author | Anthony G. Basile <blueness@gentoo.org> | 2013-07-15 08:02:23 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2013-07-15 08:02:23 -0400 |
commit | 27d1014ac305f822f0f1acb3056490a8c44ee80a (patch) | |
tree | 337d2e2ce0bdd44a184d82712cc02e5374ba14ab | |
parent | Grsec/PaX: 2.9.1-{2.6.32.61,3.2.48.3.10.0}-201307092224 (diff) | |
Grsec/PaX: 2.9.1-{2.6.32.61,3.2.48.3.10.1}-20130714192320130714
-rw-r--r-- | 2.6.32/0000_README | 2 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201307122305.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201307092216.patch) | 21 | ||||
-rw-r--r-- | 3.10.1/0000_README (renamed from 3.10.0/0000_README) | 6 | ||||
-rw-r--r-- | 3.10.1/1000_linux-3.10.1.patch | 511 | ||||
-rw-r--r-- | 3.10.1/4420_grsecurity-2.9.1-3.10.1-201307141923.patch (renamed from 3.10.0/4420_grsecurity-2.9.1-3.10.0-201307092224.patch) | 605 | ||||
-rw-r--r-- | 3.10.1/4425_grsec_remove_EI_PAX.patch (renamed from 3.10.0/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.10.1/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.10.0/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 3.10.1/4430_grsec-remove-localversion-grsec.patch (renamed from 3.10.0/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.10.1/4435_grsec-mute-warnings.patch (renamed from 3.10.0/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.10.1/4440_grsec-remove-protected-paths.patch (renamed from 3.10.0/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.10.1/4450_grsec-kconfig-default-gids.patch (renamed from 3.10.0/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.10.1/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.10.0/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.10.1/4470_disable-compat_vdso.patch (renamed from 3.10.0/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.10.1/4475_emutramp_default_on.patch (renamed from 3.10.0/4475_emutramp_default_on.patch) | 0 | ||||
-rw-r--r-- | 3.2.48/0000_README | 2 | ||||
-rw-r--r-- | 3.2.48/4420_grsecurity-2.9.1-3.2.48-201307122306.patch (renamed from 3.2.48/4420_grsecurity-2.9.1-3.2.48-201307092217.patch) | 246 |
16 files changed, 1241 insertions, 152 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index 0d60549..246c88b 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -38,7 +38,7 @@ Patch: 1060_linux-2.6.32.61.patch From: http://www.kernel.org Desc: Linux 2.6.32.61 -Patch: 4420_grsecurity-2.9.1-2.6.32.61-201307092216.patch +Patch: 4420_grsecurity-2.9.1-2.6.32.61-201307122305.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201307092216.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201307122305.patch index 55e1dcb..bac4e6d 100644 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201307092216.patch +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201307122305.patch @@ -6682,6 +6682,27 @@ index 2782681..77ded84 100644 extra-y := head_$(BITS).o extra-y += init_task.o +diff --git a/arch/sparc/kernel/ds.c b/arch/sparc/kernel/ds.c +index 6a831bd..b37a849 100644 +--- a/arch/sparc/kernel/ds.c ++++ b/arch/sparc/kernel/ds.c +@@ -780,6 +780,16 @@ void ldom_set_var(const char *var, const char *value) + char *base, *p; + int msg_len, loops; + ++ if (strlen(var) + strlen(value) + 2 > ++ sizeof(pkt) - sizeof(pkt.header)) { ++ printk(KERN_ERR PFX ++ "contents length: %zu, which more than max: %lu," ++ "so could not set (%s) variable to (%s).\n", ++ strlen(var) + strlen(value) + 2, ++ sizeof(pkt) - sizeof(pkt.header), var, value); ++ return; ++ } ++ + memset(&pkt, 0, sizeof(pkt)); + pkt.header.data.tag.type = DS_DATA; + pkt.header.data.handle = cp->handle; diff --git a/arch/sparc/kernel/iommu.c b/arch/sparc/kernel/iommu.c index 7690cc2..ece64c9 100644 --- a/arch/sparc/kernel/iommu.c diff --git a/3.10.0/0000_README b/3.10.1/0000_README index 7b53411..94fa3a6 100644 --- a/3.10.0/0000_README +++ b/3.10.1/0000_README 
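Review bot: In the arch/sparc/kernel/ds.c hunk added to the 2.6.32 grsecurity patch, the new length guard in ldom_set_var() prints `sizeof(pkt) - sizeof(pkt.header)` with `%lu`, but that expression has type size_t, so `%zu` is the matching specifier (the first length argument already uses it). The two adjacent string literals also join as `max: %lu,so could not set`, with no space after the comma; `"contents length: %zu, which is more than max: %zu, "` as the first literal would fix both. The rejected `var` and `value` strings are written to the kernel log in full, which deserves a second look if either can be long or caller-controlled; that is not visible from the hunk. The same hunk is added to the 3.10.1 grsecurity patch further down (`@@ -8260,6 +8272,27 @@`), and ldom_set_var() continues outside the hunk in both places.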
@@ -2,7 +2,11 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.9.1-3.10.0-201307092224.patch +Patch: 1000_linux-3.10.1.patch +From: http://www.kernel.org +Desc: Linux 3.10.1 + +Patch: 4420_grsecurity-2.9.1-3.10.1-201307141923.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.10.1/1000_linux-3.10.1.patch b/3.10.1/1000_linux-3.10.1.patch new file mode 100644 index 0000000..5dd0002 --- /dev/null +++ b/3.10.1/1000_linux-3.10.1.patch 
@@ -0,0 +1,511 @@ +diff --git a/MAINTAINERS b/MAINTAINERS +index ad7e322..48c7480 100644 +--- a/MAINTAINERS ++++ b/MAINTAINERS +@@ -7667,6 +7667,7 @@ STABLE BRANCH + M: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + L: stable@vger.kernel.org + S: Supported ++F: Documentation/stable_kernel_rules.txt + + STAGING SUBSYSTEM + M: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +diff --git a/Makefile b/Makefile +index e5e3ba0..b75cc30 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 10 +-SUBLEVEL = 0 ++SUBLEVEL = 1 + EXTRAVERSION = + NAME = Unicycling Gorilla + +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 260a919..5402c94 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -3399,15 +3399,22 @@ static void vmx_get_segment(struct kvm_vcpu *vcpu, + var->limit = vmx_read_guest_seg_limit(vmx, seg); + var->selector = vmx_read_guest_seg_selector(vmx, seg); + ar = vmx_read_guest_seg_ar(vmx, seg); ++ var->unusable = (ar >> 16) & 1; + var->type = ar & 15; + var->s = (ar >> 4) & 1; + var->dpl = (ar >> 5) & 3; +- var->present = (ar >> 7) & 1; ++ /* ++ * Some userspaces do not preserve unusable property. Since usable ++ * segment has to be present according to VMX spec we can use present ++ * property to amend userspace bug by making unusable segment always ++ * nonpresent. vmx_segment_access_rights() already marks nonpresent ++ * segment as unusable. 
++ */ ++ var->present = !var->unusable; + var->avl = (ar >> 12) & 1; + var->l = (ar >> 13) & 1; + var->db = (ar >> 14) & 1; + var->g = (ar >> 15) & 1; +- var->unusable = (ar >> 16) & 1; + } + + static u64 vmx_get_segment_base(struct kvm_vcpu *vcpu, int seg) +diff --git a/block/genhd.c b/block/genhd.c +index 20625ee..cdeb527 100644 +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -512,7 +512,7 @@ static void register_disk(struct gendisk *disk) + + ddev->parent = disk->driverfs_dev; + +- dev_set_name(ddev, disk->disk_name); ++ dev_set_name(ddev, "%s", disk->disk_name); + + /* delay uevents, until we scanned partition table */ + dev_set_uevent_suppress(ddev, 1); +diff --git a/crypto/algapi.c b/crypto/algapi.c +index 6149a6e..7a1ae87 100644 +--- a/crypto/algapi.c ++++ b/crypto/algapi.c +@@ -495,7 +495,8 @@ static struct crypto_template *__crypto_lookup_template(const char *name) + + struct crypto_template *crypto_lookup_template(const char *name) + { +- return try_then_request_module(__crypto_lookup_template(name), name); ++ return try_then_request_module(__crypto_lookup_template(name), "%s", ++ name); + } + EXPORT_SYMBOL_GPL(crypto_lookup_template); + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 037288e..46b35f7 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd, + else + blk_queue_flush(nbd->disk->queue, 0); + +- thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name); ++ thread = kthread_create(nbd_thread, nbd, "%s", ++ nbd->disk->disk_name); + if (IS_ERR(thread)) { + mutex_lock(&nbd->tx_lock); + return PTR_ERR(thread); +diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c +index d620b44..8a3aff7 100644 +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi, + if (lba < 0) + return -EINVAL; + +- cgc->buffer = kmalloc(blocksize, 
GFP_KERNEL); ++ cgc->buffer = kzalloc(blocksize, GFP_KERNEL); + if (cgc->buffer == NULL) + return -ENOMEM; + +diff --git a/drivers/cpufreq/cpufreq_stats.c b/drivers/cpufreq/cpufreq_stats.c +index fb65dec..591b6fb 100644 +--- a/drivers/cpufreq/cpufreq_stats.c ++++ b/drivers/cpufreq/cpufreq_stats.c +@@ -349,6 +349,7 @@ static int __cpuinit cpufreq_stat_cpu_callback(struct notifier_block *nfb, + + switch (action) { + case CPU_ONLINE: ++ case CPU_ONLINE_FROZEN: + cpufreq_update_policy(cpu); + break; + case CPU_DOWN_PREPARE: +diff --git a/drivers/power/charger-manager.c b/drivers/power/charger-manager.c +index fefc39f..98de1dd 100644 +--- a/drivers/power/charger-manager.c ++++ b/drivers/power/charger-manager.c +@@ -450,7 +450,7 @@ static void uevent_notify(struct charger_manager *cm, const char *event) + strncpy(env_str, event, UEVENT_BUF_SIZE); + kobject_uevent(&cm->dev->kobj, KOBJ_CHANGE); + +- dev_info(cm->dev, event); ++ dev_info(cm->dev, "%s", event); + } + + /** +diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c +index 0fab6b5..9d86947 100644 +--- a/drivers/scsi/osd/osd_uld.c ++++ b/drivers/scsi/osd/osd_uld.c +@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev) + oud->class_dev.class = &osd_uld_class; + oud->class_dev.parent = dev; + oud->class_dev.release = __remove; +- error = dev_set_name(&oud->class_dev, disk->disk_name); ++ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name); + if (error) { + OSD_ERR("dev_set_name failed => %d\n", error); + goto err_put_cdev; +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index c1c5552..6f6a1b4 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -142,7 +142,7 @@ sd_store_cache_type(struct device *dev, struct device_attribute *attr, + char *buffer_data; + struct scsi_mode_data data; + struct scsi_sense_hdr sshdr; +- const char *temp = "temporary "; ++ static const char temp[] = "temporary "; + int len; + + if (sdp->type != TYPE_DISK) +diff --git 
a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c +index 26e3a97..c52948b 100644 +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -4797,10 +4797,6 @@ static struct pci_device_id serial_pci_tbl[] = { + PCI_VENDOR_ID_IBM, 0x0299, + 0, 0, pbn_b0_bt_2_115200 }, + +- { PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9835, +- 0x1000, 0x0012, +- 0, 0, pbn_b0_bt_2_115200 }, +- + { PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9901, + 0xA000, 0x1000, + 0, 0, pbn_b0_1_115200 }, +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c +index 6464029..4476682 100644 +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -1618,6 +1618,8 @@ static void release_tty(struct tty_struct *tty, int idx) + tty_free_termios(tty); + tty_driver_remove_tty(tty->driver, tty); + tty->port->itty = NULL; ++ if (tty->link) ++ tty->link->port->itty = NULL; + cancel_work_sync(&tty->port->buf.work); + + if (tty->link) +diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c +index 9b6b2b6..be661d8 100644 +--- a/fs/ceph/xattr.c ++++ b/fs/ceph/xattr.c +@@ -675,17 +675,18 @@ ssize_t ceph_getxattr(struct dentry *dentry, const char *name, void *value, + if (!ceph_is_valid_xattr(name)) + return -ENODATA; + +- spin_lock(&ci->i_ceph_lock); +- dout("getxattr %p ver=%lld index_ver=%lld\n", inode, +- ci->i_xattrs.version, ci->i_xattrs.index_version); + + /* let's see if a virtual xattr was requested */ + vxattr = ceph_match_vxattr(inode, name); + if (vxattr && !(vxattr->exists_cb && !vxattr->exists_cb(ci))) { + err = vxattr->getxattr_cb(ci, value, size); +- goto out; ++ return err; + } + ++ spin_lock(&ci->i_ceph_lock); ++ dout("getxattr %p ver=%lld index_ver=%lld\n", inode, ++ ci->i_xattrs.version, ci->i_xattrs.index_version); ++ + if (__ceph_caps_issued_mask(ci, CEPH_CAP_XATTR_SHARED, 1) && + (ci->i_xattrs.index_version >= ci->i_xattrs.version)) { + goto get_xattr; +diff --git a/fs/hpfs/map.c b/fs/hpfs/map.c +index 4acb19d..803d3da 100644 +--- 
a/fs/hpfs/map.c ++++ b/fs/hpfs/map.c +@@ -17,7 +17,8 @@ __le32 *hpfs_map_bitmap(struct super_block *s, unsigned bmp_block, + struct quad_buffer_head *qbh, char *id) + { + secno sec; +- if (hpfs_sb(s)->sb_chk) if (bmp_block * 16384 > hpfs_sb(s)->sb_fs_size) { ++ unsigned n_bands = (hpfs_sb(s)->sb_fs_size + 0x3fff) >> 14; ++ if (hpfs_sb(s)->sb_chk) if (bmp_block >= n_bands) { + hpfs_error(s, "hpfs_map_bitmap called with bad parameter: %08x at %s", bmp_block, id); + return NULL; + } +diff --git a/fs/hpfs/super.c b/fs/hpfs/super.c +index a0617e7..962e90c 100644 +--- a/fs/hpfs/super.c ++++ b/fs/hpfs/super.c +@@ -558,7 +558,13 @@ static int hpfs_fill_super(struct super_block *s, void *options, int silent) + sbi->sb_cp_table = NULL; + sbi->sb_c_bitmap = -1; + sbi->sb_max_fwd_alloc = 0xffffff; +- ++ ++ if (sbi->sb_fs_size >= 0x80000000) { ++ hpfs_error(s, "invalid size in superblock: %08x", ++ (unsigned)sbi->sb_fs_size); ++ goto bail4; ++ } ++ + /* Load bitmap directory */ + if (!(sbi->sb_bmp_dir = hpfs_load_bitmap_directory(s, le32_to_cpu(superblock->bitmaps)))) + goto bail4; +diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c +index 1fab140..2c37442 100644 +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -228,19 +228,8 @@ static int nfs41_setup_state_renewal(struct nfs_client *clp) + return status; + } + +-/* +- * Back channel returns NFS4ERR_DELAY for new requests when +- * NFS4_SESSION_DRAINING is set so there is no work to be done when draining +- * is ended. 
+- */ +-static void nfs4_end_drain_session(struct nfs_client *clp) ++static void nfs4_end_drain_slot_table(struct nfs4_slot_table *tbl) + { +- struct nfs4_session *ses = clp->cl_session; +- struct nfs4_slot_table *tbl; +- +- if (ses == NULL) +- return; +- tbl = &ses->fc_slot_table; + if (test_and_clear_bit(NFS4_SLOT_TBL_DRAINING, &tbl->slot_tbl_state)) { + spin_lock(&tbl->slot_tbl_lock); + nfs41_wake_slot_table(tbl); +@@ -248,6 +237,16 @@ static void nfs4_end_drain_session(struct nfs_client *clp) + } + } + ++static void nfs4_end_drain_session(struct nfs_client *clp) ++{ ++ struct nfs4_session *ses = clp->cl_session; ++ ++ if (ses != NULL) { ++ nfs4_end_drain_slot_table(&ses->bc_slot_table); ++ nfs4_end_drain_slot_table(&ses->fc_slot_table); ++ } ++} ++ + /* + * Signal state manager thread if session fore channel is drained + */ +diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c +index 6cd86e0..582321a 100644 +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -162,8 +162,8 @@ static __be32 *read_buf(struct nfsd4_compoundargs *argp, u32 nbytes) + */ + memcpy(p, argp->p, avail); + /* step to next page */ +- argp->p = page_address(argp->pagelist[0]); + argp->pagelist++; ++ argp->p = page_address(argp->pagelist[0]); + if (argp->pagelen < PAGE_SIZE) { + argp->end = argp->p + (argp->pagelen>>2); + argp->pagelen = 0; +diff --git a/include/linux/ceph/decode.h b/include/linux/ceph/decode.h +index 379f715..0442c3d 100644 +--- a/include/linux/ceph/decode.h ++++ b/include/linux/ceph/decode.h +@@ -160,11 +160,6 @@ static inline void ceph_decode_timespec(struct timespec *ts, + static inline void ceph_encode_timespec(struct ceph_timespec *tv, + const struct timespec *ts) + { +- BUG_ON(ts->tv_sec < 0); +- BUG_ON(ts->tv_sec > (__kernel_time_t)U32_MAX); +- BUG_ON(ts->tv_nsec < 0); +- BUG_ON(ts->tv_nsec > (long)U32_MAX); +- + tv->tv_sec = cpu_to_le32((u32)ts->tv_sec); + tv->tv_nsec = cpu_to_le32((u32)ts->tv_nsec); + } +diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h 
+index 6b4890f..feaf0c7 100644 +--- a/include/linux/hugetlb.h ++++ b/include/linux/hugetlb.h +@@ -358,6 +358,17 @@ static inline int hstate_index(struct hstate *h) + return h - hstates; + } + ++pgoff_t __basepage_index(struct page *page); ++ ++/* Return page->index in PAGE_SIZE units */ ++static inline pgoff_t basepage_index(struct page *page) ++{ ++ if (!PageCompound(page)) ++ return page->index; ++ ++ return __basepage_index(page); ++} ++ + #else /* CONFIG_HUGETLB_PAGE */ + struct hstate {}; + #define alloc_huge_page_node(h, nid) NULL +@@ -378,6 +389,11 @@ static inline unsigned int pages_per_huge_page(struct hstate *h) + } + #define hstate_index_to_shift(index) 0 + #define hstate_index(h) 0 ++ ++static inline pgoff_t basepage_index(struct page *page) ++{ ++ return page->index; ++} + #endif /* CONFIG_HUGETLB_PAGE */ + + #endif /* _LINUX_HUGETLB_H */ +diff --git a/kernel/futex.c b/kernel/futex.c +index b26dcfc..49dacfb 100644 +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -61,6 +61,7 @@ + #include <linux/nsproxy.h> + #include <linux/ptrace.h> + #include <linux/sched/rt.h> ++#include <linux/hugetlb.h> + + #include <asm/futex.h> + +@@ -365,7 +366,7 @@ again: + } else { + key->both.offset |= FUT_OFF_INODE; /* inode-based key */ + key->shared.inode = page_head->mapping->host; +- key->shared.pgoff = page_head->index; ++ key->shared.pgoff = basepage_index(page); + } + + get_futex_key_refs(key); +diff --git a/kernel/module.c b/kernel/module.c +index cab4bce..fa53db8 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -2927,7 +2927,6 @@ static struct module *layout_and_allocate(struct load_info *info, int flags) + { + /* Module within temporary copy. 
*/ + struct module *mod; +- Elf_Shdr *pcpusec; + int err; + + mod = setup_load_info(info, flags); +@@ -2942,17 +2941,10 @@ static struct module *layout_and_allocate(struct load_info *info, int flags) + err = module_frob_arch_sections(info->hdr, info->sechdrs, + info->secstrings, mod); + if (err < 0) +- goto out; ++ return ERR_PTR(err); + +- pcpusec = &info->sechdrs[info->index.pcpu]; +- if (pcpusec->sh_size) { +- /* We have a special allocation for this section. */ +- err = percpu_modalloc(mod, +- pcpusec->sh_size, pcpusec->sh_addralign); +- if (err) +- goto out; +- pcpusec->sh_flags &= ~(unsigned long)SHF_ALLOC; +- } ++ /* We will do a special allocation for per-cpu sections later. */ ++ info->sechdrs[info->index.pcpu].sh_flags &= ~(unsigned long)SHF_ALLOC; + + /* Determine total sizes, and put offsets in sh_entsize. For now + this is done generically; there doesn't appear to be any +@@ -2963,17 +2955,22 @@ static struct module *layout_and_allocate(struct load_info *info, int flags) + /* Allocate and move to the final place */ + err = move_module(mod, info); + if (err) +- goto free_percpu; ++ return ERR_PTR(err); + + /* Module has been copied to its final place now: return it. */ + mod = (void *)info->sechdrs[info->index.mod].sh_addr; + kmemleak_load_module(mod, info); + return mod; ++} + +-free_percpu: +- percpu_modfree(mod); +-out: +- return ERR_PTR(err); ++static int alloc_module_percpu(struct module *mod, struct load_info *info) ++{ ++ Elf_Shdr *pcpusec = &info->sechdrs[info->index.pcpu]; ++ if (!pcpusec->sh_size) ++ return 0; ++ ++ /* We have a special allocation for this section. */ ++ return percpu_modalloc(mod, pcpusec->sh_size, pcpusec->sh_addralign); + } + + /* mod is no longer valid after this! */ +@@ -3237,6 +3234,11 @@ static int load_module(struct load_info *info, const char __user *uargs, + } + #endif + ++ /* To avoid stressing percpu allocator, do this once we're unique. 
*/ ++ err = alloc_module_percpu(mod, info); ++ if (err) ++ goto unlink_mod; ++ + /* Now module is in final location, initialize linked lists, etc. */ + err = module_unload_init(mod); + if (err) +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index e2bfbf7..5cf99bf 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -690,6 +690,23 @@ int PageHuge(struct page *page) + } + EXPORT_SYMBOL_GPL(PageHuge); + ++pgoff_t __basepage_index(struct page *page) ++{ ++ struct page *page_head = compound_head(page); ++ pgoff_t index = page_index(page_head); ++ unsigned long compound_idx; ++ ++ if (!PageHuge(page_head)) ++ return page_index(page); ++ ++ if (compound_order(page_head) >= MAX_ORDER) ++ compound_idx = page_to_pfn(page) - page_to_pfn(page_head); ++ else ++ compound_idx = page - page_head; ++ ++ return (index << compound_order(page_head)) + compound_idx; ++} ++ + static struct page *alloc_fresh_huge_page_node(struct hstate *h, int nid) + { + struct page *page; +diff --git a/mm/memcontrol.c b/mm/memcontrol.c +index 1947218..fd79df5 100644 +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -6303,8 +6303,6 @@ mem_cgroup_css_online(struct cgroup *cont) + * call __mem_cgroup_free, so return directly + */ + mem_cgroup_put(memcg); +- if (parent->use_hierarchy) +- mem_cgroup_put(parent); + } + return error; + } +diff --git a/net/ceph/auth_none.c b/net/ceph/auth_none.c +index 925ca58..8c93fa8 100644 +--- a/net/ceph/auth_none.c ++++ b/net/ceph/auth_none.c +@@ -39,6 +39,11 @@ static int should_authenticate(struct ceph_auth_client *ac) + return xi->starting; + } + ++static int build_request(struct ceph_auth_client *ac, void *buf, void *end) ++{ ++ return 0; ++} ++ + /* + * the generic auth code decode the global_id, and we carry no actual + * authenticate state, so nothing happens here. 
+@@ -106,6 +111,7 @@ static const struct ceph_auth_client_ops ceph_auth_none_ops = { + .destroy = destroy, + .is_authenticated = is_authenticated, + .should_authenticate = should_authenticate, ++ .build_request = build_request, + .handle_reply = handle_reply, + .create_authorizer = ceph_auth_none_create_authorizer, + .destroy_authorizer = ceph_auth_none_destroy_authorizer, diff --git a/3.10.0/4420_grsecurity-2.9.1-3.10.0-201307092224.patch b/3.10.1/4420_grsecurity-2.9.1-3.10.1-201307141923.patch index 7c0943d..5c9341b 100644 --- a/3.10.0/4420_grsecurity-2.9.1-3.10.0-201307092224.patch +++ b/3.10.1/4420_grsecurity-2.9.1-3.10.1-201307141923.patch @@ -263,7 +263,7 @@ index 2fe6e76..3dd8184 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index e5e3ba0..02c9b98 100644 +index b75cc30..6abd111 100644 --- a/Makefile +++ b/Makefile @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -2139,7 +2139,7 @@ index 1995d1a..76693a2 100644 /* * Change these and you break ASM code in entry-common.S diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h -index 7e1f760..510061e 100644 +index 7e1f760..d42d7f8 100644 --- a/arch/arm/include/asm/uaccess.h +++ b/arch/arm/include/asm/uaccess.h @@ -18,6 +18,7 @@ @@ -2164,7 +2164,7 @@ index 7e1f760..510061e 100644 +{ + +#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if (segment_eq(get_fs(), USER_DS) { ++ if (segment_eq(get_fs(), USER_DS)) { + BUG_ON(test_domain(DOMAIN_USER, DOMAIN_UDEREF)); + modify_domain(DOMAIN_USER, DOMAIN_UDEREF); + } @@ -2176,7 +2176,7 @@ index 7e1f760..510061e 100644 +{ + +#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if (segment_eq(get_fs(), USER_DS) { ++ if (segment_eq(get_fs(), USER_DS)) { + BUG_ON(test_domain(DOMAIN_USER, DOMAIN_NOACCESS)); + modify_domain(DOMAIN_USER, DOMAIN_NOACCESS); + } @@ -3983,7 +3983,7 @@ index 10062ce..8695745 100644 mm->unmap_area = arch_unmap_area_topdown; } 
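Review bot: In the include/linux/ceph/decode.h hunk of 1000_linux-3.10.1.patch, ceph_encode_timespec() is left with no range checks, so the `(u32)ts->tv_sec` and `(u32)ts->tv_nsec` casts silently truncate a negative or wider-than-32-bit value. Removing the four BUG_ON() lines means a bad timestamp no longer halts the kernel, but the truncation is now undocumented. A comment above the two assignments would record it, for example `/* values outside the u32 range are truncated on the wire, not rejected */`. Whether any caller can pass such a value is not visible in this hunk.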
diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c -index 4d409e6..0015a7b 100644 +index 4d409e6..f375351 100644 --- a/arch/arm/mm/mmu.c +++ b/arch/arm/mm/mmu.c @@ -36,6 +36,22 @@ @@ -4050,7 +4050,7 @@ index 4d409e6..0015a7b 100644 .domain = DOMAIN_KERNEL, }, #endif -@@ -277,36 +301,54 @@ static struct mem_type mem_types[] = { +@@ -277,36 +301,65 @@ static struct mem_type mem_types[] = { .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | L_PTE_RDONLY, .prot_l1 = PMD_TYPE_TABLE, @@ -4058,9 +4058,21 @@ index 4d409e6..0015a7b 100644 + .domain = DOMAIN_VECTORS, }, [MT_HIGH_VECTORS] = { - .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | +- .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | - L_PTE_USER | L_PTE_RDONLY, -+ L_PTE_RDONLY, ++ /* we always want the vector page to be noaccess for userland on archs with ++ XN where we can enforce some reasonable measure of security ++ therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY ++ which turns into supervisor rwx, userland rx, we instead omit that entirely, ++ leaving it as supervisor rwx only ++ */ ++#ifdef CONFIG_PAX_KERNEXEC ++ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | L_PTE_RDONLY, ++#elif __LINUX_ARM_ARCH__ >= 6 ++ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY, ++#else ++ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | L_PTE_USER | L_PTE_RDONLY, ++#endif .prot_l1 = PMD_TYPE_TABLE, - .domain = DOMAIN_USER, + .domain = DOMAIN_VECTORS, @@ -4114,7 +4126,7 @@ index 4d409e6..0015a7b 100644 .domain = DOMAIN_KERNEL, }, [MT_MEMORY_ITCM] = { -@@ -316,10 +358,10 @@ static struct mem_type mem_types[] = { +@@ -316,10 +369,10 @@ static struct mem_type mem_types[] = { }, [MT_MEMORY_SO] = { .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | 
@@ -4127,7 +4139,7 @@ index 4d409e6..0015a7b 100644 .domain = DOMAIN_KERNEL, }, [MT_MEMORY_DMA_READY] = { -@@ -405,9 +447,35 @@ static void __init build_mem_type_table(void) +@@ -405,9 +458,35 @@ static void __init build_mem_type_table(void) * to prevent speculative instruction fetches. */ mem_types[MT_DEVICE].prot_sect |= PMD_SECT_XN; @@ -4163,7 +4175,7 @@ index 4d409e6..0015a7b 100644 } if (cpu_arch >= CPU_ARCH_ARMv7 && (cr & CR_TRE)) { /* -@@ -468,6 +536,9 @@ static void __init build_mem_type_table(void) +@@ -468,6 +547,9 @@ static void __init build_mem_type_table(void) * from SVC mode and no access from userspace. */ mem_types[MT_ROM].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE; @@ -4173,7 +4185,7 @@ index 4d409e6..0015a7b 100644 mem_types[MT_MINICLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE; mem_types[MT_CACHECLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE; #endif -@@ -485,11 +556,17 @@ static void __init build_mem_type_table(void) +@@ -485,11 +567,17 @@ static void __init build_mem_type_table(void) mem_types[MT_DEVICE_WC].prot_pte |= L_PTE_SHARED; mem_types[MT_DEVICE_CACHED].prot_sect |= PMD_SECT_S; mem_types[MT_DEVICE_CACHED].prot_pte |= L_PTE_SHARED; @@ -4195,7 +4207,7 @@ index 4d409e6..0015a7b 100644 } } -@@ -500,15 +577,20 @@ static void __init build_mem_type_table(void) +@@ -500,15 +588,20 @@ static void __init build_mem_type_table(void) if (cpu_arch >= CPU_ARCH_ARMv6) { if (cpu_arch >= CPU_ARCH_ARMv7 && (cr & CR_TRE)) { /* Non-cacheable Normal is XCB = 001 */ @@ -4219,7 +4231,7 @@ index 4d409e6..0015a7b 100644 } #ifdef CONFIG_ARM_LPAE -@@ -524,6 +606,8 @@ static void __init build_mem_type_table(void) +@@ -524,6 +617,8 @@ static void __init build_mem_type_table(void) vecs_pgprot |= PTE_EXT_AF; #endif 
@@ -4228,7 +4240,7 @@ index 4d409e6..0015a7b 100644 for (i = 0; i < 16; i++) { pteval_t v = pgprot_val(protection_map[i]); protection_map[i] = __pgprot(v | user_pgprot); -@@ -541,10 +625,15 @@ static void __init build_mem_type_table(void) +@@ -541,10 +636,15 @@ static void __init build_mem_type_table(void) mem_types[MT_LOW_VECTORS].prot_l1 |= ecc_mask; mem_types[MT_HIGH_VECTORS].prot_l1 |= ecc_mask; @@ -4247,7 +4259,7 @@ index 4d409e6..0015a7b 100644 mem_types[MT_ROM].prot_sect |= cp->pmd; switch (cp->pmd) { -@@ -1166,18 +1255,15 @@ void __init arm_mm_memblock_reserve(void) +@@ -1166,18 +1266,15 @@ void __init arm_mm_memblock_reserve(void) * called function. This means you can't use any function or debugging * method which may touch any device, otherwise the kernel _will_ crash. */ @@ -4270,7 +4282,7 @@ index 4d409e6..0015a7b 100644 for (addr = VMALLOC_START; addr; addr += PMD_SIZE) pmd_clear(pmd_off_k(addr)); -@@ -1217,7 +1303,7 @@ static void __init devicemaps_init(struct machine_desc *mdesc) +@@ -1217,7 +1314,7 @@ static void __init devicemaps_init(struct machine_desc *mdesc) * location (0xffff0000). If we aren't using high-vectors, also * create a mapping at the low-vectors virtual address. */ @@ -4279,7 +4291,7 @@ index 4d409e6..0015a7b 100644 map.virtual = 0xffff0000; map.length = PAGE_SIZE; map.type = MT_HIGH_VECTORS; -@@ -1275,8 +1361,39 @@ static void __init map_lowmem(void) +@@ -1275,8 +1372,39 @@ static void __init map_lowmem(void) map.pfn = __phys_to_pfn(start); map.virtual = __phys_to_virt(start); map.length = end - start; 
@@ -8260,6 +8272,27 @@ index d432fb2..6056af1 100644 extra-y := head_$(BITS).o +diff --git a/arch/sparc/kernel/ds.c b/arch/sparc/kernel/ds.c +index 5ef48da..11d460f 100644 +--- a/arch/sparc/kernel/ds.c ++++ b/arch/sparc/kernel/ds.c +@@ -783,6 +783,16 @@ void ldom_set_var(const char *var, const char *value) + char *base, *p; + int msg_len, loops; + ++ if (strlen(var) + strlen(value) + 2 > ++ sizeof(pkt) - sizeof(pkt.header)) { ++ printk(KERN_ERR PFX ++ "contents length: %zu, which more than max: %lu," ++ "so could not set (%s) variable to (%s).\n", ++ strlen(var) + strlen(value) + 2, ++ sizeof(pkt) - sizeof(pkt.header), var, value); ++ return; ++ } ++ + memset(&pkt, 0, sizeof(pkt)); + pkt.header.data.tag.type = DS_DATA; + pkt.header.data.handle = cp->handle; diff --git a/arch/sparc/kernel/process_32.c b/arch/sparc/kernel/process_32.c index fdd819d..5af08c8 100644 --- a/arch/sparc/kernel/process_32.c @@ -8396,7 +8429,7 @@ index 3a8d184..49498a8 100644 info.flags = 0; info.length = len; diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c -index 2daaaa6..d29bb82 100644 +index 2daaaa6..4fb84dc 100644 --- a/arch/sparc/kernel/sys_sparc_64.c +++ b/arch/sparc/kernel/sys_sparc_64.c @@ -90,13 +90,14 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi @@ -8517,7 +8550,12 @@ index 2daaaa6..d29bb82 100644 info.high_limit = STACK_TOP32; addr = vm_unmapped_area(&info); } -@@ -264,6 +286,10 @@ static unsigned long mmap_rnd(void) +@@ -260,10 +282,14 @@ unsigned long get_fb_unmapped_area(struct file *filp, unsigned long orig_addr, u + EXPORT_SYMBOL(get_fb_unmapped_area); + + /* Essentially the same as PowerPC. */ +-static unsigned long mmap_rnd(void) ++static unsigned long mmap_rnd(struct mm_struct *mm) { unsigned long rnd = 0UL; 
@@ -8528,6 +8566,15 @@ index 2daaaa6..d29bb82 100644 if (current->flags & PF_RANDOMIZE) { unsigned long val = get_random_int(); if (test_thread_flag(TIF_32BIT)) +@@ -276,7 +302,7 @@ static unsigned long mmap_rnd(void) + + void arch_pick_mmap_layout(struct mm_struct *mm) + { +- unsigned long random_factor = mmap_rnd(); ++ unsigned long random_factor = mmap_rnd(mm); + unsigned long gap; + + /* @@ -289,6 +315,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm) gap == RLIM_INFINITY || sysctl_legacy_va_layout) { @@ -24057,7 +24104,7 @@ index a14a6ea..dc86cf0 100644 local_irq_disable(); diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c -index 260a919..65ddd76 100644 +index 5402c94..c3bdeee 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -1311,12 +1311,12 @@ static void vmcs_write64(unsigned long field, u64 value) @@ -24132,7 +24179,7 @@ index 260a919..65ddd76 100644 if (nested) nested_vmx_setup_ctls_msrs(); -@@ -4069,7 +4082,10 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx) +@@ -4076,7 +4089,10 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx) vmcs_writel(HOST_CR0, read_cr0() & ~X86_CR0_TS); /* 22.2.3 */ vmcs_writel(HOST_CR4, read_cr4()); /* 22.2.3, 22.2.5 */ @@ -24143,7 +24190,7 @@ index 260a919..65ddd76 100644 vmcs_write16(HOST_CS_SELECTOR, __KERNEL_CS); /* 22.2.4 */ #ifdef CONFIG_X86_64 -@@ -4091,7 +4107,7 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx) +@@ -4098,7 +4114,7 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx) vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */ vmx->host_idt_base = dt.address; @@ -24152,7 +24199,7 @@ index 260a919..65ddd76 100644 rdmsr(MSR_IA32_SYSENTER_CS, low32, high32); vmcs_write32(HOST_IA32_SYSENTER_CS, low32); -@@ -7023,6 +7039,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -7030,6 +7046,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) "jmp 2f \n\t" "1: " __ex(ASM_VMX_VMRESUME) "\n\t" "2: " 
@@ -24165,7 +24212,7 @@ index 260a919..65ddd76 100644 /* Save guest registers, load host registers, keep flags */ "mov %0, %c[wordsize](%%" _ASM_SP ") \n\t" "pop %0 \n\t" -@@ -7075,6 +7097,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -7082,6 +7104,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) #endif [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)), [wordsize]"i"(sizeof(ulong)) @@ -24177,7 +24224,7 @@ index 260a919..65ddd76 100644 : "cc", "memory" #ifdef CONFIG_X86_64 , "rax", "rbx", "rdi", "rsi" -@@ -7088,7 +7115,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -7095,7 +7122,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) if (debugctlmsr) update_debugctlmsr(debugctlmsr); @@ -24186,7 +24233,7 @@ index 260a919..65ddd76 100644 /* * The sysexit path does not restore ds/es, so we must set them to * a reasonable value ourselves. -@@ -7097,8 +7124,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) +@@ -7104,8 +7131,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) * may be executed in interrupt context, which saves and restore segments * around it, nullifying its effect. */ @@ -31680,7 +31727,7 @@ index 7c668c8..db3521c 100644 err = -EFAULT; goto out; diff --git a/block/genhd.c b/block/genhd.c -index 20625ee..10aa34d 100644 +index cdeb527..10aa34d 100644 --- a/block/genhd.c +++ b/block/genhd.c @@ -467,21 +467,24 @@ static char *bdevt_str(dev_t devt, char *buf) @@ -31711,15 +31758,6 @@ index 20625ee..10aa34d 100644 } EXPORT_SYMBOL(blk_unregister_region); -@@ -512,7 +515,7 @@ static void register_disk(struct gendisk *disk) - - ddev->parent = disk->driverfs_dev; - -- dev_set_name(ddev, disk->disk_name); -+ dev_set_name(ddev, "%s", disk->disk_name); - - /* delay uevents, until we scanned partition table */ - dev_set_uevent_suppress(ddev, 1); diff --git a/block/partitions/efi.c b/block/partitions/efi.c index c85fc89..51e690b 100644 --- a/block/partitions/efi.c 
@@ -31800,19 +31838,6 @@ index a5ffcc9..3cedc9c 100644 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len)) goto error; -diff --git a/crypto/algapi.c b/crypto/algapi.c -index 6149a6e..55ed50d 100644 ---- a/crypto/algapi.c -+++ b/crypto/algapi.c -@@ -495,7 +495,7 @@ static struct crypto_template *__crypto_lookup_template(const char *name) - - struct crypto_template *crypto_lookup_template(const char *name) - { -- return try_then_request_module(__crypto_lookup_template(name), name); -+ return try_then_request_module(__crypto_lookup_template(name), "%s", name); - } - EXPORT_SYMBOL_GPL(crypto_lookup_template); - diff --git a/crypto/cryptd.c b/crypto/cryptd.c index 7bdd61b..afec999 100644 --- a/crypto/cryptd.c @@ -33710,19 +33735,6 @@ index d92d50f..a7e9d97 100644 set_fs(old_fs); file_end_write(file); if (likely(bw == len)) -diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c -index 037288e..00f80b3 100644 ---- a/drivers/block/nbd.c -+++ b/drivers/block/nbd.c -@@ -714,7 +714,7 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd, - else - blk_queue_flush(nbd->disk->queue, 0); - -- thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name); -+ thread = kthread_create(nbd_thread, nbd, "%s", nbd->disk->disk_name); - if (IS_ERR(thread)) { - mutex_lock(&nbd->tx_lock); - return PTR_ERR(thread); diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c index f5d0ea1..c62380a 100644 --- a/drivers/block/pktcdvd.c @@ -33737,7 +33749,7 @@ index f5d0ea1..c62380a 100644 static DEFINE_MUTEX(pktcdvd_mutex); static struct pktcdvd_device *pkt_devs[MAX_WRITERS]; diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c -index d620b44..d7538c2 100644 +index 8a3aff7..d7538c2 100644 --- a/drivers/cdrom/cdrom.c +++ b/drivers/cdrom/cdrom.c @@ -416,7 +416,6 @@ int register_cdrom(struct cdrom_device_info *cdi) 
@@ -33779,15 +33791,6 @@ index d620b44..d7538c2 100644 if (cgc.buffer) break; -@@ -2882,7 +2883,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi, - if (lba < 0) - return -EINVAL; - -- cgc->buffer = kmalloc(blocksize, GFP_KERNEL); -+ cgc->buffer = kzalloc(blocksize, GFP_KERNEL); - if (cgc->buffer == NULL) - return -ENOMEM; - @@ -3429,7 +3430,7 @@ static int cdrom_print_info(const char *header, int val, char *info, struct cdrom_device_info *cdi; int ret; @@ -34427,6 +34430,23 @@ index a33f46f..a720eed 100644 composite = kzalloc(sizeof(*composite), GFP_KERNEL); if (!composite) { +diff --git a/drivers/clk/socfpga/clk.c b/drivers/clk/socfpga/clk.c +index bd11315..2f14eae 100644 +--- a/drivers/clk/socfpga/clk.c ++++ b/drivers/clk/socfpga/clk.c +@@ -135,8 +135,10 @@ static __init struct clk *socfpga_clk_init(struct device_node *node, + if (strcmp(clk_name, "main_pll") || strcmp(clk_name, "periph_pll") || + strcmp(clk_name, "sdram_pll")) { + socfpga_clk->hw.bit_idx = SOCFPGA_PLL_EXT_ENA; +- clk_pll_ops.enable = clk_gate_ops.enable; +- clk_pll_ops.disable = clk_gate_ops.disable; ++ pax_open_kernel(); ++ *(void **)&clk_pll_ops.enable = clk_gate_ops.enable; ++ *(void **)&clk_pll_ops.disable = clk_gate_ops.disable; ++ pax_close_kernel(); + } + + clk = clk_register(NULL, &socfpga_clk->hw.hw); diff --git a/drivers/clocksource/arm_arch_timer.c b/drivers/clocksource/arm_arch_timer.c index a2b2541..bc1e7ff 100644 --- a/drivers/clocksource/arm_arch_timer.c @@ -34602,10 +34622,10 @@ index 93eb5cb..f8ab572 100644 } EXPORT_SYMBOL_GPL(od_unregister_powersave_bias_handler); diff --git a/drivers/cpufreq/cpufreq_stats.c b/drivers/cpufreq/cpufreq_stats.c -index fb65dec..b88254d 100644 +index 591b6fb..2a01183 100644 --- a/drivers/cpufreq/cpufreq_stats.c 
+++ b/drivers/cpufreq/cpufreq_stats.c -@@ -366,7 +366,7 @@ static int __cpuinit cpufreq_stat_cpu_callback(struct notifier_block *nfb, +@@ -367,7 +367,7 @@ static int __cpuinit cpufreq_stat_cpu_callback(struct notifier_block *nfb, } /* priority=1 so this will get called before cpufreq_remove_dev */ @@ -40008,6 +40028,42 @@ index 151675d..0139a9d 100644 /* multicast configuration controlling object */ bnx2x_init_mcast_obj(bp, &bp->mcast_obj, bp->fp->cl_id, bp->fp->cid, +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c +index ce1a916..10b52b0 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c +@@ -960,6 +960,9 @@ static int bnx2x_set_dump(struct net_device *dev, struct ethtool_dump *val) + struct bnx2x *bp = netdev_priv(dev); + + /* Use the ethtool_dump "flag" field as the dump preset index */ ++ if (val->flag < 1 || val->flag > DUMP_MAX_PRESETS) ++ return -EINVAL; ++ + bp->dump_preset_idx = val->flag; + return 0; + } +@@ -986,8 +989,6 @@ static int bnx2x_get_dump_data(struct net_device *dev, + struct bnx2x *bp = netdev_priv(dev); + struct dump_header dump_hdr = {0}; + +- memset(p, 0, dump->len); +- + /* Disable parity attentions as long as following dump may + * cause false alarms by reading never written registers. We + * will re-enable parity attentions right after the dump. +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +index b4c9dea..2a9927f 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +@@ -11497,6 +11497,8 @@ static int bnx2x_init_bp(struct bnx2x *bp) + bp->min_msix_vec_cnt = 2; + BNX2X_DEV_INFO("bp->min_msix_vec_cnt %d", bp->min_msix_vec_cnt); + ++ bp->dump_preset_idx = 1; ++ + return rc; + } + 
diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c index 32a9609..0b1c53a 100644 --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c @@ -40059,6 +40115,20 @@ index ff6e30e..87e8452 100644 #define CHIPREV_ID_5750_C2 0x4202 #define CHIPREV_ID_5752_A0_HW 0x5000 #define CHIPREV_ID_5752_A0 0x6000 +diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +index 71497e8..b650951 100644 +--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +@@ -3037,7 +3037,9 @@ static void t3_io_resume(struct pci_dev *pdev) + CH_ALERT(adapter, "adapter recovering, PEX ERR 0x%x\n", + t3_read_reg(adapter, A_PCIE_PEX_ERR)); + ++ rtnl_lock(); + t3_resume_ports(adapter); ++ rtnl_unlock(); + } + + static const struct pci_error_handlers t3_err_handler = { diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h index 8cffcdf..aadf043 100644 --- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h @@ -42914,7 +42984,7 @@ index f379c7f..e8fc69c 100644 transport_setup_device(&rport->dev); diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c -index c1c5552..1cf226c 100644 +index 6f6a1b4..80704a9 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -2918,7 +2918,7 @@ static int sd_probe(struct device *dev) @@ -44202,10 +44272,10 @@ index b51c154..17d55d1 100644 if (get_user(c, buf)) diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c -index 6464029..9ff6738 100644 +index 4476682..d77e748 100644 --- a/drivers/tty/tty_io.c +++ b/drivers/tty/tty_io.c -@@ -3464,7 +3464,7 @@ EXPORT_SYMBOL_GPL(get_current_tty); +@@ -3466,7 +3466,7 @@ EXPORT_SYMBOL_GPL(get_current_tty); void tty_default_fops(struct file_operations *fops) { 
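Review bot: With `memset(p, 0, dump->len)` removed from bnx2x_get_dump_data, the driver depends on its caller passing an already zeroed buffer, and nothing in the function says so. The ethtool hunk later in this same patch allocates the buffer with `vzalloc(tmp.len)`, so the dependency holds for that path. Any region the dump code skips is returned exactly as the caller supplied it, so I would add a comment such as `/* p is zeroed by the ethtool core (vzalloc); unwritten regions must stay zero */` where the memset used to be. The new range check in bnx2x_set_dump and the default `bp->dump_preset_idx = 1` in bnx2x_init_bp look consistent with each other. Both function bodies continue outside the hunk, so how the index is used afterwards is not visible here.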
@@ -44879,6 +44949,40 @@ index 6ef94bc..1b41265 100644 } /* +diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c +index f80d3dd..8ca5ac7 100644 +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -150,6 +150,11 @@ static void vhost_net_ubuf_put_and_wait(struct vhost_net_ubuf_ref *ubufs) + { + kref_put(&ubufs->kref, vhost_net_zerocopy_done_signal); + wait_event(ubufs->wait, !atomic_read(&ubufs->kref.refcount)); ++} ++ ++static void vhost_net_ubuf_put_wait_and_free(struct vhost_net_ubuf_ref *ubufs) ++{ ++ vhost_net_ubuf_put_and_wait(ubufs); + kfree(ubufs); + } + +@@ -948,7 +953,7 @@ static long vhost_net_set_backend(struct vhost_net *n, unsigned index, int fd) + mutex_unlock(&vq->mutex); + + if (oldubufs) { +- vhost_net_ubuf_put_and_wait(oldubufs); ++ vhost_net_ubuf_put_wait_and_free(oldubufs); + mutex_lock(&vq->mutex); + vhost_zerocopy_signal_used(n, vq); + mutex_unlock(&vq->mutex); +@@ -966,7 +971,7 @@ err_used: + rcu_assign_pointer(vq->private_data, oldsock); + vhost_net_enable_vq(n, vq); + if (ubufs) +- vhost_net_ubuf_put_and_wait(ubufs); ++ vhost_net_ubuf_put_wait_and_free(ubufs); + err_ubufs: + fput(sock->file); + err_vq: diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c index 5174eba..86e764a 100644 --- a/drivers/vhost/vringh.c @@ -54166,10 +54270,10 @@ index c1c7a9d..7afa0b8 100644 void nfs_fattr_init(struct nfs_fattr *fattr) diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c -index 1fab140..73d0f75 100644 +index 2c37442..9b9538b 100644 --- a/fs/nfs/nfs4state.c +++ b/fs/nfs/nfs4state.c -@@ -1194,7 +1194,7 @@ void nfs4_schedule_state_manager(struct nfs_client *clp) +@@ -1193,7 +1193,7 @@ void nfs4_schedule_state_manager(struct nfs_client *clp) snprintf(buf, sizeof(buf), "%s-manager", rpc_peeraddr2str(clp->cl_rpcclient, RPC_DISPLAY_ADDR)); rcu_read_unlock(); @@ -54192,7 +54296,7 @@ index 27d74a2..c4c2a73 100644 static struct nfsd4_operation nfsd4_ops[]; 
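Review bot: After this change `vhost_net_ubuf_put_and_wait()` no longer frees `ubufs`, but no comment records that, and the two helpers now differ only by a name suffix. A caller that picks the wrong one either leaks the object or frees one that is still referenced. The two call sites visible here (vhost_net_set_backend and its `err_used` path) are switched to the freeing variant; any caller outside this hunk keeps the non-freeing one and should be checked for who owns the `kfree`. I would add `/* Drops our reference and waits until the refcount reaches zero; does NOT free ubufs. */` above the first helper and `/* Same, then frees ubufs; the pointer is invalid on return. */` above the second.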
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c -index 6cd86e0..0369a36 100644 +index 582321a..0224663 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -1458,7 +1458,7 @@ nfsd4_decode_notsupp(struct nfsd4_compoundargs *argp, void *p) @@ -73369,6 +73473,18 @@ index 5bba80f..8520a82 100644 }; #define TCP_SKB_CB(__skb) ((struct tcp_skb_cb *)&((__skb)->cb[0])) +diff --git a/include/net/udp.h b/include/net/udp.h +index 065f379..ad99eed 100644 +--- a/include/net/udp.h ++++ b/include/net/udp.h +@@ -181,6 +181,7 @@ extern int udp_get_port(struct sock *sk, unsigned short snum, + extern void udp_err(struct sk_buff *, u32); + extern int udp_sendmsg(struct kiocb *iocb, struct sock *sk, + struct msghdr *msg, size_t len); ++extern int udp_push_pending_frames(struct sock *sk); + extern void udp_flush_pending_frames(struct sock *sk); + extern int udp_rcv(struct sk_buff *skb); + extern int udp_ioctl(struct sock *sk, int cmd, unsigned long arg); diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 94ce082..62b278d 100644 --- a/include/net/xfrm.h @@ -75493,7 +75609,7 @@ index 7bb73f9..d7978ed 100644 { struct signal_struct *sig = current->signal; diff --git a/kernel/fork.c b/kernel/fork.c -index 987b28a..60e5ad2 100644 +index 987b28a..4e03c05 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -319,7 +319,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig) @@ -75742,7 +75858,7 @@ index 987b28a..60e5ad2 100644 return 0; } -@@ -1197,6 +1247,9 @@ static struct task_struct *copy_process(unsigned long clone_flags, +@@ -1197,10 +1247,13 @@ static struct task_struct *copy_process(unsigned long clone_flags, DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled); #endif retval = -EAGAIN; 
@@ -75751,7 +75867,13 @@ index 987b28a..60e5ad2 100644 + if (atomic_read(&p->real_cred->user->processes) >= task_rlimit(p, RLIMIT_NPROC)) { - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) && +- if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) && +- p->real_cred->user != INIT_USER) ++ if (p->real_cred->user != INIT_USER && ++ !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) + goto bad_fork_free; + } + current->flags &= ~PF_NPROC_EXCEEDED; @@ -1446,6 +1499,11 @@ static struct task_struct *copy_process(unsigned long clone_flags, goto bad_fork_free_pid; } @@ -75826,7 +75948,7 @@ index 987b28a..60e5ad2 100644 else new_fs = fs; diff --git a/kernel/futex.c b/kernel/futex.c -index b26dcfc..39e266a 100644 +index 49dacfb..5c6b450 100644 --- a/kernel/futex.c +++ b/kernel/futex.c @@ -54,6 +54,7 @@ @@ -75837,7 +75959,7 @@ index b26dcfc..39e266a 100644 #include <linux/signal.h> #include <linux/export.h> #include <linux/magic.h> -@@ -241,6 +242,11 @@ get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw) +@@ -242,6 +243,11 @@ get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw) struct page *page, *page_head; int err, ro = 0; @@ -75849,7 +75971,7 @@ index b26dcfc..39e266a 100644 /* * The futex address must be "naturally" aligned. */ -@@ -2732,6 +2738,7 @@ static int __init futex_init(void) +@@ -2733,6 +2739,7 @@ static int __init futex_init(void) { u32 curval; int i; @@ -75857,7 +75979,7 @@ index b26dcfc..39e266a 100644 /* * This will fail and we want it. Some arch implementations do -@@ -2743,8 +2750,11 @@ static int __init futex_init(void) +@@ -2744,8 +2751,11 @@ static int __init futex_init(void) * implementation, the non-functional ones will return * -ENOSYS. */ @@ -76433,7 +76555,7 @@ index b2c71c5..7b88d63 100644 seq_printf(m, "%40s %14lu %29s %pS\n", name, stats->contending_point[i], diff --git a/kernel/module.c b/kernel/module.c -index cab4bce..2025a6e 100644 +index fa53db8..6f17200 100644 
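Review bot: The reordered RLIMIT_NPROC test in copy_process has no comment explaining why the operand order matters, so it reads like a cosmetic shuffle that a later cleanup could undo. The truth value is the same as the removed three-line condition; what changes is that `p->real_cred->user != INIT_USER` short-circuits before any `capable()` call and `CAP_SYS_RESOURCE` is asked for before `CAP_SYS_ADMIN`. That presumably matters because `capable()` has side effects such as audit or logging of capability use, which should be confirmed against the rest of the patch. A comment like `/* order matters: no capable() call for INIT_USER, and try the narrower capability first */` would document it. copy_process starts and ends outside the hunk.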
--- a/kernel/module.c +++ b/kernel/module.c @@ -61,6 +61,7 @@ @@ -77003,7 +77125,7 @@ index cab4bce..2025a6e 100644 set_fs(old_fs); } -@@ -2980,8 +3085,10 @@ out: +@@ -2977,8 +3082,10 @@ static int alloc_module_percpu(struct module *mod, struct load_info *info) static void module_deallocate(struct module *mod, struct load_info *info) { percpu_modfree(mod); @@ -77016,7 +77138,7 @@ index cab4bce..2025a6e 100644 } int __weak module_finalize(const Elf_Ehdr *hdr, -@@ -2994,7 +3101,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr, +@@ -2991,7 +3098,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr, static int post_relocation(struct module *mod, const struct load_info *info) { /* Sort exception table now relocations are done. */ @@ -77026,7 +77148,7 @@ index cab4bce..2025a6e 100644 /* Copy relocated percpu area over. */ percpu_modcopy(mod, (void *)info->sechdrs[info->index.pcpu].sh_addr, -@@ -3048,16 +3157,16 @@ static int do_init_module(struct module *mod) +@@ -3045,16 +3154,16 @@ static int do_init_module(struct module *mod) MODULE_STATE_COMING, mod); /* Set RO and NX regions for core */ @@ -77051,7 +77173,7 @@ index cab4bce..2025a6e 100644 do_mod_ctors(mod); /* Start the module */ -@@ -3119,11 +3228,12 @@ static int do_init_module(struct module *mod) +@@ -3116,11 +3225,12 @@ static int do_init_module(struct module *mod) mod->strtab = mod->core_strtab; #endif unset_module_init_ro_nx(mod); @@ -77069,7 +77191,7 @@ index cab4bce..2025a6e 100644 mutex_unlock(&module_mutex); wake_up_all(&module_wq); -@@ -3250,9 +3360,38 @@ static int load_module(struct load_info *info, const char __user *uargs, +@@ -3252,9 +3362,38 @@ static int load_module(struct load_info *info, const char __user *uargs, if (err) goto free_unload; 
@@ -77108,7 +77230,7 @@ index cab4bce..2025a6e 100644 /* Fix up syms, so that st_value is a pointer to location. */ err = simplify_symbols(mod, info); if (err < 0) -@@ -3268,13 +3407,6 @@ static int load_module(struct load_info *info, const char __user *uargs, +@@ -3270,13 +3409,6 @@ static int load_module(struct load_info *info, const char __user *uargs, flush_module_icache(mod); @@ -77122,7 +77244,7 @@ index cab4bce..2025a6e 100644 dynamic_debug_setup(info->debug, info->num_debug); /* Finally it's fully formed, ready to start executing. */ -@@ -3309,11 +3441,10 @@ static int load_module(struct load_info *info, const char __user *uargs, +@@ -3311,11 +3443,10 @@ static int load_module(struct load_info *info, const char __user *uargs, ddebug_cleanup: dynamic_debug_remove(info->debug); synchronize_sched(); @@ -77135,7 +77257,7 @@ index cab4bce..2025a6e 100644 free_unload: module_unload_free(mod); unlink_mod: -@@ -3396,10 +3527,16 @@ static const char *get_ksymbol(struct module *mod, +@@ -3398,10 +3529,16 @@ static const char *get_ksymbol(struct module *mod, unsigned long nextval; /* At worse, next value is at end of module */ @@ -77155,7 +77277,7 @@ index cab4bce..2025a6e 100644 /* Scan for closest preceding symbol, and next symbol. (ELF starts real symbols at 1). */ -@@ -3652,7 +3789,7 @@ static int m_show(struct seq_file *m, void *p) +@@ -3654,7 +3791,7 @@ static int m_show(struct seq_file *m, void *p) return 0; seq_printf(m, "%s %u", @@ -77164,7 +77286,7 @@ index cab4bce..2025a6e 100644 print_unload_info(m, mod); /* Informative for users. */ -@@ -3661,7 +3798,7 @@ static int m_show(struct seq_file *m, void *p) +@@ -3663,7 +3800,7 @@ static int m_show(struct seq_file *m, void *p) mod->state == MODULE_STATE_COMING ? "Loading": "Live"); /* Used by oprofile and other similar tools. */ 
@@ -77173,7 +77295,7 @@ index cab4bce..2025a6e 100644 /* Taints info */ if (mod->taints) -@@ -3697,7 +3834,17 @@ static const struct file_operations proc_modules_operations = { +@@ -3699,7 +3836,17 @@ static const struct file_operations proc_modules_operations = { static int __init proc_modules_init(void) { @@ -77191,7 +77313,7 @@ index cab4bce..2025a6e 100644 return 0; } module_init(proc_modules_init); -@@ -3758,14 +3905,14 @@ struct module *__module_address(unsigned long addr) +@@ -3760,14 +3907,14 @@ struct module *__module_address(unsigned long addr) { struct module *mod; @@ -77209,7 +77331,7 @@ index cab4bce..2025a6e 100644 return mod; } return NULL; -@@ -3800,11 +3947,20 @@ bool is_module_text_address(unsigned long addr) +@@ -3802,11 +3949,20 @@ bool is_module_text_address(unsigned long addr) */ struct module *__module_text_address(unsigned long addr) { @@ -81124,10 +81246,10 @@ index b32b70c..e512eb0 100644 set_page_address(page, (void *)vaddr); diff --git a/mm/hugetlb.c b/mm/hugetlb.c -index e2bfbf7..aa59ead 100644 +index 5cf99bf..28634c8 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c -@@ -2005,15 +2005,17 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy, +@@ -2022,15 +2022,17 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy, struct hstate *h = &default_hstate; unsigned long tmp; int ret; @@ -81148,7 +81270,7 @@ index e2bfbf7..aa59ead 100644 if (ret) goto out; -@@ -2070,15 +2072,17 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write, +@@ -2087,15 +2089,17 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write, struct hstate *h = &default_hstate; unsigned long tmp; int ret; @@ -81169,7 +81291,7 @@ index e2bfbf7..aa59ead 100644 if (ret) goto out; -@@ -2528,6 +2532,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2545,6 +2549,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma, return 1; } 
@@ -81197,7 +81319,7 @@ index e2bfbf7..aa59ead 100644 /* * Hugetlb_cow() should be called with page lock of the original hugepage held. * Called with hugetlb_instantiation_mutex held and pte_page locked so we -@@ -2646,6 +2671,11 @@ retry_avoidcopy: +@@ -2663,6 +2688,11 @@ retry_avoidcopy: make_huge_pte(vma, new_page, 1)); page_remove_rmap(old_page); hugepage_add_new_anon_rmap(new_page, vma, address); @@ -81209,7 +81331,7 @@ index e2bfbf7..aa59ead 100644 /* Make the old page be freed below */ new_page = old_page; } -@@ -2804,6 +2834,10 @@ retry: +@@ -2821,6 +2851,10 @@ retry: && (vma->vm_flags & VM_SHARED))); set_huge_pte_at(mm, address, ptep, new_pte); @@ -81220,7 +81342,7 @@ index e2bfbf7..aa59ead 100644 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) { /* Optimization, do the COW without a second fault */ ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page); -@@ -2833,6 +2867,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2850,6 +2884,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, static DEFINE_MUTEX(hugetlb_instantiation_mutex); struct hstate *h = hstate_vma(vma); @@ -81231,7 +81353,7 @@ index e2bfbf7..aa59ead 100644 address &= huge_page_mask(h); ptep = huge_pte_offset(mm, address); -@@ -2846,6 +2884,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2863,6 +2901,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, VM_FAULT_SET_HINDEX(hstate_index(h)); } @@ -81315,7 +81437,7 @@ index d53adf9..03a24bf 100644 set_fs(old_fs); diff --git a/mm/madvise.c b/mm/madvise.c -index 7055883..4e8c835 100644 +index 7055883..aafb1ed 100644 --- a/mm/madvise.c +++ b/mm/madvise.c @@ -51,6 +51,10 @@ static long madvise_behavior(struct vm_area_struct * vma, 
@@ -81384,16 +81506,35 @@ index 7055883..4e8c835 100644 +#ifdef CONFIG_PAX_SEGMEXEC + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) { + if (end > SEGMEXEC_TASK_SIZE) -+ goto out; ++ return error; + } else +#endif + + if (end > TASK_SIZE) -+ goto out; ++ return error; + error = 0; if (end == start) return error; +diff --git a/mm/memcontrol.c b/mm/memcontrol.c +index fd79df5..15b0409 100644 +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -6296,14 +6296,6 @@ mem_cgroup_css_online(struct cgroup *cont) + + error = memcg_init_kmem(memcg, &mem_cgroup_subsys); + mutex_unlock(&memcg_create_mutex); +- if (error) { +- /* +- * We call put now because our (and parent's) refcnts +- * are already in place. mem_cgroup_put() will internally +- * call __mem_cgroup_free, so return directly +- */ +- mem_cgroup_put(memcg); +- } + return error; + } + diff --git a/mm/memory-failure.c b/mm/memory-failure.c index ceb0c7f..b2b8e94 100644 --- a/mm/memory-failure.c @@ -84419,7 +84560,7 @@ index 5e6a842..b41916e 100644 return -ENOMEM; diff --git a/mm/slab.c b/mm/slab.c -index 8ccd296..9645f16 100644 +index 8ccd296..012fe4e 100644 --- a/mm/slab.c +++ b/mm/slab.c @@ -366,10 +366,10 @@ static void kmem_cache_node_init(struct kmem_cache_node *parent) @@ -84455,6 +84596,21 @@ index 8ccd296..9645f16 100644 &cpuup_callback, NULL, 0 }; +@@ -1565,12 +1565,12 @@ void __init kmem_cache_init(void) + */ + + kmalloc_caches[INDEX_AC] = create_kmalloc_cache("kmalloc-ac", +- kmalloc_size(INDEX_AC), ARCH_KMALLOC_FLAGS); ++ kmalloc_size(INDEX_AC), SLAB_USERCOPY | ARCH_KMALLOC_FLAGS); + + if (INDEX_AC != INDEX_NODE) + kmalloc_caches[INDEX_NODE] = + create_kmalloc_cache("kmalloc-node", +- kmalloc_size(INDEX_NODE), ARCH_KMALLOC_FLAGS); ++ kmalloc_size(INDEX_NODE), SLAB_USERCOPY | ARCH_KMALLOC_FLAGS); + + slab_early_init = 0; + @@ -3800,6 +3800,7 @@ void kfree(const void *objp) if (unlikely(ZERO_OR_NULL_PTR(objp))) @@ -84697,7 +84853,7 @@ index 2d41450..e22088e 100644 #endif /* !CONFIG_SLOB */ 
diff --git a/mm/slob.c b/mm/slob.c -index eeed4a0..6ee34ec 100644 +index eeed4a0..c414c12 100644 --- a/mm/slob.c +++ b/mm/slob.c @@ -157,7 +157,7 @@ static void set_slob(slob_t *s, slobidx_t size, slob_t *next) @@ -84752,7 +84908,7 @@ index eeed4a0..6ee34ec 100644 current->reclaim_state->reclaimed_slab += 1 << order; - free_pages((unsigned long)b, order); + __ClearPageSlab(sp); -+ reset_page_mapcount(sp); ++ page_mapcount_reset(sp); + sp->private = 0; + __free_pages(sp, order); } @@ -84866,7 +85022,7 @@ index eeed4a0..6ee34ec 100644 + slob_free(m, m[0].units + align); + } else { + __ClearPageSlab(sp); -+ reset_page_mapcount(sp); ++ page_mapcount_reset(sp); + sp->private = 0; __free_pages(sp, compound_order(sp)); + } 
@@ -86499,6 +86655,48 @@ index 5b7d0e1..cb960fc 100644 } } EXPORT_SYMBOL(dev_load); +diff --git a/net/core/ethtool.c b/net/core/ethtool.c +index ce91766..3b71cdb 100644 +--- a/net/core/ethtool.c ++++ b/net/core/ethtool.c +@@ -1319,10 +1319,19 @@ static int ethtool_get_dump_data(struct net_device *dev, + if (ret) + return ret; + +- len = (tmp.len > dump.len) ? dump.len : tmp.len; ++ len = min(tmp.len, dump.len); + if (!len) + return -EFAULT; + ++ /* Don't ever let the driver think there's more space available ++ * than it requested with .get_dump_flag(). ++ */ ++ dump.len = len; ++ ++ /* Always allocate enough space to hold the whole thing so that the ++ * driver does not need to check the length and bother with partial ++ * dumping. ++ */ + data = vzalloc(tmp.len); + if (!data) + return -ENOMEM; +@@ -1330,6 +1339,16 @@ static int ethtool_get_dump_data(struct net_device *dev, + if (ret) + goto out; + ++ /* There are two sane possibilities: ++ * 1. The driver's .get_dump_data() does not touch dump.len. ++ * 2. Or it may set dump.len to how much it really writes, which ++ * should be tmp.len (or len if it can do a partial dump). ++ * In any case respond to userspace with the actual length of data ++ * it's receiving. ++ */ ++ WARN_ON(dump.len != len && dump.len != tmp.len); ++ dump.len = len; ++ + if (copy_to_user(useraddr, &dump, sizeof(dump))) { + ret = -EFAULT; + goto out; diff --git a/net/core/flow.c b/net/core/flow.c index 7102f16..146b4bd 100644 --- a/net/core/flow.c @@ -87252,7 +87450,7 @@ index b66910a..cfe416e 100644 return -ENOMEM; } diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c -index 2a83591..0064080 100644 +index 2a83591..68e7458 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -115,7 +115,7 @@ static bool log_ecn_error = true; 
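Review bot: `WARN_ON(dump.len != len && dump.len != tmp.len)` in ethtool_get_dump_data sits on an ioctl path, so a driver that writes any other value into `dump.len` produces a full backtrace on every call. `WARN_ON_ONCE(dump.len != len && dump.len != tmp.len);` would report the driver bug once without letting the kernel log be flooded. The buffer is sized with `vzalloc(tmp.len)` while `dump.len` is clamped to `len` both before and after the driver call, which is the right direction. The copy of `data` to userspace happens after this hunk and is not visible here, so it is worth confirming that it is bounded by `len` rather than by a driver-supplied value.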
@@ -87264,7 +87462,23 @@ index 2a83591..0064080 100644 static int ipgre_tunnel_init(struct net_device *dev); static int ipgre_net_id __read_mostly; -@@ -918,7 +918,7 @@ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = { +@@ -503,10 +503,11 @@ static int ipgre_tunnel_ioctl(struct net_device *dev, + + if (copy_from_user(&p, ifr->ifr_ifru.ifru_data, sizeof(p))) + return -EFAULT; +- if (p.iph.version != 4 || p.iph.protocol != IPPROTO_GRE || +- p.iph.ihl != 5 || (p.iph.frag_off&htons(~IP_DF)) || +- ((p.i_flags|p.o_flags)&(GRE_VERSION|GRE_ROUTING))) { +- return -EINVAL; ++ if (cmd == SIOCADDTUNNEL || cmd == SIOCCHGTUNNEL) { ++ if (p.iph.version != 4 || p.iph.protocol != IPPROTO_GRE || ++ p.iph.ihl != 5 || (p.iph.frag_off&htons(~IP_DF)) || ++ ((p.i_flags|p.o_flags)&(GRE_VERSION|GRE_ROUTING))) ++ return -EINVAL; + } + p.i_flags = gre_flags_to_tnl_flags(p.i_flags); + p.o_flags = gre_flags_to_tnl_flags(p.o_flags); +@@ -918,7 +919,7 @@ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = { [IFLA_GRE_PMTUDISC] = { .type = NLA_U8 }, }; @@ -87273,7 +87487,7 @@ index 2a83591..0064080 100644 .kind = "gre", .maxtype = IFLA_GRE_MAX, .policy = ipgre_policy, -@@ -932,7 +932,7 @@ static struct rtnl_link_ops ipgre_link_ops __read_mostly = { +@@ -932,7 +933,7 @@ static struct rtnl_link_ops ipgre_link_ops __read_mostly = { .fill_info = ipgre_fill_info, }; @@ -87306,7 +87520,7 @@ index d9c4f11..02b82dbc 100644 msg.msg_flags = flags; diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c -index c118f6b..3ad0680 100644 +index c118f6b..63856c4 100644 --- a/net/ipv4/ip_vti.c +++ b/net/ipv4/ip_vti.c @@ -47,7 +47,7 @@ 
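Review bot: In ipgre_tunnel_ioctl the header sanity check now runs only for `SIOCADDTUNNEL` and `SIOCCHGTUNNEL`, which leaves every other command in this case block using the user-copied `p` unvalidated, and no comment says that this is intended. The next visible lines already pass `p.i_flags` and `p.o_flags` through `gre_flags_to_tnl_flags()` for all commands. If the intent is that the remaining commands use `p` only as a lookup key, a comment such as `/* only ADD/CHG install these parameters; other commands use p for lookup only */` above the new `if` would make that reviewable. The rest of the ioctl body is outside the hunk, so whether that holds cannot be confirmed from here.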
@@ -87318,7 +87532,25 @@ index c118f6b..3ad0680 100644 static int vti_net_id __read_mostly; struct vti_net { -@@ -847,7 +847,7 @@ static const struct nla_policy vti_policy[IFLA_VTI_MAX + 1] = { +@@ -606,17 +606,10 @@ static int __net_init vti_fb_tunnel_init(struct net_device *dev) + struct iphdr *iph = &tunnel->parms.iph; + struct vti_net *ipn = net_generic(dev_net(dev), vti_net_id); + +- tunnel->dev = dev; +- strcpy(tunnel->parms.name, dev->name); +- + iph->version = 4; + iph->protocol = IPPROTO_IPIP; + iph->ihl = 5; + +- dev->tstats = alloc_percpu(struct pcpu_tstats); +- if (!dev->tstats) +- return -ENOMEM; +- + dev_hold(dev); + rcu_assign_pointer(ipn->tunnels_wc[0], tunnel); + return 0; +@@ -847,7 +840,7 @@ static const struct nla_policy vti_policy[IFLA_VTI_MAX + 1] = { [IFLA_VTI_REMOTE] = { .len = FIELD_SIZEOF(struct iphdr, daddr) }, }; @@ -87922,7 +88154,7 @@ index 4b85e6f..22f9ac9 100644 syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) { /* Has it gone just too far? */ diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c -index 0bf5d399..79a725f 100644 +index 0bf5d399..5a2dd92 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -87,6 +87,7 @@ 
@@ -87954,7 +88186,24 @@ index 0bf5d399..79a725f 100644 /* * This routine is called by the ICMP module when it gets some * sort of error condition. If err < 0 then the socket should -@@ -889,9 +897,18 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, +@@ -799,7 +807,7 @@ send: + /* + * Push out all pending data as one UDP datagram. Socket is locked. + */ +-static int udp_push_pending_frames(struct sock *sk) ++int udp_push_pending_frames(struct sock *sk) + { + struct udp_sock *up = udp_sk(sk); + struct inet_sock *inet = inet_sk(sk); +@@ -818,6 +826,7 @@ out: + up->pending = 0; + return err; + } ++EXPORT_SYMBOL(udp_push_pending_frames); + + int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + size_t len) +@@ -889,9 +898,18 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, dport = usin->sin_port; if (dport == 0) return -EINVAL; @@ -87973,7 +88222,7 @@ index 0bf5d399..79a725f 100644 daddr = inet->inet_daddr; dport = inet->inet_dport; /* Open fast path for connected socket. -@@ -1135,7 +1152,7 @@ static unsigned int first_packet_length(struct sock *sk) +@@ -1135,7 +1153,7 @@ static unsigned int first_packet_length(struct sock *sk) IS_UDPLITE(sk)); UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, IS_UDPLITE(sk)); @@ -87982,7 +88231,7 @@ index 0bf5d399..79a725f 100644 __skb_unlink(skb, rcvq); __skb_queue_tail(&list_kill, skb); } -@@ -1221,6 +1238,10 @@ try_again: +@@ -1221,6 +1239,10 @@ try_again: if (!skb) goto out; @@ -87993,7 +88242,7 @@ index 0bf5d399..79a725f 100644 ulen = skb->len - sizeof(struct udphdr); copied = len; if (copied > ulen) -@@ -1254,7 +1275,7 @@ try_again: +@@ -1254,7 +1276,7 @@ try_again: if (unlikely(err)) { trace_kfree_skb(skb, udp_recvmsg); if (!peeked) { 
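Review bot: `udp_push_pending_frames()` becomes a global, exported function here, yet its contract is still only the one-line comment "Socket is locked" written when it was a file-local helper. Now that code outside net/ipv4/udp.c can call it (this patch adds a call from udp_v6_push_pending_frames), the precondition deserves a proper header on the definition. Something like `/* Caller must hold the socket lock; sends all corked data as one datagram and clears up->len and up->pending. */` would do, since the visible `out:` path resets `up->pending` and the function body between the two hunks is not shown. The matching prototype is added to include/net/udp.h elsewhere in this patch and could carry the same note.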
@@ -88002,7 +88251,7 @@ index 0bf5d399..79a725f 100644 UDP_INC_STATS_USER(sock_net(sk), UDP_MIB_INERRORS, is_udplite); } -@@ -1541,7 +1562,7 @@ csum_error: +@@ -1541,7 +1563,7 @@ csum_error: UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_CSUMERRORS, is_udplite); drop: UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite); @@ -88011,7 +88260,7 @@ index 0bf5d399..79a725f 100644 kfree_skb(skb); return -1; } -@@ -1560,7 +1581,7 @@ static void flush_stack(struct sock **stack, unsigned int count, +@@ -1560,7 +1582,7 @@ static void flush_stack(struct sock **stack, unsigned int count, skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC); if (!skb1) { @@ -88020,7 +88269,7 @@ index 0bf5d399..79a725f 100644 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS, IS_UDPLITE(sk)); UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, -@@ -1729,6 +1750,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, +@@ -1729,6 +1751,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, goto csum_error; UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE); @@ -88030,7 +88279,7 @@ index 0bf5d399..79a725f 100644 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0); /* -@@ -2159,7 +2183,7 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f, +@@ -2159,7 +2184,7 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f, from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)), 0, sock_i_ino(sp), atomic_read(&sp->sk_refcnt), sp, 
@@ -88189,6 +88438,60 @@ index ecd6073..58162ae 100644 .kind = "ip6gretap", .maxtype = IFLA_GRE_MAX, .policy = ip6gre_policy, +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index d5d20cd..6e3ddf8 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1098,11 +1098,12 @@ static inline struct ipv6_rt_hdr *ip6_rthdr_dup(struct ipv6_rt_hdr *src, + return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL; + } + +-static void ip6_append_data_mtu(int *mtu, ++static void ip6_append_data_mtu(unsigned int *mtu, + int *maxfraglen, + unsigned int fragheaderlen, + struct sk_buff *skb, +- struct rt6_info *rt) ++ struct rt6_info *rt, ++ bool pmtuprobe) + { + if (!(rt->dst.flags & DST_XFRM_TUNNEL)) { + if (skb == NULL) { +@@ -1114,7 +1115,9 @@ static void ip6_append_data_mtu(int *mtu, + * this fragment is not first, the headers + * space is regarded as data space. + */ +- *mtu = dst_mtu(rt->dst.path); ++ *mtu = min(*mtu, pmtuprobe ? ++ rt->dst.dev->mtu : ++ dst_mtu(rt->dst.path)); + } + *maxfraglen = ((*mtu - fragheaderlen) & ~7) + + fragheaderlen - sizeof(struct frag_hdr); +@@ -1131,11 +1134,10 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, + struct ipv6_pinfo *np = inet6_sk(sk); + struct inet_cork *cork; + struct sk_buff *skb, *skb_prev = NULL; +- unsigned int maxfraglen, fragheaderlen; ++ unsigned int maxfraglen, fragheaderlen, mtu; + int exthdrlen; + int dst_exthdrlen; + int hh_len; +- int mtu; + int copy; + int err; + int offset = 0; +@@ -1292,7 +1294,9 @@ alloc_new_skb: + /* update mtu and maxfraglen if necessary */ + if (skb == NULL || skb_prev == NULL) + ip6_append_data_mtu(&mtu, &maxfraglen, +- fragheaderlen, skb, rt); ++ fragheaderlen, skb, rt, ++ np->pmtudisc == ++ IPV6_PMTUDISC_PROBE); + + skb_prev = skb; + diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c index 1e55866..b398dab 100644 --- a/net/ipv6/ip6_tunnel.c @@ -88549,7 +88852,7 @@ index 0a17ed9..2526cc3 100644 } 
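Review bot: In the net/ipv6/ip6_output.c hunk, `ip6_append_data_mtu()` now takes `unsigned int *mtu`, but its second parameter is still `int *maxfraglen`, while the caller declares `unsigned int maxfraglen, fragheaderlen, mtu;` and passes `&maxfraglen`. The change makes mtu unsigned on both sides and leaves maxfraglen with mismatched pointer signedness; the signature line should read `unsigned int *maxfraglen,`. That also keeps `((*mtu - fragheaderlen) & ~7)` and its destination in one type. The same hunk is repeated for the 3.2.48 patch later in this diff, and both function bodies continue outside the hunk.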
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index 42923b1..8ca3d6e 100644 +index 42923b1..d09c290 100644 --- a/net/ipv6/udp.c +++ b/net/ipv6/udp.c @@ -52,6 +52,10 @@ @@ -88600,7 +88903,25 @@ index 42923b1..8ca3d6e 100644 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0); kfree_skb(skb); -@@ -1387,7 +1394,7 @@ static void udp6_sock_seq_show(struct seq_file *seq, struct sock *sp, int bucket +@@ -955,11 +962,16 @@ static int udp_v6_push_pending_frames(struct sock *sk) + struct udphdr *uh; + struct udp_sock *up = udp_sk(sk); + struct inet_sock *inet = inet_sk(sk); +- struct flowi6 *fl6 = &inet->cork.fl.u.ip6; ++ struct flowi6 *fl6; + int err = 0; + int is_udplite = IS_UDPLITE(sk); + __wsum csum = 0; + ++ if (up->pending == AF_INET) ++ return udp_push_pending_frames(sk); ++ ++ fl6 = &inet->cork.fl.u.ip6; ++ + /* Grab the skbuff where UDP header space exists. */ + if ((skb = skb_peek(&sk->sk_write_queue)) == NULL) + goto out; +@@ -1387,7 +1399,7 @@ static void udp6_sock_seq_show(struct seq_file *seq, struct sock *sp, int bucket 0, sock_i_ino(sp), atomic_read(&sp->sk_refcnt), sp, @@ -88770,6 +89091,20 @@ index 9da8620..97070ad 100644 } while (!res); return res; } +diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c +index 8dec687..5ebee2d 100644 +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -1793,7 +1793,8 @@ static const struct proto_ops pppol2tp_ops = { + + static const struct pppox_proto pppol2tp_proto = { + .create = pppol2tp_create, +- .ioctl = pppol2tp_ioctl ++ .ioctl = pppol2tp_ioctl, ++ .owner = THIS_MODULE, + }; + + #ifdef CONFIG_L2TP_V3 diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index 4fdb306e..920086a 100644 --- a/net/mac80211/cfg.c @@ -91449,14 +91784,14 @@ index 0000000..5e0222d + [[ "$plugincc" =~ "$2" ]] && echo "$2" +fi diff --git a/scripts/headers_install.sh b/scripts/headers_install.sh -index 643764f..c437ded 100644 +index 643764f..6cc0137 100644 --- a/scripts/headers_install.sh +++ b/scripts/headers_install.sh 
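Review bot: The early return added to `udp_v6_push_pending_frames()` has no comment saying why an IPv6 socket can arrive with `up->pending == AF_INET`, or why the `fl6` assignment had to move below the check. I would add above it `/* Corked through the IPv4 path: the cork holds an IPv4 flow, so hand off before reading it as flowi6. */`. That reading is inferred from the `cork.fl.u.ip6` access and should be confirmed against the sendmsg path, which is outside the hunk. The companion net/ipv4/udp.c hunk exports `udp_push_pending_frames()` under the existing comment "Socket is locked", which should now be worded as a requirement on callers. The same change appears again for the 3.2.48 patch later in this diff.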
@@ -29,6 +29,7 @@ do FILE="$(basename "$i")" sed -r \ -e 's/([ \t(])(__user|__force|__iomem)[ \t]/\1/g' \ -+ -e 's/__intentional_overflow\([ \t,0-9]*\)//g' \ ++ -e 's/__intentional_overflow\([- \t,0-9]*\)//g' \ -e 's/__attribute_const__([ \t]|$)/\1/g' \ -e 's@^#include <linux/compiler.h>@@' \ -e 's/(^|[^a-zA-Z0-9])__packed([^a-zA-Z0-9_]|$)/\1__attribute__((packed))\2/g' \ diff --git a/3.10.0/4425_grsec_remove_EI_PAX.patch b/3.10.1/4425_grsec_remove_EI_PAX.patch index 415fda5..415fda5 100644 --- a/3.10.0/4425_grsec_remove_EI_PAX.patch +++ b/3.10.1/4425_grsec_remove_EI_PAX.patch diff --git a/3.10.0/4427_force_XATTR_PAX_tmpfs.patch b/3.10.1/4427_force_XATTR_PAX_tmpfs.patch index e2a9551..e2a9551 100644 --- a/3.10.0/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.10.1/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.10.0/4430_grsec-remove-localversion-grsec.patch b/3.10.1/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.10.0/4430_grsec-remove-localversion-grsec.patch +++ b/3.10.1/4430_grsec-remove-localversion-grsec.patch diff --git a/3.10.0/4435_grsec-mute-warnings.patch b/3.10.1/4435_grsec-mute-warnings.patch index ed941d5..ed941d5 100644 --- a/3.10.0/4435_grsec-mute-warnings.patch +++ b/3.10.1/4435_grsec-mute-warnings.patch diff --git a/3.10.0/4440_grsec-remove-protected-paths.patch b/3.10.1/4440_grsec-remove-protected-paths.patch index 637934a..637934a 100644 --- a/3.10.0/4440_grsec-remove-protected-paths.patch +++ b/3.10.1/4440_grsec-remove-protected-paths.patch diff --git a/3.10.0/4450_grsec-kconfig-default-gids.patch b/3.10.1/4450_grsec-kconfig-default-gids.patch index f144c0e..f144c0e 100644 --- a/3.10.0/4450_grsec-kconfig-default-gids.patch +++ b/3.10.1/4450_grsec-kconfig-default-gids.patch diff --git a/3.10.0/4465_selinux-avc_audit-log-curr_ip.patch b/3.10.1/4465_selinux-avc_audit-log-curr_ip.patch index b0786d4..b0786d4 100644 --- a/3.10.0/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.10.1/4465_selinux-avc_audit-log-curr_ip.patch 
diff --git a/3.10.0/4470_disable-compat_vdso.patch b/3.10.1/4470_disable-compat_vdso.patch index 424d91f..424d91f 100644 --- a/3.10.0/4470_disable-compat_vdso.patch +++ b/3.10.1/4470_disable-compat_vdso.patch diff --git a/3.10.0/4475_emutramp_default_on.patch b/3.10.1/4475_emutramp_default_on.patch index 27bfc2d..27bfc2d 100644 --- a/3.10.0/4475_emutramp_default_on.patch +++ b/3.10.1/4475_emutramp_default_on.patch diff --git a/3.2.48/0000_README b/3.2.48/0000_README index a54f771..d175731 100644 --- a/3.2.48/0000_README +++ b/3.2.48/0000_README @@ -110,7 +110,7 @@ Patch: 1047_linux-3.2.48.patch From: http://www.kernel.org Desc: Linux 3.2.48 -Patch: 4420_grsecurity-2.9.1-3.2.48-201307092217.patch +Patch: 4420_grsecurity-2.9.1-3.2.48-201307122306.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.48/4420_grsecurity-2.9.1-3.2.48-201307092217.patch b/3.2.48/4420_grsecurity-2.9.1-3.2.48-201307122306.patch index 798931c..f78c339 100644 --- a/3.2.48/4420_grsecurity-2.9.1-3.2.48-201307092217.patch +++ b/3.2.48/4420_grsecurity-2.9.1-3.2.48-201307122306.patch @@ -6539,6 +6539,27 @@ index cb85458..e063f17 100644 extra-y := head_$(BITS).o extra-y += init_task.o +diff --git a/arch/sparc/kernel/ds.c b/arch/sparc/kernel/ds.c +index 27728e1..0010e923 100644 +--- a/arch/sparc/kernel/ds.c ++++ b/arch/sparc/kernel/ds.c +@@ -783,6 +783,16 @@ void ldom_set_var(const char *var, const char *value) + char *base, *p; + int msg_len, loops; + ++ if (strlen(var) + strlen(value) + 2 > ++ sizeof(pkt) - sizeof(pkt.header)) { ++ printk(KERN_ERR PFX ++ "contents length: %zu, which more than max: %lu," ++ "so could not set (%s) variable to (%s).\n", ++ strlen(var) + strlen(value) + 2, ++ sizeof(pkt) - sizeof(pkt.header), var, value); ++ return; ++ } ++ + memset(&pkt, 0, sizeof(pkt)); + pkt.header.data.tag.type = DS_DATA; + pkt.header.data.handle = cp->handle; 
diff --git a/arch/sparc/kernel/leon_kernel.c b/arch/sparc/kernel/leon_kernel.c index a19c8a0..d04a60b 100644 --- a/arch/sparc/kernel/leon_kernel.c @@ -39484,6 +39505,20 @@ index da90ba5..dcba1fd 100644 #define CHIPREV_ID_5750_C2 0x4202 #define CHIPREV_ID_5752_A0_HW 0x5000 #define CHIPREV_ID_5752_A0 0x6000 +diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +index 4d15c8f..1bc7689 100644 +--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +@@ -3031,7 +3031,9 @@ static void t3_io_resume(struct pci_dev *pdev) + CH_ALERT(adapter, "adapter recovering, PEX ERR 0x%x\n", + t3_read_reg(adapter, A_PCIE_PEX_ERR)); + ++ rtnl_lock(); + t3_resume_ports(adapter); ++ rtnl_unlock(); + } + + static struct pci_error_handlers t3_err_handler = { diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h index c5f5479..2e8c260 100644 --- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h @@ -74367,6 +74402,18 @@ index fe46019..1422c5a 100644 }; #define TCP_SKB_CB(__skb) ((struct tcp_skb_cb *)&((__skb)->cb[0])) +diff --git a/include/net/udp.h b/include/net/udp.h +index 3b285f4..e158330 100644 +--- a/include/net/udp.h ++++ b/include/net/udp.h +@@ -180,6 +180,7 @@ extern int udp_get_port(struct sock *sk, unsigned short snum, + extern void udp_err(struct sk_buff *, u32); + extern int udp_sendmsg(struct kiocb *iocb, struct sock *sk, + struct msghdr *msg, size_t len); ++extern int udp_push_pending_frames(struct sock *sk); + extern void udp_flush_pending_frames(struct sock *sk); + extern int udp_rcv(struct sk_buff *skb); + extern int udp_ioctl(struct sock *sk, int cmd, unsigned long arg); diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 921f627..4ec32de 100644 --- a/include/net/xfrm.h @@ -76161,7 +76208,7 @@ index 234e152..0ae0243 100644 { struct signal_struct *sig = current->signal; 
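Review bot: In the arch/sparc/kernel/ds.c hunk, the new `printk` in `ldom_set_var()` formats `sizeof(pkt) - sizeof(pkt.header)` with `%lu`, although the expression is a `size_t` and the same call already uses `%zu` for the strlen sum. The two adjacent literals also concatenate to "max: %lu,so could" with no space, and "which more than" is missing a verb. I would write `"contents length: %zu, which is more than max: %zu, "`. The rejected `var` and `value` are by definition over-long and are printed in full at KERN_ERR, so logging only the lengths, or a truncated `%.32s`, would keep a caller from pushing arbitrary-size text into the kernel log. The rest of the function, including the copy this check guards, is outside the hunk.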
diff --git a/kernel/fork.c b/kernel/fork.c -index ce0c182..8adf56a 100644 +index ce0c182..64aeae3 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -270,19 +270,24 @@ static struct task_struct *dup_task_struct(struct task_struct *orig) @@ -76450,7 +76497,7 @@ index ce0c182..8adf56a 100644 return 0; } -@@ -1104,6 +1171,9 @@ static struct task_struct *copy_process(unsigned long clone_flags, +@@ -1104,10 +1171,13 @@ static struct task_struct *copy_process(unsigned long clone_flags, DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled); #endif retval = -EAGAIN; @@ -76459,7 +76506,13 @@ index ce0c182..8adf56a 100644 + if (atomic_read(&p->real_cred->user->processes) >= task_rlimit(p, RLIMIT_NPROC)) { - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) && +- if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) && +- p->real_cred->user != INIT_USER) ++ if (p->real_cred->user != INIT_USER && ++ !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) + goto bad_fork_free; + } + current->flags &= ~PF_NPROC_EXCEEDED; @@ -1341,6 +1411,11 @@ static struct task_struct *copy_process(unsigned long clone_flags, goto bad_fork_free_pid; } 
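Review bot: The reordered RLIMIT_NPROC test in `copy_process()` is logically equivalent to the line it replaces, so without a comment a later cleanup can reorder it back. The difference is only evaluation order: `p->real_cred->user != INIT_USER` now short-circuits before either `capable()` call. I would add `/* identity test first: capable() has side effects (audit, PF_SUPERPRIV), so call it only when the limit would otherwise be enforced */` above the condition. The stated rationale is my reading of the reorder and should be confirmed against the grsecurity changelog. `copy_process()` starts and ends outside the hunk.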
@@ -87446,6 +87499,30 @@ index f78f898..d7aa843 100644 register_netdevice_notifier(¬ifier); if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) { +diff --git a/net/ceph/auth_none.c b/net/ceph/auth_none.c +index 214c2bb..9f78c5f 100644 +--- a/net/ceph/auth_none.c ++++ b/net/ceph/auth_none.c +@@ -39,6 +39,11 @@ static int should_authenticate(struct ceph_auth_client *ac) + return xi->starting; + } + ++static int build_request(struct ceph_auth_client *ac, void *buf, void *end) ++{ ++ return 0; ++} ++ + /* + * the generic auth code decode the global_id, and we carry no actual + * authenticate state, so nothing happens here. +@@ -107,6 +112,7 @@ static const struct ceph_auth_client_ops ceph_auth_none_ops = { + .destroy = destroy, + .is_authenticated = is_authenticated, + .should_authenticate = should_authenticate, ++ .build_request = build_request, + .handle_reply = handle_reply, + .create_authorizer = ceph_auth_none_create_authorizer, + .destroy_authorizer = ceph_auth_none_destroy_authorizer, diff --git a/net/compat.c b/net/compat.c index 8c979cc..5800e81 100644 --- a/net/compat.c 
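Review bot: The new `build_request()` stub in net/ceph/auth_none.c has no comment, unlike the neighbouring `handle_reply` whose comment explains why nothing happens there. A no-op wired into `ceph_auth_none_ops` reads as unfinished unless it says why it exists. I would add `/* auth_none has no request payload; provided so the op is never NULL when the generic auth code calls it */`. That caller is not in the hunk, so the wording should be checked against it.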
@@ -87744,6 +87821,48 @@ index cd09414..d070f83 100644 .init = dev_mc_net_init, .exit = dev_mc_net_exit, }; +diff --git a/net/core/ethtool.c b/net/core/ethtool.c +index 2367246..4a0a677 100644 +--- a/net/core/ethtool.c ++++ b/net/core/ethtool.c +@@ -1612,10 +1612,19 @@ static int ethtool_get_dump_data(struct net_device *dev, + if (ret) + return ret; + +- len = (tmp.len > dump.len) ? dump.len : tmp.len; ++ len = min(tmp.len, dump.len); + if (!len) + return -EFAULT; + ++ /* Don't ever let the driver think there's more space available ++ * than it requested with .get_dump_flag(). ++ */ ++ dump.len = len; ++ ++ /* Always allocate enough space to hold the whole thing so that the ++ * driver does not need to check the length and bother with partial ++ * dumping. ++ */ + data = vzalloc(tmp.len); + if (!data) + return -ENOMEM; +@@ -1623,6 +1632,16 @@ static int ethtool_get_dump_data(struct net_device *dev, + if (ret) + goto out; + ++ /* There are two sane possibilities: ++ * 1. The driver's .get_dump_data() does not touch dump.len. ++ * 2. Or it may set dump.len to how much it really writes, which ++ * should be tmp.len (or len if it can do a partial dump). ++ * In any case respond to userspace with the actual length of data ++ * it's receiving. ++ */ ++ WARN_ON(dump.len != len && dump.len != tmp.len); ++ dump.len = len; ++ + if (copy_to_user(useraddr, &dump, sizeof(dump))) { + ret = -EFAULT; + goto out; diff --git a/net/core/flow.c b/net/core/flow.c index e318c7e..168b1d0 100644 --- a/net/core/flow.c @@ -89374,7 +89493,7 @@ index 2e0f0af..e2948bf 100644 syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) { /* Has it gone just too far? */ diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c -index 5a65eea..bd913a1 100644 +index 5a65eea..79830d4 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -86,6 +86,7 @@ 
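Review bot: In the net/core/ethtool.c hunk, `WARN_ON(dump.len != len && dump.len != tmp.len);` sits on an ioctl path and fires on every call if a driver's `.get_dump_data()` leaves an unexpected length. That is a driver defect being reported once per user request, with a full backtrace each time. `WARN_ON_ONCE(dump.len != len && dump.len != tmp.len);` reports the defect without letting repeated calls flood the log. The following `dump.len = len;` already makes the reply safe whatever the driver wrote, so nothing else depends on the warning. `ethtool_get_dump_data()` begins and ends outside the hunk.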
@@ -89406,7 +89525,24 @@ index 5a65eea..bd913a1 100644 /* * This routine is called by the ICMP module when it gets some * sort of error condition. If err < 0 then the socket should -@@ -856,9 +864,18 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, +@@ -766,7 +774,7 @@ send: + /* + * Push out all pending data as one UDP datagram. Socket is locked. + */ +-static int udp_push_pending_frames(struct sock *sk) ++int udp_push_pending_frames(struct sock *sk) + { + struct udp_sock *up = udp_sk(sk); + struct inet_sock *inet = inet_sk(sk); +@@ -785,6 +793,7 @@ out: + up->pending = 0; + return err; + } ++EXPORT_SYMBOL(udp_push_pending_frames); + + int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + size_t len) +@@ -856,9 +865,18 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, dport = usin->sin_port; if (dport == 0) return -EINVAL; @@ -89425,7 +89561,7 @@ index 5a65eea..bd913a1 100644 daddr = inet->inet_daddr; dport = inet->inet_dport; /* Open fast path for connected socket. -@@ -1099,7 +1116,7 @@ static unsigned int first_packet_length(struct sock *sk) +@@ -1099,7 +1117,7 @@ static unsigned int first_packet_length(struct sock *sk) udp_lib_checksum_complete(skb)) { UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, IS_UDPLITE(sk)); @@ -89434,7 +89570,7 @@ index 5a65eea..bd913a1 100644 __skb_unlink(skb, rcvq); __skb_queue_tail(&list_kill, skb); } -@@ -1185,6 +1202,10 @@ try_again: +@@ -1185,6 +1203,10 @@ try_again: if (!skb) goto out; @@ -89445,7 +89581,7 @@ index 5a65eea..bd913a1 100644 ulen = skb->len - sizeof(struct udphdr); copied = len; if (copied > ulen) -@@ -1487,7 +1508,7 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) +@@ -1487,7 +1509,7 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) drop: UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite); 
@@ -89454,7 +89590,7 @@ index 5a65eea..bd913a1 100644 kfree_skb(skb); return -1; } -@@ -1506,7 +1527,7 @@ static void flush_stack(struct sock **stack, unsigned int count, +@@ -1506,7 +1528,7 @@ static void flush_stack(struct sock **stack, unsigned int count, skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC); if (!skb1) { @@ -89463,7 +89599,7 @@ index 5a65eea..bd913a1 100644 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS, IS_UDPLITE(sk)); UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, -@@ -1675,6 +1696,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, +@@ -1675,6 +1697,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, goto csum_error; UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE); @@ -89473,7 +89609,7 @@ index 5a65eea..bd913a1 100644 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0); /* -@@ -2098,8 +2122,13 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f, +@@ -2098,8 +2123,13 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f, sk_wmem_alloc_get(sp), sk_rmem_alloc_get(sp), 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp), @@ -89563,7 +89699,7 @@ index 1567fb1..29af910 100644 dst = NULL; } diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 6aadaa8..7a0f168 100644 +index 6aadaa8..db60043 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -909,11 +909,17 @@ static struct dst_entry *ip6_sk_dst_check(struct sock *sk, 
@@ -89585,6 +89721,56 @@ index 6aadaa8..7a0f168 100644 /* Yes, checking route validity in not connected * case is not very simple. Take into account, * that we do not support routing by source, TOS, +@@ -1178,11 +1184,12 @@ static inline struct ipv6_rt_hdr *ip6_rthdr_dup(struct ipv6_rt_hdr *src, + return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL; + } + +-static void ip6_append_data_mtu(int *mtu, ++static void ip6_append_data_mtu(unsigned int *mtu, + int *maxfraglen, + unsigned int fragheaderlen, + struct sk_buff *skb, +- struct rt6_info *rt) ++ struct rt6_info *rt, ++ bool pmtuprobe) + { + if (!(rt->dst.flags & DST_XFRM_TUNNEL)) { + if (skb == NULL) { +@@ -1194,7 +1201,9 @@ static void ip6_append_data_mtu(int *mtu, + * this fragment is not first, the headers + * space is regarded as data space. + */ +- *mtu = dst_mtu(rt->dst.path); ++ *mtu = min(*mtu, pmtuprobe ? ++ rt->dst.dev->mtu : ++ dst_mtu(rt->dst.path)); + } + *maxfraglen = ((*mtu - fragheaderlen) & ~7) + + fragheaderlen - sizeof(struct frag_hdr); +@@ -1211,11 +1220,10 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, + struct ipv6_pinfo *np = inet6_sk(sk); + struct inet_cork *cork; + struct sk_buff *skb, *skb_prev = NULL; +- unsigned int maxfraglen, fragheaderlen; ++ unsigned int maxfraglen, fragheaderlen, mtu; + int exthdrlen; + int dst_exthdrlen; + int hh_len; +- int mtu; + int copy; + int err; + int offset = 0; +@@ -1378,7 +1386,9 @@ alloc_new_skb: + /* update mtu and maxfraglen if necessary */ + if (skb == NULL || skb_prev == NULL) + ip6_append_data_mtu(&mtu, &maxfraglen, +- fragheaderlen, skb, rt); ++ fragheaderlen, skb, rt, ++ np->pmtudisc == ++ IPV6_PMTUDISC_PROBE); + + skb_prev = skb; + diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c index b204df8..8f274f4 100644 --- a/net/ipv6/ipv6_sockglue.c @@ -89908,7 +90094,7 @@ index c69358c..d1e5855 100644 static int tcp6_seq_show(struct seq_file *seq, void *v) 
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index 20f0812..7d4ede1 100644 +index 20f0812..729da61 100644 --- a/net/ipv6/udp.c +++ b/net/ipv6/udp.c @@ -50,6 +50,10 @@ @@ -89959,7 +90145,25 @@ index 20f0812..7d4ede1 100644 bh_unlock_sock(sk); sock_put(sk); goto discard; -@@ -1407,8 +1414,13 @@ static void udp6_sock_seq_show(struct seq_file *seq, struct sock *sp, int bucket +@@ -893,11 +900,16 @@ static int udp_v6_push_pending_frames(struct sock *sk) + struct udphdr *uh; + struct udp_sock *up = udp_sk(sk); + struct inet_sock *inet = inet_sk(sk); +- struct flowi6 *fl6 = &inet->cork.fl.u.ip6; ++ struct flowi6 *fl6; + int err = 0; + int is_udplite = IS_UDPLITE(sk); + __wsum csum = 0; + ++ if (up->pending == AF_INET) ++ return udp_push_pending_frames(sk); ++ ++ fl6 = &inet->cork.fl.u.ip6; ++ + /* Grab the skbuff where UDP header space exists. */ + if ((skb = skb_peek(&sk->sk_write_queue)) == NULL) + goto out; +@@ -1407,8 +1419,13 @@ static void udp6_sock_seq_show(struct seq_file *seq, struct sock *sp, int bucket 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp), @@ -90244,6 +90448,20 @@ index 93a41a0..d4b4edb 100644 NLA_PUT_U32(skb, L2TP_ATTR_CONN_ID, tunnel->tunnel_id); NLA_PUT_U32(skb, L2TP_ATTR_SESSION_ID, session->session_id); +diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c +index 74410e6..e579006 100644 +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -1778,7 +1778,8 @@ static const struct proto_ops pppol2tp_ops = { + + static const struct pppox_proto pppol2tp_proto = { + .create = pppol2tp_create, +- .ioctl = pppol2tp_ioctl ++ .ioctl = pppol2tp_ioctl, ++ .owner = THIS_MODULE, + }; + + #ifdef CONFIG_L2TP_V3 diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h index 73495f1..ad51356 100644 --- a/net/mac80211/ieee80211_i.h |