3.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 19 Nov 2014 01:48:16 +0000 (17:48 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 19 Nov 2014 01:48:16 +0000 (17:48 -0800)
added patches:
arm-correct-bug-assembly-to-ensure-it-is-endian-agnostic.patch
arm-probes-fix-instruction-fetch-order-with-asm-opcodes.h.patch
br-fix-use-of-rx_handler_data-in-code-executed-on-non-rx_handler-path.patch
clocksource-remove-weak-from-clocksource_default_clock-declaration.patch
dell-wmi-fix-access-out-of-memory.patch
ipc-always-handle-a-new-value-of-auto_msgmni.patch
kgdb-remove-weak-from-kgdb_arch_pc-declaration.patch
mei-bus-fix-possible-boundaries-violation.patch
mips-fix-forgotten-preempt_enable-when-cpu-has-inclusive.patch
net-mlx4_en-fix-blueflame-race.patch
netfilter-nf_log-account-for-size-of-nlmsg_done-attribute.patch
netfilter-nf_log-release-skbuff-on-nlmsg-put-failure.patch
netfilter-nf_nat-fix-oops-on-netns-removal.patch
netfilter-nfnetlink_log-fix-maximum-packet-length-logged-to-userspace.patch
netfilter-xt_bpf-add-mising-opaque-struct-sk_filter-definition.patch
perf-handle-compat-ioctl.patch
perf-x86-intel-use-proper-dtlb-load-misses-event-on-ivybridge.patch
scsi-hpsa-fix-a-race-in-cmd_free-scsi_done.patch

19 files changed:
queue-3.10/arm-correct-bug-assembly-to-ensure-it-is-endian-agnostic.patch [new file with mode: 0644]
queue-3.10/arm-probes-fix-instruction-fetch-order-with-asm-opcodes.h.patch [new file with mode: 0644]
queue-3.10/br-fix-use-of-rx_handler_data-in-code-executed-on-non-rx_handler-path.patch [new file with mode: 0644]
queue-3.10/clocksource-remove-weak-from-clocksource_default_clock-declaration.patch [new file with mode: 0644]
queue-3.10/dell-wmi-fix-access-out-of-memory.patch [new file with mode: 0644]
queue-3.10/ipc-always-handle-a-new-value-of-auto_msgmni.patch [new file with mode: 0644]
queue-3.10/kgdb-remove-weak-from-kgdb_arch_pc-declaration.patch [new file with mode: 0644]
queue-3.10/mei-bus-fix-possible-boundaries-violation.patch [new file with mode: 0644]
queue-3.10/mips-fix-forgotten-preempt_enable-when-cpu-has-inclusive.patch [new file with mode: 0644]
queue-3.10/net-mlx4_en-fix-blueflame-race.patch [new file with mode: 0644]
queue-3.10/netfilter-nf_log-account-for-size-of-nlmsg_done-attribute.patch [new file with mode: 0644]
queue-3.10/netfilter-nf_log-release-skbuff-on-nlmsg-put-failure.patch [new file with mode: 0644]
queue-3.10/netfilter-nf_nat-fix-oops-on-netns-removal.patch [new file with mode: 0644]
queue-3.10/netfilter-nfnetlink_log-fix-maximum-packet-length-logged-to-userspace.patch [new file with mode: 0644]
queue-3.10/netfilter-xt_bpf-add-mising-opaque-struct-sk_filter-definition.patch [new file with mode: 0644]
queue-3.10/perf-handle-compat-ioctl.patch [new file with mode: 0644]
queue-3.10/perf-x86-intel-use-proper-dtlb-load-misses-event-on-ivybridge.patch [new file with mode: 0644]
queue-3.10/scsi-hpsa-fix-a-race-in-cmd_free-scsi_done.patch [new file with mode: 0644]
queue-3.10/series

diff --git a/queue-3.10/arm-correct-bug-assembly-to-ensure-it-is-endian-agnostic.patch b/queue-3.10/arm-correct-bug-assembly-to-ensure-it-is-endian-agnostic.patch
new file mode 100644 (file)
index 0000000..e45b809
--- /dev/null
@@ -0,0 +1,94 @@
+From 63328070eff2f4fd730c86966a0dbc976147c39f Mon Sep 17 00:00:00 2001
+From: Ben Dooks <ben.dooks@codethink.co.uk>
+Date: Thu, 25 Jul 2013 14:38:03 +0100
+Subject: ARM: Correct BUG() assembly to ensure it is endian-agnostic
+
+From: Ben Dooks <ben.dooks@codethink.co.uk>
+
+commit 63328070eff2f4fd730c86966a0dbc976147c39f upstream.
+
+Currently BUG() uses .word or .hword to create the necessary illegal
+instructions. However if we are building BE8 then these get swapped
+by the linker into different illegal instructions in the text. This
+means that the BUG() macro does not get trapped properly.
+
+Change to using <asm/opcodes.h> to provide the necessary ARM instruction
+building as we cannot rely on gcc/gas having the `.inst` instructions
+which where added to try and resolve this issue (reported by Dave Martin
+<Dave.Martin@arm.com>).
+
+Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
+Reviewed-by: Dave Martin <Dave.Martin@arm.com>
+Cc: Wang Nan <wangnan0@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/include/asm/bug.h |   10 ++++++----
+ arch/arm/kernel/traps.c    |    8 +++++---
+ 2 files changed, 11 insertions(+), 7 deletions(-)
+
+--- a/arch/arm/include/asm/bug.h
++++ b/arch/arm/include/asm/bug.h
+@@ -2,6 +2,8 @@
+ #define _ASMARM_BUG_H
+ #include <linux/linkage.h>
++#include <linux/types.h>
++#include <asm/opcodes.h>
+ #ifdef CONFIG_BUG
+@@ -12,10 +14,10 @@
+  */
+ #ifdef CONFIG_THUMB2_KERNEL
+ #define BUG_INSTR_VALUE 0xde02
+-#define BUG_INSTR_TYPE ".hword "
++#define BUG_INSTR(__value) __inst_thumb16(__value)
+ #else
+ #define BUG_INSTR_VALUE 0xe7f001f2
+-#define BUG_INSTR_TYPE ".word "
++#define BUG_INSTR(__value) __inst_arm(__value)
+ #endif
+@@ -33,7 +35,7 @@
+ #define __BUG(__file, __line, __value)                                \
+ do {                                                          \
+-      asm volatile("1:\t" BUG_INSTR_TYPE #__value "\n"        \
++      asm volatile("1:\t" BUG_INSTR(__value) "\n"  \
+               ".pushsection .rodata.str, \"aMS\", %progbits, 1\n" \
+               "2:\t.asciz " #__file "\n"                      \
+               ".popsection\n"                                 \
+@@ -48,7 +50,7 @@ do {                                                         \
+ #define __BUG(__file, __line, __value)                                \
+ do {                                                          \
+-      asm volatile(BUG_INSTR_TYPE #__value);                  \
++      asm volatile(BUG_INSTR(__value) "\n");                  \
+       unreachable();                                          \
+ } while (0)
+ #endif  /* CONFIG_DEBUG_BUGVERBOSE */
+--- a/arch/arm/kernel/traps.c
++++ b/arch/arm/kernel/traps.c
+@@ -347,15 +347,17 @@ void arm_notify_die(const char *str, str
+ int is_valid_bugaddr(unsigned long pc)
+ {
+ #ifdef CONFIG_THUMB2_KERNEL
+-      unsigned short bkpt;
++      u16 bkpt;
++      u16 insn = __opcode_to_mem_thumb16(BUG_INSTR_VALUE);
+ #else
+-      unsigned long bkpt;
++      u32 bkpt;
++      u32 insn = __opcode_to_mem_arm(BUG_INSTR_VALUE);
+ #endif
+       if (probe_kernel_address((unsigned *)pc, bkpt))
+               return 0;
+-      return bkpt == BUG_INSTR_VALUE;
++      return bkpt == insn;
+ }
+ #endif
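Review bot: The traps.c hunk narrows `bkpt` to `u16`/`u32` and compares it with a byte-swapped `insn`, but the unchanged `probe_kernel_address((unsigned *)pc, bkpt)` on the next line still casts the address to `unsigned *`, which now reads oddly beside a `u16` destination. If probe_kernel_address sizes the read by its second argument, as its use with a `u16` here suggests, the cast has no effect on the width, and writing it as `(u16 *)pc` under CONFIG_THUMB2_KERNEL and `(u32 *)pc` otherwise would make the intended fetch width explicit. A one-line comment on the new `insn` initialisers, `/* BUG_INSTR_VALUE is an opcode; compare against its in-memory (BE8-swapped) form */`, would also record why the comparison no longer uses the constant directly. is_valid_bugaddr() is shown in full, but the surrounding #ifdef block starts outside the hunk.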
diff --git a/queue-3.10/arm-probes-fix-instruction-fetch-order-with-asm-opcodes.h.patch b/queue-3.10/arm-probes-fix-instruction-fetch-order-with-asm-opcodes.h.patch
new file mode 100644 (file)
index 0000000..6130425
--- /dev/null
@@ -0,0 +1,172 @@
+From 888be25402021a425da3e85e2d5a954d7509286e Mon Sep 17 00:00:00 2001
+From: Ben Dooks <ben.dooks@codethink.co.uk>
+Date: Fri, 8 Nov 2013 18:29:25 +0000
+Subject: ARM: probes: fix instruction fetch order with <asm/opcodes.h>
+
+From: Ben Dooks <ben.dooks@codethink.co.uk>
+
+commit 888be25402021a425da3e85e2d5a954d7509286e upstream.
+
+If we are running BE8, the data and instruction endianness do not
+match, so use <asm/opcodes.h> to correctly translate memory accesses
+into ARM instructions.
+
+Acked-by: Jon Medhurst <tixy@linaro.org>
+Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
+[taras.kondratiuk@linaro.org: fixed Thumb instruction fetch order]
+Signed-off-by: Taras Kondratiuk <taras.kondratiuk@linaro.org>
+[wangnan: backport to 3.10 and 3.14:
+ - adjust context
+ - backport all changes on arch/arm/kernel/probes.c to
+   arch/arm/kernel/kprobes-common.c since we don't have
+   commit c18377c303787ded44b7decd7dee694db0f205e9.
+ - After the above adjustments, becomes same to Taras Kondratiuk's
+   original patch:
+     http://lists.linaro.org/pipermail/linaro-kernel/2014-January/010346.html
+]
+Signed-off-by: Wang Nan <wangnan0@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/kernel/kprobes-common.c |   19 +++++++++++--------
+ arch/arm/kernel/kprobes-thumb.c  |   20 ++++++++++++--------
+ arch/arm/kernel/kprobes.c        |    9 +++++----
+ 3 files changed, 28 insertions(+), 20 deletions(-)
+
+--- a/arch/arm/kernel/kprobes-common.c
++++ b/arch/arm/kernel/kprobes-common.c
+@@ -14,6 +14,7 @@
+ #include <linux/kernel.h>
+ #include <linux/kprobes.h>
+ #include <asm/system_info.h>
++#include <asm/opcodes.h>
+ #include "kprobes.h"
+@@ -305,7 +306,8 @@ kprobe_decode_ldmstm(kprobe_opcode_t ins
+       if (handler) {
+               /* We can emulate the instruction in (possibly) modified form */
+-              asi->insn[0] = (insn & 0xfff00000) | (rn << 16) | reglist;
++              asi->insn[0] = __opcode_to_mem_arm((insn & 0xfff00000) |
++                                                 (rn << 16) | reglist);
+               asi->insn_handler = handler;
+               return INSN_GOOD;
+       }
+@@ -334,13 +336,14 @@ prepare_emulated_insn(kprobe_opcode_t in
+ #ifdef CONFIG_THUMB2_KERNEL
+       if (thumb) {
+               u16 *thumb_insn = (u16 *)asi->insn;
+-              thumb_insn[1] = 0x4770; /* Thumb bx lr */
+-              thumb_insn[2] = 0x4770; /* Thumb bx lr */
++              /* Thumb bx lr */
++              thumb_insn[1] = __opcode_to_mem_thumb16(0x4770);
++              thumb_insn[2] = __opcode_to_mem_thumb16(0x4770);
+               return insn;
+       }
+-      asi->insn[1] = 0xe12fff1e; /* ARM bx lr */
++      asi->insn[1] = __opcode_to_mem_arm(0xe12fff1e); /* ARM bx lr */
+ #else
+-      asi->insn[1] = 0xe1a0f00e; /* mov pc, lr */
++      asi->insn[1] = __opcode_to_mem_arm(0xe1a0f00e); /* mov pc, lr */
+ #endif
+       /* Make an ARM instruction unconditional */
+       if (insn < 0xe0000000)
+@@ -360,12 +363,12 @@ set_emulated_insn(kprobe_opcode_t insn,
+       if (thumb) {
+               u16 *ip = (u16 *)asi->insn;
+               if (is_wide_instruction(insn))
+-                      *ip++ = insn >> 16;
+-              *ip++ = insn;
++                      *ip++ = __opcode_to_mem_thumb16(insn >> 16);
++              *ip++ = __opcode_to_mem_thumb16(insn);
+               return;
+       }
+ #endif
+-      asi->insn[0] = insn;
++      asi->insn[0] = __opcode_to_mem_arm(insn);
+ }
+ /*
+--- a/arch/arm/kernel/kprobes-thumb.c
++++ b/arch/arm/kernel/kprobes-thumb.c
+@@ -163,9 +163,9 @@ t32_decode_ldmstm(kprobe_opcode_t insn,
+       enum kprobe_insn ret = kprobe_decode_ldmstm(insn, asi);
+       /* Fixup modified instruction to have halfwords in correct order...*/
+-      insn = asi->insn[0];
+-      ((u16 *)asi->insn)[0] = insn >> 16;
+-      ((u16 *)asi->insn)[1] = insn & 0xffff;
++      insn = __mem_to_opcode_arm(asi->insn[0]);
++      ((u16 *)asi->insn)[0] = __opcode_to_mem_thumb16(insn >> 16);
++      ((u16 *)asi->insn)[1] = __opcode_to_mem_thumb16(insn & 0xffff);
+       return ret;
+ }
+@@ -1153,7 +1153,7 @@ t16_decode_hiregs(kprobe_opcode_t insn,
+ {
+       insn &= ~0x00ff;
+       insn |= 0x001; /* Set Rdn = R1 and Rm = R0 */
+-      ((u16 *)asi->insn)[0] = insn;
++      ((u16 *)asi->insn)[0] = __opcode_to_mem_thumb16(insn);
+       asi->insn_handler = t16_emulate_hiregs;
+       return INSN_GOOD;
+ }
+@@ -1182,8 +1182,10 @@ t16_decode_push(kprobe_opcode_t insn, st
+        * and call it with R9=SP and LR in the register list represented
+        * by R8.
+        */
+-      ((u16 *)asi->insn)[0] = 0xe929;         /* 1st half STMDB R9!,{} */
+-      ((u16 *)asi->insn)[1] = insn & 0x1ff;   /* 2nd half (register list) */
++      /* 1st half STMDB R9!,{} */
++      ((u16 *)asi->insn)[0] = __opcode_to_mem_thumb16(0xe929);
++      /* 2nd half (register list) */
++      ((u16 *)asi->insn)[1] = __opcode_to_mem_thumb16(insn & 0x1ff);
+       asi->insn_handler = t16_emulate_push;
+       return INSN_GOOD;
+ }
+@@ -1232,8 +1234,10 @@ t16_decode_pop(kprobe_opcode_t insn, str
+        * and call it with R9=SP and PC in the register list represented
+        * by R8.
+        */
+-      ((u16 *)asi->insn)[0] = 0xe8b9;         /* 1st half LDMIA R9!,{} */
+-      ((u16 *)asi->insn)[1] = insn & 0x1ff;   /* 2nd half (register list) */
++      /* 1st half LDMIA R9!,{} */
++      ((u16 *)asi->insn)[0] = __opcode_to_mem_thumb16(0xe8b9);
++      /* 2nd half (register list) */
++      ((u16 *)asi->insn)[1] = __opcode_to_mem_thumb16(insn & 0x1ff);
+       asi->insn_handler = insn & 0x100 ? t16_emulate_pop_pc
+                                        : t16_emulate_pop_nopc;
+       return INSN_GOOD;
+--- a/arch/arm/kernel/kprobes.c
++++ b/arch/arm/kernel/kprobes.c
+@@ -26,6 +26,7 @@
+ #include <linux/stop_machine.h>
+ #include <linux/stringify.h>
+ #include <asm/traps.h>
++#include <asm/opcodes.h>
+ #include <asm/cacheflush.h>
+ #include "kprobes.h"
+@@ -62,10 +63,10 @@ int __kprobes arch_prepare_kprobe(struct
+ #ifdef CONFIG_THUMB2_KERNEL
+       thumb = true;
+       addr &= ~1; /* Bit 0 would normally be set to indicate Thumb code */
+-      insn = ((u16 *)addr)[0];
++      insn = __mem_to_opcode_thumb16(((u16 *)addr)[0]);
+       if (is_wide_instruction(insn)) {
+-              insn <<= 16;
+-              insn |= ((u16 *)addr)[1];
++              u16 inst2 = __mem_to_opcode_thumb16(((u16 *)addr)[1]);
++              insn = __opcode_thumb32_compose(insn, inst2);
+               decode_insn = thumb32_kprobe_decode_insn;
+       } else
+               decode_insn = thumb16_kprobe_decode_insn;
+@@ -73,7 +74,7 @@ int __kprobes arch_prepare_kprobe(struct
+       thumb = false;
+       if (addr & 0x3)
+               return -EINVAL;
+-      insn = *p->addr;
++      insn = __mem_to_opcode_arm(*p->addr);
+       decode_insn = arm_kprobe_decode_insn;
+ #endif
diff --git a/queue-3.10/br-fix-use-of-rx_handler_data-in-code-executed-on-non-rx_handler-path.patch b/queue-3.10/br-fix-use-of-rx_handler_data-in-code-executed-on-non-rx_handler-path.patch
new file mode 100644 (file)
index 0000000..17320cf
--- /dev/null
@@ -0,0 +1,79 @@
+From 859828c0ea476b42f3a93d69d117aaba90994b6f Mon Sep 17 00:00:00 2001
+From: Jiri Pirko <jiri@resnulli.us>
+Date: Thu, 5 Dec 2013 16:27:37 +0100
+Subject: br: fix use of ->rx_handler_data in code executed on non-rx_handler path
+
+From: Jiri Pirko <jiri@resnulli.us>
+
+commit 859828c0ea476b42f3a93d69d117aaba90994b6f upstream.
+
+br_stp_rcv() is reached by non-rx_handler path. That means there is no
+guarantee that dev is bridge port and therefore simple NULL check of
+->rx_handler_data is not enough. There is need to check if dev is really
+bridge port and since only rcu read lock is held here, do it by checking
+->rx_handler pointer.
+
+Note that synchronize_net() in netdev_rx_handler_unregister() ensures
+this approach as valid.
+
+Introduced originally by:
+commit f350a0a87374418635689471606454abc7beaa3a
+  "bridge: use rx_handler_data pointer to store net_bridge_port pointer"
+
+Fixed but not in the best way by:
+commit b5ed54e94d324f17c97852296d61a143f01b227a
+  "bridge: fix RCU races with bridge port"
+
+Reintroduced by:
+commit 716ec052d2280d511e10e90ad54a86f5b5d4dcc2
+  "bridge: fix NULL pointer deref of br_port_get_rcu"
+
+Please apply to stable trees as well. Thanks.
+
+RH bugzilla reference: https://bugzilla.redhat.com/show_bug.cgi?id=1025770
+
+Reported-by: Laine Stump <laine@redhat.com>
+Debugged-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jiri Pirko <jiri@resnulli.us>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Andrew Collins <bsderandrew@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bridge/br_private.h  |   10 ++++++++++
+ net/bridge/br_stp_bpdu.c |    2 +-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -429,6 +429,16 @@ extern netdev_features_t br_features_rec
+ extern int br_handle_frame_finish(struct sk_buff *skb);
+ extern rx_handler_result_t br_handle_frame(struct sk_buff **pskb);
++static inline bool br_rx_handler_check_rcu(const struct net_device *dev)
++{
++      return rcu_dereference(dev->rx_handler) == br_handle_frame;
++}
++
++static inline struct net_bridge_port *br_port_get_check_rcu(const struct net_device *dev)
++{
++      return br_rx_handler_check_rcu(dev) ? br_port_get_rcu(dev) : NULL;
++}
++
+ /* br_ioctl.c */
+ extern int br_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd);
+ extern int br_ioctl_deviceless_stub(struct net *net, unsigned int cmd, void __user *arg);
+--- a/net/bridge/br_stp_bpdu.c
++++ b/net/bridge/br_stp_bpdu.c
+@@ -153,7 +153,7 @@ void br_stp_rcv(const struct stp_proto *
+       if (buf[0] != 0 || buf[1] != 0 || buf[2] != 0)
+               goto err;
+-      p = br_port_get_rcu(dev);
++      p = br_port_get_check_rcu(dev);
+       if (!p)
+               goto err;
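Review bot: `br_rx_handler_check_rcu()` and `br_port_get_check_rcu()` in the br_private.h hunk carry no comment stating their locking contract, although they are only valid under rcu_read_lock() and, per the commit message, depend on the synchronize_net() in netdev_rx_handler_unregister() to keep the `rx_handler` test meaningful for the whole read-side section. I would add above the first helper: `/* Caller must hold rcu_read_lock(). dev is a bridge port iff its rx_handler is br_handle_frame; netdev_rx_handler_unregister()'s synchronize_net() keeps that stable for the critical section. */`. It would also help to say that paths entered through the rx_handler itself may keep using br_port_get_rcu(), and that the checked variant is for callers such as br_stp_rcv() that are reached without that guarantee. br_stp_rcv() starts and ends outside the hunk.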
diff --git a/queue-3.10/clocksource-remove-weak-from-clocksource_default_clock-declaration.patch b/queue-3.10/clocksource-remove-weak-from-clocksource_default_clock-declaration.patch
new file mode 100644 (file)
index 0000000..3c5c57e
--- /dev/null
@@ -0,0 +1,43 @@
+From 96a2adbc6f501996418da9f7afe39bf0e4d006a9 Mon Sep 17 00:00:00 2001
+From: Bjorn Helgaas <bhelgaas@google.com>
+Date: Mon, 13 Oct 2014 18:59:09 -0600
+Subject: clocksource: Remove "weak" from clocksource_default_clock() declaration
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+commit 96a2adbc6f501996418da9f7afe39bf0e4d006a9 upstream.
+
+kernel/time/jiffies.c provides a default clocksource_default_clock()
+definition explicitly marked "weak".  arch/s390 provides its own definition
+intended to override the default, but the "weak" attribute on the
+declaration applied to the s390 definition as well, so the linker chose one
+based on link order (see 10629d711ed7 ("PCI: Remove __weak annotation from
+pcibios_get_phb_of_node decl")).
+
+Remove the "weak" attribute from the clocksource_default_clock()
+declaration so we always prefer a non-weak definition over the weak one,
+independent of link order.
+
+Fixes: f1b82746c1e9 ("clocksource: Cleanup clocksource selection")
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-by: John Stultz <john.stultz@linaro.org>
+Acked-by: Ingo Molnar <mingo@kernel.org>
+CC: Daniel Lezcano <daniel.lezcano@linaro.org>
+CC: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/clocksource.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/clocksource.h
++++ b/include/linux/clocksource.h
+@@ -285,7 +285,7 @@ extern struct clocksource* clocksource_g
+ extern void clocksource_change_rating(struct clocksource *cs, int rating);
+ extern void clocksource_suspend(void);
+ extern void clocksource_resume(void);
+-extern struct clocksource * __init __weak clocksource_default_clock(void);
++extern struct clocksource * __init clocksource_default_clock(void);
+ extern void clocksource_mark_unstable(struct clocksource *cs);
+ extern void
diff --git a/queue-3.10/dell-wmi-fix-access-out-of-memory.patch b/queue-3.10/dell-wmi-fix-access-out-of-memory.patch
new file mode 100644 (file)
index 0000000..1ac2a43
--- /dev/null
@@ -0,0 +1,55 @@
+From a666b6ffbc9b6705a3ced704f52c3fe9ea8bf959 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pali=20Roh=C3=A1r?= <pali.rohar@gmail.com>
+Date: Mon, 29 Sep 2014 15:10:51 +0200
+Subject: dell-wmi: Fix access out of memory
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Pali=20Roh=C3=A1r?= <pali.rohar@gmail.com>
+
+commit a666b6ffbc9b6705a3ced704f52c3fe9ea8bf959 upstream.
+
+Without this patch, dell-wmi is trying to access elements of dynamically
+allocated array without checking the array size. This can lead to memory
+corruption or a kernel panic. This patch adds the missing checks for
+array size.
+
+Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
+Signed-off-by: Darren Hart <dvhart@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/platform/x86/dell-wmi.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/platform/x86/dell-wmi.c
++++ b/drivers/platform/x86/dell-wmi.c
+@@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, v
+               const struct key_entry *key;
+               int reported_key;
+               u16 *buffer_entry = (u16 *)obj->buffer.pointer;
++              int buffer_size = obj->buffer.length/2;
+-              if (dell_new_hk_type && (buffer_entry[1] != 0x10)) {
++              if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] != 0x10) {
+                       pr_info("Received unknown WMI event (0x%x)\n",
+                               buffer_entry[1]);
+                       kfree(obj);
+                       return;
+               }
+-              if (dell_new_hk_type || buffer_entry[1] == 0x0)
++              if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] == 0x0))
+                       reported_key = (int)buffer_entry[2];
+-              else
++              else if (buffer_size >= 2)
+                       reported_key = (int)buffer_entry[1] & 0xffff;
++              else {
++                      pr_info("Received unknown WMI event\n");
++                      kfree(obj);
++                      return;
++              }
+               key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev,
+                                                       reported_key);
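Review bot: With `dell_new_hk_type` set and `buffer_size == 2`, the new branching still reports a key: the first check only returns when `buffer_entry[1] != 0x10`, the `buffer_size >= 3` branch is skipped, and `else if (buffer_size >= 2)` then reports `buffer_entry[1]` — the 0x10 the first check just accepted as an event header — as a scancode. That avoids the out-of-bounds read the commit fixes, but it turns a truncated new-style event into a bogus key press instead of sending it to the rejection branch below. Restricting the fallback to the legacy layout, `else if (!dell_new_hk_type && buffer_size >= 2)`, would route short new-style events to the `Received unknown WMI event` path; I have not seen the legacy event formats, so this should be confirmed against them. dell_wmi_notify() starts and ends outside the hunk.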
diff --git a/queue-3.10/ipc-always-handle-a-new-value-of-auto_msgmni.patch b/queue-3.10/ipc-always-handle-a-new-value-of-auto_msgmni.patch
new file mode 100644 (file)
index 0000000..cc078c6
--- /dev/null
@@ -0,0 +1,63 @@
+From 1195d94e006b23c6292e78857e154872e33b6d7e Mon Sep 17 00:00:00 2001
+From: Andrey Vagin <avagin@openvz.org>
+Date: Mon, 13 Oct 2014 15:54:10 -0700
+Subject: ipc: always handle a new value of auto_msgmni
+
+From: Andrey Vagin <avagin@openvz.org>
+
+commit 1195d94e006b23c6292e78857e154872e33b6d7e upstream.
+
+proc_dointvec_minmax() returns zero if a new value has been set.  So we
+don't need to check all charecters have been handled.
+
+Below you can find two examples.  In the new value has not been handled
+properly.
+
+$ strace ./a.out
+open("/proc/sys/kernel/auto_msgmni", O_WRONLY) = 3
+write(3, "0\n\0", 3)                    = 2
+close(3)                                = 0
+exit_group(0)
+$ cat /sys/kernel/debug/tracing/trace
+
+$strace ./a.out
+open("/proc/sys/kernel/auto_msgmni", O_WRONLY) = 3
+write(3, "0\n", 2)                      = 2
+close(3)                                = 0
+
+$ cat /sys/kernel/debug/tracing/trace
+a.out-697   [000] ....  3280.998235: unregister_ipcns_notifier <-proc_ipcauto_dointvec_minmax
+
+Fixes: 9eefe520c814 ("ipc: do not use a negative value to re-enable msgmni automatic recomputin")
+Signed-off-by: Andrey Vagin <avagin@openvz.org>
+Cc: Mathias Krause <minipli@googlemail.com>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Cc: Joe Perches <joe@perches.com>
+Cc: Davidlohr Bueso <davidlohr@hp.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ ipc/ipc_sysctl.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/ipc/ipc_sysctl.c
++++ b/ipc/ipc_sysctl.c
+@@ -123,7 +123,6 @@ static int proc_ipcauto_dointvec_minmax(
+       void __user *buffer, size_t *lenp, loff_t *ppos)
+ {
+       struct ctl_table ipc_table;
+-      size_t lenp_bef = *lenp;
+       int oldval;
+       int rc;
+@@ -133,7 +132,7 @@ static int proc_ipcauto_dointvec_minmax(
+       rc = proc_dointvec_minmax(&ipc_table, write, buffer, lenp, ppos);
+-      if (write && !rc && lenp_bef == *lenp) {
++      if (write && !rc) {
+               int newval = *((int *)(ipc_table.data));
+               /*
+                * The file "auto_msgmni" has correctly been set.
diff --git a/queue-3.10/kgdb-remove-weak-from-kgdb_arch_pc-declaration.patch b/queue-3.10/kgdb-remove-weak-from-kgdb_arch_pc-declaration.patch
new file mode 100644 (file)
index 0000000..c9993ef
--- /dev/null
@@ -0,0 +1,40 @@
+From 107bcc6d566cb40184068d888637f9aefe6252dd Mon Sep 17 00:00:00 2001
+From: Bjorn Helgaas <bhelgaas@google.com>
+Date: Mon, 13 Oct 2014 19:00:25 -0600
+Subject: kgdb: Remove "weak" from kgdb_arch_pc() declaration
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+commit 107bcc6d566cb40184068d888637f9aefe6252dd upstream.
+
+kernel/debug/debug_core.c provides a default kgdb_arch_pc() definition
+explicitly marked "weak".  Several architectures provide their own
+definitions intended to override the default, but the "weak" attribute on
+the declaration applied to the arch definitions as well, so the linker
+chose one based on link order (see 10629d711ed7 ("PCI: Remove __weak
+annotation from pcibios_get_phb_of_node decl")).
+
+Remove the "weak" attribute from the declaration so we always prefer a
+non-weak definition over the weak one, independent of link order.
+
+Fixes: 688b744d8bc8 ("kgdb: fix signedness mixmatches, add statics, add declaration to header")
+Tested-by: Vineet Gupta <vgupta@synopsys.com>  # for ARC build
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Harvey Harrison <harvey.harrison@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/kgdb.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/kgdb.h
++++ b/include/linux/kgdb.h
+@@ -283,7 +283,7 @@ struct kgdb_io {
+ extern struct kgdb_arch               arch_kgdb_ops;
+-extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
++extern unsigned long kgdb_arch_pc(int exception, struct pt_regs *regs);
+ #ifdef CONFIG_SERIAL_KGDB_NMI
+ extern int kgdb_register_nmi_console(void);
diff --git a/queue-3.10/mei-bus-fix-possible-boundaries-violation.patch b/queue-3.10/mei-bus-fix-possible-boundaries-violation.patch
new file mode 100644 (file)
index 0000000..32c33be
--- /dev/null
@@ -0,0 +1,34 @@
+From cfda2794b5afe7ce64ee9605c64bef0e56a48125 Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Mon, 25 Aug 2014 16:46:53 +0300
+Subject: mei: bus: fix possible boundaries violation
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit cfda2794b5afe7ce64ee9605c64bef0e56a48125 upstream.
+
+function 'strncpy' will fill whole buffer 'id.name' of fixed size (32)
+with string value and will not leave place for NULL-terminator.
+Possible buffer boundaries violation in following string operations.
+Replace strncpy with strlcpy.
+
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/misc/mei/bus.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/mei/bus.c
++++ b/drivers/misc/mei/bus.c
+@@ -71,7 +71,7 @@ static int mei_cl_device_probe(struct de
+       dev_dbg(dev, "Device probe\n");
+-      strncpy(id.name, dev_name(dev), MEI_CL_NAME_SIZE);
++      strlcpy(id.name, dev_name(dev), sizeof(id.name));
+       return driver->probe(device, &id);
+ }
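Review bot: The return value of the new `strlcpy()` call is discarded, so a device name longer than `sizeof(id.name) - 1` is now silently truncated before `id` is handed to `driver->probe()`; the old strncpy left the buffer unterminated, which this fixes, but a silently shortened name might match a different driver id. Logging the truncation keeps it diagnosable: `if (strlcpy(id.name, dev_name(dev), sizeof(id.name)) >= sizeof(id.name)) dev_dbg(dev, "device name truncated\n");`. mei_cl_device_probe() starts outside the hunk.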
diff --git a/queue-3.10/mips-fix-forgotten-preempt_enable-when-cpu-has-inclusive.patch b/queue-3.10/mips-fix-forgotten-preempt_enable-when-cpu-has-inclusive.patch
new file mode 100644 (file)
index 0000000..11df4dc
--- /dev/null
@@ -0,0 +1,75 @@
+From 5596b0b245fb9d2cefb5023b11061050351c1398 Mon Sep 17 00:00:00 2001
+From: Yoichi Yuasa <yuasa@linux-mips.org>
+Date: Wed, 2 Oct 2013 15:03:03 +0900
+Subject: MIPS: Fix forgotten preempt_enable() when CPU has inclusive
+ pcaches
+
+From: Yoichi Yuasa <yuasa@linux-mips.org>
+
+commit 5596b0b245fb9d2cefb5023b11061050351c1398 upstream.
+
+[    1.904000] BUG: scheduling while atomic: swapper/1/0x00000002
+[    1.908000] Modules linked in:
+[    1.916000] CPU: 0 PID: 1 Comm: swapper Not tainted 3.12.0-rc2-lemote-los.git-5318619-dirty #1
+[    1.920000] Stack : 0000000031aac000 ffffffff810d0000 0000000000000052 ffffffff802730a4
+          0000000000000000 0000000000000001 ffffffff810cdf90 ffffffff810d0000
+          ffffffff8068b968 ffffffff806f5537 ffffffff810cdf90 980000009f0782e8
+          0000000000000001 ffffffff80720000 ffffffff806b0000 980000009f078000
+          980000009f290000 ffffffff805f312c 980000009f05b5d8 ffffffff80233518
+          980000009f05b5e8 ffffffff80274b7c 980000009f078000 ffffffff8068b968
+          0000000000000000 0000000000000000 0000000000000000 0000000000000000
+          0000000000000000 980000009f05b520 0000000000000000 ffffffff805f2f6c
+          0000000000000000 ffffffff80700000 ffffffff80700000 ffffffff806fc758
+          ffffffff80700000 ffffffff8020be98 ffffffff806fceb0 ffffffff805f2f6c
+          ...
+[    2.028000] Call Trace:
+[    2.032000] [<ffffffff8020be98>] show_stack+0x80/0x98
+[    2.036000] [<ffffffff805f2f6c>] __schedule_bug+0x44/0x6c
+[    2.040000] [<ffffffff805fac58>] __schedule+0x518/0x5b0
+[    2.044000] [<ffffffff805f8a58>] schedule_timeout+0x128/0x1f0
+[    2.048000] [<ffffffff80240314>] msleep+0x3c/0x60
+[    2.052000] [<ffffffff80495400>] do_probe+0x238/0x3a8
+[    2.056000] [<ffffffff804958b0>] ide_probe_port+0x340/0x7e8
+[    2.060000] [<ffffffff80496028>] ide_host_register+0x2d0/0x7a8
+[    2.064000] [<ffffffff8049c65c>] ide_pci_init_two+0x4e4/0x790
+[    2.068000] [<ffffffff8049f9b8>] amd74xx_probe+0x148/0x2c8
+[    2.072000] [<ffffffff803f571c>] pci_device_probe+0xc4/0x130
+[    2.076000] [<ffffffff80478f60>] driver_probe_device+0x98/0x270
+[    2.080000] [<ffffffff80479298>] __driver_attach+0xe0/0xe8
+[    2.084000] [<ffffffff80476ab0>] bus_for_each_dev+0x78/0xe0
+[    2.088000] [<ffffffff80478468>] bus_add_driver+0x230/0x310
+[    2.092000] [<ffffffff80479b44>] driver_register+0x84/0x158
+[    2.096000] [<ffffffff80200504>] do_one_initcall+0x104/0x160
+
+Signed-off-by: Yoichi Yuasa <yuasa@linux-mips.org>
+Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Tested-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Cc: linux-mips@linux-mips.org
+Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
+Patchwork: https://patchwork.linux-mips.org/patch/5941/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Cc: Alexandre Oliva <lxoliva@fsfla.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/mm/c-r4k.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/mips/mm/c-r4k.c
++++ b/arch/mips/mm/c-r4k.c
+@@ -608,6 +608,7 @@ static void r4k_dma_cache_wback_inv(unsi
+                       r4k_blast_scache();
+               else
+                       blast_scache_range(addr, addr + size);
++              preempt_enable();
+               __sync();
+               return;
+       }
+@@ -649,6 +650,7 @@ static void r4k_dma_cache_inv(unsigned l
+                        */
+                       blast_inv_scache_range(addr, addr + size);
+               }
++              preempt_enable();
+               __sync();
+               return;
+       }
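Review bot: The two hunks add `preempt_enable()` just before the early `__sync(); return;` in r4k_dma_cache_wback_inv() and r4k_dma_cache_inv(), but the `preempt_disable()` they balance and the functions' other exit paths are outside the hunks, so the pairing cannot be checked from this patch alone. A comment on each added line, `/* pairs with the preempt_disable() taken earlier in this function */`, would let a reader verify the balance without the full function; alternatively a single `out:` label carrying both the enable and the `__sync()` would make it impossible to forget on a future early return. Both enclosing functions start and end outside the hunks.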
diff --git a/queue-3.10/net-mlx4_en-fix-blueflame-race.patch b/queue-3.10/net-mlx4_en-fix-blueflame-race.patch
new file mode 100644 (file)
index 0000000..5cb239b
--- /dev/null
@@ -0,0 +1,150 @@
+From 2d4b646613d6b12175b017aca18113945af1faf3 Mon Sep 17 00:00:00 2001
+From: Eugenia Emantayev <eugenia@mellanox.com>
+Date: Thu, 25 Jul 2013 19:21:23 +0300
+Subject: net/mlx4_en: Fix BlueFlame race
+
+From: Eugenia Emantayev <eugenia@mellanox.com>
+
+commit 2d4b646613d6b12175b017aca18113945af1faf3 upstream.
+
+Fix a race between BlueFlame flow and stamping in post send flow.
+Example:
+       SW: Build WQE 0 on the TX buffer, except the ownership bit
+       SW: Set ownership for WQE 0 on the TX buffer
+       SW: Ring doorbell for WQE 0
+       SW: Build WQE 1 on the TX buffer, except the ownership bit
+       SW: Set ownership for WQE 1 on the TX buffer
+       HW: Read WQE 0 and then WQE 1, before doorbell was rung/BF was done for WQE 1
+       HW: Produce CQEs for WQE 0 and WQE 1
+       SW: Process the CQEs, and stamp WQE 0 and WQE 1 accordingly (on the TX buffer)
+       SW: Copy WQE 1 from the TX buffer to the BF register - ALREADY STAMPED!
+       HW: CQE error with index 0xFFFF  - the BF WQE's control segment is STAMPED,
+               so the BF index is 0xFFFF. Error: Invalid Opcode.
+As a result QP enters the error state and no traffic can be sent.
+
+Solution:
+When stamping - do not stamp last completed wqe.
+
+Signed-off-by: Eugenia Emantayev <eugenia@mellanox.com>
+Signed-off-by: Amir Vadai <amirv@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Vinson Lee <vlee@twopensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/mellanox/mlx4/en_tx.c |   61 +++++++++++++++++++----------
+ 1 file changed, 42 insertions(+), 19 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
+@@ -191,6 +191,39 @@ void mlx4_en_deactivate_tx_ring(struct m
+                      MLX4_QP_STATE_RST, NULL, 0, 0, &ring->qp);
+ }
++static void mlx4_en_stamp_wqe(struct mlx4_en_priv *priv,
++                            struct mlx4_en_tx_ring *ring, int index,
++                            u8 owner)
++{
++      __be32 stamp = cpu_to_be32(STAMP_VAL | (!!owner << STAMP_SHIFT));
++      struct mlx4_en_tx_desc *tx_desc = ring->buf + index * TXBB_SIZE;
++      struct mlx4_en_tx_info *tx_info = &ring->tx_info[index];
++      void *end = ring->buf + ring->buf_size;
++      __be32 *ptr = (__be32 *)tx_desc;
++      int i;
++
++      /* Optimize the common case when there are no wraparounds */
++      if (likely((void *)tx_desc + tx_info->nr_txbb * TXBB_SIZE <= end)) {
++              /* Stamp the freed descriptor */
++              for (i = 0; i < tx_info->nr_txbb * TXBB_SIZE;
++                   i += STAMP_STRIDE) {
++                      *ptr = stamp;
++                      ptr += STAMP_DWORDS;
++              }
++      } else {
++              /* Stamp the freed descriptor */
++              for (i = 0; i < tx_info->nr_txbb * TXBB_SIZE;
++                   i += STAMP_STRIDE) {
++                      *ptr = stamp;
++                      ptr += STAMP_DWORDS;
++                      if ((void *)ptr >= end) {
++                              ptr = ring->buf;
++                              stamp ^= cpu_to_be32(0x80000000);
++                      }
++              }
++      }
++}
++
+ static u32 mlx4_en_free_tx_desc(struct mlx4_en_priv *priv,
+                               struct mlx4_en_tx_ring *ring,
+@@ -205,8 +238,6 @@ static u32 mlx4_en_free_tx_desc(struct m
+       void *end = ring->buf + ring->buf_size;
+       int frags = skb_shinfo(skb)->nr_frags;
+       int i;
+-      __be32 *ptr = (__be32 *)tx_desc;
+-      __be32 stamp = cpu_to_be32(STAMP_VAL | (!!owner << STAMP_SHIFT));
+       struct skb_shared_hwtstamps hwts;
+       if (timestamp) {
+@@ -232,12 +263,6 @@ static u32 mlx4_en_free_tx_desc(struct m
+                                       skb_frag_size(frag), PCI_DMA_TODEVICE);
+                       }
+               }
+-              /* Stamp the freed descriptor */
+-              for (i = 0; i < tx_info->nr_txbb * TXBB_SIZE; i += STAMP_STRIDE) {
+-                      *ptr = stamp;
+-                      ptr += STAMP_DWORDS;
+-              }
+-
+       } else {
+               if (!tx_info->inl) {
+                       if ((void *) data >= end) {
+@@ -263,16 +288,6 @@ static u32 mlx4_en_free_tx_desc(struct m
+                               ++data;
+                       }
+               }
+-              /* Stamp the freed descriptor */
+-              for (i = 0; i < tx_info->nr_txbb * TXBB_SIZE; i += STAMP_STRIDE) {
+-                      *ptr = stamp;
+-                      ptr += STAMP_DWORDS;
+-                      if ((void *) ptr >= end) {
+-                              ptr = ring->buf;
+-                              stamp ^= cpu_to_be32(0x80000000);
+-                      }
+-              }
+-
+       }
+       dev_kfree_skb_any(skb);
+       return tx_info->nr_txbb;
+@@ -318,8 +333,9 @@ static void mlx4_en_process_tx_cq(struct
+       struct mlx4_en_tx_ring *ring = &priv->tx_ring[cq->ring];
+       struct mlx4_cqe *cqe;
+       u16 index;
+-      u16 new_index, ring_index;
++      u16 new_index, ring_index, stamp_index;
+       u32 txbbs_skipped = 0;
++      u32 txbbs_stamp = 0;
+       u32 cons_index = mcq->cons_index;
+       int size = cq->size;
+       u32 size_mask = ring->size_mask;
+@@ -335,6 +351,7 @@ static void mlx4_en_process_tx_cq(struct
+       index = cons_index & size_mask;
+       cqe = &buf[(index << factor) + factor];
+       ring_index = ring->cons & size_mask;
++      stamp_index = ring_index;
+       /* Process all completed CQEs */
+       while (XNOR(cqe->owner_sr_opcode & MLX4_CQE_OWNER_MASK,
+@@ -359,6 +376,12 @@ static void mlx4_en_process_tx_cq(struct
+                                       priv, ring, ring_index,
+                                       !!((ring->cons + txbbs_skipped) &
+                                       ring->size), timestamp);
++
++                      mlx4_en_stamp_wqe(priv, ring, stamp_index,
++                                        !!((ring->cons + txbbs_stamp) &
++                                              ring->size));
++                      stamp_index = ring_index;
++                      txbbs_stamp = txbbs_skipped;
+                       packets++;
+                       bytes += ring->tx_info[ring_index].nr_bytes;
+               } while (ring_index != new_index);
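Review bot: The deliberate one-WQE lag between `ring_index` and `stamp_index` at L857-L861 is the entire fix, yet nothing in the code says why the most recently completed WQE is left unstamped until the next CQ pass; a later reader will read it as an off-by-one and "correct" it. Suggest a comment above the `mlx4_en_stamp_wqe()` call: `/* Stamp the previously completed WQE, not this one: the TX path may still be copying this WQE to the BlueFlame register, and stamping it now would hand HW a STAMPED control segment (see commit log). */`. Separately, `priv` is unused in the new `mlx4_en_stamp_wqe()` (L761-L792) and could be dropped. `mlx4_en_process_tx_cq()` begins and ends outside the hunk.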
diff --git a/queue-3.10/netfilter-nf_log-account-for-size-of-nlmsg_done-attribute.patch b/queue-3.10/netfilter-nf_log-account-for-size-of-nlmsg_done-attribute.patch
new file mode 100644 (file)
index 0000000..61ddc25
--- /dev/null
@@ -0,0 +1,47 @@
+From 9dfa1dfe4d5e5e66a991321ab08afe69759d797a Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 23 Oct 2014 10:36:06 +0200
+Subject: netfilter: nf_log: account for size of NLMSG_DONE attribute
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 9dfa1dfe4d5e5e66a991321ab08afe69759d797a upstream.
+
+We currently neither account for the nlattr size, nor do we consider
+the size of the trailing NLMSG_DONE when allocating nlmsg skb.
+
+This can result in nflog to stop working, as __nfulnl_send() re-tries
+sending forever if it failed to append NLMSG_DONE (which will never
+work if buffer is not large enough).
+
+Reported-by: Houcheng Lin <houcheng@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nfnetlink_log.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -647,7 +647,8 @@ nfulnl_log_packet(struct net *net,
+               + nla_total_size(sizeof(u_int32_t))     /* gid */
+               + nla_total_size(plen)                  /* prefix */
+               + nla_total_size(sizeof(struct nfulnl_msg_packet_hw))
+-              + nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp));
++              + nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp))
++              + nla_total_size(sizeof(struct nfgenmsg));      /* NLMSG_DONE */
+       if (in && skb_mac_header_was_set(skb)) {
+               size +=   nla_total_size(skb->dev->hard_header_len)
+@@ -690,8 +691,7 @@ nfulnl_log_packet(struct net *net,
+               goto unlock_and_release;
+       }
+-      if (inst->skb &&
+-          size > skb_tailroom(inst->skb) - sizeof(struct nfgenmsg)) {
++      if (inst->skb && size > skb_tailroom(inst->skb)) {
+               /* either the queue len is too high or we don't have
+                * enough room in the skb left. flush to userspace. */
+               __nfulnl_flush(inst);
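Review bot: The reservation added at L903 is `nla_total_size(sizeof(struct nfgenmsg))`, but what is appended at flush time is a netlink message, `nlmsg_put(..., NLMSG_DONE, sizeof(struct nfgenmsg), 0)`, whose cost is `nlmsg_total_size(sizeof(struct nfgenmsg))` — NLMSG_HDRLEN plus payload, 20 bytes aligned, versus 8 for the nla form. Unless the rest of the `size` computation (outside the hunk) already carries enough alignment slack, the new tailroom check at L911 can still pass with too little room for NLMSG_DONE, which is exactly the condition the companion patch turns into a WARN and a dropped skb. I would change L903 to `+ nlmsg_total_size(sizeof(struct nfgenmsg)); /* NLMSG_DONE */`. `nfulnl_log_packet()` starts and ends outside the hunk.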
diff --git a/queue-3.10/netfilter-nf_log-release-skbuff-on-nlmsg-put-failure.patch b/queue-3.10/netfilter-nf_log-release-skbuff-on-nlmsg-put-failure.patch
new file mode 100644 (file)
index 0000000..8b861f0
--- /dev/null
@@ -0,0 +1,66 @@
+From b51d3fa364885a2c1e1668f88776c67c95291820 Mon Sep 17 00:00:00 2001
+From: Houcheng Lin <houcheng@gmail.com>
+Date: Thu, 23 Oct 2014 10:36:08 +0200
+Subject: netfilter: nf_log: release skbuff on nlmsg put failure
+
+From: Houcheng Lin <houcheng@gmail.com>
+
+commit b51d3fa364885a2c1e1668f88776c67c95291820 upstream.
+
+The kernel should reserve enough room in the skb so that the DONE
+message can always be appended.  However, in case of e.g. new attribute
+erronously not being size-accounted for, __nfulnl_send() will still
+try to put next nlmsg into this full skbuf, causing the skb to be stuck
+forever and blocking delivery of further messages.
+
+Fix issue by releasing skb immediately after nlmsg_put error and
+WARN() so we can track down the cause of such size mismatch.
+
+[ fw@strlen.de: add tailroom/len info to WARN ]
+
+Signed-off-by: Houcheng Lin <houcheng@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nfnetlink_log.c |   17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -348,26 +348,25 @@ nfulnl_alloc_skb(u32 peer_portid, unsign
+       return skb;
+ }
+-static int
++static void
+ __nfulnl_send(struct nfulnl_instance *inst)
+ {
+-      int status = -1;
+-
+       if (inst->qlen > 1) {
+               struct nlmsghdr *nlh = nlmsg_put(inst->skb, 0, 0,
+                                                NLMSG_DONE,
+                                                sizeof(struct nfgenmsg),
+                                                0);
+-              if (!nlh)
++              if (WARN_ONCE(!nlh, "bad nlskb size: %u, tailroom %d\n",
++                            inst->skb->len, skb_tailroom(inst->skb))) {
++                      kfree_skb(inst->skb);
+                       goto out;
++              }
+       }
+-      status = nfnetlink_unicast(inst->skb, inst->net, inst->peer_portid,
+-                                 MSG_DONTWAIT);
+-
++      nfnetlink_unicast(inst->skb, inst->net, inst->peer_portid,
++                        MSG_DONTWAIT);
++out:
+       inst->qlen = 0;
+       inst->skb = NULL;
+-out:
+-      return status;
+ }
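Review bot: On the `WARN_ONCE` path at L966-L970 the skb is freed and control jumps to `out:`, where `inst->skb` and `inst->qlen` are reset, so every message batched into that skb is discarded and only the first occurrence is ever reported; that is the intent per the commit log, but the code does not say so. Suggest `/* Not enough tailroom for NLMSG_DONE: a size-accounting bug. Drop the whole batch rather than wedge the instance. */` above the `kfree_skb()`. Also, the function now returns void and the `nfnetlink_unicast()` result at L975 is discarded, so if delivery failures were ever worth surfacing to the caller, this is where that information is lost. The callers of `__nfulnl_send()` are outside the hunk.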
+ static void
diff --git a/queue-3.10/netfilter-nf_nat-fix-oops-on-netns-removal.patch b/queue-3.10/netfilter-nf_nat-fix-oops-on-netns-removal.patch
new file mode 100644 (file)
index 0000000..918f15b
--- /dev/null
@@ -0,0 +1,98 @@
+From 945b2b2d259d1a4364a2799e80e8ff32f8c6ee6f Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Sat, 7 Jun 2014 21:17:04 +0200
+Subject: netfilter: nf_nat: fix oops on netns removal
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 945b2b2d259d1a4364a2799e80e8ff32f8c6ee6f upstream.
+
+Quoting Samu Kallio:
+
+ Basically what's happening is, during netns cleanup,
+ nf_nat_net_exit gets called before ipv4_net_exit. As I understand
+ it, nf_nat_net_exit is supposed to kill any conntrack entries which
+ have NAT context (through nf_ct_iterate_cleanup), but for some
+ reason this doesn't happen (perhaps something else is still holding
+ refs to those entries?).
+
+ When ipv4_net_exit is called, conntrack entries (including those
+ with NAT context) are cleaned up, but the
+ nat_bysource hashtable is long gone - freed in nf_nat_net_exit. The
+ bug happens when attempting to free a conntrack entry whose NAT hash
+ 'prev' field points to a slot in the freed hash table (head for that
+ bin).
+
+We ignore conntracks with null nat bindings.  But this is wrong,
+as these are in bysource hash table as well.
+
+Restore nat-cleaning for the netns-is-being-removed case.
+
+bug:
+https://bugzilla.kernel.org/show_bug.cgi?id=65191
+
+Fixes: c2d421e1718 ('netfilter: nf_nat: fix race when unloading protocol modules')
+Reported-by: Samu Kallio <samu.kallio@aberdeencloud.com>
+Debugged-by: Samu Kallio <samu.kallio@aberdeencloud.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Tested-by: Samu Kallio <samu.kallio@aberdeencloud.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+[samu.kallio@aberdeencloud.com: backport to 3.10-stable]
+Signed-off-by: Samu Kallio <samu.kallio@aberdeencloud.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_nat_core.c |   35 ++++++++++++++++++++++++++++++++++-
+ 1 file changed, 34 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_nat_core.c
++++ b/net/netfilter/nf_nat_core.c
+@@ -487,6 +487,39 @@ static int nf_nat_proto_remove(struct nf
+       return i->status & IPS_NAT_MASK ? 1 : 0;
+ }
++static int nf_nat_proto_clean(struct nf_conn *ct, void *data)
++{
++      struct nf_conn_nat *nat = nfct_nat(ct);
++
++      if (nf_nat_proto_remove(ct, data))
++              return 1;
++
++      if (!nat || !nat->ct)
++              return 0;
++
++      /* This netns is being destroyed, and conntrack has nat null binding.
++       * Remove it from bysource hash, as the table will be freed soon.
++       *
++       * Else, when the conntrack is destoyed, nf_nat_cleanup_conntrack()
++       * will delete entry from already-freed table.
++       */
++      if (!del_timer(&ct->timeout))
++              return 1;
++
++      spin_lock_bh(&nf_nat_lock);
++      hlist_del_rcu(&nat->bysource);
++      ct->status &= ~IPS_NAT_DONE_MASK;
++      nat->ct = NULL;
++      spin_unlock_bh(&nf_nat_lock);
++
++      add_timer(&ct->timeout);
++
++      /* don't delete conntrack.  Although that would make things a lot
++       * simpler, we'd end up flushing all conntracks on nat rmmod.
++       */
++      return 0;
++}
++
+ static void nf_nat_l4proto_clean(u8 l3proto, u8 l4proto)
+ {
+       struct nf_nat_proto_clean clean = {
+@@ -749,7 +782,7 @@ static void __net_exit nf_nat_net_exit(s
+ {
+       struct nf_nat_proto_clean clean = {};
+-      nf_ct_iterate_cleanup(net, &nf_nat_proto_remove, &clean);
++      nf_ct_iterate_cleanup(net, nf_nat_proto_clean, &clean);
+       synchronize_rcu();
+       nf_ct_free_hashtable(net->ct.nat_bysource, net->ct.nat_htable_size);
+ }
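Review bot: `ct->status &= ~IPS_NAT_DONE_MASK;` at L1062 is a non-atomic read-modify-write of the conntrack status word, and `nf_nat_lock` only serialises other NAT-table writers; if, as elsewhere in conntrack, other bits of `ct->status` are set with `set_bit()` from contexts that do not take that lock, a concurrent update can be lost. The safe form is two atomic clears: `clear_bit(IPS_SRC_NAT_DONE_BIT, &ct->status); clear_bit(IPS_DST_NAT_DONE_BIT, &ct->status);`. The `del_timer()`/`add_timer()` pair at L1057 and L1066 also deserves a one-line comment — presumably it excludes a concurrent timer-driven destroy while the bysource entry is unlinked — since the `return 1` when the timer is already gone is otherwise surprising.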
diff --git a/queue-3.10/netfilter-nfnetlink_log-fix-maximum-packet-length-logged-to-userspace.patch b/queue-3.10/netfilter-nfnetlink_log-fix-maximum-packet-length-logged-to-userspace.patch
new file mode 100644 (file)
index 0000000..da06da9
--- /dev/null
@@ -0,0 +1,55 @@
+From c1e7dc91eed0ed1a51c9b814d648db18bf8fc6e9 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 23 Oct 2014 10:36:07 +0200
+Subject: netfilter: nfnetlink_log: fix maximum packet length logged to userspace
+
+From: Florian Westphal <fw@strlen.de>
+
+commit c1e7dc91eed0ed1a51c9b814d648db18bf8fc6e9 upstream.
+
+don't try to queue payloads > 0xffff - NLA_HDRLEN, it does not work.
+The nla length includes the size of the nla struct, so anything larger
+results in u16 integer overflow.
+
+This patch is similar to
+9cefbbc9c8f9abe (netfilter: nfnetlink_queue: cleanup copy_range usage).
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nfnetlink_log.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -45,7 +45,8 @@
+ #define NFULNL_NLBUFSIZ_DEFAULT       NLMSG_GOODSIZE
+ #define NFULNL_TIMEOUT_DEFAULT        100     /* every second */
+ #define NFULNL_QTHRESH_DEFAULT        100     /* 100 packets */
+-#define NFULNL_COPY_RANGE_MAX 0xFFFF  /* max packet size is limited by 16-bit struct nfattr nfa_len field */
++/* max packet size is limited by 16-bit struct nfattr nfa_len field */
++#define NFULNL_COPY_RANGE_MAX (0xFFFF - NLA_HDRLEN)
+ #define PRINTR(x, args...)    do { if (net_ratelimit()) \
+                                    printk(x, ## args); } while (0);
+@@ -255,6 +256,8 @@ nfulnl_set_mode(struct nfulnl_instance *
+       case NFULNL_COPY_PACKET:
+               inst->copy_mode = mode;
++              if (range == 0)
++                      range = NFULNL_COPY_RANGE_MAX;
+               inst->copy_range = min_t(unsigned int,
+                                        range, NFULNL_COPY_RANGE_MAX);
+               break;
+@@ -677,8 +680,7 @@ nfulnl_log_packet(struct net *net,
+               break;
+       case NFULNL_COPY_PACKET:
+-              if (inst->copy_range == 0
+-                  || inst->copy_range > skb->len)
++              if (inst->copy_range > skb->len)
+                       data_len = skb->len;
+               else
+                       data_len = inst->copy_range;
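Review bot: Dropping the `copy_range == 0` fallback at L1136-L1138 makes the zero-means-maximum default depend entirely on `nfulnl_set_mode()` (L1128-L1129); an instance whose `copy_range` is still 0 because it never went through `set_mode` would now log zero bytes of payload instead of the whole packet. That is only safe if instance creation (outside the hunk) initialises `copy_range` to `NFULNL_COPY_RANGE_MAX` — please confirm, or keep the defensive form `if (inst->copy_range == 0 || inst->copy_range > skb->len)`. The macro comment at L1121 could also spell out the arithmetic: `/* nla_len is u16 and includes NLA_HDRLEN, so the payload is capped at 0xFFFF - NLA_HDRLEN */`.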
diff --git a/queue-3.10/netfilter-xt_bpf-add-mising-opaque-struct-sk_filter-definition.patch b/queue-3.10/netfilter-xt_bpf-add-mising-opaque-struct-sk_filter-definition.patch
new file mode 100644 (file)
index 0000000..5521b94
--- /dev/null
@@ -0,0 +1,34 @@
+From e10038a8ec06ac819b7552bb67aaa6d2d6f850c1 Mon Sep 17 00:00:00 2001
+From: Pablo Neira <pablo@netfilter.org>
+Date: Tue, 29 Jul 2014 18:12:15 +0200
+Subject: netfilter: xt_bpf: add mising opaque struct sk_filter definition
+
+From: Pablo Neira <pablo@netfilter.org>
+
+commit e10038a8ec06ac819b7552bb67aaa6d2d6f850c1 upstream.
+
+This structure is not exposed to userspace, so fix this by defining
+struct sk_filter; so we skip the casting in kernelspace. This is safe
+since userspace has no way to lurk with that internal pointer.
+
+Fixes: e6f30c7 ("netfilter: x_tables: add xt_bpf match")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/uapi/linux/netfilter/xt_bpf.h |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/uapi/linux/netfilter/xt_bpf.h
++++ b/include/uapi/linux/netfilter/xt_bpf.h
+@@ -6,6 +6,8 @@
+ #define XT_BPF_MAX_NUM_INSTR  64
++struct sk_filter;
++
+ struct xt_bpf_info {
+       __u16 bpf_program_num_elem;
+       struct sock_filter bpf_program[XT_BPF_MAX_NUM_INSTR];
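Review bot: This is a UAPI header, so the forward declaration at L1174 exports the kernel-internal tag `sk_filter` into userspace builds; harmless for an incomplete type, but the line should say the name is opaque on the user side: `struct sk_filter; /* kernel-internal; opaque to userspace */`. The commit log states userspace cannot abuse the pointer this declaration exists for; the `struct xt_bpf_info` member that holds it lies past the end of the hunk, so I could not verify that the kernel side overwrites it at check time rather than trusting the value copied in from userspace — worth a look. `struct xt_bpf_info` ends outside the hunk.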
diff --git a/queue-3.10/perf-handle-compat-ioctl.patch b/queue-3.10/perf-handle-compat-ioctl.patch
new file mode 100644 (file)
index 0000000..b93b87b
--- /dev/null
@@ -0,0 +1,79 @@
+From b3f207855f57b9c8f43a547a801340bb5cbc59e5 Mon Sep 17 00:00:00 2001
+From: Pawel Moll <pawel.moll@arm.com>
+Date: Fri, 13 Jun 2014 16:03:32 +0100
+Subject: perf: Handle compat ioctl
+
+From: Pawel Moll <pawel.moll@arm.com>
+
+commit b3f207855f57b9c8f43a547a801340bb5cbc59e5 upstream.
+
+When running a 32-bit userspace on a 64-bit kernel (eg. i386
+application on x86_64 kernel or 32-bit arm userspace on arm64
+kernel) some of the perf ioctls must be treated with special
+care, as they have a pointer size encoded in the command.
+
+For example, PERF_EVENT_IOC_ID in 32-bit world will be encoded
+as 0x80042407, but 64-bit kernel will expect 0x80082407. In
+result the ioctl will fail returning -ENOTTY.
+
+This patch solves the problem by adding code fixing up the
+size as compat_ioctl file operation.
+
+Reported-by: Drew Richardson <drew.richardson@arm.com>
+Signed-off-by: Pawel Moll <pawel.moll@arm.com>
+Signed-off-by: Peter Zijlstra <peterz@infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Link: http://lkml.kernel.org/r/1402671812-9078-1-git-send-email-pawel.moll@arm.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: David Ahern <daahern@cisco.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/events/core.c |   22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -39,6 +39,7 @@
+ #include <linux/hw_breakpoint.h>
+ #include <linux/mm_types.h>
+ #include <linux/cgroup.h>
++#include <linux/compat.h>
+ #include "internal.h"
+@@ -3490,6 +3491,25 @@ static long perf_ioctl(struct file *file
+       return 0;
+ }
++#ifdef CONFIG_COMPAT
++static long perf_compat_ioctl(struct file *file, unsigned int cmd,
++                              unsigned long arg)
++{
++      switch (_IOC_NR(cmd)) {
++      case _IOC_NR(PERF_EVENT_IOC_SET_FILTER):
++              /* Fix up pointer size (usually 4 -> 8 in 32-on-64-bit case */
++              if (_IOC_SIZE(cmd) == sizeof(compat_uptr_t)) {
++                      cmd &= ~IOCSIZE_MASK;
++                      cmd |= sizeof(void *) << IOCSIZE_SHIFT;
++              }
++              break;
++      }
++      return perf_ioctl(file, cmd, arg);
++}
++#else
++# define perf_compat_ioctl NULL
++#endif
++
+ int perf_event_task_enable(void)
+ {
+       struct perf_event *event;
+@@ -3961,7 +3981,7 @@ static const struct file_operations perf
+       .read                   = perf_read,
+       .poll                   = perf_poll,
+       .unlocked_ioctl         = perf_ioctl,
+-      .compat_ioctl           = perf_ioctl,
++      .compat_ioctl           = perf_compat_ioctl,
+       .mmap                   = perf_mmap,
+       .fasync                 = perf_fasync,
+ };
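Review bot: The commit log motivates the fix with `PERF_EVENT_IOC_ID` (0x80042407 vs 0x80082407), but the switch at L1233-L1241 only fixes up `PERF_EVENT_IOC_SET_FILTER`; if this tree has no `PERF_EVENT_IOC_ID` the backport is correct but the log is misleading, and if it does, a `case _IOC_NR(PERF_EVENT_IOC_ID):` label is missing. A comment on the switch naming which pointer-sized commands exist in this tree would settle it. Minor: the comment at L1235 has an unbalanced parenthesis, `/* Fix up pointer size (usually 4 -> 8 in 32-on-64-bit case) */`, and the switch has no `default:`, so every other command reaches `perf_ioctl()` unchanged — presumably intended for commands without a pointer-sized payload.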
diff --git a/queue-3.10/perf-x86-intel-use-proper-dtlb-load-misses-event-on-ivybridge.patch b/queue-3.10/perf-x86-intel-use-proper-dtlb-load-misses-event-on-ivybridge.patch
new file mode 100644 (file)
index 0000000..d3efe6f
--- /dev/null
@@ -0,0 +1,44 @@
+From 1996388e9f4e3444db8273bc08d25164d2967c21 Mon Sep 17 00:00:00 2001
+From: Vince Weaver <vincent.weaver@maine.edu>
+Date: Mon, 14 Jul 2014 15:33:25 -0400
+Subject: perf/x86/intel: Use proper dTLB-load-misses event on IvyBridge
+
+From: Vince Weaver <vincent.weaver@maine.edu>
+
+commit 1996388e9f4e3444db8273bc08d25164d2967c21 upstream.
+
+This was discussed back in February:
+
+       https://lkml.org/lkml/2014/2/18/956
+
+But I never saw a patch come out of it.
+
+On IvyBridge we share the SandyBridge cache event tables, but the
+dTLB-load-miss event is not compatible.  Patch it up after
+the fact to the proper DTLB_LOAD_MISSES.DEMAND_LD_MISS_CAUSES_A_WALK
+
+Signed-off-by: Vince Weaver <vincent.weaver@maine.edu>
+Signed-off-by: Peter Zijlstra <peterz@infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: http://lkml.kernel.org/r/alpine.DEB.2.11.1407141528200.17214@vincent-weaver-1.umelst.maine.edu
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Hou Pengyang <houpengyang@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/perf_event_intel.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kernel/cpu/perf_event_intel.c
++++ b/arch/x86/kernel/cpu/perf_event_intel.c
+@@ -2172,6 +2172,9 @@ __init int intel_pmu_init(void)
+       case 62: /* IvyBridge EP */
+               memcpy(hw_cache_event_ids, snb_hw_cache_event_ids,
+                      sizeof(hw_cache_event_ids));
++              /* dTLB-load-misses on IVB is different than SNB */
++              hw_cache_event_ids[C(DTLB)][C(OP_READ)][C(RESULT_MISS)] = 0x8108; /* DTLB_LOAD_MISSES.DEMAND_LD_MISS_CAUSES_A_WALK */
++
+               memcpy(hw_cache_extra_regs, snb_hw_cache_extra_regs,
+                      sizeof(hw_cache_extra_regs));
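Review bot: The override at L1304 sits under `case 62: /* IvyBridge EP */` only; the commit log says IvyBridge shares the SandyBridge tables generally, so the client model presumably reaches this code by fall-through from a label just above the hunk — worth confirming, since a separate case with its own `memcpy` would keep the wrong dTLB-load-misses event there. The placement also matters: the override must follow the `snb_hw_cache_event_ids` copy at L1301-L1302 or it is clobbered, which the comment could say explicitly: `/* dTLB-load-misses on IVB differs from SNB; must follow the memcpy above */`. `intel_pmu_init()` extends beyond the hunk.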
diff --git a/queue-3.10/scsi-hpsa-fix-a-race-in-cmd_free-scsi_done.patch b/queue-3.10/scsi-hpsa-fix-a-race-in-cmd_free-scsi_done.patch
new file mode 100644 (file)
index 0000000..94f459a
--- /dev/null
@@ -0,0 +1,47 @@
+From 2cc5bfaf854463d9d1aa52091f60110fbf102a96 Mon Sep 17 00:00:00 2001
+From: Tomas Henzl <thenzl@redhat.com>
+Date: Thu, 1 Aug 2013 15:14:00 +0200
+Subject: SCSI: hpsa: fix a race in cmd_free/scsi_done
+
+From: Tomas Henzl <thenzl@redhat.com>
+
+commit 2cc5bfaf854463d9d1aa52091f60110fbf102a96 upstream.
+
+When the driver calls scsi_done and after that frees it's internal
+preallocated memory it can happen that a new job is enqueud before
+the memory is freed. The allocation fails and the message
+"cmd_alloc returned NULL" is shown.
+Patch below fixes it by moving cmd->scsi_done after cmd_free.
+
+Signed-off-by: Tomas Henzl <thenzl@redhat.com>
+Acked-by: Stephen M. Cameron <scameron@beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Cc: Masoud Sharbiani <msharbiani@twitter.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/hpsa.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1206,8 +1206,8 @@ static void complete_scsi_command(struct
+       scsi_set_resid(cmd, ei->ResidualCnt);
+       if (ei->CommandStatus == 0) {
+-              cmd->scsi_done(cmd);
+               cmd_free(h, cp);
++              cmd->scsi_done(cmd);
+               return;
+       }
+@@ -1380,8 +1380,8 @@ static void complete_scsi_command(struct
+               dev_warn(&h->pdev->dev, "cp %p returned unknown status %x\n",
+                               cp, ei->CommandStatus);
+       }
+-      cmd->scsi_done(cmd);
+       cmd_free(h, cp);
++      cmd->scsi_done(cmd);
+ }
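Review bot: After `cmd_free(h, cp)` at L1344 and L1353, `cp` can be handed to a new request at once, so the reordered `cmd->scsi_done(cmd)` is safe only because `cmd` is a separate object and nothing reads `cp` afterwards; that invariant should be written down so a future edit does not re-derive `cmd` from `cp` after the free: `/* cp is free from here on: scsi_done() may re-enter queuecommand and reuse it */`. The two hunks are far apart (L1340 vs L1348) and `complete_scsi_command()` is cut mid-body; if any return path in between still calls `scsi_done()` before `cmd_free()`, it has the same race the commit log describes and needs the same reordering — please check.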
+ static void hpsa_pci_unmap(struct pci_dev *pdev,
index 18246c3746737f1f66ba4b48caf4c8b62a0aa861..8f0a657d2ce71740de38d5c7efb6f283c652e607 100644 (file)
@@ -37,3 +37,21 @@ nfs-don-t-try-to-reclaim-delegation-open-state-if-recovery-failed.patch
 nfs-fix-use-of-uninitialized-variable-in-nfs_getattr.patch
 nfsv4-fix-races-between-nfs_remove_bad_delegation-and-delegation-return.patch
 media-ttusb-dec-buffer-overflow-in-ioctl.patch
+kgdb-remove-weak-from-kgdb_arch_pc-declaration.patch
+clocksource-remove-weak-from-clocksource_default_clock-declaration.patch
+ipc-always-handle-a-new-value-of-auto_msgmni.patch
+netfilter-nf_log-account-for-size-of-nlmsg_done-attribute.patch
+netfilter-nfnetlink_log-fix-maximum-packet-length-logged-to-userspace.patch
+netfilter-nf_log-release-skbuff-on-nlmsg-put-failure.patch
+netfilter-xt_bpf-add-mising-opaque-struct-sk_filter-definition.patch
+netfilter-nf_nat-fix-oops-on-netns-removal.patch
+br-fix-use-of-rx_handler_data-in-code-executed-on-non-rx_handler-path.patch
+arm-probes-fix-instruction-fetch-order-with-asm-opcodes.h.patch
+dell-wmi-fix-access-out-of-memory.patch
+mips-fix-forgotten-preempt_enable-when-cpu-has-inclusive.patch
+perf-handle-compat-ioctl.patch
+mei-bus-fix-possible-boundaries-violation.patch
+perf-x86-intel-use-proper-dtlb-load-misses-event-on-ivybridge.patch
+arm-correct-bug-assembly-to-ensure-it-is-endian-agnostic.patch
+net-mlx4_en-fix-blueflame-race.patch
+scsi-hpsa-fix-a-race-in-cmd_free-scsi_done.patch