grsecurity-3.1-4.8.15-20161215192320161215

14 files changed, 1068 insertions, 12 deletions

diff --git a/4.8.14/0000_README b/4.8.15/0000_README
index e2c9a03..cd91d08 100644
--- a/4.8.14/0000_README
+++ b/4.8.15/0000_README
@@ -10,7 +10,11 @@ Patch:	1013_linux-4.8.14.patch
 From:	http://www.kernel.org
 Desc:	Linux 4.8.14
 
-Patch:	4420_grsecurity-3.1-4.8.14-201612110933.patch
+Patch:	1014_linux-4.8.15.patch
+From:	http://www.kernel.org
+Desc:	Linux 4.8.15
+
+Patch:	4420_grsecurity-3.1-4.8.15-201612151923.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/4.8.14/1012_linux-4.8.13.patch b/4.8.15/1012_linux-4.8.13.patch
index c742393..c742393 100644
--- a/4.8.14/1012_linux-4.8.13.patch
+++ b/4.8.15/1012_linux-4.8.13.patch
diff --git a/4.8.14/1013_linux-4.8.14.patch b/4.8.15/1013_linux-4.8.14.patch
index 63d837b..63d837b 100644
--- a/4.8.14/1013_linux-4.8.14.patch
+++ b/4.8.15/1013_linux-4.8.14.patch
diff --git a/4.8.15/1014_linux-4.8.15.patch b/4.8.15/1014_linux-4.8.15.patch
new file mode 100644
index 0000000..9b7b2f4
--- /dev/null
+++ b/4.8.15/1014_linux-4.8.15.patch
@@ -0,0 +1,1042 @@
+diff --git a/Makefile b/Makefile
+index 6a74924..c7f0e79 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 8
+-SUBLEVEL = 14
++SUBLEVEL = 15
+ EXTRAVERSION =
+ NAME = Psychotic Stoned Sheep
+ 
+diff --git a/arch/arm/boot/dts/imx7s.dtsi b/arch/arm/boot/dts/imx7s.dtsi
+index 1e90bdb..fb307de 100644
+--- a/arch/arm/boot/dts/imx7s.dtsi
++++ b/arch/arm/boot/dts/imx7s.dtsi
+@@ -640,9 +640,8 @@
+ 				reg = <0x30730000 0x10000>;
+ 				interrupts = <GIC_SPI 5 IRQ_TYPE_LEVEL_HIGH>;
+ 				clocks = <&clks IMX7D_LCDIF_PIXEL_ROOT_CLK>,
+-					<&clks IMX7D_CLK_DUMMY>,
+-					<&clks IMX7D_CLK_DUMMY>;
+-				clock-names = "pix", "axi", "disp_axi";
++					<&clks IMX7D_LCDIF_PIXEL_ROOT_CLK>;
++				clock-names = "pix", "axi";
+ 				status = "disabled";
+ 			};
+ 		};
+diff --git a/arch/arm/boot/dts/orion5x-linkstation-lsgl.dts b/arch/arm/boot/dts/orion5x-linkstation-lsgl.dts
+index 1cf644b..51dc734 100644
+--- a/arch/arm/boot/dts/orion5x-linkstation-lsgl.dts
++++ b/arch/arm/boot/dts/orion5x-linkstation-lsgl.dts
+@@ -82,6 +82,10 @@
+ 	gpios = <&gpio0 9 GPIO_ACTIVE_HIGH>;
+ };
+ 
++&sata {
++	nr-ports = <2>;
++};
++
+ &ehci1 {
+ 	status = "okay";
+ };
+diff --git a/arch/m68k/include/asm/delay.h b/arch/m68k/include/asm/delay.h
+index d28fa8f..c598d84 100644
+--- a/arch/m68k/include/asm/delay.h
++++ b/arch/m68k/include/asm/delay.h
+@@ -114,6 +114,6 @@ static inline void __udelay(unsigned long usecs)
+  */
+ #define	HZSCALE		(268435456 / (1000000 / HZ))
+ 
+-#define ndelay(n) __delay(DIV_ROUND_UP((n) * ((((HZSCALE) >> 11) * (loops_per_jiffy >> 11)) >> 6), 1000));
++#define ndelay(n) __delay(DIV_ROUND_UP((n) * ((((HZSCALE) >> 11) * (loops_per_jiffy >> 11)) >> 6), 1000))
+ 
+ #endif /* defined(_M68K_DELAY_H) */
+diff --git a/arch/parisc/include/asm/pgtable.h b/arch/parisc/include/asm/pgtable.h
+index c2c43f7..3a4ed9f 100644
+--- a/arch/parisc/include/asm/pgtable.h
++++ b/arch/parisc/include/asm/pgtable.h
+@@ -65,9 +65,9 @@ static inline void purge_tlb_entries(struct mm_struct *mm, unsigned long addr)
+ 		unsigned long flags;				\
+ 		spin_lock_irqsave(&pa_tlb_lock, flags);		\
+ 		old_pte = *ptep;				\
+-		set_pte(ptep, pteval);				\
+ 		if (pte_inserted(old_pte))			\
+ 			purge_tlb_entries(mm, addr);		\
++		set_pte(ptep, pteval);				\
+ 		spin_unlock_irqrestore(&pa_tlb_lock, flags);	\
+ 	} while (0)
+ 
+@@ -478,8 +478,8 @@ static inline int ptep_test_and_clear_young(struct vm_area_struct *vma, unsigned
+ 		spin_unlock_irqrestore(&pa_tlb_lock, flags);
+ 		return 0;
+ 	}
+-	set_pte(ptep, pte_mkold(pte));
+ 	purge_tlb_entries(vma->vm_mm, addr);
++	set_pte(ptep, pte_mkold(pte));
+ 	spin_unlock_irqrestore(&pa_tlb_lock, flags);
+ 	return 1;
+ }
+@@ -492,9 +492,9 @@ static inline pte_t ptep_get_and_clear(struct mm_struct *mm, unsigned long addr,
+ 
+ 	spin_lock_irqsave(&pa_tlb_lock, flags);
+ 	old_pte = *ptep;
+-	set_pte(ptep, __pte(0));
+ 	if (pte_inserted(old_pte))
+ 		purge_tlb_entries(mm, addr);
++	set_pte(ptep, __pte(0));
+ 	spin_unlock_irqrestore(&pa_tlb_lock, flags);
+ 
+ 	return old_pte;
+@@ -504,8 +504,8 @@ static inline void ptep_set_wrprotect(struct mm_struct *mm, unsigned long addr,
+ {
+ 	unsigned long flags;
+ 	spin_lock_irqsave(&pa_tlb_lock, flags);
+-	set_pte(ptep, pte_wrprotect(*ptep));
+ 	purge_tlb_entries(mm, addr);
++	set_pte(ptep, pte_wrprotect(*ptep));
+ 	spin_unlock_irqrestore(&pa_tlb_lock, flags);
+ }
+ 
+diff --git a/arch/parisc/kernel/cache.c b/arch/parisc/kernel/cache.c
+index c2259d4..bbb314eb 100644
+--- a/arch/parisc/kernel/cache.c
++++ b/arch/parisc/kernel/cache.c
+@@ -393,6 +393,15 @@ void __init parisc_setup_cache_timing(void)
+ 
+ 	/* calculate TLB flush threshold */
+ 
++	/* On SMP machines, skip the TLB measure of kernel text which
++	 * has been mapped as huge pages. */
++	if (num_online_cpus() > 1 && !parisc_requires_coherency()) {
++		threshold = max(cache_info.it_size, cache_info.dt_size);
++		threshold *= PAGE_SIZE;
++		threshold /= num_online_cpus();
++		goto set_tlb_threshold;
++	}
++
+ 	alltime = mfctl(16);
+ 	flush_tlb_all();
+ 	alltime = mfctl(16) - alltime;
+@@ -411,6 +420,8 @@ void __init parisc_setup_cache_timing(void)
+ 		alltime, size, rangetime);
+ 
+ 	threshold = PAGE_ALIGN(num_online_cpus() * size * alltime / rangetime);
++
++set_tlb_threshold:
+ 	if (threshold)
+ 		parisc_tlb_flush_threshold = threshold;
+ 	printk(KERN_INFO "TLB flush threshold set to %lu KiB\n",
+diff --git a/arch/parisc/kernel/pacache.S b/arch/parisc/kernel/pacache.S
+index 6755219..a4761b7 100644
+--- a/arch/parisc/kernel/pacache.S
++++ b/arch/parisc/kernel/pacache.S
+@@ -886,19 +886,10 @@ ENTRY(flush_dcache_page_asm)
+ 	fdc,m		r31(%r28)
+ 	fdc,m		r31(%r28)
+ 	fdc,m		r31(%r28)
+-	cmpb,COND(<<)		%r28, %r25,1b
++	cmpb,COND(<<)	%r28, %r25,1b
+ 	fdc,m		r31(%r28)
+ 
+ 	sync
+-
+-#ifdef CONFIG_PA20
+-	pdtlb,l		%r0(%r25)
+-#else
+-	tlb_lock	%r20,%r21,%r22
+-	pdtlb		%r0(%r25)
+-	tlb_unlock	%r20,%r21,%r22
+-#endif
+-
+ 	bv		%r0(%r2)
+ 	nop
+ 	.exit
+@@ -973,17 +964,6 @@ ENTRY(flush_icache_page_asm)
+ 	fic,m		%r31(%sr4,%r28)
+ 
+ 	sync
+-
+-#ifdef CONFIG_PA20
+-	pdtlb,l		%r0(%r28)
+-	pitlb,l         %r0(%sr4,%r25)
+-#else
+-	tlb_lock        %r20,%r21,%r22
+-	pdtlb		%r0(%r28)
+-	pitlb           %r0(%sr4,%r25)
+-	tlb_unlock      %r20,%r21,%r22
+-#endif
+-
+ 	bv		%r0(%r2)
+ 	nop
+ 	.exit
+diff --git a/arch/powerpc/boot/Makefile b/arch/powerpc/boot/Makefile
+index 1a2a6e8..1894beb 100644
+--- a/arch/powerpc/boot/Makefile
++++ b/arch/powerpc/boot/Makefile
+@@ -78,7 +78,8 @@ src-wlib-y := string.S crt0.S crtsavres.S stdio.c main.c \
+ 		ns16550.c serial.c simple_alloc.c div64.S util.S \
+ 		gunzip_util.c elf_util.c $(zlib) devtree.c stdlib.c \
+ 		oflib.c ofconsole.c cuboot.c mpsc.c cpm-serial.c \
+-		uartlite.c mpc52xx-psc.c opal.c opal-calls.S
++		uartlite.c mpc52xx-psc.c opal.c
++src-wlib-$(CONFIG_PPC64_BOOT_WRAPPER) +=  opal-calls.S
+ src-wlib-$(CONFIG_40x) += 4xx.c planetcore.c
+ src-wlib-$(CONFIG_44x) += 4xx.c ebony.c bamboo.c
+ src-wlib-$(CONFIG_8xx) += mpc8xx.c planetcore.c fsl-soc.c
+diff --git a/arch/powerpc/boot/opal.c b/arch/powerpc/boot/opal.c
+index d7b4fd4..0272570 100644
+--- a/arch/powerpc/boot/opal.c
++++ b/arch/powerpc/boot/opal.c
+@@ -13,7 +13,7 @@
+ #include <libfdt.h>
+ #include "../include/asm/opal-api.h"
+ 
+-#ifdef __powerpc64__
++#ifdef CONFIG_PPC64_BOOT_WRAPPER
+ 
+ /* Global OPAL struct used by opal-call.S */
+ struct opal {
+diff --git a/arch/powerpc/kernel/eeh_driver.c b/arch/powerpc/kernel/eeh_driver.c
+index 29aa8d1..248f28b 100644
+--- a/arch/powerpc/kernel/eeh_driver.c
++++ b/arch/powerpc/kernel/eeh_driver.c
+@@ -671,8 +671,10 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus,
+ 
+ 	/* Clear frozen state */
+ 	rc = eeh_clear_pe_frozen_state(pe, false);
+-	if (rc)
++	if (rc) {
++		pci_unlock_rescan_remove();
+ 		return rc;
++	}
+ 
+ 	/* Give the system 5 seconds to finish running the user-space
+ 	 * hotplug shutdown scripts, e.g. ifdown for ethernet.  Yes,
+diff --git a/arch/powerpc/mm/hash64_4k.c b/arch/powerpc/mm/hash64_4k.c
+index 42c702b..6fa450c 100644
+--- a/arch/powerpc/mm/hash64_4k.c
++++ b/arch/powerpc/mm/hash64_4k.c
+@@ -55,7 +55,7 @@ int __hash_page_4K(unsigned long ea, unsigned long access, unsigned long vsid,
+ 	 */
+ 	rflags = htab_convert_pte_flags(new_pte);
+ 
+-	if (!cpu_has_feature(CPU_FTR_NOEXECUTE) &&
++	if (cpu_has_feature(CPU_FTR_NOEXECUTE) &&
+ 	    !cpu_has_feature(CPU_FTR_COHERENT_ICACHE))
+ 		rflags = hash_page_do_lazy_icache(rflags, __pte(old_pte), trap);
+ 
+diff --git a/arch/powerpc/mm/hash64_64k.c b/arch/powerpc/mm/hash64_64k.c
+index 3bbbea0..1a68cb1 100644
+--- a/arch/powerpc/mm/hash64_64k.c
++++ b/arch/powerpc/mm/hash64_64k.c
+@@ -87,7 +87,7 @@ int __hash_page_4K(unsigned long ea, unsigned long access, unsigned long vsid,
+ 	subpg_pte = new_pte & ~subpg_prot;
+ 	rflags = htab_convert_pte_flags(subpg_pte);
+ 
+-	if (!cpu_has_feature(CPU_FTR_NOEXECUTE) &&
++	if (cpu_has_feature(CPU_FTR_NOEXECUTE) &&
+ 	    !cpu_has_feature(CPU_FTR_COHERENT_ICACHE)) {
+ 
+ 		/*
+@@ -258,7 +258,7 @@ int __hash_page_64K(unsigned long ea, unsigned long access,
+ 
+ 	rflags = htab_convert_pte_flags(new_pte);
+ 
+-	if (!cpu_has_feature(CPU_FTR_NOEXECUTE) &&
++	if (cpu_has_feature(CPU_FTR_NOEXECUTE) &&
+ 	    !cpu_has_feature(CPU_FTR_COHERENT_ICACHE))
+ 		rflags = hash_page_do_lazy_icache(rflags, __pte(old_pte), trap);
+ 
+diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
+index a4e070a..8c925ec 100644
+--- a/arch/x86/events/core.c
++++ b/arch/x86/events/core.c
+@@ -68,7 +68,7 @@ u64 x86_perf_event_update(struct perf_event *event)
+ 	int shift = 64 - x86_pmu.cntval_bits;
+ 	u64 prev_raw_count, new_raw_count;
+ 	int idx = hwc->idx;
+-	s64 delta;
++	u64 delta;
+ 
+ 	if (idx == INTEL_PMC_IDX_FIXED_BTS)
+ 		return 0;
+diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
+index 4c9a79b..3ef34c6 100644
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -4024,7 +4024,7 @@ __init int intel_pmu_init(void)
+ 
+ 	/* Support full width counters using alternative MSR range */
+ 	if (x86_pmu.intel_cap.full_width_write) {
+-		x86_pmu.max_period = x86_pmu.cntval_mask;
++		x86_pmu.max_period = x86_pmu.cntval_mask >> 1;
+ 		x86_pmu.perfctr = MSR_IA32_PMC0;
+ 		pr_cont("full-width counters, ");
+ 	}
+diff --git a/crypto/Makefile b/crypto/Makefile
+index 99cc64ac..bd6a029 100644
+--- a/crypto/Makefile
++++ b/crypto/Makefile
+@@ -40,6 +40,7 @@ obj-$(CONFIG_CRYPTO_ECDH) += ecdh_generic.o
+ 
+ $(obj)/rsapubkey-asn1.o: $(obj)/rsapubkey-asn1.c $(obj)/rsapubkey-asn1.h
+ $(obj)/rsaprivkey-asn1.o: $(obj)/rsaprivkey-asn1.c $(obj)/rsaprivkey-asn1.h
++$(obj)/rsa_helper.o: $(obj)/rsapubkey-asn1.h $(obj)/rsaprivkey-asn1.h
+ clean-files += rsapubkey-asn1.c rsapubkey-asn1.h
+ clean-files += rsaprivkey-asn1.c rsaprivkey-asn1.h
+ 
+diff --git a/crypto/mcryptd.c b/crypto/mcryptd.c
+index 86fb59b..c6e9920 100644
+--- a/crypto/mcryptd.c
++++ b/crypto/mcryptd.c
+@@ -254,18 +254,22 @@ static void *mcryptd_alloc_instance(struct crypto_alg *alg, unsigned int head,
+ 	goto out;
+ }
+ 
+-static inline void mcryptd_check_internal(struct rtattr **tb, u32 *type,
++static inline bool mcryptd_check_internal(struct rtattr **tb, u32 *type,
+ 					  u32 *mask)
+ {
+ 	struct crypto_attr_type *algt;
+ 
+ 	algt = crypto_get_attr_type(tb);
+ 	if (IS_ERR(algt))
+-		return;
+-	if ((algt->type & CRYPTO_ALG_INTERNAL))
+-		*type |= CRYPTO_ALG_INTERNAL;
+-	if ((algt->mask & CRYPTO_ALG_INTERNAL))
+-		*mask |= CRYPTO_ALG_INTERNAL;
++		return false;
++
++	*type |= algt->type & CRYPTO_ALG_INTERNAL;
++	*mask |= algt->mask & CRYPTO_ALG_INTERNAL;
++
++	if (*type & *mask & CRYPTO_ALG_INTERNAL)
++		return true;
++	else
++		return false;
+ }
+ 
+ static int mcryptd_hash_init_tfm(struct crypto_tfm *tfm)
+@@ -492,7 +496,8 @@ static int mcryptd_create_hash(struct crypto_template *tmpl, struct rtattr **tb,
+ 	u32 mask = 0;
+ 	int err;
+ 
+-	mcryptd_check_internal(tb, &type, &mask);
++	if (!mcryptd_check_internal(tb, &type, &mask))
++		return -EINVAL;
+ 
+ 	halg = ahash_attr_alg(tb[1], type, mask);
+ 	if (IS_ERR(halg))
+diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
+index 2accf78..93e0d83 100644
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -94,7 +94,7 @@ static struct acpi_device *to_acpi_dev(struct acpi_nfit_desc *acpi_desc)
+ 	return to_acpi_device(acpi_desc->dev);
+ }
+ 
+-static int xlat_status(void *buf, unsigned int cmd, u32 status)
++static int xlat_bus_status(void *buf, unsigned int cmd, u32 status)
+ {
+ 	struct nd_cmd_clear_error *clear_err;
+ 	struct nd_cmd_ars_status *ars_status;
+@@ -113,7 +113,7 @@ static int xlat_status(void *buf, unsigned int cmd, u32 status)
+ 		flags = ND_ARS_PERSISTENT | ND_ARS_VOLATILE;
+ 		if ((status >> 16 & flags) == 0)
+ 			return -ENOTTY;
+-		break;
++		return 0;
+ 	case ND_CMD_ARS_START:
+ 		/* ARS is in progress */
+ 		if ((status & 0xffff) == NFIT_ARS_START_BUSY)
+@@ -122,7 +122,7 @@ static int xlat_status(void *buf, unsigned int cmd, u32 status)
+ 		/* Command failed */
+ 		if (status & 0xffff)
+ 			return -EIO;
+-		break;
++		return 0;
+ 	case ND_CMD_ARS_STATUS:
+ 		ars_status = buf;
+ 		/* Command failed */
+@@ -146,7 +146,8 @@ static int xlat_status(void *buf, unsigned int cmd, u32 status)
+ 		 * then just continue with the returned results.
+ 		 */
+ 		if (status == NFIT_ARS_STATUS_INTR) {
+-			if (ars_status->flags & NFIT_ARS_F_OVERFLOW)
++			if (ars_status->out_length >= 40 && (ars_status->flags
++						& NFIT_ARS_F_OVERFLOW))
+ 				return -ENOSPC;
+ 			return 0;
+ 		}
+@@ -154,7 +155,7 @@ static int xlat_status(void *buf, unsigned int cmd, u32 status)
+ 		/* Unknown status */
+ 		if (status >> 16)
+ 			return -EIO;
+-		break;
++		return 0;
+ 	case ND_CMD_CLEAR_ERROR:
+ 		clear_err = buf;
+ 		if (status & 0xffff)
+@@ -163,7 +164,7 @@ static int xlat_status(void *buf, unsigned int cmd, u32 status)
+ 			return -EIO;
+ 		if (clear_err->length > clear_err->cleared)
+ 			return clear_err->cleared;
+-		break;
++		return 0;
+ 	default:
+ 		break;
+ 	}
+@@ -174,6 +175,16 @@ static int xlat_status(void *buf, unsigned int cmd, u32 status)
+ 	return 0;
+ }
+ 
++static int xlat_status(struct nvdimm *nvdimm, void *buf, unsigned int cmd,
++		u32 status)
++{
++	if (!nvdimm)
++		return xlat_bus_status(buf, cmd, status);
++	if (status)
++		return -EIO;
++	return 0;
++}
++
+ static int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc,
+ 		struct nvdimm *nvdimm, unsigned int cmd, void *buf,
+ 		unsigned int buf_len, int *cmd_rc)
+@@ -298,7 +309,8 @@ static int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc,
+ 
+ 	for (i = 0, offset = 0; i < desc->out_num; i++) {
+ 		u32 out_size = nd_cmd_out_size(nvdimm, cmd, desc, i, buf,
+-				(u32 *) out_obj->buffer.pointer);
++				(u32 *) out_obj->buffer.pointer,
++				out_obj->buffer.length - offset);
+ 
+ 		if (offset + out_size > out_obj->buffer.length) {
+ 			dev_dbg(dev, "%s:%s output object underflow cmd: %s field: %d\n",
+@@ -333,7 +345,8 @@ static int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc,
+ 			 */
+ 			rc = buf_len - offset - in_buf.buffer.length;
+ 			if (cmd_rc)
+-				*cmd_rc = xlat_status(buf, cmd, fw_status);
++				*cmd_rc = xlat_status(nvdimm, buf, cmd,
++						fw_status);
+ 		} else {
+ 			dev_err(dev, "%s:%s underrun cmd: %s buf_len: %d out_len: %d\n",
+ 					__func__, dimm_name, cmd_name, buf_len,
+@@ -343,7 +356,7 @@ static int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc,
+ 	} else {
+ 		rc = 0;
+ 		if (cmd_rc)
+-			*cmd_rc = xlat_status(buf, cmd, fw_status);
++			*cmd_rc = xlat_status(nvdimm, buf, cmd, fw_status);
+ 	}
+ 
+  out:
+@@ -1857,19 +1870,32 @@ static int ars_get_status(struct acpi_nfit_desc *acpi_desc)
+ 	return cmd_rc;
+ }
+ 
+-static int ars_status_process_records(struct nvdimm_bus *nvdimm_bus,
++static int ars_status_process_records(struct acpi_nfit_desc *acpi_desc,
+ 		struct nd_cmd_ars_status *ars_status)
+ {
++	struct nvdimm_bus *nvdimm_bus = acpi_desc->nvdimm_bus;
+ 	int rc;
+ 	u32 i;
+ 
++	/*
++	 * First record starts at 44 byte offset from the start of the
++	 * payload.
++	 */
++	if (ars_status->out_length < 44)
++		return 0;
+ 	for (i = 0; i < ars_status->num_records; i++) {
++		/* only process full records */
++		if (ars_status->out_length
++				< 44 + sizeof(struct nd_ars_record) * (i + 1))
++			break;
+ 		rc = nvdimm_bus_add_poison(nvdimm_bus,
+ 				ars_status->records[i].err_address,
+ 				ars_status->records[i].length);
+ 		if (rc)
+ 			return rc;
+ 	}
++	if (i < ars_status->num_records)
++		dev_warn(acpi_desc->dev, "detected truncated ars results\n");
+ 
+ 	return 0;
+ }
+@@ -2122,8 +2148,7 @@ static int acpi_nfit_query_poison(struct acpi_nfit_desc *acpi_desc,
+ 	if (rc < 0 && rc != -ENOSPC)
+ 		return rc;
+ 
+-	if (ars_status_process_records(acpi_desc->nvdimm_bus,
+-				acpi_desc->ars_status))
++	if (ars_status_process_records(acpi_desc, acpi_desc->ars_status))
+ 		return -ENOMEM;
+ 
+ 	return 0;
+diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c
+index 2b38c1b..7a2e4d4 100644
+--- a/drivers/acpi/sleep.c
++++ b/drivers/acpi/sleep.c
+@@ -47,32 +47,15 @@ static void acpi_sleep_tts_switch(u32 acpi_state)
+ 	}
+ }
+ 
+-static void acpi_sleep_pts_switch(u32 acpi_state)
+-{
+-	acpi_status status;
+-
+-	status = acpi_execute_simple_method(NULL, "\\_PTS", acpi_state);
+-	if (ACPI_FAILURE(status) && status != AE_NOT_FOUND) {
+-		/*
+-		 * OS can't evaluate the _PTS object correctly. Some warning
+-		 * message will be printed. But it won't break anything.
+-		 */
+-		printk(KERN_NOTICE "Failure in evaluating _PTS object\n");
+-	}
+-}
+-
+-static int sleep_notify_reboot(struct notifier_block *this,
++static int tts_notify_reboot(struct notifier_block *this,
+ 			unsigned long code, void *x)
+ {
+ 	acpi_sleep_tts_switch(ACPI_STATE_S5);
+-
+-	acpi_sleep_pts_switch(ACPI_STATE_S5);
+-
+ 	return NOTIFY_DONE;
+ }
+ 
+-static struct notifier_block sleep_notifier = {
+-	.notifier_call	= sleep_notify_reboot,
++static struct notifier_block tts_notifier = {
++	.notifier_call	= tts_notify_reboot,
+ 	.next		= NULL,
+ 	.priority	= 0,
+ };
+@@ -916,9 +899,9 @@ int __init acpi_sleep_init(void)
+ 	pr_info(PREFIX "(supports%s)\n", supported);
+ 
+ 	/*
+-	 * Register the sleep_notifier to reboot notifier list so that the _TTS
+-	 * and _PTS object can also be evaluated when the system enters S5.
++	 * Register the tts_notifier to reboot notifier list so that the _TTS
++	 * object can also be evaluated when the system enters S5.
+ 	 */
+-	register_reboot_notifier(&sleep_notifier);
++	register_reboot_notifier(&tts_notifier);
+ 	return 0;
+ }
+diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c
+index 5163c8f..5497f7f 100644
+--- a/drivers/block/zram/zram_drv.c
++++ b/drivers/block/zram/zram_drv.c
+@@ -1413,8 +1413,14 @@ static ssize_t hot_remove_store(struct class *class,
+ 	return ret ? ret : count;
+ }
+ 
++/*
++ * NOTE: hot_add attribute is not the usual read-only sysfs attribute. In a
++ * sense that reading from this file does alter the state of your system -- it
++ * creates a new un-initialized zram device and returns back this device's
++ * device_id (or an error code if it fails to create a new device).
++ */
+ static struct class_attribute zram_control_class_attrs[] = {
+-	__ATTR_RO(hot_add),
++	__ATTR(hot_add, 0400, hot_add_show, NULL),
+ 	__ATTR_WO(hot_remove),
+ 	__ATTR_NULL,
+ };
+diff --git a/drivers/crypto/caam/ctrl.c b/drivers/crypto/caam/ctrl.c
+index 0ec112e..2341f37 100644
+--- a/drivers/crypto/caam/ctrl.c
++++ b/drivers/crypto/caam/ctrl.c
+@@ -557,8 +557,9 @@ static int caam_probe(struct platform_device *pdev)
+ 	 * Enable DECO watchdogs and, if this is a PHYS_ADDR_T_64BIT kernel,
+ 	 * long pointers in master configuration register
+ 	 */
+-	clrsetbits_32(&ctrl->mcr, MCFGR_AWCACHE_MASK, MCFGR_AWCACHE_CACH |
+-		      MCFGR_AWCACHE_BUFF | MCFGR_WDENABLE | MCFGR_LARGE_BURST |
++	clrsetbits_32(&ctrl->mcr, MCFGR_AWCACHE_MASK | MCFGR_LONG_PTR,
++		      MCFGR_AWCACHE_CACH | MCFGR_AWCACHE_BUFF |
++		      MCFGR_WDENABLE | MCFGR_LARGE_BURST |
+ 		      (sizeof(dma_addr_t) == sizeof(u64) ? MCFGR_LONG_PTR : 0));
+ 
+ 	/*
+diff --git a/drivers/crypto/marvell/hash.c b/drivers/crypto/marvell/hash.c
+index b111e14..13e89af 100644
+--- a/drivers/crypto/marvell/hash.c
++++ b/drivers/crypto/marvell/hash.c
+@@ -168,12 +168,11 @@ static void mv_cesa_ahash_std_step(struct ahash_request *req)
+ 	mv_cesa_adjust_op(engine, &creq->op_tmpl);
+ 	memcpy_toio(engine->sram, &creq->op_tmpl, sizeof(creq->op_tmpl));
+ 
+-	digsize = crypto_ahash_digestsize(crypto_ahash_reqtfm(req));
+-	for (i = 0; i < digsize / 4; i++)
+-		writel_relaxed(creq->state[i], engine->regs + CESA_IVDIG(i));
+-
+-	mv_cesa_adjust_op(engine, &creq->op_tmpl);
+-	memcpy_toio(engine->sram, &creq->op_tmpl, sizeof(creq->op_tmpl));
++	if (!sreq->offset) {
++		digsize = crypto_ahash_digestsize(crypto_ahash_reqtfm(req));
++		for (i = 0; i < digsize / 4; i++)
++			writel_relaxed(creq->state[i], engine->regs + CESA_IVDIG(i));
++	}
+ 
+ 	if (creq->cache_ptr)
+ 		memcpy_toio(engine->sram + CESA_SA_DATA_SRAM_OFFSET,
+diff --git a/drivers/dax/dax.c b/drivers/dax/dax.c
+index ff64313..4894199 100644
+--- a/drivers/dax/dax.c
++++ b/drivers/dax/dax.c
+@@ -324,7 +324,7 @@ static int check_vma(struct dax_dev *dax_dev, struct vm_area_struct *vma,
+ 		return -ENXIO;
+ 
+ 	/* prevent private mappings from being established */
+-	if ((vma->vm_flags & VM_SHARED) != VM_SHARED) {
++	if ((vma->vm_flags & VM_MAYSHARE) != VM_MAYSHARE) {
+ 		dev_info(dev, "%s: %s: fail, attempted private mapping\n",
+ 				current->comm, func);
+ 		return -EINVAL;
+diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_core.c b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+index bfb91d8..1006af4 100644
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+@@ -872,23 +872,25 @@ static int peak_usb_create_dev(const struct peak_usb_adapter *peak_usb_adapter,
+ static void peak_usb_disconnect(struct usb_interface *intf)
+ {
+ 	struct peak_usb_device *dev;
++	struct peak_usb_device *dev_prev_siblings;
+ 
+ 	/* unregister as many netdev devices as siblings */
+-	for (dev = usb_get_intfdata(intf); dev; dev = dev->prev_siblings) {
++	for (dev = usb_get_intfdata(intf); dev; dev = dev_prev_siblings) {
+ 		struct net_device *netdev = dev->netdev;
+ 		char name[IFNAMSIZ];
+ 
++		dev_prev_siblings = dev->prev_siblings;
+ 		dev->state &= ~PCAN_USB_STATE_CONNECTED;
+ 		strncpy(name, netdev->name, IFNAMSIZ);
+ 
+ 		unregister_netdev(netdev);
+-		free_candev(netdev);
+ 
+ 		kfree(dev->cmd_buf);
+ 		dev->next_siblings = NULL;
+ 		if (dev->adapter->dev_free)
+ 			dev->adapter->dev_free(dev);
+ 
++		free_candev(netdev);
+ 		dev_info(&intf->dev, "%s removed\n", name);
+ 	}
+ 
+diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c
+index a8b6949..23d4a17 100644
+--- a/drivers/nvdimm/bus.c
++++ b/drivers/nvdimm/bus.c
+@@ -715,7 +715,7 @@ EXPORT_SYMBOL_GPL(nd_cmd_in_size);
+ 
+ u32 nd_cmd_out_size(struct nvdimm *nvdimm, int cmd,
+ 		const struct nd_cmd_desc *desc, int idx, const u32 *in_field,
+-		const u32 *out_field)
++		const u32 *out_field, unsigned long remainder)
+ {
+ 	if (idx >= desc->out_num)
+ 		return UINT_MAX;
+@@ -727,9 +727,24 @@ u32 nd_cmd_out_size(struct nvdimm *nvdimm, int cmd,
+ 		return in_field[1];
+ 	else if (nvdimm && cmd == ND_CMD_VENDOR && idx == 2)
+ 		return out_field[1];
+-	else if (!nvdimm && cmd == ND_CMD_ARS_STATUS && idx == 2)
+-		return out_field[1] - 8;
+-	else if (cmd == ND_CMD_CALL) {
++	else if (!nvdimm && cmd == ND_CMD_ARS_STATUS && idx == 2) {
++		/*
++		 * Per table 9-276 ARS Data in ACPI 6.1, out_field[1] is
++		 * "Size of Output Buffer in bytes, including this
++		 * field."
++		 */
++		if (out_field[1] < 4)
++			return 0;
++		/*
++		 * ACPI 6.1 is ambiguous if 'status' is included in the
++		 * output size. If we encounter an output size that
++		 * overshoots the remainder by 4 bytes, assume it was
++		 * including 'status'.
++		 */
++		if (out_field[1] - 8 == remainder)
++			return remainder;
++		return out_field[1] - 4;
++	} else if (cmd == ND_CMD_CALL) {
+ 		struct nd_cmd_pkg *pkg = (struct nd_cmd_pkg *) in_field;
+ 
+ 		return pkg->nd_size_out;
+@@ -876,7 +891,7 @@ static int __nd_ioctl(struct nvdimm_bus *nvdimm_bus, struct nvdimm *nvdimm,
+ 	/* process an output envelope */
+ 	for (i = 0; i < desc->out_num; i++) {
+ 		u32 out_size = nd_cmd_out_size(nvdimm, cmd, desc, i,
+-				(u32 *) in_env, (u32 *) out_env);
++				(u32 *) in_env, (u32 *) out_env, 0);
+ 		u32 copy;
+ 
+ 		if (out_size == UINT_MAX) {
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index 7080ce2..8214eba 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -1323,18 +1323,20 @@ lpfc_sli_ringtxcmpl_put(struct lpfc_hba *phba, struct lpfc_sli_ring *pring,
+ {
+ 	lockdep_assert_held(&phba->hbalock);
+ 
+-	BUG_ON(!piocb || !piocb->vport);
++	BUG_ON(!piocb);
+ 
+ 	list_add_tail(&piocb->list, &pring->txcmplq);
+ 	piocb->iocb_flag |= LPFC_IO_ON_TXCMPLQ;
+ 
+ 	if ((unlikely(pring->ringno == LPFC_ELS_RING)) &&
+ 	   (piocb->iocb.ulpCommand != CMD_ABORT_XRI_CN) &&
+-	   (piocb->iocb.ulpCommand != CMD_CLOSE_XRI_CN) &&
+-	    (!(piocb->vport->load_flag & FC_UNLOADING)))
+-		mod_timer(&piocb->vport->els_tmofunc,
+-			  jiffies +
+-			  msecs_to_jiffies(1000 * (phba->fc_ratov << 1)));
++	   (piocb->iocb.ulpCommand != CMD_CLOSE_XRI_CN)) {
++		BUG_ON(!piocb->vport);
++		if (!(piocb->vport->load_flag & FC_UNLOADING))
++			mod_timer(&piocb->vport->els_tmofunc,
++				  jiffies +
++				  msecs_to_jiffies(1000 * (phba->fc_ratov << 1)));
++	}
+ 
+ 	return 0;
+ }
+diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
+index e3b30ea..a504e2e0 100644
+--- a/drivers/vhost/vsock.c
++++ b/drivers/vhost/vsock.c
+@@ -506,7 +506,7 @@ static void vhost_vsock_reset_orphans(struct sock *sk)
+ 	 * executing.
+ 	 */
+ 
+-	if (!vhost_vsock_get(vsk->local_addr.svm_cid)) {
++	if (!vhost_vsock_get(vsk->remote_addr.svm_cid)) {
+ 		sock_set_flag(sk, SOCK_DONE);
+ 		vsk->peer_shutdown = SHUTDOWN_MASK;
+ 		sk->sk_state = SS_UNCONNECTED;
+diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c
+index df4b3e6..93142bf 100644
+--- a/fs/ceph/dir.c
++++ b/fs/ceph/dir.c
+@@ -1257,26 +1257,30 @@ static int ceph_d_revalidate(struct dentry *dentry, unsigned int flags)
+ 			return -ECHILD;
+ 
+ 		op = ceph_snap(dir) == CEPH_SNAPDIR ?
+-			CEPH_MDS_OP_LOOKUPSNAP : CEPH_MDS_OP_LOOKUP;
++			CEPH_MDS_OP_LOOKUPSNAP : CEPH_MDS_OP_GETATTR;
+ 		req = ceph_mdsc_create_request(mdsc, op, USE_ANY_MDS);
+ 		if (!IS_ERR(req)) {
+ 			req->r_dentry = dget(dentry);
+-			req->r_num_caps = 2;
++			req->r_num_caps = op == CEPH_MDS_OP_GETATTR ? 1 : 2;
+ 
+ 			mask = CEPH_STAT_CAP_INODE | CEPH_CAP_AUTH_SHARED;
+ 			if (ceph_security_xattr_wanted(dir))
+ 				mask |= CEPH_CAP_XATTR_SHARED;
+ 			req->r_args.getattr.mask = mask;
+ 
+-			req->r_locked_dir = dir;
+ 			err = ceph_mdsc_do_request(mdsc, NULL, req);
+-			if (err == 0 || err == -ENOENT) {
+-				if (dentry == req->r_dentry) {
+-					valid = !d_unhashed(dentry);
+-				} else {
+-					d_invalidate(req->r_dentry);
+-					err = -EAGAIN;
+-				}
++			switch (err) {
++			case 0:
++				if (d_really_is_positive(dentry) &&
++				    d_inode(dentry) == req->r_target_inode)
++					valid = 1;
++				break;
++			case -ENOENT:
++				if (d_really_is_negative(dentry))
++					valid = 1;
++				/* Fallthrough */
++			default:
++				break;
+ 			}
+ 			ceph_mdsc_put_request(req);
+ 			dout("d_revalidate %p lookup result=%d\n",
+diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
+index 4ff9251..eb5373a 100644
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -1709,8 +1709,6 @@ static int fuse_setattr(struct dentry *entry, struct iattr *attr)
+ 		return -EACCES;
+ 
+ 	if (attr->ia_valid & (ATTR_KILL_SUID | ATTR_KILL_SGID)) {
+-		int kill;
+-
+ 		attr->ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID |
+ 				    ATTR_MODE);
+ 		/*
+@@ -1722,12 +1720,11 @@ static int fuse_setattr(struct dentry *entry, struct iattr *attr)
+ 			return ret;
+ 
+ 		attr->ia_mode = inode->i_mode;
+-		kill = should_remove_suid(entry);
+-		if (kill & ATTR_KILL_SUID) {
++		if (inode->i_mode & S_ISUID) {
+ 			attr->ia_valid |= ATTR_MODE;
+ 			attr->ia_mode &= ~S_ISUID;
+ 		}
+-		if (kill & ATTR_KILL_SGID) {
++		if ((inode->i_mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
+ 			attr->ia_valid |= ATTR_MODE;
+ 			attr->ia_mode &= ~S_ISGID;
+ 		}
+diff --git a/include/linux/cpu.h b/include/linux/cpu.h
+index 797d9c8..c8938eb 100644
+--- a/include/linux/cpu.h
++++ b/include/linux/cpu.h
+@@ -105,22 +105,16 @@ extern bool cpuhp_tasks_frozen;
+ 		{ .notifier_call = fn, .priority = pri };	\
+ 	__register_cpu_notifier(&fn##_nb);			\
+ }
+-#else /* #if defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE) */
+-#define cpu_notifier(fn, pri)	do { (void)(fn); } while (0)
+-#define __cpu_notifier(fn, pri)	do { (void)(fn); } while (0)
+-#endif /* #else #if defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE) */
+ 
+-#ifdef CONFIG_HOTPLUG_CPU
+ extern int register_cpu_notifier(struct notifier_block *nb);
+ extern int __register_cpu_notifier(struct notifier_block *nb);
+ extern void unregister_cpu_notifier(struct notifier_block *nb);
+ extern void __unregister_cpu_notifier(struct notifier_block *nb);
+-#else
+ 
+-#ifndef MODULE
+-extern int register_cpu_notifier(struct notifier_block *nb);
+-extern int __register_cpu_notifier(struct notifier_block *nb);
+-#else
++#else /* #if defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE) */
++#define cpu_notifier(fn, pri)	do { (void)(fn); } while (0)
++#define __cpu_notifier(fn, pri)	do { (void)(fn); } while (0)
++
+ static inline int register_cpu_notifier(struct notifier_block *nb)
+ {
+ 	return 0;
+@@ -130,7 +124,6 @@ static inline int __register_cpu_notifier(struct notifier_block *nb)
+ {
+ 	return 0;
+ }
+-#endif
+ 
+ static inline void unregister_cpu_notifier(struct notifier_block *nb)
+ {
+diff --git a/include/linux/libnvdimm.h b/include/linux/libnvdimm.h
+index bbfce62..d02d65d 100644
+--- a/include/linux/libnvdimm.h
++++ b/include/linux/libnvdimm.h
+@@ -153,7 +153,7 @@ u32 nd_cmd_in_size(struct nvdimm *nvdimm, int cmd,
+ 		const struct nd_cmd_desc *desc, int idx, void *buf);
+ u32 nd_cmd_out_size(struct nvdimm *nvdimm, int cmd,
+ 		const struct nd_cmd_desc *desc, int idx, const u32 *in_field,
+-		const u32 *out_field);
++		const u32 *out_field, unsigned long remainder);
+ int nvdimm_bus_check_dimm_count(struct nvdimm_bus *nvdimm_bus, int dimm_count);
+ struct nd_region *nvdimm_pmem_region_create(struct nvdimm_bus *nvdimm_bus,
+ 		struct nd_region_desc *ndr_desc);
+diff --git a/include/uapi/linux/can.h b/include/uapi/linux/can.h
+index 9692cda..c48d93a 100644
+--- a/include/uapi/linux/can.h
++++ b/include/uapi/linux/can.h
+@@ -196,5 +196,6 @@ struct can_filter {
+ };
+ 
+ #define CAN_INV_FILTER 0x20000000U /* to be set in can_filter.can_id */
++#define CAN_RAW_FILTER_MAX 512 /* maximum number of can_filter set via setsockopt() */
+ 
+ #endif /* !_UAPI_CAN_H */
+diff --git a/kernel/cpu.c b/kernel/cpu.c
+index 341bf80..73fb59f 100644
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -578,7 +578,6 @@ void __init cpuhp_threads_init(void)
+ 	kthread_unpark(this_cpu_read(cpuhp_state.thread));
+ }
+ 
+-#ifdef CONFIG_HOTPLUG_CPU
+ EXPORT_SYMBOL(register_cpu_notifier);
+ EXPORT_SYMBOL(__register_cpu_notifier);
+ void unregister_cpu_notifier(struct notifier_block *nb)
+@@ -595,6 +594,7 @@ void __unregister_cpu_notifier(struct notifier_block *nb)
+ }
+ EXPORT_SYMBOL(__unregister_cpu_notifier);
+ 
++#ifdef CONFIG_HOTPLUG_CPU
+ /**
+  * clear_tasks_mm_cpumask - Safely clear tasks' mm_cpumask for a CPU
+  * @cpu: a CPU id
+diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c
+index 1ec0f48..2c49d76 100644
+--- a/kernel/locking/rtmutex.c
++++ b/kernel/locking/rtmutex.c
+@@ -65,8 +65,72 @@ static inline void clear_rt_mutex_waiters(struct rt_mutex *lock)
+ 
+ static void fixup_rt_mutex_waiters(struct rt_mutex *lock)
+ {
+-	if (!rt_mutex_has_waiters(lock))
+-		clear_rt_mutex_waiters(lock);
++	unsigned long owner, *p = (unsigned long *) &lock->owner;
++
++	if (rt_mutex_has_waiters(lock))
++		return;
++
++	/*
++	 * The rbtree has no waiters enqueued, now make sure that the
++	 * lock->owner still has the waiters bit set, otherwise the
++	 * following can happen:
++	 *
++	 * CPU 0	CPU 1		CPU2
++	 * l->owner=T1
++	 *		rt_mutex_lock(l)
++	 *		lock(l->lock)
++	 *		l->owner = T1 | HAS_WAITERS;
++	 *		enqueue(T2)
++	 *		boost()
++	 *		  unlock(l->lock)
++	 *		block()
++	 *
++	 *				rt_mutex_lock(l)
++	 *				lock(l->lock)
++	 *				l->owner = T1 | HAS_WAITERS;
++	 *				enqueue(T3)
++	 *				boost()
++	 *				  unlock(l->lock)
++	 *				block()
++	 *		signal(->T2)	signal(->T3)
++	 *		lock(l->lock)
++	 *		dequeue(T2)
++	 *		deboost()
++	 *		  unlock(l->lock)
++	 *				lock(l->lock)
++	 *				dequeue(T3)
++	 *				 ==> wait list is empty
++	 *				deboost()
++	 *				 unlock(l->lock)
++	 *		lock(l->lock)
++	 *		fixup_rt_mutex_waiters()
++	 *		  if (wait_list_empty(l) {
++	 *		    l->owner = owner
++	 *		    owner = l->owner & ~HAS_WAITERS;
++	 *		      ==> l->owner = T1
++	 *		  }
++	 *				lock(l->lock)
++	 * rt_mutex_unlock(l)		fixup_rt_mutex_waiters()
++	 *				  if (wait_list_empty(l) {
++	 *				    owner = l->owner & ~HAS_WAITERS;
++	 * cmpxchg(l->owner, T1, NULL)
++	 *  ===> Success (l->owner = NULL)
++	 *
++	 *				    l->owner = owner
++	 *				      ==> l->owner = T1
++	 *				  }
++	 *
++	 * With the check for the waiter bit in place T3 on CPU2 will not
++	 * overwrite. All tasks fiddling with the waiters bit are
++	 * serialized by l->lock, so nothing else can modify the waiters
++	 * bit. If the bit is set then nothing can change l->owner either
++	 * so the simple RMW is safe. The cmpxchg() will simply fail if it
++	 * happens in the middle of the RMW because the waiters bit is
++	 * still set.
++	 */
++	owner = READ_ONCE(*p);
++	if (owner & RT_MUTEX_HAS_WAITERS)
++		WRITE_ONCE(*p, owner & ~RT_MUTEX_HAS_WAITERS);
+ }
+ 
+ /*
+diff --git a/kernel/locking/rtmutex_common.h b/kernel/locking/rtmutex_common.h
+index 4f5f83c..e317e1c 100644
+--- a/kernel/locking/rtmutex_common.h
++++ b/kernel/locking/rtmutex_common.h
+@@ -75,8 +75,9 @@ task_top_pi_waiter(struct task_struct *p)
+ 
+ static inline struct task_struct *rt_mutex_owner(struct rt_mutex *lock)
+ {
+-	return (struct task_struct *)
+-		((unsigned long)lock->owner & ~RT_MUTEX_OWNER_MASKALL);
++	unsigned long owner = (unsigned long) READ_ONCE(lock->owner);
++
++	return (struct task_struct *) (owner & ~RT_MUTEX_OWNER_MASKALL);
+ }
+ 
+ /*
+diff --git a/kernel/sched/auto_group.c b/kernel/sched/auto_group.c
+index a5d966c..418d9b6 100644
+--- a/kernel/sched/auto_group.c
++++ b/kernel/sched/auto_group.c
+@@ -192,6 +192,7 @@ int proc_sched_autogroup_set_nice(struct task_struct *p, int nice)
+ {
+ 	static unsigned long next = INITIAL_JIFFIES;
+ 	struct autogroup *ag;
++	unsigned long shares;
+ 	int err;
+ 
+ 	if (nice < MIN_NICE || nice > MAX_NICE)
+@@ -210,9 +211,10 @@ int proc_sched_autogroup_set_nice(struct task_struct *p, int nice)
+ 
+ 	next = HZ / 10 + jiffies;
+ 	ag = autogroup_task_get(p);
++	shares = scale_load(sched_prio_to_weight[nice + 20]);
+ 
+ 	down_write(&ag->lock);
+-	err = sched_group_set_shares(ag->tg, sched_prio_to_weight[nice + 20]);
++	err = sched_group_set_shares(ag->tg, shares);
+ 	if (!err)
+ 		ag->nice = nice;
+ 	up_write(&ag->lock);
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index 7e6df7a..67f8fa9 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -2849,7 +2849,7 @@ static bool batadv_send_my_tt_response(struct batadv_priv *bat_priv,
+ 							     &tvlv_tt_data,
+ 							     &tt_change,
+ 							     &tt_len);
+-		if (!tt_len)
++		if (!tt_len || !tvlv_len)
+ 			goto unlock;
+ 
+ 		/* Copy the last orig_node's OGM buffer */
+@@ -2867,7 +2867,7 @@ static bool batadv_send_my_tt_response(struct batadv_priv *bat_priv,
+ 							     &tvlv_tt_data,
+ 							     &tt_change,
+ 							     &tt_len);
+-		if (!tt_len)
++		if (!tt_len || !tvlv_len)
+ 			goto out;
+ 
+ 		/* fill the rest of the tvlv with the real TT entries */
+diff --git a/net/can/raw.c b/net/can/raw.c
+index 972c187..b075f02 100644
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -499,6 +499,9 @@ static int raw_setsockopt(struct socket *sock, int level, int optname,
+ 		if (optlen % sizeof(struct can_filter) != 0)
+ 			return -EINVAL;
+ 
++		if (optlen > CAN_RAW_FILTER_MAX * sizeof(struct can_filter))
++			return -EINVAL;
++
+ 		count = optlen / sizeof(struct can_filter);
+ 
+ 		if (count > 1) {
diff --git a/4.8.14/4420_grsecurity-3.1-4.8.14-201612110933.patch b/4.8.15/4420_grsecurity-3.1-4.8.15-201612151923.patch
index c16e8f5..f7b8b72 100644
--- a/4.8.14/4420_grsecurity-3.1-4.8.14-201612110933.patch
+++ b/4.8.15/4420_grsecurity-3.1-4.8.15-201612151923.patch
@@ -407,7 +407,7 @@ index ffab8b5..b8fcd61 100644
  
  A toggle value indicating if modules are allowed to be loaded
 diff --git a/Makefile b/Makefile
-index 6a74924..c5a7b40 100644
+index c7f0e79..0a12dea 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -302,7 +302,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -7873,7 +7873,7 @@ index f08dda3..ea6aa1b 100644
  #endif
  
 diff --git a/arch/parisc/include/asm/pgtable.h b/arch/parisc/include/asm/pgtable.h
-index c2c43f7..b08ffd9 100644
+index 3a4ed9f..29b7218 100644
 --- a/arch/parisc/include/asm/pgtable.h
 +++ b/arch/parisc/include/asm/pgtable.h
 @@ -236,6 +236,17 @@ static inline void purge_tlb_entries(struct mm_struct *mm, unsigned long addr)
@@ -19051,7 +19051,7 @@ index b28200d..e93e14d 100644
  
  	while (amd_iommu_v2_event_descs[i].attr.attr.name)
 diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
-index a4e070a..6804f87 100644
+index 8c925ec..287eaab 100644
 --- a/arch/x86/events/core.c
 +++ b/arch/x86/events/core.c
 @@ -1545,7 +1545,7 @@ static void __init pmu_check_apic(void)
@@ -19091,7 +19091,7 @@ index a4e070a..6804f87 100644
  	pagefault_enable();
  }
 diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
-index 4c9a79b..7c0d6ca 100644
+index 3ef34c6..166e15a 100644
 --- a/arch/x86/events/intel/core.c
 +++ b/arch/x86/events/intel/core.c
 @@ -2408,6 +2408,8 @@ __intel_get_event_constraints(struct cpu_hw_events *cpuc, int idx,
@@ -41805,10 +41805,10 @@ index 7cfbda4..74f738c 100644
  	set_no_mwait, "Extensa 5220", {
  	DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
 diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c
-index 2b38c1b..61fcc2b 100644
+index 7a2e4d4..0de00c5 100644
 --- a/drivers/acpi/sleep.c
 +++ b/drivers/acpi/sleep.c
-@@ -171,7 +171,7 @@ static int __init init_nvs_nosave(const struct dmi_system_id *d)
+@@ -154,7 +154,7 @@ static int __init init_nvs_nosave(const struct dmi_system_id *d)
  	return 0;
  }
  
@@ -147937,7 +147937,7 @@ index 9b5f044..b8b0a33 100644
  }
  __initcall(ioresources_init);
 diff --git a/kernel/sched/auto_group.c b/kernel/sched/auto_group.c
-index a5d966c..9c2d28b 100644
+index 418d9b6..45ff39b 100644
 --- a/kernel/sched/auto_group.c
 +++ b/kernel/sched/auto_group.c
 @@ -9,7 +9,7 @@
@@ -152038,9 +152038,18 @@ index 6c707bf..c8d0529 100644
  	return sys_fadvise64_64(fd, offset, len, advice);
  }
 diff --git a/mm/filemap.c b/mm/filemap.c
-index ced9ef6..e042a5b 100644
+index ced9ef6..b3151bf 100644
 --- a/mm/filemap.c
 +++ b/mm/filemap.c
+@@ -1688,7 +1688,7 @@ static ssize_t do_generic_file_read(struct file *filp, loff_t *ppos,
+ 	int error = 0;
+ 
+ 	if (unlikely(*ppos >= inode->i_sb->s_maxbytes))
+-		return -EINVAL;
++		return 0;
+ 	iov_iter_truncate(iter, inode->i_sb->s_maxbytes);
+ 
+ 	index = *ppos >> PAGE_SHIFT;
 @@ -2334,7 +2334,7 @@ int generic_file_mmap(struct file * file, struct vm_area_struct * vma)
  	struct address_space *mapping = file->f_mapping;
  
@@ -158571,7 +158580,7 @@ index c76021b..3aef377 100644
  };
  
 diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
-index 7e6df7a..474128b 100644
+index 67f8fa9..4b611eb 100644
 --- a/net/batman-adv/translation-table.c
 +++ b/net/batman-adv/translation-table.c
 @@ -664,7 +664,7 @@ bool batadv_tt_local_add(struct net_device *soft_iface, const u8 *addr,
@@ -204352,10 +204361,10 @@ index 0000000..4aabb55
 +size_mei_msg_data_65529_fields size mei_msg_data 0 65529 NULL
 diff --git a/scripts/gcc-plugins/size_overflow_plugin/e_fns.data b/scripts/gcc-plugins/size_overflow_plugin/e_fns.data
 new file mode 100644
-index 0000000..269bba1
+index 0000000..510c554
 --- /dev/null
 +++ b/scripts/gcc-plugins/size_overflow_plugin/e_fns.data
-@@ -0,0 +1,5527 @@
+@@ -0,0 +1,5528 @@
 +logi_dj_recv_query_paired_devices_fndecl_13_fns logi_dj_recv_query_paired_devices fndecl 0 13 NULL
 +response_length_ib_uverbs_ex_destroy_wq_resp_15_fns response_length ib_uverbs_ex_destroy_wq_resp 0 15 NULL
 +kfd_wait_on_events_fndecl_19_fns kfd_wait_on_events fndecl 2 19 NULL
@@ -206853,6 +206862,7 @@ index 0000000..269bba1
 +si_lasti_bfs_sb_info_29842_fns si_lasti bfs_sb_info 0 29842 NULL
 +len_ethtool_dump_29843_fns len ethtool_dump 0 29843 NULL
 +fq_alloc_node_fndecl_29850_fns fq_alloc_node fndecl 1 29850 NULL
++nd_cmd_out_size_fndecl_29867_fns nd_cmd_out_size fndecl 0-7 29867 NULL
 +nfs_idmap_lookup_id_fndecl_29879_fns nfs_idmap_lookup_id fndecl 2 29879 NULL
 +parport_write_fndecl_29886_fns parport_write fndecl 0 29886 NULL
 +length_ndis_80211_pmkid_29893_fns length ndis_80211_pmkid 0 29893 NULL
diff --git a/4.8.14/4425_grsec_remove_EI_PAX.patch b/4.8.15/4425_grsec_remove_EI_PAX.patch
index 594598a..594598a 100644
--- a/4.8.14/4425_grsec_remove_EI_PAX.patch
+++ b/4.8.15/4425_grsec_remove_EI_PAX.patch
diff --git a/4.8.14/4427_force_XATTR_PAX_tmpfs.patch b/4.8.15/4427_force_XATTR_PAX_tmpfs.patch
index caecb91..caecb91 100644
--- a/4.8.14/4427_force_XATTR_PAX_tmpfs.patch
+++ b/4.8.15/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/4.8.14/4430_grsec-remove-localversion-grsec.patch b/4.8.15/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/4.8.14/4430_grsec-remove-localversion-grsec.patch
+++ b/4.8.15/4430_grsec-remove-localversion-grsec.patch
diff --git a/4.8.14/4435_grsec-mute-warnings.patch b/4.8.15/4435_grsec-mute-warnings.patch
index 8929222..8929222 100644
--- a/4.8.14/4435_grsec-mute-warnings.patch
+++ b/4.8.15/4435_grsec-mute-warnings.patch
diff --git a/4.8.14/4440_grsec-remove-protected-paths.patch b/4.8.15/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/4.8.14/4440_grsec-remove-protected-paths.patch
+++ b/4.8.15/4440_grsec-remove-protected-paths.patch
diff --git a/4.8.14/4450_grsec-kconfig-default-gids.patch b/4.8.15/4450_grsec-kconfig-default-gids.patch
index cee6e27..cee6e27 100644
--- a/4.8.14/4450_grsec-kconfig-default-gids.patch
+++ b/4.8.15/4450_grsec-kconfig-default-gids.patch
diff --git a/4.8.14/4465_selinux-avc_audit-log-curr_ip.patch b/4.8.15/4465_selinux-avc_audit-log-curr_ip.patch
index 06a5294..06a5294 100644
--- a/4.8.14/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/4.8.15/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/4.8.14/4470_disable-compat_vdso.patch b/4.8.15/4470_disable-compat_vdso.patch
index 1e4b84a..1e4b84a 100644
--- a/4.8.14/4470_disable-compat_vdso.patch
+++ b/4.8.15/4470_disable-compat_vdso.patch
diff --git a/4.8.14/4475_emutramp_default_on.patch b/4.8.15/4475_emutramp_default_on.patch
index 7b468ee..7b468ee 100644
--- a/4.8.14/4475_emutramp_default_on.patch
+++ b/4.8.15/4475_emutramp_default_on.patch