From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id E7B0B198005 for ; Sat, 16 Mar 2013 13:25:59 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id AD3A6E0517; Sat, 16 Mar 2013 13:25:58 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 0BB59E0517 for ; Sat, 16 Mar 2013 13:25:57 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 94C7E33D77F for ; Sat, 16 Mar 2013 13:25:56 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 2F950E4079 for ; Sat, 16 Mar 2013 13:25:55 +0000 (UTC) 
From: "Anthony G. Basile" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Anthony G. Basile" Message-ID: <1363440300.3ffd0980490b6bd656a839ddee22060a09a32a94.blueness@gentoo> Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 2.6.32/, 3.8.2/, 3.2.40/ X-VCS-Repository: proj/hardened-patchset X-VCS-Files: 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303111841.patch 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303142231.patch 3.2.40/0000_README 3.2.40/4420_grsecurity-2.9.1-3.2.40-201303111844.patch 3.2.40/4420_grsecurity-2.9.1-3.2.40-201303142234.patch 3.8.2/0000_README 3.8.2/4420_grsecurity-2.9.1-3.8.2-201303111845.patch 3.8.2/4420_grsecurity-2.9.1-3.8.3-201303142235.patch X-VCS-Directories: 2.6.32/ 3.8.2/ 3.2.40/ X-VCS-Committer: blueness X-VCS-Committer-Name: Anthony G. Basile X-VCS-Revision: 3ffd0980490b6bd656a839ddee22060a09a32a94 X-VCS-Branch: master Date: Sat, 16 Mar 2013 13:25:55 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: ba1adce5-7dd3-4cad-bf65-ef97b02a5c95 X-Archives-Hash: 9d5ca679f7bfbfa3434a50640634a119 commit: 3ffd0980490b6bd656a839ddee22060a09a32a94 Author: Anthony G. Basile gentoo org> AuthorDate: Sat Mar 16 13:25:00 2013 +0000 Commit: Anthony G. Basile gentoo org> CommitDate: Sat Mar 16 13:25:00 2013 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=3ffd0980 Grsec/PaX: 2.9.1-{2.6.32.60,3.2.40,3.8.2}-201303142235 --- ..._grsecurity-2.9.1-2.6.32.60-201303142231.patch} | 134 ++++- 3.2.40/0000_README | 2 +- ...420_grsecurity-2.9.1-3.2.40-201303142234.patch} | 294 +++++++- 3.8.2/0000_README | 2 +- ...4420_grsecurity-2.9.1-3.8.3-201303142235.patch} | 775 +++++++++----------- 5 files changed, 751 insertions(+), 456 deletions(-) 
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303111841.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303142231.patch similarity index 99% rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303111841.patch rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303142231.patch index 844bced..966075e 100644 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303111841.patch +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303142231.patch @@ -67598,6 +67598,25 @@ index 7ad177e..5503586 100644 typedef void (*bfa_cb_iocfc_t) (void *cbarg, enum bfa_status status); struct bfa_iocfc_s { +diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c +index 075e239..85a1eaf 100644 +--- a/drivers/scsi/dc395x.c ++++ b/drivers/scsi/dc395x.c +@@ -3746,13 +3746,13 @@ static struct DeviceCtlBlk *device_alloc(struct AdapterCtlBlk *acb, + dcb->max_command = 1; + dcb->target_id = target; + dcb->target_lun = lun; ++ dcb->dev_mode = eeprom->target[target].cfg0; + #ifndef DC395x_NO_DISCONNECT + dcb->identify_msg = + IDENTIFY(dcb->dev_mode & NTC_DO_DISCONNECT, lun); + #else + dcb->identify_msg = IDENTIFY(0, lun); + #endif +- dcb->dev_mode = eeprom->target[target].cfg0; + dcb->inquiry7 = 0; + dcb->sync_mode = 0; + dcb->min_nego_period = clock_period[period_index]; diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c index 4967643..cbec06b 100644 --- a/drivers/scsi/dpt_i2o.c 
@@ -71265,6 +71284,76 @@ index fbea856..06efea6 100644 if (!left--) { if (instance->disconnected) +diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c +index 37f2899..6ca1363 100644 +--- a/drivers/usb/class/cdc-wdm.c ++++ b/drivers/usb/class/cdc-wdm.c +@@ -52,7 +52,7 @@ MODULE_DEVICE_TABLE (usb, wdm_ids); + #define WDM_READ 4 + #define WDM_INT_STALL 5 + #define WDM_POLL_RUNNING 6 +- ++#define WDM_OVERFLOW 10 + + #define WDM_MAX 16 + +@@ -115,6 +115,7 @@ static void wdm_in_callback(struct urb *urb) + { + struct wdm_device *desc = urb->context; + int status = urb->status; ++ int length = urb->actual_length; + + spin_lock(&desc->iuspin); + +@@ -144,9 +145,17 @@ static void wdm_in_callback(struct urb *urb) + } + + desc->rerr = status; +- desc->reslength = urb->actual_length; +- memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength); +- desc->length += desc->reslength; ++ if (length + desc->length > desc->wMaxCommand) { ++ /* The buffer would overflow */ ++ set_bit(WDM_OVERFLOW, &desc->flags); ++ } else { ++ /* we may already be in overflow */ ++ if (!test_bit(WDM_OVERFLOW, &desc->flags)) { ++ memmove(desc->ubuf + desc->length, desc->inbuf, length); ++ desc->length += length; ++ desc->reslength = length; ++ } ++ } + wake_up(&desc->wait); + + set_bit(WDM_READ, &desc->flags); +@@ -398,6 +407,11 @@ retry: + rv = -ENODEV; + goto err; + } ++ if (test_bit(WDM_OVERFLOW, &desc->flags)) { ++ clear_bit(WDM_OVERFLOW, &desc->flags); ++ rv = -ENOBUFS; ++ goto err; ++ } + i++; + if (file->f_flags & O_NONBLOCK) { + if (!test_bit(WDM_READ, &desc->flags)) { +@@ -440,6 +454,7 @@ retry: + spin_unlock_irq(&desc->iuspin); + goto retry; + } ++ + if (!desc->reslength) { /* zero length read */ + dev_dbg(&desc->intf->dev, "%s: zero length - clearing WDM_READ\n", __func__); + clear_bit(WDM_READ, &desc->flags); +@@ -844,6 +859,7 @@ static int wdm_post_reset(struct usb_interface *intf) + struct wdm_device *desc = usb_get_intfdata(intf); + int rv; + ++ 
clear_bit(WDM_OVERFLOW, &desc->flags); + rv = recover_from_urb_loss(desc); + mutex_unlock(&desc->plock); + return 0; diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c index 24e6205..b94523b 100644 --- a/drivers/usb/core/hcd.c @@ -81696,7 +81785,7 @@ index f6af760..d0adf34 100644 base = (void __user *)(unsigned long)argv[n].v_base; if (len == 0) { diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c -index 44a88a9..0eb059e 100644 +index 44a88a9..0eb059ec 100644 --- a/fs/nls/nls_base.c +++ b/fs/nls/nls_base.c @@ -114,34 +114,57 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxlen) @@ -82286,7 +82375,7 @@ index 5765198..7f8e9e0 100644 int pos = slot * secsize; put_dev_sector(sect); diff --git a/fs/pipe.c b/fs/pipe.c -index d0cc080..8a6f211 100644 +index d0cc080..b63ef40 100644 --- a/fs/pipe.c +++ b/fs/pipe.c @@ -401,9 +401,9 @@ redo: @@ -82381,7 +82470,15 @@ index d0cc080..8a6f211 100644 } mutex_unlock(&inode->i_mutex); -@@ -818,9 +818,9 @@ pipe_rdwr_open(struct inode *inode, struct file *filp) +@@ -813,14 +813,17 @@ pipe_rdwr_open(struct inode *inode, struct file *filp) + { + int ret = -ENOENT; + ++ if (!(filp->f_mode & (FMODE_READ|FMODE_WRITE))) ++ return -EINVAL; ++ + mutex_lock(&inode->i_mutex); + if (inode->i_pipe) { ret = 0; if (filp->f_mode & FMODE_READ) @@ -82393,7 +82490,7 @@ index d0cc080..8a6f211 100644 } mutex_unlock(&inode->i_mutex); -@@ -905,7 +905,7 @@ void free_pipe_info(struct inode *inode) +@@ -905,7 +908,7 @@ void free_pipe_info(struct inode *inode) inode->i_pipe = NULL; } @@ -82402,7 +82499,7 @@ index d0cc080..8a6f211 100644 static int pipefs_delete_dentry(struct dentry *dentry) { /* -@@ -945,7 +945,8 @@ static struct inode * get_pipe_inode(void) +@@ -945,7 +948,8 @@ static struct inode * get_pipe_inode(void) goto fail_iput; inode->i_pipe = pipe; @@ -118216,7 +118313,7 @@ index 0747d8a..e8bf3f3 100644 sub->evt.event = htohl(event, sub->swap); 
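Review bot: The new `WDM_OVERFLOW` flag in cdc-wdm.c is added without any comment, and in `wdm_in_callback` the overflow branch leaves `desc->reslength` and `desc->length` at their previous values while `WDM_READ` is still set afterwards. A reader of the driver cannot tell from these lines that the dropped response is reported exactly once as `-ENOBUFS` by the read path and that the already-buffered bytes are kept. I would document that at the define, e.g. `#define WDM_OVERFLOW 10 /* response exceeded wMaxCommand; data dropped, read returns -ENOBUFS once */`, and note that the jump from 6 to 10 in the flag numbering is deliberate. The same change is added to the 3.2.40 patch further down; both functions start and end outside the hunks, so the buffer size behind `desc->ubuf` should be confirmed against `wMaxCommand` there.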
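Review bot: The early return added at the top of `pipe_rdwr_open`, `if (!(filp->f_mode & (FMODE_READ|FMODE_WRITE))) return -EINVAL;`, carries no comment saying which opens it rejects or what goes wrong without it. From the visible lines the reader/writer accounting below is conditional on `FMODE_READ` and `FMODE_WRITE`, so presumably an open with neither bit would skip the increments while the release path still runs; that release code is outside the hunk and should be confirmed. A one-line comment such as `/* an open with neither FMODE_READ nor FMODE_WRITE would leave the pipe counters unbalanced on release */` would keep the check from being removed as dead code later. The same hunk is added to the 3.2.40 patch.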
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index db8d51a..608692d 100644 +index db8d51a..b141925 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -745,6 +745,12 @@ static struct sock *unix_find_other(struct net *net, @@ -118265,8 +118362,18 @@ index db8d51a..608692d 100644 mutex_unlock(&nd.path.dentry->d_inode->i_mutex); dput(nd.path.dentry); nd.path.dentry = dentry; -@@ -2211,7 +2231,11 @@ static int unix_seq_show(struct seq_file *seq, void *v) +@@ -2206,12 +2226,20 @@ static int unix_seq_show(struct seq_file *seq, void *v) + seq_puts(seq, "Num RefCount Protocol Flags Type St " + "Inode Path\n"); + else { +- struct sock *s = v; ++ struct sock *s = v, *peer; + struct unix_sock *u = unix_sk(s); unix_state_lock(s); ++ peer = unix_peer(s); ++ unix_state_unlock(s); ++ ++ unix_state_double_lock(s, peer); seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu", +#ifdef CONFIG_GRKERNSEC_HIDESYM @@ -118277,6 +118384,19 @@ index db8d51a..608692d 100644 atomic_read(&s->sk_refcnt), 0, s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0, +@@ -2235,8 +2263,10 @@ static int unix_seq_show(struct seq_file *seq, void *v) + } + for ( ; i < len; i++) + seq_putc(seq, u->addr->name->sun_path[i]); +- } +- unix_state_unlock(s); ++ } else if (peer) ++ seq_printf(seq, " P%lu", sock_i_ino(peer)); ++ ++ unix_state_double_unlock(s, peer); + seq_putc(seq, '\n'); + } + diff --git a/net/wireless/wext.c b/net/wireless/wext.c index a2e4c60..0979cbe 100644 --- a/net/wireless/wext.c diff --git a/3.2.40/0000_README b/3.2.40/0000_README index 173a1e3..6682017 100644 --- a/3.2.40/0000_README +++ b/3.2.40/0000_README @@ -78,7 +78,7 @@ Patch: 1039_linux-3.2.40.patch From: http://www.kernel.org Desc: Linux 3.2.40 -Patch: 4420_grsecurity-2.9.1-3.2.40-201303111844.patch +Patch: 4420_grsecurity-2.9.1-3.2.40-201303142234.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity 
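Review bot: In `unix_seq_show`, `peer` is read with `unix_peer(s)` under `unix_state_lock(s)` and the lock is then dropped before `unix_state_double_lock(s, peer)`, with no reference taken on the peer in the visible lines. If nothing outside the hunk pins it, the peer socket can be released in that window and is then locked and passed to `sock_i_ino(peer)` after it has been freed. Holding a reference across the section closes this: replace the lock/read/unlock triple with `peer = unix_peer_get(s);` and add `if (peer) sock_put(peer);` after `unix_state_double_unlock(s, peer);`. The same sequence is added to the 3.2.40 patch further down, and the function starts and ends outside both hunks.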
diff --git a/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303111844.patch b/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303142234.patch similarity index 99% rename from 3.2.40/4420_grsecurity-2.9.1-3.2.40-201303111844.patch rename to 3.2.40/4420_grsecurity-2.9.1-3.2.40-201303142234.patch index 94cafc4..c85236f 100644 --- a/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303111844.patch +++ b/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303142234.patch @@ -31356,6 +31356,57 @@ index 0833896..cccce52 100644 struct hpet_info *info) { struct hpet_timer __iomem *timer; +diff --git a/drivers/char/hw_random/core.c b/drivers/char/hw_random/core.c +index 1bafb40..69ae597 100644 +--- a/drivers/char/hw_random/core.c ++++ b/drivers/char/hw_random/core.c +@@ -40,6 +40,7 @@ + #include + #include + #include ++#include + #include + + +@@ -52,8 +53,12 @@ static struct hwrng *current_rng; + static LIST_HEAD(rng_list); + static DEFINE_MUTEX(rng_mutex); + static int data_avail; +-static u8 rng_buffer[SMP_CACHE_BYTES < 32 ? 32 : SMP_CACHE_BYTES] +- __cacheline_aligned; ++static u8 *rng_buffer; ++ ++static size_t rng_buffer_size(void) ++{ ++ return SMP_CACHE_BYTES < 32 ? 32 : SMP_CACHE_BYTES; ++} + + static inline int hwrng_init(struct hwrng *rng) + { +@@ -116,7 +121,7 @@ static ssize_t rng_dev_read(struct file *filp, char __user *buf, + + if (!data_avail) { + bytes_read = rng_get_data(current_rng, rng_buffer, +- sizeof(rng_buffer), ++ rng_buffer_size(), + !(filp->f_flags & O_NONBLOCK)); + if (bytes_read < 0) { + err = bytes_read; +@@ -307,6 +312,14 @@ int hwrng_register(struct hwrng *rng) + + mutex_lock(&rng_mutex); + ++ /* kmalloc makes this safe for virt_to_page() in virtio_rng.c */ ++ err = -ENOMEM; ++ if (!rng_buffer) { ++ rng_buffer = kmalloc(rng_buffer_size(), GFP_KERNEL); ++ if (!rng_buffer) ++ goto out_unlock; ++ } ++ + /* Must not register two RNGs with the same name. */ + err = -EEXIST; + list_for_each_entry(tmp, &rng_list, list) { 
diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c index 58c0e63..46c16bf 100644 --- a/drivers/char/ipmi/ipmi_msghandler.c @@ -39411,6 +39462,25 @@ index 546d46b..642fa5b 100644 /* * Queue element to wait for room in request queue. FIFO order is +diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c +index f5b718d..aed7756 100644 +--- a/drivers/scsi/dc395x.c ++++ b/drivers/scsi/dc395x.c +@@ -3747,13 +3747,13 @@ static struct DeviceCtlBlk *device_alloc(struct AdapterCtlBlk *acb, + dcb->max_command = 1; + dcb->target_id = target; + dcb->target_lun = lun; ++ dcb->dev_mode = eeprom->target[target].cfg0; + #ifndef DC395x_NO_DISCONNECT + dcb->identify_msg = + IDENTIFY(dcb->dev_mode & NTC_DO_DISCONNECT, lun); + #else + dcb->identify_msg = IDENTIFY(0, lun); + #endif +- dcb->dev_mode = eeprom->target[target].cfg0; + dcb->inquiry7 = 0; + dcb->sync_mode = 0; + dcb->min_nego_period = clock_period[period_index]; diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c index ee77a58..af9d518 100644 --- a/drivers/scsi/hosts.c 
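Review bot: `hwrng_register` now allocates `rng_buffer` with `kmalloc` on the first registration, but none of the hunks for drivers/char/hw_random/core.c adds a matching `kfree`, so the buffer appears to live until reboot and would leak if this core can be unloaded as a module. If that is intended, say so next to the declaration, e.g. `static u8 *rng_buffer; /* allocated once in hwrng_register(), never freed; protected by rng_mutex */`; otherwise free it in the module exit path, which is outside the hunk. The comment should also record that the buffer lost its `__cacheline_aligned` attribute and now relies on kmalloc's alignment. The `out_unlock` label used by the new error path is not visible here and should be checked to release `rng_mutex` only.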
@@ -41518,6 +41588,75 @@ index d3448ca..d2864ca 100644 if (!left--) { if (instance->disconnected) +diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c +index 97b2c55..fe8c04b 100644 +--- a/drivers/usb/class/cdc-wdm.c ++++ b/drivers/usb/class/cdc-wdm.c +@@ -70,6 +70,7 @@ MODULE_DEVICE_TABLE (usb, wdm_ids); + #define WDM_POLL_RUNNING 6 + #define WDM_RESPONDING 7 + #define WDM_SUSPENDING 8 ++#define WDM_OVERFLOW 10 + + #define WDM_MAX 16 + +@@ -134,6 +135,7 @@ static void wdm_in_callback(struct urb *urb) + { + struct wdm_device *desc = urb->context; + int status = urb->status; ++ int length = urb->actual_length; + + spin_lock(&desc->iuspin); + clear_bit(WDM_RESPONDING, &desc->flags); +@@ -164,9 +166,17 @@ static void wdm_in_callback(struct urb *urb) + } + + desc->rerr = status; +- desc->reslength = urb->actual_length; +- memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength); +- desc->length += desc->reslength; ++ if (length + desc->length > desc->wMaxCommand) { ++ /* The buffer would overflow */ ++ set_bit(WDM_OVERFLOW, &desc->flags); ++ } else { ++ /* we may already be in overflow */ ++ if (!test_bit(WDM_OVERFLOW, &desc->flags)) { ++ memmove(desc->ubuf + desc->length, desc->inbuf, length); ++ desc->length += length; ++ desc->reslength = length; ++ } ++ } + skip_error: + wake_up(&desc->wait); + +@@ -433,6 +443,11 @@ retry: + rv = -ENODEV; + goto err; + } ++ if (test_bit(WDM_OVERFLOW, &desc->flags)) { ++ clear_bit(WDM_OVERFLOW, &desc->flags); ++ rv = -ENOBUFS; ++ goto err; ++ } + i++; + if (file->f_flags & O_NONBLOCK) { + if (!test_bit(WDM_READ, &desc->flags)) { +@@ -472,6 +487,7 @@ retry: + spin_unlock_irq(&desc->iuspin); + goto retry; + } ++ + if (!desc->reslength) { /* zero length read */ + dev_dbg(&desc->intf->dev, "%s: zero length - clearing WDM_READ\n", __func__); + clear_bit(WDM_READ, &desc->flags); +@@ -926,6 +942,7 @@ static int wdm_post_reset(struct usb_interface *intf) + struct wdm_device *desc = usb_get_intfdata(intf); + int 
rv; + ++ clear_bit(WDM_OVERFLOW, &desc->flags); + rv = recover_from_urb_loss(desc); + mutex_unlock(&desc->wlock); + mutex_unlock(&desc->rlock); diff --git a/drivers/usb/core/devices.c b/drivers/usb/core/devices.c index 3440812..2a4ef1f 100644 --- a/drivers/usb/core/devices.c @@ -46496,10 +46635,22 @@ index 84e8c07..6170d31 100644 } } diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c -index b1451af..9a30647 100644 +index b1451af..72c6542 100644 --- a/fs/cifs/cifsfs.c +++ b/fs/cifs/cifsfs.c -@@ -989,7 +989,7 @@ cifs_init_request_bufs(void) +@@ -561,6 +561,11 @@ cifs_get_root(struct smb_vol *vol, struct super_block *sb) + dentry = ERR_PTR(-ENOENT); + break; + } ++ if (!S_ISDIR(dir->i_mode)) { ++ dput(dentry); ++ dentry = ERR_PTR(-ENOTDIR); ++ break; ++ } + + /* skip separators */ + while (*s == sep) +@@ -989,7 +994,7 @@ cifs_init_request_bufs(void) cifs_req_cachep = kmem_cache_create("cifs_request", CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, 0, @@ -46508,7 +46659,7 @@ index b1451af..9a30647 100644 if (cifs_req_cachep == NULL) return -ENOMEM; -@@ -1016,7 +1016,7 @@ cifs_init_request_bufs(void) +@@ -1016,7 +1021,7 @@ cifs_init_request_bufs(void) efficient to alloc 1 per page off the slab compared to 17K (5page) alloc of large cifs buffers even when page debugging is on */ cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq", @@ -46517,7 +46668,7 @@ index b1451af..9a30647 100644 NULL); if (cifs_sm_req_cachep == NULL) { mempool_destroy(cifs_req_poolp); -@@ -1101,8 +1101,8 @@ init_cifs(void) +@@ -1101,8 +1106,8 @@ init_cifs(void) atomic_set(&bufAllocCount, 0); atomic_set(&smBufAllocCount, 0); #ifdef CONFIG_CIFS_STATS2 @@ -46710,7 +46861,7 @@ index 6901578..d402eb5 100644 return hit; diff --git a/fs/compat.c b/fs/compat.c -index e07a3d3..1b4dfbb 100644 +index e07a3d3..d33d8b7 100644 --- a/fs/compat.c +++ b/fs/compat.c @@ -132,8 +132,8 @@ asmlinkage long compat_sys_utimes(const char __user *filename, struct compat_tim 
@@ -46742,7 +46893,18 @@ index e07a3d3..1b4dfbb 100644 goto out; if (nr_segs > fast_segs) { ret = -ENOMEM; -@@ -845,6 +845,7 @@ struct compat_old_linux_dirent { +@@ -572,6 +572,10 @@ ssize_t compat_rw_copy_check_uvector(int type, + } + *ret_pointer = iov; + ++ ret = -EFAULT; ++ if (!access_ok(VERIFY_READ, uvector, nr_segs*sizeof(*uvector))) ++ goto out; ++ + /* + * Single unix specification: + * We should -EINVAL if an element length is not >= 0 and fitting an +@@ -845,6 +849,7 @@ struct compat_old_linux_dirent { struct compat_readdir_callback { struct compat_old_linux_dirent __user *dirent; @@ -46750,7 +46912,7 @@ index e07a3d3..1b4dfbb 100644 int result; }; -@@ -862,6 +863,10 @@ static int compat_fillonedir(void *__buf, const char *name, int namlen, +@@ -862,6 +867,10 @@ static int compat_fillonedir(void *__buf, const char *name, int namlen, buf->result = -EOVERFLOW; return -EOVERFLOW; } @@ -46761,7 +46923,7 @@ index e07a3d3..1b4dfbb 100644 buf->result++; dirent = buf->dirent; if (!access_ok(VERIFY_WRITE, dirent, -@@ -894,6 +899,7 @@ asmlinkage long compat_sys_old_readdir(unsigned int fd, +@@ -894,6 +903,7 @@ asmlinkage long compat_sys_old_readdir(unsigned int fd, buf.result = 0; buf.dirent = dirent; @@ -46769,7 +46931,7 @@ index e07a3d3..1b4dfbb 100644 error = vfs_readdir(file, compat_fillonedir, &buf); if (buf.result) -@@ -914,6 +920,7 @@ struct compat_linux_dirent { +@@ -914,6 +924,7 @@ struct compat_linux_dirent { struct compat_getdents_callback { struct compat_linux_dirent __user *current_dir; struct compat_linux_dirent __user *previous; @@ -46777,7 +46939,7 @@ index e07a3d3..1b4dfbb 100644 int count; int error; }; -@@ -935,6 +942,10 @@ static int compat_filldir(void *__buf, const char *name, int namlen, +@@ -935,6 +946,10 @@ static int compat_filldir(void *__buf, const char *name, int namlen, buf->error = -EOVERFLOW; return -EOVERFLOW; } 
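Review bot: The `access_ok()` check moved into `compat_rw_copy_check_uvector` sits after `*ret_pointer = iov;`, so an `-EFAULT` return can now hand the caller an array that was allocated for the `nr_segs > fast_segs` case just above. Every caller therefore has to run its free path on negative returns, which is what the later hunks do for `compat_do_readv_writev`, `compat_process_vm_rw` and `compat_keyctl_instantiate_key_iov` (the new `err:` label there relies on `iov` starting out equal to `iovstack`, which is outside that hunk). That ownership rule is not written down anywhere in the visible code; I would add above the function something like `/* On every return, including errors, *ret_pointer may be a kmalloc'd array; the caller frees it when it is not the stack array it passed in. */`. It is also worth stating in that comment that the `nr_segs*sizeof(*uvector)` product is safe only because `nr_segs` has already been bounded earlier in the function.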
@@ -46788,7 +46950,7 @@ index e07a3d3..1b4dfbb 100644 dirent = buf->previous; if (dirent) { if (__put_user(offset, &dirent->d_off)) -@@ -982,6 +993,7 @@ asmlinkage long compat_sys_getdents(unsigned int fd, +@@ -982,6 +997,7 @@ asmlinkage long compat_sys_getdents(unsigned int fd, buf.previous = NULL; buf.count = count; buf.error = 0; @@ -46796,7 +46958,7 @@ index e07a3d3..1b4dfbb 100644 error = vfs_readdir(file, compat_filldir, &buf); if (error >= 0) -@@ -1003,6 +1015,7 @@ out: +@@ -1003,6 +1019,7 @@ out: struct compat_getdents_callback64 { struct linux_dirent64 __user *current_dir; struct linux_dirent64 __user *previous; @@ -46804,7 +46966,7 @@ index e07a3d3..1b4dfbb 100644 int count; int error; }; -@@ -1019,6 +1032,10 @@ static int compat_filldir64(void * __buf, const char * name, int namlen, loff_t +@@ -1019,6 +1036,10 @@ static int compat_filldir64(void * __buf, const char * name, int namlen, loff_t buf->error = -EINVAL; /* only used if we fail.. */ if (reclen > buf->count) return -EINVAL; @@ -46815,7 +46977,7 @@ index e07a3d3..1b4dfbb 100644 dirent = buf->previous; if (dirent) { -@@ -1070,13 +1087,14 @@ asmlinkage long compat_sys_getdents64(unsigned int fd, +@@ -1070,13 +1091,14 @@ asmlinkage long compat_sys_getdents64(unsigned int fd, buf.previous = NULL; buf.count = count; buf.error = 0; @@ -46831,6 +46993,27 @@ index e07a3d3..1b4dfbb 100644 if (__put_user_unaligned(d_off, &lastdirent->d_off)) error = -EFAULT; else +@@ -1103,17 +1125,12 @@ static ssize_t compat_do_readv_writev(int type, struct file *file, + if (!file->f_op) + goto out; + +- ret = -EFAULT; +- if (!access_ok(VERIFY_READ, uvector, nr_segs*sizeof(*uvector))) +- goto out; +- +- tot_len = compat_rw_copy_check_uvector(type, uvector, nr_segs, ++ ret = compat_rw_copy_check_uvector(type, uvector, nr_segs, + UIO_FASTIOV, iovstack, &iov, 1); +- if (tot_len == 0) { +- ret = 0; ++ if (ret <= 0) + goto out; +- } + ++ tot_len = ret; + ret = rw_verify_area(type, file, pos, tot_len); + if (ret < 0) + goto out; 
diff --git a/fs/compat_binfmt_elf.c b/fs/compat_binfmt_elf.c index 112e45a..b59845b 100644 --- a/fs/compat_binfmt_elf.c @@ -50853,7 +51036,7 @@ index 1c98f53..41e6a04 100644 nilfs->ns_crc_seed = le32_to_cpu(sbp->s_crc_seed); return 0; diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c -index 44a88a9..0eb059e 100644 +index 44a88a9..0eb059ec 100644 --- a/fs/nls/nls_base.c +++ b/fs/nls/nls_base.c @@ -114,34 +114,57 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxlen) @@ -51274,7 +51457,7 @@ index bd8ae78..539d250 100644 ldm_crit ("Out of memory."); return false; diff --git a/fs/pipe.c b/fs/pipe.c -index 05ed5ca..ab15592 100644 +index 05ed5ca..d1f8b8a 100644 --- a/fs/pipe.c +++ b/fs/pipe.c @@ -437,9 +437,9 @@ redo: @@ -51369,7 +51552,15 @@ index 05ed5ca..ab15592 100644 } mutex_unlock(&inode->i_mutex); -@@ -864,9 +864,9 @@ pipe_rdwr_open(struct inode *inode, struct file *filp) +@@ -859,14 +859,17 @@ pipe_rdwr_open(struct inode *inode, struct file *filp) + { + int ret = -ENOENT; + ++ if (!(filp->f_mode & (FMODE_READ|FMODE_WRITE))) ++ return -EINVAL; ++ + mutex_lock(&inode->i_mutex); + if (inode->i_pipe) { ret = 0; if (filp->f_mode & FMODE_READ) @@ -51381,7 +51572,7 @@ index 05ed5ca..ab15592 100644 } mutex_unlock(&inode->i_mutex); -@@ -958,7 +958,7 @@ void free_pipe_info(struct inode *inode) +@@ -958,7 +961,7 @@ void free_pipe_info(struct inode *inode) inode->i_pipe = NULL; } @@ -51390,7 +51581,7 @@ index 05ed5ca..ab15592 100644 /* * pipefs_dname() is called from d_path(). -@@ -988,7 +988,8 @@ static struct inode * get_pipe_inode(void) +@@ -988,7 +991,8 @@ static struct inode * get_pipe_inode(void) goto fail_iput; inode->i_pipe = pipe; @@ -78940,7 +79131,7 @@ index 5c29750..99f6386 100644 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */ diff --git a/mm/process_vm_access.c b/mm/process_vm_access.c -index e920aa3..137702a 100644 +index e920aa3..38e1f43 100644 --- a/mm/process_vm_access.c +++ b/mm/process_vm_access.c @@ -13,6 +13,7 @@ 
@@ -79012,6 +79203,28 @@ index e920aa3..137702a 100644 for (i = 0; i < riovcnt && iov_l_curr_idx < liovcnt; i++) { rc = process_vm_rw_single_vec( (unsigned long)rvec[i].iov_base, rvec[i].iov_len, +@@ -434,12 +435,6 @@ compat_process_vm_rw(compat_pid_t pid, + if (flags != 0) + return -EINVAL; + +- if (!access_ok(VERIFY_READ, lvec, liovcnt * sizeof(*lvec))) +- goto out; +- +- if (!access_ok(VERIFY_READ, rvec, riovcnt * sizeof(*rvec))) +- goto out; +- + if (vm_write) + rc = compat_rw_copy_check_uvector(WRITE, lvec, liovcnt, + UIO_FASTIOV, iovstack_l, +@@ -464,8 +459,6 @@ free_iovecs: + kfree(iov_r); + if (iov_l != iovstack_l) + kfree(iov_l); +- +-out: + return rc; + } + diff --git a/mm/rmap.c b/mm/rmap.c index 8685697..b490361 100644 --- a/mm/rmap.c @@ -85086,7 +85299,7 @@ index 1983717..4d6102c 100644 sub->evt.event = htohl(event, sub->swap); diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 317bfe3..6786706 100644 +index 317bfe3..342dd43 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -767,6 +767,12 @@ static struct sock *unix_find_other(struct net *net, @@ -85135,6 +85348,34 @@ index 317bfe3..6786706 100644 mutex_unlock(&path.dentry->d_inode->i_mutex); dput(path.dentry); path.dentry = dentry; +@@ -2261,9 +2281,13 @@ static int unix_seq_show(struct seq_file *seq, void *v) + seq_puts(seq, "Num RefCount Protocol Flags Type St " + "Inode Path\n"); + else { +- struct sock *s = v; ++ struct sock *s = v, *peer; + struct unix_sock *u = unix_sk(s); + unix_state_lock(s); ++ peer = unix_peer(s); ++ unix_state_unlock(s); ++ ++ unix_state_double_lock(s, peer); + + seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu", + s, +@@ -2290,8 +2314,10 @@ static int unix_seq_show(struct seq_file *seq, void *v) + } + for ( ; i < len; i++) + seq_putc(seq, u->addr->name->sun_path[i]); +- } +- unix_state_unlock(s); ++ } else if (peer) ++ seq_printf(seq, " P%lu", sock_i_ino(peer)); ++ ++ unix_state_double_unlock(s, peer); + seq_putc(seq, '\n'); + } + 
diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c index 0af7f54..c916d2f 100644 --- a/net/wireless/wext-core.c @@ -86797,18 +87038,25 @@ index 55a6271..ad829c3 100644 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]); return 0; diff --git a/security/keys/compat.c b/security/keys/compat.c -index 4c48e13..7abdac9 100644 +index 4c48e13..6ba5dc8 100644 --- a/security/keys/compat.c +++ b/security/keys/compat.c -@@ -44,7 +44,7 @@ long compat_keyctl_instantiate_key_iov( +@@ -40,12 +40,13 @@ long compat_keyctl_instantiate_key_iov( + ARRAY_SIZE(iovstack), + iovstack, &iov, 1); + if (ret < 0) +- return ret; ++ goto err; if (ret == 0) goto no_payload_free; - ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid); + ret = keyctl_instantiate_key_common(id, (const struct iovec __force_user *)iov, ioc, ret, ringid); ++err: if (iov != iovstack) kfree(iov); + return ret; diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 0b3f5d7..892c8a6 100644 --- a/security/keys/keyctl.c diff --git a/3.8.2/0000_README b/3.8.2/0000_README index 3b4b3f3..43053f3 100644 --- a/3.8.2/0000_README +++ b/3.8.2/0000_README @@ -6,7 +6,7 @@ Patch: 1001_linux-3.8.1.patch From: http://www.kernel.org Desc: Linux 3.8.1 -Patch: 4420_grsecurity-2.9.1-3.8.2-201303111845.patch +Patch: 4420_grsecurity-2.9.1-3.8.3-201303142235.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.8.2/4420_grsecurity-2.9.1-3.8.2-201303111845.patch b/3.8.2/4420_grsecurity-2.9.1-3.8.3-201303142235.patch similarity index 99% rename from 3.8.2/4420_grsecurity-2.9.1-3.8.2-201303111845.patch rename to 3.8.2/4420_grsecurity-2.9.1-3.8.3-201303142235.patch index e088f8a..ef25e2b 100644 --- a/3.8.2/4420_grsecurity-2.9.1-3.8.2-201303111845.patch +++ b/3.8.2/4420_grsecurity-2.9.1-3.8.3-201303142235.patch @@ -259,7 +259,7 @@ index 986614d..e8bfedc 100644 pcd. [PARIDE] 
diff --git a/Makefile b/Makefile -index 20d5318..d5cec9c 100644 +index 8c49fc9b..9a2af09 100644 --- a/Makefile +++ b/Makefile @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -1540,13 +1540,13 @@ index 7eb18c1..e38b6d2 100644 #include diff --git a/arch/arm/include/asm/delay.h b/arch/arm/include/asm/delay.h -index ab98fdd..6b19938 100644 +index 720799f..2f67631 100644 --- a/arch/arm/include/asm/delay.h +++ b/arch/arm/include/asm/delay.h -@@ -24,9 +24,9 @@ extern struct arm_delay_ops { - void (*delay)(unsigned long); +@@ -25,9 +25,9 @@ extern struct arm_delay_ops { void (*const_udelay)(unsigned long); void (*udelay)(unsigned long); + bool const_clock; -} arm_delay_ops; +} *arm_delay_ops; @@ -1555,7 +1555,7 @@ index ab98fdd..6b19938 100644 /* * This function intentionally does not exist; if you see references to -@@ -47,8 +47,8 @@ extern void __bad_udelay(void); +@@ -48,8 +48,8 @@ extern void __bad_udelay(void); * first constant multiplications gets optimized away if the delay is * a constant) */ @@ -1977,7 +1977,7 @@ index a3f3792..7b932a6 100644 #define L_PTE_DIRTY_HIGH (1 << (55 - 32)) diff --git a/arch/arm/include/asm/pgtable.h b/arch/arm/include/asm/pgtable.h -index 9c82f988..514705a 100644 +index c094749..fd8272e 100644 --- a/arch/arm/include/asm/pgtable.h +++ b/arch/arm/include/asm/pgtable.h @@ -30,6 +30,9 @@ 
@@ -2062,12 +2062,13 @@ index 9c82f988..514705a 100644 */ #define _L_PTE_DEFAULT L_PTE_PRESENT | L_PTE_YOUNG -@@ -240,7 +290,7 @@ static inline pte_t pte_mkspecial(pte_t pte) { return pte; } +@@ -240,8 +290,7 @@ static inline pte_t pte_mkspecial(pte_t pte) { return pte; } static inline pte_t pte_modify(pte_t pte, pgprot_t newprot) { -- const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER | L_PTE_NONE; -+ const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER | L_PTE_NONE | __supported_pte_mask; +- const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER | +- L_PTE_NONE | L_PTE_VALID; ++ const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER | L_PTE_NONE | L_PTE_VALID | __supported_pte_mask; pte_val(pte) = (pte_val(pte) & ~mask) | (pgprot_val(newprot) & mask); return pte; } @@ -2723,7 +2724,7 @@ index 2adda11..7fbe958 100644 flush_icache_range(0xffff001c, 0xffff001c + length); if (!vectors_high()) diff --git a/arch/arm/kernel/head.S b/arch/arm/kernel/head.S -index 486a15a..2d6880e 100644 +index e0eb9a1..c7d74a3 100644 --- a/arch/arm/kernel/head.S +++ b/arch/arm/kernel/head.S @@ -52,7 +52,9 @@ @@ -2737,7 +2738,7 @@ index 486a15a..2d6880e 100644 .endm /* -@@ -416,7 +418,7 @@ __enable_mmu: +@@ -434,7 +436,7 @@ __enable_mmu: mov r5, #(domain_val(DOMAIN_USER, DOMAIN_MANAGER) | \ domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \ domain_val(DOMAIN_TABLE, DOMAIN_MANAGER) | \ @@ -2967,7 +2968,7 @@ index 3f6cbb2..6d856f5 100644 #ifdef MULTI_TLB cpu_tlb = *list->tlb; diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c -index 84f4cbf..672f5b8 100644 +index 58af91c..343ce99 100644 --- a/arch/arm/kernel/smp.c +++ b/arch/arm/kernel/smp.c @@ -70,7 +70,7 @@ enum ipi_msg_type { @@ -3196,7 +3197,7 @@ index 7d08b43..f7ca7ea 100644 #include "csumpartialcopygeneric.S" diff --git a/arch/arm/lib/delay.c b/arch/arm/lib/delay.c -index 0dc5385..45833ef 100644 +index 6b93f6a..88d9b64 100644 --- a/arch/arm/lib/delay.c +++ b/arch/arm/lib/delay.c @@ -28,12 +28,14 @@ 
@@ -3215,7 +3216,7 @@ index 0dc5385..45833ef 100644 static const struct delay_timer *delay_timer; static bool delay_calibrated; -@@ -67,6 +69,12 @@ static void __timer_udelay(unsigned long usecs) +@@ -67,6 +69,13 @@ static void __timer_udelay(unsigned long usecs) __timer_const_udelay(usecs * UDELAY_MULT); } @@ -3223,18 +3224,20 @@ index 0dc5385..45833ef 100644 + .delay = __timer_delay, + .const_udelay = __timer_const_udelay, + .udelay = __timer_udelay, ++ .const_clock = true, +}; + void __init register_current_timer_delay(const struct delay_timer *timer) { if (!delay_calibrated) { -@@ -74,9 +82,7 @@ void __init register_current_timer_delay(const struct delay_timer *timer) +@@ -74,10 +83,7 @@ void __init register_current_timer_delay(const struct delay_timer *timer) delay_timer = timer; lpj_fine = timer->freq / HZ; loops_per_jiffy = lpj_fine; - arm_delay_ops.delay = __timer_delay; - arm_delay_ops.const_udelay = __timer_const_udelay; - arm_delay_ops.udelay = __timer_udelay; +- arm_delay_ops.const_clock = true; + arm_delay_ops = &arm_timer_delay_ops; delay_calibrated = true; } else { 
@@ -3302,6 +3305,53 @@ index 0abb30f..54064da 100644 .late_init = n8x0_menelaus_late_init, }; +diff --git a/arch/arm/mach-omap2/gpmc.c b/arch/arm/mach-omap2/gpmc.c +index 8033cb7..2f7cb62 100644 +--- a/arch/arm/mach-omap2/gpmc.c ++++ b/arch/arm/mach-omap2/gpmc.c +@@ -139,7 +139,6 @@ struct omap3_gpmc_regs { + }; + + static struct gpmc_client_irq gpmc_client_irq[GPMC_NR_IRQ]; +-static struct irq_chip gpmc_irq_chip; + static unsigned gpmc_irq_start; + + static struct resource gpmc_mem_root; +@@ -700,6 +699,18 @@ static void gpmc_irq_noop(struct irq_data *data) { } + + static unsigned int gpmc_irq_noop_ret(struct irq_data *data) { return 0; } + ++static struct irq_chip gpmc_irq_chip = { ++ .name = "gpmc", ++ .irq_startup = gpmc_irq_noop_ret, ++ .irq_enable = gpmc_irq_enable, ++ .irq_disable = gpmc_irq_disable, ++ .irq_shutdown = gpmc_irq_noop, ++ .irq_ack = gpmc_irq_noop, ++ .irq_mask = gpmc_irq_noop, ++ .irq_unmask = gpmc_irq_noop, ++ ++}; ++ + static int gpmc_setup_irq(void) + { + int i; +@@ -714,15 +725,6 @@ static int gpmc_setup_irq(void) + return gpmc_irq_start; + } + +- gpmc_irq_chip.name = "gpmc"; +- gpmc_irq_chip.irq_startup = gpmc_irq_noop_ret; +- gpmc_irq_chip.irq_enable = gpmc_irq_enable; +- gpmc_irq_chip.irq_disable = gpmc_irq_disable; +- gpmc_irq_chip.irq_shutdown = gpmc_irq_noop; +- gpmc_irq_chip.irq_ack = gpmc_irq_noop; +- gpmc_irq_chip.irq_mask = gpmc_irq_noop; +- gpmc_irq_chip.irq_unmask = gpmc_irq_noop; +- + gpmc_client_irq[0].bitmask = GPMC_IRQ_FIFOEVENTENABLE; + gpmc_client_irq[1].bitmask = GPMC_IRQ_COUNT_EVENT; + diff --git a/arch/arm/mach-omap2/omap-wakeupgen.c b/arch/arm/mach-omap2/omap-wakeupgen.c index 5d3b4f4..ddba3c0 100644 --- a/arch/arm/mach-omap2/omap-wakeupgen.c 
@@ -3315,6 +3365,49 @@ index 5d3b4f4..ddba3c0 100644 .notifier_call = irq_cpu_hotplug_notify, }; +diff --git a/arch/arm/mach-omap2/omap_device.c b/arch/arm/mach-omap2/omap_device.c +index e065daa..7b1ad9b 100644 +--- a/arch/arm/mach-omap2/omap_device.c ++++ b/arch/arm/mach-omap2/omap_device.c +@@ -686,7 +686,7 @@ void omap_device_delete(struct omap_device *od) + * passes along the return value of omap_device_build_ss(). + */ + struct platform_device __init *omap_device_build(const char *pdev_name, int pdev_id, +- struct omap_hwmod *oh, void *pdata, ++ struct omap_hwmod *oh, const void *pdata, + int pdata_len, + struct omap_device_pm_latency *pm_lats, + int pm_lats_cnt, int is_early_device) +@@ -720,7 +720,7 @@ struct platform_device __init *omap_device_build(const char *pdev_name, int pdev + */ + struct platform_device __init *omap_device_build_ss(const char *pdev_name, int pdev_id, + struct omap_hwmod **ohs, int oh_cnt, +- void *pdata, int pdata_len, ++ const void *pdata, int pdata_len, + struct omap_device_pm_latency *pm_lats, + int pm_lats_cnt, int is_early_device) + { +diff --git a/arch/arm/mach-omap2/omap_device.h b/arch/arm/mach-omap2/omap_device.h +index 0933c59..42b8e2d 100644 +--- a/arch/arm/mach-omap2/omap_device.h ++++ b/arch/arm/mach-omap2/omap_device.h +@@ -91,14 +91,14 @@ int omap_device_shutdown(struct platform_device *pdev); + /* Core code interface */ + + struct platform_device *omap_device_build(const char *pdev_name, int pdev_id, +- struct omap_hwmod *oh, void *pdata, ++ struct omap_hwmod *oh, const void *pdata, + int pdata_len, + struct omap_device_pm_latency *pm_lats, + int pm_lats_cnt, int is_early_device); + + struct platform_device *omap_device_build_ss(const char *pdev_name, int pdev_id, + struct omap_hwmod **oh, int oh_cnt, +- void *pdata, int pdata_len, ++ const void *pdata, int pdata_len, + struct omap_device_pm_latency *pm_lats, + int pm_lats_cnt, int is_early_device); + 
diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c index 4653efb..8c60bf7 100644 --- a/arch/arm/mach-omap2/omap_hwmod.c @@ -4118,19 +4211,6 @@ index a5bc92d..0bb4730 100644 omap_sram_size - omap_sram_skip); + pax_close_kernel(); } -diff --git a/arch/arm/plat-orion/include/plat/addr-map.h b/arch/arm/plat-orion/include/plat/addr-map.h -index b76c065..b6e766b 100644 ---- a/arch/arm/plat-orion/include/plat/addr-map.h -+++ b/arch/arm/plat-orion/include/plat/addr-map.h -@@ -27,7 +27,7 @@ struct orion_addr_map_cfg { - value in bridge_virt_base */ - void __iomem *(*win_cfg_base) (const struct orion_addr_map_cfg *cfg, - const int win); --}; -+} __no_const; - - /* - * Information needed to setup one address mapping. diff --git a/arch/arm/plat-samsung/include/plat/dma-ops.h b/arch/arm/plat-samsung/include/plat/dma-ops.h index f5144cd..71f6d1f 100644 --- a/arch/arm/plat-samsung/include/plat/dma-ops.h @@ -21922,7 +22002,7 @@ index b629bbe..0fa615a 100644 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) diff --git a/arch/x86/kernel/pvclock.c b/arch/x86/kernel/pvclock.c -index 85c3959..76b89f9 100644 +index 2cb9470..ff1fd80 100644 --- a/arch/x86/kernel/pvclock.c +++ b/arch/x86/kernel/pvclock.c @@ -43,11 +43,11 @@ unsigned long pvclock_tsc_khz(struct pvclock_vcpu_time_info *src) @@ -30565,10 +30645,10 @@ index 431e875..cbb23f3 100644 -} -__setup("vdso=", vdso_setup); diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c -index e014092..c76ab69 100644 +index 2262003..f229ced 100644 --- a/arch/x86/xen/enlighten.c +++ b/arch/x86/xen/enlighten.c -@@ -99,8 +99,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); +@@ -100,8 +100,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); struct shared_info xen_dummy_shared_info; 
@@ -30577,7 +30657,7 @@ index e014092..c76ab69 100644 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE); __read_mostly int xen_have_vector_callback; EXPORT_SYMBOL_GPL(xen_have_vector_callback); -@@ -495,8 +493,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr) +@@ -496,8 +494,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr) { unsigned long va = dtr->address; unsigned int size = dtr->size + 1; @@ -30587,7 +30667,7 @@ index e014092..c76ab69 100644 int f; /* -@@ -544,8 +541,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) +@@ -545,8 +542,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr) { unsigned long va = dtr->address; unsigned int size = dtr->size + 1; @@ -30597,7 +30677,7 @@ index e014092..c76ab69 100644 int f; /* -@@ -938,7 +934,7 @@ static u32 xen_safe_apic_wait_icr_idle(void) +@@ -939,7 +935,7 @@ static u32 xen_safe_apic_wait_icr_idle(void) return 0; } @@ -30606,7 +30686,7 @@ index e014092..c76ab69 100644 { apic->read = xen_apic_read; apic->write = xen_apic_write; -@@ -1244,30 +1240,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { +@@ -1245,30 +1241,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { #endif }; @@ -30644,7 +30724,7 @@ index e014092..c76ab69 100644 { if (pm_power_off) pm_power_off(); -@@ -1369,7 +1365,17 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1370,7 +1366,17 @@ asmlinkage void __init xen_start_kernel(void) __userpte_alloc_gfp &= ~__GFP_HIGHMEM; /* Work out if we support NX */ @@ -30663,7 +30743,7 @@ index e014092..c76ab69 100644 xen_setup_features(); -@@ -1398,14 +1404,7 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1399,14 +1405,7 @@ asmlinkage void __init xen_start_kernel(void) pv_mmu_ops.ptep_modify_prot_commit = xen_ptep_modify_prot_commit; } 
@@ -30679,7 +30759,7 @@ index e014092..c76ab69 100644 xen_smp_init(); -@@ -1590,7 +1589,7 @@ static int __cpuinit xen_hvm_cpu_notify(struct notifier_block *self, +@@ -1598,7 +1597,7 @@ static int __cpuinit xen_hvm_cpu_notify(struct notifier_block *self, return NOTIFY_OK; } 
@@ -31090,93 +31170,6 @@ index 9a87daa..fb17486 100644 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len)) goto error; -diff --git a/crypto/ablkcipher.c b/crypto/ablkcipher.c -index 533de95..7d4a8d2 100644 ---- a/crypto/ablkcipher.c -+++ b/crypto/ablkcipher.c -@@ -388,9 +388,9 @@ static int crypto_ablkcipher_report(struct sk_buff *skb, struct crypto_alg *alg) - { - struct crypto_report_blkcipher rblkcipher; - -- snprintf(rblkcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "ablkcipher"); -- snprintf(rblkcipher.geniv, CRYPTO_MAX_ALG_NAME, "%s", -- alg->cra_ablkcipher.geniv ?: ""); -+ strncpy(rblkcipher.type, "ablkcipher", sizeof(rblkcipher.type)); -+ strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "", -+ sizeof(rblkcipher.geniv)); - - rblkcipher.blocksize = alg->cra_blocksize; - rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize; -@@ -469,9 +469,9 @@ static int crypto_givcipher_report(struct sk_buff *skb, struct crypto_alg *alg) - { - struct crypto_report_blkcipher rblkcipher; - -- snprintf(rblkcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "givcipher"); -- snprintf(rblkcipher.geniv, CRYPTO_MAX_ALG_NAME, "%s", -- alg->cra_ablkcipher.geniv ?: ""); -+ strncpy(rblkcipher.type, "givcipher", sizeof(rblkcipher.type)); -+ strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "", -+ sizeof(rblkcipher.geniv)); - - rblkcipher.blocksize = alg->cra_blocksize; - rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize; -diff --git a/crypto/aead.c b/crypto/aead.c -index 0b8121e..27bc487 100644 ---- a/crypto/aead.c -+++ b/crypto/aead.c -@@ -117,9 +117,8 @@ static int crypto_aead_report(struct sk_buff *skb, struct crypto_alg *alg) - struct crypto_report_aead raead; - struct aead_alg *aead = &alg->cra_aead; - -- snprintf(raead.type, CRYPTO_MAX_ALG_NAME, "%s", "aead"); -- snprintf(raead.geniv, CRYPTO_MAX_ALG_NAME, "%s", -- aead->geniv ?: ""); -+ strncpy(raead.type, "aead", sizeof(raead.type)); -+ strncpy(raead.geniv, aead->geniv ?: "", sizeof(raead.geniv)); - - 
raead.blocksize = alg->cra_blocksize; - raead.maxauthsize = aead->maxauthsize; -@@ -203,8 +202,8 @@ static int crypto_nivaead_report(struct sk_buff *skb, struct crypto_alg *alg) - struct crypto_report_aead raead; - struct aead_alg *aead = &alg->cra_aead; - -- snprintf(raead.type, CRYPTO_MAX_ALG_NAME, "%s", "nivaead"); -- snprintf(raead.geniv, CRYPTO_MAX_ALG_NAME, "%s", aead->geniv); -+ strncpy(raead.type, "nivaead", sizeof(raead.type)); -+ strncpy(raead.geniv, aead->geniv, sizeof(raead.geniv)); - - raead.blocksize = alg->cra_blocksize; - raead.maxauthsize = aead->maxauthsize; -diff --git a/crypto/ahash.c b/crypto/ahash.c -index 3887856..793a27f 100644 ---- a/crypto/ahash.c -+++ b/crypto/ahash.c -@@ -404,7 +404,7 @@ static int crypto_ahash_report(struct sk_buff *skb, struct crypto_alg *alg) - { - struct crypto_report_hash rhash; - -- snprintf(rhash.type, CRYPTO_MAX_ALG_NAME, "%s", "ahash"); -+ strncpy(rhash.type, "ahash", sizeof(rhash.type)); - - rhash.blocksize = alg->cra_blocksize; - rhash.digestsize = __crypto_hash_alg_common(alg)->digestsize; -diff --git a/crypto/blkcipher.c b/crypto/blkcipher.c -index a8d85a1..c44e014 100644 ---- a/crypto/blkcipher.c -+++ b/crypto/blkcipher.c -@@ -499,9 +499,9 @@ static int crypto_blkcipher_report(struct sk_buff *skb, struct crypto_alg *alg) - { - struct crypto_report_blkcipher rblkcipher; - -- snprintf(rblkcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "blkcipher"); -- snprintf(rblkcipher.geniv, CRYPTO_MAX_ALG_NAME, "%s", -- alg->cra_blkcipher.geniv ?: ""); -+ strncpy(rblkcipher.type, "blkcipher", sizeof(rblkcipher.type)); -+ strncpy(rblkcipher.geniv, alg->cra_blkcipher.geniv ?: "", -+ sizeof(rblkcipher.geniv)); - - rblkcipher.blocksize = alg->cra_blocksize; - rblkcipher.min_keysize = alg->cra_blkcipher.min_keysize; diff --git a/crypto/cryptd.c b/crypto/cryptd.c index 7bdd61b..afec999 100644 --- a/crypto/cryptd.c @@ -31200,7 +31193,7 @@ index 7bdd61b..afec999 100644 static void cryptd_queue_worker(struct work_struct *work); 
diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c -index 35d700a..dfd511f 100644 +index f6d9baf..dfd511f 100644 --- a/crypto/crypto_user.c +++ b/crypto/crypto_user.c @@ -30,6 +30,8 @@ 
@@ -31212,55 +31205,6 @@ index 35d700a..dfd511f 100644 static DEFINE_MUTEX(crypto_cfg_mutex); /* The crypto netlink socket */ -@@ -75,7 +77,7 @@ static int crypto_report_cipher(struct sk_buff *skb, struct crypto_alg *alg) - { - struct crypto_report_cipher rcipher; - -- snprintf(rcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "cipher"); -+ strncpy(rcipher.type, "cipher", sizeof(rcipher.type)); - - rcipher.blocksize = alg->cra_blocksize; - rcipher.min_keysize = alg->cra_cipher.cia_min_keysize; -@@ -94,8 +96,7 @@ static int crypto_report_comp(struct sk_buff *skb, struct crypto_alg *alg) - { - struct crypto_report_comp rcomp; - -- snprintf(rcomp.type, CRYPTO_MAX_ALG_NAME, "%s", "compression"); -- -+ strncpy(rcomp.type, "compression", sizeof(rcomp.type)); - if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS, - sizeof(struct crypto_report_comp), &rcomp)) - goto nla_put_failure; -@@ -108,12 +109,14 @@ nla_put_failure: - static int crypto_report_one(struct crypto_alg *alg, - struct crypto_user_alg *ualg, struct sk_buff *skb) - { -- memcpy(&ualg->cru_name, &alg->cra_name, sizeof(ualg->cru_name)); -- memcpy(&ualg->cru_driver_name, &alg->cra_driver_name, -- sizeof(ualg->cru_driver_name)); -- memcpy(&ualg->cru_module_name, module_name(alg->cra_module), -- CRYPTO_MAX_ALG_NAME); -+ strncpy(ualg->cru_name, alg->cra_name, sizeof(ualg->cru_name)); -+ strncpy(ualg->cru_driver_name, alg->cra_driver_name, -+ sizeof(ualg->cru_driver_name)); -+ strncpy(ualg->cru_module_name, module_name(alg->cra_module), -+ sizeof(ualg->cru_module_name)); - -+ ualg->cru_type = 0; -+ ualg->cru_mask = 0; - ualg->cru_flags = alg->cra_flags; - ualg->cru_refcnt = atomic_read(&alg->cra_refcnt); - -@@ -122,8 +125,7 @@ static int crypto_report_one(struct crypto_alg *alg, - if (alg->cra_flags & CRYPTO_ALG_LARVAL) { - struct crypto_report_larval rl; - -- snprintf(rl.type, CRYPTO_MAX_ALG_NAME, "%s", "larval"); -- -+ strncpy(rl.type, "larval", sizeof(rl.type)); - if (nla_put(skb, CRYPTOCFGA_REPORT_LARVAL, - sizeof(struct 
crypto_report_larval), &rl)) - goto nla_put_failure; @@ -196,7 +198,10 @@ static int crypto_report(struct sk_buff *in_skb, struct nlmsghdr *in_nlh, struct crypto_dump_info info; int err; @@ -31303,47 +31247,6 @@ index 35d700a..dfd511f 100644 if (strlen(p->cru_driver_name)) exact = 1; -diff --git a/crypto/pcompress.c b/crypto/pcompress.c -index 04e083f..7140fe7 100644 ---- a/crypto/pcompress.c -+++ b/crypto/pcompress.c -@@ -53,8 +53,7 @@ static int crypto_pcomp_report(struct sk_buff *skb, struct crypto_alg *alg) - { - struct crypto_report_comp rpcomp; - -- snprintf(rpcomp.type, CRYPTO_MAX_ALG_NAME, "%s", "pcomp"); -- -+ strncpy(rpcomp.type, "pcomp", sizeof(rpcomp.type)); - if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS, - sizeof(struct crypto_report_comp), &rpcomp)) - goto nla_put_failure; -diff --git a/crypto/rng.c b/crypto/rng.c -index f3b7894..e0a25c2 100644 ---- a/crypto/rng.c -+++ b/crypto/rng.c -@@ -65,7 +65,7 @@ static int crypto_rng_report(struct sk_buff *skb, struct crypto_alg *alg) - { - struct crypto_report_rng rrng; - -- snprintf(rrng.type, CRYPTO_MAX_ALG_NAME, "%s", "rng"); -+ strncpy(rrng.type, "rng", sizeof(rrng.type)); - - rrng.seedsize = alg->cra_rng.seedsize; - -diff --git a/crypto/shash.c b/crypto/shash.c -index f426330f..929058a 100644 ---- a/crypto/shash.c -+++ b/crypto/shash.c -@@ -530,7 +530,8 @@ static int crypto_shash_report(struct sk_buff *skb, struct crypto_alg *alg) - struct crypto_report_hash rhash; - struct shash_alg *salg = __crypto_shash_alg(alg); - -- snprintf(rhash.type, CRYPTO_MAX_ALG_NAME, "%s", "shash"); -+ strncpy(rhash.type, "shash", sizeof(rhash.type)); -+ - rhash.blocksize = alg->cra_blocksize; - rhash.digestsize = salg->digestsize; - diff --git a/drivers/acpi/apei/apei-internal.h b/drivers/acpi/apei/apei-internal.h index f220d64..d359ad6 100644 --- a/drivers/acpi/apei/apei-internal.h @@ -33545,7 +33448,7 @@ index b66eaa0..2619d1b 100644 if (cmd != SIOCWANDEV) 
diff --git a/drivers/char/random.c b/drivers/char/random.c -index 85e81ec..a129a39 100644 +index 57d4b15..253207b 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -272,8 +272,13 @@ @@ -33591,7 +33494,7 @@ index 85e81ec..a129a39 100644 smp_wmb(); if (out) -@@ -1020,7 +1032,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, +@@ -1024,7 +1036,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, extract_buf(r, tmp); i = min_t(int, nbytes, EXTRACT_SIZE); @@ -33600,7 +33503,7 @@ index 85e81ec..a129a39 100644 ret = -EFAULT; break; } -@@ -1356,7 +1368,7 @@ EXPORT_SYMBOL(generate_random_uuid); +@@ -1360,7 +1372,7 @@ EXPORT_SYMBOL(generate_random_uuid); #include static int min_read_thresh = 8, min_write_thresh; @@ -33609,7 +33512,7 @@ index 85e81ec..a129a39 100644 static int max_write_thresh = INPUT_POOL_WORDS * 32; static char sysctl_bootid[16]; -@@ -1372,7 +1384,7 @@ static char sysctl_bootid[16]; +@@ -1376,7 +1388,7 @@ static char sysctl_bootid[16]; static int proc_do_uuid(ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -33758,32 +33661,6 @@ index 8ae1a61..9c00613 100644 .notifier_call = arch_timer_cpu_notify, }; -diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c -index fce2000..1110478 100644 ---- a/drivers/connector/cn_proc.c -+++ b/drivers/connector/cn_proc.c -@@ -313,6 +313,12 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg, - (task_active_pid_ns(current) != &init_pid_ns)) - return; - -+ /* Can only change if privileged. */ -+ if (!capable(CAP_NET_ADMIN)) { -+ err = EPERM; -+ goto out; -+ } -+ - mc_op = (enum proc_cn_mcast_op *)msg->data; - switch (*mc_op) { - case PROC_CN_MCAST_LISTEN: -@@ -325,6 +331,8 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg, - err = EINVAL; - break; - } -+ -+out: - cn_proc_ack(err, msg->seq, msg->ack); - } - 
diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c index 7b0d49d..134fac9 100644 --- a/drivers/cpufreq/acpi-cpufreq.c @@ -34262,10 +34139,10 @@ index 94a58a0..f5eba42 100644 container_of(_dev_attr, struct dmi_device_attribute, dev_attr) diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c -index 982f1f5..d21e5da 100644 +index 4cd392d..4b629e1 100644 --- a/drivers/firmware/dmi_scan.c +++ b/drivers/firmware/dmi_scan.c -@@ -491,11 +491,6 @@ void __init dmi_scan_machine(void) +@@ -490,11 +490,6 @@ void __init dmi_scan_machine(void) } } else { @@ -34277,7 +34154,7 @@ index 982f1f5..d21e5da 100644 p = dmi_ioremap(0xF0000, 0x10000); if (p == NULL) goto error; -@@ -770,7 +765,7 @@ int dmi_walk(void (*decode)(const struct dmi_header *, void *), +@@ -769,7 +764,7 @@ int dmi_walk(void (*decode)(const struct dmi_header *, void *), if (buf == NULL) return -1; @@ -34287,7 +34164,7 @@ index 982f1f5..d21e5da 100644 iounmap(buf); return 0; diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c -index bcb201c..4fd34dd 100644 +index 2a2e145..73745e79 100644 --- a/drivers/firmware/efivars.c +++ b/drivers/firmware/efivars.c @@ -133,7 +133,7 @@ struct efivar_attribute { @@ -34299,7 +34176,7 @@ index bcb201c..4fd34dd 100644 #define PSTORE_EFI_ATTRIBUTES \ (EFI_VARIABLE_NON_VOLATILE | \ -@@ -1734,7 +1734,7 @@ efivar_create_sysfs_entry(struct efivars *efivars, +@@ -1798,7 +1798,7 @@ efivar_create_sysfs_entry(struct efivars *efivars, static int create_efivars_bin_attributes(struct efivars *efivars) { @@ -34726,7 +34603,7 @@ index 8a7c48b..72effc2 100644 if (IS_GEN6(dev) || IS_GEN7(dev)) { seq_printf(m, diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c -index 99daa89..84ebd44 100644 +index 5206f24..7af0a0a 100644 --- a/drivers/gpu/drm/i915/i915_dma.c +++ b/drivers/gpu/drm/i915/i915_dma.c @@ -1253,7 +1253,7 @@ static bool i915_switcheroo_can_switch(struct pci_dev *pdev) 
@@ -34739,7 +34616,7 @@ index 99daa89..84ebd44 100644 return can_switch; } diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h -index 7339a4b..445aaba 100644 +index 66ad64f..a865871 100644 --- a/drivers/gpu/drm/i915/i915_drv.h +++ b/drivers/gpu/drm/i915/i915_drv.h @@ -656,7 +656,7 @@ typedef struct drm_i915_private { @@ -34751,7 +34628,7 @@ index 7339a4b..445aaba 100644 /* protects the irq masks */ spinlock_t irq_lock; -@@ -1102,7 +1102,7 @@ struct drm_i915_gem_object { +@@ -1103,7 +1103,7 @@ struct drm_i915_gem_object { * will be page flipped away on the next vblank. When it * reaches 0, dev_priv->pending_flip_queue will be woken up. */ @@ -34760,7 +34637,7 @@ index 7339a4b..445aaba 100644 }; #define to_gem_object(obj) (&((struct drm_i915_gem_object *)(obj))->base) -@@ -1633,7 +1633,7 @@ extern struct i2c_adapter *intel_gmbus_get_adapter( +@@ -1634,7 +1634,7 @@ extern struct i2c_adapter *intel_gmbus_get_adapter( struct drm_i915_private *dev_priv, unsigned port); extern void intel_gmbus_set_speed(struct i2c_adapter *adapter, int speed); extern void intel_gmbus_force_bit(struct i2c_adapter *adapter, bool force_bit); @@ -34830,10 +34707,10 @@ index 3c59584..500f2e9 100644 return ret; diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c -index fe84338..a863190 100644 +index 3c00403..5a5c6c9 100644 --- a/drivers/gpu/drm/i915/i915_irq.c +++ b/drivers/gpu/drm/i915/i915_irq.c -@@ -535,7 +535,7 @@ static irqreturn_t valleyview_irq_handler(int irq, void *arg) +@@ -539,7 +539,7 @@ static irqreturn_t valleyview_irq_handler(int irq, void *arg) u32 pipe_stats[I915_MAX_PIPES]; bool blc_event; @@ -34842,7 +34719,7 @@ index fe84338..a863190 100644 while (true) { iir = I915_READ(VLV_IIR); -@@ -688,7 +688,7 @@ static irqreturn_t ivybridge_irq_handler(int irq, void *arg) +@@ -692,7 +692,7 @@ static irqreturn_t ivybridge_irq_handler(int irq, void *arg) irqreturn_t ret = IRQ_NONE; int i; 
@@ -34851,7 +34728,7 @@ index fe84338..a863190 100644 /* disable master interrupt before clearing iir */ de_ier = I915_READ(DEIER); -@@ -760,7 +760,7 @@ static irqreturn_t ironlake_irq_handler(int irq, void *arg) +@@ -764,7 +764,7 @@ static irqreturn_t ironlake_irq_handler(int irq, void *arg) int ret = IRQ_NONE; u32 de_iir, gt_iir, de_ier, pch_iir, pm_iir; @@ -34860,7 +34737,7 @@ index fe84338..a863190 100644 /* disable master interrupt before clearing iir */ de_ier = I915_READ(DEIER); -@@ -1787,7 +1787,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev) +@@ -1791,7 +1791,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev) { drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; @@ -34869,7 +34746,7 @@ index fe84338..a863190 100644 I915_WRITE(HWSTAM, 0xeffe); -@@ -1813,7 +1813,7 @@ static void valleyview_irq_preinstall(struct drm_device *dev) +@@ -1817,7 +1817,7 @@ static void valleyview_irq_preinstall(struct drm_device *dev) drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; int pipe; @@ -34878,7 +34755,7 @@ index fe84338..a863190 100644 /* VLV magic */ I915_WRITE(VLV_IMR, 0); -@@ -2108,7 +2108,7 @@ static void i8xx_irq_preinstall(struct drm_device * dev) +@@ -2112,7 +2112,7 @@ static void i8xx_irq_preinstall(struct drm_device * dev) drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; int pipe; @@ -34887,7 +34764,7 @@ index fe84338..a863190 100644 for_each_pipe(pipe) I915_WRITE(PIPESTAT(pipe), 0); -@@ -2159,7 +2159,7 @@ static irqreturn_t i8xx_irq_handler(int irq, void *arg) +@@ -2163,7 +2163,7 @@ static irqreturn_t i8xx_irq_handler(int irq, void *arg) I915_DISPLAY_PLANE_A_FLIP_PENDING_INTERRUPT | I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT; 
@@ -34896,7 +34773,7 @@ index fe84338..a863190 100644 iir = I915_READ16(IIR); if (iir == 0) -@@ -2244,7 +2244,7 @@ static void i915_irq_preinstall(struct drm_device * dev) +@@ -2248,7 +2248,7 @@ static void i915_irq_preinstall(struct drm_device * dev) drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; int pipe; @@ -34905,7 +34782,7 @@ index fe84338..a863190 100644 if (I915_HAS_HOTPLUG(dev)) { I915_WRITE(PORT_HOTPLUG_EN, 0); -@@ -2339,7 +2339,7 @@ static irqreturn_t i915_irq_handler(int irq, void *arg) +@@ -2343,7 +2343,7 @@ static irqreturn_t i915_irq_handler(int irq, void *arg) }; int pipe, ret = IRQ_NONE; @@ -34914,7 +34791,7 @@ index fe84338..a863190 100644 iir = I915_READ(IIR); do { -@@ -2465,7 +2465,7 @@ static void i965_irq_preinstall(struct drm_device * dev) +@@ -2469,7 +2469,7 @@ static void i965_irq_preinstall(struct drm_device * dev) drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; int pipe; @@ -34923,7 +34800,7 @@ index fe84338..a863190 100644 I915_WRITE(PORT_HOTPLUG_EN, 0); I915_WRITE(PORT_HOTPLUG_STAT, I915_READ(PORT_HOTPLUG_STAT)); -@@ -2572,7 +2572,7 @@ static irqreturn_t i965_irq_handler(int irq, void *arg) +@@ -2576,7 +2576,7 @@ static irqreturn_t i965_irq_handler(int irq, void *arg) int irq_received; int ret = IRQ_NONE, pipe; @@ -35931,7 +35808,7 @@ index 7d19b1b..8fdaaac 100644 BUG_ON(data->num_attributes >= data->max_attributes); \ sysfs_attr_init(&a->dev_attr.attr); \ diff --git a/drivers/hwmon/sht15.c b/drivers/hwmon/sht15.c -index 1c85d39..55ed3cf 100644 +index 8047fed..1e956f0 100644 --- a/drivers/hwmon/sht15.c +++ b/drivers/hwmon/sht15.c @@ -169,7 +169,7 @@ struct sht15_data { @@ -37247,10 +37124,10 @@ index 7155945..4bcc562 100644 seq_printf(seq, "\n"); diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c -index 0666b5d..ed82cb4 100644 +index eee353d..74504c4 100644 --- a/drivers/md/dm-ioctl.c 
+++ b/drivers/md/dm-ioctl.c -@@ -1628,7 +1628,7 @@ static int validate_params(uint cmd, struct dm_ioctl *param) +@@ -1632,7 +1632,7 @@ static int validate_params(uint cmd, struct dm_ioctl *param) cmd == DM_LIST_VERSIONS_CMD) return 0; @@ -37260,7 +37137,7 @@ index 0666b5d..ed82cb4 100644 DMWARN("name not supplied when creating device"); return -EINVAL; diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c -index fa51918..c26253c 100644 +index 7f24190..0e18099 100644 --- a/drivers/md/dm-raid1.c +++ b/drivers/md/dm-raid1.c @@ -40,7 +40,7 @@ enum dm_raid1_error { @@ -37336,7 +37213,7 @@ index fa51918..c26253c 100644 return (test_bit(DM_RAID1_FLUSH_ERROR, &(m->error_type))) ? 'F' : diff --git a/drivers/md/dm-stripe.c b/drivers/md/dm-stripe.c -index c89cde8..9d184cf 100644 +index aaecefa..23b3026 100644 --- a/drivers/md/dm-stripe.c +++ b/drivers/md/dm-stripe.c @@ -20,7 +20,7 @@ struct stripe { @@ -37357,7 +37234,7 @@ index c89cde8..9d184cf 100644 } ti->private = sc; -@@ -325,7 +325,7 @@ static int stripe_status(struct dm_target *ti, status_type_t type, +@@ -325,7 +325,7 @@ static void stripe_status(struct dm_target *ti, status_type_t type, DMEMIT("%d ", sc->stripes); for (i = 0; i < sc->stripes; i++) { DMEMIT("%s ", sc->stripe[i].dev->name); @@ -37366,7 +37243,7 @@ index c89cde8..9d184cf 100644 'D' : 'A'; } buffer[i] = '\0'; -@@ -371,8 +371,8 @@ static int stripe_end_io(struct dm_target *ti, struct bio *bio, int error) +@@ -370,8 +370,8 @@ static int stripe_end_io(struct dm_target *ti, struct bio *bio, int error) */ for (i = 0; i < sc->stripes; i++) if (!strcmp(sc->stripe[i].dev->name, major_minor)) { @@ -37413,7 +37290,7 @@ index 4d6e853..a234157 100644 pmd->bl_info.value_type.inc = data_block_inc; pmd->bl_info.value_type.dec = data_block_dec; diff --git a/drivers/md/dm.c b/drivers/md/dm.c -index 314a0e2..1376406 100644 +index 0d8f086..f5a91d5 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -170,9 +170,9 @@ struct mapped_device { 
@@ -37439,7 +37316,7 @@ index 314a0e2..1376406 100644 INIT_LIST_HEAD(&md->uevent_list); spin_lock_init(&md->uevent_lock); -@@ -2014,7 +2014,7 @@ static void event_callback(void *context) +@@ -2026,7 +2026,7 @@ static void event_callback(void *context) dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj); @@ -37448,7 +37325,7 @@ index 314a0e2..1376406 100644 wake_up(&md->eventq); } -@@ -2669,18 +2669,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, +@@ -2683,18 +2683,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, uint32_t dm_next_uevent_seq(struct mapped_device *md) { @@ -37471,7 +37348,7 @@ index 314a0e2..1376406 100644 void dm_uevent_add(struct mapped_device *md, struct list_head *elist) diff --git a/drivers/md/md.c b/drivers/md/md.c -index 3db3d1b..9487468 100644 +index f363135..9b38815 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -240,10 +240,10 @@ EXPORT_SYMBOL_GPL(md_trim_bio); @@ -37496,7 +37373,7 @@ index 3db3d1b..9487468 100644 wake_up(&md_event_waiters); } -@@ -1503,7 +1503,7 @@ static int super_1_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor_ +@@ -1507,7 +1507,7 @@ static int super_1_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor_ if ((le32_to_cpu(sb->feature_map) & MD_FEATURE_RESHAPE_ACTIVE) && (le32_to_cpu(sb->feature_map) & MD_FEATURE_NEW_OFFSET)) rdev->new_data_offset += (s32)le32_to_cpu(sb->new_offset); @@ -37505,7 +37382,7 @@ index 3db3d1b..9487468 100644 rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256; bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1; -@@ -1747,7 +1747,7 @@ static void super_1_sync(struct mddev *mddev, struct md_rdev *rdev) +@@ -1751,7 +1751,7 @@ static void super_1_sync(struct mddev *mddev, struct md_rdev *rdev) else sb->resync_offset = cpu_to_le64(0); 
@@ -37514,7 +37391,7 @@ index 3db3d1b..9487468 100644 sb->raid_disks = cpu_to_le32(mddev->raid_disks); sb->size = cpu_to_le64(mddev->dev_sectors); -@@ -2747,7 +2747,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_show, state_store); +@@ -2751,7 +2751,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_show, state_store); static ssize_t errors_show(struct md_rdev *rdev, char *page) { @@ -37523,7 +37400,7 @@ index 3db3d1b..9487468 100644 } static ssize_t -@@ -2756,7 +2756,7 @@ errors_store(struct md_rdev *rdev, const char *buf, size_t len) +@@ -2760,7 +2760,7 @@ errors_store(struct md_rdev *rdev, const char *buf, size_t len) char *e; unsigned long n = simple_strtoul(buf, &e, 10); if (*buf && (*e == 0 || *e == '\n')) { @@ -37532,7 +37409,7 @@ index 3db3d1b..9487468 100644 return len; } return -EINVAL; -@@ -3203,8 +3203,8 @@ int md_rdev_init(struct md_rdev *rdev) +@@ -3210,8 +3210,8 @@ int md_rdev_init(struct md_rdev *rdev) rdev->sb_loaded = 0; rdev->bb_page = NULL; atomic_set(&rdev->nr_pending, 0); @@ -37543,7 +37420,7 @@ index 3db3d1b..9487468 100644 INIT_LIST_HEAD(&rdev->same_set); init_waitqueue_head(&rdev->blocked_wait); -@@ -6980,7 +6980,7 @@ static int md_seq_show(struct seq_file *seq, void *v) +@@ -6987,7 +6987,7 @@ static int md_seq_show(struct seq_file *seq, void *v) spin_unlock(&pers_lock); seq_printf(seq, "\n"); @@ -37552,7 +37429,7 @@ index 3db3d1b..9487468 100644 return 0; } if (v == (void*)2) { -@@ -7083,7 +7083,7 @@ static int md_seq_open(struct inode *inode, struct file *file) +@@ -7090,7 +7090,7 @@ static int md_seq_open(struct inode *inode, struct file *file) return error; seq = file->private_data; @@ -37561,7 +37438,7 @@ index 3db3d1b..9487468 100644 return error; } -@@ -7097,7 +7097,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait) +@@ -7104,7 +7104,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait) /* always allow read */ mask = POLLIN | POLLRDNORM; 
@@ -37570,7 +37447,7 @@ index 3db3d1b..9487468 100644 mask |= POLLERR | POLLPRI; return mask; } -@@ -7141,7 +7141,7 @@ static int is_mddev_idle(struct mddev *mddev, int init) +@@ -7148,7 +7148,7 @@ static int is_mddev_idle(struct mddev *mddev, int init) struct gendisk *disk = rdev->bdev->bd_contains->bd_disk; curr_events = (int)part_stat_read(&disk->part0, sectors[0]) + (int)part_stat_read(&disk->part0, sectors[1]) - @@ -37621,10 +37498,10 @@ index 1cbfc6b..56e1dbb 100644 /*----------------------------------------------------------------*/ diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c -index d5bddfc..b079b4b 100644 +index 75b1f89..00ba344 100644 --- a/drivers/md/raid1.c +++ b/drivers/md/raid1.c -@@ -1818,7 +1818,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio) +@@ -1819,7 +1819,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio) if (r1_sync_page_io(rdev, sect, s, bio->bi_io_vec[idx].bv_page, READ) != 0) @@ -37633,7 +37510,7 @@ index d5bddfc..b079b4b 100644 } sectors -= s; sect += s; -@@ -2040,7 +2040,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk, +@@ -2041,7 +2041,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk, test_bit(In_sync, &rdev->flags)) { if (r1_sync_page_io(rdev, sect, s, conf->tmppage, READ)) { @@ -37643,10 +37520,10 @@ index d5bddfc..b079b4b 100644 "md/raid1:%s: read error corrected " "(%d sectors at %llu on %s)\n", diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c -index 64d4824..8b9ea57 100644 +index 8d925dc..11d674f 100644 --- a/drivers/md/raid10.c +++ b/drivers/md/raid10.c -@@ -1877,7 +1877,7 @@ static void end_sync_read(struct bio *bio, int error) +@@ -1878,7 +1878,7 @@ static void end_sync_read(struct bio *bio, int error) /* The write handler will notice the lack of * R10BIO_Uptodate and record any errors etc */ 
@@ -37655,7 +37532,7 @@ index 64d4824..8b9ea57 100644 &conf->mirrors[d].rdev->corrected_errors); /* for reconstruct, we always reschedule after a read. -@@ -2226,7 +2226,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev) +@@ -2227,7 +2227,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev) { struct timespec cur_time_mon; unsigned long hours_since_last; @@ -37664,7 +37541,7 @@ index 64d4824..8b9ea57 100644 ktime_get_ts(&cur_time_mon); -@@ -2248,9 +2248,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev) +@@ -2249,9 +2249,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev) * overflowing the shift of read_errors by hours_since_last. */ if (hours_since_last >= 8 * sizeof(read_errors)) @@ -37676,7 +37553,7 @@ index 64d4824..8b9ea57 100644 } static int r10_sync_page_io(struct md_rdev *rdev, sector_t sector, -@@ -2304,8 +2304,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 +@@ -2305,8 +2305,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 return; check_decay_read_errors(mddev, rdev); @@ -37687,7 +37564,7 @@ index 64d4824..8b9ea57 100644 char b[BDEVNAME_SIZE]; bdevname(rdev->bdev, b); -@@ -2313,7 +2313,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 +@@ -2314,7 +2314,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 "md/raid10:%s: %s: Raid device exceeded " "read_error threshold [cur %d:max %d]\n", mdname(mddev), b, 
@@ -37696,7 +37573,7 @@ index 64d4824..8b9ea57 100644 printk(KERN_NOTICE "md/raid10:%s: %s: Failing raid device\n", mdname(mddev), b); -@@ -2468,7 +2468,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 +@@ -2469,7 +2469,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10 sect + choose_data_offset(r10_bio, rdev)), bdevname(rdev->bdev, b)); @@ -40321,7 +40198,7 @@ index 2111dbb..79e434b 100644 /* disable hardware control by fn key */ result = ec_read(MSI_STANDARD_EC_SCM_LOAD_ADDRESS, &data); diff --git a/drivers/platform/x86/sony-laptop.c b/drivers/platform/x86/sony-laptop.c -index b8ad71f..3ec9bb4 100644 +index 0fe987f..6f3d5c3 100644 --- a/drivers/platform/x86/sony-laptop.c +++ b/drivers/platform/x86/sony-laptop.c @@ -2356,7 +2356,7 @@ static void sony_nc_lid_resume_cleanup(struct platform_device *pd) 
@@ -43559,6 +43436,75 @@ index 35f10bf..6a38a0b 100644 if (!left--) { if (instance->disconnected) +diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c +index 5f0cb41..122d056 100644 +--- a/drivers/usb/class/cdc-wdm.c ++++ b/drivers/usb/class/cdc-wdm.c +@@ -56,6 +56,7 @@ MODULE_DEVICE_TABLE (usb, wdm_ids); + #define WDM_RESPONDING 7 + #define WDM_SUSPENDING 8 + #define WDM_RESETTING 9 ++#define WDM_OVERFLOW 10 + + #define WDM_MAX 16 + +@@ -155,6 +156,7 @@ static void wdm_in_callback(struct urb *urb) + { + struct wdm_device *desc = urb->context; + int status = urb->status; ++ int length = urb->actual_length; + + spin_lock(&desc->iuspin); + clear_bit(WDM_RESPONDING, &desc->flags); +@@ -185,9 +187,17 @@ static void wdm_in_callback(struct urb *urb) + } + + desc->rerr = status; +- desc->reslength = urb->actual_length; +- memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength); +- desc->length += desc->reslength; ++ if (length + desc->length > desc->wMaxCommand) { ++ /* The buffer would overflow */ ++ set_bit(WDM_OVERFLOW, &desc->flags); ++ } else { ++ /* we may already be in overflow */ ++ if (!test_bit(WDM_OVERFLOW, &desc->flags)) { ++ memmove(desc->ubuf + desc->length, desc->inbuf, length); ++ desc->length += length; ++ desc->reslength = length; ++ } ++ } + skip_error: + wake_up(&desc->wait); + +@@ -435,6 +445,11 @@ retry: + rv = -ENODEV; + goto err; + } ++ if (test_bit(WDM_OVERFLOW, &desc->flags)) { ++ clear_bit(WDM_OVERFLOW, &desc->flags); ++ rv = -ENOBUFS; ++ goto err; ++ } + i++; + if (file->f_flags & O_NONBLOCK) { + if (!test_bit(WDM_READ, &desc->flags)) { +@@ -478,6 +493,7 @@ retry: + spin_unlock_irq(&desc->iuspin); + goto retry; + } ++ + if (!desc->reslength) { /* zero length read */ + dev_dbg(&desc->intf->dev, "%s: zero length - clearing WDM_READ\n", __func__); + clear_bit(WDM_READ, &desc->flags); +@@ -1004,6 +1020,7 @@ static int wdm_post_reset(struct usb_interface *intf) + struct wdm_device *desc = wdm_find_device(intf); + int rv; 
+ ++ clear_bit(WDM_OVERFLOW, &desc->flags); + clear_bit(WDM_RESETTING, &desc->flags); + rv = recover_from_urb_loss(desc); + mutex_unlock(&desc->wlock); diff --git a/drivers/usb/core/devices.c b/drivers/usb/core/devices.c index cbacea9..246cccd 100644 --- a/drivers/usb/core/devices.c @@ -48388,10 +48334,10 @@ index eea5da7..88fead70 100644 WARN_ON(trans->transid != btrfs_header_generation(parent)); diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c -index cc93b23..f3c42bf 100644 +index 659ea81..0f63c1a 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c -@@ -7296,7 +7296,7 @@ fail: +@@ -7300,7 +7300,7 @@ fail: return -ENOMEM; } @@ -48400,7 +48346,7 @@ index cc93b23..f3c42bf 100644 struct dentry *dentry, struct kstat *stat) { struct inode *inode = dentry->d_inode; -@@ -7310,6 +7310,14 @@ static int btrfs_getattr(struct vfsmount *mnt, +@@ -7314,6 +7314,14 @@ static int btrfs_getattr(struct vfsmount *mnt, return 0; } @@ -48681,10 +48627,10 @@ index d9ea6ed..1e6c8ac 100644 server->ops->print_stats(m, tcon); } diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c -index de7f916..6cb22a9 100644 +index e328339..322228b 100644 --- a/fs/cifs/cifsfs.c +++ b/fs/cifs/cifsfs.c -@@ -997,7 +997,7 @@ cifs_init_request_bufs(void) +@@ -1002,7 +1002,7 @@ cifs_init_request_bufs(void) /* cERROR(1, "CIFSMaxBufSize %d 0x%x",CIFSMaxBufSize,CIFSMaxBufSize); */ cifs_req_cachep = kmem_cache_create("cifs_request", CIFSMaxBufSize + max_hdr_size, 0, @@ -48693,7 +48639,7 @@ index de7f916..6cb22a9 100644 if (cifs_req_cachep == NULL) return -ENOMEM; -@@ -1024,7 +1024,7 @@ cifs_init_request_bufs(void) +@@ -1029,7 +1029,7 @@ cifs_init_request_bufs(void) efficient to alloc 1 per page off the slab compared to 17K (5page) alloc of large cifs buffers even when page debugging is on */ cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq", 
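Review bot: In the drivers/usb/class/cdc-wdm.c section, the comment `/* we may already be in overflow */` in wdm_in_callback() does not say that every response arriving while WDM_OVERFLOW is set is discarded, so a reader loses that data with only a single -ENOBUFS to show for it. I would spell that out, e.g. `/* WDM_OVERFLOW already set: drop this response until the reader has seen -ENOBUFS or a reset clears the flag */`, and flatten the nested block to `} else if (!test_bit(WDM_OVERFLOW, &desc->flags)) {`. In the `retry:` hunk the test_bit()/clear_bit() pair can be one atomic call, `if (test_and_clear_bit(WDM_OVERFLOW, &desc->flags)) {`. The read loop and wdm_post_reset() both begin outside their hunks, so whether desc can be NULL at the added clear_bit() cannot be judged from the visible lines.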
@@ -48702,7 +48648,7 @@ index de7f916..6cb22a9 100644 NULL); if (cifs_sm_req_cachep == NULL) { mempool_destroy(cifs_req_poolp); -@@ -1109,8 +1109,8 @@ init_cifs(void) +@@ -1114,8 +1114,8 @@ init_cifs(void) atomic_set(&bufAllocCount, 0); atomic_set(&smBufAllocCount, 0); #ifdef CONFIG_CIFS_STATS2 @@ -48942,7 +48888,7 @@ index 47bc5a8..10decbe 100644 } diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c -index c9c7aa7..065056a 100644 +index bceffe7..cd1ae59 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -274,8 +274,8 @@ smb2_clear_stats(struct cifs_tcon *tcon) @@ -49126,7 +49072,7 @@ index 958ae0e..505c9d0 100644 return hit; diff --git a/fs/compat.c b/fs/compat.c -index 015e1e1..b8966ac 100644 +index a06dcbc..dacb6d3 100644 --- a/fs/compat.c +++ b/fs/compat.c @@ -54,7 +54,7 @@ @@ -49156,7 +49102,7 @@ index 015e1e1..b8966ac 100644 goto out; if (nr_segs > fast_segs) { ret = -ENOMEM; -@@ -831,6 +831,7 @@ struct compat_old_linux_dirent { +@@ -835,6 +835,7 @@ struct compat_old_linux_dirent { struct compat_readdir_callback { struct compat_old_linux_dirent __user *dirent; @@ -49164,7 +49110,7 @@ index 015e1e1..b8966ac 100644 int result; }; -@@ -848,6 +849,10 @@ static int compat_fillonedir(void *__buf, const char *name, int namlen, +@@ -852,6 +853,10 @@ static int compat_fillonedir(void *__buf, const char *name, int namlen, buf->result = -EOVERFLOW; return -EOVERFLOW; } @@ -49175,7 +49121,7 @@ index 015e1e1..b8966ac 100644 buf->result++; dirent = buf->dirent; if (!access_ok(VERIFY_WRITE, dirent, -@@ -878,6 +883,7 @@ asmlinkage long compat_sys_old_readdir(unsigned int fd, +@@ -882,6 +887,7 @@ asmlinkage long compat_sys_old_readdir(unsigned int fd, buf.result = 0; buf.dirent = dirent; 
@@ -49183,7 +49129,7 @@ index 015e1e1..b8966ac 100644 error = vfs_readdir(f.file, compat_fillonedir, &buf); if (buf.result) -@@ -897,6 +903,7 @@ struct compat_linux_dirent { +@@ -901,6 +907,7 @@ struct compat_linux_dirent { struct compat_getdents_callback { struct compat_linux_dirent __user *current_dir; struct compat_linux_dirent __user *previous; @@ -49191,7 +49137,7 @@ index 015e1e1..b8966ac 100644 int count; int error; }; -@@ -918,6 +925,10 @@ static int compat_filldir(void *__buf, const char *name, int namlen, +@@ -922,6 +929,10 @@ static int compat_filldir(void *__buf, const char *name, int namlen, buf->error = -EOVERFLOW; return -EOVERFLOW; } @@ -49202,7 +49148,7 @@ index 015e1e1..b8966ac 100644 dirent = buf->previous; if (dirent) { if (__put_user(offset, &dirent->d_off)) -@@ -963,6 +974,7 @@ asmlinkage long compat_sys_getdents(unsigned int fd, +@@ -967,6 +978,7 @@ asmlinkage long compat_sys_getdents(unsigned int fd, buf.previous = NULL; buf.count = count; buf.error = 0; @@ -49210,7 +49156,7 @@ index 015e1e1..b8966ac 100644 error = vfs_readdir(f.file, compat_filldir, &buf); if (error >= 0) -@@ -983,6 +995,7 @@ asmlinkage long compat_sys_getdents(unsigned int fd, +@@ -987,6 +999,7 @@ asmlinkage long compat_sys_getdents(unsigned int fd, struct compat_getdents_callback64 { struct linux_dirent64 __user *current_dir; struct linux_dirent64 __user *previous; @@ -49218,7 +49164,7 @@ index 015e1e1..b8966ac 100644 int count; int error; }; -@@ -999,6 +1012,10 @@ static int compat_filldir64(void * __buf, const char * name, int namlen, loff_t +@@ -1003,6 +1016,10 @@ static int compat_filldir64(void * __buf, const char * name, int namlen, loff_t buf->error = -EINVAL; /* only used if we fail.. */ if (reclen > buf->count) return -EINVAL; 
@@ -49229,7 +49175,7 @@ index 015e1e1..b8966ac 100644 dirent = buf->previous; if (dirent) { -@@ -1048,13 +1065,14 @@ asmlinkage long compat_sys_getdents64(unsigned int fd, +@@ -1052,13 +1069,14 @@ asmlinkage long compat_sys_getdents64(unsigned int fd, buf.previous = NULL; buf.count = count; buf.error = 0; @@ -50321,7 +50267,7 @@ index 22548f5..41521d8 100644 } return 1; diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c -index 2f2e0da..89b113a 100644 +index 92e68b3..115d987 100644 --- a/fs/ext4/balloc.c +++ b/fs/ext4/balloc.c @@ -505,8 +505,8 @@ static int ext4_has_free_clusters(struct ext4_sb_info *sbi, @@ -50370,7 +50316,7 @@ index 8462eb3..4a71af6 100644 /* locality groups */ diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c -index 061727a..7622abf 100644 +index 28bbf9b..75ca7c1 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -1747,7 +1747,7 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac, @@ -50487,7 +50433,7 @@ index 061727a..7622abf 100644 return 0; diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index 0465f36..99a003a 100644 +index 5fa223d..12fa738 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -2429,7 +2429,7 @@ struct ext4_attr { @@ -52391,7 +52337,7 @@ index a94e331..060bce3 100644 lock_flocks(); diff --git a/fs/namei.c b/fs/namei.c -index 43a97ee..4e585fd 100644 +index ec97aef..eedf4fe 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -319,16 +319,32 @@ int generic_permission(struct inode *inode, int mask) @@ -52445,7 +52391,7 @@ index 43a97ee..4e585fd 100644 return -EACCES; } -@@ -826,7 +834,7 @@ follow_link(struct path *link, struct nameidata *nd, void **p) +@@ -824,7 +832,7 @@ follow_link(struct path *link, struct nameidata *nd, void **p) { struct dentry *dentry = link->dentry; int error; 
@@ -52454,7 +52400,7 @@ index 43a97ee..4e585fd 100644 BUG_ON(nd->flags & LOOKUP_RCU); -@@ -847,6 +855,12 @@ follow_link(struct path *link, struct nameidata *nd, void **p) +@@ -845,6 +853,12 @@ follow_link(struct path *link, struct nameidata *nd, void **p) if (error) goto out_put_nd_path; @@ -52467,7 +52413,7 @@ index 43a97ee..4e585fd 100644 nd->last_type = LAST_BIND; *p = dentry->d_inode->i_op->follow_link(dentry, nd); error = PTR_ERR(*p); -@@ -1596,6 +1610,8 @@ static inline int nested_symlink(struct path *path, struct nameidata *nd) +@@ -1594,6 +1608,8 @@ static inline int nested_symlink(struct path *path, struct nameidata *nd) break; res = walk_component(nd, path, &nd->last, nd->last_type, LOOKUP_FOLLOW); @@ -52476,7 +52422,7 @@ index 43a97ee..4e585fd 100644 put_link(nd, &link, cookie); } while (res > 0); -@@ -1694,7 +1710,7 @@ EXPORT_SYMBOL(full_name_hash); +@@ -1692,7 +1708,7 @@ EXPORT_SYMBOL(full_name_hash); static inline unsigned long hash_name(const char *name, unsigned int *hashp) { unsigned long a, b, adata, bdata, mask, hash, len; @@ -52485,7 +52431,7 @@ index 43a97ee..4e585fd 100644 hash = a = 0; len = -sizeof(unsigned long); -@@ -1979,6 +1995,8 @@ static int path_lookupat(int dfd, const char *name, +@@ -1977,6 +1993,8 @@ static int path_lookupat(int dfd, const char *name, if (err) break; err = lookup_last(nd, &path); @@ -52494,7 +52440,7 @@ index 43a97ee..4e585fd 100644 put_link(nd, &link, cookie); } } -@@ -1986,6 +2004,19 @@ static int path_lookupat(int dfd, const char *name, +@@ -1984,6 +2002,19 @@ static int path_lookupat(int dfd, const char *name, if (!err) err = complete_walk(nd); 
@@ -52514,7 +52460,7 @@ index 43a97ee..4e585fd 100644 if (!err && nd->flags & LOOKUP_DIRECTORY) { if (!nd->inode->i_op->lookup) { path_put(&nd->path); -@@ -2013,8 +2044,17 @@ static int filename_lookup(int dfd, struct filename *name, +@@ -2011,8 +2042,17 @@ static int filename_lookup(int dfd, struct filename *name, retval = path_lookupat(dfd, name->name, flags | LOOKUP_REVAL, nd); @@ -52533,7 +52479,7 @@ index 43a97ee..4e585fd 100644 return retval; } -@@ -2392,6 +2432,13 @@ static int may_open(struct path *path, int acc_mode, int flag) +@@ -2390,6 +2430,13 @@ static int may_open(struct path *path, int acc_mode, int flag) if (flag & O_NOATIME && !inode_owner_or_capable(inode)) return -EPERM; @@ -52547,7 +52493,7 @@ index 43a97ee..4e585fd 100644 return 0; } -@@ -2613,7 +2660,7 @@ looked_up: +@@ -2611,7 +2658,7 @@ looked_up: * cleared otherwise prior to returning. */ static int lookup_open(struct nameidata *nd, struct path *path, @@ -52556,7 +52502,7 @@ index 43a97ee..4e585fd 100644 const struct open_flags *op, bool got_write, int *opened) { -@@ -2648,6 +2695,17 @@ static int lookup_open(struct nameidata *nd, struct path *path, +@@ -2646,6 +2693,17 @@ static int lookup_open(struct nameidata *nd, struct path *path, /* Negative dentry, just create the file */ if (!dentry->d_inode && (op->open_flag & O_CREAT)) { umode_t mode = op->mode; @@ -52574,7 +52520,7 @@ index 43a97ee..4e585fd 100644 if (!IS_POSIXACL(dir->d_inode)) mode &= ~current_umask(); /* -@@ -2669,6 +2727,8 @@ static int lookup_open(struct nameidata *nd, struct path *path, +@@ -2667,6 +2725,8 @@ static int lookup_open(struct nameidata *nd, struct path *path, nd->flags & LOOKUP_EXCL); if (error) goto out_dput; @@ -52583,7 +52529,7 @@ index 43a97ee..4e585fd 100644 } out_no_open: path->dentry = dentry; -@@ -2683,7 +2743,7 @@ out_dput: +@@ -2681,7 +2741,7 @@ out_dput: /* * Handle the last step of open() */ 
@@ -52592,7 +52538,7 @@ index 43a97ee..4e585fd 100644 struct file *file, const struct open_flags *op, int *opened, struct filename *name) { -@@ -2712,16 +2772,44 @@ static int do_last(struct nameidata *nd, struct path *path, +@@ -2710,16 +2770,44 @@ static int do_last(struct nameidata *nd, struct path *path, error = complete_walk(nd); if (error) return error; @@ -52637,7 +52583,7 @@ index 43a97ee..4e585fd 100644 audit_inode(name, dir, 0); goto finish_open; } -@@ -2770,7 +2858,7 @@ retry_lookup: +@@ -2768,7 +2856,7 @@ retry_lookup: */ } mutex_lock(&dir->d_inode->i_mutex); @@ -52646,7 +52592,7 @@ index 43a97ee..4e585fd 100644 mutex_unlock(&dir->d_inode->i_mutex); if (error <= 0) { -@@ -2794,11 +2882,28 @@ retry_lookup: +@@ -2792,11 +2880,28 @@ retry_lookup: goto finish_open_created; } @@ -52676,7 +52622,7 @@ index 43a97ee..4e585fd 100644 /* * If atomic_open() acquired write access it is dropped now due to -@@ -2839,6 +2944,11 @@ finish_lookup: +@@ -2837,6 +2942,11 @@ finish_lookup: } } BUG_ON(inode != path->dentry->d_inode); @@ -52688,7 +52634,7 @@ index 43a97ee..4e585fd 100644 return 1; } -@@ -2848,7 +2958,6 @@ finish_lookup: +@@ -2846,7 +2956,6 @@ finish_lookup: save_parent.dentry = nd->path.dentry; save_parent.mnt = mntget(path->mnt); nd->path.dentry = path->dentry; @@ -52696,7 +52642,7 @@ index 43a97ee..4e585fd 100644 } nd->inode = inode; /* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */ -@@ -2857,6 +2966,22 @@ finish_lookup: +@@ -2855,6 +2964,22 @@ finish_lookup: path_put(&save_parent); return error; } @@ -52719,7 +52665,7 @@ index 43a97ee..4e585fd 100644 error = -EISDIR; if ((open_flag & O_CREAT) && S_ISDIR(nd->inode->i_mode)) goto out; -@@ -2955,7 +3080,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, +@@ -2953,7 +3078,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, if (unlikely(error)) goto out; 
@@ -52728,7 +52674,7 @@ index 43a97ee..4e585fd 100644 while (unlikely(error > 0)) { /* trailing symlink */ struct path link = path; void *cookie; -@@ -2973,7 +3098,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, +@@ -2971,7 +3096,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, error = follow_link(&link, nd, &cookie); if (unlikely(error)) break; @@ -52737,7 +52683,7 @@ index 43a97ee..4e585fd 100644 put_link(nd, &link, cookie); } out: -@@ -3073,8 +3198,12 @@ struct dentry *kern_path_create(int dfd, const char *pathname, +@@ -3071,8 +3196,12 @@ struct dentry *kern_path_create(int dfd, const char *pathname, goto unlock; error = -EEXIST; @@ -52751,7 +52697,7 @@ index 43a97ee..4e585fd 100644 /* * Special case - lookup gave negative, but... we had foo/bar/ * From the vfs_mknod() POV we just have a negative dentry - -@@ -3126,6 +3255,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, +@@ -3124,6 +3253,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, } EXPORT_SYMBOL(user_path_create); @@ -52772,7 +52718,7 @@ index 43a97ee..4e585fd 100644 int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) { int error = may_create(dir, dentry); -@@ -3188,6 +3331,17 @@ retry: +@@ -3186,6 +3329,17 @@ retry: if (!IS_POSIXACL(path.dentry->d_inode)) mode &= ~current_umask(); @@ -52790,7 +52736,7 @@ index 43a97ee..4e585fd 100644 error = security_path_mknod(&path, dentry, mode, dev); if (error) goto out; -@@ -3204,6 +3358,8 @@ retry: +@@ -3202,6 +3356,8 @@ retry: break; } out: @@ -52799,7 +52745,7 @@ index 43a97ee..4e585fd 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -3256,9 +3412,16 @@ retry: +@@ -3254,9 +3410,16 @@ retry: if (!IS_POSIXACL(path.dentry->d_inode)) mode &= ~current_umask(); 
@@ -52816,7 +52762,7 @@ index 43a97ee..4e585fd 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -3339,6 +3502,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -3337,6 +3500,8 @@ static long do_rmdir(int dfd, const char __user *pathname) struct filename *name; struct dentry *dentry; struct nameidata nd; @@ -52825,7 +52771,7 @@ index 43a97ee..4e585fd 100644 unsigned int lookup_flags = 0; retry: name = user_path_parent(dfd, pathname, &nd, lookup_flags); -@@ -3371,10 +3536,21 @@ retry: +@@ -3369,10 +3534,21 @@ retry: error = -ENOENT; goto exit3; } @@ -52847,7 +52793,7 @@ index 43a97ee..4e585fd 100644 exit3: dput(dentry); exit2: -@@ -3440,6 +3616,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -3438,6 +3614,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) struct dentry *dentry; struct nameidata nd; struct inode *inode = NULL; @@ -52856,7 +52802,7 @@ index 43a97ee..4e585fd 100644 unsigned int lookup_flags = 0; retry: name = user_path_parent(dfd, pathname, &nd, lookup_flags); -@@ -3466,10 +3644,22 @@ retry: +@@ -3464,10 +3642,22 @@ retry: if (!inode) goto slashes; ihold(inode); @@ -52879,7 +52825,7 @@ index 43a97ee..4e585fd 100644 exit2: dput(dentry); } -@@ -3547,9 +3737,17 @@ retry: +@@ -3545,9 +3735,17 @@ retry: if (IS_ERR(dentry)) goto out_putname; @@ -52897,7 +52843,7 @@ index 43a97ee..4e585fd 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -3623,6 +3821,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -3621,6 +3819,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, { struct dentry *new_dentry; struct path old_path, new_path; @@ -52905,7 +52851,7 @@ index 43a97ee..4e585fd 100644 int how = 0; int error; -@@ -3646,7 +3845,7 @@ retry: +@@ -3644,7 +3843,7 @@ retry: if (error) return error; 
@@ -52914,7 +52860,7 @@ index 43a97ee..4e585fd 100644 (how & LOOKUP_REVAL)); error = PTR_ERR(new_dentry); if (IS_ERR(new_dentry)) -@@ -3658,11 +3857,28 @@ retry: +@@ -3656,11 +3855,28 @@ retry: error = may_linkat(&old_path); if (unlikely(error)) goto out_dput; @@ -52943,7 +52889,7 @@ index 43a97ee..4e585fd 100644 done_path_create(&new_path, new_dentry); if (retry_estale(error, how)) { how |= LOOKUP_REVAL; -@@ -3908,12 +4124,21 @@ retry: +@@ -3906,12 +4122,21 @@ retry: if (new_dentry == trap) goto exit5; @@ -52965,7 +52911,7 @@ index 43a97ee..4e585fd 100644 exit5: dput(new_dentry); exit4: -@@ -3945,6 +4170,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna +@@ -3943,6 +4168,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link) { @@ -52974,7 +52920,7 @@ index 43a97ee..4e585fd 100644 int len; len = PTR_ERR(link); -@@ -3954,7 +4181,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c +@@ -3952,7 +4179,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c len = strlen(link); if (len > (unsigned) buflen) len = buflen; @@ -53564,7 +53510,7 @@ index 9b33c0c..2ffcca2 100644 } putname(tmp); diff --git a/fs/pipe.c b/fs/pipe.c -index bd3479d..fb92c4d 100644 +index 8e2e73f..1ef1048 100644 --- a/fs/pipe.c +++ b/fs/pipe.c @@ -438,9 +438,9 @@ redo: @@ -53659,7 +53605,7 @@ index bd3479d..fb92c4d 100644 } mutex_unlock(&inode->i_mutex); -@@ -868,9 +868,9 @@ pipe_rdwr_open(struct inode *inode, struct file *filp) +@@ -871,9 +871,9 @@ pipe_rdwr_open(struct inode *inode, struct file *filp) if (inode->i_pipe) { ret = 0; if (filp->f_mode & FMODE_READ) 
@@ -53671,7 +53617,7 @@ index bd3479d..fb92c4d 100644 } mutex_unlock(&inode->i_mutex); -@@ -962,7 +962,7 @@ void free_pipe_info(struct inode *inode) +@@ -965,7 +965,7 @@ void free_pipe_info(struct inode *inode) inode->i_pipe = NULL; } @@ -53680,7 +53626,7 @@ index bd3479d..fb92c4d 100644 /* * pipefs_dname() is called from d_path(). -@@ -992,7 +992,8 @@ static struct inode * get_pipe_inode(void) +@@ -995,7 +995,8 @@ static struct inode * get_pipe_inode(void) goto fail_iput; inode->i_pipe = pipe; @@ -72544,7 +72490,7 @@ index 71a3ca1..cc330ee 100644 if (u->mq_bytes + mq_bytes < u->mq_bytes || u->mq_bytes + mq_bytes > rlimit(RLIMIT_MSGQUEUE)) { diff --git a/ipc/msg.c b/ipc/msg.c -index 950572f..362ea07 100644 +index 31cd1bf..362ea07 100644 --- a/ipc/msg.c +++ b/ipc/msg.c @@ -309,18 +309,19 @@ static inline int msg_security(struct kern_ipc_perm *ipcp, int msgflg) @@ -72572,40 +72518,6 @@ index 950572f..362ea07 100644 msg_params.key = key; msg_params.flg = msgflg; -@@ -820,15 +821,17 @@ long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp, - struct msg_msg *copy = NULL; - unsigned long copy_number = 0; - -+ ns = current->nsproxy->ipc_ns; -+ - if (msqid < 0 || (long) bufsz < 0) - return -EINVAL; - if (msgflg & MSG_COPY) { -- copy = prepare_copy(buf, bufsz, msgflg, &msgtyp, ©_number); -+ copy = prepare_copy(buf, min_t(size_t, bufsz, ns->msg_ctlmax), -+ msgflg, &msgtyp, ©_number); - if (IS_ERR(copy)) - return PTR_ERR(copy); - } - mode = convert_mode(&msgtyp, msgflg); -- ns = current->nsproxy->ipc_ns; - - msq = msg_lock_check(ns, msqid); - if (IS_ERR(msq)) { -diff --git a/ipc/msgutil.c b/ipc/msgutil.c -index ebfcbfa..5df8e4b 100644 ---- a/ipc/msgutil.c -+++ b/ipc/msgutil.c -@@ -117,9 +117,6 @@ struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst) - if (alen > DATALEN_MSG) - alen = DATALEN_MSG; - -- dst->next = NULL; -- dst->security = NULL; -- - memcpy(dst + 1, src + 1, alen); - - len -= alen; 
diff --git a/ipc/sem.c b/ipc/sem.c index 58d31f1..cce7a55 100644 --- a/ipc/sem.c @@ -73486,7 +73398,7 @@ index b4df219..f13c02d 100644 { struct signal_struct *sig = current->signal; diff --git a/kernel/fork.c b/kernel/fork.c -index c535f33..1d768f9 100644 +index 5630e52..0cee608 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -318,7 +318,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig) @@ -73735,7 +73647,7 @@ index c535f33..1d768f9 100644 return 0; } -@@ -1193,6 +1243,9 @@ static struct task_struct *copy_process(unsigned long clone_flags, +@@ -1196,6 +1246,9 @@ static struct task_struct *copy_process(unsigned long clone_flags, DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled); #endif retval = -EAGAIN; @@ -73745,7 +73657,7 @@ index c535f33..1d768f9 100644 if (atomic_read(&p->real_cred->user->processes) >= task_rlimit(p, RLIMIT_NPROC)) { if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) && -@@ -1432,6 +1485,11 @@ static struct task_struct *copy_process(unsigned long clone_flags, +@@ -1435,6 +1488,11 @@ static struct task_struct *copy_process(unsigned long clone_flags, goto bad_fork_free_pid; } @@ -73757,7 +73669,7 @@ index c535f33..1d768f9 100644 if (clone_flags & CLONE_THREAD) { current->signal->nr_threads++; atomic_inc(¤t->signal->live); -@@ -1515,6 +1573,8 @@ bad_fork_cleanup_count: +@@ -1518,6 +1576,8 @@ bad_fork_cleanup_count: bad_fork_free: free_task(p); fork_out: @@ -73766,7 +73678,7 @@ index c535f33..1d768f9 100644 return ERR_PTR(retval); } -@@ -1565,6 +1625,23 @@ long do_fork(unsigned long clone_flags, +@@ -1568,6 +1628,23 @@ long do_fork(unsigned long clone_flags, return -EINVAL; } 
@@ -73790,7 +73702,7 @@ index c535f33..1d768f9 100644 /* * Determine whether and which event to report to ptracer. When * called from kernel_thread or CLONE_UNTRACED is explicitly -@@ -1599,6 +1676,8 @@ long do_fork(unsigned long clone_flags, +@@ -1602,6 +1679,8 @@ long do_fork(unsigned long clone_flags, if (clone_flags & CLONE_PARENT_SETTID) put_user(nr, parent_tidptr); @@ -73799,7 +73711,7 @@ index c535f33..1d768f9 100644 if (clone_flags & CLONE_VFORK) { p->vfork_done = &vfork; init_completion(&vfork); -@@ -1752,7 +1831,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) +@@ -1755,7 +1834,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) return 0; /* don't need lock here; in the worst case we'll do useless copy */ @@ -73808,7 +73720,7 @@ index c535f33..1d768f9 100644 return 0; *new_fsp = copy_fs_struct(fs); -@@ -1866,7 +1945,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) +@@ -1869,7 +1948,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) fs = current->fs; spin_lock(&fs->lock); current->fs = new_fs; @@ -78278,10 +78190,10 @@ index 33acb5e..57ebfd4 100644 .group = GLOBAL_ROOT_GID, .proc_inum = PROC_USER_INIT_INO, diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c -index 2b042c4..24f8ec3 100644 +index dbfe36a7..6d36e9a 100644 --- a/kernel/user_namespace.c +++ b/kernel/user_namespace.c -@@ -78,7 +78,7 @@ int create_user_ns(struct cred *new) +@@ -79,7 +79,7 @@ int create_user_ns(struct cred *new) return ret; } @@ -78290,7 +78202,7 @@ index 2b042c4..24f8ec3 100644 /* Leave the new->user_ns reference with the new user namespace. */ ns->parent = parent_ns; ns->owner = owner; -@@ -104,15 +104,16 @@ int unshare_userns(unsigned long unshare_flags, struct cred **new_cred) +@@ -105,15 +105,16 @@ int unshare_userns(unsigned long unshare_flags, struct cred **new_cred) return create_user_ns(cred); } @@ -80047,7 +79959,7 @@ index bb1369f..efb96b5 100644 return 0; } 
diff --git a/mm/mempolicy.c b/mm/mempolicy.c -index e2df1c1..1e31d57 100644 +index 3df6d12..a11056a 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c @@ -721,6 +721,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start, @@ -81920,7 +81832,7 @@ index 8c8e08f..73a5cda 100644 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */ diff --git a/mm/process_vm_access.c b/mm/process_vm_access.c -index 926b466..b23df53 100644 +index fd26d04..0cea1b0 100644 --- a/mm/process_vm_access.c +++ b/mm/process_vm_access.c @@ -13,6 +13,7 @@ @@ -88679,7 +88591,7 @@ index 6b42d47..2ac24d5 100644 sub->evt.event = htohl(event, sub->swap); diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 5b5c876..3127bf7 100644 +index 5b5c876..6713b81 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -786,6 +786,12 @@ static struct sock *unix_find_other(struct net *net, @@ -88728,6 +88640,34 @@ index 5b5c876..3127bf7 100644 done_path_create(&path, dentry); return err; } +@@ -2326,9 +2345,13 @@ static int unix_seq_show(struct seq_file *seq, void *v) + seq_puts(seq, "Num RefCount Protocol Flags Type St " + "Inode Path\n"); + else { +- struct sock *s = v; ++ struct sock *s = v, *peer; + struct unix_sock *u = unix_sk(s); + unix_state_lock(s); ++ peer = unix_peer(s); ++ unix_state_unlock(s); ++ ++ unix_state_double_lock(s, peer); + + seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu", + s, +@@ -2355,8 +2378,10 @@ static int unix_seq_show(struct seq_file *seq, void *v) + } + for ( ; i < len; i++) + seq_putc(seq, u->addr->name->sun_path[i]); +- } +- unix_state_unlock(s); ++ } else if (peer) ++ seq_printf(seq, " P%lu", sock_i_ino(peer)); ++ ++ unix_state_double_unlock(s, peer); + seq_putc(seq, '\n'); + } + diff --git a/net/unix/sysctl_net_unix.c b/net/unix/sysctl_net_unix.c index 8800604..0526440 100644 --- a/net/unix/sysctl_net_unix.c @@ -90455,7 +90395,7 @@ index 55a6271..ad829c3 100644 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]); return 0; 
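Review bot: In the net/unix/af_unix.c section, unix_seq_show() reads `peer = unix_peer(s)` under the state lock of s but drops that lock before `unix_state_double_lock(s, peer)`, and no reference on peer is taken in the visible lines. If nothing outside the hunk pins the peer, it can be disconnected or released in that window, and the later `sock_i_ino(peer)` would then touch a stale socket. Holding a reference across the gap, `sock_hold(peer)` before `unix_state_unlock(s)` and `sock_put(peer)` after `unix_state_double_unlock(s, peer)` (both only when peer is non-NULL), or re-checking `unix_peer(s) == peer` once both locks are held, would close it. The function begins before the hunk, so any lock the seq_file iterator already holds is not visible here and should be confirmed.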
diff --git a/security/keys/compat.c b/security/keys/compat.c -index 1c26176..64a1ba2 100644 +index d65fa7f..cbfe366 100644 --- a/security/keys/compat.c +++ b/security/keys/compat.c @@ -44,7 +44,7 @@ static long compat_keyctl_instantiate_key_iov( @@ -90464,7 +90404,7 @@ index 1c26176..64a1ba2 100644 - ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid); + ret = keyctl_instantiate_key_common(id, (const struct iovec __force_user *)iov, ioc, ret, ringid); - + err: if (iov != iovstack) kfree(iov); diff --git a/security/keys/key.c b/security/keys/key.c @@ -90588,19 +90528,6 @@ index 6ece7f2..ecdb55c 100644 goto error; buflen -= tmp; -diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c -index 58dfe08..c5ec083 100644 ---- a/security/keys/process_keys.c -+++ b/security/keys/process_keys.c -@@ -57,7 +57,7 @@ int install_user_keyrings(void) - - kenter("%p{%u}", user, uid); - -- if (user->uid_keyring) { -+ if (user->uid_keyring && user->session_keyring) { - kleave(" = 0 [exist]"); - return 0; - } diff --git a/security/min_addr.c b/security/min_addr.c index f728728..6457a0c 100644 --- a/security/min_addr.c