author | Anthony G. Basile <blueness@gentoo.org> | 2013-03-23 09:36:59 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2013-03-23 09:36:59 -0400 |
commit | a1a1b04c98349f08d1022ec282abc552d199b2da (patch) | |
tree | 54096268c5ca5f43a5ff265474c2f2a47478318b /2.6.32 | |
parent | Fix 3.8.2 -> 3.8.3 (diff) | |
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.40,3.8.4}-20130322182320130322
Diffstat (limited to '2.6.32')
-rw-r--r-- | 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303221823.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303142231.patch) | 565 |
1 files changed, 381 insertions, 184 deletions
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303142231.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303221823.patch index 966075e..27cb164 100644 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303142231.patch +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303221823.patch @@ -265,7 +265,7 @@ index 334258c..1e8f4ff 100644 M: Liam Girdwood <lrg@slimlogic.co.uk> M: Mark Brown <broonie@opensource.wolfsonmicro.com> diff --git a/Makefile b/Makefile -index b0e245e..1c8b6ed 100644 +index b0e245e..e2589d0 100644 --- a/Makefile +++ b/Makefile @@ -221,8 +221,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -358,7 +358,7 @@ index b0e245e..1c8b6ed 100644 +else + $(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least" +endif -+ $(Q)echo "PAX_MEMORY_STACKLEAK and constification will be less secure" ++ $(Q)echo "PAX_MEMORY_STACKLEAK, constification, PAX_LATENT_ENTROPY and other features will be less secure. PAX_SIZE_OVERFLOW will not be active." +endif +endif + @@ -2753,6 +2753,18 @@ index 285aae8..61dbab6 100644 .alloc_coherent = ia64_swiotlb_alloc_coherent, .free_coherent = swiotlb_free_coherent, .map_page = swiotlb_map_page, +diff --git a/arch/ia64/kernel/perfmon.c b/arch/ia64/kernel/perfmon.c +index f178270..2dcff27 100644 +--- a/arch/ia64/kernel/perfmon.c ++++ b/arch/ia64/kernel/perfmon.c +@@ -2372,7 +2372,6 @@ pfm_smpl_buffer_alloc(struct task_struct *task, struct file *filp, pfm_context_t + */ + insert_vm_struct(mm, vma); + +- mm->total_vm += size >> PAGE_SHIFT; + vm_stat_account(vma->vm_mm, vma->vm_flags, vma->vm_file, + vma_pages(vma)); + up_write(&task->mm->mmap_sem); diff --git a/arch/ia64/kernel/sys_ia64.c b/arch/ia64/kernel/sys_ia64.c index 609d500..acd0429 100644 --- a/arch/ia64/kernel/sys_ia64.c @@ -24038,7 +24050,7 @@ index e6d925f..6bde4d6 100644 .disabled_by_bios = vmx_disabled_by_bios, .hardware_setup = hardware_setup, 
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 271fddf..ea708b4 100644 +index 271fddf..fe56f44 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -82,7 +82,7 @@ static void update_cr8_intercept(struct kvm_vcpu *vcpu); @@ -24050,7 +24062,19 @@ index 271fddf..ea708b4 100644 EXPORT_SYMBOL_GPL(kvm_x86_ops); int ignore_msrs = 0; -@@ -1430,15 +1430,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu, +@@ -925,6 +925,11 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data) + /* ...but clean it before doing the actual write */ + vcpu->arch.time_offset = data & ~(PAGE_MASK | 1); + ++ /* Check that the address is 32-byte aligned. */ ++ if (vcpu->arch.time_offset & ++ (sizeof(struct pvclock_vcpu_time_info) - 1)) ++ break; ++ + vcpu->arch.time_page = + gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT); + +@@ -1430,15 +1435,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu, struct kvm_cpuid2 *cpuid, struct kvm_cpuid_entry2 __user *entries) { @@ -24074,7 +24098,7 @@ index 271fddf..ea708b4 100644 vcpu->arch.cpuid_nent = cpuid->nent; kvm_apic_set_version(vcpu); return 0; -@@ -1451,16 +1456,20 @@ static int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu, +@@ -1451,16 +1461,20 @@ static int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu, struct kvm_cpuid2 *cpuid, struct kvm_cpuid_entry2 __user *entries) { @@ -24098,7 +24122,7 @@ index 271fddf..ea708b4 100644 return 0; out: -@@ -1678,7 +1687,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu, +@@ -1678,7 +1692,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu, static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu, struct kvm_interrupt *irq) { 
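Review bot: In the new `MSR_KVM_SYSTEM_TIME` alignment check, the `break` on a misaligned address lets the MSR write succeed from the guest's point of view while `vcpu->arch.time_page` is left unset, and nothing in the hunk says that is deliberate; add `/* misaligned: ignore the write and leave time_page unset rather than fault the guest */` above the `break`, and confirm that the lines before the hunk release and clear any previous `time_page` in this `case` so a stale page is not kept. The mask `sizeof(struct pvclock_vcpu_time_info) - 1` is only an alignment mask while that size is a power of two (32 today, per the comment); `BUILD_BUG_ON(sizeof(struct pvclock_vcpu_time_info) & (sizeof(struct pvclock_vcpu_time_info) - 1));` beside it pins that assumption. `kvm_set_msr_common` starts and ends outside the hunk.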
@@ -24107,7 +24131,7 @@ index 271fddf..ea708b4 100644 return -EINVAL; if (irqchip_in_kernel(vcpu->kvm)) return -ENXIO; -@@ -3300,10 +3309,10 @@ static struct notifier_block kvmclock_cpufreq_notifier_block = { +@@ -3300,10 +3314,10 @@ static struct notifier_block kvmclock_cpufreq_notifier_block = { .notifier_call = kvmclock_cpufreq_notifier }; @@ -48725,24 +48749,34 @@ index 032ebae..6a3532c 100644 q.int_ops = &sg_ops; diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c -index b6992b7..9fa7547 100644 +index b6992b7..ff830bd 100644 --- a/drivers/message/fusion/mptbase.c +++ b/drivers/message/fusion/mptbase.c -@@ -6709,8 +6709,14 @@ procmpt_iocinfo_read(char *buf, char **start, off_t offset, int request, int *eo - len += sprintf(buf+len, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth); +@@ -6710,7 +6710,12 @@ procmpt_iocinfo_read(char *buf, char **start, off_t offset, int request, int *eo len += sprintf(buf+len, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize); + len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", +#ifdef CONFIG_GRKERNSEC_HIDESYM -+ len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", + NULL, NULL); +#else - len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma); +#endif + /* * Rounding UP to nearest 4-kB boundary here... */ +@@ -6723,7 +6728,11 @@ procmpt_iocinfo_read(char *buf, char **start, off_t offset, int request, int *eo + ioc->facts.GlobalCredits); + + len += sprintf(buf+len, " Frames @ 0x%p (Dma @ 0x%p)\n", ++#ifdef CONFIG_GRKERNSEC_HIDESYM ++ NULL, NULL); ++#else + (void *)ioc->alloc, (void *)(ulong)ioc->alloc_dma); ++#endif + sz = (ioc->reply_sz * ioc->reply_depth) + 128; + len += sprintf(buf+len, " {CurRepSz=%d} x {CurRepDepth=%d} = %d bytes ^= 0x%x\n", + ioc->reply_sz, ioc->reply_depth, ioc->reply_sz*ioc->reply_depth, sz); 
diff --git a/drivers/message/fusion/mptsas.c b/drivers/message/fusion/mptsas.c index 83873e3..e360e9a 100644 --- a/drivers/message/fusion/mptsas.c @@ -75307,7 +75341,7 @@ index 0133b5a..3710d09 100644 (unsigned long) create_aout_tables((char __user *) bprm->p, bprm); #ifdef __alpha__ diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c -index a64fde6..621e25d 100644 +index a64fde6..f7af3a5e 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -31,6 +31,7 @@ @@ -75929,7 +75963,7 @@ index a64fde6..621e25d 100644 /* set_brk can never work. Avoid overflows. */ send_sig(SIGKILL, current, 0); retval = -EINVAL; -@@ -877,17 +1300,43 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -877,17 +1300,44 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) goto out_free_dentry; } if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) { 
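Review bot: Both `sprintf` calls in `procmpt_iocinfo_read` now carry `#ifdef CONFIG_GRKERNSEC_HIDESYM` inside their argument lists, so each call's arguments are split across two preprocessor branches that must stay in step with one format string, and an edit to one branch breaks only the other configuration. Prefer `void *frames = NULL, *frames_dma = NULL;` assigned under `#ifndef CONFIG_GRKERNSEC_HIDESYM` and a single unconditional `sprintf` for each line. With the NULLs, `%p` prints `(null)` if this tree's vsprintf has that special case; a one-line comment would stop that output being read as a driver bug. `procmpt_iocinfo_read` begins and ends outside the hunk.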
@@ -75945,19 +75979,20 @@ index a64fde6..621e25d 100644 +#ifdef CONFIG_PAX_RANDMMAP + if (current->mm->pax_flags & MF_PAX_RANDMMAP) { -+ unsigned long start, size; ++ unsigned long start, size, flags, vm_flags; + + start = ELF_PAGEALIGN(elf_brk); + size = PAGE_SIZE + ((pax_get_random_long() & ((1UL << 22) - 1UL)) << 4); ++ flags = MAP_FIXED | MAP_PRIVATE; ++ vm_flags = VM_DONTEXPAND | VM_RESERVED; ++ + down_write(¤t->mm->mmap_sem); ++ start = get_unmapped_area(NULL, start, PAGE_ALIGN(size), 0, flags); + retval = -ENOMEM; -+ if (!find_vma_intersection(current->mm, start, start + size + PAGE_SIZE)) { -+ unsigned long prot = PROT_NONE; -+ -+ current->mm->brk_gap = PAGE_ALIGN(size) >> PAGE_SHIFT; ++ if (!IS_ERR_VALUE(start) && !find_vma_intersection(current->mm, start, start + size + PAGE_SIZE)) { +// if (current->personality & ADDR_NO_RANDOMIZE) +// prot = PROT_READ; -+ start = do_mmap(NULL, start, size, prot, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0); ++ start = mmap_region(NULL, start, PAGE_ALIGN(size), flags, vm_flags, 0); + retval = IS_ERR_VALUE(start) ? start : 0; + } + up_write(¤t->mm->mmap_sem); @@ -75979,7 +76014,7 @@ index a64fde6..621e25d 100644 load_bias); if (!IS_ERR((void *)elf_entry)) { /* -@@ -1112,8 +1561,10 @@ static int dump_seek(struct file *file, loff_t off) +@@ -1112,8 +1562,10 @@ static int dump_seek(struct file *file, loff_t off) unsigned long n = off; if (n > PAGE_SIZE) n = PAGE_SIZE; @@ -75991,7 +76026,7 @@ index a64fde6..621e25d 100644 off -= n; } free_page((unsigned long)buf); -@@ -1125,7 +1576,7 @@ static int dump_seek(struct file *file, loff_t off) +@@ -1125,7 +1577,7 @@ static int dump_seek(struct file *file, loff_t off) * Decide what to dump of a segment, part, all or none. */ static unsigned long vma_dump_size(struct vm_area_struct *vma, 
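Review bot: The commented-out lines `// if (current->personality & ADDR_NO_RANDOMIZE)` / `// prot = PROT_READ;` now refer to a `prot` variable this hunk removes (`unsigned long prot = PROT_NONE;` is gone and `mmap_region` takes `vm_flags` instead), so they are dead text that cannot be re-enabled as written; drop them or restate them in terms of `vm_flags`. When `get_unmapped_area` fails, the code also collapses its error into the preset `-ENOMEM`; `retval = IS_ERR_VALUE(start) ? start : -ENOMEM;` before the `if` keeps the real code (e.g. `-EINVAL` for an unaligned address). `load_elf_binary` continues outside the hunk.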
@@ -76000,7 +76035,7 @@ index a64fde6..621e25d 100644 { #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type)) -@@ -1159,7 +1610,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, +@@ -1159,7 +1611,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, if (vma->vm_file == NULL) return 0; @@ -76009,7 +76044,7 @@ index a64fde6..621e25d 100644 goto whole; /* -@@ -1255,8 +1706,11 @@ static int writenote(struct memelfnote *men, struct file *file, +@@ -1255,8 +1707,11 @@ static int writenote(struct memelfnote *men, struct file *file, #undef DUMP_WRITE #define DUMP_WRITE(addr, nr) \ @@ -76022,7 +76057,7 @@ index a64fde6..621e25d 100644 static void fill_elf_header(struct elfhdr *elf, int segs, u16 machine, u32 flags, u8 osabi) -@@ -1385,9 +1839,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) +@@ -1385,9 +1840,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) { elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv; int i = 0; @@ -76034,7 +76069,7 @@ index a64fde6..621e25d 100644 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv); } -@@ -1973,7 +2427,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un +@@ -1973,7 +2428,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un phdr.p_offset = offset; phdr.p_vaddr = vma->vm_start; phdr.p_paddr = 0; @@ -76043,7 +76078,7 @@ index a64fde6..621e25d 100644 phdr.p_memsz = vma->vm_end - vma->vm_start; offset += phdr.p_filesz; phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0; -@@ -2006,7 +2460,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un +@@ -2006,7 +2461,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un unsigned long addr; unsigned long end; 
@@ -76052,7 +76087,7 @@ index a64fde6..621e25d 100644 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) { struct page *page; -@@ -2015,6 +2469,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un +@@ -2015,6 +2470,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un page = get_dump_page(addr); if (page) { void *kaddr = kmap(page); @@ -76060,7 +76095,7 @@ index a64fde6..621e25d 100644 stop = ((size += PAGE_SIZE) > limit) || !dump_write(file, kaddr, PAGE_SIZE); kunmap(page); -@@ -2042,6 +2497,97 @@ out: +@@ -2042,6 +2498,97 @@ out: #endif /* USE_ELF_CORE_DUMP */ @@ -77139,7 +77174,7 @@ index a5bf577..6d19845 100644 return hit; } diff --git a/fs/compat.c b/fs/compat.c -index 46b93d1..84978fe 100644 +index 46b93d1..191dbaa 100644 --- a/fs/compat.c +++ b/fs/compat.c @@ -133,8 +133,8 @@ asmlinkage long compat_sys_utimes(char __user *filename, struct compat_timeval _ @@ -77260,7 +77295,17 @@ index 46b93d1..84978fe 100644 goto out; if (!file->f_op) goto out; -@@ -1469,11 +1487,35 @@ int compat_do_execve(char * filename, +@@ -1460,6 +1478,9 @@ out: + return ret; + } + ++extern void gr_handle_exec_args_compat(struct linux_binprm *bprm, ++ compat_uptr_t __user *argv); ++ + /* + * compat_do_execve() is mostly a copy of do_execve(), with the exception + * that it processes 32 bit argv and envp pointers. +@@ -1469,11 +1490,35 @@ int compat_do_execve(char * filename, compat_uptr_t __user *envp, struct pt_regs * regs) { @@ -77296,7 +77341,7 @@ index 46b93d1..84978fe 100644 retval = unshare_files(&displaced); if (retval) -@@ -1499,12 +1541,26 @@ int compat_do_execve(char * filename, +@@ -1499,12 +1544,26 @@ int compat_do_execve(char * filename, if (IS_ERR(file)) goto out_unmark; 
@@ -77323,7 +77368,7 @@ index 46b93d1..84978fe 100644 retval = bprm_mm_init(bprm); if (retval) goto out_file; -@@ -1521,24 +1577,63 @@ int compat_do_execve(char * filename, +@@ -1521,24 +1580,63 @@ int compat_do_execve(char * filename, if (retval < 0) goto out; @@ -77391,7 +77436,7 @@ index 46b93d1..84978fe 100644 current->fs->in_exec = 0; current->in_execve = 0; acct_update_integrals(current); -@@ -1547,6 +1642,14 @@ int compat_do_execve(char * filename, +@@ -1547,6 +1645,14 @@ int compat_do_execve(char * filename, put_files_struct(displaced); return retval; @@ -77406,7 +77451,7 @@ index 46b93d1..84978fe 100644 out: if (bprm->mm) { acct_arg_size(bprm, 0); -@@ -1717,6 +1820,8 @@ int compat_core_sys_select(int n, compat_ulong_t __user *inp, +@@ -1717,6 +1823,8 @@ int compat_core_sys_select(int n, compat_ulong_t __user *inp, struct fdtable *fdt; long stack_fds[SELECT_STACK_ALLOC/sizeof(long)]; @@ -77415,7 +77460,7 @@ index 46b93d1..84978fe 100644 if (n < 0) goto out_nofds; -@@ -2157,7 +2262,7 @@ asmlinkage long compat_sys_nfsservctl(int cmd, +@@ -2157,7 +2265,7 @@ asmlinkage long compat_sys_nfsservctl(int cmd, oldfs = get_fs(); set_fs(KERNEL_DS); /* The __user pointer casts are valid because of the set_fs() */ @@ -77702,7 +77747,7 @@ index ff57421..f65f88a 100644 out_free_fd: diff --git a/fs/exec.c b/fs/exec.c -index 86fafc6..0f75c42 100644 +index 86fafc6..a435ef7 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -56,12 +56,34 @@ @@ -77909,7 +77954,7 @@ index 86fafc6..0f75c42 100644 #endif ret = expand_stack(vma, stack_base); + -+#if !defined(CONFIG_STACK_GROWSUP) && defined(CONFIG_PAX_ASLR) ++#if !defined(CONFIG_STACK_GROWSUP) && defined(CONFIG_PAX_RANDMMAP) + if (!ret && (mm->pax_flags & MF_PAX_RANDMMAP) && STACK_TOP <= 0xFFFFFFFFU && STACK_TOP > vma->vm_end) { + unsigned long size, flags, vm_flags; + 
@@ -77922,7 +77967,7 @@ index 86fafc6..0f75c42 100644 +#ifdef CONFIG_X86 + if (!ret) { + size = mmap_min_addr + ((mm->delta_mmap ^ mm->delta_stack) & (0xFFUL << PAGE_SHIFT)); -+ ret = 0 != mmap_region(NULL, 0, size, flags, vm_flags, 0); ++ ret = 0 != mmap_region(NULL, 0, PAGE_ALIGN(size), flags, vm_flags, 0); + } +#endif + @@ -80998,7 +81043,7 @@ index fde92d1..6256b88 100644 lock_kernel(); diff --git a/fs/namei.c b/fs/namei.c -index b0afbd4..2b96439 100644 +index b0afbd4..a4dd3a0 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -224,6 +224,14 @@ int generic_permission(struct inode *inode, int mask, @@ -81098,7 +81143,7 @@ index b0afbd4..2b96439 100644 path_put(&nd->path); return_err: return err; -@@ -1091,13 +1112,20 @@ static int do_path_lookup(int dfd, const char *name, +@@ -1091,13 +1112,22 @@ static int do_path_lookup(int dfd, const char *name, int retval = path_init(dfd, name, flags, nd); if (!retval) retval = path_walk(name, nd); @@ -81108,10 +81153,12 @@ index b0afbd4..2b96439 100644 + + if (likely(!retval)) { + if (nd->path.dentry && nd->path.dentry->d_inode) { -+ if (*name != '/' && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt)) -+ retval = -ENOENT; + if (!audit_dummy_context()) + audit_inode(name, nd->path.dentry); ++ if (*name != '/' && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt)) { ++ path_put(&nd->path); ++ retval = -ENOENT; ++ } + } + } if (nd->root.mnt) { @@ -81122,7 +81169,7 @@ index b0afbd4..2b96439 100644 return retval; } -@@ -1251,6 +1279,11 @@ static int __lookup_one_len(const char *name, struct qstr *this, +@@ -1251,6 +1281,11 @@ static int __lookup_one_len(const char *name, struct qstr *this, if (!len) return -EACCES; @@ -81134,7 +81181,7 @@ index b0afbd4..2b96439 100644 hash = init_name_hash(); while (len--) { c = *(const unsigned char *)name++; -@@ -1576,6 +1609,20 @@ int may_open(struct path *path, int acc_mode, int flag) +@@ -1576,6 +1611,20 @@ int may_open(struct path *path, int acc_mode, int flag) if (error) goto err_out; 
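Review bot: `ret = 0 != mmap_region(NULL, 0, PAGE_ALIGN(size), flags, vm_flags, 0);` treats any non-zero return as failure, which is correct only because the requested address is 0 (so success returns 0) and only if `flags`, set in the lines above this hunk, includes `MAP_FIXED`; a mapping placed anywhere else would be misread as an error and the `-errno` is flattened to `1`. Spell the intent out: `ret = IS_ERR_VALUE(mmap_region(NULL, 0, PAGE_ALIGN(size), flags, vm_flags, 0));`. If `setup_arg_pages` still maps every non-zero `ret` to `-EFAULT` after the `expand_stack` call, the value is discarded anyway, but the comparison should not depend on that. `setup_arg_pages` starts and ends outside the hunk.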
@@ -81155,7 +81202,7 @@ index b0afbd4..2b96439 100644 if (flag & O_TRUNC) { error = get_write_access(inode); if (error) -@@ -1620,6 +1667,17 @@ static int __open_namei_create(struct nameidata *nd, struct path *path, +@@ -1620,6 +1669,17 @@ static int __open_namei_create(struct nameidata *nd, struct path *path, { int error; struct dentry *dir = nd->path.dentry; @@ -81173,7 +81220,7 @@ index b0afbd4..2b96439 100644 if (!IS_POSIXACL(dir->d_inode)) mode &= ~current_umask(); -@@ -1627,6 +1685,8 @@ static int __open_namei_create(struct nameidata *nd, struct path *path, +@@ -1627,6 +1687,8 @@ static int __open_namei_create(struct nameidata *nd, struct path *path, if (error) goto out_unlock; error = vfs_create(dir->d_inode, path->dentry, mode, nd); @@ -81182,7 +81229,7 @@ index b0afbd4..2b96439 100644 out_unlock: mutex_unlock(&dir->d_inode->i_mutex); dput(nd->path.dentry); -@@ -1684,6 +1744,7 @@ struct file *do_filp_open(int dfd, const char *pathname, +@@ -1684,6 +1746,7 @@ struct file *do_filp_open(int dfd, const char *pathname, struct nameidata nd; int error; struct path path; @@ -81190,7 +81237,7 @@ index b0afbd4..2b96439 100644 struct dentry *dir; int count = 0; int will_write; -@@ -1709,6 +1770,22 @@ struct file *do_filp_open(int dfd, const char *pathname, +@@ -1709,6 +1772,22 @@ struct file *do_filp_open(int dfd, const char *pathname, &nd, flag); if (error) return ERR_PTR(error); @@ -81213,7 +81260,7 @@ index b0afbd4..2b96439 100644 goto ok; } -@@ -1795,6 +1872,19 @@ do_last: +@@ -1795,6 +1874,19 @@ do_last: /* * It already exists. */ @@ -81233,7 +81280,7 @@ index b0afbd4..2b96439 100644 mutex_unlock(&dir->d_inode->i_mutex); audit_inode(pathname, path.dentry); -@@ -1887,6 +1977,14 @@ do_link: +@@ -1887,6 +1979,14 @@ do_link: error = security_inode_follow_link(path.dentry, &nd); if (error) goto exit_dput; 
@@ -81248,7 +81295,7 @@ index b0afbd4..2b96439 100644 error = __do_follow_link(&path, &nd); if (error) { /* Does someone understand code flow here? Or it is only -@@ -1915,9 +2013,24 @@ do_link: +@@ -1915,9 +2015,24 @@ do_link: } dir = nd.path.dentry; mutex_lock(&dir->d_inode->i_mutex); @@ -81273,7 +81320,7 @@ index b0afbd4..2b96439 100644 goto do_last; } -@@ -1984,6 +2097,10 @@ struct dentry *lookup_create(struct nameidata *nd, int is_dir) +@@ -1984,6 +2099,10 @@ struct dentry *lookup_create(struct nameidata *nd, int is_dir) } return dentry; eexist: @@ -81284,7 +81331,7 @@ index b0afbd4..2b96439 100644 dput(dentry); dentry = ERR_PTR(-EEXIST); fail: -@@ -2061,6 +2178,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, +@@ -2061,6 +2180,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, error = may_mknod(mode); if (error) goto out_dput; @@ -81302,7 +81349,7 @@ index b0afbd4..2b96439 100644 error = mnt_want_write(nd.path.mnt); if (error) goto out_dput; -@@ -2081,6 +2209,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, +@@ -2081,6 +2211,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, } out_drop_write: mnt_drop_write(nd.path.mnt); @@ -81312,7 +81359,7 @@ index b0afbd4..2b96439 100644 out_dput: dput(dentry); out_unlock: -@@ -2134,6 +2265,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode) +@@ -2134,6 +2267,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode) if (IS_ERR(dentry)) goto out_unlock; 
@@ -81324,7 +81371,7 @@ index b0afbd4..2b96439 100644 if (!IS_POSIXACL(nd.path.dentry->d_inode)) mode &= ~current_umask(); error = mnt_want_write(nd.path.mnt); -@@ -2145,6 +2281,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode) +@@ -2145,6 +2283,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode) error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode); out_drop_write: mnt_drop_write(nd.path.mnt); @@ -81335,7 +81382,7 @@ index b0afbd4..2b96439 100644 out_dput: dput(dentry); out_unlock: -@@ -2226,6 +2366,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -2226,6 +2368,8 @@ static long do_rmdir(int dfd, const char __user *pathname) char * name; struct dentry *dentry; struct nameidata nd; @@ -81344,7 +81391,7 @@ index b0afbd4..2b96439 100644 error = user_path_parent(dfd, pathname, &nd, &name); if (error) -@@ -2250,6 +2392,17 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -2250,6 +2394,17 @@ static long do_rmdir(int dfd, const char __user *pathname) error = PTR_ERR(dentry); if (IS_ERR(dentry)) goto exit2; @@ -81362,7 +81409,7 @@ index b0afbd4..2b96439 100644 error = mnt_want_write(nd.path.mnt); if (error) goto exit3; -@@ -2257,6 +2410,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -2257,6 +2412,8 @@ static long do_rmdir(int dfd, const char __user *pathname) if (error) goto exit4; error = vfs_rmdir(nd.path.dentry->d_inode, dentry); @@ -81371,7 +81418,7 @@ index b0afbd4..2b96439 100644 exit4: mnt_drop_write(nd.path.mnt); exit3: -@@ -2318,6 +2473,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -2318,6 +2475,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) struct dentry *dentry; struct nameidata nd; struct inode *inode = NULL; 
@@ -81380,7 +81427,7 @@ index b0afbd4..2b96439 100644 error = user_path_parent(dfd, pathname, &nd, &name); if (error) -@@ -2337,8 +2494,19 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -2337,8 +2496,19 @@ static long do_unlinkat(int dfd, const char __user *pathname) if (nd.last.name[nd.last.len]) goto slashes; inode = dentry->d_inode; @@ -81401,7 +81448,7 @@ index b0afbd4..2b96439 100644 error = mnt_want_write(nd.path.mnt); if (error) goto exit2; -@@ -2346,6 +2514,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -2346,6 +2516,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) if (error) goto exit3; error = vfs_unlink(nd.path.dentry->d_inode, dentry); @@ -81410,7 +81457,7 @@ index b0afbd4..2b96439 100644 exit3: mnt_drop_write(nd.path.mnt); exit2: -@@ -2424,6 +2594,11 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, +@@ -2424,6 +2596,11 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, if (IS_ERR(dentry)) goto out_unlock; @@ -81422,7 +81469,7 @@ index b0afbd4..2b96439 100644 error = mnt_want_write(nd.path.mnt); if (error) goto out_dput; -@@ -2431,6 +2606,8 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, +@@ -2431,6 +2608,8 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, if (error) goto out_drop_write; error = vfs_symlink(nd.path.dentry->d_inode, dentry, from); @@ -81431,7 +81478,7 @@ index b0afbd4..2b96439 100644 out_drop_write: mnt_drop_write(nd.path.mnt); out_dput: -@@ -2524,6 +2701,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -2524,6 +2703,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, error = PTR_ERR(new_dentry); if (IS_ERR(new_dentry)) goto out_unlock; 
@@ -81452,7 +81499,7 @@ index b0afbd4..2b96439 100644 error = mnt_want_write(nd.path.mnt); if (error) goto out_dput; -@@ -2531,6 +2722,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -2531,6 +2724,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, if (error) goto out_drop_write; error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry); @@ -81461,7 +81508,7 @@ index b0afbd4..2b96439 100644 out_drop_write: mnt_drop_write(nd.path.mnt); out_dput: -@@ -2708,6 +2901,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, +@@ -2708,6 +2903,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, char *to; int error; @@ -81470,7 +81517,7 @@ index b0afbd4..2b96439 100644 error = user_path_parent(olddfd, oldname, &oldnd, &from); if (error) goto exit; -@@ -2764,6 +2959,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, +@@ -2764,6 +2961,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, if (new_dentry == trap) goto exit5; @@ -81483,7 +81530,7 @@ index b0afbd4..2b96439 100644 error = mnt_want_write(oldnd.path.mnt); if (error) goto exit5; -@@ -2773,6 +2974,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, +@@ -2773,6 +2976,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, goto exit6; error = vfs_rename(old_dir->d_inode, old_dentry, new_dir->d_inode, new_dentry); @@ -81493,7 +81540,7 @@ index b0afbd4..2b96439 100644 exit6: mnt_drop_write(oldnd.path.mnt); exit5: -@@ -2798,6 +3002,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna +@@ -2798,6 +3004,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link) { 
@@ -81502,7 +81549,7 @@ index b0afbd4..2b96439 100644 int len; len = PTR_ERR(link); -@@ -2807,7 +3013,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c +@@ -2807,7 +3015,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c len = strlen(link); if (len > (unsigned) buflen) len = buflen; @@ -86042,10 +86089,10 @@ index 0000000..1b9afa9 +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..5aba5a8 +index 0000000..1edd4b5 --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,4197 @@ +@@ -0,0 +1,4201 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -86071,6 +86118,7 @@ index 0000000..5aba5a8 +#include <linux/stop_machine.h> +#include <linux/fdtable.h> +#include <linux/percpu.h> ++#include <linux/posix-timers.h> + +#include <asm/uaccess.h> +#include <asm/errno.h> @@ -88348,6 +88396,9 @@ index 0000000..5aba5a8 + + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur; + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max; ++ ++ if (i == RLIMIT_CPU) ++ update_rlimit_cpu(task, proc->res[i].rlim_cur); + } + + return; @@ -96556,6 +96607,19 @@ index 78e9047..ff39f6b 100644 /* handle uniform packets for scsi type devices (scsi,atapi) */ int (*generic_packet) (struct cdrom_device_info *, struct packet_command *); +diff --git a/include/linux/compat.h b/include/linux/compat.h +index 510266f..9d64053 100644 +--- a/include/linux/compat.h ++++ b/include/linux/compat.h +@@ -271,7 +271,7 @@ extern int compat_ptrace_request(struct task_struct *child, + extern long compat_arch_ptrace(struct task_struct *child, compat_long_t request, + compat_ulong_t addr, compat_ulong_t data); + asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid, +- compat_long_t addr, compat_long_t data); ++ compat_ulong_t addr, compat_ulong_t data); + + /* + * epoll (fs/eventpoll.c) compat bits follow ... 
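Review bot: The new `update_rlimit_cpu(task, proc->res[i].rlim_cur)` call is made for every `RLIMIT_CPU` entry, including `RLIM_INFINITY`; if this tree's `sys_setrlimit` still guards its own call with `rlim_cur != RLIM_INFINITY` (as mainline 2.6.32 does, because the helper converts the value with `secs_to_cputime` and arms the `CPUCLOCK_PROF` timer), mirror that here: `if (i == RLIMIT_CPU && proc->res[i].rlim_cur != RLIM_INFINITY)`. The task-taking variant (its kernel/posix-cpu-timers.c hunk is cut off at the end of this chunk) presumably takes `task->sighand->siglock`, so `task->sighand` must be stable at this call — tasklist_lock held or `task == current` — and a comment stating which holds would help, since the enclosing function starts outside the hunk.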
diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h index 450fa59..16b904d 100644 --- a/include/linux/compiler-gcc4.h @@ -98104,17 +98168,16 @@ index 0000000..18863d1 +#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for " diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h new file mode 100644 -index 0000000..6e2f8bc +index 0000000..9ced8a0 --- /dev/null +++ b/include/linux/grsecurity.h -@@ -0,0 +1,226 @@ +@@ -0,0 +1,222 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H +#include <linux/fs.h> +#include <linux/fs_struct.h> +#include <linux/binfmts.h> +#include <linux/gracl.h> -+#include <linux/compat.h> + +/* notify of brain-dead configs */ +#if defined(CONFIG_GRKERNSEC_PROC_USER) && defined(CONFIG_GRKERNSEC_PROC_USERGROUP) @@ -98184,9 +98247,6 @@ index 0000000..6e2f8bc +void gr_log_chroot_exec(const struct dentry *dentry, + const struct vfsmount *mnt); +void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv); -+#ifdef CONFIG_COMPAT -+void gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv); -+#endif +void gr_log_remount(const char *devname, const int retval); +void gr_log_unmount(const char *devname, const int retval); +void gr_log_mount(const char *from, const char *to, const int retval); @@ -98900,7 +98960,7 @@ index 3797270..7765ede 100644 struct mca_bus { u64 default_dma_mask; diff --git a/include/linux/mm.h b/include/linux/mm.h -index 11e5be6..8ff8c91 100644 +index 11e5be6..8a2af3a 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -106,7 +106,14 @@ extern unsigned int kobjsize(const void *objp); 
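Review bot: Changing `compat_sys_ptrace`'s `addr`/`data` to `compat_ulong_t` in the declaration is only half of a fix: the definition in kernel/ptrace.c is not in this view, and a prototype that disagrees with its definition across translation units is not a compile error — the difference shows up only as whether a 32-bit `addr` at or above 0x80000000 is sign- or zero-extended when widened. Confirm the definition is changed in the same patch (this matches the mainline `compat_ulong_t` signature), and consider a comment on the prototype: `/* unsigned: a 32-bit addr must be zero-extended, never sign-extended */`.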
@@ -99023,7 +99083,19 @@ index 11e5be6..8ff8c91 100644 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr); int remap_pfn_range(struct vm_area_struct *, unsigned long addr, unsigned long pfn, unsigned long size, pgprot_t); -@@ -1332,7 +1365,13 @@ extern void memory_failure(unsigned long pfn, int trapno); +@@ -1263,6 +1296,11 @@ void vm_stat_account(struct mm_struct *, unsigned long, struct file *, long); + static inline void vm_stat_account(struct mm_struct *mm, + unsigned long flags, struct file *file, long pages) + { ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC))) ++#endif ++ ++ mm->total_vm += pages; + } + #endif /* CONFIG_PROC_FS */ + +@@ -1332,7 +1370,13 @@ extern void memory_failure(unsigned long pfn, int trapno); extern int __memory_failure(unsigned long pfn, int trapno, int ref); extern int sysctl_memory_failure_early_kill; extern int sysctl_memory_failure_recovery; @@ -99039,7 +99111,7 @@ index 11e5be6..8ff8c91 100644 #endif /* __KERNEL__ */ #endif /* _LINUX_MM_H */ diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h -index 9d12ed5..9d9dab3 100644 +index 9d12ed5..6d9707a 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h @@ -186,6 +186,8 @@ struct vm_area_struct { @@ -99051,15 +99123,6 @@ index 9d12ed5..9d9dab3 100644 }; struct core_thread { -@@ -235,7 +237,7 @@ struct mm_struct { - unsigned long total_vm, locked_vm, shared_vm, exec_vm; - unsigned long stack_vm, reserved_vm, def_flags, nr_ptes; - unsigned long start_code, end_code, start_data, end_data; -- unsigned long start_brk, brk, start_stack; -+ unsigned long brk_gap, start_brk, brk, start_stack; - unsigned long arg_start, arg_end, env_start, env_end; - - unsigned long saved_auxv[AT_VECTOR_SIZE]; /* for /proc/PID/auxv */ @@ -287,6 +289,24 @@ struct mm_struct { #ifdef CONFIG_MMU_NOTIFIER struct mmu_notifier_mm *mmu_notifier_mm; 
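Review bot: In the new `vm_stat_account` body the `#ifdef CONFIG_PAX_RANDMMAP` … `#endif` wraps a bare `if` whose body is the `mm->total_vm += pages;` line after a blank; with the option off the condition vanishes and the statement runs unconditionally, which is the intent but easy to misread — invert it into an early `return` under the `#ifdef` so the unconditional `mm->total_vm += pages;` follows at the same level. This inline is the `#else` (non-`CONFIG_PROC_FS`) variant; the out-of-line one in mm/mmap.c is beyond this view and must apply the same `VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC` condition, since the perfmon.c and fork.c hunks in this patch now rely on `vm_stat_account` alone to maintain `total_vm`. A one-line comment such as `/* RANDMMAP gap mappings carry no VM_MAY* bits and are not charged to total_vm */` would tell the next reader why permission-less mappings are excluded.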
@@ -99614,7 +99677,7 @@ index 34066ff..e95d744 100644 /********** include/linux/timer.h **********/ /* diff --git a/include/linux/posix-timers.h b/include/linux/posix-timers.h -index 4f71bf4..cd2f68e 100644 +index 4f71bf4..724d413 100644 --- a/include/linux/posix-timers.h +++ b/include/linux/posix-timers.h @@ -82,7 +82,8 @@ struct k_clock { @@ -99627,6 +99690,14 @@ index 4f71bf4..cd2f68e 100644 void register_posix_clock(const clockid_t clock_id, struct k_clock *new_clock); +@@ -117,6 +118,6 @@ void set_process_cpu_timer(struct task_struct *task, unsigned int clock_idx, + + long clock_nanosleep_restart(struct restart_block *restart_block); + +-void update_rlimit_cpu(unsigned long rlim_new); ++void update_rlimit_cpu(struct task_struct *task, unsigned long rlim_new); + + #endif diff --git a/include/linux/prefetch.h b/include/linux/prefetch.h index af7c36a..a93005c 100644 --- a/include/linux/prefetch.h @@ -103473,7 +103544,7 @@ index a2a1659..df8479c 100644 get_task_struct(p); read_unlock(&tasklist_lock); diff --git a/kernel/fork.c b/kernel/fork.c -index c28f804..3a04506 100644 +index c28f804..4f038a3 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -240,21 +240,26 @@ static struct task_struct *dup_task_struct(struct task_struct *orig) @@ -103522,7 +103593,16 @@ index c28f804..3a04506 100644 mm->map_count = 0; cpumask_clear(mm_cpumask(mm)); mm->mm_rb = RB_ROOT; -@@ -319,7 +324,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) +@@ -311,15 +316,13 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) + struct file *file; + + if (mpnt->vm_flags & VM_DONTCOPY) { +- long pages = vma_pages(mpnt); +- mm->total_vm -= pages; + vm_stat_account(mm, mpnt->vm_flags, mpnt->vm_file, +- -pages); ++ -vma_pages(mpnt)); + continue; } charge = 0; if (mpnt->vm_flags & VM_ACCOUNT) { 
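Review bot: `-vma_pages(mpnt)` in `dup_mmap` negates an `unsigned long` and then converts the wrapped value to the `long pages` parameter of `vm_stat_account`; the result equals the removed `long pages = …; -pages` on two's complement, but `-(long)vma_pages(mpnt)` states the signed intent without relying on the unsigned-to-signed conversion. The decrement now goes through the RANDMMAP-conditional `vm_stat_account`, which is consistent only if the `total_vm` value `mm` inherits before this loop (outside the hunk) was accumulated under the same condition. `dup_mmap` starts and ends outside the hunk.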
@@ -103531,7 +103611,7 @@ index c28f804..3a04506 100644 if (security_vm_enough_memory(len)) goto fail_nomem; charge = len; -@@ -336,6 +341,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) +@@ -336,6 +339,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) tmp->vm_flags &= ~VM_LOCKED; tmp->vm_mm = mm; tmp->vm_next = tmp->vm_prev = NULL; @@ -103539,7 +103619,7 @@ index c28f804..3a04506 100644 anon_vma_link(tmp); file = tmp->vm_file; if (file) { -@@ -385,6 +391,31 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) +@@ -385,6 +389,31 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) if (retval) goto out; } @@ -103571,7 +103651,7 @@ index c28f804..3a04506 100644 /* a new mm has just been created */ arch_dup_mmap(oldmm, mm); retval = 0; -@@ -735,13 +766,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk) +@@ -735,13 +764,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk) write_unlock(&fs->lock); return -EAGAIN; } @@ -103593,7 +103673,7 @@ index c28f804..3a04506 100644 return 0; } -@@ -913,6 +951,8 @@ static int copy_signal(unsigned long clone_flags, struct task_struct *tsk) +@@ -913,6 +949,8 @@ static int copy_signal(unsigned long clone_flags, struct task_struct *tsk) sig->oom_adj = current->signal->oom_adj; @@ -103602,7 +103682,7 @@ index c28f804..3a04506 100644 return 0; } -@@ -1036,12 +1076,16 @@ static struct task_struct *copy_process(unsigned long clone_flags, +@@ -1036,12 +1074,16 @@ static struct task_struct *copy_process(unsigned long clone_flags, DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled); #endif retval = -EAGAIN; @@ -103621,7 +103701,7 @@ index c28f804..3a04506 100644 retval = copy_creds(p, clone_flags); if (retval < 0) -@@ -1263,6 +1307,11 @@ static struct task_struct *copy_process(unsigned long clone_flags, +@@ -1263,6 +1305,11 @@ static struct task_struct *copy_process(unsigned long clone_flags, goto bad_fork_free_pid; } 
@@ -103633,7 +103713,7 @@ index c28f804..3a04506 100644 if (clone_flags & CLONE_THREAD) { atomic_inc(¤t->signal->count); atomic_inc(¤t->signal->live); -@@ -1337,6 +1386,8 @@ bad_fork_cleanup_count: +@@ -1337,6 +1384,8 @@ bad_fork_cleanup_count: bad_fork_free: free_task(p); fork_out: @@ -103642,7 +103722,7 @@ index c28f804..3a04506 100644 return ERR_PTR(retval); } -@@ -1430,6 +1481,8 @@ long do_fork(unsigned long clone_flags, +@@ -1430,6 +1479,8 @@ long do_fork(unsigned long clone_flags, if (clone_flags & CLONE_PARENT_SETTID) put_user(nr, parent_tidptr); @@ -103651,7 +103731,7 @@ index c28f804..3a04506 100644 if (clone_flags & CLONE_VFORK) { p->vfork_done = &vfork; init_completion(&vfork); -@@ -1562,7 +1615,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) +@@ -1562,7 +1613,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) return 0; /* don't need lock here; in the worst case we'll do useless copy */ @@ -103660,7 +103740,7 @@ index c28f804..3a04506 100644 return 0; *new_fsp = copy_fs_struct(fs); -@@ -1685,7 +1738,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) +@@ -1685,7 +1736,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) fs = current->fs; write_lock(&fs->lock); current->fs = new_fs; @@ -105747,10 +105827,10 @@ index fce7198..4f23a7e 100644 { struct pid *pid; diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c -index 5c9dc22..7652dca 100644 +index 5c9dc22..6971ae8 100644 --- a/kernel/posix-cpu-timers.c +++ b/kernel/posix-cpu-timers.c -@@ -6,9 +6,11 @@ +@@ -6,23 +6,25 @@ #include <linux/posix-timers.h> #include <linux/errno.h> #include <linux/math64.h> 
@@ -105762,6 +105842,25 @@ index 5c9dc22..7652dca 100644 /* * Called after updating RLIMIT_CPU to set timer expiration if necessary. + */ +-void update_rlimit_cpu(unsigned long rlim_new) ++void update_rlimit_cpu(struct task_struct *task, unsigned long rlim_new) + { + cputime_t cputime = secs_to_cputime(rlim_new); +- struct signal_struct *const sig = current->signal; ++ struct signal_struct *const sig = task->signal; + + if (cputime_eq(sig->it[CPUCLOCK_PROF].expires, cputime_zero) || + cputime_gt(sig->it[CPUCLOCK_PROF].expires, cputime)) { +- spin_lock_irq(¤t->sighand->siglock); +- set_process_cpu_timer(current, CPUCLOCK_PROF, &cputime, NULL); +- spin_unlock_irq(¤t->sighand->siglock); ++ spin_lock_irq(&task->sighand->siglock); ++ set_process_cpu_timer(task, CPUCLOCK_PROF, &cputime, NULL); ++ spin_unlock_irq(&task->sighand->siglock); + } + } + @@ -516,6 +518,8 @@ static void cleanup_timers(struct list_head *head, */ void posix_cpu_timers_exit(struct task_struct *tsk) @@ -106232,7 +106331,7 @@ index dfadc5b..7f59404 100644 } diff --git a/kernel/ptrace.c b/kernel/ptrace.c -index 05625f6..741869b 100644 +index 05625f6..123e351 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -56,7 +56,7 @@ static void ptrace_untrace(struct task_struct *child) @@ -106529,6 +106628,15 @@ index 05625f6..741869b 100644 switch (request) { case PTRACE_PEEKTEXT: case PTRACE_PEEKDATA: +@@ -720,7 +799,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request, + } + + asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid, +- compat_long_t addr, compat_long_t data) ++ compat_ulong_t addr, compat_ulong_t data) + { + struct task_struct *child; + long ret; @@ -740,20 +819,30 @@ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid, goto out; } @@ -107282,7 +107390,7 @@ index 04a0252..4ee2bbb 100644 struct tasklet_struct *list; diff --git a/kernel/sys.c b/kernel/sys.c -index e9512b1..f07185f 100644 +index e9512b1..dec4030 100644 
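Review bot: `update_rlimit_cpu` now dereferences `task->sighand->siglock` for an arbitrary `task`, but there is no check that `task->sighand` is still non-NULL; for a task other than `current` that pointer is cleared on exit, so a future caller passing a foreign task would race with exit and dereference NULL. Every caller visible in this patch (`setrlimit` in kernel/sys.c and `selinux_bprm_committing_creds`) passes `current`, for which this cannot happen, so the change is correct today, but the widened interface invites the bug. Either document the precondition, `/* caller must guarantee task->sighand is live: task == current, or hold it via lock_task_sighand() */`, or switch to `lock_task_sighand(task, &flags)` / `unlock_task_sighand()` and return early when it yields NULL. The hunk covers the whole function body.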
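Review bot: Changing `addr` and `data` in `compat_sys_ptrace` from `compat_long_t` to `compat_ulong_t` stops a 32-bit value with bit 31 set from being sign-extended when it is widened for the native ptrace path, which is the right fix, but the same widening occurs wherever these values are forwarded. `compat_ptrace_request` is visible only through the hunk header (`struct task_struct *child, compat_long_t request,`), so its `addr`/`data` parameter types should be confirmed to match; otherwise the sign extension merely moves one call deeper. A short comment at the prototype, `/* unsigned so 32-bit values with bit 31 set are not sign-extended into the native long */`, would record the intent.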
--- a/kernel/sys.c +++ b/kernel/sys.c @@ -133,6 +133,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error) @@ -107444,6 +107552,15 @@ index e9512b1..f07185f 100644 if (gid != old_fsgid) { new->fsgid = gid; goto change_okay; +@@ -1282,7 +1323,7 @@ SYSCALL_DEFINE2(setrlimit, unsigned int, resource, struct rlimit __user *, rlim) + if (new_rlim.rlim_cur == RLIM_INFINITY) + goto out; + +- update_rlimit_cpu(new_rlim.rlim_cur); ++ update_rlimit_cpu(current, new_rlim.rlim_cur); + out: + return 0; + } @@ -1454,7 +1495,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, error = get_dumpable(me->mm); break; @@ -110486,7 +110603,7 @@ index 2d846cf..8d5cdd8 100644 capable(CAP_IPC_LOCK)) ret = do_mlockall(flags); diff --git a/mm/mmap.c b/mm/mmap.c -index 4b80cbf..89f7b42 100644 +index 4b80cbf..abfd61a 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -29,6 +29,7 @@ @@ -110684,13 +110801,19 @@ index 4b80cbf..89f7b42 100644 return area; } -@@ -898,14 +979,11 @@ none: +@@ -898,15 +979,22 @@ none: void vm_stat_account(struct mm_struct *mm, unsigned long flags, struct file *file, long pages) { - const unsigned long stack_flags - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN); -- ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC))) ++#endif ++ ++ mm->total_vm += pages; + if (file) { mm->shared_vm += pages; if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC) 
@@ -110698,9 +110821,13 @@ index 4b80cbf..89f7b42 100644 - } else if (flags & stack_flags) + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN)) mm->stack_vm += pages; ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC))) ++#endif if (flags & (VM_RESERVED|VM_IO)) mm->reserved_vm += pages; -@@ -932,7 +1010,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, + } +@@ -932,7 +1020,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, * (the exception is when the underlying filesystem is noexec * mounted, in which case we dont add PROT_EXEC.) */ @@ -110709,7 +110836,7 @@ index 4b80cbf..89f7b42 100644 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC))) prot |= PROT_EXEC; -@@ -958,7 +1036,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -958,7 +1046,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, /* Obtain the address to map to. we verify (or select) it and ensure * that it represents a valid section of the address space. */ @@ -110718,7 +110845,7 @@ index 4b80cbf..89f7b42 100644 if (addr & ~PAGE_MASK) return addr; -@@ -969,6 +1047,36 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -969,6 +1057,36 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; @@ -110755,7 +110882,7 @@ index 4b80cbf..89f7b42 100644 if (flags & MAP_LOCKED) if (!can_do_mlock()) return -EPERM; -@@ -980,6 +1088,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -980,6 +1098,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, locked += mm->locked_vm; lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur; lock_limit >>= PAGE_SHIFT; 
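Review bot: In mm/mmap.c's `vm_stat_account` the second RANDMMAP guard yields a nested unbraced `if`: `if (!(mm->pax_flags & MF_PAX_RANDMMAP) || ...) if (flags & (VM_RESERVED|VM_IO)) mm->reserved_vm += pages;`, which reads like a dangling-else trap and, as with the `total_vm` update at the top of the function, binds to whatever statement happens to follow. Braces around both guarded statements, or a single `bool counted = ...;` computed once at the top of the function and tested twice, would make the intent explicit and avoid evaluating the same expression twice. The resulting asymmetry (`shared_vm`, `exec_vm` and `stack_vm` stay unconditional while `total_vm` and `reserved_vm` are skipped for mappings without VM_MAY* bits) looks deliberate but deserves a comment saying so, since `/proc/PID/status` consumers will see counters that no longer sum the way they used to. The function starts in the previous line of this hunk and is complete within it.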
@@ -110763,7 +110890,7 @@ index 4b80cbf..89f7b42 100644 if (locked > lock_limit && !capable(CAP_IPC_LOCK)) return -EAGAIN; } -@@ -1053,6 +1162,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -1053,6 +1172,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, if (error) return error; @@ -110773,7 +110900,7 @@ index 4b80cbf..89f7b42 100644 return mmap_region(file, addr, len, flags, vm_flags, pgoff); } EXPORT_SYMBOL(do_mmap_pgoff); -@@ -1065,10 +1177,10 @@ EXPORT_SYMBOL(do_mmap_pgoff); +@@ -1065,10 +1187,10 @@ EXPORT_SYMBOL(do_mmap_pgoff); */ int vma_wants_writenotify(struct vm_area_struct *vma) { @@ -110786,7 +110913,7 @@ index 4b80cbf..89f7b42 100644 return 0; /* The backer wishes to know when pages are first written to? */ -@@ -1117,14 +1229,24 @@ unsigned long mmap_region(struct file *file, unsigned long addr, +@@ -1117,17 +1239,32 @@ unsigned long mmap_region(struct file *file, unsigned long addr, unsigned long charged = 0; struct inode *inode = file ? file->f_path.dentry->d_inode : NULL; @@ -110813,7 +110940,15 @@ index 4b80cbf..89f7b42 100644 } /* Check against address space limit. */ -@@ -1173,6 +1295,16 @@ munmap_back: ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (vm_flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC))) ++#endif ++ + if (!may_expand_vm(mm, len >> PAGE_SHIFT)) + return -ENOMEM; + +@@ -1173,6 +1310,16 @@ munmap_back: goto unacct_error; } @@ -110830,7 +110965,7 @@ index 4b80cbf..89f7b42 100644 vma->vm_mm = mm; vma->vm_start = addr; vma->vm_end = addr + len; -@@ -1180,8 +1312,9 @@ munmap_back: +@@ -1180,8 +1327,9 @@ munmap_back: vma->vm_page_prot = vm_get_page_prot(vm_flags); vma->vm_pgoff = pgoff; 
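Review bot: In `mmap_region` the RLIMIT_AS check `if (!may_expand_vm(mm, len >> PAGE_SHIFT)) return -ENOMEM;` is now skipped entirely for a RANDMMAP process whenever `vm_flags` carries none of `VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC`. That is safe only as long as no user-reachable path can hand `mmap_region` such a `vm_flags`; `do_mmap_pgoff` ORs all three bits in unconditionally (visible earlier in this diff), so the visible callers hold the invariant, but nothing here states it and the cost of breaking it is an address-space-limit bypass. A comment at the guard, `/* only the kernel-created PROT_NONE gap lacks all VM_MAY* bits (do_mmap_pgoff always sets them); it is not charged against RLIMIT_AS */`, would pin that assumption, and the unbraced `#ifdef`-wrapped `if` followed by a blank line is as fragile here as in `vm_stat_account`. The rest of `mmap_region` lies outside this hunk.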
@@ -110841,7 +110976,7 @@ index 4b80cbf..89f7b42 100644 if (vm_flags & (VM_GROWSDOWN|VM_GROWSUP)) goto free_vma; if (vm_flags & VM_DENYWRITE) { -@@ -1195,6 +1328,19 @@ munmap_back: +@@ -1195,6 +1343,19 @@ munmap_back: error = file->f_op->mmap(file, vma); if (error) goto unmap_and_free_vma; @@ -110861,7 +110996,7 @@ index 4b80cbf..89f7b42 100644 if (vm_flags & VM_EXECUTABLE) added_exe_file_vma(mm); -@@ -1207,6 +1353,8 @@ munmap_back: +@@ -1207,6 +1368,8 @@ munmap_back: pgoff = vma->vm_pgoff; vm_flags = vma->vm_flags; } else if (vm_flags & VM_SHARED) { @@ -110870,7 +111005,7 @@ index 4b80cbf..89f7b42 100644 error = shmem_zero_setup(vma); if (error) goto free_vma; -@@ -1218,6 +1366,11 @@ munmap_back: +@@ -1218,14 +1381,19 @@ munmap_back: vma_link(mm, vma, prev, rb_link, rb_parent); file = vma->vm_file; @@ -110882,15 +111017,16 @@ index 4b80cbf..89f7b42 100644 /* Once vma denies write, undo our temporary denial count */ if (correct_wcount) atomic_inc(&inode->i_writecount); -@@ -1226,6 +1379,7 @@ out: + out: + perf_event_mmap(vma); - mm->total_vm += len >> PAGE_SHIFT; +- mm->total_vm += len >> PAGE_SHIFT; vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT); + track_exec_limit(mm, addr, addr + len, vm_flags); if (vm_flags & VM_LOCKED) { /* * makes pages present; downgrades, drops, reacquires mmap_sem -@@ -1248,6 +1402,12 @@ unmap_and_free_vma: +@@ -1248,6 +1416,12 @@ unmap_and_free_vma: unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); charged = 0; free_vma: @@ -110903,7 +111039,7 @@ index 4b80cbf..89f7b42 100644 kmem_cache_free(vm_area_cachep, vma); unacct_error: if (charged) -@@ -1255,6 +1415,62 @@ unacct_error: +@@ -1255,6 +1429,62 @@ unacct_error: return error; } 
@@ -110966,7 +111102,7 @@ index 4b80cbf..89f7b42 100644 /* Get an address range which is currently unmapped. * For shmat() with addr=0. * -@@ -1274,6 +1490,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -1274,6 +1504,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, struct mm_struct *mm = current->mm; struct vm_area_struct *vma; unsigned long start_addr; @@ -110974,7 +111110,7 @@ index 4b80cbf..89f7b42 100644 if (len > TASK_SIZE) return -ENOMEM; -@@ -1281,18 +1498,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -1281,18 +1512,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, if (flags & MAP_FIXED) return addr; @@ -111005,7 +111141,7 @@ index 4b80cbf..89f7b42 100644 } full_search: -@@ -1303,34 +1525,40 @@ full_search: +@@ -1303,34 +1539,40 @@ full_search: * Start a new search - just in case we missed * some holes. */ @@ -111057,7 +111193,7 @@ index 4b80cbf..89f7b42 100644 mm->free_area_cache = addr; mm->cached_hole_size = ~0UL; } -@@ -1348,7 +1576,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1348,7 +1590,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, { struct vm_area_struct *vma; struct mm_struct *mm = current->mm; @@ -111067,7 +111203,7 @@ index 4b80cbf..89f7b42 100644 /* requested length too big for entire address space */ if (len > TASK_SIZE) -@@ -1357,13 +1586,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1357,13 +1600,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (flags & MAP_FIXED) return addr; 
@@ -111090,7 +111226,7 @@ index 4b80cbf..89f7b42 100644 } /* check if free_area_cache is useful for us */ -@@ -1378,7 +1612,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1378,7 +1626,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, /* make sure it can fit in the remaining address space */ if (addr > len) { vma = find_vma(mm, addr-len); @@ -111099,7 +111235,7 @@ index 4b80cbf..89f7b42 100644 /* remember the address as a hint for next time */ return (mm->free_area_cache = addr-len); } -@@ -1395,7 +1629,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1395,7 +1643,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, * return with success: */ vma = find_vma(mm, addr); @@ -111108,7 +111244,7 @@ index 4b80cbf..89f7b42 100644 /* remember the address as a hint for next time */ return (mm->free_area_cache = addr); -@@ -1404,8 +1638,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1404,8 +1652,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, mm->cached_hole_size = vma->vm_start - addr; /* try just below the current vma->vm_start */ @@ -111119,7 +111255,7 @@ index 4b80cbf..89f7b42 100644 bottomup: /* -@@ -1414,13 +1648,21 @@ bottomup: +@@ -1414,13 +1662,21 @@ bottomup: * can happen with large stack limits and large mmap() * allocations. */ @@ -111143,7 +111279,7 @@ index 4b80cbf..89f7b42 100644 mm->cached_hole_size = ~0UL; return addr; -@@ -1429,6 +1671,12 @@ bottomup: +@@ -1429,6 +1685,12 @@ bottomup: void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) { 
@@ -111156,7 +111292,7 @@ index 4b80cbf..89f7b42 100644 /* * Is this a new hole at the highest possible address? */ -@@ -1436,8 +1684,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) +@@ -1436,8 +1698,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) mm->free_area_cache = addr; /* dont allow allocations above current base */ @@ -111168,7 +111304,7 @@ index 4b80cbf..89f7b42 100644 } unsigned long -@@ -1510,40 +1760,49 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr) +@@ -1510,40 +1774,49 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr) EXPORT_SYMBOL(find_vma); @@ -111243,7 +111379,7 @@ index 4b80cbf..89f7b42 100644 /* * Verify that the stack growth is acceptable and -@@ -1561,6 +1820,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -1561,6 +1834,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns return -ENOMEM; /* Stack limit test */ @@ -111251,7 +111387,7 @@ index 4b80cbf..89f7b42 100644 if (size > rlim[RLIMIT_STACK].rlim_cur) return -ENOMEM; -@@ -1570,6 +1830,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -1570,6 +1844,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns unsigned long limit; locked = mm->locked_vm + grow; limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT; 
@@ -111259,7 +111395,15 @@ index 4b80cbf..89f7b42 100644 if (locked > limit && !capable(CAP_IPC_LOCK)) return -ENOMEM; } -@@ -1600,37 +1861,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -1588,7 +1863,6 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns + return -ENOMEM; + + /* Ok, everything looks good - let it rip */ +- mm->total_vm += grow; + if (vma->vm_flags & VM_LOCKED) + mm->locked_vm += grow; + vm_stat_account(mm, vma->vm_flags, vma->vm_file, grow); +@@ -1600,37 +1874,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns * PA-RISC uses this for its stack; IA64 for its Register Backing Store. * vma is the last one with address > vma->vm_end. Have to extend vma. */ @@ -111317,7 +111461,7 @@ index 4b80cbf..89f7b42 100644 unsigned long size, grow; size = address - vma->vm_start; -@@ -1643,6 +1915,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) +@@ -1643,6 +1928,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) vma->vm_end = address; } } @@ -111326,7 +111470,7 @@ index 4b80cbf..89f7b42 100644 anon_vma_unlock(vma); return error; } -@@ -1655,6 +1929,8 @@ static int expand_downwards(struct vm_area_struct *vma, +@@ -1655,6 +1942,8 @@ static int expand_downwards(struct vm_area_struct *vma, unsigned long address) { int error; @@ -111335,7 +111479,7 @@ index 4b80cbf..89f7b42 100644 /* * We must make sure the anon_vma is allocated -@@ -1668,6 +1944,15 @@ static int expand_downwards(struct vm_area_struct *vma, +@@ -1668,6 +1957,15 @@ static int expand_downwards(struct vm_area_struct *vma, if (error) return error; @@ -111351,7 +111495,7 @@ index 4b80cbf..89f7b42 100644 anon_vma_lock(vma); /* -@@ -1677,9 +1962,17 @@ static int expand_downwards(struct vm_area_struct *vma, +@@ -1677,9 +1975,17 @@ static int expand_downwards(struct vm_area_struct *vma, */ /* Somebody else might have raced and expanded it already */ 
@@ -111370,7 +111514,7 @@ index 4b80cbf..89f7b42 100644 size = vma->vm_end - address; grow = (vma->vm_start - address) >> PAGE_SHIFT; -@@ -1689,21 +1982,60 @@ static int expand_downwards(struct vm_area_struct *vma, +@@ -1689,21 +1995,60 @@ static int expand_downwards(struct vm_area_struct *vma, if (!error) { vma->vm_start = address; vma->vm_pgoff -= grow; @@ -111431,7 +111575,7 @@ index 4b80cbf..89f7b42 100644 return expand_upwards(vma, address); } -@@ -1727,6 +2059,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr) +@@ -1727,6 +2072,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr) #else int expand_stack(struct vm_area_struct *vma, unsigned long address) { @@ -111446,10 +111590,11 @@ index 4b80cbf..89f7b42 100644 return expand_downwards(vma, address); } -@@ -1768,6 +2108,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -1768,7 +2121,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) do { long nrpages = vma_pages(vma); +- mm->total_vm -= nrpages; +#ifdef CONFIG_PAX_SEGMEXEC + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) { + vma = remove_vma(vma); @@ -111457,10 +111602,10 @@ index 4b80cbf..89f7b42 100644 + } +#endif + - mm->total_vm -= nrpages; vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); vma = remove_vma(vma); -@@ -1813,6 +2160,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, + } while (vma); +@@ -1813,6 +2172,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, insertion_point = (prev ? &prev->vm_next : &mm->mmap); vma->vm_prev = NULL; do { 
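Review bot: In `remove_vma_list` the SEGMEXEC mirror vmas (`vma->vm_start >= SEGMEXEC_TASK_SIZE`) now `continue` before `vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages)`, and the direct `mm->total_vm -= nrpages` that used to run for them has been removed, so those vmas are no longer subtracted from any counter at unmap time. That is balanced only if the mirrors were also never added at creation; the corresponding mmap and split paths are outside this hunk, so I cannot confirm it here, and any drift in `total_vm` feeds straight into the RLIMIT_AS decision in `may_expand_vm`. A comment on the `continue`, `/* SEGMEXEC mirrors are not accounted when created, so do not un-account them */`, would document the pairing; `nrpages` is also now computed before a branch that may not use it and could move below the `#endif`. The enclosing function starts before this hunk.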
@@ -111477,7 +111622,7 @@ index 4b80cbf..89f7b42 100644 rb_erase(&vma->vm_rb, &mm->mm_rb); mm->map_count--; tail_vma = vma; -@@ -1840,10 +2197,25 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1840,10 +2209,25 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, struct mempolicy *pol; struct vm_area_struct *new; @@ -111503,7 +111648,7 @@ index 4b80cbf..89f7b42 100644 if (mm->map_count >= sysctl_max_map_count) return -ENOMEM; -@@ -1851,6 +2223,16 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1851,6 +2235,16 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, if (!new) return -ENOMEM; @@ -111520,7 +111665,7 @@ index 4b80cbf..89f7b42 100644 /* most fields are the same, copy all, and then fixup */ *new = *vma; -@@ -1861,8 +2243,29 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1861,8 +2255,29 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); } @@ -111550,7 +111695,7 @@ index 4b80cbf..89f7b42 100644 kmem_cache_free(vm_area_cachep, new); return PTR_ERR(pol); } -@@ -1883,6 +2286,28 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1883,6 +2298,28 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, else vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); @@ -111579,7 +111724,7 @@ index 4b80cbf..89f7b42 100644 return 0; } -@@ -1891,11 +2316,30 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -1891,11 +2328,30 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, * work. This now handles partial unmappings. * Jeremy Fitzhardinge <jeremy@goop.org> */ 
@@ -111610,7 +111755,7 @@ index 4b80cbf..89f7b42 100644 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) return -EINVAL; -@@ -1959,6 +2403,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) +@@ -1959,6 +2415,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) /* Fix up all other VM information */ remove_vma_list(mm, vma); @@ -111619,7 +111764,7 @@ index 4b80cbf..89f7b42 100644 return 0; } -@@ -1971,22 +2417,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) +@@ -1971,22 +2429,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) profile_munmap(addr); @@ -111648,7 +111793,7 @@ index 4b80cbf..89f7b42 100644 /* * this is really a simplified "do_mmap". it only handles * anonymous maps. eventually we may be able to do some -@@ -2000,6 +2442,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2000,6 +2454,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) struct rb_node ** rb_link, * rb_parent; pgoff_t pgoff = addr >> PAGE_SHIFT; int error; @@ -111656,7 +111801,7 @@ index 4b80cbf..89f7b42 100644 len = PAGE_ALIGN(len); if (!len) -@@ -2011,16 +2454,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2011,16 +2466,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len) flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; @@ -111688,7 +111833,7 @@ index 4b80cbf..89f7b42 100644 locked += mm->locked_vm; lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur; lock_limit >>= PAGE_SHIFT; -@@ -2037,22 +2494,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2037,22 +2506,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len) /* * Clear old maps. this also does some error checking for us */ 
@@ -111715,7 +111860,7 @@ index 4b80cbf..89f7b42 100644 return -ENOMEM; /* Can we just expand an old private anonymous mapping? */ -@@ -2066,7 +2523,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2066,7 +2535,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) */ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); if (!vma) { @@ -111724,7 +111869,7 @@ index 4b80cbf..89f7b42 100644 return -ENOMEM; } -@@ -2078,11 +2535,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2078,11 +2547,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len) vma->vm_page_prot = vm_get_page_prot(flags); vma_link(mm, vma, prev, rb_link, rb_parent); out: @@ -111739,7 +111884,7 @@ index 4b80cbf..89f7b42 100644 return addr; } -@@ -2129,8 +2587,10 @@ void exit_mmap(struct mm_struct *mm) +@@ -2129,8 +2599,10 @@ void exit_mmap(struct mm_struct *mm) * Walk the list again, actually closing and freeing it, * with preemption enabled, without holding any MM locks. */ @@ -111751,7 +111896,7 @@ index 4b80cbf..89f7b42 100644 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT); } -@@ -2144,6 +2604,10 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) +@@ -2144,6 +2616,10 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) struct vm_area_struct * __vma, * prev; struct rb_node ** rb_link, * rb_parent; @@ -111762,7 +111907,7 @@ index 4b80cbf..89f7b42 100644 /* * The vm_pgoff of a purely anonymous vma should be irrelevant * until its first write fault, when page's anon_vma and index -@@ -2166,7 +2630,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) +@@ -2166,7 +2642,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) if ((vma->vm_flags & VM_ACCOUNT) && security_vm_enough_memory_mm(mm, vma_pages(vma))) return -ENOMEM; 
@@ -111785,7 +111930,7 @@ index 4b80cbf..89f7b42 100644 return 0; } -@@ -2184,6 +2663,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2184,6 +2675,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, struct rb_node **rb_link, *rb_parent; struct mempolicy *pol; @@ -111794,7 +111939,7 @@ index 4b80cbf..89f7b42 100644 /* * If anonymous vma has not yet been faulted, update new pgoff * to match new location, to increase its chance of merging. -@@ -2227,6 +2708,35 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2227,6 +2720,35 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, return new_vma; } @@ -111830,20 +111975,15 @@ index 4b80cbf..89f7b42 100644 /* * Return true if the calling process may expand its vm space by the passed * number of pages -@@ -2238,6 +2748,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) +@@ -2238,6 +2760,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT; -+#ifdef CONFIG_PAX_RANDMMAP -+ if (mm->pax_flags & MF_PAX_RANDMMAP) -+ cur -= mm->brk_gap; -+#endif -+ + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1); if (cur + npages > lim) return 0; return 1; -@@ -2307,6 +2823,22 @@ int install_special_mapping(struct mm_struct *mm, +@@ -2307,6 +2830,22 @@ int install_special_mapping(struct mm_struct *mm, vma->vm_start = addr; vma->vm_end = addr + len; @@ -112093,7 +112233,7 @@ index 1737c7e..c7faeb4 100644 if (nstart < prev->vm_end) diff --git a/mm/mremap.c b/mm/mremap.c -index 3e98d79..1706cec 100644 +index 3e98d79..36c2b5d 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -112,6 +112,12 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd, 
@@ -112109,7 +112249,15 @@ index 3e98d79..1706cec 100644 set_pte_at(mm, new_addr, new_pte, pte); } -@@ -271,6 +277,11 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr, +@@ -232,7 +238,6 @@ static unsigned long move_vma(struct vm_area_struct *vma, + * If this were a serious issue, we'd add a flag to do_munmap(). + */ + hiwater_vm = mm->hiwater_vm; +- mm->total_vm += new_len >> PAGE_SHIFT; + vm_stat_account(mm, vma->vm_flags, vma->vm_file, new_len>>PAGE_SHIFT); + + if (do_munmap(mm, old_addr, old_len) < 0) { +@@ -271,6 +276,11 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr, if (is_vm_hugetlb_page(vma)) goto Einval; @@ -112121,7 +112269,7 @@ index 3e98d79..1706cec 100644 /* We can't remap across vm area boundaries */ if (old_len > vma->vm_end - addr) goto Efault; -@@ -327,20 +338,25 @@ static unsigned long mremap_to(unsigned long addr, +@@ -327,20 +337,25 @@ static unsigned long mremap_to(unsigned long addr, unsigned long ret = -EINVAL; unsigned long charged = 0; unsigned long map_flags; @@ -112152,7 +112300,7 @@ index 3e98d79..1706cec 100644 goto out; ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1); -@@ -412,6 +428,7 @@ unsigned long do_mremap(unsigned long addr, +@@ -412,6 +427,7 @@ unsigned long do_mremap(unsigned long addr, struct vm_area_struct *vma; unsigned long ret = -EINVAL; unsigned long charged = 0; @@ -112160,7 +112308,7 @@ index 3e98d79..1706cec 100644 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE)) goto out; -@@ -430,6 +447,17 @@ unsigned long do_mremap(unsigned long addr, +@@ -430,6 +446,17 @@ unsigned long do_mremap(unsigned long addr, if (!new_len) goto out; 
@@ -112178,7 +112326,15 @@ index 3e98d79..1706cec 100644 if (flags & MREMAP_FIXED) { if (flags & MREMAP_MAYMOVE) ret = mremap_to(addr, old_len, new_addr, new_len); -@@ -476,6 +504,7 @@ unsigned long do_mremap(unsigned long addr, +@@ -468,7 +495,6 @@ unsigned long do_mremap(unsigned long addr, + vma_adjust(vma, vma->vm_start, + addr + new_len, vma->vm_pgoff, NULL); + +- mm->total_vm += pages; + vm_stat_account(mm, vma->vm_flags, vma->vm_file, pages); + if (vma->vm_flags & VM_LOCKED) { + mm->locked_vm += pages; +@@ -476,6 +502,7 @@ unsigned long do_mremap(unsigned long addr, addr + new_len); } ret = addr; @@ -112186,7 +112342,7 @@ index 3e98d79..1706cec 100644 goto out; } } -@@ -502,7 +531,13 @@ unsigned long do_mremap(unsigned long addr, +@@ -502,7 +529,13 @@ unsigned long do_mremap(unsigned long addr, ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1); if (ret) goto out; @@ -120289,7 +120445,7 @@ index c4c6732..bc63d84 100644 int security_settime(struct timespec *ts, struct timezone *tz) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index a106754..ca3a589 100644 +index a106754..bdb434e 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -76,6 +76,7 @@ @@ -120352,6 +120508,15 @@ index a106754..ca3a589 100644 default: rc = task_has_system(current, SYSTEM__SYSLOG_MOD); break; +@@ -2366,7 +2368,7 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm) + initrlim = init_task.signal->rlim + i; + rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); + } +- update_rlimit_cpu(current->signal->rlim[RLIMIT_CPU].rlim_cur); ++ update_rlimit_cpu(current, current->signal->rlim[RLIMIT_CPU].rlim_cur); + } + } + @@ -5457,7 +5459,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer) #endif 
@@ -120397,6 +120562,19 @@ index ff17820..d68084c 100644 if (!ss_initialized) { avtab_cache_init(); if (policydb_read(&policydb, fp)) { +diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c +index f3cb9ed..22c91e3 100644 +--- a/security/selinux/xfrm.c ++++ b/security/selinux/xfrm.c +@@ -309,7 +309,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, + + if (old_ctx) { + new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len, +- GFP_KERNEL); ++ GFP_ATOMIC); + if (!new_ctx) + return -ENOMEM; + diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index c33b6bb..b51f19e 100644 --- a/security/smack/smack_lsm.c @@ -127916,6 +128094,25 @@ index 83b3dde..835bee7 100644 } else break; } +diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c +index 9fe140b..69969ae 100644 +--- a/virt/kvm/ioapic.c ++++ b/virt/kvm/ioapic.c +@@ -71,9 +71,12 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic, + u32 redir_index = (ioapic->ioregsel - 0x10) >> 1; + u64 redir_content; + +- ASSERT(redir_index < IOAPIC_NUM_PINS); ++ if (redir_index < IOAPIC_NUM_PINS) ++ redir_content = ++ ioapic->redirtbl[redir_index].bits; ++ else ++ redir_content = ~0ULL; + +- redir_content = ioapic->redirtbl[redir_index].bits; + result = (ioapic->ioregsel & 0x1) ? + (redir_content >> 32) & 0xffffffff : + redir_content & 0xffffffff; diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 82b6fdc..57cc875 100644 --- a/virt/kvm/kvm_main.c |
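Review bot: The switch from `GFP_KERNEL` to `GFP_ATOMIC` in `selinux_xfrm_policy_clone` removes a sleeping allocation from what is presumably an atomic context (the xfrm policy lock in the caller is the likely holder, but the caller is not in this hunk), yet nothing in the code records why the atomic pool is used, so a later cleanup could well revert it. An atomic allocation of `sizeof(*old_ctx) + old_ctx->ctx_len` can also fail more readily than before; the existing `return -ENOMEM` covers that, so only the reason needs capturing. Suggest `/* called with the xfrm policy lock held, so this must not sleep */` above the `kmalloc`. The function begins and ends outside the hunk.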
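Review bot: Replacing `ASSERT(redir_index < IOAPIC_NUM_PINS)` in `ioapic_read_indirect` with a real bounds check closes a guest-controlled out-of-bounds read of `ioapic->redirtbl` (`ioregsel` is guest-written, and if `ASSERT` is a debug-only macro here, as KVM's usually is, the old check vanished in production builds); what is missing is a comment on why `~0ULL` is the fallback, since a reader may take it for a sentinel the caller tests rather than emulated device behaviour. Suggest `/* reads of unimplemented indirect registers return all-ones, like real hardware */` on the `else` branch. Whether the matching write path (`ioapic_write_indirect`, outside this hunk) bounds-checks the same index should be confirmed too, since an unchecked write would be the more serious twin of this bug. The function begins before this hunk.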