authorAnthony G. Basile <blueness@gentoo.org>2013-03-23 09:36:59 -0400
committerAnthony G. Basile <blueness@gentoo.org>2013-03-23 09:36:59 -0400
commita1a1b04c98349f08d1022ec282abc552d199b2da (patch)
tree54096268c5ca5f43a5ff265474c2f2a47478318b /2.6.32
parentFix 3.8.2 -> 3.8.3 (diff)
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.40,3.8.4}-20130322182320130322
Diffstat (limited to '2.6.32')
-rw-r--r--2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303221823.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303142231.patch)565
1 files changed, 381 insertions, 184 deletions
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303142231.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303221823.patch
index 966075e..27cb164 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303142231.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303221823.patch
@@ -265,7 +265,7 @@ index 334258c..1e8f4ff 100644
M: Liam Girdwood <lrg@slimlogic.co.uk>
M: Mark Brown <broonie@opensource.wolfsonmicro.com>
diff --git a/Makefile b/Makefile
-index b0e245e..1c8b6ed 100644
+index b0e245e..e2589d0 100644
--- a/Makefile
+++ b/Makefile
@@ -221,8 +221,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -358,7 +358,7 @@ index b0e245e..1c8b6ed 100644
+else
+ $(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least"
+endif
-+ $(Q)echo "PAX_MEMORY_STACKLEAK and constification will be less secure"
++ $(Q)echo "PAX_MEMORY_STACKLEAK, constification, PAX_LATENT_ENTROPY and other features will be less secure. PAX_SIZE_OVERFLOW will not be active."
+endif
+endif
+
@@ -2753,6 +2753,18 @@ index 285aae8..61dbab6 100644
.alloc_coherent = ia64_swiotlb_alloc_coherent,
.free_coherent = swiotlb_free_coherent,
.map_page = swiotlb_map_page,
+diff --git a/arch/ia64/kernel/perfmon.c b/arch/ia64/kernel/perfmon.c
+index f178270..2dcff27 100644
+--- a/arch/ia64/kernel/perfmon.c
++++ b/arch/ia64/kernel/perfmon.c
+@@ -2372,7 +2372,6 @@ pfm_smpl_buffer_alloc(struct task_struct *task, struct file *filp, pfm_context_t
+ */
+ insert_vm_struct(mm, vma);
+
+- mm->total_vm += size >> PAGE_SHIFT;
+ vm_stat_account(vma->vm_mm, vma->vm_flags, vma->vm_file,
+ vma_pages(vma));
+ up_write(&task->mm->mmap_sem);
diff --git a/arch/ia64/kernel/sys_ia64.c b/arch/ia64/kernel/sys_ia64.c
index 609d500..acd0429 100644
--- a/arch/ia64/kernel/sys_ia64.c
@@ -24038,7 +24050,7 @@ index e6d925f..6bde4d6 100644
.disabled_by_bios = vmx_disabled_by_bios,
.hardware_setup = hardware_setup,
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 271fddf..ea708b4 100644
+index 271fddf..fe56f44 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -82,7 +82,7 @@ static void update_cr8_intercept(struct kvm_vcpu *vcpu);
@@ -24050,7 +24062,19 @@ index 271fddf..ea708b4 100644
EXPORT_SYMBOL_GPL(kvm_x86_ops);
int ignore_msrs = 0;
-@@ -1430,15 +1430,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu,
+@@ -925,6 +925,11 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data)
+ /* ...but clean it before doing the actual write */
+ vcpu->arch.time_offset = data & ~(PAGE_MASK | 1);
+
++ /* Check that the address is 32-byte aligned. */
++ if (vcpu->arch.time_offset &
++ (sizeof(struct pvclock_vcpu_time_info) - 1))
++ break;
++
+ vcpu->arch.time_page =
+ gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT);
+
+@@ -1430,15 +1435,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu,
struct kvm_cpuid2 *cpuid,
struct kvm_cpuid_entry2 __user *entries)
{
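Review bot: The alignment test added in kvm_set_msr_common uses `sizeof(struct pvclock_vcpu_time_info) - 1` as a bit mask, which is only a valid alignment check while that size is a power of two, and the comment hard-codes 32 bytes. As far as the hunk shows, this check is what keeps a guest-chosen offset from placing the structure across the end of the mapped page, so it deserves a compile-time guard next to it, e.g. `BUILD_BUG_ON(sizeof(struct pvclock_vcpu_time_info) & (sizeof(struct pvclock_vcpu_time_info) - 1));`. On the `break` path `vcpu->arch.time_offset` has already been overwritten with the guest value. Whether the previous time_page was released before this point is outside the hunk, so please confirm that nothing later uses the rejected offset.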
@@ -24074,7 +24098,7 @@ index 271fddf..ea708b4 100644
vcpu->arch.cpuid_nent = cpuid->nent;
kvm_apic_set_version(vcpu);
return 0;
-@@ -1451,16 +1456,20 @@ static int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
+@@ -1451,16 +1461,20 @@ static int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
struct kvm_cpuid2 *cpuid,
struct kvm_cpuid_entry2 __user *entries)
{
@@ -24098,7 +24122,7 @@ index 271fddf..ea708b4 100644
return 0;
out:
-@@ -1678,7 +1687,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu,
+@@ -1678,7 +1692,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu,
static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
struct kvm_interrupt *irq)
{
@@ -24107,7 +24131,7 @@ index 271fddf..ea708b4 100644
return -EINVAL;
if (irqchip_in_kernel(vcpu->kvm))
return -ENXIO;
-@@ -3300,10 +3309,10 @@ static struct notifier_block kvmclock_cpufreq_notifier_block = {
+@@ -3300,10 +3314,10 @@ static struct notifier_block kvmclock_cpufreq_notifier_block = {
.notifier_call = kvmclock_cpufreq_notifier
};
@@ -48725,24 +48749,34 @@ index 032ebae..6a3532c 100644
q.int_ops = &sg_ops;
diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c
-index b6992b7..9fa7547 100644
+index b6992b7..ff830bd 100644
--- a/drivers/message/fusion/mptbase.c
+++ b/drivers/message/fusion/mptbase.c
-@@ -6709,8 +6709,14 @@ procmpt_iocinfo_read(char *buf, char **start, off_t offset, int request, int *eo
- len += sprintf(buf+len, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
+@@ -6710,7 +6710,12 @@ procmpt_iocinfo_read(char *buf, char **start, off_t offset, int request, int *eo
len += sprintf(buf+len, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
+ len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
+#ifdef CONFIG_GRKERNSEC_HIDESYM
-+ len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
+ NULL, NULL);
+#else
- len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
(void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
+#endif
+
/*
* Rounding UP to nearest 4-kB boundary here...
*/
+@@ -6723,7 +6728,11 @@ procmpt_iocinfo_read(char *buf, char **start, off_t offset, int request, int *eo
+ ioc->facts.GlobalCredits);
+
+ len += sprintf(buf+len, " Frames @ 0x%p (Dma @ 0x%p)\n",
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++ NULL, NULL);
++#else
+ (void *)ioc->alloc, (void *)(ulong)ioc->alloc_dma);
++#endif
+ sz = (ioc->reply_sz * ioc->reply_depth) + 128;
+ len += sprintf(buf+len, " {CurRepSz=%d} x {CurRepDepth=%d} = %d bytes ^= 0x%x\n",
+ ioc->reply_sz, ioc->reply_depth, ioc->reply_sz*ioc->reply_depth, sz);
diff --git a/drivers/message/fusion/mptsas.c b/drivers/message/fusion/mptsas.c
index 83873e3..e360e9a 100644
--- a/drivers/message/fusion/mptsas.c
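Review bot: Splitting the argument list of a single `sprintf()` call across `#ifdef CONFIG_GRKERNSEC_HIDESYM` / `#else` in procmpt_iocinfo_read is easy to break on a later edit, and nothing at the site says why NULL is printed. A short comment above each guarded pair, such as `/* HIDESYM: do not expose kernel and DMA addresses to readers of this file */`, would record the intent. The pattern now appears twice (RequestFrames and Frames), so a file-local macro that selects the two pointer arguments would keep both sites in step. The function starts and ends outside the hunk, so any other `%p` output in it could not be checked here.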
@@ -75307,7 +75341,7 @@ index 0133b5a..3710d09 100644
(unsigned long) create_aout_tables((char __user *) bprm->p, bprm);
#ifdef __alpha__
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index a64fde6..621e25d 100644
+index a64fde6..f7af3a5e 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -31,6 +31,7 @@
@@ -75929,7 +75963,7 @@ index a64fde6..621e25d 100644
/* set_brk can never work. Avoid overflows. */
send_sig(SIGKILL, current, 0);
retval = -EINVAL;
-@@ -877,17 +1300,43 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -877,17 +1300,44 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
goto out_free_dentry;
}
if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
@@ -75945,19 +75979,20 @@ index a64fde6..621e25d 100644
+#ifdef CONFIG_PAX_RANDMMAP
+ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
-+ unsigned long start, size;
++ unsigned long start, size, flags, vm_flags;
+
+ start = ELF_PAGEALIGN(elf_brk);
+ size = PAGE_SIZE + ((pax_get_random_long() & ((1UL << 22) - 1UL)) << 4);
++ flags = MAP_FIXED | MAP_PRIVATE;
++ vm_flags = VM_DONTEXPAND | VM_RESERVED;
++
+ down_write(&current->mm->mmap_sem);
++ start = get_unmapped_area(NULL, start, PAGE_ALIGN(size), 0, flags);
+ retval = -ENOMEM;
-+ if (!find_vma_intersection(current->mm, start, start + size + PAGE_SIZE)) {
-+ unsigned long prot = PROT_NONE;
-+
-+ current->mm->brk_gap = PAGE_ALIGN(size) >> PAGE_SHIFT;
++ if (!IS_ERR_VALUE(start) && !find_vma_intersection(current->mm, start, start + size + PAGE_SIZE)) {
+// if (current->personality & ADDR_NO_RANDOMIZE)
+// prot = PROT_READ;
-+ start = do_mmap(NULL, start, size, prot, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0);
++ start = mmap_region(NULL, start, PAGE_ALIGN(size), flags, vm_flags, 0);
+ retval = IS_ERR_VALUE(start) ? start : 0;
+ }
+ up_write(&current->mm->mmap_sem);
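Review bot: The two commented-out lines `// if (current->personality & ADDR_NO_RANDOMIZE)` and `// prot = PROT_READ;` now refer to a variable `prot` that this change removes, so they should be deleted rather than carried along. The gap is created with `vm_flags = VM_DONTEXPAND | VM_RESERVED`, with no access or VM_MAY* bits, which appears to be what lets the `vm_stat_account()` change elsewhere in this patch leave it out of `total_vm`. A comment such as `/* inaccessible gap after brk; no VM_MAY* bits, so it is not counted in total_vm */` would make that coupling visible. The intersection test uses `start + size + PAGE_SIZE` while the mapping length is `PAGE_ALIGN(size)`; the test range is the larger one, so it is conservative, but a single length variable for both would be clearer. load_elf_binary continues outside the hunk.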
@@ -75979,7 +76014,7 @@ index a64fde6..621e25d 100644
load_bias);
if (!IS_ERR((void *)elf_entry)) {
/*
-@@ -1112,8 +1561,10 @@ static int dump_seek(struct file *file, loff_t off)
+@@ -1112,8 +1562,10 @@ static int dump_seek(struct file *file, loff_t off)
unsigned long n = off;
if (n > PAGE_SIZE)
n = PAGE_SIZE;
@@ -75991,7 +76026,7 @@ index a64fde6..621e25d 100644
off -= n;
}
free_page((unsigned long)buf);
-@@ -1125,7 +1576,7 @@ static int dump_seek(struct file *file, loff_t off)
+@@ -1125,7 +1577,7 @@ static int dump_seek(struct file *file, loff_t off)
* Decide what to dump of a segment, part, all or none.
*/
static unsigned long vma_dump_size(struct vm_area_struct *vma,
@@ -76000,7 +76035,7 @@ index a64fde6..621e25d 100644
{
#define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
-@@ -1159,7 +1610,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
+@@ -1159,7 +1611,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
if (vma->vm_file == NULL)
return 0;
@@ -76009,7 +76044,7 @@ index a64fde6..621e25d 100644
goto whole;
/*
-@@ -1255,8 +1706,11 @@ static int writenote(struct memelfnote *men, struct file *file,
+@@ -1255,8 +1707,11 @@ static int writenote(struct memelfnote *men, struct file *file,
#undef DUMP_WRITE
#define DUMP_WRITE(addr, nr) \
@@ -76022,7 +76057,7 @@ index a64fde6..621e25d 100644
static void fill_elf_header(struct elfhdr *elf, int segs,
u16 machine, u32 flags, u8 osabi)
-@@ -1385,9 +1839,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
+@@ -1385,9 +1840,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
{
elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
int i = 0;
@@ -76034,7 +76069,7 @@ index a64fde6..621e25d 100644
fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
}
-@@ -1973,7 +2427,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un
+@@ -1973,7 +2428,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un
phdr.p_offset = offset;
phdr.p_vaddr = vma->vm_start;
phdr.p_paddr = 0;
@@ -76043,7 +76078,7 @@ index a64fde6..621e25d 100644
phdr.p_memsz = vma->vm_end - vma->vm_start;
offset += phdr.p_filesz;
phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
-@@ -2006,7 +2460,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un
+@@ -2006,7 +2461,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un
unsigned long addr;
unsigned long end;
@@ -76052,7 +76087,7 @@ index a64fde6..621e25d 100644
for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
struct page *page;
-@@ -2015,6 +2469,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un
+@@ -2015,6 +2470,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un
page = get_dump_page(addr);
if (page) {
void *kaddr = kmap(page);
@@ -76060,7 +76095,7 @@ index a64fde6..621e25d 100644
stop = ((size += PAGE_SIZE) > limit) ||
!dump_write(file, kaddr, PAGE_SIZE);
kunmap(page);
-@@ -2042,6 +2497,97 @@ out:
+@@ -2042,6 +2498,97 @@ out:
#endif /* USE_ELF_CORE_DUMP */
@@ -77139,7 +77174,7 @@ index a5bf577..6d19845 100644
return hit;
}
diff --git a/fs/compat.c b/fs/compat.c
-index 46b93d1..84978fe 100644
+index 46b93d1..191dbaa 100644
--- a/fs/compat.c
+++ b/fs/compat.c
@@ -133,8 +133,8 @@ asmlinkage long compat_sys_utimes(char __user *filename, struct compat_timeval _
@@ -77260,7 +77295,17 @@ index 46b93d1..84978fe 100644
goto out;
if (!file->f_op)
goto out;
-@@ -1469,11 +1487,35 @@ int compat_do_execve(char * filename,
+@@ -1460,6 +1478,9 @@ out:
+ return ret;
+ }
+
++extern void gr_handle_exec_args_compat(struct linux_binprm *bprm,
++ compat_uptr_t __user *argv);
++
+ /*
+ * compat_do_execve() is mostly a copy of do_execve(), with the exception
+ * that it processes 32 bit argv and envp pointers.
+@@ -1469,11 +1490,35 @@ int compat_do_execve(char * filename,
compat_uptr_t __user *envp,
struct pt_regs * regs)
{
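Review bot: `gr_handle_exec_args_compat()` is now declared with a local `extern` in fs/compat.c while the same patch removes its prototype from include/linux/grsecurity.h. The definition is then presumably no longer compiled against the declaration its caller uses, so a later signature drift would not be diagnosed. If the move was made to keep `<linux/compat.h>` out of grsecurity.h, a small compat-only header included by both the defining file and fs/compat.c would preserve the check. At minimum, add a comment above the extern naming the file that defines the function.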
@@ -77296,7 +77341,7 @@ index 46b93d1..84978fe 100644
retval = unshare_files(&displaced);
if (retval)
-@@ -1499,12 +1541,26 @@ int compat_do_execve(char * filename,
+@@ -1499,12 +1544,26 @@ int compat_do_execve(char * filename,
if (IS_ERR(file))
goto out_unmark;
@@ -77323,7 +77368,7 @@ index 46b93d1..84978fe 100644
retval = bprm_mm_init(bprm);
if (retval)
goto out_file;
-@@ -1521,24 +1577,63 @@ int compat_do_execve(char * filename,
+@@ -1521,24 +1580,63 @@ int compat_do_execve(char * filename,
if (retval < 0)
goto out;
@@ -77391,7 +77436,7 @@ index 46b93d1..84978fe 100644
current->fs->in_exec = 0;
current->in_execve = 0;
acct_update_integrals(current);
-@@ -1547,6 +1642,14 @@ int compat_do_execve(char * filename,
+@@ -1547,6 +1645,14 @@ int compat_do_execve(char * filename,
put_files_struct(displaced);
return retval;
@@ -77406,7 +77451,7 @@ index 46b93d1..84978fe 100644
out:
if (bprm->mm) {
acct_arg_size(bprm, 0);
-@@ -1717,6 +1820,8 @@ int compat_core_sys_select(int n, compat_ulong_t __user *inp,
+@@ -1717,6 +1823,8 @@ int compat_core_sys_select(int n, compat_ulong_t __user *inp,
struct fdtable *fdt;
long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
@@ -77415,7 +77460,7 @@ index 46b93d1..84978fe 100644
if (n < 0)
goto out_nofds;
-@@ -2157,7 +2262,7 @@ asmlinkage long compat_sys_nfsservctl(int cmd,
+@@ -2157,7 +2265,7 @@ asmlinkage long compat_sys_nfsservctl(int cmd,
oldfs = get_fs();
set_fs(KERNEL_DS);
/* The __user pointer casts are valid because of the set_fs() */
@@ -77702,7 +77747,7 @@ index ff57421..f65f88a 100644
out_free_fd:
diff --git a/fs/exec.c b/fs/exec.c
-index 86fafc6..0f75c42 100644
+index 86fafc6..a435ef7 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -56,12 +56,34 @@
@@ -77909,7 +77954,7 @@ index 86fafc6..0f75c42 100644
#endif
ret = expand_stack(vma, stack_base);
+
-+#if !defined(CONFIG_STACK_GROWSUP) && defined(CONFIG_PAX_ASLR)
++#if !defined(CONFIG_STACK_GROWSUP) && defined(CONFIG_PAX_RANDMMAP)
+ if (!ret && (mm->pax_flags & MF_PAX_RANDMMAP) && STACK_TOP <= 0xFFFFFFFFU && STACK_TOP > vma->vm_end) {
+ unsigned long size, flags, vm_flags;
+
@@ -77922,7 +77967,7 @@ index 86fafc6..0f75c42 100644
+#ifdef CONFIG_X86
+ if (!ret) {
+ size = mmap_min_addr + ((mm->delta_mmap ^ mm->delta_stack) & (0xFFUL << PAGE_SHIFT));
-+ ret = 0 != mmap_region(NULL, 0, size, flags, vm_flags, 0);
++ ret = 0 != mmap_region(NULL, 0, PAGE_ALIGN(size), flags, vm_flags, 0);
+ }
+#endif
+
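Review bot: `ret = 0 != mmap_region(NULL, 0, PAGE_ALIGN(size), flags, vm_flags, 0);` relies on operator precedence and on a successful fixed mapping at address 0 returning 0, and it folds every failure into the value 1 instead of an errno. If the code after the `#endif` only tests `ret` for non-zero, that is harmless, but that code is outside the hunk and should be confirmed. Parenthesising the comparison and adding a comment such as `/* mmap_region() returns the start address, 0 here, on success */` would make the intent readable.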
@@ -80998,7 +81043,7 @@ index fde92d1..6256b88 100644
lock_kernel();
diff --git a/fs/namei.c b/fs/namei.c
-index b0afbd4..2b96439 100644
+index b0afbd4..a4dd3a0 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -224,6 +224,14 @@ int generic_permission(struct inode *inode, int mask,
@@ -81098,7 +81143,7 @@ index b0afbd4..2b96439 100644
path_put(&nd->path);
return_err:
return err;
-@@ -1091,13 +1112,20 @@ static int do_path_lookup(int dfd, const char *name,
+@@ -1091,13 +1112,22 @@ static int do_path_lookup(int dfd, const char *name,
int retval = path_init(dfd, name, flags, nd);
if (!retval)
retval = path_walk(name, nd);
@@ -81108,10 +81153,12 @@ index b0afbd4..2b96439 100644
+
+ if (likely(!retval)) {
+ if (nd->path.dentry && nd->path.dentry->d_inode) {
-+ if (*name != '/' && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
-+ retval = -ENOENT;
+ if (!audit_dummy_context())
+ audit_inode(name, nd->path.dentry);
++ if (*name != '/' && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt)) {
++ path_put(&nd->path);
++ retval = -ENOENT;
++ }
+ }
+ }
if (nd->root.mnt) {
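Review bot: The added `path_put(&nd->path)` drops the reference that was apparently left held when a successful `path_walk()` was turned into `-ENOENT` by the `gr_chroot_fchdir()` check, but `nd->path` still contains the released dentry and mount pointers afterwards. A comment such as `/* lookup succeeded, so drop the reference before reporting failure */` would explain why the put is needed on this path only. Moving `audit_inode()` ahead of the check also means a lookup that is then denied is still audited; if that ordering is intentional, it is worth stating. The tail of do_path_lookup is outside the hunk.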
@@ -81122,7 +81169,7 @@ index b0afbd4..2b96439 100644
return retval;
}
-@@ -1251,6 +1279,11 @@ static int __lookup_one_len(const char *name, struct qstr *this,
+@@ -1251,6 +1281,11 @@ static int __lookup_one_len(const char *name, struct qstr *this,
if (!len)
return -EACCES;
@@ -81134,7 +81181,7 @@ index b0afbd4..2b96439 100644
hash = init_name_hash();
while (len--) {
c = *(const unsigned char *)name++;
-@@ -1576,6 +1609,20 @@ int may_open(struct path *path, int acc_mode, int flag)
+@@ -1576,6 +1611,20 @@ int may_open(struct path *path, int acc_mode, int flag)
if (error)
goto err_out;
@@ -81155,7 +81202,7 @@ index b0afbd4..2b96439 100644
if (flag & O_TRUNC) {
error = get_write_access(inode);
if (error)
-@@ -1620,6 +1667,17 @@ static int __open_namei_create(struct nameidata *nd, struct path *path,
+@@ -1620,6 +1669,17 @@ static int __open_namei_create(struct nameidata *nd, struct path *path,
{
int error;
struct dentry *dir = nd->path.dentry;
@@ -81173,7 +81220,7 @@ index b0afbd4..2b96439 100644
if (!IS_POSIXACL(dir->d_inode))
mode &= ~current_umask();
-@@ -1627,6 +1685,8 @@ static int __open_namei_create(struct nameidata *nd, struct path *path,
+@@ -1627,6 +1687,8 @@ static int __open_namei_create(struct nameidata *nd, struct path *path,
if (error)
goto out_unlock;
error = vfs_create(dir->d_inode, path->dentry, mode, nd);
@@ -81182,7 +81229,7 @@ index b0afbd4..2b96439 100644
out_unlock:
mutex_unlock(&dir->d_inode->i_mutex);
dput(nd->path.dentry);
-@@ -1684,6 +1744,7 @@ struct file *do_filp_open(int dfd, const char *pathname,
+@@ -1684,6 +1746,7 @@ struct file *do_filp_open(int dfd, const char *pathname,
struct nameidata nd;
int error;
struct path path;
@@ -81190,7 +81237,7 @@ index b0afbd4..2b96439 100644
struct dentry *dir;
int count = 0;
int will_write;
-@@ -1709,6 +1770,22 @@ struct file *do_filp_open(int dfd, const char *pathname,
+@@ -1709,6 +1772,22 @@ struct file *do_filp_open(int dfd, const char *pathname,
&nd, flag);
if (error)
return ERR_PTR(error);
@@ -81213,7 +81260,7 @@ index b0afbd4..2b96439 100644
goto ok;
}
-@@ -1795,6 +1872,19 @@ do_last:
+@@ -1795,6 +1874,19 @@ do_last:
/*
* It already exists.
*/
@@ -81233,7 +81280,7 @@ index b0afbd4..2b96439 100644
mutex_unlock(&dir->d_inode->i_mutex);
audit_inode(pathname, path.dentry);
-@@ -1887,6 +1977,14 @@ do_link:
+@@ -1887,6 +1979,14 @@ do_link:
error = security_inode_follow_link(path.dentry, &nd);
if (error)
goto exit_dput;
@@ -81248,7 +81295,7 @@ index b0afbd4..2b96439 100644
error = __do_follow_link(&path, &nd);
if (error) {
/* Does someone understand code flow here? Or it is only
-@@ -1915,9 +2013,24 @@ do_link:
+@@ -1915,9 +2015,24 @@ do_link:
}
dir = nd.path.dentry;
mutex_lock(&dir->d_inode->i_mutex);
@@ -81273,7 +81320,7 @@ index b0afbd4..2b96439 100644
goto do_last;
}
-@@ -1984,6 +2097,10 @@ struct dentry *lookup_create(struct nameidata *nd, int is_dir)
+@@ -1984,6 +2099,10 @@ struct dentry *lookup_create(struct nameidata *nd, int is_dir)
}
return dentry;
eexist:
@@ -81284,7 +81331,7 @@ index b0afbd4..2b96439 100644
dput(dentry);
dentry = ERR_PTR(-EEXIST);
fail:
-@@ -2061,6 +2178,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
+@@ -2061,6 +2180,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
error = may_mknod(mode);
if (error)
goto out_dput;
@@ -81302,7 +81349,7 @@ index b0afbd4..2b96439 100644
error = mnt_want_write(nd.path.mnt);
if (error)
goto out_dput;
-@@ -2081,6 +2209,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
+@@ -2081,6 +2211,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
}
out_drop_write:
mnt_drop_write(nd.path.mnt);
@@ -81312,7 +81359,7 @@ index b0afbd4..2b96439 100644
out_dput:
dput(dentry);
out_unlock:
-@@ -2134,6 +2265,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode)
+@@ -2134,6 +2267,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode)
if (IS_ERR(dentry))
goto out_unlock;
@@ -81324,7 +81371,7 @@ index b0afbd4..2b96439 100644
if (!IS_POSIXACL(nd.path.dentry->d_inode))
mode &= ~current_umask();
error = mnt_want_write(nd.path.mnt);
-@@ -2145,6 +2281,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode)
+@@ -2145,6 +2283,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode)
error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
out_drop_write:
mnt_drop_write(nd.path.mnt);
@@ -81335,7 +81382,7 @@ index b0afbd4..2b96439 100644
out_dput:
dput(dentry);
out_unlock:
-@@ -2226,6 +2366,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -2226,6 +2368,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
char * name;
struct dentry *dentry;
struct nameidata nd;
@@ -81344,7 +81391,7 @@ index b0afbd4..2b96439 100644
error = user_path_parent(dfd, pathname, &nd, &name);
if (error)
-@@ -2250,6 +2392,17 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -2250,6 +2394,17 @@ static long do_rmdir(int dfd, const char __user *pathname)
error = PTR_ERR(dentry);
if (IS_ERR(dentry))
goto exit2;
@@ -81362,7 +81409,7 @@ index b0afbd4..2b96439 100644
error = mnt_want_write(nd.path.mnt);
if (error)
goto exit3;
-@@ -2257,6 +2410,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -2257,6 +2412,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
if (error)
goto exit4;
error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
@@ -81371,7 +81418,7 @@ index b0afbd4..2b96439 100644
exit4:
mnt_drop_write(nd.path.mnt);
exit3:
-@@ -2318,6 +2473,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2318,6 +2475,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
struct dentry *dentry;
struct nameidata nd;
struct inode *inode = NULL;
@@ -81380,7 +81427,7 @@ index b0afbd4..2b96439 100644
error = user_path_parent(dfd, pathname, &nd, &name);
if (error)
-@@ -2337,8 +2494,19 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2337,8 +2496,19 @@ static long do_unlinkat(int dfd, const char __user *pathname)
if (nd.last.name[nd.last.len])
goto slashes;
inode = dentry->d_inode;
@@ -81401,7 +81448,7 @@ index b0afbd4..2b96439 100644
error = mnt_want_write(nd.path.mnt);
if (error)
goto exit2;
-@@ -2346,6 +2514,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2346,6 +2516,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
if (error)
goto exit3;
error = vfs_unlink(nd.path.dentry->d_inode, dentry);
@@ -81410,7 +81457,7 @@ index b0afbd4..2b96439 100644
exit3:
mnt_drop_write(nd.path.mnt);
exit2:
-@@ -2424,6 +2594,11 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
+@@ -2424,6 +2596,11 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
if (IS_ERR(dentry))
goto out_unlock;
@@ -81422,7 +81469,7 @@ index b0afbd4..2b96439 100644
error = mnt_want_write(nd.path.mnt);
if (error)
goto out_dput;
-@@ -2431,6 +2606,8 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
+@@ -2431,6 +2608,8 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
if (error)
goto out_drop_write;
error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
@@ -81431,7 +81478,7 @@ index b0afbd4..2b96439 100644
out_drop_write:
mnt_drop_write(nd.path.mnt);
out_dput:
-@@ -2524,6 +2701,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -2524,6 +2703,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
goto out_unlock;
@@ -81452,7 +81499,7 @@ index b0afbd4..2b96439 100644
error = mnt_want_write(nd.path.mnt);
if (error)
goto out_dput;
-@@ -2531,6 +2722,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -2531,6 +2724,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
if (error)
goto out_drop_write;
error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
@@ -81461,7 +81508,7 @@ index b0afbd4..2b96439 100644
out_drop_write:
mnt_drop_write(nd.path.mnt);
out_dput:
-@@ -2708,6 +2901,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
+@@ -2708,6 +2903,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
char *to;
int error;
@@ -81470,7 +81517,7 @@ index b0afbd4..2b96439 100644
error = user_path_parent(olddfd, oldname, &oldnd, &from);
if (error)
goto exit;
-@@ -2764,6 +2959,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
+@@ -2764,6 +2961,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
if (new_dentry == trap)
goto exit5;
@@ -81483,7 +81530,7 @@ index b0afbd4..2b96439 100644
error = mnt_want_write(oldnd.path.mnt);
if (error)
goto exit5;
-@@ -2773,6 +2974,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
+@@ -2773,6 +2976,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
goto exit6;
error = vfs_rename(old_dir->d_inode, old_dentry,
new_dir->d_inode, new_dentry);
@@ -81493,7 +81540,7 @@ index b0afbd4..2b96439 100644
exit6:
mnt_drop_write(oldnd.path.mnt);
exit5:
-@@ -2798,6 +3002,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
+@@ -2798,6 +3004,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
{
@@ -81502,7 +81549,7 @@ index b0afbd4..2b96439 100644
int len;
len = PTR_ERR(link);
-@@ -2807,7 +3013,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
+@@ -2807,7 +3015,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
len = strlen(link);
if (len > (unsigned) buflen)
len = buflen;
@@ -86042,10 +86089,10 @@ index 0000000..1b9afa9
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..5aba5a8
+index 0000000..1edd4b5
--- /dev/null
+++ b/grsecurity/gracl.c
-@@ -0,0 +1,4197 @@
+@@ -0,0 +1,4201 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -86071,6 +86118,7 @@ index 0000000..5aba5a8
+#include <linux/stop_machine.h>
+#include <linux/fdtable.h>
+#include <linux/percpu.h>
++#include <linux/posix-timers.h>
+
+#include <asm/uaccess.h>
+#include <asm/errno.h>
@@ -88348,6 +88396,9 @@ index 0000000..5aba5a8
+
+ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
+ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
++
++ if (i == RLIMIT_CPU)
++ update_rlimit_cpu(task, proc->res[i].rlim_cur);
+ }
+
+ return;
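Review bot: The new `update_rlimit_cpu(task, proc->res[i].rlim_cur)` call runs for every RLIMIT_CPU entry, including a limit of RLIM_INFINITY. The mainline setrlimit path skips the timer update in that case, so a guard like `if (i == RLIMIT_CPU && proc->res[i].rlim_cur != RLIM_INFINITY)` looks appropriate unless the loop already filters such entries above the hunk. The call also acts on `task` rather than `current`. That depends on the prototype change in include/linux/posix-timers.h and on update_rlimit_cpu() taking that task's locks safely, and its body is not shown here. The enclosing function starts outside the hunk.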
@@ -96556,6 +96607,19 @@ index 78e9047..ff39f6b 100644
/* handle uniform packets for scsi type devices (scsi,atapi) */
int (*generic_packet) (struct cdrom_device_info *,
struct packet_command *);
+diff --git a/include/linux/compat.h b/include/linux/compat.h
+index 510266f..9d64053 100644
+--- a/include/linux/compat.h
++++ b/include/linux/compat.h
+@@ -271,7 +271,7 @@ extern int compat_ptrace_request(struct task_struct *child,
+ extern long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
+ compat_ulong_t addr, compat_ulong_t data);
+ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid,
+- compat_long_t addr, compat_long_t data);
++ compat_ulong_t addr, compat_ulong_t data);
+
+ /*
+ * epoll (fs/eventpoll.c) compat bits follow ...
diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h
index 450fa59..16b904d 100644
--- a/include/linux/compiler-gcc4.h
@@ -98104,17 +98168,16 @@ index 0000000..18863d1
+#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for "
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
new file mode 100644
-index 0000000..6e2f8bc
+index 0000000..9ced8a0
--- /dev/null
+++ b/include/linux/grsecurity.h
-@@ -0,0 +1,226 @@
+@@ -0,0 +1,222 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
+#include <linux/fs_struct.h>
+#include <linux/binfmts.h>
+#include <linux/gracl.h>
-+#include <linux/compat.h>
+
+/* notify of brain-dead configs */
+#if defined(CONFIG_GRKERNSEC_PROC_USER) && defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
@@ -98184,9 +98247,6 @@ index 0000000..6e2f8bc
+void gr_log_chroot_exec(const struct dentry *dentry,
+ const struct vfsmount *mnt);
+void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv);
-+#ifdef CONFIG_COMPAT
-+void gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv);
-+#endif
+void gr_log_remount(const char *devname, const int retval);
+void gr_log_unmount(const char *devname, const int retval);
+void gr_log_mount(const char *from, const char *to, const int retval);
@@ -98900,7 +98960,7 @@ index 3797270..7765ede 100644
struct mca_bus {
u64 default_dma_mask;
diff --git a/include/linux/mm.h b/include/linux/mm.h
-index 11e5be6..8ff8c91 100644
+index 11e5be6..8a2af3a 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -106,7 +106,14 @@ extern unsigned int kobjsize(const void *objp);
@@ -99023,7 +99083,19 @@ index 11e5be6..8ff8c91 100644
struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
unsigned long pfn, unsigned long size, pgprot_t);
-@@ -1332,7 +1365,13 @@ extern void memory_failure(unsigned long pfn, int trapno);
+@@ -1263,6 +1296,11 @@ void vm_stat_account(struct mm_struct *, unsigned long, struct file *, long);
+ static inline void vm_stat_account(struct mm_struct *mm,
+ unsigned long flags, struct file *file, long pages)
+ {
++#ifdef CONFIG_PAX_RANDMMAP
++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
++#endif
++
++ mm->total_vm += pages;
+ }
+ #endif /* CONFIG_PROC_FS */
+
+@@ -1332,7 +1370,13 @@ extern void memory_failure(unsigned long pfn, int trapno);
extern int __memory_failure(unsigned long pfn, int trapno, int ref);
extern int sysctl_memory_failure_early_kill;
extern int sysctl_memory_failure_recovery;
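Review bot: In the `!CONFIG_PROC_FS` inline `vm_stat_account()`, the `if` inside `#ifdef CONFIG_PAX_RANDMMAP` governs the `mm->total_vm += pages;` statement after the `#endif`, with a blank line in between. Control flow therefore changes silently with the config option and is easy to misread. An early `return` inside the `#ifdef`, taken when the mm has MF_PAX_RANDMMAP and `flags` carries none of VM_MAYREAD/VM_MAYWRITE/VM_MAYEXEC, followed by an unconditional update, would express the same logic without the dangling `if`. Callers touched by this patch (ia64 perfmon, dup_mmap) drop their own `total_vm` updates and rely on this function, so the `CONFIG_PROC_FS` implementation, not visible here, has to make the same update.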
@@ -99039,7 +99111,7 @@ index 11e5be6..8ff8c91 100644
#endif /* __KERNEL__ */
#endif /* _LINUX_MM_H */
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
-index 9d12ed5..9d9dab3 100644
+index 9d12ed5..6d9707a 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -186,6 +186,8 @@ struct vm_area_struct {
@@ -99051,15 +99123,6 @@ index 9d12ed5..9d9dab3 100644
};
struct core_thread {
-@@ -235,7 +237,7 @@ struct mm_struct {
- unsigned long total_vm, locked_vm, shared_vm, exec_vm;
- unsigned long stack_vm, reserved_vm, def_flags, nr_ptes;
- unsigned long start_code, end_code, start_data, end_data;
-- unsigned long start_brk, brk, start_stack;
-+ unsigned long brk_gap, start_brk, brk, start_stack;
- unsigned long arg_start, arg_end, env_start, env_end;
-
- unsigned long saved_auxv[AT_VECTOR_SIZE]; /* for /proc/PID/auxv */
@@ -287,6 +289,24 @@ struct mm_struct {
#ifdef CONFIG_MMU_NOTIFIER
struct mmu_notifier_mm *mmu_notifier_mm;
@@ -99614,7 +99677,7 @@ index 34066ff..e95d744 100644
/********** include/linux/timer.h **********/
/*
diff --git a/include/linux/posix-timers.h b/include/linux/posix-timers.h
-index 4f71bf4..cd2f68e 100644
+index 4f71bf4..724d413 100644
--- a/include/linux/posix-timers.h
+++ b/include/linux/posix-timers.h
@@ -82,7 +82,8 @@ struct k_clock {
@@ -99627,6 +99690,14 @@ index 4f71bf4..cd2f68e 100644
void register_posix_clock(const clockid_t clock_id, struct k_clock *new_clock);
+@@ -117,6 +118,6 @@ void set_process_cpu_timer(struct task_struct *task, unsigned int clock_idx,
+
+ long clock_nanosleep_restart(struct restart_block *restart_block);
+
+-void update_rlimit_cpu(unsigned long rlim_new);
++void update_rlimit_cpu(struct task_struct *task, unsigned long rlim_new);
+
+ #endif
diff --git a/include/linux/prefetch.h b/include/linux/prefetch.h
index af7c36a..a93005c 100644
--- a/include/linux/prefetch.h
@@ -103473,7 +103544,7 @@ index a2a1659..df8479c 100644
get_task_struct(p);
read_unlock(&tasklist_lock);
diff --git a/kernel/fork.c b/kernel/fork.c
-index c28f804..3a04506 100644
+index c28f804..4f038a3 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -240,21 +240,26 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
@@ -103522,7 +103593,16 @@ index c28f804..3a04506 100644
mm->map_count = 0;
cpumask_clear(mm_cpumask(mm));
mm->mm_rb = RB_ROOT;
-@@ -319,7 +324,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
+@@ -311,15 +316,13 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
+ struct file *file;
+
+ if (mpnt->vm_flags & VM_DONTCOPY) {
+- long pages = vma_pages(mpnt);
+- mm->total_vm -= pages;
+ vm_stat_account(mm, mpnt->vm_flags, mpnt->vm_file,
+- -pages);
++ -vma_pages(mpnt));
+ continue;
}
charge = 0;
if (mpnt->vm_flags & VM_ACCOUNT) {
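Review bot: The new argument `-vma_pages(mpnt)` in the VM_DONTCOPY branch negates the helper's return value directly, whereas the removed lines first stored it in a `long pages`. If vma_pages() returns an unsigned type (its declaration is not in this hunk), the negative count reaches vm_stat_account()'s `long pages` parameter only through unsigned wrap-around and an implicit conversion. Writing `-(long)vma_pages(mpnt)` keeps the sign explicit. dup_mmap's body starts and continues outside the hunk.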
@@ -103531,7 +103611,7 @@ index c28f804..3a04506 100644
if (security_vm_enough_memory(len))
goto fail_nomem;
charge = len;
-@@ -336,6 +341,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
+@@ -336,6 +339,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
tmp->vm_flags &= ~VM_LOCKED;
tmp->vm_mm = mm;
tmp->vm_next = tmp->vm_prev = NULL;
@@ -103539,7 +103619,7 @@ index c28f804..3a04506 100644
anon_vma_link(tmp);
file = tmp->vm_file;
if (file) {
-@@ -385,6 +391,31 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
+@@ -385,6 +389,31 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
if (retval)
goto out;
}
@@ -103571,7 +103651,7 @@ index c28f804..3a04506 100644
/* a new mm has just been created */
arch_dup_mmap(oldmm, mm);
retval = 0;
-@@ -735,13 +766,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk)
+@@ -735,13 +764,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk)
write_unlock(&fs->lock);
return -EAGAIN;
}
@@ -103593,7 +103673,7 @@ index c28f804..3a04506 100644
return 0;
}
-@@ -913,6 +951,8 @@ static int copy_signal(unsigned long clone_flags, struct task_struct *tsk)
+@@ -913,6 +949,8 @@ static int copy_signal(unsigned long clone_flags, struct task_struct *tsk)
sig->oom_adj = current->signal->oom_adj;
@@ -103602,7 +103682,7 @@ index c28f804..3a04506 100644
return 0;
}
-@@ -1036,12 +1076,16 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+@@ -1036,12 +1074,16 @@ static struct task_struct *copy_process(unsigned long clone_flags,
DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
#endif
retval = -EAGAIN;
@@ -103621,7 +103701,7 @@ index c28f804..3a04506 100644
retval = copy_creds(p, clone_flags);
if (retval < 0)
-@@ -1263,6 +1307,11 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+@@ -1263,6 +1305,11 @@ static struct task_struct *copy_process(unsigned long clone_flags,
goto bad_fork_free_pid;
}
@@ -103633,7 +103713,7 @@ index c28f804..3a04506 100644
if (clone_flags & CLONE_THREAD) {
atomic_inc(&current->signal->count);
atomic_inc(&current->signal->live);
-@@ -1337,6 +1386,8 @@ bad_fork_cleanup_count:
+@@ -1337,6 +1384,8 @@ bad_fork_cleanup_count:
bad_fork_free:
free_task(p);
fork_out:
@@ -103642,7 +103722,7 @@ index c28f804..3a04506 100644
return ERR_PTR(retval);
}
-@@ -1430,6 +1481,8 @@ long do_fork(unsigned long clone_flags,
+@@ -1430,6 +1479,8 @@ long do_fork(unsigned long clone_flags,
if (clone_flags & CLONE_PARENT_SETTID)
put_user(nr, parent_tidptr);
@@ -103651,7 +103731,7 @@ index c28f804..3a04506 100644
if (clone_flags & CLONE_VFORK) {
p->vfork_done = &vfork;
init_completion(&vfork);
-@@ -1562,7 +1615,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
+@@ -1562,7 +1613,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
return 0;
/* don't need lock here; in the worst case we'll do useless copy */
@@ -103660,7 +103740,7 @@ index c28f804..3a04506 100644
return 0;
*new_fsp = copy_fs_struct(fs);
-@@ -1685,7 +1738,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
+@@ -1685,7 +1736,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
fs = current->fs;
write_lock(&fs->lock);
current->fs = new_fs;
@@ -105747,10 +105827,10 @@ index fce7198..4f23a7e 100644
{
struct pid *pid;
diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c
-index 5c9dc22..7652dca 100644
+index 5c9dc22..6971ae8 100644
--- a/kernel/posix-cpu-timers.c
+++ b/kernel/posix-cpu-timers.c
-@@ -6,9 +6,11 @@
+@@ -6,23 +6,25 @@
#include <linux/posix-timers.h>
#include <linux/errno.h>
#include <linux/math64.h>
@@ -105762,6 +105842,25 @@ index 5c9dc22..7652dca 100644
/*
* Called after updating RLIMIT_CPU to set timer expiration if necessary.
+ */
+-void update_rlimit_cpu(unsigned long rlim_new)
++void update_rlimit_cpu(struct task_struct *task, unsigned long rlim_new)
+ {
+ cputime_t cputime = secs_to_cputime(rlim_new);
+- struct signal_struct *const sig = current->signal;
++ struct signal_struct *const sig = task->signal;
+
+ if (cputime_eq(sig->it[CPUCLOCK_PROF].expires, cputime_zero) ||
+ cputime_gt(sig->it[CPUCLOCK_PROF].expires, cputime)) {
+- spin_lock_irq(&current->sighand->siglock);
+- set_process_cpu_timer(current, CPUCLOCK_PROF, &cputime, NULL);
+- spin_unlock_irq(&current->sighand->siglock);
++ spin_lock_irq(&task->sighand->siglock);
++ set_process_cpu_timer(task, CPUCLOCK_PROF, &cputime, NULL);
++ spin_unlock_irq(&task->sighand->siglock);
+ }
+ }
+
@@ -516,6 +518,8 @@ static void cleanup_timers(struct list_head *head,
*/
void posix_cpu_timers_exit(struct task_struct *tsk)
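Review bot: update_rlimit_cpu() now dereferences `task->sighand` for whatever task it is handed, and neither the function nor its header comment says what keeps that pointer valid. For `current` it always is, but an exiting task can have its sighand cleared, so a caller passing another task would need to pin it first. The two callers changed in this update (setrlimit and selinux_bprm_committing_creds) both pass `current`, so this is a contract to document rather than a bug shown here. I would extend the header comment with `Caller must ensure task->sighand is stable: task == current, or tasklist_lock held and task->sighand checked for NULL.`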
@@ -106232,7 +106331,7 @@ index dfadc5b..7f59404 100644
}
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
-index 05625f6..741869b 100644
+index 05625f6..123e351 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -56,7 +56,7 @@ static void ptrace_untrace(struct task_struct *child)
@@ -106529,6 +106628,15 @@ index 05625f6..741869b 100644
switch (request) {
case PTRACE_PEEKTEXT:
case PTRACE_PEEKDATA:
+@@ -720,7 +799,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request,
+ }
+
+ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid,
+- compat_long_t addr, compat_long_t data)
++ compat_ulong_t addr, compat_ulong_t data)
+ {
+ struct task_struct *child;
+ long ret;
@@ -740,20 +819,30 @@ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid,
goto out;
}
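Review bot: The change of `addr` and `data` from `compat_long_t` to `compat_ulong_t` carries no comment, and `request` and `pid` stay signed, so the reason for the asymmetry is easy to lose in a later cleanup. Presumably the intent is that a 32-bit value with the top bit set is zero-extended rather than sign-extended when it is widened for the native ptrace paths. If so, say it above the definition, e.g. `/* addr and data are unsigned so they zero-extend when widened to unsigned long */`. Any prototype of compat_sys_ptrace elsewhere in the tree has to change in step; none is visible in this hunk, and the function body continues outside it.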
@@ -107282,7 +107390,7 @@ index 04a0252..4ee2bbb 100644
struct tasklet_struct *list;
diff --git a/kernel/sys.c b/kernel/sys.c
-index e9512b1..f07185f 100644
+index e9512b1..dec4030 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -133,6 +133,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error)
@@ -107444,6 +107552,15 @@ index e9512b1..f07185f 100644
if (gid != old_fsgid) {
new->fsgid = gid;
goto change_okay;
+@@ -1282,7 +1323,7 @@ SYSCALL_DEFINE2(setrlimit, unsigned int, resource, struct rlimit __user *, rlim)
+ if (new_rlim.rlim_cur == RLIM_INFINITY)
+ goto out;
+
+- update_rlimit_cpu(new_rlim.rlim_cur);
++ update_rlimit_cpu(current, new_rlim.rlim_cur);
+ out:
+ return 0;
+ }
@@ -1454,7 +1495,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
error = get_dumpable(me->mm);
break;
@@ -110486,7 +110603,7 @@ index 2d846cf..8d5cdd8 100644
capable(CAP_IPC_LOCK))
ret = do_mlockall(flags);
diff --git a/mm/mmap.c b/mm/mmap.c
-index 4b80cbf..89f7b42 100644
+index 4b80cbf..abfd61a 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -29,6 +29,7 @@
@@ -110684,13 +110801,19 @@ index 4b80cbf..89f7b42 100644
return area;
}
-@@ -898,14 +979,11 @@ none:
+@@ -898,15 +979,22 @@ none:
void vm_stat_account(struct mm_struct *mm, unsigned long flags,
struct file *file, long pages)
{
- const unsigned long stack_flags
- = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
--
++
++#ifdef CONFIG_PAX_RANDMMAP
++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
++#endif
++
++ mm->total_vm += pages;
+
if (file) {
mm->shared_vm += pages;
if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
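Review bot: The added `#ifdef CONFIG_PAX_RANDMMAP` guard leaves an unbraced `if` whose controlled statement (`mm->total_vm += pages;`) sits after a blank line outside the `#ifdef`, so inserting any line between them silently changes what is conditional. The same test is repeated verbatim in the next hunk (before the `reserved_vm` update) and in the mmap_region hunk (before `may_expand_vm`). I would put the predicate in one small helper, with a no-op variant when the option is off, and call it from all three places. The helper's comment should also say which mappings are excluded; presumably it is the gap mapping the removed `brk_gap` field used to track, which is not stated anywhere in these hunks.

```c
#ifdef CONFIG_PAX_RANDMMAP
/* Nonzero when a mapping with these flags counts towards total_vm. */
static inline bool pax_vma_accounted(const struct mm_struct *mm,
				     unsigned long flags)
{
	return !(mm->pax_flags & MF_PAX_RANDMMAP) ||
	       (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC));
}
#else
static inline bool pax_vma_accounted(const struct mm_struct *mm,
				     unsigned long flags)
{
	return true;
}
#endif

void vm_stat_account(struct mm_struct *mm, unsigned long flags,
						struct file *file, long pages)
{
	if (pax_vma_accounted(mm, flags))
		mm->total_vm += pages;

	/* … unchanged: shared_vm / exec_vm / stack_vm accounting … */
	if (pax_vma_accounted(mm, flags) && (flags & (VM_RESERVED|VM_IO)))
		mm->reserved_vm += pages;
```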
@@ -110698,9 +110821,13 @@ index 4b80cbf..89f7b42 100644
- } else if (flags & stack_flags)
+ } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
mm->stack_vm += pages;
++#ifdef CONFIG_PAX_RANDMMAP
++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
++#endif
if (flags & (VM_RESERVED|VM_IO))
mm->reserved_vm += pages;
-@@ -932,7 +1010,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+ }
+@@ -932,7 +1020,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
* (the exception is when the underlying filesystem is noexec
* mounted, in which case we dont add PROT_EXEC.)
*/
@@ -110709,7 +110836,7 @@ index 4b80cbf..89f7b42 100644
if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
prot |= PROT_EXEC;
-@@ -958,7 +1036,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -958,7 +1046,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
/* Obtain the address to map to. we verify (or select) it and ensure
* that it represents a valid section of the address space.
*/
@@ -110718,7 +110845,7 @@ index 4b80cbf..89f7b42 100644
if (addr & ~PAGE_MASK)
return addr;
-@@ -969,6 +1047,36 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -969,6 +1057,36 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
@@ -110755,7 +110882,7 @@ index 4b80cbf..89f7b42 100644
if (flags & MAP_LOCKED)
if (!can_do_mlock())
return -EPERM;
-@@ -980,6 +1088,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -980,6 +1098,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
locked += mm->locked_vm;
lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
lock_limit >>= PAGE_SHIFT;
@@ -110763,7 +110890,7 @@ index 4b80cbf..89f7b42 100644
if (locked > lock_limit && !capable(CAP_IPC_LOCK))
return -EAGAIN;
}
-@@ -1053,6 +1162,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -1053,6 +1172,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
if (error)
return error;
@@ -110773,7 +110900,7 @@ index 4b80cbf..89f7b42 100644
return mmap_region(file, addr, len, flags, vm_flags, pgoff);
}
EXPORT_SYMBOL(do_mmap_pgoff);
-@@ -1065,10 +1177,10 @@ EXPORT_SYMBOL(do_mmap_pgoff);
+@@ -1065,10 +1187,10 @@ EXPORT_SYMBOL(do_mmap_pgoff);
*/
int vma_wants_writenotify(struct vm_area_struct *vma)
{
@@ -110786,7 +110913,7 @@ index 4b80cbf..89f7b42 100644
return 0;
/* The backer wishes to know when pages are first written to? */
-@@ -1117,14 +1229,24 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
+@@ -1117,17 +1239,32 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
unsigned long charged = 0;
struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
@@ -110813,7 +110940,15 @@ index 4b80cbf..89f7b42 100644
}
/* Check against address space limit. */
-@@ -1173,6 +1295,16 @@ munmap_back:
++
++#ifdef CONFIG_PAX_RANDMMAP
++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (vm_flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
++#endif
++
+ if (!may_expand_vm(mm, len >> PAGE_SHIFT))
+ return -ENOMEM;
+
+@@ -1173,6 +1310,16 @@ munmap_back:
goto unacct_error;
}
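Review bot: The added guard makes the address-space limit check (`may_expand_vm`) conditional, and no comment says which mappings are allowed to skip it. From the visible code, do_mmap_pgoff() ORs `VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC` into vm_flags, so presumably only a kernel-created mapping with all three bits cleared gets through unchecked. That invariant is what keeps the exemption from being reachable by ordinary requests, so it deserves a comment at the guard, e.g. `/* only the RANDMMAP gap mapping has no VM_MAY* bits; it is exempt from RLIMIT_AS */`. mmap_region's body starts and ends outside the hunk.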
@@ -110830,7 +110965,7 @@ index 4b80cbf..89f7b42 100644
vma->vm_mm = mm;
vma->vm_start = addr;
vma->vm_end = addr + len;
-@@ -1180,8 +1312,9 @@ munmap_back:
+@@ -1180,8 +1327,9 @@ munmap_back:
vma->vm_page_prot = vm_get_page_prot(vm_flags);
vma->vm_pgoff = pgoff;
@@ -110841,7 +110976,7 @@ index 4b80cbf..89f7b42 100644
if (vm_flags & (VM_GROWSDOWN|VM_GROWSUP))
goto free_vma;
if (vm_flags & VM_DENYWRITE) {
-@@ -1195,6 +1328,19 @@ munmap_back:
+@@ -1195,6 +1343,19 @@ munmap_back:
error = file->f_op->mmap(file, vma);
if (error)
goto unmap_and_free_vma;
@@ -110861,7 +110996,7 @@ index 4b80cbf..89f7b42 100644
if (vm_flags & VM_EXECUTABLE)
added_exe_file_vma(mm);
-@@ -1207,6 +1353,8 @@ munmap_back:
+@@ -1207,6 +1368,8 @@ munmap_back:
pgoff = vma->vm_pgoff;
vm_flags = vma->vm_flags;
} else if (vm_flags & VM_SHARED) {
@@ -110870,7 +111005,7 @@ index 4b80cbf..89f7b42 100644
error = shmem_zero_setup(vma);
if (error)
goto free_vma;
-@@ -1218,6 +1366,11 @@ munmap_back:
+@@ -1218,14 +1381,19 @@ munmap_back:
vma_link(mm, vma, prev, rb_link, rb_parent);
file = vma->vm_file;
@@ -110882,15 +111017,16 @@ index 4b80cbf..89f7b42 100644
/* Once vma denies write, undo our temporary denial count */
if (correct_wcount)
atomic_inc(&inode->i_writecount);
-@@ -1226,6 +1379,7 @@ out:
+ out:
+ perf_event_mmap(vma);
- mm->total_vm += len >> PAGE_SHIFT;
+- mm->total_vm += len >> PAGE_SHIFT;
vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
+ track_exec_limit(mm, addr, addr + len, vm_flags);
if (vm_flags & VM_LOCKED) {
/*
* makes pages present; downgrades, drops, reacquires mmap_sem
-@@ -1248,6 +1402,12 @@ unmap_and_free_vma:
+@@ -1248,6 +1416,12 @@ unmap_and_free_vma:
unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
charged = 0;
free_vma:
@@ -110903,7 +111039,7 @@ index 4b80cbf..89f7b42 100644
kmem_cache_free(vm_area_cachep, vma);
unacct_error:
if (charged)
-@@ -1255,6 +1415,62 @@ unacct_error:
+@@ -1255,6 +1429,62 @@ unacct_error:
return error;
}
@@ -110966,7 +111102,7 @@ index 4b80cbf..89f7b42 100644
/* Get an address range which is currently unmapped.
* For shmat() with addr=0.
*
-@@ -1274,6 +1490,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+@@ -1274,6 +1504,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
struct mm_struct *mm = current->mm;
struct vm_area_struct *vma;
unsigned long start_addr;
@@ -110974,7 +111110,7 @@ index 4b80cbf..89f7b42 100644
if (len > TASK_SIZE)
return -ENOMEM;
-@@ -1281,18 +1498,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+@@ -1281,18 +1512,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
if (flags & MAP_FIXED)
return addr;
@@ -111005,7 +111141,7 @@ index 4b80cbf..89f7b42 100644
}
full_search:
-@@ -1303,34 +1525,40 @@ full_search:
+@@ -1303,34 +1539,40 @@ full_search:
* Start a new search - just in case we missed
* some holes.
*/
@@ -111057,7 +111193,7 @@ index 4b80cbf..89f7b42 100644
mm->free_area_cache = addr;
mm->cached_hole_size = ~0UL;
}
-@@ -1348,7 +1576,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1348,7 +1590,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
{
struct vm_area_struct *vma;
struct mm_struct *mm = current->mm;
@@ -111067,7 +111203,7 @@ index 4b80cbf..89f7b42 100644
/* requested length too big for entire address space */
if (len > TASK_SIZE)
-@@ -1357,13 +1586,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1357,13 +1600,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
if (flags & MAP_FIXED)
return addr;
@@ -111090,7 +111226,7 @@ index 4b80cbf..89f7b42 100644
}
/* check if free_area_cache is useful for us */
-@@ -1378,7 +1612,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1378,7 +1626,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
/* make sure it can fit in the remaining address space */
if (addr > len) {
vma = find_vma(mm, addr-len);
@@ -111099,7 +111235,7 @@ index 4b80cbf..89f7b42 100644
/* remember the address as a hint for next time */
return (mm->free_area_cache = addr-len);
}
-@@ -1395,7 +1629,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1395,7 +1643,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
* return with success:
*/
vma = find_vma(mm, addr);
@@ -111108,7 +111244,7 @@ index 4b80cbf..89f7b42 100644
/* remember the address as a hint for next time */
return (mm->free_area_cache = addr);
-@@ -1404,8 +1638,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1404,8 +1652,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
mm->cached_hole_size = vma->vm_start - addr;
/* try just below the current vma->vm_start */
@@ -111119,7 +111255,7 @@ index 4b80cbf..89f7b42 100644
bottomup:
/*
-@@ -1414,13 +1648,21 @@ bottomup:
+@@ -1414,13 +1662,21 @@ bottomup:
* can happen with large stack limits and large mmap()
* allocations.
*/
@@ -111143,7 +111279,7 @@ index 4b80cbf..89f7b42 100644
mm->cached_hole_size = ~0UL;
return addr;
-@@ -1429,6 +1671,12 @@ bottomup:
+@@ -1429,6 +1685,12 @@ bottomup:
void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
{
@@ -111156,7 +111292,7 @@ index 4b80cbf..89f7b42 100644
/*
* Is this a new hole at the highest possible address?
*/
-@@ -1436,8 +1684,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
+@@ -1436,8 +1698,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
mm->free_area_cache = addr;
/* dont allow allocations above current base */
@@ -111168,7 +111304,7 @@ index 4b80cbf..89f7b42 100644
}
unsigned long
-@@ -1510,40 +1760,49 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr)
+@@ -1510,40 +1774,49 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr)
EXPORT_SYMBOL(find_vma);
@@ -111243,7 +111379,7 @@ index 4b80cbf..89f7b42 100644
/*
* Verify that the stack growth is acceptable and
-@@ -1561,6 +1820,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -1561,6 +1834,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
return -ENOMEM;
/* Stack limit test */
@@ -111251,7 +111387,7 @@ index 4b80cbf..89f7b42 100644
if (size > rlim[RLIMIT_STACK].rlim_cur)
return -ENOMEM;
-@@ -1570,6 +1830,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -1570,6 +1844,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
unsigned long limit;
locked = mm->locked_vm + grow;
limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
@@ -111259,7 +111395,15 @@ index 4b80cbf..89f7b42 100644
if (locked > limit && !capable(CAP_IPC_LOCK))
return -ENOMEM;
}
-@@ -1600,37 +1861,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -1588,7 +1863,6 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+ return -ENOMEM;
+
+ /* Ok, everything looks good - let it rip */
+- mm->total_vm += grow;
+ if (vma->vm_flags & VM_LOCKED)
+ mm->locked_vm += grow;
+ vm_stat_account(mm, vma->vm_flags, vma->vm_file, grow);
+@@ -1600,37 +1874,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
* PA-RISC uses this for its stack; IA64 for its Register Backing Store.
* vma is the last one with address > vma->vm_end. Have to extend vma.
*/
@@ -111317,7 +111461,7 @@ index 4b80cbf..89f7b42 100644
unsigned long size, grow;
size = address - vma->vm_start;
-@@ -1643,6 +1915,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+@@ -1643,6 +1928,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
vma->vm_end = address;
}
}
@@ -111326,7 +111470,7 @@ index 4b80cbf..89f7b42 100644
anon_vma_unlock(vma);
return error;
}
-@@ -1655,6 +1929,8 @@ static int expand_downwards(struct vm_area_struct *vma,
+@@ -1655,6 +1942,8 @@ static int expand_downwards(struct vm_area_struct *vma,
unsigned long address)
{
int error;
@@ -111335,7 +111479,7 @@ index 4b80cbf..89f7b42 100644
/*
* We must make sure the anon_vma is allocated
-@@ -1668,6 +1944,15 @@ static int expand_downwards(struct vm_area_struct *vma,
+@@ -1668,6 +1957,15 @@ static int expand_downwards(struct vm_area_struct *vma,
if (error)
return error;
@@ -111351,7 +111495,7 @@ index 4b80cbf..89f7b42 100644
anon_vma_lock(vma);
/*
-@@ -1677,9 +1962,17 @@ static int expand_downwards(struct vm_area_struct *vma,
+@@ -1677,9 +1975,17 @@ static int expand_downwards(struct vm_area_struct *vma,
*/
/* Somebody else might have raced and expanded it already */
@@ -111370,7 +111514,7 @@ index 4b80cbf..89f7b42 100644
size = vma->vm_end - address;
grow = (vma->vm_start - address) >> PAGE_SHIFT;
-@@ -1689,21 +1982,60 @@ static int expand_downwards(struct vm_area_struct *vma,
+@@ -1689,21 +1995,60 @@ static int expand_downwards(struct vm_area_struct *vma,
if (!error) {
vma->vm_start = address;
vma->vm_pgoff -= grow;
@@ -111431,7 +111575,7 @@ index 4b80cbf..89f7b42 100644
return expand_upwards(vma, address);
}
-@@ -1727,6 +2059,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr)
+@@ -1727,6 +2072,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr)
#else
int expand_stack(struct vm_area_struct *vma, unsigned long address)
{
@@ -111446,10 +111590,11 @@ index 4b80cbf..89f7b42 100644
return expand_downwards(vma, address);
}
-@@ -1768,6 +2108,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -1768,7 +2121,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
do {
long nrpages = vma_pages(vma);
+- mm->total_vm -= nrpages;
+#ifdef CONFIG_PAX_SEGMEXEC
+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
+ vma = remove_vma(vma);
@@ -111457,10 +111602,10 @@ index 4b80cbf..89f7b42 100644
+ }
+#endif
+
- mm->total_vm -= nrpages;
vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
vma = remove_vma(vma);
-@@ -1813,6 +2160,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
+ } while (vma);
+@@ -1813,6 +2172,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
insertion_point = (prev ? &prev->vm_next : &mm->mmap);
vma->vm_prev = NULL;
do {
@@ -111477,7 +111622,7 @@ index 4b80cbf..89f7b42 100644
rb_erase(&vma->vm_rb, &mm->mm_rb);
mm->map_count--;
tail_vma = vma;
-@@ -1840,10 +2197,25 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -1840,10 +2209,25 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
struct mempolicy *pol;
struct vm_area_struct *new;
@@ -111503,7 +111648,7 @@ index 4b80cbf..89f7b42 100644
if (mm->map_count >= sysctl_max_map_count)
return -ENOMEM;
-@@ -1851,6 +2223,16 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -1851,6 +2235,16 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
if (!new)
return -ENOMEM;
@@ -111520,7 +111665,7 @@ index 4b80cbf..89f7b42 100644
/* most fields are the same, copy all, and then fixup */
*new = *vma;
-@@ -1861,8 +2243,29 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -1861,8 +2255,29 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
}
@@ -111550,7 +111695,7 @@ index 4b80cbf..89f7b42 100644
kmem_cache_free(vm_area_cachep, new);
return PTR_ERR(pol);
}
-@@ -1883,6 +2286,28 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -1883,6 +2298,28 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
else
vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
@@ -111579,7 +111724,7 @@ index 4b80cbf..89f7b42 100644
return 0;
}
-@@ -1891,11 +2316,30 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -1891,11 +2328,30 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
* work. This now handles partial unmappings.
* Jeremy Fitzhardinge <jeremy@goop.org>
*/
@@ -111610,7 +111755,7 @@ index 4b80cbf..89f7b42 100644
if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
return -EINVAL;
-@@ -1959,6 +2403,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
+@@ -1959,6 +2415,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
/* Fix up all other VM information */
remove_vma_list(mm, vma);
@@ -111619,7 +111764,7 @@ index 4b80cbf..89f7b42 100644
return 0;
}
-@@ -1971,22 +2417,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
+@@ -1971,22 +2429,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
profile_munmap(addr);
@@ -111648,7 +111793,7 @@ index 4b80cbf..89f7b42 100644
/*
* this is really a simplified "do_mmap". it only handles
* anonymous maps. eventually we may be able to do some
-@@ -2000,6 +2442,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2000,6 +2454,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
struct rb_node ** rb_link, * rb_parent;
pgoff_t pgoff = addr >> PAGE_SHIFT;
int error;
@@ -111656,7 +111801,7 @@ index 4b80cbf..89f7b42 100644
len = PAGE_ALIGN(len);
if (!len)
-@@ -2011,16 +2454,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2011,16 +2466,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
@@ -111688,7 +111833,7 @@ index 4b80cbf..89f7b42 100644
locked += mm->locked_vm;
lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
lock_limit >>= PAGE_SHIFT;
-@@ -2037,22 +2494,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2037,22 +2506,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
/*
* Clear old maps. this also does some error checking for us
*/
@@ -111715,7 +111860,7 @@ index 4b80cbf..89f7b42 100644
return -ENOMEM;
/* Can we just expand an old private anonymous mapping? */
-@@ -2066,7 +2523,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2066,7 +2535,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
*/
vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
if (!vma) {
@@ -111724,7 +111869,7 @@ index 4b80cbf..89f7b42 100644
return -ENOMEM;
}
-@@ -2078,11 +2535,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2078,11 +2547,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
vma->vm_page_prot = vm_get_page_prot(flags);
vma_link(mm, vma, prev, rb_link, rb_parent);
out:
@@ -111739,7 +111884,7 @@ index 4b80cbf..89f7b42 100644
return addr;
}
-@@ -2129,8 +2587,10 @@ void exit_mmap(struct mm_struct *mm)
+@@ -2129,8 +2599,10 @@ void exit_mmap(struct mm_struct *mm)
* Walk the list again, actually closing and freeing it,
* with preemption enabled, without holding any MM locks.
*/
@@ -111751,7 +111896,7 @@ index 4b80cbf..89f7b42 100644
BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
}
-@@ -2144,6 +2604,10 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
+@@ -2144,6 +2616,10 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
struct vm_area_struct * __vma, * prev;
struct rb_node ** rb_link, * rb_parent;
@@ -111762,7 +111907,7 @@ index 4b80cbf..89f7b42 100644
/*
* The vm_pgoff of a purely anonymous vma should be irrelevant
* until its first write fault, when page's anon_vma and index
-@@ -2166,7 +2630,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
+@@ -2166,7 +2642,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
if ((vma->vm_flags & VM_ACCOUNT) &&
security_vm_enough_memory_mm(mm, vma_pages(vma)))
return -ENOMEM;
@@ -111785,7 +111930,7 @@ index 4b80cbf..89f7b42 100644
return 0;
}
-@@ -2184,6 +2663,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2184,6 +2675,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
struct rb_node **rb_link, *rb_parent;
struct mempolicy *pol;
@@ -111794,7 +111939,7 @@ index 4b80cbf..89f7b42 100644
/*
* If anonymous vma has not yet been faulted, update new pgoff
* to match new location, to increase its chance of merging.
-@@ -2227,6 +2708,35 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2227,6 +2720,35 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
return new_vma;
}
@@ -111830,20 +111975,15 @@ index 4b80cbf..89f7b42 100644
/*
* Return true if the calling process may expand its vm space by the passed
* number of pages
-@@ -2238,6 +2748,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
+@@ -2238,6 +2760,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
-+#ifdef CONFIG_PAX_RANDMMAP
-+ if (mm->pax_flags & MF_PAX_RANDMMAP)
-+ cur -= mm->brk_gap;
-+#endif
-+
+ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
if (cur + npages > lim)
return 0;
return 1;
-@@ -2307,6 +2823,22 @@ int install_special_mapping(struct mm_struct *mm,
+@@ -2307,6 +2830,22 @@ int install_special_mapping(struct mm_struct *mm,
vma->vm_start = addr;
vma->vm_end = addr + len;
@@ -112093,7 +112233,7 @@ index 1737c7e..c7faeb4 100644
if (nstart < prev->vm_end)
diff --git a/mm/mremap.c b/mm/mremap.c
-index 3e98d79..1706cec 100644
+index 3e98d79..36c2b5d 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -112,6 +112,12 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd,
@@ -112109,7 +112249,15 @@ index 3e98d79..1706cec 100644
set_pte_at(mm, new_addr, new_pte, pte);
}
-@@ -271,6 +277,11 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr,
+@@ -232,7 +238,6 @@ static unsigned long move_vma(struct vm_area_struct *vma,
+ * If this were a serious issue, we'd add a flag to do_munmap().
+ */
+ hiwater_vm = mm->hiwater_vm;
+- mm->total_vm += new_len >> PAGE_SHIFT;
+ vm_stat_account(mm, vma->vm_flags, vma->vm_file, new_len>>PAGE_SHIFT);
+
+ if (do_munmap(mm, old_addr, old_len) < 0) {
+@@ -271,6 +276,11 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr,
if (is_vm_hugetlb_page(vma))
goto Einval;
@@ -112121,7 +112269,7 @@ index 3e98d79..1706cec 100644
/* We can't remap across vm area boundaries */
if (old_len > vma->vm_end - addr)
goto Efault;
-@@ -327,20 +338,25 @@ static unsigned long mremap_to(unsigned long addr,
+@@ -327,20 +337,25 @@ static unsigned long mremap_to(unsigned long addr,
unsigned long ret = -EINVAL;
unsigned long charged = 0;
unsigned long map_flags;
@@ -112152,7 +112300,7 @@ index 3e98d79..1706cec 100644
goto out;
ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
-@@ -412,6 +428,7 @@ unsigned long do_mremap(unsigned long addr,
+@@ -412,6 +427,7 @@ unsigned long do_mremap(unsigned long addr,
struct vm_area_struct *vma;
unsigned long ret = -EINVAL;
unsigned long charged = 0;
@@ -112160,7 +112308,7 @@ index 3e98d79..1706cec 100644
if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
goto out;
-@@ -430,6 +447,17 @@ unsigned long do_mremap(unsigned long addr,
+@@ -430,6 +446,17 @@ unsigned long do_mremap(unsigned long addr,
if (!new_len)
goto out;
@@ -112178,7 +112326,15 @@ index 3e98d79..1706cec 100644
if (flags & MREMAP_FIXED) {
if (flags & MREMAP_MAYMOVE)
ret = mremap_to(addr, old_len, new_addr, new_len);
-@@ -476,6 +504,7 @@ unsigned long do_mremap(unsigned long addr,
+@@ -468,7 +495,6 @@ unsigned long do_mremap(unsigned long addr,
+ vma_adjust(vma, vma->vm_start,
+ addr + new_len, vma->vm_pgoff, NULL);
+
+- mm->total_vm += pages;
+ vm_stat_account(mm, vma->vm_flags, vma->vm_file, pages);
+ if (vma->vm_flags & VM_LOCKED) {
+ mm->locked_vm += pages;
+@@ -476,6 +502,7 @@ unsigned long do_mremap(unsigned long addr,
addr + new_len);
}
ret = addr;
@@ -112186,7 +112342,7 @@ index 3e98d79..1706cec 100644
goto out;
}
}
-@@ -502,7 +531,13 @@ unsigned long do_mremap(unsigned long addr,
+@@ -502,7 +529,13 @@ unsigned long do_mremap(unsigned long addr,
ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
if (ret)
goto out;
@@ -120289,7 +120445,7 @@ index c4c6732..bc63d84 100644
int security_settime(struct timespec *ts, struct timezone *tz)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index a106754..ca3a589 100644
+index a106754..bdb434e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -76,6 +76,7 @@
@@ -120352,6 +120508,15 @@ index a106754..ca3a589 100644
default:
rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
break;
+@@ -2366,7 +2368,7 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
+ initrlim = init_task.signal->rlim + i;
+ rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
+ }
+- update_rlimit_cpu(current->signal->rlim[RLIMIT_CPU].rlim_cur);
++ update_rlimit_cpu(current, current->signal->rlim[RLIMIT_CPU].rlim_cur);
+ }
+ }
+
@@ -5457,7 +5459,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
#endif
@@ -120397,6 +120562,19 @@ index ff17820..d68084c 100644
if (!ss_initialized) {
avtab_cache_init();
if (policydb_read(&policydb, fp)) {
+diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
+index f3cb9ed..22c91e3 100644
+--- a/security/selinux/xfrm.c
++++ b/security/selinux/xfrm.c
+@@ -309,7 +309,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
+
+ if (old_ctx) {
+ new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len,
+- GFP_KERNEL);
++ GFP_ATOMIC);
+ if (!new_ctx)
+ return -ENOMEM;
+
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index c33b6bb..b51f19e 100644
--- a/security/smack/smack_lsm.c
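Review bot: The switch from `GFP_KERNEL` to `GFP_ATOMIC` in selinux_xfrm_policy_clone() is unexplained, and the reason cannot be recovered from the hunk; presumably the clone can be reached from a context that must not sleep. A comment above the `kmalloc()` such as `/* may be called in atomic context: must not sleep */` would keep a later cleanup from reverting it. Atomic allocations fail more readily under memory pressure, so the `-ENOMEM` return shown here becomes a more likely outcome. Callers should be checked to confirm they treat it as a failed clone rather than proceeding without a security context. The function body continues past the hunk.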
@@ -127916,6 +128094,25 @@ index 83b3dde..835bee7 100644
} else
break;
}
+diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c
+index 9fe140b..69969ae 100644
+--- a/virt/kvm/ioapic.c
++++ b/virt/kvm/ioapic.c
+@@ -71,9 +71,12 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic,
+ u32 redir_index = (ioapic->ioregsel - 0x10) >> 1;
+ u64 redir_content;
+
+- ASSERT(redir_index < IOAPIC_NUM_PINS);
++ if (redir_index < IOAPIC_NUM_PINS)
++ redir_content =
++ ioapic->redirtbl[redir_index].bits;
++ else
++ redir_content = ~0ULL;
+
+- redir_content = ioapic->redirtbl[redir_index].bits;
+ result = (ioapic->ioregsel & 0x1) ?
+ (redir_content >> 32) & 0xffffffff :
+ redir_content & 0xffffffff;
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 82b6fdc..57cc875 100644
--- a/virt/kvm/kvm_main.c
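Review bot: The `~0ULL` fallback added to ioapic_read_indirect() is undocumented, although the bounds check itself is the right replacement for `ASSERT(redir_index < IOAPIC_NUM_PINS)`. `redir_index` is derived from `ioapic->ioregsel`, which is presumably guest-written, and an assertion that is compiled out or only logs would not have stopped the `redirtbl[]` read that followed it. I would add `/* ioregsel is guest-controlled: out-of-range selectors read as all-ones, never index past redirtbl[] */` above the `if`. The corresponding write path is not in this hunk and is worth checking for the same guard; the function starts and ends outside the hunk.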