8_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(tfm));
+
+- if (keylen != GHASH_KEY_LEN)
++ if (keylen != GHASH_BLOCK_SIZE)
+ return -EINVAL;
+
+ preempt_disable();
+@@ -211,7 +211,8 @@ struct shash_alg p8_ghash_alg = {
+ .update = p8_ghash_update,
+ .final = p8_ghash_final,
+ .setkey = p8_ghash_setkey,
+- .descsize = sizeof(struct p8_ghash_desc_ctx),
++ .descsize = sizeof(struct p8_ghash_desc_ctx)
++ + sizeof(struct ghash_desc_ctx),
+ .base = {
+ .cra_name = "ghash",
+ .cra_driver_name = "p8_ghash",
+diff --git a/drivers/infiniband/hw/hfi1/rc.c b/drivers/infiniband/hw/hfi1/rc.c
+index 792f15e..29e3ce2 100644
+--- a/drivers/infiniband/hw/hfi1/rc.c
++++ b/drivers/infiniband/hw/hfi1/rc.c
+@@ -889,8 +889,10 @@ void hfi1_send_rc_ack(struct hfi1_ctxtdata *rcd, struct rvt_qp *qp,
+ return;
+
+ queue_ack:
+- this_cpu_inc(*ibp->rvp.rc_qacks);
+ spin_lock_irqsave(&qp->s_lock, flags);
++ if (!(ib_rvt_state_ops[qp->state] & RVT_PROCESS_RECV_OK))
++ goto unlock;
++ this_cpu_inc(*ibp->rvp.rc_qacks);
+ qp->s_flags |= RVT_S_ACK_PENDING | RVT_S_RESP_PENDING;
+ qp->s_nak_state = qp->r_nak_state;
+ qp->s_ack_psn = qp->r_ack_psn;
+@@ -899,6 +901,7 @@ void hfi1_send_rc_ack(struct hfi1_ctxtdata *rcd, struct rvt_qp *qp,
+
+ /* Schedule the send tasklet. */
+ hfi1_schedule_send(qp);
++unlock:
+ spin_unlock_irqrestore(&qp->s_lock, flags);
+ }
+
+diff --git a/drivers/misc/mei/amthif.c b/drivers/misc/mei/amthif.c
+index a039a5d..fd9271b 100644
+--- a/drivers/misc/mei/amthif.c
++++ b/drivers/misc/mei/amthif.c
+@@ -67,8 +67,12 @@ int mei_amthif_host_init(struct mei_device *dev, struct mei_me_client *me_cl)
+ struct mei_cl *cl = &dev->iamthif_cl;
+ int ret;
+
+- if (mei_cl_is_connected(cl))
+- return 0;
++ mutex_lock(&dev->device_lock);
++
++ if (mei_cl_is_connected(cl)) {
++ ret = 0;
++ goto out;
++ }
+
+ dev->iamthif_state = MEI_IAMTHIF_IDLE;
+
+@@ -77,11 +81,13 @@ int mei_amthif_host_init(struct mei_device *dev, struct mei_me_client *me_cl)
+ ret = mei_cl_link(cl);
+ if (ret < 0) {
+ dev_err(dev->dev, "amthif: failed cl_link %d\n", ret);
+- return ret;
++ goto out;
+ }
+
+ ret = mei_cl_connect(cl, me_cl, NULL);
+
++out:
++ mutex_unlock(&dev->device_lock);
+ return ret;
+ }
+
+diff --git a/drivers/misc/mei/bus.c b/drivers/misc/mei/bus.c
+index 1f33fea..e094df3 100644
+--- a/drivers/misc/mei/bus.c
++++ b/drivers/misc/mei/bus.c
+@@ -983,12 +983,10 @@ void mei_cl_bus_rescan_work(struct work_struct *work)
+ container_of(work, struct mei_device, bus_rescan_work);
+ struct mei_me_client *me_cl;
+
+- mutex_lock(&bus->device_lock);
+ me_cl = mei_me_cl_by_uuid(bus, &mei_amthif_guid);
+ if (me_cl)
+ mei_amthif_host_init(bus, me_cl);
+ mei_me_cl_put(me_cl);
+- mutex_unlock(&bus->device_lock);
+
+ mei_cl_bus_rescan(bus);
+ }
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 501f15d..e7ba731 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -11415,6 +11415,12 @@ static pci_ers_result_t i40e_pci_error_detected(struct pci_dev *pdev,
+
+ dev_info(&pdev->dev, "%s: error %d\n", __func__, error);
+
++ if (!pf) {
++ dev_info(&pdev->dev,
++ "Cannot recover - error happened during device probe\n");
++ return PCI_ERS_RESULT_DISCONNECT;
++ }
++
+ /* shutdown all operations */
+ if (!test_bit(__I40E_SUSPENDED, &pf->state)) {
+ rtnl_lock();
+diff --git a/drivers/net/wireless/ath/carl9170/debug.c b/drivers/net/wireless/ath/carl9170/debug.c
+index 6808db4..ec3a64e 100644
+--- a/drivers/net/wireless/ath/carl9170/debug.c
++++ b/drivers/net/wireless/ath/carl9170/debug.c
+@@ -75,7 +75,8 @@ static ssize_t carl9170_debugfs_read(struct file *file, char __user *userbuf,
+
+ if (!ar)
+ return -ENODEV;
+- dfops = container_of(file->f_op, struct carl9170_debugfs_fops, fops);
++ dfops = container_of(debugfs_real_fops(file),
++ struct carl9170_debugfs_fops, fops);
+
+ if (!dfops->read)
+ return -ENOSYS;
+@@ -127,7 +128,8 @@ static ssize_t carl9170_debugfs_write(struct file *file,
+
+ if (!ar)
+ return -ENODEV;
+- dfops = container_of(file->f_op, struct carl9170_debugfs_fops, fops);
++ dfops = container_of(debugfs_real_fops(file),
++ struct carl9170_debugfs_fops, fops);
+
+ if (!dfops->write)
+ return -ENOSYS;
+diff --git a/drivers/net/wireless/broadcom/b43/debugfs.c b/drivers/net/wireless/broadcom/b43/debugfs.c
+index b4bcd94..7704638 100644
+--- a/drivers/net/wireless/broadcom/b43/debugfs.c
++++ b/drivers/net/wireless/broadcom/b43/debugfs.c
+@@ -524,7 +524,8 @@ static ssize_t b43_debugfs_read(struct file *file, char __user *userbuf,
+ goto out_unlock;
+ }
+
+- dfops = container_of(file->f_op, struct b43_debugfs_fops, fops);
++ dfops = container_of(debugfs_real_fops(file),
++ struct b43_debugfs_fops, fops);
+ if (!dfops->read) {
+ err = -ENOSYS;
+ goto out_unlock;
+@@ -585,7 +586,8 @@ static ssize_t b43_debugfs_write(struct file *file,
+ goto out_unlock;
+ }
+
+- dfops = container_of(file->f_op, struct b43_debugfs_fops, fops);
++ dfops = container_of(debugfs_real_fops(file),
++ struct b43_debugfs_fops, fops);
+ if (!dfops->write) {
+ err = -ENOSYS;
+ goto out_unlock;
+diff --git a/drivers/net/wireless/broadcom/b43legacy/debugfs.c b/drivers/net/wireless/broadcom/b43legacy/debugfs.c
+index 090910e..82ef56e 100644
+--- a/drivers/net/wireless/broadcom/b43legacy/debugfs.c
++++ b/drivers/net/wireless/broadcom/b43legacy/debugfs.c
+@@ -221,7 +221,8 @@ static ssize_t b43legacy_debugfs_read(struct file *file, char __user *userbuf,
+ goto out_unlock;
+ }
+
+- dfops = container_of(file->f_op, struct b43legacy_debugfs_fops, fops);
++ dfops = container_of(debugfs_real_fops(file),
++ struct b43legacy_debugfs_fops, fops);
+ if (!dfops->read) {
+ err = -ENOSYS;
+ goto out_unlock;
+@@ -287,7 +288,8 @@ static ssize_t b43legacy_debugfs_write(struct file *file,
+ goto out_unlock;
+ }
+
+- dfops = container_of(file->f_op, struct b43legacy_debugfs_fops, fops);
++ dfops = container_of(debugfs_real_fops(file),
++ struct b43legacy_debugfs_fops, fops);
+ if (!dfops->write) {
+ err = -ENOSYS;
+ goto out_unlock;
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+index 121baba..9014bf4 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -2473,7 +2473,7 @@ static void brcmf_fill_bss_param(struct brcmf_if *ifp, struct station_info *si)
+ WL_BSS_INFO_MAX);
+ if (err) {
+ brcmf_err("Failed to get bss info (%d)\n", err);
+- return;
++ goto out_kfree;
+ }
+ si->filled |= BIT(NL80211_STA_INFO_BSS_PARAM);
+ si->bss_param.beacon_interval = le16_to_cpu(buf->bss_le.beacon_period);
+@@ -2485,6 +2485,9 @@ static void brcmf_fill_bss_param(struct brcmf_if *ifp, struct station_info *si)
+ si->bss_param.flags |= BSS_PARAM_FLAGS_SHORT_PREAMBLE;
+ if (capability & WLAN_CAPABILITY_SHORT_SLOT_TIME)
+ si->bss_param.flags |= BSS_PARAM_FLAGS_SHORT_SLOT_TIME;
++
++out_kfree:
++ kfree(buf);
+ }
+
+ static s32
+@@ -3824,11 +3827,11 @@ brcmf_cfg80211_del_pmksa(struct wiphy *wiphy, struct net_device *ndev,
+ if (!check_vif_up(ifp->vif))
+ return -EIO;
+
+- brcmf_dbg(CONN, "del_pmksa - PMK bssid = %pM\n", &pmksa->bssid);
++ brcmf_dbg(CONN, "del_pmksa - PMK bssid = %pM\n", pmksa->bssid);
+
+ npmk = le32_to_cpu(cfg->pmk_list.npmk);
+ for (i = 0; i < npmk; i++)
+- if (!memcmp(&pmksa->bssid, &pmk[i].bssid, ETH_ALEN))
++ if (!memcmp(pmksa->bssid, pmk[i].bssid, ETH_ALEN))
+ break;
+
+ if ((npmk > 0) && (i < npmk)) {
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/flowring.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/flowring.c
+index 7e269f9..6366444 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/flowring.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/flowring.c
+@@ -234,13 +234,20 @@ static void brcmf_flowring_block(struct brcmf_flowring *flow, u16 flowid,
+
+ void brcmf_flowring_delete(struct brcmf_flowring *flow, u16 flowid)
+ {
++ struct brcmf_bus *bus_if = dev_get_drvdata(flow->dev);
+ struct brcmf_flowring_ring *ring;
++ struct brcmf_if *ifp;
+ u16 hash_idx;
++ u8 ifidx;
+ struct sk_buff *skb;
+
+ ring = flow->rings[flowid];
+ if (!ring)
+ return;
++
++ ifidx = brcmf_flowring_ifidx_get(flow, flowid);
++ ifp = brcmf_get_ifp(bus_if->drvr, ifidx);
++
+ brcmf_flowring_block(flow, flowid, false);
+ hash_idx = ring->hash_id;
+ flow->hash[hash_idx].ifidx = BRCMF_FLOWRING_INVALID_IFIDX;
+@@ -249,7 +256,7 @@ void brcmf_flowring_delete(struct brcmf_flowring *flow, u16 flowid)
+
+ skb = skb_dequeue(&ring->skblist);
+ while (skb) {
+- brcmu_pkt_buf_free_skb(skb);
++ brcmf_txfinalize(ifp, skb, false);
+ skb = skb_dequeue(&ring->skblist);
+ }
+
+diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c
+index 7640498..3d53d63 100644
+--- a/drivers/scsi/arcmsr/arcmsr_hba.c
++++ b/drivers/scsi/arcmsr/arcmsr_hba.c
+@@ -2388,15 +2388,23 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
+ }
+ case ARCMSR_MESSAGE_WRITE_WQBUFFER: {
+ unsigned char *ver_addr;
+- int32_t user_len, cnt2end;
++ uint32_t user_len;
++ int32_t cnt2end;
+ uint8_t *pQbuffer, *ptmpuserbuffer;
++
++ user_len = pcmdmessagefld->cmdmessage.Length;
++ if (user_len > ARCMSR_API_DATA_BUFLEN) {
++ retvalue = ARCMSR_MESSAGE_FAIL;
++ goto message_out;
++ }
++
+ ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC);
+ if (!ver_addr) {
+ retvalue = ARCMSR_MESSAGE_FAIL;
+ goto message_out;
+ }
+ ptmpuserbuffer = ver_addr;
+- user_len = pcmdmessagefld->cmdmessage.Length;
++
+ memcpy(ptmpuserbuffer,
+ pcmdmessagefld->messagedatabuffer, user_len);
+ spin_lock_irqsave(&acb->wqbuffer_lock, flags);
+diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c
+index fc523c3..6398f3d 100644
+--- a/drivers/scsi/ibmvscsi/ibmvfc.c
++++ b/drivers/scsi/ibmvscsi/ibmvfc.c
+@@ -717,7 +717,6 @@ static int ibmvfc_reset_crq(struct ibmvfc_host *vhost)
+ spin_lock_irqsave(vhost->host->host_lock, flags);
+ vhost->state = IBMVFC_NO_CRQ;
+ vhost->logged_in = 0;
+- ibmvfc_set_host_action(vhost, IBMVFC_HOST_ACTION_NONE);
+
+ /* Clean out the queue */
+ memset(crq->msgs, 0, PAGE_SIZE);
+diff --git a/drivers/tty/serial/8250/8250_dw.c b/drivers/tty/serial/8250/8250_dw.c
+index e199696..b022f5a 100644
+--- a/drivers/tty/serial/8250/8250_dw.c
++++ b/drivers/tty/serial/8250/8250_dw.c
+@@ -462,7 +462,7 @@ static int dw8250_probe(struct platform_device *pdev)
+ }
+
+ data->pclk = devm_clk_get(&pdev->dev, "apb_pclk");
+- if (IS_ERR(data->clk) && PTR_ERR(data->clk) == -EPROBE_DEFER) {
++ if (IS_ERR(data->pclk) && PTR_ERR(data->pclk) == -EPROBE_DEFER) {
+ err = -EPROBE_DEFER;
+ goto err_clk;
+ }
+diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c
+index d403603..427dd78 100644
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -1415,12 +1415,8 @@ static void __do_stop_tx_rs485(struct uart_8250_port *p)
+ if (!(p->port.rs485.flags & SER_RS485_RX_DURING_TX)) {
+ serial8250_clear_fifos(p);
+
+- serial8250_rpm_get(p);
+-
+ p->ier |= UART_IER_RLSI | UART_IER_RDI;
+ serial_port_out(&p->port, UART_IER, p->ier);
+-
+- serial8250_rpm_put(p);
+ }
+ }
+
+@@ -1430,6 +1426,7 @@ static void serial8250_em485_handle_stop_tx(unsigned long arg)
+ struct uart_8250_em485 *em485 = p->em485;
+ unsigned long flags;
+
++ serial8250_rpm_get(p);
+ spin_lock_irqsave(&p->port.lock, flags);
+ if (em485 &&
+ em485->active_timer == &em485->stop_tx_timer) {
+@@ -1437,6 +1434,7 @@ static void serial8250_em485_handle_stop_tx(unsigned long arg)
+ em485->active_timer = NULL;
+ }
+ spin_unlock_irqrestore(&p->port.lock, flags);
++ serial8250_rpm_put(p);
+ }
+
+ static void __stop_tx_rs485(struct uart_8250_port *p)
+@@ -1476,7 +1474,7 @@ static inline void __stop_tx(struct uart_8250_port *p)
+ unsigned char lsr = serial_in(p, UART_LSR);
+ /*
+ * To provide required timeing and allow FIFO transfer,
+- * __stop_tx_rs485 must be called only when both FIFO and
++ * __stop_tx_rs485() must be called only when both FIFO and
+ * shift register are empty. It is for device driver to enable
+ * interrupt on TEMT.
+ */
+@@ -1485,9 +1483,10 @@ static inline void __stop_tx(struct uart_8250_port *p)
+
+ del_timer(&em485->start_tx_timer);
+ em485->active_timer = NULL;
++
++ __stop_tx_rs485(p);
+ }
+ __do_stop_tx(p);
+- __stop_tx_rs485(p);
+ }
+
+ static void serial8250_stop_tx(struct uart_port *port)
+diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c
+index 0df2b1c..615c027 100644
+--- a/drivers/tty/serial/imx.c
++++ b/drivers/tty/serial/imx.c
+@@ -740,12 +740,13 @@ static unsigned int imx_get_hwmctrl(struct imx_port *sport)
+ {
+ unsigned int tmp = TIOCM_DSR;
+ unsigned usr1 = readl(sport->port.membase + USR1);
++ unsigned usr2 = readl(sport->port.membase + USR2);
+
+ if (usr1 & USR1_RTSS)
+ tmp |= TIOCM_CTS;
+
+ /* in DCE mode DCDIN is always 0 */
+- if (!(usr1 & USR2_DCDIN))
++ if (!(usr2 & USR2_DCDIN))
+ tmp |= TIOCM_CAR;
+
+ if (sport->dte_mode)
+diff --git a/fs/attr.c b/fs/attr.c
+index 25b24d0..ccde270 100644
+--- a/fs/attr.c
++++ b/fs/attr.c
+@@ -202,6 +202,21 @@ int notify_change(struct dentry * dentry, struct iattr * attr, struct inode **de
+ return -EPERM;
+ }
+
++ /*
++ * If utimes(2) and friends are called with times == NULL (or both
++ * times are UTIME_NOW), then we need to check for write permission
++ */
++ if (ia_valid & ATTR_TOUCH) {
++ if (IS_IMMUTABLE(inode))
++ return -EPERM;
++
++ if (!inode_owner_or_capable(inode)) {
++ error = inode_permission(inode, MAY_WRITE);
++ if (error)
++ return error;
++ }
++ }
++
+ if ((ia_valid & ATTR_MODE)) {
+ umode_t amode = attr->ia_mode;
+ /* Flag setting protected by i_mutex */
+diff --git a/fs/btrfs/compression.c b/fs/btrfs/compression.c
+index 658c39b..702e583 100644
+--- a/fs/btrfs/compression.c
++++ b/fs/btrfs/compression.c
+@@ -690,7 +690,7 @@ int btrfs_submit_compressed_read(struct inode *inode, struct bio *bio,
+ ret = btrfs_map_bio(root, READ, comp_bio,
+ mirror_num, 0);
+ if (ret) {
+- bio->bi_error = ret;
++ comp_bio->bi_error = ret;
+ bio_endio(comp_bio);
+ }
+
+@@ -719,7 +719,7 @@ int btrfs_submit_compressed_read(struct inode *inode, struct bio *bio,
+
+ ret = btrfs_map_bio(root, READ, comp_bio, mirror_num, 0);
+ if (ret) {
+- bio->bi_error = ret;
++ comp_bio->bi_error = ret;
+ bio_endio(comp_bio);
+ }
+
+diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
+index 72f5048..699ee7c 100644
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -265,7 +265,8 @@ struct btrfs_super_block {
+ #define BTRFS_FEATURE_COMPAT_SAFE_CLEAR 0ULL
+
+ #define BTRFS_FEATURE_COMPAT_RO_SUPP \
+- (BTRFS_FEATURE_COMPAT_RO_FREE_SPACE_TREE)
++ (BTRFS_FEATURE_COMPAT_RO_FREE_SPACE_TREE | \
++ BTRFS_FEATURE_COMPAT_RO_FREE_SPACE_TREE_VALID)
+
+ #define BTRFS_FEATURE_COMPAT_RO_SAFE_SET 0ULL
+ #define BTRFS_FEATURE_COMPAT_RO_SAFE_CLEAR 0ULL
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index 864cf3b..c14e8c7 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -2528,6 +2528,7 @@ int open_ctree(struct super_block *sb,
+ int num_backups_tried = 0;
+ int backup_index = 0;
+ int max_active;
++ int clear_free_space_tree = 0;
+
+ tree_root = fs_info->tree_root = btrfs_alloc_root(fs_info, GFP_KERNEL);
+ chunk_root = fs_info->chunk_root = btrfs_alloc_root(fs_info, GFP_KERNEL);
+@@ -3129,6 +3130,14 @@ int open_ctree(struct super_block *sb,
+
+ if (btrfs_test_opt(tree_root, CLEAR_CACHE) &&
+ btrfs_fs_compat_ro(fs_info, FREE_SPACE_TREE)) {
++ clear_free_space_tree = 1;
++ } else if (btrfs_fs_compat_ro(fs_info, FREE_SPACE_TREE) &&
++ !btrfs_fs_compat_ro(fs_info, FREE_SPACE_TREE_VALID)) {
++ btrfs_warn(fs_info, "free space tree is invalid");
++ clear_free_space_tree = 1;
++ }
++
++ if (clear_free_space_tree) {
+ btrfs_info(fs_info, "clearing free space tree");
+ ret = btrfs_clear_free_space_tree(fs_info);
+ if (ret) {
+diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
+index 92fe3f8..28f60fc 100644
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -5508,17 +5508,45 @@ void copy_extent_buffer(struct extent_buffer *dst, struct extent_buffer *src,
+ }
+ }
+
+-/*
+- * The extent buffer bitmap operations are done with byte granularity because
+- * bitmap items are not guaranteed to be aligned to a word and therefore a
+- * single word in a bitmap may straddle two pages in the extent buffer.
+- */
+-#define BIT_BYTE(nr) ((nr) / BITS_PER_BYTE)
+-#define BYTE_MASK ((1 << BITS_PER_BYTE) - 1)
+-#define BITMAP_FIRST_BYTE_MASK(start) \
+- ((BYTE_MASK << ((start) & (BITS_PER_BYTE - 1))) & BYTE_MASK)
+-#define BITMAP_LAST_BYTE_MASK(nbits) \
+- (BYTE_MASK >> (-(nbits) & (BITS_PER_BYTE - 1)))
++void le_bitmap_set(u8 *map, unsigned int start, int len)
++{
++ u8 *p = map + BIT_BYTE(start);
++ const unsigned int size = start + len;
++ int bits_to_set = BITS_PER_BYTE - (start % BITS_PER_BYTE);
++ u8 mask_to_set = BITMAP_FIRST_BYTE_MASK(start);
++
++ while (len - bits_to_set >= 0) {
++ *p |= mask_to_set;
++ len -= bits_to_set;
++ bits_to_set = BITS_PER_BYTE;
++ mask_to_set = ~(u8)0;
++ p++;
++ }
++ if (len) {
++ mask_to_set &= BITMAP_LAST_BYTE_MASK(size);
++ *p |= mask_to_set;
++ }
++}
++
++void le_bitmap_clear(u8 *map, unsigned int start, int len)
++{
++ u8 *p = map + BIT_BYTE(start);
++ const unsigned int size = start + len;
++ int bits_to_clear = BITS_PER_BYTE - (start % BITS_PER_BYTE);
++ u8 mask_to_clear = BITMAP_FIRST_BYTE_MASK(start);
++
++ while (len - bits_to_clear >= 0) {
++ *p &= ~mask_to_clear;
++ len -= bits_to_clear;
++ bits_to_clear = BITS_PER_BYTE;
++ mask_to_clear = ~(u8)0;
++ p++;
++ }
++ if (len) {
++ mask_to_clear &= BITMAP_LAST_BYTE_MASK(size);
++ *p &= ~mask_to_clear;
++ }
++}
+
+ /*
+ * eb_bitmap_offset() - calculate the page and offset of the byte containing the
+@@ -5562,7 +5590,7 @@ static inline void eb_bitmap_offset(struct extent_buffer *eb,
+ int extent_buffer_test_bit(struct extent_buffer *eb, unsigned long start,
+ unsigned long nr)
+ {
+- char *kaddr;
++ u8 *kaddr;
+ struct page *page;
+ unsigned long i;
+ size_t offset;
+@@ -5584,13 +5612,13 @@ int extent_buffer_test_bit(struct extent_buffer *eb, unsigned long start,
+ void extent_buffer_bitmap_set(struct extent_buffer *eb, unsigned long start,
+ unsigned long pos, unsigned long len)
+ {
+- char *kaddr;
++ u8 *kaddr;
+ struct page *page;
+ unsigned long i;
+ size_t offset;
+ const unsigned int size = pos + len;
+ int bits_to_set = BITS_PER_BYTE - (pos % BITS_PER_BYTE);
+- unsigned int mask_to_set = BITMAP_FIRST_BYTE_MASK(pos);
++ u8 mask_to_set = BITMAP_FIRST_BYTE_MASK(pos);
+
+ eb_bitmap_offset(eb, start, pos, &i, &offset);
+ page = eb->pages[i];
+@@ -5601,7 +5629,7 @@ void extent_buffer_bitmap_set(struct extent_buffer *eb, unsigned long start,
+ kaddr[offset] |= mask_to_set;
+ len -= bits_to_set;
+ bits_to_set = BITS_PER_BYTE;
+- mask_to_set = ~0U;
++ mask_to_set = ~(u8)0;
+ if (++offset >= PAGE_SIZE && len > 0) {
+ offset = 0;
+ page = eb->pages[++i];
+@@ -5626,13 +5654,13 @@ void extent_buffer_bitmap_set(struct extent_buffer *eb, unsigned long start,
+ void extent_buffer_bitmap_clear(struct extent_buffer *eb, unsigned long start,
+ unsigned long pos, unsigned long len)
+ {
+- char *kaddr;
++ u8 *kaddr;
+ struct page *page;
+ unsigned long i;
+ size_t offset;
+ const unsigned int size = pos + len;
+ int bits_to_clear = BITS_PER_BYTE - (pos % BITS_PER_BYTE);
+- unsigned int mask_to_clear = BITMAP_FIRST_BYTE_MASK(pos);
++ u8 mask_to_clear = BITMAP_FIRST_BYTE_MASK(pos);
+
+ eb_bitmap_offset(eb, start, pos, &i, &offset);
+ page = eb->pages[i];
+@@ -5643,7 +5671,7 @@ void extent_buffer_bitmap_clear(struct extent_buffer *eb, unsigned long start,
+ kaddr[offset] &= ~mask_to_clear;
+ len -= bits_to_clear;
+ bits_to_clear = BITS_PER_BYTE;
+- mask_to_clear = ~0U;
++ mask_to_clear = ~(u8)0;
+ if (++offset >= PAGE_SIZE && len > 0) {
+ offset = 0;
+ page = eb->pages[++i];
+diff --git a/fs/btrfs/extent_io.h b/fs/btrfs/extent_io.h
+index c0c1c4f..d190107 100644
+--- a/fs/btrfs/extent_io.h
++++ b/fs/btrfs/extent_io.h
+@@ -58,6 +58,28 @@
+ */
+ #define EXTENT_PAGE_PRIVATE 1
+
++/*
++ * The extent buffer bitmap operations are done with byte granularity instead of
++ * word granularity for two reasons:
++ * 1. The bitmaps must be little-endian on disk.
++ * 2. Bitmap items are not guaranteed to be aligned to a word and therefore a
++ * single word in a bitmap may straddle two pages in the extent buffer.
++ */
++#define BIT_BYTE(nr) ((nr) / BITS_PER_BYTE)
++#define BYTE_MASK ((1 << BITS_PER_BYTE) - 1)
++#define BITMAP_FIRST_BYTE_MASK(start) \
++ ((BYTE_MASK << ((start) & (BITS_PER_BYTE - 1))) & BYTE_MASK)
++#define BITMAP_LAST_BYTE_MASK(nbits) \
++ (BYTE_MASK >> (-(nbits) & (BITS_PER_BYTE - 1)))
++
++static inline int le_test_bit(int nr, const u8 *addr)
++{
++ return 1U & (addr[BIT_BYTE(nr)] >> (nr & (BITS_PER_BYTE-1)));
++}
++
++extern void le_bitmap_set(u8 *map, unsigned int start, int len);
++extern void le_bitmap_clear(u8 *map, unsigned int start, int len);
++
+ struct extent_state;
+ struct btrfs_root;
+ struct btrfs_io_bio;
+diff --git a/fs/btrfs/free-space-tree.c b/fs/btrfs/free-space-tree.c
+index 53dbeaf..0e041bf 100644
+--- a/fs/btrfs/free-space-tree.c
++++ b/fs/btrfs/free-space-tree.c
+@@ -151,7 +151,7 @@ static inline u32 free_space_bitmap_size(u64 size, u32 sectorsize)
+ return DIV_ROUND_UP((u32)div_u64(size, sectorsize), BITS_PER_BYTE);
+ }
+
+-static unsigned long *alloc_bitmap(u32 bitmap_size)
++static u8 *alloc_bitmap(u32 bitmap_size)
+ {
+ void *mem;
+
+@@ -180,8 +180,7 @@ int convert_free_space_to_bitmaps(struct btrfs_trans_handle *trans,
+ struct btrfs_free_space_info *info;
+ struct btrfs_key key, found_key;
+ struct extent_buffer *leaf;
+- unsigned long *bitmap;
+- char *bitmap_cursor;
++ u8 *bitmap, *bitmap_cursor;
+ u64 start, end;
+ u64 bitmap_range, i;
+ u32 bitmap_size, flags, expected_extent_count;
+@@ -231,7 +230,7 @@ int convert_free_space_to_bitmaps(struct btrfs_trans_handle *trans,
+ block_group->sectorsize);
+ last = div_u64(found_key.objectid + found_key.offset - start,
+ block_group->sectorsize);
+- bitmap_set(bitmap, first, last - first);
++ le_bitmap_set(bitmap, first, last - first);
+
+ extent_count++;
+ nr++;
+@@ -269,7 +268,7 @@ int convert_free_space_to_bitmaps(struct btrfs_trans_handle *trans,
+ goto out;
+ }
+
+- bitmap_cursor = (char *)bitmap;
++ bitmap_cursor = bitmap;
+ bitmap_range = block_group->sectorsize * BTRFS_FREE_SPACE_BITMAP_BITS;
+ i = start;
+ while (i < end) {
+@@ -318,7 +317,7 @@ int convert_free_space_to_extents(struct btrfs_trans_handle *trans,
+ struct btrfs_free_space_info *info;
+ struct btrfs_key key, found_key;
+ struct extent_buffer *leaf;
+- unsigned long *bitmap;
++ u8 *bitmap;
+ u64 start, end;
+ /* Initialize to silence GCC. */
+ u64 extent_start = 0;
+@@ -362,7 +361,7 @@ int convert_free_space_to_extents(struct btrfs_trans_handle *trans,
+ break;
+ } else if (found_key.type == BTRFS_FREE_SPACE_BITMAP_KEY) {
+ unsigned long ptr;
+- char *bitmap_cursor;
++ u8 *bitmap_cursor;
+ u32 bitmap_pos, data_size;
+
+ ASSERT(found_key.objectid >= start);
+@@ -372,7 +371,7 @@ int convert_free_space_to_extents(struct btrfs_trans_handle *trans,
+ bitmap_pos = div_u64(found_key.objectid - start,
+ block_group->sectorsize *
+ BITS_PER_BYTE);
+- bitmap_cursor = ((char *)bitmap) + bitmap_pos;
++ bitmap_cursor = bitmap + bitmap_pos;
+ data_size = free_space_bitmap_size(found_key.offset,
+ block_group->sectorsize);
+
+@@ -409,7 +408,7 @@ int convert_free_space_to_extents(struct btrfs_trans_handle *trans,
+ offset = start;
+ bitnr = 0;
+ while (offset < end) {
+- bit = !!test_bit(bitnr, bitmap);
++ bit = !!le_test_bit(bitnr, bitmap);
+ if (prev_bit == 0 && bit == 1) {
+ extent_start = offset;
+ } else if (prev_bit == 1 && bit == 0) {
+@@ -1183,6 +1182,7 @@ int btrfs_create_free_space_tree(struct btrfs_fs_info *fs_info)
+ }
+
+ btrfs_set_fs_compat_ro(fs_info, FREE_SPACE_TREE);
++ btrfs_set_fs_compat_ro(fs_info, FREE_SPACE_TREE_VALID);
+ fs_info->creating_free_space_tree = 0;
+
+ ret = btrfs_commit_transaction(trans, tree_root);
+@@ -1251,6 +1251,7 @@ int btrfs_clear_free_space_tree(struct btrfs_fs_info *fs_info)
+ return PTR_ERR(trans);
+
+ btrfs_clear_fs_compat_ro(fs_info, FREE_SPACE_TREE);
++ btrfs_clear_fs_compat_ro(fs_info, FREE_SPACE_TREE_VALID);
+ fs_info->free_space_root = NULL;
+
+ ret = clear_free_space_tree(trans, free_space_root);
+diff --git a/fs/cachefiles/interface.c b/fs/cachefiles/interface.c
+index ce5f345..e7f16a7 100644
+--- a/fs/cachefiles/interface.c
++++ b/fs/cachefiles/interface.c
+@@ -253,6 +253,8 @@ static void cachefiles_drop_object(struct fscache_object *_object)
+ struct cachefiles_object *object;
+ struct cachefiles_cache *cache;
+ const struct cred *saved_cred;
++ struct inode *inode;
++ blkcnt_t i_blocks = 0;
+
+ ASSERT(_object);
+
+@@ -279,6 +281,10 @@ static void cachefiles_drop_object(struct fscache_object *_object)
+ _object != cache->cache.fsdef
+ ) {
+ _debug("- retire object OBJ%x", object->fscache.debug_id);
++ inode = d_backing_inode(object->dentry);
++ if (inode)
++ i_blocks = inode->i_blocks;
++
+ cachefiles_begin_secure(cache, &saved_cred);
+ cachefiles_delete_object(cache, object);
+ cachefiles_end_secure(cache, saved_cred);
+@@ -292,7 +298,7 @@ static void cachefiles_drop_object(struct fscache_object *_object)
+
+ /* note that the object is now inactive */
+ if (test_bit(CACHEFILES_OBJECT_ACTIVE, &object->flags))
+- cachefiles_mark_object_inactive(cache, object);
++ cachefiles_mark_object_inactive(cache, object, i_blocks);
+
+ dput(object->dentry);
+ object->dentry = NULL;
+diff --git a/fs/cachefiles/internal.h b/fs/cachefiles/internal.h
+index 2fcde1a..cd1effe 100644
+--- a/fs/cachefiles/internal.h
++++ b/fs/cachefiles/internal.h
+@@ -160,7 +160,8 @@ extern char *cachefiles_cook_key(const u8 *raw, int keylen, uint8_t type);
+ * namei.c
+ */
+ extern void cachefiles_mark_object_inactive(struct cachefiles_cache *cache,
+- struct cachefiles_object *object);
++ struct cachefiles_object *object,
++ blkcnt_t i_blocks);
+ extern int cachefiles_delete_object(struct cachefiles_cache *cache,
+ struct cachefiles_object *object);
+ extern int cachefiles_walk_to_object(struct cachefiles_object *parent,
+diff --git a/fs/cachefiles/namei.c b/fs/cachefiles/namei.c
+index 3f7c2cd..c6ee4b5 100644
+--- a/fs/cachefiles/namei.c
++++ b/fs/cachefiles/namei.c
+@@ -261,10 +261,9 @@ static int cachefiles_mark_object_active(struct cachefiles_cache *cache,
+ * Mark an object as being inactive.
+ */
+ void cachefiles_mark_object_inactive(struct cachefiles_cache *cache,
+- struct cachefiles_object *object)
++ struct cachefiles_object *object,
++ blkcnt_t i_blocks)
+ {
+- blkcnt_t i_blocks = d_backing_inode(object->dentry)->i_blocks;
+-
+ write_lock(&cache->active_lock);
+ rb_erase(&object->active_node, &cache->active_nodes);
+ clear_bit(CACHEFILES_OBJECT_ACTIVE, &object->flags);
+@@ -707,7 +706,8 @@ int cachefiles_walk_to_object(struct cachefiles_object *parent,
+
+ check_error:
+ _debug("check error %d", ret);
+- cachefiles_mark_object_inactive(cache, object);
++ cachefiles_mark_object_inactive(
++ cache, object, d_backing_inode(object->dentry)->i_blocks);
+ release_dentry:
+ dput(object->dentry);
+ object->dentry = NULL;
+diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
+index 592059f..309f4e9 100644
+--- a/fs/debugfs/file.c
++++ b/fs/debugfs/file.c
+@@ -97,9 +97,6 @@ EXPORT_SYMBOL_GPL(debugfs_use_file_finish);
+
+ #define F_DENTRY(filp) ((filp)->f_path.dentry)
+
+-#define REAL_FOPS_DEREF(dentry) \
+- ((const struct file_operations *)(dentry)->d_fsdata)
+-
+ static int open_proxy_open(struct inode *inode, struct file *filp)
+ {
+ const struct dentry *dentry = F_DENTRY(filp);
+@@ -112,7 +109,7 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
+ goto out;
+ }
+
+- real_fops = REAL_FOPS_DEREF(dentry);
++ real_fops = debugfs_real_fops(filp);
+ real_fops = fops_get(real_fops);
+ if (!real_fops) {
+ /* Huh? Module did not clean up after itself at exit? */
+@@ -143,7 +140,7 @@ static ret_type full_proxy_ ## name(proto) \
+ { \
+ const struct dentry *dentry = F_DENTRY(filp); \
+ const struct file_operations *real_fops = \
+- REAL_FOPS_DEREF(dentry); \
++ debugfs_real_fops(filp); \
+ int srcu_idx; \
+ ret_type r; \
+ \
+@@ -176,7 +173,7 @@ static unsigned int full_proxy_poll(struct file *filp,
+ struct poll_table_struct *wait)
+ {
+ const struct dentry *dentry = F_DENTRY(filp);
+- const struct file_operations *real_fops = REAL_FOPS_DEREF(dentry);
++ const struct file_operations *real_fops = debugfs_real_fops(filp);
+ int srcu_idx;
+ unsigned int r = 0;
+
+@@ -193,7 +190,7 @@ static unsigned int full_proxy_poll(struct file *filp,
+ static int full_proxy_release(struct inode *inode, struct file *filp)
+ {
+ const struct dentry *dentry = F_DENTRY(filp);
+- const struct file_operations *real_fops = REAL_FOPS_DEREF(dentry);
++ const struct file_operations *real_fops = debugfs_real_fops(filp);
+ const struct file_operations *proxy_fops = filp->f_op;
+ int r = 0;
+
+@@ -241,7 +238,7 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
+ goto out;
+ }
+
+- real_fops = REAL_FOPS_DEREF(dentry);
++ real_fops = debugfs_real_fops(filp);
+ real_fops = fops_get(real_fops);
+ if (!real_fops) {
+ /* Huh? Module did not cleanup after itself at exit? */
+diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c
+index 1ab012a..be14bea 100644
+--- a/fs/dlm/lowcomms.c
++++ b/fs/dlm/lowcomms.c
+@@ -1657,16 +1657,12 @@ void dlm_lowcomms_stop(void)
+ mutex_lock(&connections_lock);
+ dlm_allow_conn = 0;
+ foreach_conn(stop_conn);
++ clean_writequeues();
++ foreach_conn(free_conn);
+ mutex_unlock(&connections_lock);
+
+ work_stop();
+
+- mutex_lock(&connections_lock);
+- clean_writequeues();
+-
+- foreach_conn(free_conn);
+-
+- mutex_unlock(&connections_lock);
+ kmem_cache_destroy(con_cache);
+ }
+
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index d7ccb7f..7f69347 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -5734,6 +5734,9 @@ int ext4_insert_range(struct inode *inode, loff_t offset, loff_t len)
+ up_write(&EXT4_I(inode)->i_data_sem);
+ goto out_stop;
+ }
++ } else {
++ ext4_ext_drop_refs(path);
++ kfree(path);
+ }
+
+ ret = ext4_es_remove_extent(inode, offset_lblk,
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index ea628af..8fa01cb 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -647,11 +647,19 @@ int ext4_map_blocks(handle_t *handle, struct inode *inode,
+ /*
+ * We have to zeroout blocks before inserting them into extent
+ * status tree. Otherwise someone could look them up there and
+- * use them before they are really zeroed.
++ * use them before they are really zeroed. We also have to
++ * unmap metadata before zeroing as otherwise writeback can
++ * overwrite zeros with stale data from block device.
+ */
+ if (flags & EXT4_GET_BLOCKS_ZERO &&
+ map->m_flags & EXT4_MAP_MAPPED &&
+ map->m_flags & EXT4_MAP_NEW) {
++ ext4_lblk_t i;
++
++ for (i = 0; i < map->m_len; i++) {
++ unmap_underlying_metadata(inode->i_sb->s_bdev,
++ map->m_pblk + i);
++ }
+ ret = ext4_issue_zeroout(inode, map->m_lblk,
+ map->m_pblk, map->m_len);
+ if (ret) {
+@@ -1649,6 +1657,8 @@ static void mpage_release_unused_pages(struct mpage_da_data *mpd,
+ BUG_ON(!PageLocked(page));
+ BUG_ON(PageWriteback(page));
+ if (invalidate) {
++ if (page_mapped(page))
++ clear_page_dirty_for_io(page);
+ block_invalidatepage(page, 0, PAGE_SIZE);
+ ClearPageUptodate(page);
+ }
+@@ -3890,7 +3900,7 @@ int ext4_update_disksize_before_punch(struct inode *inode, loff_t offset,
+ }
+
+ /*
+- * ext4_punch_hole: punches a hole in a file by releaseing the blocks
++ * ext4_punch_hole: punches a hole in a file by releasing the blocks
+ * associated with the given offset and length
+ *
+ * @inode: File inode
+@@ -3919,7 +3929,7 @@ int ext4_punch_hole(struct inode *inode, loff_t offset, loff_t length)
+ * Write out all dirty pages to avoid race conditions
+ * Then release them.
+ */
+- if (mapping->nrpages && mapping_tagged(mapping, PAGECACHE_TAG_DIRTY)) {
++ if (mapping_tagged(mapping, PAGECACHE_TAG_DIRTY)) {
+ ret = filemap_write_and_wait_range(mapping, offset,
+ offset + length - 1);
+ if (ret)
+@@ -4814,14 +4824,14 @@ static int ext4_do_update_inode(handle_t *handle,
+ * Fix up interoperability with old kernels. Otherwise, old inodes get
+ * re-used with the upper 16 bits of the uid/gid intact
+ */
+- if (!ei->i_dtime) {
++ if (ei->i_dtime && list_empty(&ei->i_orphan)) {
++ raw_inode->i_uid_high = 0;
++ raw_inode->i_gid_high = 0;
++ } else {
+ raw_inode->i_uid_high =
+ cpu_to_le16(high_16_bits(i_uid));
+ raw_inode->i_gid_high =
+ cpu_to_le16(high_16_bits(i_gid));
+- } else {
+- raw_inode->i_uid_high = 0;
+- raw_inode->i_gid_high = 0;
+ }
+ } else {
+ raw_inode->i_uid_low = cpu_to_le16(fs_high2lowuid(i_uid));
+diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c
+index a920c5d..6fc14de 100644
+--- a/fs/ext4/move_extent.c
++++ b/fs/ext4/move_extent.c
+@@ -598,6 +598,13 @@ ext4_move_extents(struct file *o_filp, struct file *d_filp, __u64 orig_blk,
+ return -EOPNOTSUPP;
+ }
+
++ if (ext4_encrypted_inode(orig_inode) ||
++ ext4_encrypted_inode(donor_inode)) {
++ ext4_msg(orig_inode->i_sb, KERN_ERR,
++ "Online defrag not supported for encrypted files");
++ return -EOPNOTSUPP;
++ }
++
+ /* Protect orig and donor inodes against a truncate */
+ lock_two_nondirectories(orig_inode, donor_inode);
+
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index 5bb46b6..593f32b 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2043,33 +2043,31 @@ static int make_indexed_dir(handle_t *handle, struct ext4_filename *fname,
+ frame->entries = entries;
+ frame->at = entries;
+ frame->bh = bh;
+- bh = bh2;
+
+ retval = ext4_handle_dirty_dx_node(handle, dir, frame->bh);
+ if (retval)
+ goto out_frames;
+- retval = ext4_handle_dirty_dirent_node(handle, dir, bh);
++ retval = ext4_handle_dirty_dirent_node(handle, dir, bh2);
+ if (retval)
+ goto out_frames;
+
+- de = do_split(handle,dir, &bh, frame, &fname->hinfo);
++ de = do_split(handle,dir, &bh2, frame, &fname->hinfo);
+ if (IS_ERR(de)) {
+ retval = PTR_ERR(de);
+ goto out_frames;
+ }
+- dx_release(frames);
+
+- retval = add_dirent_to_buf(handle, fname, dir, inode, de, bh);
+- brelse(bh);
+- return retval;
++ retval = add_dirent_to_buf(handle, fname, dir, inode, de, bh2);
+ out_frames:
+ /*
+ * Even if the block split failed, we have to properly write
+ * out all the changes we did so far. Otherwise we can end up
+ * with corrupted filesystem.
+ */
+- ext4_mark_inode_dirty(handle, dir);
++ if (retval)
++ ext4_mark_inode_dirty(handle, dir);
+ dx_release(frames);
++ brelse(bh2);
+ return retval;
+ }
+
+diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
+index cca7b04..31145d6 100644
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -1701,14 +1701,46 @@ int fuse_do_setattr(struct inode *inode, struct iattr *attr,
+ static int fuse_setattr(struct dentry *entry, struct iattr *attr)
+ {
+ struct inode *inode = d_inode(entry);
++ struct file *file = (attr->ia_valid & ATTR_FILE) ? attr->ia_file : NULL;
++ int ret;
+
+ if (!fuse_allow_current_process(get_fuse_conn(inode)))
+ return -EACCES;
+
+- if (attr->ia_valid & ATTR_FILE)
+- return fuse_do_setattr(inode, attr, attr->ia_file);
+- else
+- return fuse_do_setattr(inode, attr, NULL);
++ if (attr->ia_valid & (ATTR_KILL_SUID | ATTR_KILL_SGID)) {
++ int kill;
++
++ attr->ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID |
++ ATTR_MODE);
++ /*
++ * ia_mode calculation may have used stale i_mode. Refresh and
++ * recalculate.
++ */
++ ret = fuse_do_getattr(inode, NULL, file);
++ if (ret)
++ return ret;
++
++ attr->ia_mode = inode->i_mode;
++ kill = should_remove_suid(entry);
++ if (kill & ATTR_KILL_SUID) {
++ attr->ia_valid |= ATTR_MODE;
++ attr->ia_mode &= ~S_ISUID;
++ }
++ if (kill & ATTR_KILL_SGID) {
++ attr->ia_valid |= ATTR_MODE;
++ attr->ia_mode &= ~S_ISGID;
++ }
++ }
++ if (!attr->ia_valid)
++ return 0;
++
++ ret = fuse_do_setattr(inode, attr, file);
++ if (!ret) {
++ /* Directory mode changed, may need to revalidate access */
++ if (d_is_dir(entry) && (attr->ia_valid & ATTR_MODE))
++ fuse_invalidate_entry_cache(entry);
++ }
++ return ret;
+ }
+
+ static int fuse_getattr(struct vfsmount *mnt, struct dentry *entry,
+@@ -1800,6 +1832,23 @@ static ssize_t fuse_getxattr(struct dentry *entry, struct inode *inode,
+ return ret;
+ }
+
++static int fuse_verify_xattr_list(char *list, size_t size)
++{
++ size_t origsize = size;
++
++ while (size) {
++ size_t thislen = strnlen(list, size);
++
++ if (!thislen || thislen == size)
++ return -EIO;
++
++ size -= thislen + 1;
++ list += thislen + 1;
++ }
++
++ return origsize;
++}
++
+ static ssize_t fuse_listxattr(struct dentry *entry, char *list, size_t size)
+ {
+ struct inode *inode = d_inode(entry);
+@@ -1835,6 +1884,8 @@ static ssize_t fuse_listxattr(struct dentry *entry, char *list, size_t size)
+ ret = fuse_simple_request(fc, &args);
+ if (!ret && !size)
+ ret = outarg.size;
++ if (ret > 0 && size)
++ ret = fuse_verify_xattr_list(list, ret);
+ if (ret == -ENOSYS) {
+ fc->no_listxattr = 1;
+ ret = -EOPNOTSUPP;
+diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c
+index c72c16c..b810826 100644
+--- a/fs/reiserfs/super.c
++++ b/fs/reiserfs/super.c
+@@ -190,7 +190,15 @@ static int remove_save_link_only(struct super_block *s,
+ static int reiserfs_quota_on_mount(struct super_block *, int);
+ #endif
+
+-/* look for uncompleted unlinks and truncates and complete them */
++/*
++ * Look for uncompleted unlinks and truncates and complete them
++ *
++ * Called with superblock write locked. If quotas are enabled, we have to
++ * release/retake lest we call dquot_quota_on_mount(), proceed to
++ * schedule_on_each_cpu() in invalidate_bdev() and deadlock waiting for the per
++ * cpu worklets to complete flush_async_commits() that in turn wait for the
++ * superblock write lock.
++ */
+ static int finish_unfinished(struct super_block *s)
+ {
+ INITIALIZE_PATH(path);
+@@ -237,7 +245,9 @@ static int finish_unfinished(struct super_block *s)
+ quota_enabled[i] = 0;
+ continue;
+ }
++ reiserfs_write_unlock(s);
+ ret = reiserfs_quota_on_mount(s, i);
++ reiserfs_write_lock(s);
+ if (ret < 0)
+ reiserfs_warning(s, "reiserfs-2500",
+ "cannot turn on journaled "
+diff --git a/fs/utimes.c b/fs/utimes.c
+index 85c40f4..ba54b9e 100644
+--- a/fs/utimes.c
++++ b/fs/utimes.c
+@@ -87,20 +87,7 @@ static int utimes_common(struct path *path, struct timespec *times)
+ */
+ newattrs.ia_valid |= ATTR_TIMES_SET;
+ } else {
+- /*
+- * If times is NULL (or both times are UTIME_NOW),
+- * then we need to check permissions, because
+- * inode_change_ok() won't do it.
+- */
+- error = -EACCES;
+- if (IS_IMMUTABLE(inode))
+- goto mnt_drop_write_and_out;
+-
+- if (!inode_owner_or_capable(inode)) {
+- error = inode_permission(inode, MAY_WRITE);
+- if (error)
+- goto mnt_drop_write_and_out;
+- }
++ newattrs.ia_valid |= ATTR_TOUCH;
+ }
+ retry_deleg:
+ inode_lock(inode);
+@@ -112,7 +99,6 @@ static int utimes_common(struct path *path, struct timespec *times)
+ goto retry_deleg;
+ }
+
+-mnt_drop_write_and_out:
+ mnt_drop_write(path->mnt);
+ out:
+ return error;
+diff --git a/include/crypto/ghash.h b/include/crypto/ghash.h
+new file mode 100644
+index 0000000..2a61c9b
+--- /dev/null
++++ b/include/crypto/ghash.h
+@@ -0,0 +1,23 @@
++/*
++ * Common values for GHASH algorithms
++ */
++
++#ifndef __CRYPTO_GHASH_H__
++#define __CRYPTO_GHASH_H__
++
++#include <linux/types.h>
++#include <crypto/gf128mul.h>
++
++#define GHASH_BLOCK_SIZE 16
++#define GHASH_DIGEST_SIZE 16
++
++struct ghash_ctx {
++ struct gf128mul_4k *gf128;
++};
++
++struct ghash_desc_ctx {
++ u8 buffer[GHASH_BLOCK_SIZE];
++ u32 bytes;
++};
++
++#endif
+diff --git a/include/linux/debugfs.h b/include/linux/debugfs.h
+index 1438e23..4d3f0d1 100644
+--- a/include/linux/debugfs.h
++++ b/include/linux/debugfs.h
+@@ -45,6 +45,23 @@ extern struct dentry *arch_debugfs_dir;
+
+ extern struct srcu_struct debugfs_srcu;
+
++/**
++ * debugfs_real_fops - getter for the real file operation
++ * @filp: a pointer to a struct file
++ *
++ * Must only be called under the protection established by
++ * debugfs_use_file_start().
++ */
++static inline const struct file_operations *debugfs_real_fops(struct file *filp)
++ __must_hold(&debugfs_srcu)
++{
++ /*
++ * Neither the pointer to the struct file_operations, nor its
++ * contents ever change -- srcu_dereference() is not needed here.
++ */
++ return filp->f_path.dentry->d_fsdata;
++}
++
+ #if defined(CONFIG_DEBUG_FS)
+
+ struct dentry *debugfs_create_file(const char *name, umode_t mode,
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index dd28814..cf27c88 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -228,6 +228,7 @@ typedef int (dio_iodone_t)(struct kiocb *iocb, loff_t offset,
+ #define ATTR_KILL_PRIV (1 << 14)
+ #define ATTR_OPEN (1 << 15) /* Truncating from open(O_TRUNC) */
+ #define ATTR_TIMES_SET (1 << 16)
++#define ATTR_TOUCH (1 << 17)
+
+ /*
+ * Whiteout is represented by a char device. The following constants define the
+diff --git a/include/uapi/linux/btrfs.h b/include/uapi/linux/btrfs.h
+index 2bdd1e3..409be35 100644
+--- a/include/uapi/linux/btrfs.h
++++ b/include/uapi/linux/btrfs.h
+@@ -239,7 +239,17 @@ struct btrfs_ioctl_fs_info_args {
+ * Used by:
+ * struct btrfs_ioctl_feature_flags
+ */
+-#define BTRFS_FEATURE_COMPAT_RO_FREE_SPACE_TREE (1ULL << 0)
++#define BTRFS_FEATURE_COMPAT_RO_FREE_SPACE_TREE (1ULL << 0)
++/*
++ * Older kernels (< 4.9) on big-endian systems produced broken free space tree
++ * bitmaps, and btrfs-progs also used to corrupt the free space tree (versions
++ * < 4.7.3). If this bit is clear, then the free space tree cannot be trusted.
++ * btrfs-progs can also intentionally clear this bit to ask the kernel to
++ * rebuild the free space tree, however this might not work on older kernels
++ * that do not know about this bit. If not sure, clear the cache manually on
++ * first mount when booting older kernel versions.
++ */
++#define BTRFS_FEATURE_COMPAT_RO_FREE_SPACE_TREE_VALID (1ULL << 1)
+
+ #define BTRFS_FEATURE_INCOMPAT_MIXED_BACKREF (1ULL << 0)
+ #define BTRFS_FEATURE_INCOMPAT_DEFAULT_SUBVOL (1ULL << 1)
+diff --git a/mm/filemap.c b/mm/filemap.c
+index 20f3b1f..b510542 100644
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -1609,6 +1609,10 @@ static ssize_t do_generic_file_read(struct file *filp, loff_t *ppos,
+ unsigned int prev_offset;
+ int error = 0;
+
++ if (unlikely(*ppos >= inode->i_sb->s_maxbytes))
++ return -EINVAL;
++ iov_iter_truncate(iter, inode->i_sb->s_maxbytes);
++
+ index = *ppos >> PAGE_SHIFT;
+ prev_index = ra->prev_pos >> PAGE_SHIFT;
+ prev_offset = ra->prev_pos & (PAGE_SIZE-1);
+diff --git a/sound/soc/intel/atom/sst/sst_pvt.c b/sound/soc/intel/atom/sst/sst_pvt.c
+index adb32fe..b1e6b8f 100644
+--- a/sound/soc/intel/atom/sst/sst_pvt.c
++++ b/sound/soc/intel/atom/sst/sst_pvt.c
+@@ -279,17 +279,15 @@ int sst_prepare_and_post_msg(struct intel_sst_drv *sst,
+
+ if (response) {
+ ret = sst_wait_timeout(sst, block);
+- if (ret < 0) {
++ if (ret < 0)
+ goto out;
+- } else if(block->data) {
+- if (!data)
+- goto out;
+- *data = kzalloc(block->size, GFP_KERNEL);
+- if (!(*data)) {
++
++ if (data && block->data) {
++ *data = kmemdup(block->data, block->size, GFP_KERNEL);
++ if (!*data) {
+ ret = -ENOMEM;
+ goto out;
+- } else
+- memcpy(data, (void *) block->data, block->size);
++ }
+ }
+ }
+ out:
diff --git a/4.7.9/4420_grsecurity-3.1-4.7.9-201610200819.patch b/4.7.10/4420_grsecurity-3.1-4.7.10-201610222037.patch
index dd0fc99..04a81c6 100644
--- a/4.7.9/4420_grsecurity-3.1-4.7.9-201610200819.patch
+++ b/4.7.10/4420_grsecurity-3.1-4.7.10-201610222037.patch
@@ -425,7 +425,7 @@ index a3683ce..5ec8bf4 100644
A toggle value indicating if modules are allowed to be loaded
diff --git a/Makefile b/Makefile
-index cb3f64e..203a122 100644
+index 219ab6d..79d7414 100644
--- a/Makefile
+++ b/Makefile
@@ -302,7 +302,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -39938,7 +39938,7 @@ index d214e92..9649863 100644
if (blk_verify_command(rq->cmd, has_write_perm))
return -EPERM;
diff --git a/block/cfq-iosched.c b/block/cfq-iosched.c
-index 4a34978..d102252 100644
+index 73a277d..63b2685 100644
--- a/block/cfq-iosched.c
+++ b/block/cfq-iosched.c
@@ -1953,8 +1953,8 @@ static u64 cfqg_prfill_sectors_recursive(struct seq_file *sf,
@@ -40667,9 +40667,65 @@ index ab23479..9aa32bf 100644
enum acpi_battery_files {
info_tag = 0,
diff --git a/drivers/acpi/bgrt.c b/drivers/acpi/bgrt.c
-index 75f128e..72b03af 100644
+index 75f128e..0fbae68 100644
--- a/drivers/acpi/bgrt.c
+++ b/drivers/acpi/bgrt.c
+@@ -17,40 +17,40 @@
+
+ static struct kobject *bgrt_kobj;
+
+-static ssize_t show_version(struct device *dev,
+- struct device_attribute *attr, char *buf)
++static ssize_t show_version(struct kobject *kobj,
++ struct kobj_attribute *attr, char *buf)
+ {
+ return snprintf(buf, PAGE_SIZE, "%d\n", bgrt_tab->version);
+ }
+-static DEVICE_ATTR(version, S_IRUGO, show_version, NULL);
++static KOBJECT_ATTR(version, S_IRUGO, show_version, NULL);
+
+-static ssize_t show_status(struct device *dev,
+- struct device_attribute *attr, char *buf)
++static ssize_t show_status(struct kobject *kobj,
++ struct kobj_attribute *attr, char *buf)
+ {
+ return snprintf(buf, PAGE_SIZE, "%d\n", bgrt_tab->status);
+ }
+-static DEVICE_ATTR(status, S_IRUGO, show_status, NULL);
++static KOBJECT_ATTR(status, S_IRUGO, show_status, NULL);
+
+-static ssize_t show_type(struct device *dev,
+- struct device_attribute *attr, char *buf)
++static ssize_t show_type(struct kobject *kobj,
++ struct kobj_attribute *attr, char *buf)
+ {
+ return snprintf(buf, PAGE_SIZE, "%d\n", bgrt_tab->image_type);
+ }
+-static DEVICE_ATTR(type, S_IRUGO, show_type, NULL);
++static KOBJECT_ATTR(type, S_IRUGO, show_type, NULL);
+
+-static ssize_t show_xoffset(struct device *dev,
+- struct device_attribute *attr, char *buf)
++static ssize_t show_xoffset(struct kobject *kobj,
++ struct kobj_attribute *attr, char *buf)
+ {
+ return snprintf(buf, PAGE_SIZE, "%d\n", bgrt_tab->image_offset_x);
+ }
+-static DEVICE_ATTR(xoffset, S_IRUGO, show_xoffset, NULL);
++static KOBJECT_ATTR(xoffset, S_IRUGO, show_xoffset, NULL);
+
+-static ssize_t show_yoffset(struct device *dev,
+- struct device_attribute *attr, char *buf)
++static ssize_t show_yoffset(struct kobject *kobj,
++ struct kobj_attribute *attr, char *buf)
+ {
+ return snprintf(buf, PAGE_SIZE, "%d\n", bgrt_tab->image_offset_y);
+ }
+-static DEVICE_ATTR(yoffset, S_IRUGO, show_yoffset, NULL);
++static KOBJECT_ATTR(yoffset, S_IRUGO, show_yoffset, NULL);
+
+ static ssize_t image_read(struct file *file, struct kobject *kobj,
+ struct bin_attribute *attr, char *buf, loff_t off, size_t count)
@@ -87,8 +87,10 @@ static int __init bgrt_init(void)
if (!bgrt_image)
return -ENODEV;
@@ -65257,10 +65313,10 @@ index 237d0cd..6c094fd 100644
/* rxstream mpdu merge */
struct ar9170_rx_head rx_plcp;
diff --git a/drivers/net/wireless/ath/carl9170/debug.c b/drivers/net/wireless/ath/carl9170/debug.c
-index 6808db4..3a5df05 100644
+index ec3a64e..4d4a4e2 100644
--- a/drivers/net/wireless/ath/carl9170/debug.c
+++ b/drivers/net/wireless/ath/carl9170/debug.c
-@@ -221,7 +221,7 @@ static char *carl9170_debugfs_mem_usage_read(struct ar9170 *ar, char *buf,
+@@ -223,7 +223,7 @@ static char *carl9170_debugfs_mem_usage_read(struct ar9170 *ar, char *buf,
ADD(buf, *len, bufsize, "cookies: used:%3d / total:%3d, allocs:%d\n",
bitmap_weight(ar->mem_bitmap, ar->fw.mem_blocks),
@@ -65269,7 +65325,7 @@ index 6808db4..3a5df05 100644
ADD(buf, *len, bufsize, "memory: free:%3d (%3d KiB) / total:%3d KiB)\n",
atomic_read(&ar->mem_free_blocks),
-@@ -672,7 +672,7 @@ static char *carl9170_debugfs_bug_read(struct ar9170 *ar, char *buf,
+@@ -674,7 +674,7 @@ static char *carl9170_debugfs_bug_read(struct ar9170 *ar, char *buf,
ADD(buf, *ret, bufsize, "reported firmware BUGs:%d\n",
ar->fw.bug_counter);
ADD(buf, *ret, bufsize, "pending restart requests:%d\n",
@@ -65278,7 +65334,7 @@ index 6808db4..3a5df05 100644
return buf;
}
__DEBUGFS_DECLARE_RW_FILE(bug, 400, CARL9170_STOPPED);
-@@ -779,7 +779,7 @@ DEBUGFS_READONLY_FILE(usb_rx_pool_urbs, 20, "%d",
+@@ -781,7 +781,7 @@ DEBUGFS_READONLY_FILE(usb_rx_pool_urbs, 20, "%d",
DEBUGFS_READONLY_FILE(tx_total_queued, 20, "%d",
atomic_read(&ar->tx_total_queued));
DEBUGFS_READONLY_FILE(tx_ampdu_scheduler, 20, "%d",
@@ -65849,10 +65905,10 @@ index 83770d2..3ec8a40 100644
if (modparam_pio)
wldev->__using_pio = true;
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-index 121baba..80f9d55 100644
+index 9014bf4..da14293 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -5077,6 +5077,50 @@ static struct cfg80211_ops brcmf_cfg80211_ops = {
+@@ -5080,6 +5080,50 @@ static struct cfg80211_ops brcmf_cfg80211_ops = {
.tdls_oper = brcmf_cfg80211_tdls_oper,
};
@@ -65903,7 +65959,7 @@ index 121baba..80f9d55 100644
struct brcmf_cfg80211_vif *brcmf_alloc_vif(struct brcmf_cfg80211_info *cfg,
enum nl80211_iftype type,
bool pm_block)
-@@ -6703,7 +6747,7 @@ struct brcmf_cfg80211_info *brcmf_cfg80211_attach(struct brcmf_pub *drvr,
+@@ -6706,7 +6750,7 @@ struct brcmf_cfg80211_info *brcmf_cfg80211_attach(struct brcmf_pub *drvr,
struct net_device *ndev = brcmf_get_ifp(drvr, 0)->ndev;
struct brcmf_cfg80211_info *cfg;
struct wiphy *wiphy;
@@ -65912,7 +65968,7 @@ index 121baba..80f9d55 100644
struct brcmf_cfg80211_vif *vif;
struct brcmf_if *ifp;
s32 err = 0;
-@@ -6715,15 +6759,10 @@ struct brcmf_cfg80211_info *brcmf_cfg80211_attach(struct brcmf_pub *drvr,
+@@ -6718,15 +6762,10 @@ struct brcmf_cfg80211_info *brcmf_cfg80211_attach(struct brcmf_pub *drvr,
return NULL;
}
@@ -65929,7 +65985,7 @@ index 121baba..80f9d55 100644
#endif
wiphy = wiphy_new(ops, sizeof(struct brcmf_cfg80211_info));
if (!wiphy) {
-@@ -6862,7 +6901,6 @@ priv_out:
+@@ -6865,7 +6904,6 @@ priv_out:
ifp->vif = NULL;
wiphy_out:
brcmf_free_wiphy(wiphy);
@@ -65937,7 +65993,7 @@ index 121baba..80f9d55 100644
return NULL;
}
-@@ -6873,7 +6911,6 @@ void brcmf_cfg80211_detach(struct brcmf_cfg80211_info *cfg)
+@@ -6876,7 +6914,6 @@ void brcmf_cfg80211_detach(struct brcmf_cfg80211_info *cfg)
brcmf_btcoex_detach(cfg);
wiphy_unregister(cfg->wiphy);
@@ -71254,32 +71310,6 @@ index 109e2c9..7d3c9b5 100644
u_long s;
int enint_coal;
-diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c
-index 7640498..110eca9 100644
---- a/drivers/scsi/arcmsr/arcmsr_hba.c
-+++ b/drivers/scsi/arcmsr/arcmsr_hba.c
-@@ -2388,7 +2388,8 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
- }
- case ARCMSR_MESSAGE_WRITE_WQBUFFER: {
- unsigned char *ver_addr;
-- int32_t user_len, cnt2end;
-+ uint32_t user_len;
-+ int32_t cnt2end;
- uint8_t *pQbuffer, *ptmpuserbuffer;
- ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC);
- if (!ver_addr) {
-@@ -2397,6 +2398,11 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
- }
- ptmpuserbuffer = ver_addr;
- user_len = pcmdmessagefld->cmdmessage.Length;
-+ if (user_len > ARCMSR_API_DATA_BUFLEN) {
-+ retvalue = ARCMSR_MESSAGE_FAIL;
-+ kfree(ver_addr);
-+ goto message_out;
-+ }
- memcpy(ptmpuserbuffer,
- pcmdmessagefld->messagedatabuffer, user_len);
- spin_lock_irqsave(&acb->wqbuffer_lock, flags);
diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c
index f05e773..b48c418 100644
--- a/drivers/scsi/be2iscsi/be_main.c
@@ -96484,7 +96514,7 @@ index 4fe81d1..85f39a0 100644
file = aio_private_file(ctx, nr_pages);
diff --git a/fs/attr.c b/fs/attr.c
-index 25b24d0..85550fc 100644
+index ccde270..659020c 100644
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -102,6 +102,10 @@ int inode_newsize_ok(const struct inode *inode, loff_t offset)
@@ -97667,10 +97697,10 @@ index a85cf7d..bf8fc07 100644
WARN_ON(trans->transid != btrfs_header_generation(parent));
diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
-index 72f5048..80a0451 100644
+index 699ee7c..2ba3c2f 100644
--- a/fs/btrfs/ctree.h
+++ b/fs/btrfs/ctree.h
-@@ -358,8 +358,8 @@ struct btrfs_dev_replace {
+@@ -359,8 +359,8 @@ struct btrfs_dev_replace {
u64 replace_state; /* see #define above */
u64 time_started; /* seconds since 1-Jan-1970 */
u64 time_stopped; /* seconds since 1-Jan-1970 */
@@ -97681,7 +97711,7 @@ index 72f5048..80a0451 100644
u64 cursor_left;
u64 committed_cursor_left;
-@@ -846,7 +846,7 @@ struct btrfs_fs_info {
+@@ -847,7 +847,7 @@ struct btrfs_fs_info {
/* this protects tree_mod_seq_list */
spinlock_t tree_mod_seq_lock;
@@ -97690,7 +97720,7 @@ index 72f5048..80a0451 100644
struct list_head tree_mod_seq_list;
/* this protects tree_mod_log */
-@@ -1157,7 +1157,7 @@ struct btrfs_root {
+@@ -1158,7 +1158,7 @@ struct btrfs_root {
struct list_head log_ctxs[2];
atomic_t log_writers;
atomic_t log_commit[2];
@@ -97852,7 +97882,7 @@ index e922b42..2a5a145 100644
}
#endif
diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
-index 864cf3b..0dde743 100644
+index c14e8c7..3463a87 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -1279,7 +1279,7 @@ static void __setup_root(u32 nodesize, u32 sectorsize, u32 stripesize,
@@ -97864,7 +97894,7 @@ index 864cf3b..0dde743 100644
atomic_set(&root->orphan_inodes, 0);
atomic_set(&root->refs, 1);
atomic_set(&root->will_be_snapshoted, 0);
-@@ -2623,7 +2623,7 @@ int open_ctree(struct super_block *sb,
+@@ -2624,7 +2624,7 @@ int open_ctree(struct super_block *sb,
atomic_set(&fs_info->defrag_running, 0);
atomic_set(&fs_info->qgroup_op_seq, 0);
atomic_set(&fs_info->reada_works_cnt, 0);
@@ -98419,7 +98449,7 @@ index 1ee54ff..ba89748 100644
cache->bstop_percent = bstop;
diff --git a/fs/cachefiles/internal.h b/fs/cachefiles/internal.h
-index 2fcde1a..5986a27 100644
+index cd1effe..73f8767 100644
--- a/fs/cachefiles/internal.h
+++ b/fs/cachefiles/internal.h
@@ -65,9 +65,9 @@ struct cachefiles_cache {
@@ -98435,7 +98465,7 @@ index 2fcde1a..5986a27 100644
unsigned frun_percent; /* when to stop culling (% files) */
unsigned fcull_percent; /* when to start culling (% files) */
unsigned fstop_percent; /* when to stop allocating (% files) */
-@@ -181,19 +181,19 @@ extern int cachefiles_check_in_use(struct cachefiles_cache *cache,
+@@ -182,19 +182,19 @@ extern int cachefiles_check_in_use(struct cachefiles_cache *cache,
* proc.c
*/
#ifdef CONFIG_CACHEFILES_HISTOGRAM
@@ -98461,10 +98491,10 @@ index 2fcde1a..5986a27 100644
#else
diff --git a/fs/cachefiles/namei.c b/fs/cachefiles/namei.c
-index 3f7c2cd..6014026 100644
+index c6ee4b5..de05717 100644
--- a/fs/cachefiles/namei.c
+++ b/fs/cachefiles/namei.c
-@@ -275,8 +275,8 @@ void cachefiles_mark_object_inactive(struct cachefiles_cache *cache,
+@@ -274,8 +274,8 @@ void cachefiles_mark_object_inactive(struct cachefiles_cache *cache,
/* This object can now be culled, so we need to let the daemon know
* that there is something it can remove if it needs to.
*/
@@ -98475,7 +98505,7 @@ index 3f7c2cd..6014026 100644
cachefiles_state_changed(cache);
}
-@@ -335,7 +335,7 @@ try_again:
+@@ -334,7 +334,7 @@ try_again:
/* first step is to make up a grave dentry in the graveyard */
sprintf(nbuffer, "%08x%08x",
(uint32_t) get_seconds(),
@@ -99705,10 +99735,10 @@ index 1ed81bb..3d8fde8 100644
dcache_init();
inode_init();
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
-index 592059f..8faaef38 100644
+index 309f4e9..de9bafa 100644
--- a/fs/debugfs/file.c
+++ b/fs/debugfs/file.c
-@@ -212,7 +212,7 @@ static int full_proxy_release(struct inode *inode, struct file *filp)
+@@ -209,7 +209,7 @@ static int full_proxy_release(struct inode *inode, struct file *filp)
return 0;
}
@@ -99717,7 +99747,7 @@ index 592059f..8faaef38 100644
const struct file_operations *real_fops)
{
proxy_fops->release = full_proxy_release;
-@@ -232,7 +232,7 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
+@@ -229,7 +229,7 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
{
const struct dentry *dentry = F_DENTRY(filp);
const struct file_operations *real_fops = NULL;
@@ -100789,7 +100819,7 @@ index b84aa1c..36fd3b0 100644
/* locality groups */
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
-index d7ccb7f..1b9329a 100644
+index 7f69347..7fb5e14 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -876,7 +876,7 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block,
@@ -116685,10 +116715,10 @@ index 2adcde1..7d27bc8 100644
#define __fs_changed(gen,s) (gen != get_generation (s))
#define fs_changed(gen,s) \
diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c
-index c72c16c..9b21de1 100644
+index b810826..75f0e6d 100644
--- a/fs/reiserfs/super.c
+++ b/fs/reiserfs/super.c
-@@ -1877,6 +1877,10 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent)
+@@ -1887,6 +1887,10 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent)
sbi->s_mount_opt |= (1 << REISERFS_SMALLTAIL);
sbi->s_mount_opt |= (1 << REISERFS_ERROR_RO);
sbi->s_mount_opt |= (1 << REISERFS_BARRIER_FLUSH);
@@ -117387,7 +117417,7 @@ index 2d97952..115b9d9 100644
if (!mmget_not_zero(mm))
goto wakeup;
diff --git a/fs/utimes.c b/fs/utimes.c
-index 85c40f4..52fcd23 100644
+index ba54b9e..49fc4d8 100644
--- a/fs/utimes.c
+++ b/fs/utimes.c
@@ -1,6 +1,7 @@
@@ -117398,8 +117428,8 @@ index 85c40f4..52fcd23 100644
#include <linux/linkage.h>
#include <linux/mount.h>
#include <linux/namei.h>
-@@ -103,6 +104,12 @@ static int utimes_common(struct path *path, struct timespec *times)
- }
+@@ -90,6 +91,12 @@ static int utimes_common(struct path *path, struct timespec *times)
+ newattrs.ia_valid |= ATTR_TOUCH;
}
retry_deleg:
+
@@ -117411,6 +117441,14 @@ index 85c40f4..52fcd23 100644
inode_lock(inode);
error = notify_change(path->dentry, &newattrs, &delegated_inode);
inode_unlock(inode);
+@@ -99,6 +106,7 @@ retry_deleg:
+ goto retry_deleg;
+ }
+
++mnt_drop_write_and_out:
+ mnt_drop_write(path->mnt);
+ out:
+ return error;
diff --git a/fs/xattr.c b/fs/xattr.c
index 4beafc4..02b5e0d 100644
--- a/fs/xattr.c
@@ -131353,10 +131391,10 @@ index d4b7683..9feb066 100644
int fw_iso_context_queue(struct fw_iso_context *ctx,
struct fw_iso_packet *packet,
diff --git a/include/linux/fs.h b/include/linux/fs.h
-index dd28814..1bf4623 100644
+index cf27c88..029fc3e 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
-@@ -331,7 +331,7 @@ struct kiocb {
+@@ -332,7 +332,7 @@ struct kiocb {
void (*ki_complete)(struct kiocb *iocb, long ret, long ret2);
void *private;
int ki_flags;
@@ -131365,7 +131403,7 @@ index dd28814..1bf4623 100644
static inline bool is_sync_kiocb(struct kiocb *kiocb)
{
-@@ -445,7 +445,7 @@ struct address_space {
+@@ -446,7 +446,7 @@ struct address_space {
spinlock_t private_lock; /* for use by the address_space */
struct list_head private_list; /* ditto */
void *private_data; /* ditto */
@@ -131374,7 +131412,7 @@ index dd28814..1bf4623 100644
/*
* On most architectures that alignment is already the case; but
* must be enforced here for CRIS, to let the least significant bit
-@@ -488,7 +488,7 @@ struct block_device {
+@@ -489,7 +489,7 @@ struct block_device {
int bd_fsfreeze_count;
/* Mutex for freeze */
struct mutex bd_fsfreeze_mutex;
@@ -131383,7 +131421,7 @@ index dd28814..1bf4623 100644
/*
* Radix-tree tags, for tagging dirty and writeback pages within the pagecache
-@@ -700,7 +700,7 @@ struct inode {
+@@ -701,7 +701,7 @@ struct inode {
#endif
void *i_private; /* fs or device private pointer */
@@ -131392,7 +131430,7 @@ index dd28814..1bf4623 100644
static inline int inode_unhashed(struct inode *inode)
{
-@@ -935,7 +935,7 @@ struct file {
+@@ -936,7 +936,7 @@ struct file {
struct list_head f_tfile_llink;
#endif /* #ifdef CONFIG_EPOLL */
struct address_space *f_mapping;
@@ -131401,7 +131439,7 @@ index dd28814..1bf4623 100644
struct file_handle {
__u32 handle_bytes;
-@@ -1070,7 +1070,7 @@ struct file_lock {
+@@ -1071,7 +1071,7 @@ struct file_lock {
int state; /* state of grant or error if -ve */
} afs;
} fl_u;
@@ -131410,7 +131448,7 @@ index dd28814..1bf4623 100644
struct file_lock_context {
spinlock_t flc_lock;
-@@ -1448,7 +1448,7 @@ struct super_block {
+@@ -1449,7 +1449,7 @@ struct super_block {
/* s_inode_list_lock protects s_inodes */
spinlock_t s_inode_list_lock ____cacheline_aligned_in_smp;
struct list_head s_inodes; /* all inodes */
@@ -131419,7 +131457,7 @@ index dd28814..1bf4623 100644
extern struct timespec current_fs_time(struct super_block *sb);
-@@ -1706,7 +1706,8 @@ struct file_operations {
+@@ -1707,7 +1707,8 @@ struct file_operations {
u64);
ssize_t (*dedupe_file_range)(struct file *, u64, u64, struct file *,
u64);
@@ -131429,7 +131467,7 @@ index dd28814..1bf4623 100644
struct inode_operations {
struct dentry * (*lookup) (struct inode *,struct dentry *, unsigned int);
-@@ -2421,12 +2422,12 @@ static inline void bd_unlink_disk_holder(struct block_device *bdev,
+@@ -2422,12 +2423,12 @@ static inline void bd_unlink_disk_holder(struct block_device *bdev,
#define CHRDEV_MAJOR_HASH_SIZE 255
/* Marks the bottom of the first segment of free char majors */
#define CHRDEV_MAJOR_DYN_END 234
@@ -131444,7 +131482,7 @@ index dd28814..1bf4623 100644
unsigned int count, const char *name);
extern void unregister_chrdev_region(dev_t, unsigned);
extern void chrdev_show(struct seq_file *,off_t);
-@@ -3174,4 +3175,14 @@ static inline bool dir_relax_shared(struct inode *inode)
+@@ -3175,4 +3176,14 @@ static inline bool dir_relax_shared(struct inode *inode)
extern bool path_noexec(const struct path *path);
extern void inode_nohighmem(struct inode *inode);
@@ -133527,7 +133565,7 @@ index fcfd2bf..e4f5edb 100644
extern int
call_usermodehelper(char *path, char **argv, char **envp, int wait);
diff --git a/include/linux/kobject.h b/include/linux/kobject.h
-index e628459..5985b6e 100644
+index e628459..9d45d56 100644
--- a/include/linux/kobject.h
+++ b/include/linux/kobject.h
@@ -119,7 +119,7 @@ struct kobj_type {
@@ -133539,15 +133577,22 @@ index e628459..5985b6e 100644
struct kobj_uevent_env {
char *argv[3];
-@@ -143,6 +143,7 @@ struct kobj_attribute {
+@@ -143,6 +143,14 @@ struct kobj_attribute {
ssize_t (*store)(struct kobject *kobj, struct kobj_attribute *attr,
const char *buf, size_t count);
};
+typedef struct kobj_attribute __no_const kobj_attribute_no_const;
++
++#define KOBJECT_ATTR(_name, _mode, _show, _store) \
++ struct kobj_attribute dev_attr_##_name = __ATTR(_name, _mode, _show, _store)
++#define KOBJECT_ATTR_RW(_name) \
++ struct kobj_attribute dev_attr_##_name = __ATTR_RW(_name)
++#define KOBJECT_ATTR_RO(_name) \
++ struct kobj_attribute dev_attr_##_name = __ATTR_RO(_name)
extern const struct sysfs_ops kobj_sysfs_ops;
-@@ -170,7 +171,7 @@ struct kset {
+@@ -170,7 +178,7 @@ struct kset {
spinlock_t list_lock;
struct kobject kobj;
const struct kset_uevent_ops *uevent_ops;
@@ -148752,10 +148797,10 @@ index 6c707bf..c8d0529 100644
return sys_fadvise64_64(fd, offset, len, advice);
}
diff --git a/mm/filemap.c b/mm/filemap.c
-index 20f3b1f..10fc7ab 100644
+index b510542..a6399eb 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
-@@ -2241,7 +2241,7 @@ int generic_file_mmap(struct file * file, struct vm_area_struct * vma)
+@@ -2245,7 +2245,7 @@ int generic_file_mmap(struct file * file, struct vm_area_struct * vma)
struct address_space *mapping = file->f_mapping;
if (!mapping->a_ops->readpage)
@@ -148764,7 +148809,7 @@ index 20f3b1f..10fc7ab 100644
file_accessed(file);
vma->vm_ops = &generic_file_vm_ops;
return 0;
-@@ -2284,7 +2284,7 @@ static struct page *wait_on_page_read(struct page *page)
+@@ -2288,7 +2288,7 @@ static struct page *wait_on_page_read(struct page *page)
static struct page *do_read_cache_page(struct address_space *mapping,
pgoff_t index,
@@ -148773,7 +148818,7 @@ index 20f3b1f..10fc7ab 100644
void *data,
gfp_t gfp)
{
-@@ -2391,7 +2391,7 @@ out:
+@@ -2395,7 +2395,7 @@ out:
*/
struct page *read_cache_page(struct address_space *mapping,
pgoff_t index,
@@ -148782,7 +148827,7 @@ index 20f3b1f..10fc7ab 100644
void *data)
{
return do_read_cache_page(mapping, index, filler, data, mapping_gfp_mask(mapping));
-@@ -2413,7 +2413,7 @@ struct page *read_cache_page_gfp(struct address_space *mapping,
+@@ -2417,7 +2417,7 @@ struct page *read_cache_page_gfp(struct address_space *mapping,
pgoff_t index,
gfp_t gfp)
{
@@ -148791,7 +148836,7 @@ index 20f3b1f..10fc7ab 100644
return do_read_cache_page(mapping, index, filler, NULL, gfp);
}
-@@ -2443,6 +2443,7 @@ inline ssize_t generic_write_checks(struct kiocb *iocb, struct iov_iter *from)
+@@ -2447,6 +2447,7 @@ inline ssize_t generic_write_checks(struct kiocb *iocb, struct iov_iter *from)
pos = iocb->ki_pos;
if (limit != RLIM_INFINITY) {
@@ -173094,55 +173139,38 @@ index 0000000..36211fb
+e_*.h
diff --git a/scripts/gcc-plugins/size_overflow_plugin/Makefile b/scripts/gcc-plugins/size_overflow_plugin/Makefile
new file mode 100644
-index 0000000..4363d14
+index 0000000..62c26c9
--- /dev/null
+++ b/scripts/gcc-plugins/size_overflow_plugin/Makefile
-@@ -0,0 +1,39 @@
+@@ -0,0 +1,22 @@
+HOST_EXTRACXXFLAGS += $(call hostcc-option, -fno-ipa-icf)
+
+$(HOSTLIBS)-$(CONFIG_PAX_SIZE_OVERFLOW) += size_overflow_plugin.so
+always := $($(HOSTLIBS)-y)
+
-+targets += $(objtree)/$(obj)/e_fns.h \
-+ $(objtree)/$(obj)/e_fields.h \
-+ $(objtree)/$(obj)/e_fptrs.h \
-+ $(objtree)/$(obj)/e_vars.h \
-+ $(objtree)/$(obj)/e_aux.h \
-+ $(objtree)/$(obj)/disable.h
-+
-+$(srctree)/$(src)/size_overflow_plugin_hash.c: $(objtree)/$(obj)/e_fns.h \
-+ $(objtree)/$(obj)/e_fields.h \
-+ $(objtree)/$(obj)/e_fptrs.h \
-+ $(objtree)/$(obj)/e_vars.h \
-+ $(objtree)/$(obj)/e_aux.h \
-+ $(objtree)/$(obj)/disable.h
-+
+size_overflow_plugin-objs := $(patsubst $(srctree)/$(src)/%.c,%.o,$(wildcard $(srctree)/$(src)/*.c))
+
+quiet_cmd_build_size_overflow_hash = GENHASH $@
+ cmd_build_size_overflow_hash = \
+ $(CONFIG_SHELL) $(srctree)/$(src)/generate_size_overflow_hash.sh -s $(patsubst e_%,%,$(patsubst $(obj)/%.h,%,$@))_hash -d $< -o $@
+
-+$(objtree)/$(obj)/e_fns.h: $(srctree)/$(src)/e_fns.data
-+ $(call if_changed,build_size_overflow_hash)
-+$(objtree)/$(obj)/e_fields.h: $(srctree)/$(src)/e_fields.data
-+ $(call if_changed,build_size_overflow_hash)
-+$(objtree)/$(obj)/e_fptrs.h: $(srctree)/$(src)/e_fptrs.data
-+ $(call if_changed,build_size_overflow_hash)
-+$(objtree)/$(obj)/e_vars.h: $(srctree)/$(src)/e_vars.data
-+ $(call if_changed,build_size_overflow_hash)
-+$(objtree)/$(obj)/e_aux.h: $(srctree)/$(src)/e_aux.data
-+ $(call if_changed,build_size_overflow_hash)
-+$(objtree)/$(obj)/disable.h: $(srctree)/$(src)/disable.data
-+ $(call if_changed,build_size_overflow_hash)
++define build_size_overflow_hash
++targets += $(addsuffix .h,$(1))
++$(srctree)/$(src)/size_overflow_plugin_hash.c: $(addprefix $(objtree)/$(obj)/,$(addsuffix .h,$(1)))
++$(addprefix $(objtree)/$(obj)/,$(addsuffix .h,$(1))): $(addprefix $(src)/,$(addsuffix .data,$(1)))
++ $$(call if_changed,build_size_overflow_hash)
++endef
++
++size_overflow_hash_tables := e_fns e_fields e_fptrs e_vars e_aux disable
++$(foreach h,$(size_overflow_hash_tables),$(eval $(call build_size_overflow_hash,$(h))))
+
+clean-files += *.so
diff --git a/scripts/gcc-plugins/size_overflow_plugin/disable.data b/scripts/gcc-plugins/size_overflow_plugin/disable.data
new file mode 100644
-index 0000000..2554418
+index 0000000..9ef004f
--- /dev/null
+++ b/scripts/gcc-plugins/size_overflow_plugin/disable.data
-@@ -0,0 +1,12463 @@
+@@ -0,0 +1,12469 @@
+disable_so_interrupt_pnode_gru_message_queue_desc_4 interrupt_pnode gru_message_queue_desc 0 4 NULL
+disable_so_bch_btree_insert_fndecl_12 bch_btree_insert fndecl 0 12 NULL
+disable_so_macvlan_sync_address_fndecl_22 macvlan_sync_address fndecl 0 22 NULL nohasharray
@@ -176722,7 +176750,8 @@ index 0000000..2554418
+disable_so_timestamp_batadv_nc_packet_19027 timestamp batadv_nc_packet 0 19027 NULL
+disable_so_addr_high_ssp_ini_io_start_req_19029 addr_high ssp_ini_io_start_req 0 19029 NULL
+disable_so_n_addresses_rxk5_key_19030 n_addresses rxk5_key 0 19030 NULL
-+disable_so_ccp_crypto_enqueue_request_fndecl_19035 ccp_crypto_enqueue_request fndecl 0 19035 NULL
++e_old_decode_dev_fndecl_19035 old_decode_dev fndecl 0-1 19035 NULL nohasharray
++disable_so_ccp_crypto_enqueue_request_fndecl_19035 ccp_crypto_enqueue_request fndecl 0 19035 &e_old_decode_dev_fndecl_19035
+disable_so_timeout_mxser_port_19037 timeout mxser_port 0 19037 NULL
+disable_so_xfs_btree_rec_addr_fndecl_19048 xfs_btree_rec_addr fndecl 2 19048 NULL
+disable_so_sz_qat_crypto_request_buffs_19050 sz qat_crypto_request_buffs 0 19050 NULL
@@ -185606,6 +185635,11 @@ index 0000000..2554418
+e_rtt0_vardecl_tcp_hybla_c_51134 rtt0 vardecl_tcp_hybla.c 0 51134 NULL
+e_rtt_win_sx_westwood_41723 rtt_win_sx westwood 0 41723 NULL
+e_baseRTT_vegas_18174 baseRTT vegas 0 18174 NULL
++e_init_special_inode_fndecl_7054 init_special_inode fndecl 3 7054 NULL
++e_new_decode_dev_fndecl_38477 new_decode_dev fndecl 0-1 38477 NULL
++e_new_encode_dev_fndecl_48964 new_encode_dev fndecl 0-1 48964 NULL
++e_jffs2_encode_dev_fndecl_39156 jffs2_encode_dev fndecl 2-0 39156 NULL
++e_seq_rxrpc_host_header_57996 seq rxrpc_host_header 0 57996 NULL
diff --git a/scripts/gcc-plugins/size_overflow_plugin/e_aux.data b/scripts/gcc-plugins/size_overflow_plugin/e_aux.data
new file mode 100644
index 0000000..74e91b2
@@ -185711,10 +185745,10 @@ index 0000000..74e91b2
+enable_so_zpios_read_fndecl_64734 zpios_read fndecl 3 64734 NULL
diff --git a/scripts/gcc-plugins/size_overflow_plugin/e_fields.data b/scripts/gcc-plugins/size_overflow_plugin/e_fields.data
new file mode 100644
-index 0000000..6006250
+index 0000000..ac86364
--- /dev/null
+++ b/scripts/gcc-plugins/size_overflow_plugin/e_fields.data
-@@ -0,0 +1,18888 @@
+@@ -0,0 +1,18882 @@
+e_recv_ctrl_pipe_us_data_0 recv_ctrl_pipe us_data 0 0 NULL
+e_size_ttm_mem_reg_8 size ttm_mem_reg 0 8 NULL
+e_char2uni_nls_table_12 char2uni nls_table 0 12 NULL
@@ -187731,7 +187765,6 @@ index 0000000..6006250
+e_fp_msix_cnt_qed_int_params_7045 fp_msix_cnt qed_int_params 0 7045 NULL
+e_kvm_read_guest_page_fndecl_7049 kvm_read_guest_page fndecl 2 7049 NULL
+e_iforce_send_packet_fndecl_7050 iforce_send_packet fndecl 2 7050 NULL
-+e_init_special_inode_fndecl_7054 init_special_inode fndecl 3 7054 NULL
+e_SYSC_pselect6_fndecl_7055 SYSC_pselect6 fndecl 1 7055 NULL
+e_packet_size_usbatm_channel_7056 packet_size usbatm_channel 0 7056 NULL
+e___btrfs_drop_extents_fndecl_7058 __btrfs_drop_extents fndecl 6-5 7058 NULL nohasharray
@@ -191218,7 +191251,6 @@ index 0000000..6006250
+e_rsxx_queue_discard_fndecl_19027 rsxx_queue_discard fndecl 0 19027 NULL
+e_tcp_recvmsg_fndecl_19029 tcp_recvmsg fndecl 3 19029 NULL
+e_sge_size_MPT3SAS_ADAPTER_19030 sge_size MPT3SAS_ADAPTER 0 19030 NULL
-+e_old_decode_dev_fndecl_19035 old_decode_dev fndecl 0-1 19035 NULL
+e_next_scan_nid_f2fs_nm_info_19036 next_scan_nid f2fs_nm_info 0 19036 NULL
+e_scrollback_max_vardecl_fbcon_c_19040 scrollback_max vardecl_fbcon.c 0 19040 NULL
+e_tsize_nfs2_fsstat_19041 tsize nfs2_fsstat 0 19041 NULL
@@ -196886,8 +196918,7 @@ index 0000000..6006250
+e_test_ofsh_cyttsp4_sysinfo_data_38444 test_ofsh cyttsp4_sysinfo_data 0 38444 &e___ieee80211_tx_skb_tid_band_fndecl_38444
+e_lcd_hdisp_atyfb_par_38462 lcd_hdisp atyfb_par 0 38462 NULL
+e_dvb_ringbuffer_avail_fndecl_38474 dvb_ringbuffer_avail fndecl 0 38474 NULL
-+e_new_decode_dev_fndecl_38477 new_decode_dev fndecl 0-1 38477 NULL nohasharray
-+e_blocksize_gss_krb5_enctype_38477 blocksize gss_krb5_enctype 0 38477 &e_new_decode_dev_fndecl_38477
++e_blocksize_gss_krb5_enctype_38477 blocksize gss_krb5_enctype 0 38477 NULL
+e___fuse_request_alloc_fndecl_38479 __fuse_request_alloc fndecl 1 38479 NULL
+e_min_pfn_mapped_vardecl_init_c_38481 min_pfn_mapped vardecl_init.c 0 38481 NULL
+e_pnfs_update_layout_fndecl_38495 pnfs_update_layout fndecl 3-4 38495 NULL
@@ -197101,7 +197132,6 @@ index 0000000..6006250
+e_drvr_sglimit_blogic_adapter_39142 drvr_sglimit blogic_adapter 0 39142 NULL
+e_mmc_test_buffer_transfer_fndecl_39150 mmc_test_buffer_transfer fndecl 4 39150 NULL
+e_size_intel_initial_plane_config_39155 size intel_initial_plane_config 0 39155 NULL
-+e_jffs2_encode_dev_fndecl_39156 jffs2_encode_dev fndecl 2-0 39156 NULL
+e_log_root_btrfs_super_block_39157 log_root btrfs_super_block 0 39157 NULL
+e_fcoe_start_cid_cnic_local_39162 fcoe_start_cid cnic_local 0 39162 NULL
+e_sys_readv_fndecl_39163 sys_readv fndecl 3 39163 NULL nohasharray
@@ -199888,7 +199918,6 @@ index 0000000..6006250
+e_xt_alloc_table_info_fndecl_48956 xt_alloc_table_info fndecl 1 48956 NULL
+e_user_dlm_lock_fndecl_48959 user_dlm_lock fndecl 6 48959 NULL nohasharray
+e_wptr_radeon_ring_48959 wptr radeon_ring 0 48959 &e_user_dlm_lock_fndecl_48959
-+e_new_encode_dev_fndecl_48964 new_encode_dev fndecl 0-1 48964 NULL
+e_block_size_sm_ftl_48967 block_size sm_ftl 0 48967 NULL
+e_rx_fndecl_48971 rx fndecl 4 48971 NULL
+e_twl_i2c_write_fndecl_48976 twl_i2c_write fndecl 0 48976 NULL
@@ -202463,8 +202492,7 @@ index 0000000..6006250
+e_hpfs_map_anode_fndecl_57993 hpfs_map_anode fndecl 2 57993 NULL
+e_faultin_page_fndecl_57994 faultin_page fndecl 3 57994 NULL
+e_perf_sample_ustack_size_fndecl_57995 perf_sample_ustack_size fndecl 0-2-1 57995 NULL
-+e_codes_size_input_mask_57996 codes_size input_mask 0 57996 NULL nohasharray
-+e_seq_rxrpc_host_header_57996 seq rxrpc_host_header 0 57996 &e_codes_size_input_mask_57996
++e_codes_size_input_mask_57996 codes_size input_mask 0 57996 NULL
+e_max_idx_node_sz_ubifs_info_57997 max_idx_node_sz ubifs_info 0 57997 NULL
+e_status_orangefs_downcall_s_57998 status orangefs_downcall_s 0 57998 NULL
+e_SSIDlen_StatusRid_58002 SSIDlen StatusRid 0 58002 NULL nohasharray
diff --git a/4.7.9/4425_grsec_remove_EI_PAX.patch b/4.7.10/4425_grsec_remove_EI_PAX.patch
index ba92792..ba92792 100644
--- a/4.7.9/4425_grsec_remove_EI_PAX.patch
+++ b/4.7.10/4425_grsec_remove_EI_PAX.patch
diff --git a/4.7.9/4427_force_XATTR_PAX_tmpfs.patch b/4.7.10/4427_force_XATTR_PAX_tmpfs.patch
index b4714fc..b4714fc 100644
--- a/4.7.9/4427_force_XATTR_PAX_tmpfs.patch
+++ b/4.7.10/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/4.7.9/4430_grsec-remove-localversion-grsec.patch b/4.7.10/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/4.7.9/4430_grsec-remove-localversion-grsec.patch
+++ b/4.7.10/4430_grsec-remove-localversion-grsec.patch
diff --git a/4.7.9/4435_grsec-mute-warnings.patch b/4.7.10/4435_grsec-mute-warnings.patch
index 8929222..8929222 100644
--- a/4.7.9/4435_grsec-mute-warnings.patch
+++ b/4.7.10/4435_grsec-mute-warnings.patch
diff --git a/4.7.9/4440_grsec-remove-protected-paths.patch b/4.7.10/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/4.7.9/4440_grsec-remove-protected-paths.patch
+++ b/4.7.10/4440_grsec-remove-protected-paths.patch
diff --git a/4.7.9/4450_grsec-kconfig-default-gids.patch b/4.7.10/4450_grsec-kconfig-default-gids.patch
index e892c8a..e892c8a 100644
--- a/4.7.9/4450_grsec-kconfig-default-gids.patch
+++ b/4.7.10/4450_grsec-kconfig-default-gids.patch
diff --git a/4.7.9/4465_selinux-avc_audit-log-curr_ip.patch b/4.7.10/4465_selinux-avc_audit-log-curr_ip.patch
index 7248385..7248385 100644
--- a/4.7.9/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/4.7.10/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/4.7.9/4470_disable-compat_vdso.patch b/4.7.10/4470_disable-compat_vdso.patch
index 0f82d7e..0f82d7e 100644
--- a/4.7.9/4470_disable-compat_vdso.patch
+++ b/4.7.10/4470_disable-compat_vdso.patch
diff --git a/4.7.9/4475_emutramp_default_on.patch b/4.7.10/4475_emutramp_default_on.patch
index 2db58ab..2db58ab 100644
--- a/4.7.9/4475_emutramp_default_on.patch
+++ b/4.7.10/4475_emutramp_default_on.patch