authorAnthony G. Basile <blueness@gentoo.org>2014-01-17 12:35:43 -0500
committerAnthony G. Basile <blueness@gentoo.org>2014-01-17 12:35:43 -0500
commit3ab1dd0edfaae6fb788b197bdea9688b0c041591 (patch)
tree3e6d8e7b6f92207f52b6a68caaa3ee7b1ad24f2a
parentGrsec/PaX: 3.0-{3.2.54,3.12.7}-201401131812 (diff)
Grsec/PaX: 3.0-3.12.8-20140116093120140116
-rw-r--r--3.12.8/0000_README (renamed from 3.12.7/0000_README)2
-rw-r--r--3.12.8/4420_grsecurity-3.0-3.12.8-201401160931.patch (renamed from 3.12.7/4420_grsecurity-3.0-3.12.7-201401131812.patch)263
-rw-r--r--3.12.8/4425_grsec_remove_EI_PAX.patch (renamed from 3.12.7/4425_grsec_remove_EI_PAX.patch)0
-rw-r--r--3.12.8/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.12.7/4427_force_XATTR_PAX_tmpfs.patch)0
-rw-r--r--3.12.8/4430_grsec-remove-localversion-grsec.patch (renamed from 3.12.7/4430_grsec-remove-localversion-grsec.patch)0
-rw-r--r--3.12.8/4435_grsec-mute-warnings.patch (renamed from 3.12.7/4435_grsec-mute-warnings.patch)0
-rw-r--r--3.12.8/4440_grsec-remove-protected-paths.patch (renamed from 3.12.7/4440_grsec-remove-protected-paths.patch)0
-rw-r--r--3.12.8/4450_grsec-kconfig-default-gids.patch (renamed from 3.12.7/4450_grsec-kconfig-default-gids.patch)0
-rw-r--r--3.12.8/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.12.7/4465_selinux-avc_audit-log-curr_ip.patch)0
-rw-r--r--3.12.8/4470_disable-compat_vdso.patch (renamed from 3.12.7/4470_disable-compat_vdso.patch)0
-rw-r--r--3.12.8/4475_emutramp_default_on.patch (renamed from 3.12.7/4475_emutramp_default_on.patch)0
11 files changed, 102 insertions, 163 deletions
diff --git a/3.12.7/0000_README b/3.12.8/0000_README
index 6d218ae..9b6bc77 100644
--- a/3.12.7/0000_README
+++ b/3.12.8/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.12.7-201401131812.patch
+Patch: 4420_grsecurity-3.0-3.12.8-201401160931.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.12.7/4420_grsecurity-3.0-3.12.7-201401131812.patch b/3.12.8/4420_grsecurity-3.0-3.12.8-201401160931.patch
index ef22dd5..7bb3c7f 100644
--- a/3.12.7/4420_grsecurity-3.0-3.12.7-201401131812.patch
+++ b/3.12.8/4420_grsecurity-3.0-3.12.8-201401160931.patch
@@ -1,5 +1,5 @@
diff --git a/Documentation/dontdiff b/Documentation/dontdiff
-index b89a739..79768fb 100644
+index b89a739..903b673 100644
--- a/Documentation/dontdiff
+++ b/Documentation/dontdiff
@@ -2,9 +2,11 @@
@@ -61,7 +61,7 @@ index b89a739..79768fb 100644
asm-offsets.h
asm_offsets.h
autoconf.h*
-@@ -92,19 +101,24 @@ bounds.h
+@@ -92,32 +101,40 @@ bounds.h
bsetup
btfixupprep
build
@@ -86,7 +86,11 @@ index b89a739..79768fb 100644
conmakehash
consolemap_deftbl.c*
cpustr.h
-@@ -115,9 +129,11 @@ devlist.h*
+ crc32table.h*
+ cscope.*
+ defkeymap.c
++devicetable-offsets.h
+ devlist.h*
dnotify_test
docproc
dslm
@@ -98,7 +102,7 @@ index b89a739..79768fb 100644
fixdep
flask.h
fore200e_mkfirm
-@@ -125,12 +141,15 @@ fore200e_pca_fw.c*
+@@ -125,12 +142,15 @@ fore200e_pca_fw.c*
gconf
gconf.glade.h
gen-devlist
@@ -114,7 +118,7 @@ index b89a739..79768fb 100644
hpet_example
hugepage-mmap
hugepage-shm
-@@ -145,14 +164,14 @@ int32.c
+@@ -145,14 +165,14 @@ int32.c
int4.c
int8.c
kallsyms
@@ -131,7 +135,7 @@ index b89a739..79768fb 100644
logo_*.c
logo_*_clut224.c
logo_*_mono.c
-@@ -162,14 +181,15 @@ mach-types.h
+@@ -162,14 +182,15 @@ mach-types.h
machtypes.h
map
map_hugetlb
@@ -148,7 +152,7 @@ index b89a739..79768fb 100644
mkprep
mkregtable
mktables
-@@ -185,6 +205,8 @@ oui.c*
+@@ -185,6 +206,8 @@ oui.c*
page-types
parse.c
parse.h
@@ -157,7 +161,7 @@ index b89a739..79768fb 100644
patches*
pca200e.bin
pca200e_ecd.bin2
-@@ -194,6 +216,7 @@ perf-archive
+@@ -194,6 +217,7 @@ perf-archive
piggyback
piggy.gzip
piggy.S
@@ -165,7 +169,7 @@ index b89a739..79768fb 100644
pnmtologo
ppc_defs.h*
pss_boot.h
-@@ -203,7 +226,10 @@ r200_reg_safe.h
+@@ -203,7 +227,10 @@ r200_reg_safe.h
r300_reg_safe.h
r420_reg_safe.h
r600_reg_safe.h
@@ -176,7 +180,7 @@ index b89a739..79768fb 100644
relocs
rlim_names.h
rn50_reg_safe.h
-@@ -213,8 +239,12 @@ series
+@@ -213,8 +240,12 @@ series
setup
setup.bin
setup.elf
@@ -189,7 +193,7 @@ index b89a739..79768fb 100644
split-include
syscalltab.h
tables.c
-@@ -224,6 +254,7 @@ tftpboot.img
+@@ -224,6 +255,7 @@ tftpboot.img
timeconst.h
times.h*
trix_boot.h
@@ -197,7 +201,7 @@ index b89a739..79768fb 100644
utsrelease.h*
vdso-syms.lds
vdso.lds
-@@ -235,13 +266,17 @@ vdso32.lds
+@@ -235,13 +267,17 @@ vdso32.lds
vdso32.so.dbg
vdso64.lds
vdso64.so.dbg
@@ -215,7 +219,7 @@ index b89a739..79768fb 100644
vmlinuz
voffset.h
vsyscall.lds
-@@ -249,9 +284,12 @@ vsyscall_32.lds
+@@ -249,9 +285,12 @@ vsyscall_32.lds
wanxlfw.inc
uImage
unifdef
@@ -281,7 +285,7 @@ index 4f7c57c..a2dc685 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index c2f0b79..2e5e090 100644
+index 5d0ec13..d3dcef2 100644
--- a/Makefile
+++ b/Makefile
@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -400,7 +404,13 @@ index c2f0b79..2e5e090 100644
$(Q)$(MAKE) $(build)=$@
define filechk_kernel.release
-@@ -838,6 +900,7 @@ prepare0: archprepare FORCE
+@@ -834,10 +896,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \
+
+ archprepare: archheaders archscripts prepare1 scripts_basic
+
++prepare0: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
++prepare0: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
+ prepare0: archprepare FORCE
$(Q)$(MAKE) $(build)=.
# All the preparing..
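Review bot: The two added `prepare0:` target-specific assignments carry no comment. In GNU make a target-specific variable is also in effect for every prerequisite built on behalf of that target, so `archprepare` and whatever it pulls in see `$(GCC_PLUGINS_CFLAGS)` and `$(GCC_PLUGINS_AFLAGS)` too when reached through `prepare0`. If the intent is only to cover what `$(Q)$(MAKE) $(build)=.` compiles, a line such as `# prepare0 compiles with the gcc plugin flags; the plugins must already be built` above the assignments would record it. The visible rule lists only `archprepare FORCE` as prerequisites, so whether the plugins are guaranteed to exist before this recipe runs cannot be confirmed from the hunk and is worth checking, including under `make -j`.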
@@ -408,7 +418,7 @@ index c2f0b79..2e5e090 100644
prepare: prepare0
# Generate some files
-@@ -945,6 +1008,8 @@ all: modules
+@@ -945,6 +1010,8 @@ all: modules
# using awk while concatenating to the final file.
PHONY += modules
@@ -417,7 +427,7 @@ index c2f0b79..2e5e090 100644
modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin
$(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order
@$(kecho) ' Building modules, stage 2.';
-@@ -960,7 +1025,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin)
+@@ -960,7 +1027,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin)
# Target to prepare building external modules
PHONY += modules_prepare
@@ -426,7 +436,7 @@ index c2f0b79..2e5e090 100644
# Target to install modules
PHONY += modules_install
-@@ -1026,7 +1091,7 @@ MRPROPER_FILES += .config .config.old .version .old_version $(version_h) \
+@@ -1026,7 +1093,7 @@ MRPROPER_FILES += .config .config.old .version .old_version $(version_h) \
Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \
signing_key.priv signing_key.x509 x509.genkey \
extra_certificates signing_key.x509.keyid \
@@ -435,7 +445,7 @@ index c2f0b79..2e5e090 100644
# clean - Delete most, but leave enough to build external modules
#
-@@ -1066,6 +1131,7 @@ distclean: mrproper
+@@ -1066,6 +1133,7 @@ distclean: mrproper
\( -name '*.orig' -o -name '*.rej' -o -name '*~' \
-o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
-o -name '.*.rej' \
@@ -443,7 +453,7 @@ index c2f0b79..2e5e090 100644
-o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \
-type f -print | xargs rm -f
-@@ -1227,6 +1293,8 @@ PHONY += $(module-dirs) modules
+@@ -1227,6 +1295,8 @@ PHONY += $(module-dirs) modules
$(module-dirs): crmodverdir $(objtree)/Module.symvers
$(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
@@ -452,7 +462,7 @@ index c2f0b79..2e5e090 100644
modules: $(module-dirs)
@$(kecho) ' Building modules, stage 2.';
$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
-@@ -1366,17 +1434,21 @@ else
+@@ -1366,17 +1436,21 @@ else
target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
endif
@@ -478,7 +488,7 @@ index c2f0b79..2e5e090 100644
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
%.symtypes: %.c prepare scripts FORCE
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
-@@ -1386,11 +1458,15 @@ endif
+@@ -1386,11 +1460,15 @@ endif
$(cmd_crmodverdir)
$(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
$(build)=$(build-dir)
@@ -3083,10 +3093,10 @@ index 72024ea..ae302dd 100644
void __init smp_set_ops(struct smp_operations *ops)
{
diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
-index 65ed63f..430c478 100644
+index 1f735aa..08af6f7 100644
--- a/arch/arm/kernel/traps.c
+++ b/arch/arm/kernel/traps.c
-@@ -55,7 +55,7 @@ static void dump_mem(const char *, const char *, unsigned long, unsigned long);
+@@ -61,7 +61,7 @@ static void dump_mem(const char *, const char *, unsigned long, unsigned long);
void dump_backtrace_entry(unsigned long where, unsigned long from, unsigned long frame)
{
#ifdef CONFIG_KALLSYMS
@@ -3095,7 +3105,7 @@ index 65ed63f..430c478 100644
#else
printk("Function entered at [<%08lx>] from [<%08lx>]\n", where, from);
#endif
-@@ -257,6 +257,8 @@ static arch_spinlock_t die_lock = __ARCH_SPIN_LOCK_UNLOCKED;
+@@ -263,6 +263,8 @@ static arch_spinlock_t die_lock = __ARCH_SPIN_LOCK_UNLOCKED;
static int die_owner = -1;
static unsigned int die_nest_count;
@@ -3104,7 +3114,7 @@ index 65ed63f..430c478 100644
static unsigned long oops_begin(void)
{
int cpu;
-@@ -299,6 +301,9 @@ static void oops_end(unsigned long flags, struct pt_regs *regs, int signr)
+@@ -305,6 +307,9 @@ static void oops_end(unsigned long flags, struct pt_regs *regs, int signr)
panic("Fatal exception in interrupt");
if (panic_on_oops)
panic("Fatal exception");
@@ -3114,7 +3124,7 @@ index 65ed63f..430c478 100644
if (signr)
do_exit(signr);
}
-@@ -629,7 +634,9 @@ asmlinkage int arm_syscall(int no, struct pt_regs *regs)
+@@ -635,7 +640,9 @@ asmlinkage int arm_syscall(int no, struct pt_regs *regs)
* The user helper at 0xffff0fe0 must be used instead.
* (see entry-armv.S for details)
*/
@@ -3124,7 +3134,7 @@ index 65ed63f..430c478 100644
}
return 0;
-@@ -886,7 +893,11 @@ void __init early_trap_init(void *vectors_base)
+@@ -892,7 +899,11 @@ void __init early_trap_init(void *vectors_base)
kuser_init(vectors_base);
flush_icache_range(vectors, vectors + PAGE_SIZE * 2);
@@ -15990,7 +16000,7 @@ index 77a99ac..39ff7f5 100644
#endif /* _ASM_X86_EMERGENCY_RESTART_H */
diff --git a/arch/x86/include/asm/fpu-internal.h b/arch/x86/include/asm/fpu-internal.h
-index 4d0bda7..221da4d 100644
+index 5be9f87..0320912 100644
--- a/arch/x86/include/asm/fpu-internal.h
+++ b/arch/x86/include/asm/fpu-internal.h
@@ -124,8 +124,11 @@ static inline void sanitize_i387_state(struct task_struct *tsk)
@@ -16015,14 +16025,14 @@ index 4d0bda7..221da4d 100644
})
@@ -298,7 +302,7 @@ static inline int restore_fpu_checking(struct task_struct *tsk)
- "emms\n\t" /* clear stack tags */
- "fildl %P[addr]", /* set F?P to defined value */
- X86_FEATURE_FXSAVE_LEAK,
-- [addr] "m" (tsk->thread.fpu.has_fpu));
-+ [addr] "m" (init_tss[raw_smp_processor_id()].x86_tss.sp0));
+ "fnclex\n\t"
+ "emms\n\t"
+ "fildl %P[addr]" /* set F?P to defined value */
+- : : [addr] "m" (tsk->thread.fpu.has_fpu));
++ : : [addr] "m" (init_tss[raw_smp_processor_id()].x86_tss.sp0));
+ }
return fpu_restore_checking(&tsk->thread.fpu);
- }
diff --git a/arch/x86/include/asm/futex.h b/arch/x86/include/asm/futex.h
index be27ba1..04a8801 100644
--- a/arch/x86/include/asm/futex.h
@@ -24240,7 +24250,7 @@ index 22d0687..e07b2a5 100644
}
diff --git a/arch/x86/kernel/irq_32.c b/arch/x86/kernel/irq_32.c
-index 4186755..784efa0 100644
+index 4186755..18d6a9e 100644
--- a/arch/x86/kernel/irq_32.c
+++ b/arch/x86/kernel/irq_32.c
@@ -39,7 +39,7 @@ static int check_stack_overflow(void)
@@ -24310,7 +24320,7 @@ index 4186755..784efa0 100644
return 1;
}
-@@ -121,29 +125,14 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
+@@ -121,29 +125,11 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
*/
void irq_ctx_init(int cpu)
{
@@ -24326,9 +24336,7 @@ index 4186755..784efa0 100644
- irqctx->tinfo.cpu = cpu;
- irqctx->tinfo.preempt_count = HARDIRQ_OFFSET;
- irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
-+ per_cpu(hardirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREADINFO_GFP, THREAD_SIZE_ORDER));
-+ per_cpu(softirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREADINFO_GFP, THREAD_SIZE_ORDER));
-
+-
- per_cpu(hardirq_ctx, cpu) = irqctx;
-
- irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
@@ -24339,12 +24347,12 @@ index 4186755..784efa0 100644
- irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
-
- per_cpu(softirq_ctx, cpu) = irqctx;
-+ printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
-+ cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu));
++ per_cpu(hardirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREADINFO_GFP, THREAD_SIZE_ORDER));
++ per_cpu(softirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREADINFO_GFP, THREAD_SIZE_ORDER));
printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu));
-@@ -152,7 +141,6 @@ void irq_ctx_init(int cpu)
+@@ -152,7 +138,6 @@ void irq_ctx_init(int cpu)
asmlinkage void do_softirq(void)
{
unsigned long flags;
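Review bot: The two `per_cpu(hardirq_ctx, cpu) = page_address(alloc_pages_node(...))` lines in irq_ctx_init() pass the allocator's result straight to `page_address()` with no failure check. If `alloc_pages_node()` returns NULL, the stored per-CPU IRQ stack pointer would not be a valid stack. Holding the page in a local and checking it before the assignment would make the failure explicit, e.g. `struct page *pg = alloc_pages_node(...);`, then `BUG_ON(!pg);`, then `per_cpu(hardirq_ctx, cpu) = page_address(pg);`, and the same for `softirq_ctx`. The start of irq_ctx_init() lies outside this hunk, so any earlier guard is not visible here. The `printk` that follows prints both stack addresses with plain `%p`; `%pK` may be preferable if these addresses should not appear in the log.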
@@ -24352,7 +24360,7 @@ index 4186755..784efa0 100644
union irq_ctx *irqctx;
u32 *isp;
-@@ -162,15 +150,22 @@ asmlinkage void do_softirq(void)
+@@ -162,15 +147,22 @@ asmlinkage void do_softirq(void)
local_irq_save(flags);
if (local_softirq_pending()) {
@@ -24379,7 +24387,7 @@ index 4186755..784efa0 100644
/*
* Shouldn't happen, we returned above if in_interrupt():
*/
-@@ -191,7 +186,7 @@ bool handle_irq(unsigned irq, struct pt_regs *regs)
+@@ -191,7 +183,7 @@ bool handle_irq(unsigned irq, struct pt_regs *regs)
if (unlikely(!desc))
return false;
@@ -44335,10 +44343,10 @@ index fb3f8dc..9d2ff38 100644
int (*set_speed)(struct net_device *, u8 aneg, u16 sp, u8 dpx, u32 adv);
int (*get_settings)(struct net_device *, struct ethtool_cmd *);
diff --git a/drivers/net/ethernet/sfc/ptp.c b/drivers/net/ethernet/sfc/ptp.c
-index 03acf57..e1251ff 100644
+index 3dd39dc..85efa46 100644
--- a/drivers/net/ethernet/sfc/ptp.c
+++ b/drivers/net/ethernet/sfc/ptp.c
-@@ -539,7 +539,7 @@ static int efx_ptp_synchronize(struct efx_nic *efx, unsigned int num_readings)
+@@ -541,7 +541,7 @@ static int efx_ptp_synchronize(struct efx_nic *efx, unsigned int num_readings)
ptp->start.dma_addr);
/* Clear flag that signals MC ready */
@@ -44362,19 +44370,6 @@ index 50617c5..b13724c 100644
}
/* To mask all all interrupts.*/
-diff --git a/drivers/net/hamradio/hdlcdrv.c b/drivers/net/hamradio/hdlcdrv.c
-index 3169252..5d78c1d 100644
---- a/drivers/net/hamradio/hdlcdrv.c
-+++ b/drivers/net/hamradio/hdlcdrv.c
-@@ -571,6 +571,8 @@ static int hdlcdrv_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
- case HDLCDRVCTL_CALIBRATE:
- if(!capable(CAP_SYS_RAWIO))
- return -EPERM;
-+ if (bi.data.calibrate > INT_MAX / s->par.bitrate)
-+ return -EINVAL;
- s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
- return 0;
-
diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h
index e6fe0d8..2b7d752 100644
--- a/drivers/net/hyperv/hyperv_net.h
@@ -44460,10 +44455,10 @@ index 9bf46bd..bfdaa84 100644
};
diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
-index dc76670..e18f39c 100644
+index 5895e4d..0343d45 100644
--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
-@@ -1189,7 +1189,7 @@ static int macvtap_device_event(struct notifier_block *unused,
+@@ -1182,7 +1182,7 @@ static int macvtap_device_event(struct notifier_block *unused,
return NOTIFY_DONE;
}
@@ -44533,10 +44528,10 @@ index 6327df2..e6e1ebe 100644
};
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
-index 782e38b..d076fdc 100644
+index 7c8343a..80d1e69 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
-@@ -1834,7 +1834,7 @@ unlock:
+@@ -1838,7 +1838,7 @@ unlock:
}
static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
@@ -44545,7 +44540,7 @@ index 782e38b..d076fdc 100644
{
struct tun_file *tfile = file->private_data;
struct tun_struct *tun;
-@@ -1847,6 +1847,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
+@@ -1851,6 +1851,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
unsigned int ifindex;
int ret;
@@ -44669,7 +44664,7 @@ index a79e9d3..78cd4fa 100644
/* we will have to manufacture ethernet headers, prepare template */
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
-index 2ef5b62..6fa0ec3 100644
+index 1462368..578941c 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -2615,7 +2615,7 @@ nla_put_failure:
@@ -47377,10 +47372,10 @@ index f379c7f..e8fc69c 100644
transport_setup_device(&rport->dev);
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
-index 2634d69..fcf7a81 100644
+index dbc024b..6e3b837 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
-@@ -2940,7 +2940,7 @@ static int sd_probe(struct device *dev)
+@@ -2943,7 +2943,7 @@ static int sd_probe(struct device *dev)
sdkp->disk = gd;
sdkp->index = index;
atomic_set(&sdkp->openers, 0);
@@ -77611,7 +77606,7 @@ index 8e47bc7..c70fd73 100644
return nd->saved_names[nd->depth];
}
diff --git a/include/linux/net.h b/include/linux/net.h
-index 8bd9d92..08b1c20 100644
+index 41103f8..631edff 100644
--- a/include/linux/net.h
+++ b/include/linux/net.h
@@ -191,7 +191,7 @@ struct net_proto_family {
@@ -77624,7 +77619,7 @@ index 8bd9d92..08b1c20 100644
struct iovec;
struct kvec;
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
-index 25f5d2d1..5cf2120 100644
+index 21eae43..4fff130 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -1098,6 +1098,7 @@ struct net_device_ops {
@@ -78610,7 +78605,7 @@ index 429c199..4d42e38 100644
/* shm_mode upper byte flags */
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
-index f66f346..2e304d5 100644
+index efa1649..ff898ac 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -639,7 +639,7 @@ extern bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
@@ -78649,7 +78644,7 @@ index f66f346..2e304d5 100644
}
/**
-@@ -1741,7 +1741,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len)
+@@ -1746,7 +1746,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len)
* NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
*/
#ifndef NET_SKB_PAD
@@ -78658,7 +78653,7 @@ index f66f346..2e304d5 100644
#endif
extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
-@@ -2339,7 +2339,7 @@ extern struct sk_buff *skb_recv_datagram(struct sock *sk, unsigned flags,
+@@ -2344,7 +2344,7 @@ extern struct sk_buff *skb_recv_datagram(struct sock *sk, unsigned flags,
int noblock, int *err);
extern unsigned int datagram_poll(struct file *file, struct socket *sock,
struct poll_table_struct *wait);
@@ -78667,7 +78662,7 @@ index f66f346..2e304d5 100644
int offset, struct iovec *to,
int size);
extern int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb,
-@@ -2618,6 +2618,9 @@ static inline void nf_reset(struct sk_buff *skb)
+@@ -2623,6 +2623,9 @@ static inline void nf_reset(struct sk_buff *skb)
nf_bridge_put(skb->nf_bridge);
skb->nf_bridge = NULL;
#endif
@@ -85655,7 +85650,7 @@ index 4a07353..66b5291 100644
#ifdef CONFIG_RT_GROUP_SCHED
/*
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
-index 5ac63c9..d912786 100644
+index ceae65e..3ac1344 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -2868,7 +2868,7 @@ EXPORT_SYMBOL(wait_for_completion_interruptible);
@@ -85827,7 +85822,7 @@ index 5ac63c9..d912786 100644
#else
static void register_sched_domain_sysctl(void)
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
-index 7765ad8..774519f 100644
+index 4117323..91c91ac 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -869,7 +869,7 @@ void task_numa_fault(int node, int pages, bool migrated)
@@ -85839,7 +85834,7 @@ index 7765ad8..774519f 100644
p->mm->numa_scan_offset = 0;
}
-@@ -5847,7 +5847,7 @@ static void nohz_idle_balance(int this_cpu, enum cpu_idle_type idle) { }
+@@ -5864,7 +5864,7 @@ static void nohz_idle_balance(int this_cpu, enum cpu_idle_type idle) { }
* run_rebalance_domains is triggered when needed from the scheduler tick.
* Also triggered for nohz idle balancing (with nohz_balancing_kick set).
*/
@@ -85849,7 +85844,7 @@ index 7765ad8..774519f 100644
int this_cpu = smp_processor_id();
struct rq *this_rq = cpu_rq(this_cpu);
diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
-index b3c5653..a4d192a 100644
+index a6208af..a2d7bb5 100644
--- a/kernel/sched/sched.h
+++ b/kernel/sched/sched.h
@@ -1004,7 +1004,7 @@ struct sched_class {
@@ -93741,7 +93736,7 @@ index 7d84ea1..55385ae 100644
m->msg_iov = iov;
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
-index 6072610..7374c18 100644
+index 11af243..7357d84 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -2774,7 +2774,7 @@ static int proc_unres_qlen(struct ctl_table *ctl, int write,
@@ -93825,10 +93820,10 @@ index 81d3a9a..a0bd7a8 100644
return error;
}
diff --git a/net/core/netpoll.c b/net/core/netpoll.c
-index fc75c9e..8c8e9be 100644
+index 0c1482c..f7ae314 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
-@@ -428,7 +428,7 @@ void netpoll_send_udp(struct netpoll *np, const char *msg, int len)
+@@ -435,7 +435,7 @@ void netpoll_send_udp(struct netpoll *np, const char *msg, int len)
struct udphdr *udph;
struct iphdr *iph;
struct ethhdr *eth;
@@ -93837,7 +93832,7 @@ index fc75c9e..8c8e9be 100644
struct ipv6hdr *ip6h;
udp_len = len + sizeof(*udph);
-@@ -499,7 +499,7 @@ void netpoll_send_udp(struct netpoll *np, const char *msg, int len)
+@@ -506,7 +506,7 @@ void netpoll_send_udp(struct netpoll *np, const char *msg, int len)
put_unaligned(0x45, (unsigned char *)iph);
iph->tos = 0;
put_unaligned(htons(ip_len), &(iph->tot_len));
@@ -93926,7 +93921,7 @@ index b442e7e..6f5b5a2 100644
{
struct socket *sock;
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
-index c28c7fe..a399a6d 100644
+index 743e6eb..a399a6d 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3104,13 +3104,15 @@ void __init skb_init(void)
@@ -93947,16 +93942,8 @@ index c28c7fe..a399a6d 100644
NULL);
}
-@@ -3541,6 +3543,7 @@ void skb_scrub_packet(struct sk_buff *skb, bool xnet)
- skb->tstamp.tv64 = 0;
- skb->pkt_type = PACKET_HOST;
- skb->skb_iif = 0;
-+ skb->local_df = 0;
- skb_dst_drop(skb);
- skb->mark = 0;
- secpath_reset(skb);
diff --git a/net/core/sock.c b/net/core/sock.c
-index 0b39e7a..5e9f91e 100644
+index 5cec994..81aa1dd 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -393,7 +393,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
@@ -94401,55 +94388,6 @@ index 6acb541..9ea617d 100644
EXPORT_SYMBOL(sysctl_local_reserved_ports);
void inet_get_local_port_range(int *low, int *high)
-diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
-index 5f64875..31cf54d 100644
---- a/net/ipv4/inet_diag.c
-+++ b/net/ipv4/inet_diag.c
-@@ -106,6 +106,10 @@ int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk,
-
- r->id.idiag_sport = inet->inet_sport;
- r->id.idiag_dport = inet->inet_dport;
-+
-+ memset(&r->id.idiag_src, 0, sizeof(r->id.idiag_src));
-+ memset(&r->id.idiag_dst, 0, sizeof(r->id.idiag_dst));
-+
- r->id.idiag_src[0] = inet->inet_rcv_saddr;
- r->id.idiag_dst[0] = inet->inet_daddr;
-
-@@ -240,12 +244,19 @@ static int inet_twsk_diag_fill(struct inet_timewait_sock *tw,
-
- r->idiag_family = tw->tw_family;
- r->idiag_retrans = 0;
-+
- r->id.idiag_if = tw->tw_bound_dev_if;
- sock_diag_save_cookie(tw, r->id.idiag_cookie);
-+
- r->id.idiag_sport = tw->tw_sport;
- r->id.idiag_dport = tw->tw_dport;
-+
-+ memset(&r->id.idiag_src, 0, sizeof(r->id.idiag_src));
-+ memset(&r->id.idiag_dst, 0, sizeof(r->id.idiag_dst));
-+
- r->id.idiag_src[0] = tw->tw_rcv_saddr;
- r->id.idiag_dst[0] = tw->tw_daddr;
-+
- r->idiag_state = tw->tw_substate;
- r->idiag_timer = 3;
- r->idiag_expires = DIV_ROUND_UP(tmo * 1000, HZ);
-@@ -732,8 +743,13 @@ static int inet_diag_fill_req(struct sk_buff *skb, struct sock *sk,
-
- r->id.idiag_sport = inet->inet_sport;
- r->id.idiag_dport = ireq->rmt_port;
-+
-+ memset(&r->id.idiag_src, 0, sizeof(r->id.idiag_src));
-+ memset(&r->id.idiag_dst, 0, sizeof(r->id.idiag_dst));
-+
- r->id.idiag_src[0] = ireq->loc_addr;
- r->id.idiag_dst[0] = ireq->rmt_addr;
-+
- r->idiag_expires = jiffies_to_msecs(tmo);
- r->idiag_rqueue = 0;
- r->idiag_wqueue = 0;
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index 96da9c7..b956690 100644
--- a/net/ipv4/inet_hashtables.c
@@ -94546,7 +94484,7 @@ index b66910a..cfe416e 100644
return -ENOMEM;
}
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
-index d7aea4c..a8ee872 100644
+index e560ef3..218c5c5 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -115,7 +115,7 @@ static bool log_ecn_error = true;
@@ -94558,7 +94496,7 @@ index d7aea4c..a8ee872 100644
static int ipgre_tunnel_init(struct net_device *dev);
static int ipgre_net_id __read_mostly;
-@@ -731,7 +731,7 @@ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = {
+@@ -732,7 +732,7 @@ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = {
[IFLA_GRE_PMTUDISC] = { .type = NLA_U8 },
};
@@ -94567,7 +94505,7 @@ index d7aea4c..a8ee872 100644
.kind = "gre",
.maxtype = IFLA_GRE_MAX,
.policy = ipgre_policy,
-@@ -745,7 +745,7 @@ static struct rtnl_link_ops ipgre_link_ops __read_mostly = {
+@@ -746,7 +746,7 @@ static struct rtnl_link_ops ipgre_link_ops __read_mostly = {
.fill_info = ipgre_fill_info,
};
@@ -95294,7 +95232,7 @@ index 4b85e6f..22f9ac9 100644
syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
/* Has it gone just too far? */
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
-index 5e2c2f1..6473c22 100644
+index 6ca9907..a1e6c00 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -87,6 +87,7 @@
@@ -95929,10 +95867,10 @@ index 1aeb473..bea761c 100644
return -ENOMEM;
}
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
-index 77308af..36ed509 100644
+index 0accb13..f793130 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
-@@ -3009,7 +3009,7 @@ struct ctl_table ipv6_route_table_template[] = {
+@@ -3003,7 +3003,7 @@ struct ctl_table ipv6_route_table_template[] = {
struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net)
{
@@ -97128,10 +97066,10 @@ index 53c19a3..b0ac04a 100644
*uaddr_len = sizeof(struct sockaddr_ax25);
}
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index ba2548b..1a4e98e 100644
+index 88cfbc1..05d73f5 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
-@@ -1699,7 +1699,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
+@@ -1720,7 +1720,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
spin_lock(&sk->sk_receive_queue.lock);
po->stats.stats1.tp_packets++;
@@ -97140,7 +97078,7 @@ index ba2548b..1a4e98e 100644
__skb_queue_tail(&sk->sk_receive_queue, skb);
spin_unlock(&sk->sk_receive_queue.lock);
sk->sk_data_ready(sk, skb->len);
-@@ -1708,7 +1708,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
+@@ -1729,7 +1729,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
drop_n_acct:
spin_lock(&sk->sk_receive_queue.lock);
po->stats.stats1.tp_drops++;
@@ -97149,7 +97087,7 @@ index ba2548b..1a4e98e 100644
spin_unlock(&sk->sk_receive_queue.lock);
drop_n_restore:
-@@ -3261,7 +3261,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3275,7 +3275,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
case PACKET_HDRLEN:
if (len > sizeof(int))
len = sizeof(int);
@@ -97158,7 +97096,7 @@ index ba2548b..1a4e98e 100644
return -EFAULT;
switch (val) {
case TPACKET_V1:
-@@ -3304,7 +3304,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3318,7 +3318,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
len = lv;
if (put_user(len, optlen))
return -EFAULT;
@@ -98456,10 +98394,10 @@ index d38bb45..4fd6ac6 100644
sub->evt.event = htohl(event, sub->swap);
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index 01625cc..d486b64 100644
+index a427623..387c80b 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
-@@ -784,6 +784,12 @@ static struct sock *unix_find_other(struct net *net,
+@@ -790,6 +790,12 @@ static struct sock *unix_find_other(struct net *net,
err = -ECONNREFUSED;
if (!S_ISSOCK(inode->i_mode))
goto put_fail;
@@ -98472,7 +98410,7 @@ index 01625cc..d486b64 100644
u = unix_find_socket_byinode(inode);
if (!u)
goto put_fail;
-@@ -804,6 +810,13 @@ static struct sock *unix_find_other(struct net *net,
+@@ -810,6 +816,13 @@ static struct sock *unix_find_other(struct net *net,
if (u) {
struct dentry *dentry;
dentry = unix_sk(u)->path.dentry;
@@ -98486,7 +98424,7 @@ index 01625cc..d486b64 100644
if (dentry)
touch_atime(&unix_sk(u)->path);
} else
-@@ -837,12 +850,18 @@ static int unix_mknod(const char *sun_path, umode_t mode, struct path *res)
+@@ -843,12 +856,18 @@ static int unix_mknod(const char *sun_path, umode_t mode, struct path *res)
*/
err = security_path_mknod(&path, dentry, mode, 0);
if (!err) {
@@ -98505,7 +98443,7 @@ index 01625cc..d486b64 100644
done_path_create(&path, dentry);
return err;
}
-@@ -2328,9 +2347,13 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+@@ -2336,9 +2355,13 @@ static int unix_seq_show(struct seq_file *seq, void *v)
seq_puts(seq, "Num RefCount Protocol Flags Type St "
"Inode Path\n");
else {
@@ -98520,7 +98458,7 @@ index 01625cc..d486b64 100644
seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu",
s,
-@@ -2357,8 +2380,10 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+@@ -2365,8 +2388,10 @@ static int unix_seq_show(struct seq_file *seq, void *v)
}
for ( ; i < len; i++)
seq_putc(seq, u->addr->name->sun_path[i]);
@@ -101691,10 +101629,10 @@ index 0000000..414fe5e
+}
diff --git a/tools/gcc/constify_plugin.c b/tools/gcc/constify_plugin.c
new file mode 100644
-index 0000000..ba59e50
+index 0000000..3e46b2f
--- /dev/null
+++ b/tools/gcc/constify_plugin.c
-@@ -0,0 +1,558 @@
+@@ -0,0 +1,559 @@
+/*
+ * Copyright 2011 by Emese Revfy <re.emese@gmail.com>
+ * Copyright 2011-2013 by PaX Team <pageexec@freemail.hu>
@@ -101741,7 +101679,7 @@ index 0000000..ba59e50
+int plugin_is_GPL_compatible;
+
+static struct plugin_info const_plugin_info = {
-+ .version = "201312032345",
++ .version = "201401121315",
+ .help = "no-constify\tturn off constification\n",
+};
+
@@ -101921,7 +101859,6 @@ index 0000000..ba59e50
+ }
+
+ if (TYPE_P(*node)) {
-+ *no_add_attrs = false;
+ type = *node;
+ } else {
+ gcc_assert(TREE_CODE(*node) == TYPE_DECL);
@@ -101941,6 +101878,8 @@ index 0000000..ba59e50
+ if (TYPE_P(*node)) {
+ if (lookup_attribute("do_const", TYPE_ATTRIBUTES(type)))
+ error("%qE attribute used on type %qT is incompatible with 'do_const'", name, type);
++ else
++ *no_add_attrs = false;
+ return NULL_TREE;
+ }
+
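Review bot: The new `else` branch that sets `*no_add_attrs = false` has no comment explaining why the flag is now cleared only after the `do_const` conflict check; the unconditional assignment was removed in the preceding hunk. A short comment above it, such as `/* keep the attribute only when it does not conflict with do_const */`, would stop a later edit from hoisting the assignment back. The `TYPE_DECL` path of this handler continues outside both hunks, so it is worth confirming that it does not set the flag before its own checks either.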
diff --git a/3.12.7/4425_grsec_remove_EI_PAX.patch b/3.12.8/4425_grsec_remove_EI_PAX.patch
index cf65d90..cf65d90 100644
--- a/3.12.7/4425_grsec_remove_EI_PAX.patch
+++ b/3.12.8/4425_grsec_remove_EI_PAX.patch
diff --git a/3.12.7/4427_force_XATTR_PAX_tmpfs.patch b/3.12.8/4427_force_XATTR_PAX_tmpfs.patch
index 23e60cd..23e60cd 100644
--- a/3.12.7/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.12.8/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.12.7/4430_grsec-remove-localversion-grsec.patch b/3.12.8/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.12.7/4430_grsec-remove-localversion-grsec.patch
+++ b/3.12.8/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.12.7/4435_grsec-mute-warnings.patch b/3.12.8/4435_grsec-mute-warnings.patch
index ed941d5..ed941d5 100644
--- a/3.12.7/4435_grsec-mute-warnings.patch
+++ b/3.12.8/4435_grsec-mute-warnings.patch
diff --git a/3.12.7/4440_grsec-remove-protected-paths.patch b/3.12.8/4440_grsec-remove-protected-paths.patch
index 05710b1..05710b1 100644
--- a/3.12.7/4440_grsec-remove-protected-paths.patch
+++ b/3.12.8/4440_grsec-remove-protected-paths.patch
diff --git a/3.12.7/4450_grsec-kconfig-default-gids.patch b/3.12.8/4450_grsec-kconfig-default-gids.patch
index cdd1703..cdd1703 100644
--- a/3.12.7/4450_grsec-kconfig-default-gids.patch
+++ b/3.12.8/4450_grsec-kconfig-default-gids.patch
diff --git a/3.12.7/4465_selinux-avc_audit-log-curr_ip.patch b/3.12.8/4465_selinux-avc_audit-log-curr_ip.patch
index 04ec3fb..04ec3fb 100644
--- a/3.12.7/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.12.8/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.12.7/4470_disable-compat_vdso.patch b/3.12.8/4470_disable-compat_vdso.patch
index 209dfae..209dfae 100644
--- a/3.12.7/4470_disable-compat_vdso.patch
+++ b/3.12.8/4470_disable-compat_vdso.patch
diff --git a/3.12.7/4475_emutramp_default_on.patch b/3.12.8/4475_emutramp_default_on.patch
index cfde6f8..cfde6f8 100644
--- a/3.12.7/4475_emutramp_default_on.patch
+++ b/3.12.8/4475_emutramp_default_on.patch