* [gentoo-commits] proj/hardened-patchset:master commit in: 2.6.32/, 3.8.2/, 3.2.40/
@ 2013-03-16 13:25 Anthony G. Basile
0 siblings, 0 replies; 2+ messages in thread
From: Anthony G. Basile @ 2013-03-16 13:25 UTC (permalink / raw
To: gentoo-commits
commit: 3ffd0980490b6bd656a839ddee22060a09a32a94
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sat Mar 16 13:25:00 2013 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sat Mar 16 13:25:00 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=3ffd0980
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.40,3.8.2}-201303142235
---
..._grsecurity-2.9.1-2.6.32.60-201303142231.patch} | 134 ++++-
3.2.40/0000_README | 2 +-
...420_grsecurity-2.9.1-3.2.40-201303142234.patch} | 294 +++++++-
3.8.2/0000_README | 2 +-
...4420_grsecurity-2.9.1-3.8.3-201303142235.patch} | 775 +++++++++-----------
5 files changed, 751 insertions(+), 456 deletions(-)
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303111841.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303142231.patch
similarity index 99%
rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303111841.patch
rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303142231.patch
index 844bced..966075e 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303111841.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303142231.patch
@@ -67598,6 +67598,25 @@ index 7ad177e..5503586 100644
typedef void (*bfa_cb_iocfc_t) (void *cbarg, enum bfa_status status);
struct bfa_iocfc_s {
+diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c
+index 075e239..85a1eaf 100644
+--- a/drivers/scsi/dc395x.c
++++ b/drivers/scsi/dc395x.c
+@@ -3746,13 +3746,13 @@ static struct DeviceCtlBlk *device_alloc(struct AdapterCtlBlk *acb,
+ dcb->max_command = 1;
+ dcb->target_id = target;
+ dcb->target_lun = lun;
++ dcb->dev_mode = eeprom->target[target].cfg0;
+ #ifndef DC395x_NO_DISCONNECT
+ dcb->identify_msg =
+ IDENTIFY(dcb->dev_mode & NTC_DO_DISCONNECT, lun);
+ #else
+ dcb->identify_msg = IDENTIFY(0, lun);
+ #endif
+- dcb->dev_mode = eeprom->target[target].cfg0;
+ dcb->inquiry7 = 0;
+ dcb->sync_mode = 0;
+ dcb->min_nego_period = clock_period[period_index];
diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c
index 4967643..cbec06b 100644
--- a/drivers/scsi/dpt_i2o.c
@@ -71265,6 +71284,76 @@ index fbea856..06efea6 100644
if (!left--) {
if (instance->disconnected)
+diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
+index 37f2899..6ca1363 100644
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -52,7 +52,7 @@ MODULE_DEVICE_TABLE (usb, wdm_ids);
+ #define WDM_READ 4
+ #define WDM_INT_STALL 5
+ #define WDM_POLL_RUNNING 6
+-
++#define WDM_OVERFLOW 10
+
+ #define WDM_MAX 16
+
+@@ -115,6 +115,7 @@ static void wdm_in_callback(struct urb *urb)
+ {
+ struct wdm_device *desc = urb->context;
+ int status = urb->status;
++ int length = urb->actual_length;
+
+ spin_lock(&desc->iuspin);
+
+@@ -144,9 +145,17 @@ static void wdm_in_callback(struct urb *urb)
+ }
+
+ desc->rerr = status;
+- desc->reslength = urb->actual_length;
+- memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength);
+- desc->length += desc->reslength;
++ if (length + desc->length > desc->wMaxCommand) {
++ /* The buffer would overflow */
++ set_bit(WDM_OVERFLOW, &desc->flags);
++ } else {
++ /* we may already be in overflow */
++ if (!test_bit(WDM_OVERFLOW, &desc->flags)) {
++ memmove(desc->ubuf + desc->length, desc->inbuf, length);
++ desc->length += length;
++ desc->reslength = length;
++ }
++ }
+ wake_up(&desc->wait);
+
+ set_bit(WDM_READ, &desc->flags);
+@@ -398,6 +407,11 @@ retry:
+ rv = -ENODEV;
+ goto err;
+ }
++ if (test_bit(WDM_OVERFLOW, &desc->flags)) {
++ clear_bit(WDM_OVERFLOW, &desc->flags);
++ rv = -ENOBUFS;
++ goto err;
++ }
+ i++;
+ if (file->f_flags & O_NONBLOCK) {
+ if (!test_bit(WDM_READ, &desc->flags)) {
+@@ -440,6 +454,7 @@ retry:
+ spin_unlock_irq(&desc->iuspin);
+ goto retry;
+ }
++
+ if (!desc->reslength) { /* zero length read */
+ dev_dbg(&desc->intf->dev, "%s: zero length - clearing WDM_READ\n", __func__);
+ clear_bit(WDM_READ, &desc->flags);
+@@ -844,6 +859,7 @@ static int wdm_post_reset(struct usb_interface *intf)
+ struct wdm_device *desc = usb_get_intfdata(intf);
+ int rv;
+
++ clear_bit(WDM_OVERFLOW, &desc->flags);
+ rv = recover_from_urb_loss(desc);
+ mutex_unlock(&desc->plock);
+ return 0;
diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
index 24e6205..b94523b 100644
--- a/drivers/usb/core/hcd.c
@@ -81696,7 +81785,7 @@ index f6af760..d0adf34 100644
base = (void __user *)(unsigned long)argv[n].v_base;
if (len == 0) {
diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c
-index 44a88a9..0eb059e 100644
+index 44a88a9..0eb059ec 100644
--- a/fs/nls/nls_base.c
+++ b/fs/nls/nls_base.c
@@ -114,34 +114,57 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxlen)
@@ -82286,7 +82375,7 @@ index 5765198..7f8e9e0 100644
int pos = slot * secsize;
put_dev_sector(sect);
diff --git a/fs/pipe.c b/fs/pipe.c
-index d0cc080..8a6f211 100644
+index d0cc080..b63ef40 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -401,9 +401,9 @@ redo:
@@ -82381,7 +82470,15 @@ index d0cc080..8a6f211 100644
}
mutex_unlock(&inode->i_mutex);
-@@ -818,9 +818,9 @@ pipe_rdwr_open(struct inode *inode, struct file *filp)
+@@ -813,14 +813,17 @@ pipe_rdwr_open(struct inode *inode, struct file *filp)
+ {
+ int ret = -ENOENT;
+
++ if (!(filp->f_mode & (FMODE_READ|FMODE_WRITE)))
++ return -EINVAL;
++
+ mutex_lock(&inode->i_mutex);
+
if (inode->i_pipe) {
ret = 0;
if (filp->f_mode & FMODE_READ)
@@ -82393,7 +82490,7 @@ index d0cc080..8a6f211 100644
}
mutex_unlock(&inode->i_mutex);
-@@ -905,7 +905,7 @@ void free_pipe_info(struct inode *inode)
+@@ -905,7 +908,7 @@ void free_pipe_info(struct inode *inode)
inode->i_pipe = NULL;
}
@@ -82402,7 +82499,7 @@ index d0cc080..8a6f211 100644
static int pipefs_delete_dentry(struct dentry *dentry)
{
/*
-@@ -945,7 +945,8 @@ static struct inode * get_pipe_inode(void)
+@@ -945,7 +948,8 @@ static struct inode * get_pipe_inode(void)
goto fail_iput;
inode->i_pipe = pipe;
@@ -118216,7 +118313,7 @@ index 0747d8a..e8bf3f3 100644
sub->evt.event = htohl(event, sub->swap);
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index db8d51a..608692d 100644
+index db8d51a..b141925 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -745,6 +745,12 @@ static struct sock *unix_find_other(struct net *net,
@@ -118265,8 +118362,18 @@ index db8d51a..608692d 100644
mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
dput(nd.path.dentry);
nd.path.dentry = dentry;
-@@ -2211,7 +2231,11 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+@@ -2206,12 +2226,20 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+ seq_puts(seq, "Num RefCount Protocol Flags Type St "
+ "Inode Path\n");
+ else {
+- struct sock *s = v;
++ struct sock *s = v, *peer;
+ struct unix_sock *u = unix_sk(s);
unix_state_lock(s);
++ peer = unix_peer(s);
++ unix_state_unlock(s);
++
++ unix_state_double_lock(s, peer);
seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
+#ifdef CONFIG_GRKERNSEC_HIDESYM
@@ -118277,6 +118384,19 @@ index db8d51a..608692d 100644
atomic_read(&s->sk_refcnt),
0,
s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
+@@ -2235,8 +2263,10 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+ }
+ for ( ; i < len; i++)
+ seq_putc(seq, u->addr->name->sun_path[i]);
+- }
+- unix_state_unlock(s);
++ } else if (peer)
++ seq_printf(seq, " P%lu", sock_i_ino(peer));
++
++ unix_state_double_unlock(s, peer);
+ seq_putc(seq, '\n');
+ }
+
diff --git a/net/wireless/wext.c b/net/wireless/wext.c
index a2e4c60..0979cbe 100644
--- a/net/wireless/wext.c
diff --git a/3.2.40/0000_README b/3.2.40/0000_README
index 173a1e3..6682017 100644
--- a/3.2.40/0000_README
+++ b/3.2.40/0000_README
@@ -78,7 +78,7 @@ Patch: 1039_linux-3.2.40.patch
From: http://www.kernel.org
Desc: Linux 3.2.40
-Patch: 4420_grsecurity-2.9.1-3.2.40-201303111844.patch
+Patch: 4420_grsecurity-2.9.1-3.2.40-201303142234.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303111844.patch b/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303142234.patch
similarity index 99%
rename from 3.2.40/4420_grsecurity-2.9.1-3.2.40-201303111844.patch
rename to 3.2.40/4420_grsecurity-2.9.1-3.2.40-201303142234.patch
index 94cafc4..c85236f 100644
--- a/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303111844.patch
+++ b/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303142234.patch
@@ -31356,6 +31356,57 @@ index 0833896..cccce52 100644
struct hpet_info *info)
{
struct hpet_timer __iomem *timer;
+diff --git a/drivers/char/hw_random/core.c b/drivers/char/hw_random/core.c
+index 1bafb40..69ae597 100644
+--- a/drivers/char/hw_random/core.c
++++ b/drivers/char/hw_random/core.c
+@@ -40,6 +40,7 @@
+ #include <linux/init.h>
+ #include <linux/miscdevice.h>
+ #include <linux/delay.h>
++#include <linux/slab.h>
+ #include <asm/uaccess.h>
+
+
+@@ -52,8 +53,12 @@ static struct hwrng *current_rng;
+ static LIST_HEAD(rng_list);
+ static DEFINE_MUTEX(rng_mutex);
+ static int data_avail;
+-static u8 rng_buffer[SMP_CACHE_BYTES < 32 ? 32 : SMP_CACHE_BYTES]
+- __cacheline_aligned;
++static u8 *rng_buffer;
++
++static size_t rng_buffer_size(void)
++{
++ return SMP_CACHE_BYTES < 32 ? 32 : SMP_CACHE_BYTES;
++}
+
+ static inline int hwrng_init(struct hwrng *rng)
+ {
+@@ -116,7 +121,7 @@ static ssize_t rng_dev_read(struct file *filp, char __user *buf,
+
+ if (!data_avail) {
+ bytes_read = rng_get_data(current_rng, rng_buffer,
+- sizeof(rng_buffer),
++ rng_buffer_size(),
+ !(filp->f_flags & O_NONBLOCK));
+ if (bytes_read < 0) {
+ err = bytes_read;
+@@ -307,6 +312,14 @@ int hwrng_register(struct hwrng *rng)
+
+ mutex_lock(&rng_mutex);
+
++ /* kmalloc makes this safe for virt_to_page() in virtio_rng.c */
++ err = -ENOMEM;
++ if (!rng_buffer) {
++ rng_buffer = kmalloc(rng_buffer_size(), GFP_KERNEL);
++ if (!rng_buffer)
++ goto out_unlock;
++ }
++
+ /* Must not register two RNGs with the same name. */
+ err = -EEXIST;
+ list_for_each_entry(tmp, &rng_list, list) {
diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
index 58c0e63..46c16bf 100644
--- a/drivers/char/ipmi/ipmi_msghandler.c
@@ -39411,6 +39462,25 @@ index 546d46b..642fa5b 100644
/*
* Queue element to wait for room in request queue. FIFO order is
+diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c
+index f5b718d..aed7756 100644
+--- a/drivers/scsi/dc395x.c
++++ b/drivers/scsi/dc395x.c
+@@ -3747,13 +3747,13 @@ static struct DeviceCtlBlk *device_alloc(struct AdapterCtlBlk *acb,
+ dcb->max_command = 1;
+ dcb->target_id = target;
+ dcb->target_lun = lun;
++ dcb->dev_mode = eeprom->target[target].cfg0;
+ #ifndef DC395x_NO_DISCONNECT
+ dcb->identify_msg =
+ IDENTIFY(dcb->dev_mode & NTC_DO_DISCONNECT, lun);
+ #else
+ dcb->identify_msg = IDENTIFY(0, lun);
+ #endif
+- dcb->dev_mode = eeprom->target[target].cfg0;
+ dcb->inquiry7 = 0;
+ dcb->sync_mode = 0;
+ dcb->min_nego_period = clock_period[period_index];
diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
index ee77a58..af9d518 100644
--- a/drivers/scsi/hosts.c
@@ -41518,6 +41588,75 @@ index d3448ca..d2864ca 100644
if (!left--) {
if (instance->disconnected)
+diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
+index 97b2c55..fe8c04b 100644
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -70,6 +70,7 @@ MODULE_DEVICE_TABLE (usb, wdm_ids);
+ #define WDM_POLL_RUNNING 6
+ #define WDM_RESPONDING 7
+ #define WDM_SUSPENDING 8
++#define WDM_OVERFLOW 10
+
+ #define WDM_MAX 16
+
+@@ -134,6 +135,7 @@ static void wdm_in_callback(struct urb *urb)
+ {
+ struct wdm_device *desc = urb->context;
+ int status = urb->status;
++ int length = urb->actual_length;
+
+ spin_lock(&desc->iuspin);
+ clear_bit(WDM_RESPONDING, &desc->flags);
+@@ -164,9 +166,17 @@ static void wdm_in_callback(struct urb *urb)
+ }
+
+ desc->rerr = status;
+- desc->reslength = urb->actual_length;
+- memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength);
+- desc->length += desc->reslength;
++ if (length + desc->length > desc->wMaxCommand) {
++ /* The buffer would overflow */
++ set_bit(WDM_OVERFLOW, &desc->flags);
++ } else {
++ /* we may already be in overflow */
++ if (!test_bit(WDM_OVERFLOW, &desc->flags)) {
++ memmove(desc->ubuf + desc->length, desc->inbuf, length);
++ desc->length += length;
++ desc->reslength = length;
++ }
++ }
+ skip_error:
+ wake_up(&desc->wait);
+
+@@ -433,6 +443,11 @@ retry:
+ rv = -ENODEV;
+ goto err;
+ }
++ if (test_bit(WDM_OVERFLOW, &desc->flags)) {
++ clear_bit(WDM_OVERFLOW, &desc->flags);
++ rv = -ENOBUFS;
++ goto err;
++ }
+ i++;
+ if (file->f_flags & O_NONBLOCK) {
+ if (!test_bit(WDM_READ, &desc->flags)) {
+@@ -472,6 +487,7 @@ retry:
+ spin_unlock_irq(&desc->iuspin);
+ goto retry;
+ }
++
+ if (!desc->reslength) { /* zero length read */
+ dev_dbg(&desc->intf->dev, "%s: zero length - clearing WDM_READ\n", __func__);
+ clear_bit(WDM_READ, &desc->flags);
+@@ -926,6 +942,7 @@ static int wdm_post_reset(struct usb_interface *intf)
+ struct wdm_device *desc = usb_get_intfdata(intf);
+ int rv;
+
++ clear_bit(WDM_OVERFLOW, &desc->flags);
+ rv = recover_from_urb_loss(desc);
+ mutex_unlock(&desc->wlock);
+ mutex_unlock(&desc->rlock);
diff --git a/drivers/usb/core/devices.c b/drivers/usb/core/devices.c
index 3440812..2a4ef1f 100644
--- a/drivers/usb/core/devices.c
@@ -46496,10 +46635,22 @@ index 84e8c07..6170d31 100644
}
}
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
-index b1451af..9a30647 100644
+index b1451af..72c6542 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
-@@ -989,7 +989,7 @@ cifs_init_request_bufs(void)
+@@ -561,6 +561,11 @@ cifs_get_root(struct smb_vol *vol, struct super_block *sb)
+ dentry = ERR_PTR(-ENOENT);
+ break;
+ }
++ if (!S_ISDIR(dir->i_mode)) {
++ dput(dentry);
++ dentry = ERR_PTR(-ENOTDIR);
++ break;
++ }
+
+ /* skip separators */
+ while (*s == sep)
+@@ -989,7 +994,7 @@ cifs_init_request_bufs(void)
cifs_req_cachep = kmem_cache_create("cifs_request",
CIFSMaxBufSize +
MAX_CIFS_HDR_SIZE, 0,
@@ -46508,7 +46659,7 @@ index b1451af..9a30647 100644
if (cifs_req_cachep == NULL)
return -ENOMEM;
-@@ -1016,7 +1016,7 @@ cifs_init_request_bufs(void)
+@@ -1016,7 +1021,7 @@ cifs_init_request_bufs(void)
efficient to alloc 1 per page off the slab compared to 17K (5page)
alloc of large cifs buffers even when page debugging is on */
cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq",
@@ -46517,7 +46668,7 @@ index b1451af..9a30647 100644
NULL);
if (cifs_sm_req_cachep == NULL) {
mempool_destroy(cifs_req_poolp);
-@@ -1101,8 +1101,8 @@ init_cifs(void)
+@@ -1101,8 +1106,8 @@ init_cifs(void)
atomic_set(&bufAllocCount, 0);
atomic_set(&smBufAllocCount, 0);
#ifdef CONFIG_CIFS_STATS2
@@ -46710,7 +46861,7 @@ index 6901578..d402eb5 100644
return hit;
diff --git a/fs/compat.c b/fs/compat.c
-index e07a3d3..1b4dfbb 100644
+index e07a3d3..d33d8b7 100644
--- a/fs/compat.c
+++ b/fs/compat.c
@@ -132,8 +132,8 @@ asmlinkage long compat_sys_utimes(const char __user *filename, struct compat_tim
@@ -46742,7 +46893,18 @@ index e07a3d3..1b4dfbb 100644
goto out;
if (nr_segs > fast_segs) {
ret = -ENOMEM;
-@@ -845,6 +845,7 @@ struct compat_old_linux_dirent {
+@@ -572,6 +572,10 @@ ssize_t compat_rw_copy_check_uvector(int type,
+ }
+ *ret_pointer = iov;
+
++ ret = -EFAULT;
++ if (!access_ok(VERIFY_READ, uvector, nr_segs*sizeof(*uvector)))
++ goto out;
++
+ /*
+ * Single unix specification:
+ * We should -EINVAL if an element length is not >= 0 and fitting an
+@@ -845,6 +849,7 @@ struct compat_old_linux_dirent {
struct compat_readdir_callback {
struct compat_old_linux_dirent __user *dirent;
@@ -46750,7 +46912,7 @@ index e07a3d3..1b4dfbb 100644
int result;
};
-@@ -862,6 +863,10 @@ static int compat_fillonedir(void *__buf, const char *name, int namlen,
+@@ -862,6 +867,10 @@ static int compat_fillonedir(void *__buf, const char *name, int namlen,
buf->result = -EOVERFLOW;
return -EOVERFLOW;
}
@@ -46761,7 +46923,7 @@ index e07a3d3..1b4dfbb 100644
buf->result++;
dirent = buf->dirent;
if (!access_ok(VERIFY_WRITE, dirent,
-@@ -894,6 +899,7 @@ asmlinkage long compat_sys_old_readdir(unsigned int fd,
+@@ -894,6 +903,7 @@ asmlinkage long compat_sys_old_readdir(unsigned int fd,
buf.result = 0;
buf.dirent = dirent;
@@ -46769,7 +46931,7 @@ index e07a3d3..1b4dfbb 100644
error = vfs_readdir(file, compat_fillonedir, &buf);
if (buf.result)
-@@ -914,6 +920,7 @@ struct compat_linux_dirent {
+@@ -914,6 +924,7 @@ struct compat_linux_dirent {
struct compat_getdents_callback {
struct compat_linux_dirent __user *current_dir;
struct compat_linux_dirent __user *previous;
@@ -46777,7 +46939,7 @@ index e07a3d3..1b4dfbb 100644
int count;
int error;
};
-@@ -935,6 +942,10 @@ static int compat_filldir(void *__buf, const char *name, int namlen,
+@@ -935,6 +946,10 @@ static int compat_filldir(void *__buf, const char *name, int namlen,
buf->error = -EOVERFLOW;
return -EOVERFLOW;
}
@@ -46788,7 +46950,7 @@ index e07a3d3..1b4dfbb 100644
dirent = buf->previous;
if (dirent) {
if (__put_user(offset, &dirent->d_off))
-@@ -982,6 +993,7 @@ asmlinkage long compat_sys_getdents(unsigned int fd,
+@@ -982,6 +997,7 @@ asmlinkage long compat_sys_getdents(unsigned int fd,
buf.previous = NULL;
buf.count = count;
buf.error = 0;
@@ -46796,7 +46958,7 @@ index e07a3d3..1b4dfbb 100644
error = vfs_readdir(file, compat_filldir, &buf);
if (error >= 0)
-@@ -1003,6 +1015,7 @@ out:
+@@ -1003,6 +1019,7 @@ out:
struct compat_getdents_callback64 {
struct linux_dirent64 __user *current_dir;
struct linux_dirent64 __user *previous;
@@ -46804,7 +46966,7 @@ index e07a3d3..1b4dfbb 100644
int count;
int error;
};
-@@ -1019,6 +1032,10 @@ static int compat_filldir64(void * __buf, const char * name, int namlen, loff_t
+@@ -1019,6 +1036,10 @@ static int compat_filldir64(void * __buf, const char * name, int namlen, loff_t
buf->error = -EINVAL; /* only used if we fail.. */
if (reclen > buf->count)
return -EINVAL;
@@ -46815,7 +46977,7 @@ index e07a3d3..1b4dfbb 100644
dirent = buf->previous;
if (dirent) {
-@@ -1070,13 +1087,14 @@ asmlinkage long compat_sys_getdents64(unsigned int fd,
+@@ -1070,13 +1091,14 @@ asmlinkage long compat_sys_getdents64(unsigned int fd,
buf.previous = NULL;
buf.count = count;
buf.error = 0;
@@ -46831,6 +46993,27 @@ index e07a3d3..1b4dfbb 100644
if (__put_user_unaligned(d_off, &lastdirent->d_off))
error = -EFAULT;
else
+@@ -1103,17 +1125,12 @@ static ssize_t compat_do_readv_writev(int type, struct file *file,
+ if (!file->f_op)
+ goto out;
+
+- ret = -EFAULT;
+- if (!access_ok(VERIFY_READ, uvector, nr_segs*sizeof(*uvector)))
+- goto out;
+-
+- tot_len = compat_rw_copy_check_uvector(type, uvector, nr_segs,
++ ret = compat_rw_copy_check_uvector(type, uvector, nr_segs,
+ UIO_FASTIOV, iovstack, &iov, 1);
+- if (tot_len == 0) {
+- ret = 0;
++ if (ret <= 0)
+ goto out;
+- }
+
++ tot_len = ret;
+ ret = rw_verify_area(type, file, pos, tot_len);
+ if (ret < 0)
+ goto out;
diff --git a/fs/compat_binfmt_elf.c b/fs/compat_binfmt_elf.c
index 112e45a..b59845b 100644
--- a/fs/compat_binfmt_elf.c
@@ -50853,7 +51036,7 @@ index 1c98f53..41e6a04 100644
nilfs->ns_crc_seed = le32_to_cpu(sbp->s_crc_seed);
return 0;
diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c
-index 44a88a9..0eb059e 100644
+index 44a88a9..0eb059ec 100644
--- a/fs/nls/nls_base.c
+++ b/fs/nls/nls_base.c
@@ -114,34 +114,57 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxlen)
@@ -51274,7 +51457,7 @@ index bd8ae78..539d250 100644
ldm_crit ("Out of memory.");
return false;
diff --git a/fs/pipe.c b/fs/pipe.c
-index 05ed5ca..ab15592 100644
+index 05ed5ca..d1f8b8a 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -437,9 +437,9 @@ redo:
@@ -51369,7 +51552,15 @@ index 05ed5ca..ab15592 100644
}
mutex_unlock(&inode->i_mutex);
-@@ -864,9 +864,9 @@ pipe_rdwr_open(struct inode *inode, struct file *filp)
+@@ -859,14 +859,17 @@ pipe_rdwr_open(struct inode *inode, struct file *filp)
+ {
+ int ret = -ENOENT;
+
++ if (!(filp->f_mode & (FMODE_READ|FMODE_WRITE)))
++ return -EINVAL;
++
+ mutex_lock(&inode->i_mutex);
+
if (inode->i_pipe) {
ret = 0;
if (filp->f_mode & FMODE_READ)
@@ -51381,7 +51572,7 @@ index 05ed5ca..ab15592 100644
}
mutex_unlock(&inode->i_mutex);
-@@ -958,7 +958,7 @@ void free_pipe_info(struct inode *inode)
+@@ -958,7 +961,7 @@ void free_pipe_info(struct inode *inode)
inode->i_pipe = NULL;
}
@@ -51390,7 +51581,7 @@ index 05ed5ca..ab15592 100644
/*
* pipefs_dname() is called from d_path().
-@@ -988,7 +988,8 @@ static struct inode * get_pipe_inode(void)
+@@ -988,7 +991,8 @@ static struct inode * get_pipe_inode(void)
goto fail_iput;
inode->i_pipe = pipe;
@@ -78940,7 +79131,7 @@ index 5c29750..99f6386 100644
static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
diff --git a/mm/process_vm_access.c b/mm/process_vm_access.c
-index e920aa3..137702a 100644
+index e920aa3..38e1f43 100644
--- a/mm/process_vm_access.c
+++ b/mm/process_vm_access.c
@@ -13,6 +13,7 @@
@@ -79012,6 +79203,28 @@ index e920aa3..137702a 100644
for (i = 0; i < riovcnt && iov_l_curr_idx < liovcnt; i++) {
rc = process_vm_rw_single_vec(
(unsigned long)rvec[i].iov_base, rvec[i].iov_len,
+@@ -434,12 +435,6 @@ compat_process_vm_rw(compat_pid_t pid,
+ if (flags != 0)
+ return -EINVAL;
+
+- if (!access_ok(VERIFY_READ, lvec, liovcnt * sizeof(*lvec)))
+- goto out;
+-
+- if (!access_ok(VERIFY_READ, rvec, riovcnt * sizeof(*rvec)))
+- goto out;
+-
+ if (vm_write)
+ rc = compat_rw_copy_check_uvector(WRITE, lvec, liovcnt,
+ UIO_FASTIOV, iovstack_l,
+@@ -464,8 +459,6 @@ free_iovecs:
+ kfree(iov_r);
+ if (iov_l != iovstack_l)
+ kfree(iov_l);
+-
+-out:
+ return rc;
+ }
+
diff --git a/mm/rmap.c b/mm/rmap.c
index 8685697..b490361 100644
--- a/mm/rmap.c
@@ -85086,7 +85299,7 @@ index 1983717..4d6102c 100644
sub->evt.event = htohl(event, sub->swap);
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index 317bfe3..6786706 100644
+index 317bfe3..342dd43 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -767,6 +767,12 @@ static struct sock *unix_find_other(struct net *net,
@@ -85135,6 +85348,34 @@ index 317bfe3..6786706 100644
mutex_unlock(&path.dentry->d_inode->i_mutex);
dput(path.dentry);
path.dentry = dentry;
+@@ -2261,9 +2281,13 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+ seq_puts(seq, "Num RefCount Protocol Flags Type St "
+ "Inode Path\n");
+ else {
+- struct sock *s = v;
++ struct sock *s = v, *peer;
+ struct unix_sock *u = unix_sk(s);
+ unix_state_lock(s);
++ peer = unix_peer(s);
++ unix_state_unlock(s);
++
++ unix_state_double_lock(s, peer);
+
+ seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu",
+ s,
+@@ -2290,8 +2314,10 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+ }
+ for ( ; i < len; i++)
+ seq_putc(seq, u->addr->name->sun_path[i]);
+- }
+- unix_state_unlock(s);
++ } else if (peer)
++ seq_printf(seq, " P%lu", sock_i_ino(peer));
++
++ unix_state_double_unlock(s, peer);
+ seq_putc(seq, '\n');
+ }
+
diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
index 0af7f54..c916d2f 100644
--- a/net/wireless/wext-core.c
@@ -86797,18 +87038,25 @@ index 55a6271..ad829c3 100644
hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
return 0;
diff --git a/security/keys/compat.c b/security/keys/compat.c
-index 4c48e13..7abdac9 100644
+index 4c48e13..6ba5dc8 100644
--- a/security/keys/compat.c
+++ b/security/keys/compat.c
-@@ -44,7 +44,7 @@ long compat_keyctl_instantiate_key_iov(
+@@ -40,12 +40,13 @@ long compat_keyctl_instantiate_key_iov(
+ ARRAY_SIZE(iovstack),
+ iovstack, &iov, 1);
+ if (ret < 0)
+- return ret;
++ goto err;
if (ret == 0)
goto no_payload_free;
- ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
+ ret = keyctl_instantiate_key_common(id, (const struct iovec __force_user *)iov, ioc, ret, ringid);
++err:
if (iov != iovstack)
kfree(iov);
+ return ret;
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 0b3f5d7..892c8a6 100644
--- a/security/keys/keyctl.c
diff --git a/3.8.2/0000_README b/3.8.2/0000_README
index 3b4b3f3..43053f3 100644
--- a/3.8.2/0000_README
+++ b/3.8.2/0000_README
@@ -6,7 +6,7 @@ Patch: 1001_linux-3.8.1.patch
From: http://www.kernel.org
Desc: Linux 3.8.1
-Patch: 4420_grsecurity-2.9.1-3.8.2-201303111845.patch
+Patch: 4420_grsecurity-2.9.1-3.8.3-201303142235.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.8.2/4420_grsecurity-2.9.1-3.8.2-201303111845.patch b/3.8.2/4420_grsecurity-2.9.1-3.8.3-201303142235.patch
similarity index 99%
rename from 3.8.2/4420_grsecurity-2.9.1-3.8.2-201303111845.patch
rename to 3.8.2/4420_grsecurity-2.9.1-3.8.3-201303142235.patch
index e088f8a..ef25e2b 100644
--- a/3.8.2/4420_grsecurity-2.9.1-3.8.2-201303111845.patch
+++ b/3.8.2/4420_grsecurity-2.9.1-3.8.3-201303142235.patch
@@ -259,7 +259,7 @@ index 986614d..e8bfedc 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index 20d5318..d5cec9c 100644
+index 8c49fc9b..9a2af09 100644
--- a/Makefile
+++ b/Makefile
@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -1540,13 +1540,13 @@ index 7eb18c1..e38b6d2 100644
#include <asm-generic/cmpxchg-local.h>
diff --git a/arch/arm/include/asm/delay.h b/arch/arm/include/asm/delay.h
-index ab98fdd..6b19938 100644
+index 720799f..2f67631 100644
--- a/arch/arm/include/asm/delay.h
+++ b/arch/arm/include/asm/delay.h
-@@ -24,9 +24,9 @@ extern struct arm_delay_ops {
- void (*delay)(unsigned long);
+@@ -25,9 +25,9 @@ extern struct arm_delay_ops {
void (*const_udelay)(unsigned long);
void (*udelay)(unsigned long);
+ bool const_clock;
-} arm_delay_ops;
+} *arm_delay_ops;
@@ -1555,7 +1555,7 @@ index ab98fdd..6b19938 100644
/*
* This function intentionally does not exist; if you see references to
-@@ -47,8 +47,8 @@ extern void __bad_udelay(void);
+@@ -48,8 +48,8 @@ extern void __bad_udelay(void);
* first constant multiplications gets optimized away if the delay is
* a constant)
*/
@@ -1977,7 +1977,7 @@ index a3f3792..7b932a6 100644
#define L_PTE_DIRTY_HIGH (1 << (55 - 32))
diff --git a/arch/arm/include/asm/pgtable.h b/arch/arm/include/asm/pgtable.h
-index 9c82f988..514705a 100644
+index c094749..fd8272e 100644
--- a/arch/arm/include/asm/pgtable.h
+++ b/arch/arm/include/asm/pgtable.h
@@ -30,6 +30,9 @@
@@ -2062,12 +2062,13 @@ index 9c82f988..514705a 100644
*/
#define _L_PTE_DEFAULT L_PTE_PRESENT | L_PTE_YOUNG
-@@ -240,7 +290,7 @@ static inline pte_t pte_mkspecial(pte_t pte) { return pte; }
+@@ -240,8 +290,7 @@ static inline pte_t pte_mkspecial(pte_t pte) { return pte; }
static inline pte_t pte_modify(pte_t pte, pgprot_t newprot)
{
-- const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER | L_PTE_NONE;
-+ const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER | L_PTE_NONE | __supported_pte_mask;
+- const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER |
+- L_PTE_NONE | L_PTE_VALID;
++ const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER | L_PTE_NONE | L_PTE_VALID | __supported_pte_mask;
pte_val(pte) = (pte_val(pte) & ~mask) | (pgprot_val(newprot) & mask);
return pte;
}
@@ -2723,7 +2724,7 @@ index 2adda11..7fbe958 100644
flush_icache_range(0xffff001c, 0xffff001c + length);
if (!vectors_high())
diff --git a/arch/arm/kernel/head.S b/arch/arm/kernel/head.S
-index 486a15a..2d6880e 100644
+index e0eb9a1..c7d74a3 100644
--- a/arch/arm/kernel/head.S
+++ b/arch/arm/kernel/head.S
@@ -52,7 +52,9 @@
@@ -2737,7 +2738,7 @@ index 486a15a..2d6880e 100644
.endm
/*
-@@ -416,7 +418,7 @@ __enable_mmu:
+@@ -434,7 +436,7 @@ __enable_mmu:
mov r5, #(domain_val(DOMAIN_USER, DOMAIN_MANAGER) | \
domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \
domain_val(DOMAIN_TABLE, DOMAIN_MANAGER) | \
@@ -2967,7 +2968,7 @@ index 3f6cbb2..6d856f5 100644
#ifdef MULTI_TLB
cpu_tlb = *list->tlb;
diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
-index 84f4cbf..672f5b8 100644
+index 58af91c..343ce99 100644
--- a/arch/arm/kernel/smp.c
+++ b/arch/arm/kernel/smp.c
@@ -70,7 +70,7 @@ enum ipi_msg_type {
@@ -3196,7 +3197,7 @@ index 7d08b43..f7ca7ea 100644
#include "csumpartialcopygeneric.S"
diff --git a/arch/arm/lib/delay.c b/arch/arm/lib/delay.c
-index 0dc5385..45833ef 100644
+index 6b93f6a..88d9b64 100644
--- a/arch/arm/lib/delay.c
+++ b/arch/arm/lib/delay.c
@@ -28,12 +28,14 @@
@@ -3215,7 +3216,7 @@ index 0dc5385..45833ef 100644
static const struct delay_timer *delay_timer;
static bool delay_calibrated;
-@@ -67,6 +69,12 @@ static void __timer_udelay(unsigned long usecs)
+@@ -67,6 +69,13 @@ static void __timer_udelay(unsigned long usecs)
__timer_const_udelay(usecs * UDELAY_MULT);
}
@@ -3223,18 +3224,20 @@ index 0dc5385..45833ef 100644
+ .delay = __timer_delay,
+ .const_udelay = __timer_const_udelay,
+ .udelay = __timer_udelay,
++ .const_clock = true,
+};
+
void __init register_current_timer_delay(const struct delay_timer *timer)
{
if (!delay_calibrated) {
-@@ -74,9 +82,7 @@ void __init register_current_timer_delay(const struct delay_timer *timer)
+@@ -74,10 +83,7 @@ void __init register_current_timer_delay(const struct delay_timer *timer)
delay_timer = timer;
lpj_fine = timer->freq / HZ;
loops_per_jiffy = lpj_fine;
- arm_delay_ops.delay = __timer_delay;
- arm_delay_ops.const_udelay = __timer_const_udelay;
- arm_delay_ops.udelay = __timer_udelay;
+- arm_delay_ops.const_clock = true;
+ arm_delay_ops = &arm_timer_delay_ops;
delay_calibrated = true;
} else {
@@ -3302,6 +3305,53 @@ index 0abb30f..54064da 100644
.late_init = n8x0_menelaus_late_init,
};
+diff --git a/arch/arm/mach-omap2/gpmc.c b/arch/arm/mach-omap2/gpmc.c
+index 8033cb7..2f7cb62 100644
+--- a/arch/arm/mach-omap2/gpmc.c
++++ b/arch/arm/mach-omap2/gpmc.c
+@@ -139,7 +139,6 @@ struct omap3_gpmc_regs {
+ };
+
+ static struct gpmc_client_irq gpmc_client_irq[GPMC_NR_IRQ];
+-static struct irq_chip gpmc_irq_chip;
+ static unsigned gpmc_irq_start;
+
+ static struct resource gpmc_mem_root;
+@@ -700,6 +699,18 @@ static void gpmc_irq_noop(struct irq_data *data) { }
+
+ static unsigned int gpmc_irq_noop_ret(struct irq_data *data) { return 0; }
+
++static struct irq_chip gpmc_irq_chip = {
++ .name = "gpmc",
++ .irq_startup = gpmc_irq_noop_ret,
++ .irq_enable = gpmc_irq_enable,
++ .irq_disable = gpmc_irq_disable,
++ .irq_shutdown = gpmc_irq_noop,
++ .irq_ack = gpmc_irq_noop,
++ .irq_mask = gpmc_irq_noop,
++ .irq_unmask = gpmc_irq_noop,
++
++};
++
+ static int gpmc_setup_irq(void)
+ {
+ int i;
+@@ -714,15 +725,6 @@ static int gpmc_setup_irq(void)
+ return gpmc_irq_start;
+ }
+
+- gpmc_irq_chip.name = "gpmc";
+- gpmc_irq_chip.irq_startup = gpmc_irq_noop_ret;
+- gpmc_irq_chip.irq_enable = gpmc_irq_enable;
+- gpmc_irq_chip.irq_disable = gpmc_irq_disable;
+- gpmc_irq_chip.irq_shutdown = gpmc_irq_noop;
+- gpmc_irq_chip.irq_ack = gpmc_irq_noop;
+- gpmc_irq_chip.irq_mask = gpmc_irq_noop;
+- gpmc_irq_chip.irq_unmask = gpmc_irq_noop;
+-
+ gpmc_client_irq[0].bitmask = GPMC_IRQ_FIFOEVENTENABLE;
+ gpmc_client_irq[1].bitmask = GPMC_IRQ_COUNT_EVENT;
+
diff --git a/arch/arm/mach-omap2/omap-wakeupgen.c b/arch/arm/mach-omap2/omap-wakeupgen.c
index 5d3b4f4..ddba3c0 100644
--- a/arch/arm/mach-omap2/omap-wakeupgen.c
@@ -3315,6 +3365,49 @@ index 5d3b4f4..ddba3c0 100644
.notifier_call = irq_cpu_hotplug_notify,
};
+diff --git a/arch/arm/mach-omap2/omap_device.c b/arch/arm/mach-omap2/omap_device.c
+index e065daa..7b1ad9b 100644
+--- a/arch/arm/mach-omap2/omap_device.c
++++ b/arch/arm/mach-omap2/omap_device.c
+@@ -686,7 +686,7 @@ void omap_device_delete(struct omap_device *od)
+ * passes along the return value of omap_device_build_ss().
+ */
+ struct platform_device __init *omap_device_build(const char *pdev_name, int pdev_id,
+- struct omap_hwmod *oh, void *pdata,
++ struct omap_hwmod *oh, const void *pdata,
+ int pdata_len,
+ struct omap_device_pm_latency *pm_lats,
+ int pm_lats_cnt, int is_early_device)
+@@ -720,7 +720,7 @@ struct platform_device __init *omap_device_build(const char *pdev_name, int pdev
+ */
+ struct platform_device __init *omap_device_build_ss(const char *pdev_name, int pdev_id,
+ struct omap_hwmod **ohs, int oh_cnt,
+- void *pdata, int pdata_len,
++ const void *pdata, int pdata_len,
+ struct omap_device_pm_latency *pm_lats,
+ int pm_lats_cnt, int is_early_device)
+ {
+diff --git a/arch/arm/mach-omap2/omap_device.h b/arch/arm/mach-omap2/omap_device.h
+index 0933c59..42b8e2d 100644
+--- a/arch/arm/mach-omap2/omap_device.h
++++ b/arch/arm/mach-omap2/omap_device.h
+@@ -91,14 +91,14 @@ int omap_device_shutdown(struct platform_device *pdev);
+ /* Core code interface */
+
+ struct platform_device *omap_device_build(const char *pdev_name, int pdev_id,
+- struct omap_hwmod *oh, void *pdata,
++ struct omap_hwmod *oh, const void *pdata,
+ int pdata_len,
+ struct omap_device_pm_latency *pm_lats,
+ int pm_lats_cnt, int is_early_device);
+
+ struct platform_device *omap_device_build_ss(const char *pdev_name, int pdev_id,
+ struct omap_hwmod **oh, int oh_cnt,
+- void *pdata, int pdata_len,
++ const void *pdata, int pdata_len,
+ struct omap_device_pm_latency *pm_lats,
+ int pm_lats_cnt, int is_early_device);
+
diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c
index 4653efb..8c60bf7 100644
--- a/arch/arm/mach-omap2/omap_hwmod.c
@@ -4118,19 +4211,6 @@ index a5bc92d..0bb4730 100644
omap_sram_size - omap_sram_skip);
+ pax_close_kernel();
}
-diff --git a/arch/arm/plat-orion/include/plat/addr-map.h b/arch/arm/plat-orion/include/plat/addr-map.h
-index b76c065..b6e766b 100644
---- a/arch/arm/plat-orion/include/plat/addr-map.h
-+++ b/arch/arm/plat-orion/include/plat/addr-map.h
-@@ -27,7 +27,7 @@ struct orion_addr_map_cfg {
- value in bridge_virt_base */
- void __iomem *(*win_cfg_base) (const struct orion_addr_map_cfg *cfg,
- const int win);
--};
-+} __no_const;
-
- /*
- * Information needed to setup one address mapping.
diff --git a/arch/arm/plat-samsung/include/plat/dma-ops.h b/arch/arm/plat-samsung/include/plat/dma-ops.h
index f5144cd..71f6d1f 100644
--- a/arch/arm/plat-samsung/include/plat/dma-ops.h
@@ -21922,7 +22002,7 @@ index b629bbe..0fa615a 100644
if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
diff --git a/arch/x86/kernel/pvclock.c b/arch/x86/kernel/pvclock.c
-index 85c3959..76b89f9 100644
+index 2cb9470..ff1fd80 100644
--- a/arch/x86/kernel/pvclock.c
+++ b/arch/x86/kernel/pvclock.c
@@ -43,11 +43,11 @@ unsigned long pvclock_tsc_khz(struct pvclock_vcpu_time_info *src)
@@ -30565,10 +30645,10 @@ index 431e875..cbb23f3 100644
-}
-__setup("vdso=", vdso_setup);
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index e014092..c76ab69 100644
+index 2262003..f229ced 100644
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
-@@ -99,8 +99,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
+@@ -100,8 +100,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
struct shared_info xen_dummy_shared_info;
@@ -30577,7 +30657,7 @@ index e014092..c76ab69 100644
RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
__read_mostly int xen_have_vector_callback;
EXPORT_SYMBOL_GPL(xen_have_vector_callback);
-@@ -495,8 +493,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
+@@ -496,8 +494,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
{
unsigned long va = dtr->address;
unsigned int size = dtr->size + 1;
@@ -30587,7 +30667,7 @@ index e014092..c76ab69 100644
int f;
/*
-@@ -544,8 +541,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
+@@ -545,8 +542,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
{
unsigned long va = dtr->address;
unsigned int size = dtr->size + 1;
@@ -30597,7 +30677,7 @@ index e014092..c76ab69 100644
int f;
/*
-@@ -938,7 +934,7 @@ static u32 xen_safe_apic_wait_icr_idle(void)
+@@ -939,7 +935,7 @@ static u32 xen_safe_apic_wait_icr_idle(void)
return 0;
}
@@ -30606,7 +30686,7 @@ index e014092..c76ab69 100644
{
apic->read = xen_apic_read;
apic->write = xen_apic_write;
-@@ -1244,30 +1240,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
+@@ -1245,30 +1241,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
#endif
};
@@ -30644,7 +30724,7 @@ index e014092..c76ab69 100644
{
if (pm_power_off)
pm_power_off();
-@@ -1369,7 +1365,17 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1370,7 +1366,17 @@ asmlinkage void __init xen_start_kernel(void)
__userpte_alloc_gfp &= ~__GFP_HIGHMEM;
/* Work out if we support NX */
@@ -30663,7 +30743,7 @@ index e014092..c76ab69 100644
xen_setup_features();
-@@ -1398,14 +1404,7 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1399,14 +1405,7 @@ asmlinkage void __init xen_start_kernel(void)
pv_mmu_ops.ptep_modify_prot_commit = xen_ptep_modify_prot_commit;
}
@@ -30679,7 +30759,7 @@ index e014092..c76ab69 100644
xen_smp_init();
-@@ -1590,7 +1589,7 @@ static int __cpuinit xen_hvm_cpu_notify(struct notifier_block *self,
+@@ -1598,7 +1597,7 @@ static int __cpuinit xen_hvm_cpu_notify(struct notifier_block *self,
return NOTIFY_OK;
}
@@ -31090,93 +31170,6 @@ index 9a87daa..fb17486 100644
if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
goto error;
-diff --git a/crypto/ablkcipher.c b/crypto/ablkcipher.c
-index 533de95..7d4a8d2 100644
---- a/crypto/ablkcipher.c
-+++ b/crypto/ablkcipher.c
-@@ -388,9 +388,9 @@ static int crypto_ablkcipher_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_blkcipher rblkcipher;
-
-- snprintf(rblkcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "ablkcipher");
-- snprintf(rblkcipher.geniv, CRYPTO_MAX_ALG_NAME, "%s",
-- alg->cra_ablkcipher.geniv ?: "<default>");
-+ strncpy(rblkcipher.type, "ablkcipher", sizeof(rblkcipher.type));
-+ strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<default>",
-+ sizeof(rblkcipher.geniv));
-
- rblkcipher.blocksize = alg->cra_blocksize;
- rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize;
-@@ -469,9 +469,9 @@ static int crypto_givcipher_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_blkcipher rblkcipher;
-
-- snprintf(rblkcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "givcipher");
-- snprintf(rblkcipher.geniv, CRYPTO_MAX_ALG_NAME, "%s",
-- alg->cra_ablkcipher.geniv ?: "<built-in>");
-+ strncpy(rblkcipher.type, "givcipher", sizeof(rblkcipher.type));
-+ strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<built-in>",
-+ sizeof(rblkcipher.geniv));
-
- rblkcipher.blocksize = alg->cra_blocksize;
- rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize;
-diff --git a/crypto/aead.c b/crypto/aead.c
-index 0b8121e..27bc487 100644
---- a/crypto/aead.c
-+++ b/crypto/aead.c
-@@ -117,9 +117,8 @@ static int crypto_aead_report(struct sk_buff *skb, struct crypto_alg *alg)
- struct crypto_report_aead raead;
- struct aead_alg *aead = &alg->cra_aead;
-
-- snprintf(raead.type, CRYPTO_MAX_ALG_NAME, "%s", "aead");
-- snprintf(raead.geniv, CRYPTO_MAX_ALG_NAME, "%s",
-- aead->geniv ?: "<built-in>");
-+ strncpy(raead.type, "aead", sizeof(raead.type));
-+ strncpy(raead.geniv, aead->geniv ?: "<built-in>", sizeof(raead.geniv));
-
- raead.blocksize = alg->cra_blocksize;
- raead.maxauthsize = aead->maxauthsize;
-@@ -203,8 +202,8 @@ static int crypto_nivaead_report(struct sk_buff *skb, struct crypto_alg *alg)
- struct crypto_report_aead raead;
- struct aead_alg *aead = &alg->cra_aead;
-
-- snprintf(raead.type, CRYPTO_MAX_ALG_NAME, "%s", "nivaead");
-- snprintf(raead.geniv, CRYPTO_MAX_ALG_NAME, "%s", aead->geniv);
-+ strncpy(raead.type, "nivaead", sizeof(raead.type));
-+ strncpy(raead.geniv, aead->geniv, sizeof(raead.geniv));
-
- raead.blocksize = alg->cra_blocksize;
- raead.maxauthsize = aead->maxauthsize;
-diff --git a/crypto/ahash.c b/crypto/ahash.c
-index 3887856..793a27f 100644
---- a/crypto/ahash.c
-+++ b/crypto/ahash.c
-@@ -404,7 +404,7 @@ static int crypto_ahash_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_hash rhash;
-
-- snprintf(rhash.type, CRYPTO_MAX_ALG_NAME, "%s", "ahash");
-+ strncpy(rhash.type, "ahash", sizeof(rhash.type));
-
- rhash.blocksize = alg->cra_blocksize;
- rhash.digestsize = __crypto_hash_alg_common(alg)->digestsize;
-diff --git a/crypto/blkcipher.c b/crypto/blkcipher.c
-index a8d85a1..c44e014 100644
---- a/crypto/blkcipher.c
-+++ b/crypto/blkcipher.c
-@@ -499,9 +499,9 @@ static int crypto_blkcipher_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_blkcipher rblkcipher;
-
-- snprintf(rblkcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "blkcipher");
-- snprintf(rblkcipher.geniv, CRYPTO_MAX_ALG_NAME, "%s",
-- alg->cra_blkcipher.geniv ?: "<default>");
-+ strncpy(rblkcipher.type, "blkcipher", sizeof(rblkcipher.type));
-+ strncpy(rblkcipher.geniv, alg->cra_blkcipher.geniv ?: "<default>",
-+ sizeof(rblkcipher.geniv));
-
- rblkcipher.blocksize = alg->cra_blocksize;
- rblkcipher.min_keysize = alg->cra_blkcipher.min_keysize;
diff --git a/crypto/cryptd.c b/crypto/cryptd.c
index 7bdd61b..afec999 100644
--- a/crypto/cryptd.c
@@ -31200,7 +31193,7 @@ index 7bdd61b..afec999 100644
static void cryptd_queue_worker(struct work_struct *work);
diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c
-index 35d700a..dfd511f 100644
+index f6d9baf..dfd511f 100644
--- a/crypto/crypto_user.c
+++ b/crypto/crypto_user.c
@@ -30,6 +30,8 @@
@@ -31212,55 +31205,6 @@ index 35d700a..dfd511f 100644
static DEFINE_MUTEX(crypto_cfg_mutex);
/* The crypto netlink socket */
-@@ -75,7 +77,7 @@ static int crypto_report_cipher(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_cipher rcipher;
-
-- snprintf(rcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "cipher");
-+ strncpy(rcipher.type, "cipher", sizeof(rcipher.type));
-
- rcipher.blocksize = alg->cra_blocksize;
- rcipher.min_keysize = alg->cra_cipher.cia_min_keysize;
-@@ -94,8 +96,7 @@ static int crypto_report_comp(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_comp rcomp;
-
-- snprintf(rcomp.type, CRYPTO_MAX_ALG_NAME, "%s", "compression");
--
-+ strncpy(rcomp.type, "compression", sizeof(rcomp.type));
- if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS,
- sizeof(struct crypto_report_comp), &rcomp))
- goto nla_put_failure;
-@@ -108,12 +109,14 @@ nla_put_failure:
- static int crypto_report_one(struct crypto_alg *alg,
- struct crypto_user_alg *ualg, struct sk_buff *skb)
- {
-- memcpy(&ualg->cru_name, &alg->cra_name, sizeof(ualg->cru_name));
-- memcpy(&ualg->cru_driver_name, &alg->cra_driver_name,
-- sizeof(ualg->cru_driver_name));
-- memcpy(&ualg->cru_module_name, module_name(alg->cra_module),
-- CRYPTO_MAX_ALG_NAME);
-+ strncpy(ualg->cru_name, alg->cra_name, sizeof(ualg->cru_name));
-+ strncpy(ualg->cru_driver_name, alg->cra_driver_name,
-+ sizeof(ualg->cru_driver_name));
-+ strncpy(ualg->cru_module_name, module_name(alg->cra_module),
-+ sizeof(ualg->cru_module_name));
-
-+ ualg->cru_type = 0;
-+ ualg->cru_mask = 0;
- ualg->cru_flags = alg->cra_flags;
- ualg->cru_refcnt = atomic_read(&alg->cra_refcnt);
-
-@@ -122,8 +125,7 @@ static int crypto_report_one(struct crypto_alg *alg,
- if (alg->cra_flags & CRYPTO_ALG_LARVAL) {
- struct crypto_report_larval rl;
-
-- snprintf(rl.type, CRYPTO_MAX_ALG_NAME, "%s", "larval");
--
-+ strncpy(rl.type, "larval", sizeof(rl.type));
- if (nla_put(skb, CRYPTOCFGA_REPORT_LARVAL,
- sizeof(struct crypto_report_larval), &rl))
- goto nla_put_failure;
@@ -196,7 +198,10 @@ static int crypto_report(struct sk_buff *in_skb, struct nlmsghdr *in_nlh,
struct crypto_dump_info info;
int err;
@@ -31303,47 +31247,6 @@ index 35d700a..dfd511f 100644
if (strlen(p->cru_driver_name))
exact = 1;
-diff --git a/crypto/pcompress.c b/crypto/pcompress.c
-index 04e083f..7140fe7 100644
---- a/crypto/pcompress.c
-+++ b/crypto/pcompress.c
-@@ -53,8 +53,7 @@ static int crypto_pcomp_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_comp rpcomp;
-
-- snprintf(rpcomp.type, CRYPTO_MAX_ALG_NAME, "%s", "pcomp");
--
-+ strncpy(rpcomp.type, "pcomp", sizeof(rpcomp.type));
- if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS,
- sizeof(struct crypto_report_comp), &rpcomp))
- goto nla_put_failure;
-diff --git a/crypto/rng.c b/crypto/rng.c
-index f3b7894..e0a25c2 100644
---- a/crypto/rng.c
-+++ b/crypto/rng.c
-@@ -65,7 +65,7 @@ static int crypto_rng_report(struct sk_buff *skb, struct crypto_alg *alg)
- {
- struct crypto_report_rng rrng;
-
-- snprintf(rrng.type, CRYPTO_MAX_ALG_NAME, "%s", "rng");
-+ strncpy(rrng.type, "rng", sizeof(rrng.type));
-
- rrng.seedsize = alg->cra_rng.seedsize;
-
-diff --git a/crypto/shash.c b/crypto/shash.c
-index f426330f..929058a 100644
---- a/crypto/shash.c
-+++ b/crypto/shash.c
-@@ -530,7 +530,8 @@ static int crypto_shash_report(struct sk_buff *skb, struct crypto_alg *alg)
- struct crypto_report_hash rhash;
- struct shash_alg *salg = __crypto_shash_alg(alg);
-
-- snprintf(rhash.type, CRYPTO_MAX_ALG_NAME, "%s", "shash");
-+ strncpy(rhash.type, "shash", sizeof(rhash.type));
-+
- rhash.blocksize = alg->cra_blocksize;
- rhash.digestsize = salg->digestsize;
-
diff --git a/drivers/acpi/apei/apei-internal.h b/drivers/acpi/apei/apei-internal.h
index f220d64..d359ad6 100644
--- a/drivers/acpi/apei/apei-internal.h
@@ -33545,7 +33448,7 @@ index b66eaa0..2619d1b 100644
if (cmd != SIOCWANDEV)
diff --git a/drivers/char/random.c b/drivers/char/random.c
-index 85e81ec..a129a39 100644
+index 57d4b15..253207b 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -272,8 +272,13 @@
@@ -33591,7 +33494,7 @@ index 85e81ec..a129a39 100644
smp_wmb();
if (out)
-@@ -1020,7 +1032,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
+@@ -1024,7 +1036,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
extract_buf(r, tmp);
i = min_t(int, nbytes, EXTRACT_SIZE);
@@ -33600,7 +33503,7 @@ index 85e81ec..a129a39 100644
ret = -EFAULT;
break;
}
-@@ -1356,7 +1368,7 @@ EXPORT_SYMBOL(generate_random_uuid);
+@@ -1360,7 +1372,7 @@ EXPORT_SYMBOL(generate_random_uuid);
#include <linux/sysctl.h>
static int min_read_thresh = 8, min_write_thresh;
@@ -33609,7 +33512,7 @@ index 85e81ec..a129a39 100644
static int max_write_thresh = INPUT_POOL_WORDS * 32;
static char sysctl_bootid[16];
-@@ -1372,7 +1384,7 @@ static char sysctl_bootid[16];
+@@ -1376,7 +1388,7 @@ static char sysctl_bootid[16];
static int proc_do_uuid(ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
@@ -33758,32 +33661,6 @@ index 8ae1a61..9c00613 100644
.notifier_call = arch_timer_cpu_notify,
};
-diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c
-index fce2000..1110478 100644
---- a/drivers/connector/cn_proc.c
-+++ b/drivers/connector/cn_proc.c
-@@ -313,6 +313,12 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg,
- (task_active_pid_ns(current) != &init_pid_ns))
- return;
-
-+ /* Can only change if privileged. */
-+ if (!capable(CAP_NET_ADMIN)) {
-+ err = EPERM;
-+ goto out;
-+ }
-+
- mc_op = (enum proc_cn_mcast_op *)msg->data;
- switch (*mc_op) {
- case PROC_CN_MCAST_LISTEN:
-@@ -325,6 +331,8 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg,
- err = EINVAL;
- break;
- }
-+
-+out:
- cn_proc_ack(err, msg->seq, msg->ack);
- }
-
diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c
index 7b0d49d..134fac9 100644
--- a/drivers/cpufreq/acpi-cpufreq.c
@@ -34262,10 +34139,10 @@ index 94a58a0..f5eba42 100644
container_of(_dev_attr, struct dmi_device_attribute, dev_attr)
diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c
-index 982f1f5..d21e5da 100644
+index 4cd392d..4b629e1 100644
--- a/drivers/firmware/dmi_scan.c
+++ b/drivers/firmware/dmi_scan.c
-@@ -491,11 +491,6 @@ void __init dmi_scan_machine(void)
+@@ -490,11 +490,6 @@ void __init dmi_scan_machine(void)
}
}
else {
@@ -34277,7 +34154,7 @@ index 982f1f5..d21e5da 100644
p = dmi_ioremap(0xF0000, 0x10000);
if (p == NULL)
goto error;
-@@ -770,7 +765,7 @@ int dmi_walk(void (*decode)(const struct dmi_header *, void *),
+@@ -769,7 +764,7 @@ int dmi_walk(void (*decode)(const struct dmi_header *, void *),
if (buf == NULL)
return -1;
@@ -34287,7 +34164,7 @@ index 982f1f5..d21e5da 100644
iounmap(buf);
return 0;
diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c
-index bcb201c..4fd34dd 100644
+index 2a2e145..73745e79 100644
--- a/drivers/firmware/efivars.c
+++ b/drivers/firmware/efivars.c
@@ -133,7 +133,7 @@ struct efivar_attribute {
@@ -34299,7 +34176,7 @@ index bcb201c..4fd34dd 100644
#define PSTORE_EFI_ATTRIBUTES \
(EFI_VARIABLE_NON_VOLATILE | \
-@@ -1734,7 +1734,7 @@ efivar_create_sysfs_entry(struct efivars *efivars,
+@@ -1798,7 +1798,7 @@ efivar_create_sysfs_entry(struct efivars *efivars,
static int
create_efivars_bin_attributes(struct efivars *efivars)
{
@@ -34726,7 +34603,7 @@ index 8a7c48b..72effc2 100644
if (IS_GEN6(dev) || IS_GEN7(dev)) {
seq_printf(m,
diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c
-index 99daa89..84ebd44 100644
+index 5206f24..7af0a0a 100644
--- a/drivers/gpu/drm/i915/i915_dma.c
+++ b/drivers/gpu/drm/i915/i915_dma.c
@@ -1253,7 +1253,7 @@ static bool i915_switcheroo_can_switch(struct pci_dev *pdev)
@@ -34739,7 +34616,7 @@ index 99daa89..84ebd44 100644
return can_switch;
}
diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h
-index 7339a4b..445aaba 100644
+index 66ad64f..a865871 100644
--- a/drivers/gpu/drm/i915/i915_drv.h
+++ b/drivers/gpu/drm/i915/i915_drv.h
@@ -656,7 +656,7 @@ typedef struct drm_i915_private {
@@ -34751,7 +34628,7 @@ index 7339a4b..445aaba 100644
/* protects the irq masks */
spinlock_t irq_lock;
-@@ -1102,7 +1102,7 @@ struct drm_i915_gem_object {
+@@ -1103,7 +1103,7 @@ struct drm_i915_gem_object {
* will be page flipped away on the next vblank. When it
* reaches 0, dev_priv->pending_flip_queue will be woken up.
*/
@@ -34760,7 +34637,7 @@ index 7339a4b..445aaba 100644
};
#define to_gem_object(obj) (&((struct drm_i915_gem_object *)(obj))->base)
-@@ -1633,7 +1633,7 @@ extern struct i2c_adapter *intel_gmbus_get_adapter(
+@@ -1634,7 +1634,7 @@ extern struct i2c_adapter *intel_gmbus_get_adapter(
struct drm_i915_private *dev_priv, unsigned port);
extern void intel_gmbus_set_speed(struct i2c_adapter *adapter, int speed);
extern void intel_gmbus_force_bit(struct i2c_adapter *adapter, bool force_bit);
@@ -34830,10 +34707,10 @@ index 3c59584..500f2e9 100644
return ret;
diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c
-index fe84338..a863190 100644
+index 3c00403..5a5c6c9 100644
--- a/drivers/gpu/drm/i915/i915_irq.c
+++ b/drivers/gpu/drm/i915/i915_irq.c
-@@ -535,7 +535,7 @@ static irqreturn_t valleyview_irq_handler(int irq, void *arg)
+@@ -539,7 +539,7 @@ static irqreturn_t valleyview_irq_handler(int irq, void *arg)
u32 pipe_stats[I915_MAX_PIPES];
bool blc_event;
@@ -34842,7 +34719,7 @@ index fe84338..a863190 100644
while (true) {
iir = I915_READ(VLV_IIR);
-@@ -688,7 +688,7 @@ static irqreturn_t ivybridge_irq_handler(int irq, void *arg)
+@@ -692,7 +692,7 @@ static irqreturn_t ivybridge_irq_handler(int irq, void *arg)
irqreturn_t ret = IRQ_NONE;
int i;
@@ -34851,7 +34728,7 @@ index fe84338..a863190 100644
/* disable master interrupt before clearing iir */
de_ier = I915_READ(DEIER);
-@@ -760,7 +760,7 @@ static irqreturn_t ironlake_irq_handler(int irq, void *arg)
+@@ -764,7 +764,7 @@ static irqreturn_t ironlake_irq_handler(int irq, void *arg)
int ret = IRQ_NONE;
u32 de_iir, gt_iir, de_ier, pch_iir, pm_iir;
@@ -34860,7 +34737,7 @@ index fe84338..a863190 100644
/* disable master interrupt before clearing iir */
de_ier = I915_READ(DEIER);
-@@ -1787,7 +1787,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev)
+@@ -1791,7 +1791,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev)
{
drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
@@ -34869,7 +34746,7 @@ index fe84338..a863190 100644
I915_WRITE(HWSTAM, 0xeffe);
-@@ -1813,7 +1813,7 @@ static void valleyview_irq_preinstall(struct drm_device *dev)
+@@ -1817,7 +1817,7 @@ static void valleyview_irq_preinstall(struct drm_device *dev)
drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
int pipe;
@@ -34878,7 +34755,7 @@ index fe84338..a863190 100644
/* VLV magic */
I915_WRITE(VLV_IMR, 0);
-@@ -2108,7 +2108,7 @@ static void i8xx_irq_preinstall(struct drm_device * dev)
+@@ -2112,7 +2112,7 @@ static void i8xx_irq_preinstall(struct drm_device * dev)
drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
int pipe;
@@ -34887,7 +34764,7 @@ index fe84338..a863190 100644
for_each_pipe(pipe)
I915_WRITE(PIPESTAT(pipe), 0);
-@@ -2159,7 +2159,7 @@ static irqreturn_t i8xx_irq_handler(int irq, void *arg)
+@@ -2163,7 +2163,7 @@ static irqreturn_t i8xx_irq_handler(int irq, void *arg)
I915_DISPLAY_PLANE_A_FLIP_PENDING_INTERRUPT |
I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT;
@@ -34896,7 +34773,7 @@ index fe84338..a863190 100644
iir = I915_READ16(IIR);
if (iir == 0)
-@@ -2244,7 +2244,7 @@ static void i915_irq_preinstall(struct drm_device * dev)
+@@ -2248,7 +2248,7 @@ static void i915_irq_preinstall(struct drm_device * dev)
drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
int pipe;
@@ -34905,7 +34782,7 @@ index fe84338..a863190 100644
if (I915_HAS_HOTPLUG(dev)) {
I915_WRITE(PORT_HOTPLUG_EN, 0);
-@@ -2339,7 +2339,7 @@ static irqreturn_t i915_irq_handler(int irq, void *arg)
+@@ -2343,7 +2343,7 @@ static irqreturn_t i915_irq_handler(int irq, void *arg)
};
int pipe, ret = IRQ_NONE;
@@ -34914,7 +34791,7 @@ index fe84338..a863190 100644
iir = I915_READ(IIR);
do {
-@@ -2465,7 +2465,7 @@ static void i965_irq_preinstall(struct drm_device * dev)
+@@ -2469,7 +2469,7 @@ static void i965_irq_preinstall(struct drm_device * dev)
drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
int pipe;
@@ -34923,7 +34800,7 @@ index fe84338..a863190 100644
I915_WRITE(PORT_HOTPLUG_EN, 0);
I915_WRITE(PORT_HOTPLUG_STAT, I915_READ(PORT_HOTPLUG_STAT));
-@@ -2572,7 +2572,7 @@ static irqreturn_t i965_irq_handler(int irq, void *arg)
+@@ -2576,7 +2576,7 @@ static irqreturn_t i965_irq_handler(int irq, void *arg)
int irq_received;
int ret = IRQ_NONE, pipe;
@@ -35931,7 +35808,7 @@ index 7d19b1b..8fdaaac 100644
BUG_ON(data->num_attributes >= data->max_attributes); \
sysfs_attr_init(&a->dev_attr.attr); \
diff --git a/drivers/hwmon/sht15.c b/drivers/hwmon/sht15.c
-index 1c85d39..55ed3cf 100644
+index 8047fed..1e956f0 100644
--- a/drivers/hwmon/sht15.c
+++ b/drivers/hwmon/sht15.c
@@ -169,7 +169,7 @@ struct sht15_data {
@@ -37247,10 +37124,10 @@ index 7155945..4bcc562 100644
seq_printf(seq, "\n");
diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
-index 0666b5d..ed82cb4 100644
+index eee353d..74504c4 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
-@@ -1628,7 +1628,7 @@ static int validate_params(uint cmd, struct dm_ioctl *param)
+@@ -1632,7 +1632,7 @@ static int validate_params(uint cmd, struct dm_ioctl *param)
cmd == DM_LIST_VERSIONS_CMD)
return 0;
@@ -37260,7 +37137,7 @@ index 0666b5d..ed82cb4 100644
DMWARN("name not supplied when creating device");
return -EINVAL;
diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c
-index fa51918..c26253c 100644
+index 7f24190..0e18099 100644
--- a/drivers/md/dm-raid1.c
+++ b/drivers/md/dm-raid1.c
@@ -40,7 +40,7 @@ enum dm_raid1_error {
@@ -37336,7 +37213,7 @@ index fa51918..c26253c 100644
return (test_bit(DM_RAID1_FLUSH_ERROR, &(m->error_type))) ? 'F' :
diff --git a/drivers/md/dm-stripe.c b/drivers/md/dm-stripe.c
-index c89cde8..9d184cf 100644
+index aaecefa..23b3026 100644
--- a/drivers/md/dm-stripe.c
+++ b/drivers/md/dm-stripe.c
@@ -20,7 +20,7 @@ struct stripe {
@@ -37357,7 +37234,7 @@ index c89cde8..9d184cf 100644
}
ti->private = sc;
-@@ -325,7 +325,7 @@ static int stripe_status(struct dm_target *ti, status_type_t type,
+@@ -325,7 +325,7 @@ static void stripe_status(struct dm_target *ti, status_type_t type,
DMEMIT("%d ", sc->stripes);
for (i = 0; i < sc->stripes; i++) {
DMEMIT("%s ", sc->stripe[i].dev->name);
@@ -37366,7 +37243,7 @@ index c89cde8..9d184cf 100644
'D' : 'A';
}
buffer[i] = '\0';
-@@ -371,8 +371,8 @@ static int stripe_end_io(struct dm_target *ti, struct bio *bio, int error)
+@@ -370,8 +370,8 @@ static int stripe_end_io(struct dm_target *ti, struct bio *bio, int error)
*/
for (i = 0; i < sc->stripes; i++)
if (!strcmp(sc->stripe[i].dev->name, major_minor)) {
@@ -37413,7 +37290,7 @@ index 4d6e853..a234157 100644
pmd->bl_info.value_type.inc = data_block_inc;
pmd->bl_info.value_type.dec = data_block_dec;
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
-index 314a0e2..1376406 100644
+index 0d8f086..f5a91d5 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -170,9 +170,9 @@ struct mapped_device {
@@ -37439,7 +37316,7 @@ index 314a0e2..1376406 100644
INIT_LIST_HEAD(&md->uevent_list);
spin_lock_init(&md->uevent_lock);
-@@ -2014,7 +2014,7 @@ static void event_callback(void *context)
+@@ -2026,7 +2026,7 @@ static void event_callback(void *context)
dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
@@ -37448,7 +37325,7 @@ index 314a0e2..1376406 100644
wake_up(&md->eventq);
}
-@@ -2669,18 +2669,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
+@@ -2683,18 +2683,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
uint32_t dm_next_uevent_seq(struct mapped_device *md)
{
@@ -37471,7 +37348,7 @@ index 314a0e2..1376406 100644
void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
diff --git a/drivers/md/md.c b/drivers/md/md.c
-index 3db3d1b..9487468 100644
+index f363135..9b38815 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -240,10 +240,10 @@ EXPORT_SYMBOL_GPL(md_trim_bio);
@@ -37496,7 +37373,7 @@ index 3db3d1b..9487468 100644
wake_up(&md_event_waiters);
}
-@@ -1503,7 +1503,7 @@ static int super_1_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor_
+@@ -1507,7 +1507,7 @@ static int super_1_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor_
if ((le32_to_cpu(sb->feature_map) & MD_FEATURE_RESHAPE_ACTIVE) &&
(le32_to_cpu(sb->feature_map) & MD_FEATURE_NEW_OFFSET))
rdev->new_data_offset += (s32)le32_to_cpu(sb->new_offset);
@@ -37505,7 +37382,7 @@ index 3db3d1b..9487468 100644
rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
-@@ -1747,7 +1747,7 @@ static void super_1_sync(struct mddev *mddev, struct md_rdev *rdev)
+@@ -1751,7 +1751,7 @@ static void super_1_sync(struct mddev *mddev, struct md_rdev *rdev)
else
sb->resync_offset = cpu_to_le64(0);
@@ -37514,7 +37391,7 @@ index 3db3d1b..9487468 100644
sb->raid_disks = cpu_to_le32(mddev->raid_disks);
sb->size = cpu_to_le64(mddev->dev_sectors);
-@@ -2747,7 +2747,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_show, state_store);
+@@ -2751,7 +2751,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_show, state_store);
static ssize_t
errors_show(struct md_rdev *rdev, char *page)
{
@@ -37523,7 +37400,7 @@ index 3db3d1b..9487468 100644
}
static ssize_t
-@@ -2756,7 +2756,7 @@ errors_store(struct md_rdev *rdev, const char *buf, size_t len)
+@@ -2760,7 +2760,7 @@ errors_store(struct md_rdev *rdev, const char *buf, size_t len)
char *e;
unsigned long n = simple_strtoul(buf, &e, 10);
if (*buf && (*e == 0 || *e == '\n')) {
@@ -37532,7 +37409,7 @@ index 3db3d1b..9487468 100644
return len;
}
return -EINVAL;
-@@ -3203,8 +3203,8 @@ int md_rdev_init(struct md_rdev *rdev)
+@@ -3210,8 +3210,8 @@ int md_rdev_init(struct md_rdev *rdev)
rdev->sb_loaded = 0;
rdev->bb_page = NULL;
atomic_set(&rdev->nr_pending, 0);
@@ -37543,7 +37420,7 @@ index 3db3d1b..9487468 100644
INIT_LIST_HEAD(&rdev->same_set);
init_waitqueue_head(&rdev->blocked_wait);
-@@ -6980,7 +6980,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
+@@ -6987,7 +6987,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
spin_unlock(&pers_lock);
seq_printf(seq, "\n");
@@ -37552,7 +37429,7 @@ index 3db3d1b..9487468 100644
return 0;
}
if (v == (void*)2) {
-@@ -7083,7 +7083,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
+@@ -7090,7 +7090,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
return error;
seq = file->private_data;
@@ -37561,7 +37438,7 @@ index 3db3d1b..9487468 100644
return error;
}
-@@ -7097,7 +7097,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
+@@ -7104,7 +7104,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
/* always allow read */
mask = POLLIN | POLLRDNORM;
@@ -37570,7 +37447,7 @@ index 3db3d1b..9487468 100644
mask |= POLLERR | POLLPRI;
return mask;
}
-@@ -7141,7 +7141,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
+@@ -7148,7 +7148,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
(int)part_stat_read(&disk->part0, sectors[1]) -
@@ -37621,10 +37498,10 @@ index 1cbfc6b..56e1dbb 100644
/*----------------------------------------------------------------*/
diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
-index d5bddfc..b079b4b 100644
+index 75b1f89..00ba344 100644
--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
-@@ -1818,7 +1818,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
+@@ -1819,7 +1819,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
if (r1_sync_page_io(rdev, sect, s,
bio->bi_io_vec[idx].bv_page,
READ) != 0)
@@ -37633,7 +37510,7 @@ index d5bddfc..b079b4b 100644
}
sectors -= s;
sect += s;
-@@ -2040,7 +2040,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk,
+@@ -2041,7 +2041,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk,
test_bit(In_sync, &rdev->flags)) {
if (r1_sync_page_io(rdev, sect, s,
conf->tmppage, READ)) {
@@ -37643,10 +37520,10 @@ index d5bddfc..b079b4b 100644
"md/raid1:%s: read error corrected "
"(%d sectors at %llu on %s)\n",
diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
-index 64d4824..8b9ea57 100644
+index 8d925dc..11d674f 100644
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
-@@ -1877,7 +1877,7 @@ static void end_sync_read(struct bio *bio, int error)
+@@ -1878,7 +1878,7 @@ static void end_sync_read(struct bio *bio, int error)
/* The write handler will notice the lack of
* R10BIO_Uptodate and record any errors etc
*/
@@ -37655,7 +37532,7 @@ index 64d4824..8b9ea57 100644
&conf->mirrors[d].rdev->corrected_errors);
/* for reconstruct, we always reschedule after a read.
-@@ -2226,7 +2226,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
+@@ -2227,7 +2227,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
{
struct timespec cur_time_mon;
unsigned long hours_since_last;
@@ -37664,7 +37541,7 @@ index 64d4824..8b9ea57 100644
ktime_get_ts(&cur_time_mon);
-@@ -2248,9 +2248,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
+@@ -2249,9 +2249,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
* overflowing the shift of read_errors by hours_since_last.
*/
if (hours_since_last >= 8 * sizeof(read_errors))
@@ -37676,7 +37553,7 @@ index 64d4824..8b9ea57 100644
}
static int r10_sync_page_io(struct md_rdev *rdev, sector_t sector,
-@@ -2304,8 +2304,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
+@@ -2305,8 +2305,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
return;
check_decay_read_errors(mddev, rdev);
@@ -37687,7 +37564,7 @@ index 64d4824..8b9ea57 100644
char b[BDEVNAME_SIZE];
bdevname(rdev->bdev, b);
-@@ -2313,7 +2313,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
+@@ -2314,7 +2314,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
"md/raid10:%s: %s: Raid device exceeded "
"read_error threshold [cur %d:max %d]\n",
mdname(mddev), b,
@@ -37696,7 +37573,7 @@ index 64d4824..8b9ea57 100644
printk(KERN_NOTICE
"md/raid10:%s: %s: Failing raid device\n",
mdname(mddev), b);
-@@ -2468,7 +2468,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
+@@ -2469,7 +2469,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
sect +
choose_data_offset(r10_bio, rdev)),
bdevname(rdev->bdev, b));
@@ -40321,7 +40198,7 @@ index 2111dbb..79e434b 100644
/* disable hardware control by fn key */
result = ec_read(MSI_STANDARD_EC_SCM_LOAD_ADDRESS, &data);
diff --git a/drivers/platform/x86/sony-laptop.c b/drivers/platform/x86/sony-laptop.c
-index b8ad71f..3ec9bb4 100644
+index 0fe987f..6f3d5c3 100644
--- a/drivers/platform/x86/sony-laptop.c
+++ b/drivers/platform/x86/sony-laptop.c
@@ -2356,7 +2356,7 @@ static void sony_nc_lid_resume_cleanup(struct platform_device *pd)
@@ -43559,6 +43436,75 @@ index 35f10bf..6a38a0b 100644
if (!left--) {
if (instance->disconnected)
+diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
+index 5f0cb41..122d056 100644
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -56,6 +56,7 @@ MODULE_DEVICE_TABLE (usb, wdm_ids);
+ #define WDM_RESPONDING 7
+ #define WDM_SUSPENDING 8
+ #define WDM_RESETTING 9
++#define WDM_OVERFLOW 10
+
+ #define WDM_MAX 16
+
+@@ -155,6 +156,7 @@ static void wdm_in_callback(struct urb *urb)
+ {
+ struct wdm_device *desc = urb->context;
+ int status = urb->status;
++ int length = urb->actual_length;
+
+ spin_lock(&desc->iuspin);
+ clear_bit(WDM_RESPONDING, &desc->flags);
+@@ -185,9 +187,17 @@ static void wdm_in_callback(struct urb *urb)
+ }
+
+ desc->rerr = status;
+- desc->reslength = urb->actual_length;
+- memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength);
+- desc->length += desc->reslength;
++ if (length + desc->length > desc->wMaxCommand) {
++ /* The buffer would overflow */
++ set_bit(WDM_OVERFLOW, &desc->flags);
++ } else {
++ /* we may already be in overflow */
++ if (!test_bit(WDM_OVERFLOW, &desc->flags)) {
++ memmove(desc->ubuf + desc->length, desc->inbuf, length);
++ desc->length += length;
++ desc->reslength = length;
++ }
++ }
+ skip_error:
+ wake_up(&desc->wait);
+
+@@ -435,6 +445,11 @@ retry:
+ rv = -ENODEV;
+ goto err;
+ }
++ if (test_bit(WDM_OVERFLOW, &desc->flags)) {
++ clear_bit(WDM_OVERFLOW, &desc->flags);
++ rv = -ENOBUFS;
++ goto err;
++ }
+ i++;
+ if (file->f_flags & O_NONBLOCK) {
+ if (!test_bit(WDM_READ, &desc->flags)) {
+@@ -478,6 +493,7 @@ retry:
+ spin_unlock_irq(&desc->iuspin);
+ goto retry;
+ }
++
+ if (!desc->reslength) { /* zero length read */
+ dev_dbg(&desc->intf->dev, "%s: zero length - clearing WDM_READ\n", __func__);
+ clear_bit(WDM_READ, &desc->flags);
+@@ -1004,6 +1020,7 @@ static int wdm_post_reset(struct usb_interface *intf)
+ struct wdm_device *desc = wdm_find_device(intf);
+ int rv;
+
++ clear_bit(WDM_OVERFLOW, &desc->flags);
+ clear_bit(WDM_RESETTING, &desc->flags);
+ rv = recover_from_urb_loss(desc);
+ mutex_unlock(&desc->wlock);
diff --git a/drivers/usb/core/devices.c b/drivers/usb/core/devices.c
index cbacea9..246cccd 100644
--- a/drivers/usb/core/devices.c
@@ -48388,10 +48334,10 @@ index eea5da7..88fead70 100644
WARN_ON(trans->transid != btrfs_header_generation(parent));
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
-index cc93b23..f3c42bf 100644
+index 659ea81..0f63c1a 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
-@@ -7296,7 +7296,7 @@ fail:
+@@ -7300,7 +7300,7 @@ fail:
return -ENOMEM;
}
@@ -48400,7 +48346,7 @@ index cc93b23..f3c42bf 100644
struct dentry *dentry, struct kstat *stat)
{
struct inode *inode = dentry->d_inode;
-@@ -7310,6 +7310,14 @@ static int btrfs_getattr(struct vfsmount *mnt,
+@@ -7314,6 +7314,14 @@ static int btrfs_getattr(struct vfsmount *mnt,
return 0;
}
@@ -48681,10 +48627,10 @@ index d9ea6ed..1e6c8ac 100644
server->ops->print_stats(m, tcon);
}
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
-index de7f916..6cb22a9 100644
+index e328339..322228b 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
-@@ -997,7 +997,7 @@ cifs_init_request_bufs(void)
+@@ -1002,7 +1002,7 @@ cifs_init_request_bufs(void)
/* cERROR(1, "CIFSMaxBufSize %d 0x%x",CIFSMaxBufSize,CIFSMaxBufSize); */
cifs_req_cachep = kmem_cache_create("cifs_request",
CIFSMaxBufSize + max_hdr_size, 0,
@@ -48693,7 +48639,7 @@ index de7f916..6cb22a9 100644
if (cifs_req_cachep == NULL)
return -ENOMEM;
-@@ -1024,7 +1024,7 @@ cifs_init_request_bufs(void)
+@@ -1029,7 +1029,7 @@ cifs_init_request_bufs(void)
efficient to alloc 1 per page off the slab compared to 17K (5page)
alloc of large cifs buffers even when page debugging is on */
cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq",
@@ -48702,7 +48648,7 @@ index de7f916..6cb22a9 100644
NULL);
if (cifs_sm_req_cachep == NULL) {
mempool_destroy(cifs_req_poolp);
-@@ -1109,8 +1109,8 @@ init_cifs(void)
+@@ -1114,8 +1114,8 @@ init_cifs(void)
atomic_set(&bufAllocCount, 0);
atomic_set(&smBufAllocCount, 0);
#ifdef CONFIG_CIFS_STATS2
@@ -48942,7 +48888,7 @@ index 47bc5a8..10decbe 100644
}
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
-index c9c7aa7..065056a 100644
+index bceffe7..cd1ae59 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -274,8 +274,8 @@ smb2_clear_stats(struct cifs_tcon *tcon)
@@ -49126,7 +49072,7 @@ index 958ae0e..505c9d0 100644
return hit;
diff --git a/fs/compat.c b/fs/compat.c
-index 015e1e1..b8966ac 100644
+index a06dcbc..dacb6d3 100644
--- a/fs/compat.c
+++ b/fs/compat.c
@@ -54,7 +54,7 @@
@@ -49156,7 +49102,7 @@ index 015e1e1..b8966ac 100644
goto out;
if (nr_segs > fast_segs) {
ret = -ENOMEM;
-@@ -831,6 +831,7 @@ struct compat_old_linux_dirent {
+@@ -835,6 +835,7 @@ struct compat_old_linux_dirent {
struct compat_readdir_callback {
struct compat_old_linux_dirent __user *dirent;
@@ -49164,7 +49110,7 @@ index 015e1e1..b8966ac 100644
int result;
};
-@@ -848,6 +849,10 @@ static int compat_fillonedir(void *__buf, const char *name, int namlen,
+@@ -852,6 +853,10 @@ static int compat_fillonedir(void *__buf, const char *name, int namlen,
buf->result = -EOVERFLOW;
return -EOVERFLOW;
}
@@ -49175,7 +49121,7 @@ index 015e1e1..b8966ac 100644
buf->result++;
dirent = buf->dirent;
if (!access_ok(VERIFY_WRITE, dirent,
-@@ -878,6 +883,7 @@ asmlinkage long compat_sys_old_readdir(unsigned int fd,
+@@ -882,6 +887,7 @@ asmlinkage long compat_sys_old_readdir(unsigned int fd,
buf.result = 0;
buf.dirent = dirent;
@@ -49183,7 +49129,7 @@ index 015e1e1..b8966ac 100644
error = vfs_readdir(f.file, compat_fillonedir, &buf);
if (buf.result)
-@@ -897,6 +903,7 @@ struct compat_linux_dirent {
+@@ -901,6 +907,7 @@ struct compat_linux_dirent {
struct compat_getdents_callback {
struct compat_linux_dirent __user *current_dir;
struct compat_linux_dirent __user *previous;
@@ -49191,7 +49137,7 @@ index 015e1e1..b8966ac 100644
int count;
int error;
};
-@@ -918,6 +925,10 @@ static int compat_filldir(void *__buf, const char *name, int namlen,
+@@ -922,6 +929,10 @@ static int compat_filldir(void *__buf, const char *name, int namlen,
buf->error = -EOVERFLOW;
return -EOVERFLOW;
}
@@ -49202,7 +49148,7 @@ index 015e1e1..b8966ac 100644
dirent = buf->previous;
if (dirent) {
if (__put_user(offset, &dirent->d_off))
-@@ -963,6 +974,7 @@ asmlinkage long compat_sys_getdents(unsigned int fd,
+@@ -967,6 +978,7 @@ asmlinkage long compat_sys_getdents(unsigned int fd,
buf.previous = NULL;
buf.count = count;
buf.error = 0;
@@ -49210,7 +49156,7 @@ index 015e1e1..b8966ac 100644
error = vfs_readdir(f.file, compat_filldir, &buf);
if (error >= 0)
-@@ -983,6 +995,7 @@ asmlinkage long compat_sys_getdents(unsigned int fd,
+@@ -987,6 +999,7 @@ asmlinkage long compat_sys_getdents(unsigned int fd,
struct compat_getdents_callback64 {
struct linux_dirent64 __user *current_dir;
struct linux_dirent64 __user *previous;
@@ -49218,7 +49164,7 @@ index 015e1e1..b8966ac 100644
int count;
int error;
};
-@@ -999,6 +1012,10 @@ static int compat_filldir64(void * __buf, const char * name, int namlen, loff_t
+@@ -1003,6 +1016,10 @@ static int compat_filldir64(void * __buf, const char * name, int namlen, loff_t
buf->error = -EINVAL; /* only used if we fail.. */
if (reclen > buf->count)
return -EINVAL;
@@ -49229,7 +49175,7 @@ index 015e1e1..b8966ac 100644
dirent = buf->previous;
if (dirent) {
-@@ -1048,13 +1065,14 @@ asmlinkage long compat_sys_getdents64(unsigned int fd,
+@@ -1052,13 +1069,14 @@ asmlinkage long compat_sys_getdents64(unsigned int fd,
buf.previous = NULL;
buf.count = count;
buf.error = 0;
@@ -50321,7 +50267,7 @@ index 22548f5..41521d8 100644
}
return 1;
diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
-index 2f2e0da..89b113a 100644
+index 92e68b3..115d987 100644
--- a/fs/ext4/balloc.c
+++ b/fs/ext4/balloc.c
@@ -505,8 +505,8 @@ static int ext4_has_free_clusters(struct ext4_sb_info *sbi,
@@ -50370,7 +50316,7 @@ index 8462eb3..4a71af6 100644
/* locality groups */
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
-index 061727a..7622abf 100644
+index 28bbf9b..75ca7c1 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1747,7 +1747,7 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac,
@@ -50487,7 +50433,7 @@ index 061727a..7622abf 100644
return 0;
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
-index 0465f36..99a003a 100644
+index 5fa223d..12fa738 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2429,7 +2429,7 @@ struct ext4_attr {
@@ -52391,7 +52337,7 @@ index a94e331..060bce3 100644
lock_flocks();
diff --git a/fs/namei.c b/fs/namei.c
-index 43a97ee..4e585fd 100644
+index ec97aef..eedf4fe 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -319,16 +319,32 @@ int generic_permission(struct inode *inode, int mask)
@@ -52445,7 +52391,7 @@ index 43a97ee..4e585fd 100644
return -EACCES;
}
-@@ -826,7 +834,7 @@ follow_link(struct path *link, struct nameidata *nd, void **p)
+@@ -824,7 +832,7 @@ follow_link(struct path *link, struct nameidata *nd, void **p)
{
struct dentry *dentry = link->dentry;
int error;
@@ -52454,7 +52400,7 @@ index 43a97ee..4e585fd 100644
BUG_ON(nd->flags & LOOKUP_RCU);
-@@ -847,6 +855,12 @@ follow_link(struct path *link, struct nameidata *nd, void **p)
+@@ -845,6 +853,12 @@ follow_link(struct path *link, struct nameidata *nd, void **p)
if (error)
goto out_put_nd_path;
@@ -52467,7 +52413,7 @@ index 43a97ee..4e585fd 100644
nd->last_type = LAST_BIND;
*p = dentry->d_inode->i_op->follow_link(dentry, nd);
error = PTR_ERR(*p);
-@@ -1596,6 +1610,8 @@ static inline int nested_symlink(struct path *path, struct nameidata *nd)
+@@ -1594,6 +1608,8 @@ static inline int nested_symlink(struct path *path, struct nameidata *nd)
break;
res = walk_component(nd, path, &nd->last,
nd->last_type, LOOKUP_FOLLOW);
@@ -52476,7 +52422,7 @@ index 43a97ee..4e585fd 100644
put_link(nd, &link, cookie);
} while (res > 0);
-@@ -1694,7 +1710,7 @@ EXPORT_SYMBOL(full_name_hash);
+@@ -1692,7 +1708,7 @@ EXPORT_SYMBOL(full_name_hash);
static inline unsigned long hash_name(const char *name, unsigned int *hashp)
{
unsigned long a, b, adata, bdata, mask, hash, len;
@@ -52485,7 +52431,7 @@ index 43a97ee..4e585fd 100644
hash = a = 0;
len = -sizeof(unsigned long);
-@@ -1979,6 +1995,8 @@ static int path_lookupat(int dfd, const char *name,
+@@ -1977,6 +1993,8 @@ static int path_lookupat(int dfd, const char *name,
if (err)
break;
err = lookup_last(nd, &path);
@@ -52494,7 +52440,7 @@ index 43a97ee..4e585fd 100644
put_link(nd, &link, cookie);
}
}
-@@ -1986,6 +2004,19 @@ static int path_lookupat(int dfd, const char *name,
+@@ -1984,6 +2002,19 @@ static int path_lookupat(int dfd, const char *name,
if (!err)
err = complete_walk(nd);
@@ -52514,7 +52460,7 @@ index 43a97ee..4e585fd 100644
if (!err && nd->flags & LOOKUP_DIRECTORY) {
if (!nd->inode->i_op->lookup) {
path_put(&nd->path);
-@@ -2013,8 +2044,17 @@ static int filename_lookup(int dfd, struct filename *name,
+@@ -2011,8 +2042,17 @@ static int filename_lookup(int dfd, struct filename *name,
retval = path_lookupat(dfd, name->name,
flags | LOOKUP_REVAL, nd);
@@ -52533,7 +52479,7 @@ index 43a97ee..4e585fd 100644
return retval;
}
-@@ -2392,6 +2432,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
+@@ -2390,6 +2430,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
if (flag & O_NOATIME && !inode_owner_or_capable(inode))
return -EPERM;
@@ -52547,7 +52493,7 @@ index 43a97ee..4e585fd 100644
return 0;
}
-@@ -2613,7 +2660,7 @@ looked_up:
+@@ -2611,7 +2658,7 @@ looked_up:
* cleared otherwise prior to returning.
*/
static int lookup_open(struct nameidata *nd, struct path *path,
@@ -52556,7 +52502,7 @@ index 43a97ee..4e585fd 100644
const struct open_flags *op,
bool got_write, int *opened)
{
-@@ -2648,6 +2695,17 @@ static int lookup_open(struct nameidata *nd, struct path *path,
+@@ -2646,6 +2693,17 @@ static int lookup_open(struct nameidata *nd, struct path *path,
/* Negative dentry, just create the file */
if (!dentry->d_inode && (op->open_flag & O_CREAT)) {
umode_t mode = op->mode;
@@ -52574,7 +52520,7 @@ index 43a97ee..4e585fd 100644
if (!IS_POSIXACL(dir->d_inode))
mode &= ~current_umask();
/*
-@@ -2669,6 +2727,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
+@@ -2667,6 +2725,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
nd->flags & LOOKUP_EXCL);
if (error)
goto out_dput;
@@ -52583,7 +52529,7 @@ index 43a97ee..4e585fd 100644
}
out_no_open:
path->dentry = dentry;
-@@ -2683,7 +2743,7 @@ out_dput:
+@@ -2681,7 +2741,7 @@ out_dput:
/*
* Handle the last step of open()
*/
@@ -52592,7 +52538,7 @@ index 43a97ee..4e585fd 100644
struct file *file, const struct open_flags *op,
int *opened, struct filename *name)
{
-@@ -2712,16 +2772,44 @@ static int do_last(struct nameidata *nd, struct path *path,
+@@ -2710,16 +2770,44 @@ static int do_last(struct nameidata *nd, struct path *path,
error = complete_walk(nd);
if (error)
return error;
@@ -52637,7 +52583,7 @@ index 43a97ee..4e585fd 100644
audit_inode(name, dir, 0);
goto finish_open;
}
-@@ -2770,7 +2858,7 @@ retry_lookup:
+@@ -2768,7 +2856,7 @@ retry_lookup:
*/
}
mutex_lock(&dir->d_inode->i_mutex);
@@ -52646,7 +52592,7 @@ index 43a97ee..4e585fd 100644
mutex_unlock(&dir->d_inode->i_mutex);
if (error <= 0) {
-@@ -2794,11 +2882,28 @@ retry_lookup:
+@@ -2792,11 +2880,28 @@ retry_lookup:
goto finish_open_created;
}
@@ -52676,7 +52622,7 @@ index 43a97ee..4e585fd 100644
/*
* If atomic_open() acquired write access it is dropped now due to
-@@ -2839,6 +2944,11 @@ finish_lookup:
+@@ -2837,6 +2942,11 @@ finish_lookup:
}
}
BUG_ON(inode != path->dentry->d_inode);
@@ -52688,7 +52634,7 @@ index 43a97ee..4e585fd 100644
return 1;
}
-@@ -2848,7 +2958,6 @@ finish_lookup:
+@@ -2846,7 +2956,6 @@ finish_lookup:
save_parent.dentry = nd->path.dentry;
save_parent.mnt = mntget(path->mnt);
nd->path.dentry = path->dentry;
@@ -52696,7 +52642,7 @@ index 43a97ee..4e585fd 100644
}
nd->inode = inode;
/* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */
-@@ -2857,6 +2966,22 @@ finish_lookup:
+@@ -2855,6 +2964,22 @@ finish_lookup:
path_put(&save_parent);
return error;
}
@@ -52719,7 +52665,7 @@ index 43a97ee..4e585fd 100644
error = -EISDIR;
if ((open_flag & O_CREAT) && S_ISDIR(nd->inode->i_mode))
goto out;
-@@ -2955,7 +3080,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+@@ -2953,7 +3078,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
if (unlikely(error))
goto out;
@@ -52728,7 +52674,7 @@ index 43a97ee..4e585fd 100644
while (unlikely(error > 0)) { /* trailing symlink */
struct path link = path;
void *cookie;
-@@ -2973,7 +3098,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+@@ -2971,7 +3096,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
error = follow_link(&link, nd, &cookie);
if (unlikely(error))
break;
@@ -52737,7 +52683,7 @@ index 43a97ee..4e585fd 100644
put_link(nd, &link, cookie);
}
out:
-@@ -3073,8 +3198,12 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
+@@ -3071,8 +3196,12 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
goto unlock;
error = -EEXIST;
@@ -52751,7 +52697,7 @@ index 43a97ee..4e585fd 100644
/*
* Special case - lookup gave negative, but... we had foo/bar/
* From the vfs_mknod() POV we just have a negative dentry -
-@@ -3126,6 +3255,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
+@@ -3124,6 +3253,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
}
EXPORT_SYMBOL(user_path_create);
@@ -52772,7 +52718,7 @@ index 43a97ee..4e585fd 100644
int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
{
int error = may_create(dir, dentry);
-@@ -3188,6 +3331,17 @@ retry:
+@@ -3186,6 +3329,17 @@ retry:
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -52790,7 +52736,7 @@ index 43a97ee..4e585fd 100644
error = security_path_mknod(&path, dentry, mode, dev);
if (error)
goto out;
-@@ -3204,6 +3358,8 @@ retry:
+@@ -3202,6 +3356,8 @@ retry:
break;
}
out:
@@ -52799,7 +52745,7 @@ index 43a97ee..4e585fd 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3256,9 +3412,16 @@ retry:
+@@ -3254,9 +3410,16 @@ retry:
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -52816,7 +52762,7 @@ index 43a97ee..4e585fd 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3339,6 +3502,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -3337,6 +3500,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
struct filename *name;
struct dentry *dentry;
struct nameidata nd;
@@ -52825,7 +52771,7 @@ index 43a97ee..4e585fd 100644
unsigned int lookup_flags = 0;
retry:
name = user_path_parent(dfd, pathname, &nd, lookup_flags);
-@@ -3371,10 +3536,21 @@ retry:
+@@ -3369,10 +3534,21 @@ retry:
error = -ENOENT;
goto exit3;
}
@@ -52847,7 +52793,7 @@ index 43a97ee..4e585fd 100644
exit3:
dput(dentry);
exit2:
-@@ -3440,6 +3616,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -3438,6 +3614,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
struct dentry *dentry;
struct nameidata nd;
struct inode *inode = NULL;
@@ -52856,7 +52802,7 @@ index 43a97ee..4e585fd 100644
unsigned int lookup_flags = 0;
retry:
name = user_path_parent(dfd, pathname, &nd, lookup_flags);
-@@ -3466,10 +3644,22 @@ retry:
+@@ -3464,10 +3642,22 @@ retry:
if (!inode)
goto slashes;
ihold(inode);
@@ -52879,7 +52825,7 @@ index 43a97ee..4e585fd 100644
exit2:
dput(dentry);
}
-@@ -3547,9 +3737,17 @@ retry:
+@@ -3545,9 +3735,17 @@ retry:
if (IS_ERR(dentry))
goto out_putname;
@@ -52897,7 +52843,7 @@ index 43a97ee..4e585fd 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3623,6 +3821,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -3621,6 +3819,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
{
struct dentry *new_dentry;
struct path old_path, new_path;
@@ -52905,7 +52851,7 @@ index 43a97ee..4e585fd 100644
int how = 0;
int error;
-@@ -3646,7 +3845,7 @@ retry:
+@@ -3644,7 +3843,7 @@ retry:
if (error)
return error;
@@ -52914,7 +52860,7 @@ index 43a97ee..4e585fd 100644
(how & LOOKUP_REVAL));
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
-@@ -3658,11 +3857,28 @@ retry:
+@@ -3656,11 +3855,28 @@ retry:
error = may_linkat(&old_path);
if (unlikely(error))
goto out_dput;
@@ -52943,7 +52889,7 @@ index 43a97ee..4e585fd 100644
done_path_create(&new_path, new_dentry);
if (retry_estale(error, how)) {
how |= LOOKUP_REVAL;
-@@ -3908,12 +4124,21 @@ retry:
+@@ -3906,12 +4122,21 @@ retry:
if (new_dentry == trap)
goto exit5;
@@ -52965,7 +52911,7 @@ index 43a97ee..4e585fd 100644
exit5:
dput(new_dentry);
exit4:
-@@ -3945,6 +4170,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
+@@ -3943,6 +4168,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
{
@@ -52974,7 +52920,7 @@ index 43a97ee..4e585fd 100644
int len;
len = PTR_ERR(link);
-@@ -3954,7 +4181,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
+@@ -3952,7 +4179,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
len = strlen(link);
if (len > (unsigned) buflen)
len = buflen;
@@ -53564,7 +53510,7 @@ index 9b33c0c..2ffcca2 100644
}
putname(tmp);
diff --git a/fs/pipe.c b/fs/pipe.c
-index bd3479d..fb92c4d 100644
+index 8e2e73f..1ef1048 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -438,9 +438,9 @@ redo:
@@ -53659,7 +53605,7 @@ index bd3479d..fb92c4d 100644
}
mutex_unlock(&inode->i_mutex);
-@@ -868,9 +868,9 @@ pipe_rdwr_open(struct inode *inode, struct file *filp)
+@@ -871,9 +871,9 @@ pipe_rdwr_open(struct inode *inode, struct file *filp)
if (inode->i_pipe) {
ret = 0;
if (filp->f_mode & FMODE_READ)
@@ -53671,7 +53617,7 @@ index bd3479d..fb92c4d 100644
}
mutex_unlock(&inode->i_mutex);
-@@ -962,7 +962,7 @@ void free_pipe_info(struct inode *inode)
+@@ -965,7 +965,7 @@ void free_pipe_info(struct inode *inode)
inode->i_pipe = NULL;
}
@@ -53680,7 +53626,7 @@ index bd3479d..fb92c4d 100644
/*
* pipefs_dname() is called from d_path().
-@@ -992,7 +992,8 @@ static struct inode * get_pipe_inode(void)
+@@ -995,7 +995,8 @@ static struct inode * get_pipe_inode(void)
goto fail_iput;
inode->i_pipe = pipe;
@@ -72544,7 +72490,7 @@ index 71a3ca1..cc330ee 100644
if (u->mq_bytes + mq_bytes < u->mq_bytes ||
u->mq_bytes + mq_bytes > rlimit(RLIMIT_MSGQUEUE)) {
diff --git a/ipc/msg.c b/ipc/msg.c
-index 950572f..362ea07 100644
+index 31cd1bf..362ea07 100644
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -309,18 +309,19 @@ static inline int msg_security(struct kern_ipc_perm *ipcp, int msgflg)
@@ -72572,40 +72518,6 @@ index 950572f..362ea07 100644
msg_params.key = key;
msg_params.flg = msgflg;
-@@ -820,15 +821,17 @@ long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp,
- struct msg_msg *copy = NULL;
- unsigned long copy_number = 0;
-
-+ ns = current->nsproxy->ipc_ns;
-+
- if (msqid < 0 || (long) bufsz < 0)
- return -EINVAL;
- if (msgflg & MSG_COPY) {
-- copy = prepare_copy(buf, bufsz, msgflg, &msgtyp, ©_number);
-+ copy = prepare_copy(buf, min_t(size_t, bufsz, ns->msg_ctlmax),
-+ msgflg, &msgtyp, ©_number);
- if (IS_ERR(copy))
- return PTR_ERR(copy);
- }
- mode = convert_mode(&msgtyp, msgflg);
-- ns = current->nsproxy->ipc_ns;
-
- msq = msg_lock_check(ns, msqid);
- if (IS_ERR(msq)) {
-diff --git a/ipc/msgutil.c b/ipc/msgutil.c
-index ebfcbfa..5df8e4b 100644
---- a/ipc/msgutil.c
-+++ b/ipc/msgutil.c
-@@ -117,9 +117,6 @@ struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst)
- if (alen > DATALEN_MSG)
- alen = DATALEN_MSG;
-
-- dst->next = NULL;
-- dst->security = NULL;
--
- memcpy(dst + 1, src + 1, alen);
-
- len -= alen;
diff --git a/ipc/sem.c b/ipc/sem.c
index 58d31f1..cce7a55 100644
--- a/ipc/sem.c
@@ -73486,7 +73398,7 @@ index b4df219..f13c02d 100644
{
struct signal_struct *sig = current->signal;
diff --git a/kernel/fork.c b/kernel/fork.c
-index c535f33..1d768f9 100644
+index 5630e52..0cee608 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -318,7 +318,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
@@ -73735,7 +73647,7 @@ index c535f33..1d768f9 100644
return 0;
}
-@@ -1193,6 +1243,9 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+@@ -1196,6 +1246,9 @@ static struct task_struct *copy_process(unsigned long clone_flags,
DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
#endif
retval = -EAGAIN;
@@ -73745,7 +73657,7 @@ index c535f33..1d768f9 100644
if (atomic_read(&p->real_cred->user->processes) >=
task_rlimit(p, RLIMIT_NPROC)) {
if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
-@@ -1432,6 +1485,11 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+@@ -1435,6 +1488,11 @@ static struct task_struct *copy_process(unsigned long clone_flags,
goto bad_fork_free_pid;
}
@@ -73757,7 +73669,7 @@ index c535f33..1d768f9 100644
if (clone_flags & CLONE_THREAD) {
current->signal->nr_threads++;
atomic_inc(¤t->signal->live);
-@@ -1515,6 +1573,8 @@ bad_fork_cleanup_count:
+@@ -1518,6 +1576,8 @@ bad_fork_cleanup_count:
bad_fork_free:
free_task(p);
fork_out:
@@ -73766,7 +73678,7 @@ index c535f33..1d768f9 100644
return ERR_PTR(retval);
}
-@@ -1565,6 +1625,23 @@ long do_fork(unsigned long clone_flags,
+@@ -1568,6 +1628,23 @@ long do_fork(unsigned long clone_flags,
return -EINVAL;
}
@@ -73790,7 +73702,7 @@ index c535f33..1d768f9 100644
/*
* Determine whether and which event to report to ptracer. When
* called from kernel_thread or CLONE_UNTRACED is explicitly
-@@ -1599,6 +1676,8 @@ long do_fork(unsigned long clone_flags,
+@@ -1602,6 +1679,8 @@ long do_fork(unsigned long clone_flags,
if (clone_flags & CLONE_PARENT_SETTID)
put_user(nr, parent_tidptr);
@@ -73799,7 +73711,7 @@ index c535f33..1d768f9 100644
if (clone_flags & CLONE_VFORK) {
p->vfork_done = &vfork;
init_completion(&vfork);
-@@ -1752,7 +1831,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
+@@ -1755,7 +1834,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
return 0;
/* don't need lock here; in the worst case we'll do useless copy */
@@ -73808,7 +73720,7 @@ index c535f33..1d768f9 100644
return 0;
*new_fsp = copy_fs_struct(fs);
-@@ -1866,7 +1945,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
+@@ -1869,7 +1948,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
fs = current->fs;
spin_lock(&fs->lock);
current->fs = new_fs;
@@ -78278,10 +78190,10 @@ index 33acb5e..57ebfd4 100644
.group = GLOBAL_ROOT_GID,
.proc_inum = PROC_USER_INIT_INO,
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index 2b042c4..24f8ec3 100644
+index dbfe36a7..6d36e9a 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
-@@ -78,7 +78,7 @@ int create_user_ns(struct cred *new)
+@@ -79,7 +79,7 @@ int create_user_ns(struct cred *new)
return ret;
}
@@ -78290,7 +78202,7 @@ index 2b042c4..24f8ec3 100644
/* Leave the new->user_ns reference with the new user namespace. */
ns->parent = parent_ns;
ns->owner = owner;
-@@ -104,15 +104,16 @@ int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
+@@ -105,15 +105,16 @@ int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
return create_user_ns(cred);
}
@@ -80047,7 +79959,7 @@ index bb1369f..efb96b5 100644
return 0;
}
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
-index e2df1c1..1e31d57 100644
+index 3df6d12..a11056a 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -721,6 +721,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
@@ -81920,7 +81832,7 @@ index 8c8e08f..73a5cda 100644
static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
diff --git a/mm/process_vm_access.c b/mm/process_vm_access.c
-index 926b466..b23df53 100644
+index fd26d04..0cea1b0 100644
--- a/mm/process_vm_access.c
+++ b/mm/process_vm_access.c
@@ -13,6 +13,7 @@
@@ -88679,7 +88591,7 @@ index 6b42d47..2ac24d5 100644
sub->evt.event = htohl(event, sub->swap);
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index 5b5c876..3127bf7 100644
+index 5b5c876..6713b81 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -786,6 +786,12 @@ static struct sock *unix_find_other(struct net *net,
@@ -88728,6 +88640,34 @@ index 5b5c876..3127bf7 100644
done_path_create(&path, dentry);
return err;
}
+@@ -2326,9 +2345,13 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+ seq_puts(seq, "Num RefCount Protocol Flags Type St "
+ "Inode Path\n");
+ else {
+- struct sock *s = v;
++ struct sock *s = v, *peer;
+ struct unix_sock *u = unix_sk(s);
+ unix_state_lock(s);
++ peer = unix_peer(s);
++ unix_state_unlock(s);
++
++ unix_state_double_lock(s, peer);
+
+ seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu",
+ s,
+@@ -2355,8 +2378,10 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+ }
+ for ( ; i < len; i++)
+ seq_putc(seq, u->addr->name->sun_path[i]);
+- }
+- unix_state_unlock(s);
++ } else if (peer)
++ seq_printf(seq, " P%lu", sock_i_ino(peer));
++
++ unix_state_double_unlock(s, peer);
+ seq_putc(seq, '\n');
+ }
+
diff --git a/net/unix/sysctl_net_unix.c b/net/unix/sysctl_net_unix.c
index 8800604..0526440 100644
--- a/net/unix/sysctl_net_unix.c
@@ -90455,7 +90395,7 @@ index 55a6271..ad829c3 100644
hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
return 0;
diff --git a/security/keys/compat.c b/security/keys/compat.c
-index 1c26176..64a1ba2 100644
+index d65fa7f..cbfe366 100644
--- a/security/keys/compat.c
+++ b/security/keys/compat.c
@@ -44,7 +44,7 @@ static long compat_keyctl_instantiate_key_iov(
@@ -90464,7 +90404,7 @@ index 1c26176..64a1ba2 100644
- ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
+ ret = keyctl_instantiate_key_common(id, (const struct iovec __force_user *)iov, ioc, ret, ringid);
-
+ err:
if (iov != iovstack)
kfree(iov);
diff --git a/security/keys/key.c b/security/keys/key.c
@@ -90588,19 +90528,6 @@ index 6ece7f2..ecdb55c 100644
goto error;
buflen -= tmp;
-diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
-index 58dfe08..c5ec083 100644
---- a/security/keys/process_keys.c
-+++ b/security/keys/process_keys.c
-@@ -57,7 +57,7 @@ int install_user_keyrings(void)
-
- kenter("%p{%u}", user, uid);
-
-- if (user->uid_keyring) {
-+ if (user->uid_keyring && user->session_keyring) {
- kleave(" = 0 [exist]");
- return 0;
- }
diff --git a/security/min_addr.c b/security/min_addr.c
index f728728..6457a0c 100644
--- a/security/min_addr.c
^ permalink raw reply related [flat|nested] 2+ messages in thread* [gentoo-commits] proj/hardened-patchset:master commit in: 2.6.32/, 3.8.2/, 3.2.40/
@ 2013-03-12 13:25 Anthony G. Basile
0 siblings, 0 replies; 2+ messages in thread
From: Anthony G. Basile @ 2013-03-12 13:25 UTC (permalink / raw
To: gentoo-commits
commit: 5887bfa1ed303153a33e8909165ea760a787f68d
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Tue Mar 12 13:24:53 2013 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Tue Mar 12 13:24:53 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=5887bfa1
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.40,3.8.2}-201303111845
---
..._grsecurity-2.9.1-2.6.32.60-201303111841.patch} | 88 +++--
3.2.40/0000_README | 2 +-
...420_grsecurity-2.9.1-3.2.40-201303111844.patch} | 136 +++++--
3.8.2/0000_README | 2 +-
...4420_grsecurity-2.9.1-3.8.2-201303111845.patch} | 425 ++++++++++++++++----
5 files changed, 508 insertions(+), 145 deletions(-)
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303082034.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303111841.patch
similarity index 99%
rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303082034.patch
rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303111841.patch
index 0660165..844bced 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303082034.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303111841.patch
@@ -22169,10 +22169,10 @@ index 3149032..14f1053 100644
return 0;
/* 64-bit mode: REX prefix */
diff --git a/arch/x86/kernel/sys_i386_32.c b/arch/x86/kernel/sys_i386_32.c
-index dee1ff7..d0e3ef7 100644
+index dee1ff7..585a36b 100644
--- a/arch/x86/kernel/sys_i386_32.c
+++ b/arch/x86/kernel/sys_i386_32.c
-@@ -24,6 +24,21 @@
+@@ -24,6 +24,22 @@
#include <asm/syscalls.h>
@@ -22185,8 +22185,9 @@ index dee1ff7..d0e3ef7 100644
+ pax_task_size = SEGMEXEC_TASK_SIZE;
+#endif
+
-+ if (len > pax_task_size || addr > pax_task_size - len)
-+ return -EINVAL;
++ if (flags & MAP_FIXED)
++ if (len > pax_task_size || addr > pax_task_size - len)
++ return -EINVAL;
+
+ return 0;
+}
@@ -22194,7 +22195,7 @@ index dee1ff7..d0e3ef7 100644
/*
* Perform the select(nd, in, out, ex, tv) and mmap() system
* calls. Linux/i386 didn't use to be able to handle more than
-@@ -58,6 +73,214 @@ out:
+@@ -58,6 +74,214 @@ out:
return err;
}
@@ -22409,7 +22410,7 @@ index dee1ff7..d0e3ef7 100644
struct sel_arg_struct {
unsigned long n;
-@@ -93,7 +316,7 @@ asmlinkage int sys_ipc(uint call, int first, int second,
+@@ -93,7 +317,7 @@ asmlinkage int sys_ipc(uint call, int first, int second,
return sys_semtimedop(first, (struct sembuf __user *)ptr, second, NULL);
case SEMTIMEDOP:
return sys_semtimedop(first, (struct sembuf __user *)ptr, second,
@@ -22418,7 +22419,7 @@ index dee1ff7..d0e3ef7 100644
case SEMGET:
return sys_semget(first, second, third);
-@@ -140,7 +363,7 @@ asmlinkage int sys_ipc(uint call, int first, int second,
+@@ -140,7 +364,7 @@ asmlinkage int sys_ipc(uint call, int first, int second,
ret = do_shmat(first, (char __user *) ptr, second, &raddr);
if (ret)
return ret;
@@ -22427,7 +22428,7 @@ index dee1ff7..d0e3ef7 100644
}
case 1: /* iBCS2 emulator entry point */
if (!segment_eq(get_fs(), get_ds()))
-@@ -207,17 +430,3 @@ asmlinkage int sys_olduname(struct oldold_utsname __user *name)
+@@ -207,17 +431,3 @@ asmlinkage int sys_olduname(struct oldold_utsname __user *name)
return error;
}
@@ -83601,7 +83602,7 @@ index b080b79..d957e63 100644
}
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
-index 3b7b82a..0655a0f 100644
+index 3b7b82a..43956d4 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -8,12 +8,19 @@
@@ -83624,7 +83625,7 @@ index 3b7b82a..0655a0f 100644
void task_mem(struct seq_file *m, struct mm_struct *mm)
{
unsigned long data, text, lib;
-@@ -46,15 +53,27 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
+@@ -46,15 +53,32 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
"VmStk:\t%8lu kB\n"
"VmExe:\t%8lu kB\n"
"VmLib:\t%8lu kB\n"
@@ -83647,15 +83648,20 @@ index 3b7b82a..0655a0f 100644
+ (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10
+
+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
+ , PAX_RAND_FLAGS(mm) ? 0 : mm->context.user_cs_base
+ , PAX_RAND_FLAGS(mm) ? 0 : mm->context.user_cs_limit
++#else
++ , mm->context.user_cs_base
++ , mm->context.user_cs_limit
++#endif
+#endif
+
+ );
}
unsigned long task_vsize(struct mm_struct *mm)
-@@ -175,7 +194,8 @@ static void m_stop(struct seq_file *m, void *v)
+@@ -175,7 +199,8 @@ static void m_stop(struct seq_file *m, void *v)
struct proc_maps_private *priv = m->private;
struct vm_area_struct *vma = v;
@@ -83665,7 +83671,7 @@ index 3b7b82a..0655a0f 100644
if (priv->task)
put_task_struct(priv->task);
}
-@@ -206,7 +226,6 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+@@ -206,7 +231,6 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
int flags = vma->vm_flags;
unsigned long ino = 0;
unsigned long long pgoff = 0;
@@ -83673,7 +83679,7 @@ index 3b7b82a..0655a0f 100644
dev_t dev = 0;
int len;
-@@ -217,20 +236,23 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+@@ -217,20 +241,23 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
}
@@ -83704,7 +83710,7 @@ index 3b7b82a..0655a0f 100644
MAJOR(dev), MINOR(dev), ino, &len);
/*
-@@ -239,7 +261,7 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+@@ -239,7 +266,7 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
*/
if (file) {
pad_len_spaces(m, len);
@@ -83713,7 +83719,7 @@ index 3b7b82a..0655a0f 100644
} else {
const char *name = arch_vma_name(vma);
if (!name) {
-@@ -247,8 +269,9 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+@@ -247,8 +274,9 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
if (vma->vm_start <= mm->brk &&
vma->vm_end >= mm->start_brk) {
name = "[heap]";
@@ -83725,7 +83731,7 @@ index 3b7b82a..0655a0f 100644
name = "[stack]";
}
} else {
-@@ -269,6 +292,13 @@ static int show_map(struct seq_file *m, void *v)
+@@ -269,6 +297,13 @@ static int show_map(struct seq_file *m, void *v)
struct proc_maps_private *priv = m->private;
struct task_struct *task = priv->task;
@@ -83739,7 +83745,7 @@ index 3b7b82a..0655a0f 100644
show_map_vma(m, vma);
if (m->count < m->size) /* vma is copied successfully */
-@@ -390,10 +420,23 @@ static int show_smap(struct seq_file *m, void *v)
+@@ -390,10 +425,23 @@ static int show_smap(struct seq_file *m, void *v)
.private = &mss,
};
@@ -83766,7 +83772,7 @@ index 3b7b82a..0655a0f 100644
show_map_vma(m, vma);
-@@ -409,7 +452,11 @@ static int show_smap(struct seq_file *m, void *v)
+@@ -409,7 +457,11 @@ static int show_smap(struct seq_file *m, void *v)
"Swap: %8lu kB\n"
"KernelPageSize: %8lu kB\n"
"MMUPageSize: %8lu kB\n",
@@ -106892,7 +106898,7 @@ index 0591df8..dcf3f9f 100644
if (cpu != group_first_cpu(sd->groups))
return;
diff --git a/kernel/signal.c b/kernel/signal.c
-index 2494827..02e4288 100644
+index 2494827..3087914 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -41,12 +41,12 @@
@@ -106929,7 +106935,17 @@ index 2494827..02e4288 100644
if (override_rlimit ||
atomic_read(&user->sigpending) <=
t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur)
-@@ -327,7 +330,7 @@ flush_signal_handlers(struct task_struct *t, int force_default)
+@@ -320,6 +323,9 @@ flush_signal_handlers(struct task_struct *t, int force_default)
+ if (force_default || ka->sa.sa_handler != SIG_IGN)
+ ka->sa.sa_handler = SIG_DFL;
+ ka->sa.sa_flags = 0;
++#ifdef SA_RESTORER
++ ka->sa.sa_restorer = NULL;
++#endif
+ sigemptyset(&ka->sa.sa_mask);
+ ka++;
+ }
+@@ -327,7 +333,7 @@ flush_signal_handlers(struct task_struct *t, int force_default)
int unhandled_signal(struct task_struct *tsk, int sig)
{
@@ -106938,7 +106954,7 @@ index 2494827..02e4288 100644
if (is_global_init(tsk))
return 1;
if (handler != SIG_IGN && handler != SIG_DFL)
-@@ -513,23 +516,17 @@ int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info)
+@@ -513,23 +519,17 @@ int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info)
* No need to set need_resched since signal event passing
* goes through ->blocked
*/
@@ -106965,7 +106981,7 @@ index 2494827..02e4288 100644
kick_process(t);
}
-@@ -627,6 +624,13 @@ static int check_kill_permission(int sig, struct siginfo *info,
+@@ -627,6 +627,13 @@ static int check_kill_permission(int sig, struct siginfo *info,
}
}
@@ -106979,7 +106995,7 @@ index 2494827..02e4288 100644
return security_task_kill(t, info, sig, 0);
}
-@@ -968,7 +972,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
+@@ -968,7 +975,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
return send_signal(sig, info, p, 1);
}
@@ -106988,7 +107004,7 @@ index 2494827..02e4288 100644
specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
{
return send_signal(sig, info, t, 0);
-@@ -1005,6 +1009,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
+@@ -1005,6 +1012,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
unsigned long int flags;
int ret, blocked, ignored;
struct k_sigaction *action;
@@ -106996,7 +107012,7 @@ index 2494827..02e4288 100644
spin_lock_irqsave(&t->sighand->siglock, flags);
action = &t->sighand->action[sig-1];
-@@ -1019,9 +1024,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
+@@ -1019,9 +1027,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
}
if (action->sa.sa_handler == SIG_DFL)
t->signal->flags &= ~SIGNAL_UNKILLABLE;
@@ -107015,7 +107031,7 @@ index 2494827..02e4288 100644
return ret;
}
-@@ -1081,8 +1095,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
+@@ -1081,8 +1098,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
{
int ret = check_kill_permission(sig, info, p);
@@ -107028,7 +107044,7 @@ index 2494827..02e4288 100644
return ret;
}
-@@ -1530,6 +1547,10 @@ static inline int may_ptrace_stop(void)
+@@ -1530,6 +1550,10 @@ static inline int may_ptrace_stop(void)
* If SIGKILL was already sent before the caller unlocked
* ->siglock we must see ->core_state != NULL. Otherwise it
* is safe to enter schedule().
@@ -107039,7 +107055,7 @@ index 2494827..02e4288 100644
*/
if (unlikely(current->mm->core_state) &&
unlikely(current->mm == current->parent->mm))
-@@ -1611,6 +1632,8 @@ static void ptrace_stop(int exit_code, int clear_code, siginfo_t *info)
+@@ -1611,6 +1635,8 @@ static void ptrace_stop(int exit_code, int clear_code, siginfo_t *info)
* By the time we got the lock, our tracer went away.
* Don't drop the lock yet, another tracer may come.
*/
@@ -107048,7 +107064,7 @@ index 2494827..02e4288 100644
__set_current_state(TASK_RUNNING);
if (clear_code)
current->exit_code = 0;
-@@ -1644,6 +1667,8 @@ void ptrace_notify(int exit_code)
+@@ -1644,6 +1670,8 @@ void ptrace_notify(int exit_code)
{
siginfo_t info;
@@ -107057,7 +107073,7 @@ index 2494827..02e4288 100644
BUG_ON((exit_code & (0x7f | ~0xffff)) != SIGTRAP);
memset(&info, 0, sizeof info);
-@@ -2275,7 +2300,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
+@@ -2275,7 +2303,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
int error = -ESRCH;
rcu_read_lock();
@@ -114315,6 +114331,18 @@ index 4538a34..d53ed34 100644
}
EXPORT_SYMBOL(sock_init_data);
+diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c
+index ac1205d..813fe4b 100644
+--- a/net/dcb/dcbnl.c
++++ b/net/dcb/dcbnl.c
+@@ -307,6 +307,7 @@ static int dcbnl_getperm_hwaddr(struct net_device *netdev, struct nlattr **tb,
+ dcb->dcb_family = AF_UNSPEC;
+ dcb->cmd = DCB_CMD_GPERM_HWADDR;
+
++ memset(perm_addr, 0, sizeof(perm_addr));
+ netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr);
+
+ ret = nla_put(dcbnl_skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr),
diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c
index 34dcc79..f51ed45 100644
--- a/net/dccp/ccids/ccid3.c
diff --git a/3.2.40/0000_README b/3.2.40/0000_README
index fd368e5..173a1e3 100644
--- a/3.2.40/0000_README
+++ b/3.2.40/0000_README
@@ -78,7 +78,7 @@ Patch: 1039_linux-3.2.40.patch
From: http://www.kernel.org
Desc: Linux 3.2.40
-Patch: 4420_grsecurity-2.9.1-3.2.40-201303082037.patch
+Patch: 4420_grsecurity-2.9.1-3.2.40-201303111844.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303082037.patch b/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303111844.patch
similarity index 99%
rename from 3.2.40/4420_grsecurity-2.9.1-3.2.40-201303082037.patch
rename to 3.2.40/4420_grsecurity-2.9.1-3.2.40-201303111844.patch
index 774963f..94cafc4 100644
--- a/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303082037.patch
+++ b/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303111844.patch
@@ -20387,10 +20387,10 @@ index d4f278e..86c58c0 100644
for (i = 0; i < copied; i++) {
switch (opcode[i]) {
diff --git a/arch/x86/kernel/sys_i386_32.c b/arch/x86/kernel/sys_i386_32.c
-index 0b0cb5f..26bb1af 100644
+index 0b0cb5f..207bec6 100644
--- a/arch/x86/kernel/sys_i386_32.c
+++ b/arch/x86/kernel/sys_i386_32.c
-@@ -24,17 +24,226 @@
+@@ -24,17 +24,227 @@
#include <asm/syscalls.h>
@@ -20415,8 +20415,9 @@ index 0b0cb5f..26bb1af 100644
+ pax_task_size = SEGMEXEC_TASK_SIZE;
+#endif
+
-+ if (len > pax_task_size || addr > pax_task_size - len)
-+ return -EINVAL;
++ if (flags & MAP_FIXED)
++ if (len > pax_task_size || addr > pax_task_size - len)
++ return -EINVAL;
+
+ return 0;
+}
@@ -52514,7 +52515,7 @@ index 03102d9..4ae347e 100644
}
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
-index 3efa725..6d85d94 100644
+index 3efa725..27582ca 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -11,12 +11,19 @@
@@ -52553,7 +52554,7 @@ index 3efa725..6d85d94 100644
(total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
mm->locked_vm << (PAGE_SHIFT-10),
mm->pinned_vm << (PAGE_SHIFT-10),
-@@ -62,7 +74,14 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
+@@ -62,7 +74,19 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
data << (PAGE_SHIFT-10),
mm->stack_vm << (PAGE_SHIFT-10), text, lib,
(PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
@@ -52561,15 +52562,20 @@ index 3efa725..6d85d94 100644
+ swap << (PAGE_SHIFT-10)
+
+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
+ , PAX_RAND_FLAGS(mm) ? 0 : mm->context.user_cs_base
+ , PAX_RAND_FLAGS(mm) ? 0 : mm->context.user_cs_limit
++#else
++ , mm->context.user_cs_base
++ , mm->context.user_cs_limit
++#endif
+#endif
+
+ );
}
unsigned long task_vsize(struct mm_struct *mm)
-@@ -125,7 +144,7 @@ static void *m_start(struct seq_file *m, loff_t *pos)
+@@ -125,7 +149,7 @@ static void *m_start(struct seq_file *m, loff_t *pos)
if (!priv->task)
return ERR_PTR(-ESRCH);
@@ -52578,7 +52584,7 @@ index 3efa725..6d85d94 100644
if (!mm || IS_ERR(mm))
return mm;
down_read(&mm->mmap_sem);
-@@ -227,13 +246,13 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+@@ -227,13 +251,13 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
}
@@ -52597,7 +52603,7 @@ index 3efa725..6d85d94 100644
seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
start,
-@@ -242,7 +261,11 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+@@ -242,7 +266,11 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
flags & VM_WRITE ? 'w' : '-',
flags & VM_EXEC ? 'x' : '-',
flags & VM_MAYSHARE ? 's' : 'p',
@@ -52609,7 +52615,7 @@ index 3efa725..6d85d94 100644
MAJOR(dev), MINOR(dev), ino, &len);
/*
-@@ -251,7 +274,7 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+@@ -251,7 +279,7 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
*/
if (file) {
pad_len_spaces(m, len);
@@ -52618,7 +52624,7 @@ index 3efa725..6d85d94 100644
} else {
const char *name = arch_vma_name(vma);
if (!name) {
-@@ -259,8 +282,9 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+@@ -259,8 +287,9 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
if (vma->vm_start <= mm->brk &&
vma->vm_end >= mm->start_brk) {
name = "[heap]";
@@ -52630,7 +52636,7 @@ index 3efa725..6d85d94 100644
name = "[stack]";
}
} else {
-@@ -281,6 +305,13 @@ static int show_map(struct seq_file *m, void *v)
+@@ -281,6 +310,13 @@ static int show_map(struct seq_file *m, void *v)
struct proc_maps_private *priv = m->private;
struct task_struct *task = priv->task;
@@ -52644,7 +52650,7 @@ index 3efa725..6d85d94 100644
show_map_vma(m, vma);
if (m->count < m->size) /* vma is copied successfully */
-@@ -437,12 +468,23 @@ static int show_smap(struct seq_file *m, void *v)
+@@ -437,12 +473,23 @@ static int show_smap(struct seq_file *m, void *v)
.private = &mss,
};
@@ -52673,7 +52679,7 @@ index 3efa725..6d85d94 100644
show_map_vma(m, vma);
seq_printf(m,
-@@ -460,7 +502,11 @@ static int show_smap(struct seq_file *m, void *v)
+@@ -460,7 +507,11 @@ static int show_smap(struct seq_file *m, void *v)
"KernelPageSize: %8lu kB\n"
"MMUPageSize: %8lu kB\n"
"Locked: %8lu kB\n",
@@ -52685,7 +52691,7 @@ index 3efa725..6d85d94 100644
mss.resident >> 10,
(unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
mss.shared_clean >> 10,
-@@ -798,7 +844,7 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
+@@ -798,7 +849,7 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
if (!pm.buffer)
goto out_task;
@@ -52694,7 +52700,7 @@ index 3efa725..6d85d94 100644
ret = PTR_ERR(mm);
if (!mm || IS_ERR(mm))
goto out_free;
-@@ -1024,6 +1070,13 @@ static int show_numa_map(struct seq_file *m, void *v)
+@@ -1024,6 +1075,13 @@ static int show_numa_map(struct seq_file *m, void *v)
int n;
char buffer[50];
@@ -52708,7 +52714,7 @@ index 3efa725..6d85d94 100644
if (!mm)
return 0;
-@@ -1041,11 +1094,15 @@ static int show_numa_map(struct seq_file *m, void *v)
+@@ -1041,11 +1099,15 @@ static int show_numa_map(struct seq_file *m, void *v)
mpol_to_str(buffer, sizeof(buffer), pol, 0);
mpol_cond_put(pol);
@@ -73568,7 +73574,7 @@ index 66e4576..d05c6d5 100644
int this_cpu = smp_processor_id();
struct rq *this_rq = cpu_rq(this_cpu);
diff --git a/kernel/signal.c b/kernel/signal.c
-index d2f55ea..4dc47a0 100644
+index d2f55ea..5725e4f 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cachep;
@@ -73605,7 +73611,17 @@ index d2f55ea..4dc47a0 100644
if (override_rlimit ||
atomic_read(&user->sigpending) <=
task_rlimit(t, RLIMIT_SIGPENDING)) {
-@@ -488,7 +491,7 @@ flush_signal_handlers(struct task_struct *t, int force_default)
+@@ -481,6 +484,9 @@ flush_signal_handlers(struct task_struct *t, int force_default)
+ if (force_default || ka->sa.sa_handler != SIG_IGN)
+ ka->sa.sa_handler = SIG_DFL;
+ ka->sa.sa_flags = 0;
++#ifdef SA_RESTORER
++ ka->sa.sa_restorer = NULL;
++#endif
+ sigemptyset(&ka->sa.sa_mask);
+ ka++;
+ }
+@@ -488,7 +494,7 @@ flush_signal_handlers(struct task_struct *t, int force_default)
int unhandled_signal(struct task_struct *tsk, int sig)
{
@@ -73614,7 +73630,7 @@ index d2f55ea..4dc47a0 100644
if (is_global_init(tsk))
return 1;
if (handler != SIG_IGN && handler != SIG_DFL)
-@@ -809,6 +812,13 @@ static int check_kill_permission(int sig, struct siginfo *info,
+@@ -809,6 +815,13 @@ static int check_kill_permission(int sig, struct siginfo *info,
}
}
@@ -73628,7 +73644,7 @@ index d2f55ea..4dc47a0 100644
return security_task_kill(t, info, sig, 0);
}
-@@ -1159,7 +1169,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
+@@ -1159,7 +1172,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
return send_signal(sig, info, p, 1);
}
@@ -73637,7 +73653,7 @@ index d2f55ea..4dc47a0 100644
specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
{
return send_signal(sig, info, t, 0);
-@@ -1196,6 +1206,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
+@@ -1196,6 +1209,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
unsigned long int flags;
int ret, blocked, ignored;
struct k_sigaction *action;
@@ -73645,7 +73661,7 @@ index d2f55ea..4dc47a0 100644
spin_lock_irqsave(&t->sighand->siglock, flags);
action = &t->sighand->action[sig-1];
-@@ -1210,9 +1221,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
+@@ -1210,9 +1224,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
}
if (action->sa.sa_handler == SIG_DFL)
t->signal->flags &= ~SIGNAL_UNKILLABLE;
@@ -73664,7 +73680,7 @@ index d2f55ea..4dc47a0 100644
return ret;
}
-@@ -1279,8 +1299,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
+@@ -1279,8 +1302,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
ret = check_kill_permission(sig, info, p);
rcu_read_unlock();
@@ -73677,7 +73693,7 @@ index d2f55ea..4dc47a0 100644
return ret;
}
-@@ -2762,7 +2785,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
+@@ -2762,7 +2788,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
int error = -ESRCH;
rcu_read_lock();
@@ -81453,7 +81469,7 @@ index c40f27e..7f49254 100644
m->msg_iov = iov;
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
-index 5229c7f..6cb13fa 100644
+index 5229c7f..d5c2289 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -57,7 +57,7 @@ struct rtnl_link {
@@ -81465,6 +81481,14 @@ index 5229c7f..6cb13fa 100644
static DEFINE_MUTEX(rtnl_mutex);
+@@ -973,6 +973,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
+ * report anything.
+ */
+ ivi.spoofchk = -1;
++ memset(ivi.mac, 0, sizeof(ivi.mac));
+ if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi))
+ break;
+ vf_mac.vf =
diff --git a/net/core/scm.c b/net/core/scm.c
index ff52ad0..aff1c0f 100644
--- a/net/core/scm.c
@@ -81610,6 +81634,66 @@ index 1e8a882..af175b4 100644
}
EXPORT_SYMBOL(sock_init_data);
+diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c
+index d860530..2f9517d 100644
+--- a/net/dcb/dcbnl.c
++++ b/net/dcb/dcbnl.c
+@@ -336,6 +336,7 @@ static int dcbnl_getperm_hwaddr(struct net_device *netdev, struct nlattr **tb,
+ dcb->dcb_family = AF_UNSPEC;
+ dcb->cmd = DCB_CMD_GPERM_HWADDR;
+
++ memset(perm_addr, 0, sizeof(perm_addr));
+ netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr);
+
+ ret = nla_put(dcbnl_skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr),
+@@ -1238,6 +1239,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
+
+ if (ops->ieee_getets) {
+ struct ieee_ets ets;
++ memset(&ets, 0, sizeof(ets));
+ err = ops->ieee_getets(netdev, &ets);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets);
+@@ -1245,6 +1247,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
+
+ if (ops->ieee_getpfc) {
+ struct ieee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->ieee_getpfc(netdev, &pfc);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_IEEE_PFC, sizeof(pfc), &pfc);
+@@ -1277,6 +1280,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
+ /* get peer info if available */
+ if (ops->ieee_peer_getets) {
+ struct ieee_ets ets;
++ memset(&ets, 0, sizeof(ets));
+ err = ops->ieee_peer_getets(netdev, &ets);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets);
+@@ -1284,6 +1288,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
+
+ if (ops->ieee_peer_getpfc) {
+ struct ieee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->ieee_peer_getpfc(netdev, &pfc);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc);
+@@ -1463,6 +1468,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev)
+ /* peer info if available */
+ if (ops->cee_peer_getpg) {
+ struct cee_pg pg;
++ memset(&pg, 0, sizeof(pg));
+ err = ops->cee_peer_getpg(netdev, &pg);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg);
+@@ -1470,6 +1476,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev)
+
+ if (ops->cee_peer_getpfc) {
+ struct cee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->cee_peer_getpfc(netdev, &pfc);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc);
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
index 19acd00..dcb43f2 100644
--- a/net/decnet/af_decnet.c
diff --git a/3.8.2/0000_README b/3.8.2/0000_README
index ff4a56d..3b4b3f3 100644
--- a/3.8.2/0000_README
+++ b/3.8.2/0000_README
@@ -6,7 +6,7 @@ Patch: 1001_linux-3.8.1.patch
From: http://www.kernel.org
Desc: Linux 3.8.1
-Patch: 4420_grsecurity-2.9.1-3.8.2-201303082215.patch
+Patch: 4420_grsecurity-2.9.1-3.8.2-201303111845.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.8.2/4420_grsecurity-2.9.1-3.8.2-201303082215.patch b/3.8.2/4420_grsecurity-2.9.1-3.8.2-201303111845.patch
similarity index 99%
rename from 3.8.2/4420_grsecurity-2.9.1-3.8.2-201303082215.patch
rename to 3.8.2/4420_grsecurity-2.9.1-3.8.2-201303111845.patch
index 6e0e897..e088f8a 100644
--- a/3.8.2/4420_grsecurity-2.9.1-3.8.2-201303082215.patch
+++ b/3.8.2/4420_grsecurity-2.9.1-3.8.2-201303111845.patch
@@ -225,7 +225,7 @@ index b89a739..b47493f 100644
+zconf.lex.c
zoffset.h
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
-index 986614d..0afd461 100644
+index 986614d..e8bfedc 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -922,6 +922,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
@@ -239,7 +239,7 @@ index 986614d..0afd461 100644
hashdist= [KNL,NUMA] Large hashes allocated during boot
are distributed across NUMA nodes. Defaults on
for 64-bit NUMA, off otherwise.
-@@ -2121,6 +2125,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+@@ -2121,6 +2125,18 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
the specified number of seconds. This is to be used if
your oopses keep scrolling off the screen.
@@ -250,6 +250,11 @@ index 986614d..0afd461 100644
+
+ pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
+
++ pax_extra_latent_entropy
++ Enable a very simple form of latent entropy extraction
++ from the first 4GB of memory as the bootmem allocator
++ passes the memory pages to the buddy allocator.
++
pcbit= [HW,ISDN]
pcd. [PARIDE]
@@ -2798,6 +2803,26 @@ index 1e9be5d..03edbc2 100644
#endif
int
+diff --git a/arch/arm/kernel/patch.c b/arch/arm/kernel/patch.c
+index 07314af..c46655c 100644
+--- a/arch/arm/kernel/patch.c
++++ b/arch/arm/kernel/patch.c
+@@ -18,6 +18,7 @@ void __kprobes __patch_text(void *addr, unsigned int insn)
+ bool thumb2 = IS_ENABLED(CONFIG_THUMB2_KERNEL);
+ int size;
+
++ pax_open_kernel();
+ if (thumb2 && __opcode_is_thumb16(insn)) {
+ *(u16 *)addr = __opcode_to_mem_thumb16(insn);
+ size = sizeof(u16);
+@@ -39,6 +40,7 @@ void __kprobes __patch_text(void *addr, unsigned int insn)
+ *(u32 *)addr = insn;
+ size = sizeof(u32);
+ }
++ pax_close_kernel();
+
+ flush_icache_range((uintptr_t)(addr),
+ (uintptr_t)(addr) + size);
diff --git a/arch/arm/kernel/perf_event_cpu.c b/arch/arm/kernel/perf_event_cpu.c
index 5f66206..dce492f 100644
--- a/arch/arm/kernel/perf_event_cpu.c
@@ -22328,10 +22353,10 @@ index 9b4d51d..5d28b58 100644
switch (opcode[i]) {
diff --git a/arch/x86/kernel/sys_i386_32.c b/arch/x86/kernel/sys_i386_32.c
new file mode 100644
-index 0000000..26bb1af
+index 0000000..207bec6
--- /dev/null
+++ b/arch/x86/kernel/sys_i386_32.c
-@@ -0,0 +1,249 @@
+@@ -0,0 +1,250 @@
+/*
+ * This file contains various random system calls that
+ * have a non-standard calling sequence on the Linux/i386
@@ -22367,8 +22392,9 @@ index 0000000..26bb1af
+ pax_task_size = SEGMEXEC_TASK_SIZE;
+#endif
+
-+ if (len > pax_task_size || addr > pax_task_size - len)
-+ return -EINVAL;
++ if (flags & MAP_FIXED)
++ if (len > pax_task_size || addr > pax_task_size - len)
++ return -EINVAL;
+
+ return 0;
+}
@@ -31370,9 +31396,18 @@ index be60399..778b33e8 100644
bgrt_kobj = kobject_create_and_add("bgrt", acpi_kobj);
if (!bgrt_kobj)
diff --git a/drivers/acpi/blacklist.c b/drivers/acpi/blacklist.c
-index cb96296..2d6082b 100644
+index cb96296..b81293b 100644
--- a/drivers/acpi/blacklist.c
+++ b/drivers/acpi/blacklist.c
+@@ -52,7 +52,7 @@ struct acpi_blacklist_item {
+ u32 is_critical_error;
+ };
+
+-static struct dmi_system_id acpi_osi_dmi_table[] __initdata;
++static const struct dmi_system_id acpi_osi_dmi_table[] __initconst;
+
+ /*
+ * POLICY: If *anything* doesn't work, put it on the blacklist.
@@ -193,7 +193,7 @@ static int __init dmi_disable_osi_win7(const struct dmi_system_id *d)
return 0;
}
@@ -43843,10 +43878,18 @@ index 4f27fdc..d3537e6 100644
}
diff --git a/drivers/video/aty/mach64_cursor.c b/drivers/video/aty/mach64_cursor.c
-index 95ec042..ae33e7a 100644
+index 95ec042..e6affdd 100644
--- a/drivers/video/aty/mach64_cursor.c
+++ b/drivers/video/aty/mach64_cursor.c
-@@ -208,7 +208,9 @@ int aty_init_cursor(struct fb_info *info)
+@@ -7,6 +7,7 @@
+ #include <linux/string.h>
+
+ #include <asm/io.h>
++#include <asm/pgtable.h>
+
+ #ifdef __sparc__
+ #include <asm/fbio.h>
+@@ -208,7 +209,9 @@ int aty_init_cursor(struct fb_info *info)
info->sprite.buf_align = 16; /* and 64 lines tall. */
info->sprite.flags = FB_PIXMAP_IO;
@@ -47369,7 +47412,7 @@ index 6043567..16a9239 100644
fd_offset + ex.a_text);
if (error != N_DATADDR(ex)) {
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index 0c42cdb..f4be023 100644
+index 0c42cdb..9551bb8 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -33,6 +33,7 @@
@@ -47866,7 +47909,7 @@ index 0c42cdb..f4be023 100644
loc = kmalloc(sizeof(*loc), GFP_KERNEL);
if (!loc) {
-@@ -715,11 +1050,81 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -715,11 +1050,82 @@ static int load_elf_binary(struct linux_binprm *bprm)
goto out_free_dentry;
/* OK, This is the point of no return */
@@ -47887,6 +47930,7 @@ index 0c42cdb..f4be023 100644
+#ifdef CONFIG_PAX_ASLR
+ current->mm->delta_mmap = 0UL;
+ current->mm->delta_stack = 0UL;
++ current->mm->aslr_gap = 0UL;
+#endif
+
+ current->mm->def_flags = 0;
@@ -47949,7 +47993,7 @@ index 0c42cdb..f4be023 100644
if (elf_read_implies_exec(loc->elf_ex, executable_stack))
current->personality |= READ_IMPLIES_EXEC;
-@@ -810,6 +1215,20 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -810,6 +1216,20 @@ static int load_elf_binary(struct linux_binprm *bprm)
#else
load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
#endif
@@ -47970,7 +48014,7 @@ index 0c42cdb..f4be023 100644
}
error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
-@@ -842,9 +1261,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -842,9 +1262,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
* allowed task size. Note that p_filesz must always be
* <= p_memsz so it is only necessary to check p_memsz.
*/
@@ -47983,7 +48027,7 @@ index 0c42cdb..f4be023 100644
/* set_brk can never work. Avoid overflows. */
send_sig(SIGKILL, current, 0);
retval = -EINVAL;
-@@ -883,17 +1302,44 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -883,17 +1303,44 @@ static int load_elf_binary(struct linux_binprm *bprm)
goto out_free_dentry;
}
if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
@@ -48009,7 +48053,7 @@ index 0c42cdb..f4be023 100644
+ unsigned long prot = PROT_NONE;
+
+ up_read(¤t->mm->mmap_sem);
-+ current->mm->brk_gap = PAGE_ALIGN(size) >> PAGE_SHIFT;
++ current->mm->aslr_gap += PAGE_ALIGN(size) >> PAGE_SHIFT;
+// if (current->personality & ADDR_NO_RANDOMIZE)
+// prot = PROT_READ;
+ start = vm_mmap(NULL, start, size, prot, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0);
@@ -48034,7 +48078,7 @@ index 0c42cdb..f4be023 100644
load_bias);
if (!IS_ERR((void *)elf_entry)) {
/*
-@@ -1115,7 +1561,7 @@ static bool always_dump_vma(struct vm_area_struct *vma)
+@@ -1115,7 +1562,7 @@ static bool always_dump_vma(struct vm_area_struct *vma)
* Decide what to dump of a segment, part, all or none.
*/
static unsigned long vma_dump_size(struct vm_area_struct *vma,
@@ -48043,7 +48087,7 @@ index 0c42cdb..f4be023 100644
{
#define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
-@@ -1152,7 +1598,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
+@@ -1152,7 +1599,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
if (vma->vm_file == NULL)
return 0;
@@ -48052,7 +48096,7 @@ index 0c42cdb..f4be023 100644
goto whole;
/*
-@@ -1374,9 +1820,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
+@@ -1374,9 +1821,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
{
elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
int i = 0;
@@ -48064,7 +48108,7 @@ index 0c42cdb..f4be023 100644
fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
}
-@@ -2006,14 +2452,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
+@@ -2006,14 +2453,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
}
static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
@@ -48081,7 +48125,7 @@ index 0c42cdb..f4be023 100644
return size;
}
-@@ -2107,7 +2553,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2107,7 +2554,7 @@ static int elf_core_dump(struct coredump_params *cprm)
dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
@@ -48090,7 +48134,7 @@ index 0c42cdb..f4be023 100644
offset += elf_core_extra_data_size();
e_shoff = offset;
-@@ -2121,10 +2567,12 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2121,10 +2568,12 @@ static int elf_core_dump(struct coredump_params *cprm)
offset = dataoff;
size += sizeof(*elf);
@@ -48103,7 +48147,7 @@ index 0c42cdb..f4be023 100644
if (size > cprm->limit
|| !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
goto end_coredump;
-@@ -2138,7 +2586,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2138,7 +2587,7 @@ static int elf_core_dump(struct coredump_params *cprm)
phdr.p_offset = offset;
phdr.p_vaddr = vma->vm_start;
phdr.p_paddr = 0;
@@ -48112,7 +48156,7 @@ index 0c42cdb..f4be023 100644
phdr.p_memsz = vma->vm_end - vma->vm_start;
offset += phdr.p_filesz;
phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
-@@ -2149,6 +2597,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2149,6 +2598,7 @@ static int elf_core_dump(struct coredump_params *cprm)
phdr.p_align = ELF_EXEC_PAGESIZE;
size += sizeof(phdr);
@@ -48120,7 +48164,7 @@ index 0c42cdb..f4be023 100644
if (size > cprm->limit
|| !dump_write(cprm->file, &phdr, sizeof(phdr)))
goto end_coredump;
-@@ -2173,7 +2622,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2173,7 +2623,7 @@ static int elf_core_dump(struct coredump_params *cprm)
unsigned long addr;
unsigned long end;
@@ -48129,7 +48173,7 @@ index 0c42cdb..f4be023 100644
for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
struct page *page;
-@@ -2182,6 +2631,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2182,6 +2632,7 @@ static int elf_core_dump(struct coredump_params *cprm)
page = get_dump_page(addr);
if (page) {
void *kaddr = kmap(page);
@@ -48137,7 +48181,7 @@ index 0c42cdb..f4be023 100644
stop = ((size += PAGE_SIZE) > cprm->limit) ||
!dump_write(cprm->file, kaddr,
PAGE_SIZE);
-@@ -2199,6 +2649,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2199,6 +2650,7 @@ static int elf_core_dump(struct coredump_params *cprm)
if (e_phnum == PN_XNUM) {
size += sizeof(*shdr4extnum);
@@ -48145,7 +48189,7 @@ index 0c42cdb..f4be023 100644
if (size > cprm->limit
|| !dump_write(cprm->file, shdr4extnum,
sizeof(*shdr4extnum)))
-@@ -2219,6 +2670,97 @@ out:
+@@ -2219,6 +2671,97 @@ out:
#endif /* CONFIG_ELF_CORE */
@@ -49502,7 +49546,7 @@ index b2a34a1..162fa69 100644
return rc;
}
diff --git a/fs/exec.c b/fs/exec.c
-index 20df02c..9b8f78d 100644
+index 20df02c..81c9e78 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -55,6 +55,17 @@
@@ -49767,7 +49811,7 @@ index 20df02c..9b8f78d 100644
/* mprotect_fixup is overkill to remove the temporary stack flags */
vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
-@@ -737,6 +776,27 @@ int setup_arg_pages(struct linux_binprm *bprm,
+@@ -737,6 +776,30 @@ int setup_arg_pages(struct linux_binprm *bprm,
#endif
current->mm->start_stack = bprm->p;
ret = expand_stack(vma, stack_base);
@@ -49784,8 +49828,11 @@ index 20df02c..9b8f78d 100644
+
+#ifdef CONFIG_X86
+ if (!ret) {
++ current->mm->aslr_gap += size >> PAGE_SHIFT;
+ size = mmap_min_addr + ((mm->delta_mmap ^ mm->delta_stack) & (0xFFUL << PAGE_SHIFT));
+ ret = 0 != mmap_region(NULL, 0, size, flags, vm_flags, 0);
++ if (!ret)
++ current->mm->aslr_gap += size >> PAGE_SHIFT;
+ }
+#endif
+
@@ -49795,7 +49842,7 @@ index 20df02c..9b8f78d 100644
if (ret)
ret = -EFAULT;
-@@ -772,6 +832,8 @@ struct file *open_exec(const char *name)
+@@ -772,6 +835,8 @@ struct file *open_exec(const char *name)
fsnotify_open(file);
@@ -49804,7 +49851,7 @@ index 20df02c..9b8f78d 100644
err = deny_write_access(file);
if (err)
goto exit;
-@@ -795,7 +857,7 @@ int kernel_read(struct file *file, loff_t offset,
+@@ -795,7 +860,7 @@ int kernel_read(struct file *file, loff_t offset,
old_fs = get_fs();
set_fs(get_ds());
/* The cast to a user pointer is valid due to the set_fs() */
@@ -49813,7 +49860,7 @@ index 20df02c..9b8f78d 100644
set_fs(old_fs);
return result;
}
-@@ -1247,7 +1309,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
+@@ -1247,7 +1312,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
}
rcu_read_unlock();
@@ -49822,7 +49869,7 @@ index 20df02c..9b8f78d 100644
bprm->unsafe |= LSM_UNSAFE_SHARE;
} else {
res = -EAGAIN;
-@@ -1447,6 +1509,28 @@ int search_binary_handler(struct linux_binprm *bprm)
+@@ -1447,6 +1512,28 @@ int search_binary_handler(struct linux_binprm *bprm)
EXPORT_SYMBOL(search_binary_handler);
@@ -49851,7 +49898,7 @@ index 20df02c..9b8f78d 100644
/*
* sys_execve() executes a new program.
*/
-@@ -1454,6 +1538,11 @@ static int do_execve_common(const char *filename,
+@@ -1454,6 +1541,11 @@ static int do_execve_common(const char *filename,
struct user_arg_ptr argv,
struct user_arg_ptr envp)
{
@@ -49863,7 +49910,7 @@ index 20df02c..9b8f78d 100644
struct linux_binprm *bprm;
struct file *file;
struct files_struct *displaced;
-@@ -1461,6 +1550,8 @@ static int do_execve_common(const char *filename,
+@@ -1461,6 +1553,8 @@ static int do_execve_common(const char *filename,
int retval;
const struct cred *cred = current_cred();
@@ -49872,7 +49919,7 @@ index 20df02c..9b8f78d 100644
/*
* We move the actual failure in case of RLIMIT_NPROC excess from
* set*uid() to execve() because too many poorly written programs
-@@ -1501,12 +1592,27 @@ static int do_execve_common(const char *filename,
+@@ -1501,12 +1595,27 @@ static int do_execve_common(const char *filename,
if (IS_ERR(file))
goto out_unmark;
@@ -49900,7 +49947,7 @@ index 20df02c..9b8f78d 100644
retval = bprm_mm_init(bprm);
if (retval)
goto out_file;
-@@ -1523,24 +1629,65 @@ static int do_execve_common(const char *filename,
+@@ -1523,24 +1632,65 @@ static int do_execve_common(const char *filename,
if (retval < 0)
goto out;
@@ -49970,7 +50017,7 @@ index 20df02c..9b8f78d 100644
current->fs->in_exec = 0;
current->in_execve = 0;
acct_update_integrals(current);
-@@ -1549,6 +1696,14 @@ static int do_execve_common(const char *filename,
+@@ -1549,6 +1699,14 @@ static int do_execve_common(const char *filename,
put_files_struct(displaced);
return retval;
@@ -49985,7 +50032,7 @@ index 20df02c..9b8f78d 100644
out:
if (bprm->mm) {
acct_arg_size(bprm, 0);
-@@ -1697,3 +1852,253 @@ asmlinkage long compat_sys_execve(const char __user * filename,
+@@ -1697,3 +1855,253 @@ asmlinkage long compat_sys_execve(const char __user * filename,
return error;
}
#endif
@@ -68780,7 +68827,7 @@ index 66e2f7c..ea88001 100644
#endif /* __KERNEL__ */
#endif /* _LINUX_MM_H */
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
-index f8f5162..6276a36 100644
+index f8f5162..a039af9 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -288,6 +288,8 @@ struct vm_area_struct {
@@ -68797,7 +68844,7 @@ index f8f5162..6276a36 100644
unsigned long nr_ptes; /* Page table pages */
unsigned long start_code, end_code, start_data, end_data;
- unsigned long start_brk, brk, start_stack;
-+ unsigned long brk_gap, start_brk, brk, start_stack;
++ unsigned long aslr_gap, start_brk, brk, start_stack;
unsigned long arg_start, arg_end, env_start, env_end;
unsigned long saved_auxv[AT_VECTOR_SIZE]; /* for /proc/PID/auxv */
@@ -72264,7 +72311,7 @@ index 84c6bf1..8899338 100644
next_state = Reset;
return 0;
diff --git a/init/main.c b/init/main.c
-index cee4b5c..9c267d9 100644
+index cee4b5c..6a3402b 100644
--- a/init/main.c
+++ b/init/main.c
@@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void) { }
@@ -72366,18 +72413,7 @@ index cee4b5c..9c267d9 100644
}
return ret;
-@@ -743,6 +801,10 @@ static char *initcall_level_names[] __initdata = {
- "late",
- };
-
-+#ifdef CONFIG_PAX_LATENT_ENTROPY
-+u64 latent_entropy;
-+#endif
-+
- static void __init do_initcall_level(int level)
- {
- extern const struct kernel_param __start___param[], __stop___param[];
-@@ -755,8 +817,14 @@ static void __init do_initcall_level(int level)
+@@ -755,8 +813,14 @@ static void __init do_initcall_level(int level)
level, level,
&repair_env_string);
@@ -72386,14 +72422,14 @@ index cee4b5c..9c267d9 100644
do_one_initcall(*fn);
+
+#ifdef CONFIG_PAX_LATENT_ENTROPY
-+ add_device_randomness(&latent_entropy, sizeof(latent_entropy));
++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
+#endif
+
+ }
}
static void __init do_initcalls(void)
-@@ -790,8 +858,14 @@ static void __init do_pre_smp_initcalls(void)
+@@ -790,8 +854,14 @@ static void __init do_pre_smp_initcalls(void)
{
initcall_t *fn;
@@ -72402,14 +72438,14 @@ index cee4b5c..9c267d9 100644
do_one_initcall(*fn);
+
+#ifdef CONFIG_PAX_LATENT_ENTROPY
-+ add_device_randomness(&latent_entropy, sizeof(latent_entropy));
++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
+#endif
+
+ }
}
static int run_init_process(const char *init_filename)
-@@ -877,7 +951,7 @@ static noinline void __init kernel_init_freeable(void)
+@@ -877,7 +947,7 @@ static noinline void __init kernel_init_freeable(void)
do_basic_setup();
/* Open the /dev/console on the rootfs, this should never fail */
@@ -72418,7 +72454,7 @@ index cee4b5c..9c267d9 100644
printk(KERN_WARNING "Warning: unable to open an initial console.\n");
(void) sys_dup(0);
-@@ -890,11 +964,13 @@ static noinline void __init kernel_init_freeable(void)
+@@ -890,11 +960,13 @@ static noinline void __init kernel_init_freeable(void)
if (!ramdisk_execute_command)
ramdisk_execute_command = "/init";
@@ -72508,7 +72544,7 @@ index 71a3ca1..cc330ee 100644
if (u->mq_bytes + mq_bytes < u->mq_bytes ||
u->mq_bytes + mq_bytes > rlimit(RLIMIT_MSGQUEUE)) {
diff --git a/ipc/msg.c b/ipc/msg.c
-index 950572f..266c15f 100644
+index 950572f..362ea07 100644
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -309,18 +309,19 @@ static inline int msg_security(struct kern_ipc_perm *ipcp, int msgflg)
@@ -72536,6 +72572,40 @@ index 950572f..266c15f 100644
msg_params.key = key;
msg_params.flg = msgflg;
+@@ -820,15 +821,17 @@ long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp,
+ struct msg_msg *copy = NULL;
+ unsigned long copy_number = 0;
+
++ ns = current->nsproxy->ipc_ns;
++
+ if (msqid < 0 || (long) bufsz < 0)
+ return -EINVAL;
+ if (msgflg & MSG_COPY) {
+- copy = prepare_copy(buf, bufsz, msgflg, &msgtyp, ©_number);
++ copy = prepare_copy(buf, min_t(size_t, bufsz, ns->msg_ctlmax),
++ msgflg, &msgtyp, ©_number);
+ if (IS_ERR(copy))
+ return PTR_ERR(copy);
+ }
+ mode = convert_mode(&msgtyp, msgflg);
+- ns = current->nsproxy->ipc_ns;
+
+ msq = msg_lock_check(ns, msqid);
+ if (IS_ERR(msq)) {
+diff --git a/ipc/msgutil.c b/ipc/msgutil.c
+index ebfcbfa..5df8e4b 100644
+--- a/ipc/msgutil.c
++++ b/ipc/msgutil.c
+@@ -117,9 +117,6 @@ struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst)
+ if (alen > DATALEN_MSG)
+ alen = DATALEN_MSG;
+
+- dst->next = NULL;
+- dst->security = NULL;
+-
+ memcpy(dst + 1, src + 1, alen);
+
+ len -= alen;
diff --git a/ipc/sem.c b/ipc/sem.c
index 58d31f1..cce7a55 100644
--- a/ipc/sem.c
@@ -76688,7 +76758,7 @@ index 81fa536..6ccf96a 100644
int this_cpu = smp_processor_id();
struct rq *this_rq = cpu_rq(this_cpu);
diff --git a/kernel/signal.c b/kernel/signal.c
-index 3d09cf6..a67d2c6 100644
+index 3d09cf6..8988390 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -50,12 +50,12 @@ static struct kmem_cache *sigqueue_cachep;
@@ -76725,7 +76795,17 @@ index 3d09cf6..a67d2c6 100644
if (override_rlimit ||
atomic_read(&user->sigpending) <=
task_rlimit(t, RLIMIT_SIGPENDING)) {
-@@ -492,7 +495,7 @@ flush_signal_handlers(struct task_struct *t, int force_default)
+@@ -485,6 +488,9 @@ flush_signal_handlers(struct task_struct *t, int force_default)
+ if (force_default || ka->sa.sa_handler != SIG_IGN)
+ ka->sa.sa_handler = SIG_DFL;
+ ka->sa.sa_flags = 0;
++#ifdef SA_RESTORER
++ ka->sa.sa_restorer = NULL;
++#endif
+ sigemptyset(&ka->sa.sa_mask);
+ ka++;
+ }
+@@ -492,7 +498,7 @@ flush_signal_handlers(struct task_struct *t, int force_default)
int unhandled_signal(struct task_struct *tsk, int sig)
{
@@ -76734,7 +76814,7 @@ index 3d09cf6..a67d2c6 100644
if (is_global_init(tsk))
return 1;
if (handler != SIG_IGN && handler != SIG_DFL)
-@@ -812,6 +815,13 @@ static int check_kill_permission(int sig, struct siginfo *info,
+@@ -812,6 +818,13 @@ static int check_kill_permission(int sig, struct siginfo *info,
}
}
@@ -76748,7 +76828,7 @@ index 3d09cf6..a67d2c6 100644
return security_task_kill(t, info, sig, 0);
}
-@@ -1194,7 +1204,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
+@@ -1194,7 +1207,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
return send_signal(sig, info, p, 1);
}
@@ -76757,7 +76837,7 @@ index 3d09cf6..a67d2c6 100644
specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
{
return send_signal(sig, info, t, 0);
-@@ -1231,6 +1241,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
+@@ -1231,6 +1244,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
unsigned long int flags;
int ret, blocked, ignored;
struct k_sigaction *action;
@@ -76765,7 +76845,7 @@ index 3d09cf6..a67d2c6 100644
spin_lock_irqsave(&t->sighand->siglock, flags);
action = &t->sighand->action[sig-1];
-@@ -1245,9 +1256,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
+@@ -1245,9 +1259,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
}
if (action->sa.sa_handler == SIG_DFL)
t->signal->flags &= ~SIGNAL_UNKILLABLE;
@@ -76784,7 +76864,7 @@ index 3d09cf6..a67d2c6 100644
return ret;
}
-@@ -1314,8 +1334,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
+@@ -1314,8 +1337,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
ret = check_kill_permission(sig, info, p);
rcu_read_unlock();
@@ -76797,7 +76877,7 @@ index 3d09cf6..a67d2c6 100644
return ret;
}
-@@ -2852,7 +2875,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
+@@ -2852,7 +2878,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
int error = -ESRCH;
rcu_read_lock();
@@ -76814,7 +76894,7 @@ index 3d09cf6..a67d2c6 100644
if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
error = check_kill_permission(sig, info, p);
/*
-@@ -3135,8 +3166,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack,
+@@ -3135,8 +3169,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack,
}
seg = get_fs();
set_fs(KERNEL_DS);
@@ -80133,7 +80213,7 @@ index c9bd528..da8d069 100644
capable(CAP_IPC_LOCK))
ret = do_mlockall(flags);
diff --git a/mm/mmap.c b/mm/mmap.c
-index 8832b87..7d36e4f 100644
+index 8832b87..20500c1 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -32,6 +32,7 @@
@@ -81299,7 +81379,7 @@ index 8832b87..7d36e4f 100644
+#ifdef CONFIG_PAX_RANDMMAP
+ if (mm->pax_flags & MF_PAX_RANDMMAP)
-+ cur -= mm->brk_gap;
++ cur -= mm->aslr_gap;
+#endif
+
+ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
@@ -81717,10 +81797,18 @@ index 0713bfb..e3774e0 100644
.next = NULL,
};
diff --git a/mm/page_alloc.c b/mm/page_alloc.c
-index 6a83cd3..bc2dcb6 100644
+index 6a83cd3..3ab04ef 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
-@@ -338,7 +338,7 @@ out:
+@@ -58,6 +58,7 @@
+ #include <linux/prefetch.h>
+ #include <linux/migrate.h>
+ #include <linux/page-debug-flags.h>
++#include <linux/random.h>
+
+ #include <asm/tlbflush.h>
+ #include <asm/div64.h>
+@@ -338,7 +339,7 @@ out:
* This usage means that zero-order pages may not be compound.
*/
@@ -81729,7 +81817,7 @@ index 6a83cd3..bc2dcb6 100644
{
__free_pages_ok(page, compound_order(page));
}
-@@ -693,6 +693,10 @@ static bool free_pages_prepare(struct page *page, unsigned int order)
+@@ -693,6 +694,10 @@ static bool free_pages_prepare(struct page *page, unsigned int order)
int i;
int bad = 0;
@@ -81740,7 +81828,7 @@ index 6a83cd3..bc2dcb6 100644
trace_mm_page_free(page, order);
kmemcheck_free_shadow(page, order);
-@@ -708,6 +712,12 @@ static bool free_pages_prepare(struct page *page, unsigned int order)
+@@ -708,6 +713,12 @@ static bool free_pages_prepare(struct page *page, unsigned int order)
debug_check_no_obj_freed(page_address(page),
PAGE_SIZE << order);
}
@@ -81753,7 +81841,47 @@ index 6a83cd3..bc2dcb6 100644
arch_free_page(page, order);
kernel_map_pages(page, 1 << order, 0);
-@@ -861,8 +871,10 @@ static int prep_new_page(struct page *page, int order, gfp_t gfp_flags)
+@@ -730,6 +741,19 @@ static void __free_pages_ok(struct page *page, unsigned int order)
+ local_irq_restore(flags);
+ }
+
++#ifdef CONFIG_PAX_LATENT_ENTROPY
++bool __meminitdata extra_latent_entropy;
++
++static int __init setup_pax_extra_latent_entropy(char *str)
++{
++ extra_latent_entropy = true;
++ return 0;
++}
++early_param("pax_extra_latent_entropy", setup_pax_extra_latent_entropy);
++
++volatile u64 latent_entropy;
++#endif
++
+ /*
+ * Read access to zone->managed_pages is safe because it's unsigned long,
+ * but we still need to serialize writers. Currently all callers of
+@@ -752,6 +776,19 @@ void __meminit __free_pages_bootmem(struct page *page, unsigned int order)
+ set_page_count(p, 0);
+ }
+
++#ifdef CONFIG_PAX_LATENT_ENTROPY
++ if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
++ u64 hash = 0;
++ size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
++ const u64 *data = lowmem_page_address(page);
++
++ for (index = 0; index < end; index++)
++ hash ^= hash + data[index];
++ latent_entropy ^= hash;
++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
++ }
++#endif
++
+ page_zone(page)->managed_pages += 1 << order;
+ set_page_refcounted(page);
+ __free_pages(page, order);
+@@ -861,8 +898,10 @@ static int prep_new_page(struct page *page, int order, gfp_t gfp_flags)
arch_alloc_page(page, order);
kernel_map_pages(page, 1 << order, 1);
@@ -81764,7 +81892,7 @@ index 6a83cd3..bc2dcb6 100644
if (order && (gfp_flags & __GFP_COMP))
prep_compound_page(page, order);
-@@ -3752,7 +3764,13 @@ static int pageblock_is_reserved(unsigned long start_pfn, unsigned long end_pfn)
+@@ -3752,7 +3791,13 @@ static int pageblock_is_reserved(unsigned long start_pfn, unsigned long end_pfn)
unsigned long pfn;
for (pfn = start_pfn; pfn < end_pfn; pfn++) {
@@ -83712,6 +83840,42 @@ index bd6fd0f..6492cba 100644
spin_unlock_irqrestore(&dev->port.lock, flags);
if (dev->tty_dev->parent)
device_move(dev->tty_dev, NULL, DPM_ORDER_DEV_LAST);
+diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c
+index acc9f4c..2897e40 100644
+--- a/net/bridge/br_mdb.c
++++ b/net/bridge/br_mdb.c
+@@ -82,6 +82,7 @@ static int br_mdb_fill_info(struct sk_buff *skb, struct netlink_callback *cb,
+ port = p->port;
+ if (port) {
+ struct br_mdb_entry e;
++ memset(&e, 0, sizeof(e));
+ e.ifindex = port->dev->ifindex;
+ e.state = p->state;
+ if (p->addr.proto == htons(ETH_P_IP))
+@@ -138,6 +139,7 @@ static int br_mdb_dump(struct sk_buff *skb, struct netlink_callback *cb)
+ break;
+
+ bpm = nlmsg_data(nlh);
++ memset(bpm, 0, sizeof(*bpm));
+ bpm->ifindex = dev->ifindex;
+ if (br_mdb_fill_info(skb, cb, dev) < 0)
+ goto out;
+@@ -173,6 +175,7 @@ static int nlmsg_populate_mdb_fill(struct sk_buff *skb,
+ return -EMSGSIZE;
+
+ bpm = nlmsg_data(nlh);
++ memset(bpm, 0, sizeof(*bpm));
+ bpm->family = AF_BRIDGE;
+ bpm->ifindex = dev->ifindex;
+ nest = nla_nest_start(skb, MDBA_MDB);
+@@ -230,6 +233,7 @@ void br_mdb_notify(struct net_device *dev, struct net_bridge_port *port,
+ {
+ struct br_mdb_entry entry;
+
++ memset(&entry, 0, sizeof(entry));
+ entry.ifindex = port->dev->ifindex;
+ entry.addr.proto = group->proto;
+ entry.addr.u.ip4 = group->u.ip4;
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 5fe2ff3..121d696 100644
--- a/net/bridge/netfilter/ebtables.c
@@ -84216,7 +84380,7 @@ index 8acce01..2e306bb 100644
return error;
}
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
-index 1868625..b1b1284 100644
+index 1868625..e2261f5 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -58,7 +58,7 @@ struct rtnl_link {
@@ -84254,6 +84418,14 @@ index 1868625..b1b1284 100644
}
EXPORT_SYMBOL_GPL(__rtnl_link_unregister);
+@@ -976,6 +979,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
+ * report anything.
+ */
+ ivi.spoofchk = -1;
++ memset(ivi.mac, 0, sizeof(ivi.mac));
+ if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi))
+ break;
+ vf_mac.vf =
diff --git a/net/core/scm.c b/net/core/scm.c
index 905dcc6..14ee2d6 100644
--- a/net/core/scm.c
@@ -84551,6 +84723,74 @@ index d1b0804..4aed0a5 100644
.init = sysctl_core_net_init,
.exit = sysctl_core_net_exit,
};
+diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c
+index 1b588e2..21291f1 100644
+--- a/net/dcb/dcbnl.c
++++ b/net/dcb/dcbnl.c
+@@ -284,6 +284,7 @@ static int dcbnl_getperm_hwaddr(struct net_device *netdev, struct nlmsghdr *nlh,
+ if (!netdev->dcbnl_ops->getpermhwaddr)
+ return -EOPNOTSUPP;
+
++ memset(perm_addr, 0, sizeof(perm_addr));
+ netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr);
+
+ return nla_put(skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr), perm_addr);
+@@ -1042,6 +1043,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
+
+ if (ops->ieee_getets) {
+ struct ieee_ets ets;
++ memset(&ets, 0, sizeof(ets));
+ err = ops->ieee_getets(netdev, &ets);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets))
+@@ -1050,6 +1052,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
+
+ if (ops->ieee_getmaxrate) {
+ struct ieee_maxrate maxrate;
++ memset(&maxrate, 0, sizeof(maxrate));
+ err = ops->ieee_getmaxrate(netdev, &maxrate);
+ if (!err) {
+ err = nla_put(skb, DCB_ATTR_IEEE_MAXRATE,
+@@ -1061,6 +1064,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
+
+ if (ops->ieee_getpfc) {
+ struct ieee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->ieee_getpfc(netdev, &pfc);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_IEEE_PFC, sizeof(pfc), &pfc))
+@@ -1094,6 +1098,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
+ /* get peer info if available */
+ if (ops->ieee_peer_getets) {
+ struct ieee_ets ets;
++ memset(&ets, 0, sizeof(ets));
+ err = ops->ieee_peer_getets(netdev, &ets);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets))
+@@ -1102,6 +1107,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
+
+ if (ops->ieee_peer_getpfc) {
+ struct ieee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->ieee_peer_getpfc(netdev, &pfc);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc))
+@@ -1280,6 +1286,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev)
+ /* peer info if available */
+ if (ops->cee_peer_getpg) {
+ struct cee_pg pg;
++ memset(&pg, 0, sizeof(pg));
+ err = ops->cee_peer_getpg(netdev, &pg);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg))
+@@ -1288,6 +1295,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev)
+
+ if (ops->cee_peer_getpfc) {
+ struct cee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->cee_peer_getpfc(netdev, &pfc);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc))
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
index 307c322..78a4c6f 100644
--- a/net/decnet/af_decnet.c
@@ -89156,10 +89396,10 @@ index e4fd45b..2eeb5c4 100644
shdr = (Elf_Shdr *)((char *)ehdr + _r(&ehdr->e_shoff));
shstrtab_sec = shdr + r2(&ehdr->e_shstrndx);
diff --git a/security/Kconfig b/security/Kconfig
-index e9c6ac7..da94e8b 100644
+index e9c6ac7..952353c 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,920 @@
+@@ -4,6 +4,925 @@
menu "Security options"
@@ -90060,6 +90300,11 @@ index e9c6ac7..da94e8b 100644
+ there is little 'natural' source of entropy normally. The cost
+ is some slowdown of the boot process.
+
++ When pax_extra_latent_entropy is passed on the kernel command line,
++ entropy will be extracted from up to the first 4GB of RAM while the
++ runtime memory allocator is being initialized. This costs even more
++ slowdown of the boot process.
++
+ Note that the implementation requires a gcc with plugin support,
+ i.e., gcc 4.5 or newer. You may need to install the supporting
+ headers explicitly in addition to the normal gcc package.
@@ -90080,7 +90325,7 @@ index e9c6ac7..da94e8b 100644
source security/keys/Kconfig
config SECURITY_DMESG_RESTRICT
-@@ -103,7 +1017,7 @@ config INTEL_TXT
+@@ -103,7 +1022,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX
@@ -92708,10 +92953,10 @@ index 0000000..0408e06
+}
diff --git a/tools/gcc/latent_entropy_plugin.c b/tools/gcc/latent_entropy_plugin.c
new file mode 100644
-index 0000000..1276616
+index 0000000..b5395ba
--- /dev/null
+++ b/tools/gcc/latent_entropy_plugin.c
-@@ -0,0 +1,321 @@
+@@ -0,0 +1,327 @@
+/*
+ * Copyright 2012-2013 by the PaX Team <pageexec@freemail.hu>
+ * Licensed under the GPL v2
@@ -92752,6 +92997,7 @@ index 0000000..1276616
+#include "rtl.h"
+#include "emit-rtl.h"
+#include "tree-flow.h"
++#include "langhooks.h"
+
+#if BUILDING_GCC_VERSION >= 4008
+#define TODO_dump_func 0
@@ -92762,7 +93008,7 @@ index 0000000..1276616
+static tree latent_entropy_decl;
+
+static struct plugin_info latent_entropy_plugin_info = {
-+ .version = "201302112000",
++ .version = "201303102320",
+ .help = NULL
+};
+
@@ -92986,6 +93232,8 @@ index 0000000..1276616
+
+static void start_unit_callback(void *gcc_data, void *user_data)
+{
++ tree latent_entropy_type;
++
+#if BUILDING_GCC_VERSION >= 4007
+ seed = get_random_seed(false);
+#else
@@ -92996,16 +93244,19 @@ index 0000000..1276616
+ if (in_lto_p)
+ return;
+
-+ // extern u64 latent_entropy
-+ latent_entropy_decl = build_decl(UNKNOWN_LOCATION, VAR_DECL, get_identifier("latent_entropy"), unsigned_intDI_type_node);
++ // extern volatile u64 latent_entropy
++ gcc_assert(TYPE_PRECISION(long_long_unsigned_type_node) == 64);
++ latent_entropy_type = build_qualified_type(long_long_unsigned_type_node, TYPE_QUALS(long_long_unsigned_type_node) | TYPE_QUAL_VOLATILE);
++ latent_entropy_decl = build_decl(UNKNOWN_LOCATION, VAR_DECL, get_identifier("latent_entropy"), latent_entropy_type);
+
+ TREE_STATIC(latent_entropy_decl) = 1;
+ TREE_PUBLIC(latent_entropy_decl) = 1;
+ TREE_USED(latent_entropy_decl) = 1;
+ TREE_THIS_VOLATILE(latent_entropy_decl) = 1;
+ DECL_EXTERNAL(latent_entropy_decl) = 1;
-+ DECL_ARTIFICIAL(latent_entropy_decl) = 0;
++ DECL_ARTIFICIAL(latent_entropy_decl) = 1;
+ DECL_INITIAL(latent_entropy_decl) = NULL;
++ lang_hooks.decls.pushdecl(latent_entropy_decl);
+// DECL_ASSEMBLER_NAME(latent_entropy_decl);
+// varpool_finalize_decl(latent_entropy_decl);
+// varpool_mark_needed_node(latent_entropy_decl);
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2013-03-16 13:25 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-03-16 13:25 [gentoo-commits] proj/hardened-patchset:master commit in: 2.6.32/, 3.8.2/, 3.2.40/ Anthony G. Basile
-- strict thread matches above, loose matches on Subject: below --
2013-03-12 13:25 Anthony G. Basile
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox