diff options
author | Anthony G. Basile <blueness@gentoo.org> | 2014-04-12 09:28:29 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2014-04-12 09:28:29 -0400 |
commit | 5e6fbb4f285c55db71cccc1ff23ab96a16ada8d3 (patch) | |
tree | 7c6d79801963e595fe8d6b5f5a955af7b0d8a07a | |
parent | Grsec/PaX: 3.0-{3.2.56,3.13.8}-201404062127 (diff) | |
download | hardened-patchset-5e6fbb4f285c55db71cccc1ff23ab96a16ada8d3.tar.gz hardened-patchset-5e6fbb4f285c55db71cccc1ff23ab96a16ada8d3.tar.bz2 hardened-patchset-5e6fbb4f285c55db71cccc1ff23ab96a16ada8d3.zip |
Grsec/PaX: 3.0-{3.2.57,3.13.9}-201404111812
-rw-r--r-- | 3.13.8/4425_grsec_remove_EI_PAX.patch | 19 | ||||
-rw-r--r-- | 3.13.9/0000_README (renamed from 3.13.8/0000_README) | 4 | ||||
-rw-r--r-- | 3.13.9/4420_grsecurity-3.0-3.13.9-201404111815.patch (renamed from 3.13.8/4420_grsecurity-3.0-3.13.9-201404062127.patch) | 234 | ||||
-rw-r--r-- | 3.13.9/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.13.8/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 3.13.9/4430_grsec-remove-localversion-grsec.patch (renamed from 3.13.8/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.13.9/4435_grsec-mute-warnings.patch (renamed from 3.13.8/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.13.9/4440_grsec-remove-protected-paths.patch (renamed from 3.13.8/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.13.9/4450_grsec-kconfig-default-gids.patch (renamed from 3.13.8/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.13.9/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.13.8/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.13.9/4470_disable-compat_vdso.patch (renamed from 3.13.8/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.13.9/4475_emutramp_default_on.patch (renamed from 3.13.8/4475_emutramp_default_on.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/0000_README (renamed from 3.2.56/0000_README) | 6 | ||||
-rw-r--r-- | 3.2.57/1021_linux-3.2.22.patch (renamed from 3.2.56/1021_linux-3.2.22.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1022_linux-3.2.23.patch (renamed from 3.2.56/1022_linux-3.2.23.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1023_linux-3.2.24.patch (renamed from 3.2.56/1023_linux-3.2.24.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1024_linux-3.2.25.patch (renamed from 3.2.56/1024_linux-3.2.25.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1025_linux-3.2.26.patch (renamed from 3.2.56/1025_linux-3.2.26.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1026_linux-3.2.27.patch (renamed from 3.2.56/1026_linux-3.2.27.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1027_linux-3.2.28.patch (renamed from 3.2.56/1027_linux-3.2.28.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1028_linux-3.2.29.patch (renamed from 3.2.56/1028_linux-3.2.29.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1029_linux-3.2.30.patch (renamed from 3.2.56/1029_linux-3.2.30.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1030_linux-3.2.31.patch (renamed from 3.2.56/1030_linux-3.2.31.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1031_linux-3.2.32.patch (renamed from 3.2.56/1031_linux-3.2.32.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1032_linux-3.2.33.patch (renamed from 3.2.56/1032_linux-3.2.33.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1033_linux-3.2.34.patch (renamed from 3.2.56/1033_linux-3.2.34.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1034_linux-3.2.35.patch (renamed from 3.2.56/1034_linux-3.2.35.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1035_linux-3.2.36.patch (renamed from 3.2.56/1035_linux-3.2.36.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1036_linux-3.2.37.patch (renamed from 3.2.56/1036_linux-3.2.37.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1037_linux-3.2.38.patch (renamed from 3.2.56/1037_linux-3.2.38.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1038_linux-3.2.39.patch (renamed from 3.2.56/1038_linux-3.2.39.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1039_linux-3.2.40.patch (renamed from 3.2.56/1039_linux-3.2.40.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1040_linux-3.2.41.patch (renamed from 3.2.56/1040_linux-3.2.41.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1041_linux-3.2.42.patch (renamed from 3.2.56/1041_linux-3.2.42.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1042_linux-3.2.43.patch (renamed from 3.2.56/1042_linux-3.2.43.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1043_linux-3.2.44.patch (renamed from 3.2.56/1043_linux-3.2.44.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1044_linux-3.2.45.patch (renamed from 3.2.56/1044_linux-3.2.45.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1045_linux-3.2.46.patch (renamed from 3.2.56/1045_linux-3.2.46.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1046_linux-3.2.47.patch (renamed from 3.2.56/1046_linux-3.2.47.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1047_linux-3.2.48.patch (renamed from 3.2.56/1047_linux-3.2.48.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1048_linux-3.2.49.patch (renamed from 3.2.56/1048_linux-3.2.49.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1049_linux-3.2.50.patch (renamed from 3.2.56/1049_linux-3.2.50.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1050_linux-3.2.51.patch (renamed from 3.2.56/1050_linux-3.2.51.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1051_linux-3.2.52.patch (renamed from 3.2.56/1051_linux-3.2.52.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1052_linux-3.2.53.patch (renamed from 3.2.56/1052_linux-3.2.53.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1053_linux-3.2.54.patch (renamed from 3.2.56/1053_linux-3.2.54.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1054_linux-3.2.55.patch (renamed from 3.2.56/1054_linux-3.2.55.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1055_linux-3.2.56.patch (renamed from 3.2.56/1055_linux-3.2.56.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/1056_linux-3.2.57.patch | 905 | ||||
-rw-r--r-- | 3.2.57/4420_grsecurity-3.0-3.2.57-201404111812.patch (renamed from 3.2.56/4420_grsecurity-3.0-3.2.56-201404062126.patch) | 196 | ||||
-rw-r--r-- | 3.2.57/4425_grsec_remove_EI_PAX.patch (renamed from 3.2.56/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.2.56/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/4430_grsec-remove-localversion-grsec.patch (renamed from 3.2.56/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/4435_grsec-mute-warnings.patch (renamed from 3.2.56/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/4440_grsec-remove-protected-paths.patch (renamed from 3.2.56/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/4450_grsec-kconfig-default-gids.patch (renamed from 3.2.56/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.2.56/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/4470_disable-compat_vdso.patch (renamed from 3.2.56/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.2.57/4475_emutramp_default_on.patch (renamed from 3.2.56/4475_emutramp_default_on.patch) | 0 |
58 files changed, 1269 insertions, 95 deletions
diff --git a/3.13.8/4425_grsec_remove_EI_PAX.patch b/3.13.8/4425_grsec_remove_EI_PAX.patch deleted file mode 100644 index fc51f79..0000000 --- a/3.13.8/4425_grsec_remove_EI_PAX.patch +++ /dev/null @@ -1,19 +0,0 @@ -From: Anthony G. Basile <blueness@gentoo.org> - -Deprecate EI_PAX. - -X-Gentoo-Bug: 445600 -X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600 - -diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig ---- linux-3.7.1-hardened.orig/security/Kconfig 2012-12-26 08:39:29.000000000 -0500 -+++ linux-3.7.1-hardened/security/Kconfig 2012-12-26 09:05:44.000000000 -0500 -@@ -268,7 +268,7 @@ - - config PAX_EI_PAX - bool 'Use legacy ELF header marking' -- default y if GRKERNSEC_CONFIG_AUTO -+ depends on BROKEN - help - Enabling this option will allow you to control PaX features on - a per executable basis via the 'chpax' utility available at diff --git a/3.13.8/0000_README b/3.13.9/0000_README index 02b8064..97a73be 100644 --- a/3.13.8/0000_README +++ b/3.13.9/0000_README @@ -6,10 +6,6 @@ Patch: 4420_grsecurity-3.0-3.13.9-201404062127.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity -Patch: 4425_grsec_remove_EI_PAX.patch -From: Anthony G. Basile <blueness@gentoo.org> -Desc: Remove EI_PAX option and force off - Patch: 4430_grsec-remove-localversion-grsec.patch From: Kerin Millar <kerframil@gmail.com> Desc: Removes grsecurity's localversion-grsec file diff --git a/3.13.8/4420_grsecurity-3.0-3.13.9-201404062127.patch b/3.13.9/4420_grsecurity-3.0-3.13.9-201404111815.patch index 3408709..a875b82 100644 --- a/3.13.8/4420_grsecurity-3.0-3.13.9-201404062127.patch +++ b/3.13.9/4420_grsecurity-3.0-3.13.9-201404111815.patch @@ -25367,7 +25367,7 @@ index 898160b..758cde8 100644 reset_current_kprobe(); preempt_enable_no_resched(); diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c -index ebc9873..1b9724b 100644 +index ebc9873..37b8776 100644 --- a/arch/x86/kernel/ldt.c +++ b/arch/x86/kernel/ldt.c @@ -66,13 +66,13 @@ static int alloc_ldt(mm_context_t *pc, int mincount, int reload) @@ -25420,7 +25420,7 @@ index ebc9873..1b9724b 100644 return retval; } -@@ -229,6 +247,13 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode) +@@ -229,6 +247,24 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode) } } @@ -25431,6 +25431,17 @@ index ebc9873..1b9724b 100644 + } +#endif + ++ /* ++ * On x86-64 we do not support 16-bit segments due to ++ * IRET leaking the high bits of the kernel stack address. ++ */ ++#ifdef CONFIG_X86_64 ++ if (!ldt_info.seg_32bit) { ++ error = -EINVAL; ++ goto out_unlock; ++ } ++#endif ++ fill_ldt(&ldt, &ldt_info); if (oldmode) ldt.avl = 0; @@ -43395,10 +43406,31 @@ index 53d487f..f020f41 100644 } else memcpy(msg, buf, count); diff --git a/drivers/isdn/isdnloop/isdnloop.c b/drivers/isdn/isdnloop/isdnloop.c -index 02125e6..e1f8748 100644 +index 02125e6..5a4da94 100644 --- a/drivers/isdn/isdnloop/isdnloop.c +++ b/drivers/isdn/isdnloop/isdnloop.c -@@ -1070,6 +1070,12 @@ isdnloop_start(isdnloop_card *card, isdnloop_sdef *sdefp) +@@ -518,9 +518,9 @@ static isdnloop_stat isdnloop_cmd_table[] = + static void + isdnloop_fake_err(isdnloop_card *card) + { +- char buf[60]; ++ char buf[64]; + +- sprintf(buf, "E%s", card->omsg); ++ snprintf(buf, sizeof(buf), "E%s", card->omsg); + isdnloop_fake(card, buf, -1); + isdnloop_fake(card, "NAK", -1); + } +@@ -903,6 +903,8 @@ isdnloop_parse_cmd(isdnloop_card *card) + case 7: + /* 0x;EAZ */ + p += 3; ++ if (strlen(p) >= sizeof(card->eazlist[0])) ++ break; + strcpy(card->eazlist[ch - 1], p); + break; + case 8: +@@ -1070,6 +1072,12 @@ isdnloop_start(isdnloop_card *card, isdnloop_sdef *sdefp) return -EBUSY; if (copy_from_user((char *) &sdef, (char *) sdefp, sizeof(sdef))) return -EFAULT; @@ -43411,6 +43443,38 @@ index 02125e6..e1f8748 100644 spin_lock_irqsave(&card->isdnloop_lock, flags); switch (sdef.ptype) { case ISDN_PTYPE_EURO: +@@ -1127,7 +1135,7 @@ isdnloop_command(isdn_ctrl *c, isdnloop_card *card) + { + ulong a; + int i; +- char cbuf[60]; ++ char cbuf[80]; + isdn_ctrl cmd; + isdnloop_cdef cdef; + +@@ -1192,7 +1200,6 @@ isdnloop_command(isdn_ctrl *c, isdnloop_card *card) + break; + if ((c->arg & 255) < ISDNLOOP_BCH) { + char *p; +- char dial[50]; + char dcode[4]; + + a = c->arg; +@@ -1204,10 +1211,10 @@ isdnloop_command(isdn_ctrl *c, isdnloop_card *card) + } else + /* Normal Dial */ + strcpy(dcode, "CAL"); +- strcpy(dial, p); +- sprintf(cbuf, "%02d;D%s_R%s,%02d,%02d,%s\n", (int) (a + 1), +- dcode, dial, c->parm.setup.si1, +- c->parm.setup.si2, c->parm.setup.eazmsn); ++ snprintf(cbuf, sizeof(cbuf), ++ "%02d;D%s_R%s,%02d,%02d,%s\n", (int) (a + 1), ++ dcode, p, c->parm.setup.si1, ++ c->parm.setup.si2, c->parm.setup.eazmsn); + i = isdnloop_writecmd(cbuf, strlen(cbuf), 0, card); + } + break; diff --git a/drivers/isdn/mISDN/dsp_cmx.c b/drivers/isdn/mISDN/dsp_cmx.c index a4f05c5..1433bc5 100644 --- a/drivers/isdn/mISDN/dsp_cmx.c @@ -61953,6 +62017,58 @@ index 5d94c02..630214f 100644 } void nfs_fattr_init(struct nfs_fattr *fattr) +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 0e90bf0..134691e 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1070,6 +1070,7 @@ static void nfs4_opendata_free(struct kref *kref) + dput(p->dentry); + nfs_sb_deactive(sb); + nfs_fattr_free_names(&p->f_attr); ++ kfree(p->f_attr.mdsthreshold); + kfree(p); + } + +@@ -2246,10 +2247,12 @@ static int _nfs4_do_open(struct inode *dir, + } + } + +- if (ctx_th && server->attr_bitmask[2] & FATTR4_WORD2_MDSTHRESHOLD) { +- opendata->f_attr.mdsthreshold = pnfs_mdsthreshold_alloc(); +- if (!opendata->f_attr.mdsthreshold) +- goto err_free_label; ++ if (server->attr_bitmask[2] & FATTR4_WORD2_MDSTHRESHOLD) { ++ if (!opendata->f_attr.mdsthreshold) { ++ opendata->f_attr.mdsthreshold = pnfs_mdsthreshold_alloc(); ++ if (!opendata->f_attr.mdsthreshold) ++ goto err_free_label; ++ } + opendata->o_arg.open_bitmap = &nfs4_pnfs_open_bitmap[0]; + } + if (dentry->d_inode != NULL) +@@ -2277,11 +2280,10 @@ static int _nfs4_do_open(struct inode *dir, + if (opendata->file_created) + *opened |= FILE_CREATED; + +- if (pnfs_use_threshold(ctx_th, opendata->f_attr.mdsthreshold, server)) ++ if (pnfs_use_threshold(ctx_th, opendata->f_attr.mdsthreshold, server)) { + *ctx_th = opendata->f_attr.mdsthreshold; +- else +- kfree(opendata->f_attr.mdsthreshold); +- opendata->f_attr.mdsthreshold = NULL; ++ opendata->f_attr.mdsthreshold = NULL; ++ } + + nfs4_label_free(olabel); + +@@ -2291,7 +2293,6 @@ static int _nfs4_do_open(struct inode *dir, + err_free_label: + nfs4_label_free(olabel); + err_opendata_put: +- kfree(opendata->f_attr.mdsthreshold); + nfs4_opendata_put(opendata); + err_put_state_owner: + nfs4_put_state_owner(sp); diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c index 419572f..5414a23 100644 --- a/fs/nfsd/nfs4proc.c @@ -65158,10 +65274,10 @@ index 104455b..764c512 100644 kfree(s); diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..81a6826 +index 0000000..3abaf02 --- /dev/null +++ b/grsecurity/Kconfig -@@ -0,0 +1,1160 @@ +@@ -0,0 +1,1161 @@ +# +# grecurity configuration +# @@ -65217,7 +65333,8 @@ index 0000000..81a6826 + the most notable of which are XFree86 and hwclock. hwclock can be + remedied by having RTC support in the kernel, so real-time + clock support is enabled if this option is enabled, to ensure -+ that hwclock operates correctly. ++ that hwclock operates correctly. If hwclock still does not work, ++ either update udev or symlink /dev/rtc to /dev/rtc0. + + If you're using XFree86 or a version of Xorg from 2012 or earlier, + you may not be able to boot into a graphical environment with this @@ -83026,6 +83143,21 @@ index 8ba8ce2..99b7fff 100644 struct sk_buff *skb, int offset, struct iovec *to, size_t len, struct dma_pinned_list *pinned_list); +diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h +index 956b175..55d1504 100644 +--- a/include/net/netfilter/nf_conntrack_extend.h ++++ b/include/net/netfilter/nf_conntrack_extend.h +@@ -47,8 +47,8 @@ enum nf_ct_ext_id { + /* Extensions: optional stuff which isn't permanently in struct. */ + struct nf_ct_ext { + struct rcu_head rcu; +- u8 offset[NF_CT_EXT_NUM]; +- u8 len; ++ u16 offset[NF_CT_EXT_NUM]; ++ u16 len; + char data[0]; + }; + diff --git a/include/net/netlink.h b/include/net/netlink.h index 2b47eaa..6d5bcc2 100644 --- a/include/net/netlink.h @@ -98170,7 +98302,7 @@ index 718dfbd..cef4152 100644 case IPT_SO_GET_ENTRIES: diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index 242e7f4..a084e95 100644 +index 242e7f4..76cc7ee 100644 --- a/net/ipv4/ping.c +++ b/net/ipv4/ping.c @@ -55,7 +55,7 @@ @@ -98182,7 +98314,39 @@ index 242e7f4..a084e95 100644 EXPORT_SYMBOL_GPL(pingv6_ops); static u16 ping_port_rover; -@@ -334,7 +334,7 @@ static int ping_check_bind_addr(struct sock *sk, struct inet_sock *isk, +@@ -251,23 +251,28 @@ int ping_init_sock(struct sock *sk) + struct group_info *group_info = get_current_groups(); + int i, j, count = group_info->ngroups; + kgid_t low, high; ++ int ret = 0; + + inet_get_ping_group_range_net(net, &low, &high); + if (gid_lte(low, group) && gid_lte(group, high)) +- return 0; ++ goto out_release_group; + + for (i = 0; i < group_info->nblocks; i++) { + int cp_count = min_t(int, NGROUPS_PER_BLOCK, count); + for (j = 0; j < cp_count; j++) { + kgid_t gid = group_info->blocks[i][j]; + if (gid_lte(low, gid) && gid_lte(gid, high)) +- return 0; ++ goto out_release_group; + } + + count -= cp_count; + } + +- return -EACCES; ++ ret = -EACCES; ++ ++out_release_group: ++ put_group_info(group_info); ++ return ret; + } + EXPORT_SYMBOL_GPL(ping_init_sock); + +@@ -334,7 +339,7 @@ static int ping_check_bind_addr(struct sock *sk, struct inet_sock *isk, return -ENODEV; } } @@ -98191,7 +98355,7 @@ index 242e7f4..a084e95 100644 scoped); rcu_read_unlock(); -@@ -542,7 +542,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info) +@@ -542,7 +547,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info) } #if IS_ENABLED(CONFIG_IPV6) } else if (skb->protocol == htons(ETH_P_IPV6)) { @@ -98200,7 +98364,7 @@ index 242e7f4..a084e95 100644 #endif } -@@ -560,7 +560,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info) +@@ -560,7 +565,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info) info, (u8 *)icmph); #if IS_ENABLED(CONFIG_IPV6) } else if (family == AF_INET6) { @@ -98209,7 +98373,7 @@ index 242e7f4..a084e95 100644 info, (u8 *)icmph); #endif } -@@ -830,6 +830,8 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, +@@ -830,6 +835,8 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, { struct inet_sock *isk = inet_sk(sk); int family = sk->sk_family; @@ -98218,7 +98382,7 @@ index 242e7f4..a084e95 100644 struct sk_buff *skb; int copied, err; -@@ -839,12 +841,19 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, +@@ -839,12 +846,19 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, if (flags & MSG_OOB) goto out; @@ -98239,7 +98403,7 @@ index 242e7f4..a084e95 100644 addr_len); #endif } -@@ -876,7 +885,6 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, +@@ -876,7 +890,6 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, sin->sin_port = 0 /* skb->h.uh->source */; sin->sin_addr.s_addr = ip_hdr(skb)->saddr; memset(sin->sin_zero, 0, sizeof(sin->sin_zero)); @@ -98247,7 +98411,7 @@ index 242e7f4..a084e95 100644 } if (isk->cmsg_flags) -@@ -899,11 +907,10 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, +@@ -899,11 +912,10 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, sin6->sin6_scope_id = ipv6_iface_scope_id(&sin6->sin6_addr, IP6CB(skb)->iif); @@ -98260,7 +98424,7 @@ index 242e7f4..a084e95 100644 #endif } else { BUG(); -@@ -1093,7 +1100,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f, +@@ -1093,7 +1105,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f, from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)), 0, sock_i_ino(sp), atomic_read(&sp->sk_refcnt), sp, @@ -100434,6 +100598,31 @@ index f042ae5..30ea486 100644 mutex_unlock(&nf_sockopt_mutex); } EXPORT_SYMBOL(nf_unregister_sockopt); +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 71a9f49..c09b60c 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -148,8 +148,8 @@ static int nf_tables_chain_type_lookup(const struct nft_af_info *afi, + #ifdef CONFIG_MODULES + if (type < 0 && autoload) { + nfnl_unlock(NFNL_SUBSYS_NFTABLES); +- request_module("nft-chain-%u-%*.s", afi->family, +- nla_len(nla)-1, (const char *)nla_data(nla)); ++ request_module("nft-chain-%u-%.*s", afi->family, ++ nla_len(nla), (const char *)nla_data(nla)); + nfnl_lock(NFNL_SUBSYS_NFTABLES); + type = __nf_tables_chain_type_lookup(afi->family, nla); + } +@@ -1916,7 +1916,8 @@ static const struct nft_set_ops *nft_select_set_ops(const struct nlattr * const + + static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = { + [NFTA_SET_TABLE] = { .type = NLA_STRING }, +- [NFTA_SET_NAME] = { .type = NLA_STRING }, ++ [NFTA_SET_NAME] = { .type = NLA_STRING, ++ .len = IFNAMSIZ - 1 }, + [NFTA_SET_FLAGS] = { .type = NLA_U32 }, + [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 }, + [NFTA_SET_KEY_LEN] = { .type = NLA_U32 }, diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c index a155d19..726b0f2 100644 --- a/net/netfilter/nfnetlink_log.c @@ -119392,6 +119581,19 @@ index b003ad7..c0a02f8 100644 +#endif + #endif +diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c +index 2d68297..39dc5bc 100644 +--- a/virt/kvm/ioapic.c ++++ b/virt/kvm/ioapic.c +@@ -306,7 +306,7 @@ static int ioapic_deliver(struct kvm_ioapic *ioapic, int irq, bool line_status) + BUG_ON(ioapic->rtc_status.pending_eoi != 0); + ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe, + ioapic->rtc_status.dest_map); +- ioapic->rtc_status.pending_eoi = ret; ++ ioapic->rtc_status.pending_eoi = (ret < 0 ? 0 : ret); + } else + ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe, NULL); + diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 4f588bc..a543c97 100644 --- a/virt/kvm/kvm_main.c diff --git a/3.13.8/4427_force_XATTR_PAX_tmpfs.patch b/3.13.9/4427_force_XATTR_PAX_tmpfs.patch index 23e60cd..23e60cd 100644 --- a/3.13.8/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.13.9/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.13.8/4430_grsec-remove-localversion-grsec.patch b/3.13.9/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.13.8/4430_grsec-remove-localversion-grsec.patch +++ b/3.13.9/4430_grsec-remove-localversion-grsec.patch diff --git a/3.13.8/4435_grsec-mute-warnings.patch b/3.13.9/4435_grsec-mute-warnings.patch index cb51a05..cb51a05 100644 --- a/3.13.8/4435_grsec-mute-warnings.patch +++ b/3.13.9/4435_grsec-mute-warnings.patch diff --git a/3.13.8/4440_grsec-remove-protected-paths.patch b/3.13.9/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/3.13.8/4440_grsec-remove-protected-paths.patch +++ b/3.13.9/4440_grsec-remove-protected-paths.patch diff --git a/3.13.8/4450_grsec-kconfig-default-gids.patch b/3.13.9/4450_grsec-kconfig-default-gids.patch index abff221..abff221 100644 --- a/3.13.8/4450_grsec-kconfig-default-gids.patch +++ b/3.13.9/4450_grsec-kconfig-default-gids.patch diff --git a/3.13.8/4465_selinux-avc_audit-log-curr_ip.patch b/3.13.9/4465_selinux-avc_audit-log-curr_ip.patch index 6caf9de..6caf9de 100644 --- a/3.13.8/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.13.9/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.13.8/4470_disable-compat_vdso.patch b/3.13.9/4470_disable-compat_vdso.patch index a25c029..a25c029 100644 --- a/3.13.8/4470_disable-compat_vdso.patch +++ b/3.13.9/4470_disable-compat_vdso.patch diff --git a/3.13.8/4475_emutramp_default_on.patch b/3.13.9/4475_emutramp_default_on.patch index a453a5b..a453a5b 100644 --- a/3.13.8/4475_emutramp_default_on.patch +++ b/3.13.9/4475_emutramp_default_on.patch diff --git a/3.2.56/0000_README b/3.2.57/0000_README index 0adc45a..c153165 100644 --- a/3.2.56/0000_README +++ b/3.2.57/0000_README @@ -142,7 +142,11 @@ Patch: 1055_linux-3.2.56.patch From: http://www.kernel.org Desc: Linux 3.2.56 -Patch: 4420_grsecurity-3.0-3.2.56-201404062126.patch +Patch: 1056_linux-3.2.57.patch +From: http://www.kernel.org +Desc: Linux 3.2.57 + +Patch: 4420_grsecurity-3.0-3.2.57-201404111812.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.56/1021_linux-3.2.22.patch b/3.2.57/1021_linux-3.2.22.patch index e6ad93a..e6ad93a 100644 --- a/3.2.56/1021_linux-3.2.22.patch +++ b/3.2.57/1021_linux-3.2.22.patch diff --git a/3.2.56/1022_linux-3.2.23.patch b/3.2.57/1022_linux-3.2.23.patch index 3d796d0..3d796d0 100644 --- a/3.2.56/1022_linux-3.2.23.patch +++ b/3.2.57/1022_linux-3.2.23.patch diff --git a/3.2.56/1023_linux-3.2.24.patch b/3.2.57/1023_linux-3.2.24.patch index 4692eb4..4692eb4 100644 --- a/3.2.56/1023_linux-3.2.24.patch +++ b/3.2.57/1023_linux-3.2.24.patch diff --git a/3.2.56/1024_linux-3.2.25.patch b/3.2.57/1024_linux-3.2.25.patch index e95c213..e95c213 100644 --- a/3.2.56/1024_linux-3.2.25.patch +++ b/3.2.57/1024_linux-3.2.25.patch diff --git a/3.2.56/1025_linux-3.2.26.patch b/3.2.57/1025_linux-3.2.26.patch index 44065b9..44065b9 100644 --- a/3.2.56/1025_linux-3.2.26.patch +++ b/3.2.57/1025_linux-3.2.26.patch diff --git a/3.2.56/1026_linux-3.2.27.patch b/3.2.57/1026_linux-3.2.27.patch index 5878eb4..5878eb4 100644 --- a/3.2.56/1026_linux-3.2.27.patch +++ b/3.2.57/1026_linux-3.2.27.patch diff --git a/3.2.56/1027_linux-3.2.28.patch b/3.2.57/1027_linux-3.2.28.patch index 4dbba4b..4dbba4b 100644 --- a/3.2.56/1027_linux-3.2.28.patch +++ b/3.2.57/1027_linux-3.2.28.patch diff --git a/3.2.56/1028_linux-3.2.29.patch b/3.2.57/1028_linux-3.2.29.patch index 3c65179..3c65179 100644 --- a/3.2.56/1028_linux-3.2.29.patch +++ b/3.2.57/1028_linux-3.2.29.patch diff --git a/3.2.56/1029_linux-3.2.30.patch b/3.2.57/1029_linux-3.2.30.patch index 86aea4b..86aea4b 100644 --- a/3.2.56/1029_linux-3.2.30.patch +++ b/3.2.57/1029_linux-3.2.30.patch diff --git a/3.2.56/1030_linux-3.2.31.patch b/3.2.57/1030_linux-3.2.31.patch index c6accf5..c6accf5 100644 --- a/3.2.56/1030_linux-3.2.31.patch +++ b/3.2.57/1030_linux-3.2.31.patch diff --git a/3.2.56/1031_linux-3.2.32.patch b/3.2.57/1031_linux-3.2.32.patch index 247fc0b..247fc0b 100644 --- a/3.2.56/1031_linux-3.2.32.patch +++ b/3.2.57/1031_linux-3.2.32.patch diff --git a/3.2.56/1032_linux-3.2.33.patch b/3.2.57/1032_linux-3.2.33.patch index c32fb75..c32fb75 100644 --- a/3.2.56/1032_linux-3.2.33.patch +++ b/3.2.57/1032_linux-3.2.33.patch diff --git a/3.2.56/1033_linux-3.2.34.patch b/3.2.57/1033_linux-3.2.34.patch index d647b38..d647b38 100644 --- a/3.2.56/1033_linux-3.2.34.patch +++ b/3.2.57/1033_linux-3.2.34.patch diff --git a/3.2.56/1034_linux-3.2.35.patch b/3.2.57/1034_linux-3.2.35.patch index 76a9c19..76a9c19 100644 --- a/3.2.56/1034_linux-3.2.35.patch +++ b/3.2.57/1034_linux-3.2.35.patch diff --git a/3.2.56/1035_linux-3.2.36.patch b/3.2.57/1035_linux-3.2.36.patch index 5d192a3..5d192a3 100644 --- a/3.2.56/1035_linux-3.2.36.patch +++ b/3.2.57/1035_linux-3.2.36.patch diff --git a/3.2.56/1036_linux-3.2.37.patch b/3.2.57/1036_linux-3.2.37.patch index ad13251..ad13251 100644 --- a/3.2.56/1036_linux-3.2.37.patch +++ b/3.2.57/1036_linux-3.2.37.patch diff --git a/3.2.56/1037_linux-3.2.38.patch b/3.2.57/1037_linux-3.2.38.patch index a3c106f..a3c106f 100644 --- a/3.2.56/1037_linux-3.2.38.patch +++ b/3.2.57/1037_linux-3.2.38.patch diff --git a/3.2.56/1038_linux-3.2.39.patch b/3.2.57/1038_linux-3.2.39.patch index 5639e92..5639e92 100644 --- a/3.2.56/1038_linux-3.2.39.patch +++ b/3.2.57/1038_linux-3.2.39.patch diff --git a/3.2.56/1039_linux-3.2.40.patch b/3.2.57/1039_linux-3.2.40.patch index f26b39c..f26b39c 100644 --- a/3.2.56/1039_linux-3.2.40.patch +++ b/3.2.57/1039_linux-3.2.40.patch diff --git a/3.2.56/1040_linux-3.2.41.patch b/3.2.57/1040_linux-3.2.41.patch index 0d27fcb..0d27fcb 100644 --- a/3.2.56/1040_linux-3.2.41.patch +++ b/3.2.57/1040_linux-3.2.41.patch diff --git a/3.2.56/1041_linux-3.2.42.patch b/3.2.57/1041_linux-3.2.42.patch index 77a08ed..77a08ed 100644 --- a/3.2.56/1041_linux-3.2.42.patch +++ b/3.2.57/1041_linux-3.2.42.patch diff --git a/3.2.56/1042_linux-3.2.43.patch b/3.2.57/1042_linux-3.2.43.patch index a3f878b..a3f878b 100644 --- a/3.2.56/1042_linux-3.2.43.patch +++ b/3.2.57/1042_linux-3.2.43.patch diff --git a/3.2.56/1043_linux-3.2.44.patch b/3.2.57/1043_linux-3.2.44.patch index 3d5e6ff..3d5e6ff 100644 --- a/3.2.56/1043_linux-3.2.44.patch +++ b/3.2.57/1043_linux-3.2.44.patch diff --git a/3.2.56/1044_linux-3.2.45.patch b/3.2.57/1044_linux-3.2.45.patch index 44e1767..44e1767 100644 --- a/3.2.56/1044_linux-3.2.45.patch +++ b/3.2.57/1044_linux-3.2.45.patch diff --git a/3.2.56/1045_linux-3.2.46.patch b/3.2.57/1045_linux-3.2.46.patch index bc10efd..bc10efd 100644 --- a/3.2.56/1045_linux-3.2.46.patch +++ b/3.2.57/1045_linux-3.2.46.patch diff --git a/3.2.56/1046_linux-3.2.47.patch b/3.2.57/1046_linux-3.2.47.patch index b74563c..b74563c 100644 --- a/3.2.56/1046_linux-3.2.47.patch +++ b/3.2.57/1046_linux-3.2.47.patch diff --git a/3.2.56/1047_linux-3.2.48.patch b/3.2.57/1047_linux-3.2.48.patch index 6d55b1f..6d55b1f 100644 --- a/3.2.56/1047_linux-3.2.48.patch +++ b/3.2.57/1047_linux-3.2.48.patch diff --git a/3.2.56/1048_linux-3.2.49.patch b/3.2.57/1048_linux-3.2.49.patch index 2dab0cf..2dab0cf 100644 --- a/3.2.56/1048_linux-3.2.49.patch +++ b/3.2.57/1048_linux-3.2.49.patch diff --git a/3.2.56/1049_linux-3.2.50.patch b/3.2.57/1049_linux-3.2.50.patch index 20b3015..20b3015 100644 --- a/3.2.56/1049_linux-3.2.50.patch +++ b/3.2.57/1049_linux-3.2.50.patch diff --git a/3.2.56/1050_linux-3.2.51.patch b/3.2.57/1050_linux-3.2.51.patch index 5d5832b..5d5832b 100644 --- a/3.2.56/1050_linux-3.2.51.patch +++ b/3.2.57/1050_linux-3.2.51.patch diff --git a/3.2.56/1051_linux-3.2.52.patch b/3.2.57/1051_linux-3.2.52.patch index 94b9359..94b9359 100644 --- a/3.2.56/1051_linux-3.2.52.patch +++ b/3.2.57/1051_linux-3.2.52.patch diff --git a/3.2.56/1052_linux-3.2.53.patch b/3.2.57/1052_linux-3.2.53.patch index 986d714..986d714 100644 --- a/3.2.56/1052_linux-3.2.53.patch +++ b/3.2.57/1052_linux-3.2.53.patch diff --git a/3.2.56/1053_linux-3.2.54.patch b/3.2.57/1053_linux-3.2.54.patch index a907496..a907496 100644 --- a/3.2.56/1053_linux-3.2.54.patch +++ b/3.2.57/1053_linux-3.2.54.patch diff --git a/3.2.56/1054_linux-3.2.55.patch b/3.2.57/1054_linux-3.2.55.patch index 6071ff5..6071ff5 100644 --- a/3.2.56/1054_linux-3.2.55.patch +++ b/3.2.57/1054_linux-3.2.55.patch diff --git a/3.2.56/1055_linux-3.2.56.patch b/3.2.57/1055_linux-3.2.56.patch index 2e8239c..2e8239c 100644 --- a/3.2.56/1055_linux-3.2.56.patch +++ b/3.2.57/1055_linux-3.2.56.patch diff --git a/3.2.57/1056_linux-3.2.57.patch b/3.2.57/1056_linux-3.2.57.patch new file mode 100644 index 0000000..7b8f174 --- /dev/null +++ b/3.2.57/1056_linux-3.2.57.patch @@ -0,0 +1,905 @@ +diff --git a/Makefile b/Makefile +index ec90bfb..c92db9b 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 3 + PATCHLEVEL = 2 +-SUBLEVEL = 56 ++SUBLEVEL = 57 + EXTRAVERSION = + NAME = Saber-toothed Squirrel + +diff --git a/arch/s390/kernel/head64.S b/arch/s390/kernel/head64.S +index 99348c0..78be245 100644 +--- a/arch/s390/kernel/head64.S ++++ b/arch/s390/kernel/head64.S +@@ -61,7 +61,7 @@ ENTRY(startup_continue) + .quad 0 # cr12: tracing off + .quad 0 # cr13: home space segment table + .quad 0xc0000000 # cr14: machine check handling off +- .quad 0 # cr15: linkage stack operations ++ .quad .Llinkage_stack # cr15: linkage stack operations + .Lpcmsk:.quad 0x0000000180000000 + .L4malign:.quad 0xffffffffffc00000 + .Lscan2g:.quad 0x80000000 + 0x20000 - 8 # 2GB + 128K - 8 +@@ -69,12 +69,15 @@ ENTRY(startup_continue) + .Lparmaddr: + .quad PARMAREA + .align 64 +-.Lduct: .long 0,0,0,0,.Lduald,0,0,0 ++.Lduct: .long 0,.Laste,.Laste,0,.Lduald,0,0,0 + .long 0,0,0,0,0,0,0,0 ++.Laste: .quad 0,0xffffffffffffffff,0,0,0,0,0,0 + .align 128 + .Lduald:.rept 8 + .long 0x80000000,0,0,0 # invalid access-list entries + .endr ++.Llinkage_stack: ++ .long 0,0,0x89000000,0,0,0,0x8a000000,0 + + ENTRY(_ehead) + +diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c +index f1b36cf..db2ffef 100644 +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -2451,6 +2451,9 @@ static int __direct_map(struct kvm_vcpu *vcpu, gpa_t v, int write, + int emulate = 0; + gfn_t pseudo_gfn; + ++ if (!VALID_PAGE(vcpu->arch.mmu.root_hpa)) ++ return 0; ++ + for_each_shadow_entry(vcpu, (u64)gfn << PAGE_SHIFT, iterator) { + if (iterator.level == level) { + unsigned pte_access = ACC_ALL; +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index aac5ea7..a4f6bda 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -6273,8 +6273,8 @@ static void vmx_free_vcpu(struct kvm_vcpu *vcpu) + struct vcpu_vmx *vmx = to_vmx(vcpu); + + free_vpid(vmx); +- free_nested(vmx); + free_loaded_vmcs(vmx->loaded_vmcs); ++ free_nested(vmx); + kfree(vmx->guest_msrs); + kvm_vcpu_uninit(vcpu); + kmem_cache_free(kvm_vcpu_cache, vmx); +diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c +index 7be5fd9..bc35070 100644 +--- a/drivers/input/mouse/synaptics.c ++++ b/drivers/input/mouse/synaptics.c +@@ -237,11 +237,22 @@ static int synaptics_identify(struct psmouse *psmouse) + * Read touchpad resolution and maximum reported coordinates + * Resolution is left zero if touchpad does not support the query + */ ++ ++static const int *quirk_min_max; ++ + static int synaptics_resolution(struct psmouse *psmouse) + { + struct synaptics_data *priv = psmouse->private; + unsigned char resp[3]; + ++ if (quirk_min_max) { ++ priv->x_min = quirk_min_max[0]; ++ priv->x_max = quirk_min_max[1]; ++ priv->y_min = quirk_min_max[2]; ++ priv->y_max = quirk_min_max[3]; ++ return 0; ++ } ++ + if (SYN_ID_MAJOR(priv->identity) < 4) + return 0; + +@@ -1364,10 +1375,54 @@ static const struct dmi_system_id __initconst olpc_dmi_table[] = { + { } + }; + ++static const struct dmi_system_id min_max_dmi_table[] __initconst = { ++#if defined(CONFIG_DMI) ++ { ++ /* Lenovo ThinkPad Helix */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad Helix"), ++ }, ++ .driver_data = (int []){1024, 5052, 2258, 4832}, ++ }, ++ { ++ /* Lenovo ThinkPad X240 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad X240"), ++ }, ++ .driver_data = (int []){1232, 5710, 1156, 4696}, ++ }, ++ { ++ /* Lenovo ThinkPad T440s */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad T440"), ++ }, ++ .driver_data = (int []){1024, 5112, 2024, 4832}, ++ }, ++ { ++ /* Lenovo ThinkPad T540p */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad T540"), ++ }, ++ .driver_data = (int []){1024, 5056, 2058, 4832}, ++ }, ++#endif ++ { } ++}; ++ + void __init synaptics_module_init(void) + { ++ const struct dmi_system_id *min_max_dmi; ++ + impaired_toshiba_kbc = dmi_check_system(toshiba_dmi_table); + broken_olpc_ec = dmi_check_system(olpc_dmi_table); ++ ++ min_max_dmi = dmi_first_match(min_max_dmi_table); ++ if (min_max_dmi) ++ quirk_min_max = min_max_dmi->driver_data; + } + + int synaptics_init(struct psmouse *psmouse) +diff --git a/drivers/net/usb/asix.c b/drivers/net/usb/asix.c +index 6729585..98ab759 100644 +--- a/drivers/net/usb/asix.c ++++ b/drivers/net/usb/asix.c +@@ -183,6 +183,17 @@ struct ax88172_int_data { + __le16 res3; + } __packed; + ++struct asix_rx_fixup_info { ++ struct sk_buff *ax_skb; ++ u32 header; ++ u16 size; ++ bool split_head; ++}; ++ ++struct asix_common_private { ++ struct asix_rx_fixup_info rx_fixup_info; ++}; ++ + static int asix_read_cmd(struct usbnet *dev, u8 cmd, u16 value, u16 index, + u16 size, void *data) + { +@@ -304,97 +315,89 @@ asix_write_cmd_async(struct usbnet *dev, u8 cmd, u16 value, u16 index, + } + } + +-static int asix_rx_fixup(struct usbnet *dev, struct sk_buff *skb) ++static int asix_rx_fixup_internal(struct usbnet *dev, struct sk_buff *skb, ++ struct asix_rx_fixup_info *rx) + { +- u8 *head; +- u32 header; +- char *packet; +- struct sk_buff *ax_skb; +- u16 size; ++ int offset = 0; ++ ++ while (offset + sizeof(u16) <= skb->len) { ++ u16 remaining = 0; ++ unsigned char *data; ++ ++ if (!rx->size) { ++ if ((skb->len - offset == sizeof(u16)) || ++ rx->split_head) { ++ if(!rx->split_head) { ++ rx->header = get_unaligned_le16( ++ skb->data + offset); ++ rx->split_head = true; ++ offset += sizeof(u16); ++ break; ++ } else { ++ rx->header |= (get_unaligned_le16( ++ skb->data + offset) ++ << 16); ++ rx->split_head = false; ++ offset += sizeof(u16); ++ } ++ } else { ++ rx->header = get_unaligned_le32(skb->data + ++ offset); ++ offset += sizeof(u32); ++ } + +- head = (u8 *) skb->data; +- memcpy(&header, head, sizeof(header)); +- le32_to_cpus(&header); +- packet = head + sizeof(header); +- +- skb_pull(skb, 4); +- +- while (skb->len > 0) { +- if ((header & 0x07ff) != ((~header >> 16) & 0x07ff)) +- netdev_err(dev->net, "asix_rx_fixup() Bad Header Length\n"); +- +- /* get the packet length */ +- size = (u16) (header & 0x000007ff); +- +- if ((skb->len) - ((size + 1) & 0xfffe) == 0) { +- u8 alignment = (unsigned long)skb->data & 0x3; +- if (alignment != 0x2) { +- /* +- * not 16bit aligned so use the room provided by +- * the 32 bit header to align the data +- * +- * note we want 16bit alignment as MAC header is +- * 14bytes thus ip header will be aligned on +- * 32bit boundary so accessing ipheader elements +- * using a cast to struct ip header wont cause +- * an unaligned accesses. +- */ +- u8 realignment = (alignment + 2) & 0x3; +- memmove(skb->data - realignment, +- skb->data, +- size); +- skb->data -= realignment; +- skb_set_tail_pointer(skb, size); ++ /* get the packet length */ ++ rx->size = (u16) (rx->header & 0x7ff); ++ if (rx->size != ((~rx->header >> 16) & 0x7ff)) { ++ netdev_err(dev->net, "asix_rx_fixup() Bad Header Length 0x%x, offset %d\n", ++ rx->header, offset); ++ rx->size = 0; ++ return 0; + } +- return 2; ++ rx->ax_skb = netdev_alloc_skb_ip_align(dev->net, ++ rx->size); ++ if (!rx->ax_skb) ++ return 0; + } + +- if (size > dev->net->mtu + ETH_HLEN + VLAN_HLEN) { ++ if (rx->size > dev->net->mtu + ETH_HLEN + VLAN_HLEN) { + netdev_err(dev->net, "asix_rx_fixup() Bad RX Length %d\n", +- size); +- return 0; +- } +- ax_skb = skb_clone(skb, GFP_ATOMIC); +- if (ax_skb) { +- u8 alignment = (unsigned long)packet & 0x3; +- ax_skb->len = size; +- +- if (alignment != 0x2) { +- /* +- * not 16bit aligned use the room provided by +- * the 32 bit header to align the data +- */ +- u8 realignment = (alignment + 2) & 0x3; +- memmove(packet - realignment, packet, size); +- packet -= realignment; +- } +- ax_skb->data = packet; +- skb_set_tail_pointer(ax_skb, size); +- usbnet_skb_return(dev, ax_skb); +- } else { ++ rx->size); ++ kfree_skb(rx->ax_skb); + return 0; + } + +- skb_pull(skb, (size + 1) & 0xfffe); ++ if (rx->size > skb->len - offset) { ++ remaining = rx->size - (skb->len - offset); ++ rx->size = skb->len - offset; ++ } + +- if (skb->len < sizeof(header)) +- break; ++ data = skb_put(rx->ax_skb, rx->size); ++ memcpy(data, skb->data + offset, rx->size); ++ if (!remaining) ++ usbnet_skb_return(dev, rx->ax_skb); + +- head = (u8 *) skb->data; +- memcpy(&header, head, sizeof(header)); +- le32_to_cpus(&header); +- packet = head + sizeof(header); +- skb_pull(skb, 4); ++ offset += (rx->size + 1) & 0xfffe; ++ rx->size = remaining; + } + +- if (skb->len < 0) { +- netdev_err(dev->net, "asix_rx_fixup() Bad SKB Length %d\n", +- skb->len); ++ if (skb->len != offset) { ++ netdev_err(dev->net, "asix_rx_fixup() Bad SKB Length %d, %d\n", ++ skb->len, offset); + return 0; + } ++ + return 1; + } + ++static int asix_rx_fixup_common(struct usbnet *dev, struct sk_buff *skb) ++{ ++ struct asix_common_private *dp = dev->driver_priv; ++ struct asix_rx_fixup_info *rx = &dp->rx_fixup_info; ++ ++ return asix_rx_fixup_internal(dev, skb, rx); ++} ++ + static struct sk_buff *asix_tx_fixup(struct usbnet *dev, struct sk_buff *skb, + gfp_t flags) + { +@@ -1154,9 +1157,19 @@ static int ax88772_bind(struct usbnet *dev, struct usb_interface *intf) + dev->rx_urb_size = 2048; + } + ++ dev->driver_priv = kzalloc(sizeof(struct asix_common_private), GFP_KERNEL); ++ if (!dev->driver_priv) ++ return -ENOMEM; ++ + return 0; + } + ++static void ax88772_unbind(struct usbnet *dev, struct usb_interface *intf) ++{ ++ if (dev->driver_priv) ++ kfree(dev->driver_priv); ++} ++ + static struct ethtool_ops ax88178_ethtool_ops = { + .get_drvinfo = asix_get_drvinfo, + .get_link = asix_get_link, +@@ -1489,6 +1502,10 @@ static int ax88178_bind(struct usbnet *dev, struct usb_interface *intf) + dev->rx_urb_size = 2048; + } + ++ dev->driver_priv = kzalloc(sizeof(struct asix_common_private), GFP_KERNEL); ++ if (!dev->driver_priv) ++ return -ENOMEM; ++ + return 0; + } + +@@ -1535,22 +1552,25 @@ static const struct driver_info hawking_uf200_info = { + static const struct driver_info ax88772_info = { + .description = "ASIX AX88772 USB 2.0 Ethernet", + .bind = ax88772_bind, ++ .unbind = ax88772_unbind, + .status = asix_status, + .link_reset = ax88772_link_reset, + .reset = ax88772_reset, +- .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_LINK_INTR, +- .rx_fixup = asix_rx_fixup, ++ .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_LINK_INTR | FLAG_MULTI_PACKET, ++ .rx_fixup = asix_rx_fixup_common, + .tx_fixup = asix_tx_fixup, + }; + + static const struct driver_info ax88178_info = { + .description = "ASIX AX88178 USB 2.0 Ethernet", + .bind = ax88178_bind, ++ .unbind = ax88772_unbind, + .status = asix_status, + .link_reset = ax88178_link_reset, + .reset = ax88178_reset, +- .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_LINK_INTR, +- .rx_fixup = asix_rx_fixup, ++ .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_LINK_INTR | ++ FLAG_MULTI_PACKET, ++ .rx_fixup = asix_rx_fixup_common, + .tx_fixup = asix_tx_fixup, + }; + +diff --git a/drivers/staging/speakup/kobjects.c b/drivers/staging/speakup/kobjects.c +index 07a7f54..6829195 100644 +--- a/drivers/staging/speakup/kobjects.c ++++ b/drivers/staging/speakup/kobjects.c +@@ -521,9 +521,9 @@ static ssize_t punc_store(struct kobject *kobj, struct kobj_attribute *attr, + spk_lock(flags); + + if (*punc_buf == 'd' || *punc_buf == 'r') +- x = set_mask_bits(0, var->value, 3); ++ x = spk_set_mask_bits(0, var->value, 3); + else +- x = set_mask_bits(punc_buf, var->value, 3); ++ x = spk_set_mask_bits(punc_buf, var->value, 3); + + spk_unlock(flags); + return count; +diff --git a/drivers/staging/speakup/main.c b/drivers/staging/speakup/main.c +index 0d70f68..a076351 100644 +--- a/drivers/staging/speakup/main.c ++++ b/drivers/staging/speakup/main.c +@@ -2265,7 +2265,7 @@ static int __init speakup_init(void) + (var->var_id >= 0) && (var->var_id < MAXVARS); var++) + speakup_register_var(var); + for (i = 1; punc_info[i].mask != 0; i++) +- set_mask_bits(0, i, 2); ++ spk_set_mask_bits(0, i, 2); + + set_key_info(key_defaults, key_buf); + if (quiet_boot) +diff --git a/drivers/staging/speakup/speakup.h b/drivers/staging/speakup/speakup.h +index 412b879..f39c0a2 100644 +--- a/drivers/staging/speakup/speakup.h ++++ b/drivers/staging/speakup/speakup.h +@@ -71,7 +71,7 @@ extern struct st_var_header *var_header_by_name(const char *name); + extern struct punc_var_t *get_punc_var(enum var_id_t var_id); + extern int set_num_var(int val, struct st_var_header *var, int how); + extern int set_string_var(const char *page, struct st_var_header *var, int len); +-extern int set_mask_bits(const char *input, const int which, const int how); ++extern int spk_set_mask_bits(const char *input, const int which, const int how); + extern special_func special_handler; + extern int handle_help(struct vc_data *vc, u_char type, u_char ch, u_short key); + extern int synth_init(char *name); +diff --git a/drivers/staging/speakup/varhandlers.c b/drivers/staging/speakup/varhandlers.c +index ab7de93..75eaf27 100644 +--- a/drivers/staging/speakup/varhandlers.c ++++ b/drivers/staging/speakup/varhandlers.c +@@ -267,11 +267,11 @@ int set_string_var(const char *page, struct st_var_header *var, int len) + return ret; + } + +-/* set_mask_bits sets or clears the punc/delim/repeat bits, ++/* spk_set_mask_bits sets or clears the punc/delim/repeat bits, + * if input is null uses the defaults. + * values for how: 0 clears bits of chars supplied, + * 1 clears allk, 2 sets bits for chars */ +-int set_mask_bits(const char *input, const int which, const int how) ++int spk_set_mask_bits(const char *input, const int which, const int how) + { + u_char *cp; + short mask = punc_info[which].mask; +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index c55808e..aa05d5e 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -2107,7 +2107,7 @@ cifs_iovec_write(struct file *file, const struct iovec *iov, + { + unsigned int written; + unsigned long num_pages, npages, i; +- size_t copied, len, cur_len; ++ size_t bytes, copied, len, cur_len; + ssize_t total_written = 0; + struct kvec *to_send; + struct page **pages; +@@ -2165,17 +2165,45 @@ cifs_iovec_write(struct file *file, const struct iovec *iov, + do { + size_t save_len = cur_len; + for (i = 0; i < npages; i++) { +- copied = min_t(const size_t, cur_len, PAGE_CACHE_SIZE); ++ bytes = min_t(const size_t, cur_len, PAGE_CACHE_SIZE); + copied = iov_iter_copy_from_user(pages[i], &it, 0, +- copied); ++ bytes); + cur_len -= copied; + iov_iter_advance(&it, copied); + to_send[i+1].iov_base = kmap(pages[i]); + to_send[i+1].iov_len = copied; ++ /* ++ * If we didn't copy as much as we expected, then that ++ * may mean we trod into an unmapped area. Stop copying ++ * at that point. On the next pass through the big ++ * loop, we'll likely end up getting a zero-length ++ * write and bailing out of it. ++ */ ++ if (copied < bytes) ++ break; + } + + cur_len = save_len - cur_len; + ++ /* ++ * If we have no data to send, then that probably means that ++ * the copy above failed altogether. That's most likely because ++ * the address in the iovec was bogus. Set the rc to -EFAULT, ++ * free anything we allocated and bail out. ++ */ ++ if (!cur_len) { ++ kunmap(pages[0]); ++ if (!total_written) ++ total_written = -EFAULT; ++ break; ++ } ++ ++ /* ++ * i + 1 now represents the number of pages we actually used in ++ * the copy phase above. ++ */ ++ npages = min(npages, i + 1); ++ + do { + if (open_file->invalidHandle) { + rc = cifs_reopen_file(open_file, false); +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 45778a6..dc9f0ec 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -38,6 +38,7 @@ + #include <linux/printk.h> + #include <linux/slab.h> + #include <linux/ratelimit.h> ++#include <linux/bitops.h> + + #include "ext4_jbd2.h" + #include "xattr.h" +@@ -3694,18 +3695,20 @@ int ext4_get_inode_loc(struct inode *inode, struct ext4_iloc *iloc) + void ext4_set_inode_flags(struct inode *inode) + { + unsigned int flags = EXT4_I(inode)->i_flags; ++ unsigned int new_fl = 0; + +- inode->i_flags &= ~(S_SYNC|S_APPEND|S_IMMUTABLE|S_NOATIME|S_DIRSYNC); + if (flags & EXT4_SYNC_FL) +- inode->i_flags |= S_SYNC; ++ new_fl |= S_SYNC; + if (flags & EXT4_APPEND_FL) +- inode->i_flags |= S_APPEND; ++ new_fl |= S_APPEND; + if (flags & EXT4_IMMUTABLE_FL) +- inode->i_flags |= S_IMMUTABLE; ++ new_fl |= S_IMMUTABLE; + if (flags & EXT4_NOATIME_FL) +- inode->i_flags |= S_NOATIME; ++ new_fl |= S_NOATIME; + if (flags & EXT4_DIRSYNC_FL) +- inode->i_flags |= S_DIRSYNC; ++ new_fl |= S_DIRSYNC; ++ set_mask_bits(&inode->i_flags, ++ S_SYNC|S_APPEND|S_IMMUTABLE|S_NOATIME|S_DIRSYNC, new_fl); + } + + /* Propagate flags from i_flags to EXT4_I(inode)->i_flags */ +diff --git a/include/linux/bitops.h b/include/linux/bitops.h +index fc8a3ff..87a375f 100644 +--- a/include/linux/bitops.h ++++ b/include/linux/bitops.h +@@ -168,6 +168,21 @@ static inline unsigned long __ffs64(u64 word) + + #ifdef __KERNEL__ + ++#ifndef set_mask_bits ++#define set_mask_bits(ptr, _mask, _bits) \ ++({ \ ++ const typeof(*ptr) mask = (_mask), bits = (_bits); \ ++ typeof(*ptr) old, new; \ ++ \ ++ do { \ ++ old = ACCESS_ONCE(*ptr); \ ++ new = (old & ~mask) | bits; \ ++ } while (cmpxchg(ptr, old, new) != old); \ ++ \ ++ new; \ ++}) ++#endif ++ + #ifndef find_last_bit + /** + * find_last_bit - find the last set bit in a memory region +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index 85180bf..13bd6d0 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -2143,6 +2143,8 @@ extern int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, + + extern struct sk_buff *skb_segment(struct sk_buff *skb, u32 features); + ++unsigned int skb_gso_transport_seglen(const struct sk_buff *skb); ++ + static inline void *skb_header_pointer(const struct sk_buff *skb, int offset, + int len, void *buffer) + { +@@ -2555,5 +2557,22 @@ static inline bool skb_is_recycleable(const struct sk_buff *skb, int skb_size) + + return true; + } ++ ++/** ++ * skb_gso_network_seglen - Return length of individual segments of a gso packet ++ * ++ * @skb: GSO skb ++ * ++ * skb_gso_network_seglen is used to determine the real size of the ++ * individual segments, including Layer3 (IP, IPv6) and L4 headers (TCP/UDP). ++ * ++ * The MAC/L2 header is not accounted for. ++ */ ++static inline unsigned int skb_gso_network_seglen(const struct sk_buff *skb) ++{ ++ unsigned int hdr_len = skb_transport_header(skb) - ++ skb_network_header(skb); ++ return hdr_len + skb_gso_transport_seglen(skb); ++} + #endif /* __KERNEL__ */ + #endif /* _LINUX_SKBUFF_H */ +diff --git a/ipc/msg.c b/ipc/msg.c +index 7385de2..25f1a61 100644 +--- a/ipc/msg.c ++++ b/ipc/msg.c +@@ -296,7 +296,9 @@ static void freeque(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp) + } + atomic_sub(msq->q_cbytes, &ns->msg_bytes); + security_msg_queue_free(msq); ++ ipc_lock_by_ptr(&msq->q_perm); + ipc_rcu_putref(msq); ++ ipc_unlock(&msq->q_perm); + } + + /* +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 5d6cb54..8ac4a0f 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -45,6 +45,8 @@ + #include <linux/in.h> + #include <linux/inet.h> + #include <linux/slab.h> ++#include <linux/tcp.h> ++#include <linux/udp.h> + #include <linux/netdevice.h> + #ifdef CONFIG_NET_CLS_ACT + #include <net/pkt_sched.h> +@@ -3181,3 +3183,26 @@ void __skb_warn_lro_forwarding(const struct sk_buff *skb) + " while LRO is enabled\n", skb->dev->name); + } + EXPORT_SYMBOL(__skb_warn_lro_forwarding); ++ ++/** ++ * skb_gso_transport_seglen - Return length of individual segments of a gso packet ++ * ++ * @skb: GSO skb ++ * ++ * skb_gso_transport_seglen is used to determine the real size of the ++ * individual segments, including Layer4 headers (TCP/UDP). ++ * ++ * The MAC/L2 or network (IP, IPv6) headers are not accounted for. ++ */ ++unsigned int skb_gso_transport_seglen(const struct sk_buff *skb) ++{ ++ const struct skb_shared_info *shinfo = skb_shinfo(skb); ++ unsigned int hdr_len; ++ ++ if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))) ++ hdr_len = tcp_hdrlen(skb); ++ else ++ hdr_len = sizeof(struct udphdr); ++ return hdr_len + shinfo->gso_size; ++} ++EXPORT_SYMBOL_GPL(skb_gso_transport_seglen); +diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c +index 29a07b6..e0d9f02 100644 +--- a/net/ipv4/ip_forward.c ++++ b/net/ipv4/ip_forward.c +@@ -39,6 +39,68 @@ + #include <net/route.h> + #include <net/xfrm.h> + ++static bool ip_may_fragment(const struct sk_buff *skb) ++{ ++ return unlikely((ip_hdr(skb)->frag_off & htons(IP_DF)) == 0) || ++ !skb->local_df; ++} ++ ++static bool ip_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu) ++{ ++ if (skb->len <= mtu || skb->local_df) ++ return false; ++ ++ if (skb_is_gso(skb) && skb_gso_network_seglen(skb) <= mtu) ++ return false; ++ ++ return true; ++} ++ ++static bool ip_gso_exceeds_dst_mtu(const struct sk_buff *skb) ++{ ++ unsigned int mtu; ++ ++ if (skb->local_df || !skb_is_gso(skb)) ++ return false; ++ ++ mtu = dst_mtu(skb_dst(skb)); ++ ++ /* if seglen > mtu, do software segmentation for IP fragmentation on ++ * output. DF bit cannot be set since ip_forward would have sent ++ * icmp error. ++ */ ++ return skb_gso_network_seglen(skb) > mtu; ++} ++ ++/* called if GSO skb needs to be fragmented on forward */ ++static int ip_forward_finish_gso(struct sk_buff *skb) ++{ ++ struct sk_buff *segs; ++ int ret = 0; ++ ++ segs = skb_gso_segment(skb, 0); ++ if (IS_ERR(segs)) { ++ kfree_skb(skb); ++ return -ENOMEM; ++ } ++ ++ consume_skb(skb); ++ ++ do { ++ struct sk_buff *nskb = segs->next; ++ int err; ++ ++ segs->next = NULL; ++ err = dst_output(segs); ++ ++ if (err && ret == 0) ++ ret = err; ++ segs = nskb; ++ } while (segs); ++ ++ return ret; ++} ++ + static int ip_forward_finish(struct sk_buff *skb) + { + struct ip_options * opt = &(IPCB(skb)->opt); +@@ -48,6 +110,9 @@ static int ip_forward_finish(struct sk_buff *skb) + if (unlikely(opt->optlen)) + ip_forward_options(skb); + ++ if (ip_gso_exceeds_dst_mtu(skb)) ++ return ip_forward_finish_gso(skb); ++ + return dst_output(skb); + } + +@@ -87,8 +152,7 @@ int ip_forward(struct sk_buff *skb) + if (opt->is_strictroute && opt->nexthop != rt->rt_gateway) + goto sr_failed; + +- if (unlikely(skb->len > dst_mtu(&rt->dst) && !skb_is_gso(skb) && +- (ip_hdr(skb)->frag_off & htons(IP_DF))) && !skb->local_df) { ++ if (!ip_may_fragment(skb) && ip_exceeds_mtu(skb, dst_mtu(&rt->dst))) { + IP_INC_STATS(dev_net(rt->dst.dev), IPSTATS_MIB_FRAGFAILS); + icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, + htonl(dst_mtu(&rt->dst))); +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index d3fde7e..cd4b529 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -381,6 +381,17 @@ static inline int ip6_forward_finish(struct sk_buff *skb) + return dst_output(skb); + } + ++static bool ip6_pkt_too_big(const struct sk_buff *skb, unsigned int mtu) ++{ ++ if (skb->len <= mtu || skb->local_df) ++ return false; ++ ++ if (skb_is_gso(skb) && skb_gso_network_seglen(skb) <= mtu) ++ return false; ++ ++ return true; ++} ++ + int ip6_forward(struct sk_buff *skb) + { + struct dst_entry *dst = skb_dst(skb); +@@ -504,7 +515,7 @@ int ip6_forward(struct sk_buff *skb) + if (mtu < IPV6_MIN_MTU) + mtu = IPV6_MIN_MTU; + +- if (skb->len > mtu && !skb_is_gso(skb)) { ++ if (ip6_pkt_too_big(skb, mtu)) { + /* Again, force OUTPUT device used as source address */ + skb->dev = dst->dev; + icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu); +diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c +index 2e664a6..8aa94ee 100644 +--- a/net/netfilter/nf_conntrack_proto_dccp.c ++++ b/net/netfilter/nf_conntrack_proto_dccp.c +@@ -431,7 +431,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb, + const char *msg; + u_int8_t state; + +- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); ++ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); + BUG_ON(dh == NULL); + + state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE]; +@@ -483,7 +483,7 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb, + u_int8_t type, old_state, new_state; + enum ct_dccp_roles role; + +- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); ++ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); + BUG_ON(dh == NULL); + type = dh->dccph_type; + +@@ -575,7 +575,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl, + unsigned int cscov; + const char *msg; + +- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); ++ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); + if (dh == NULL) { + msg = "nf_ct_dccp: short packet "; + goto out_invalid; +diff --git a/scripts/package/builddeb b/scripts/package/builddeb +index 3c6c0b1..bee55f6 100644 +--- a/scripts/package/builddeb ++++ b/scripts/package/builddeb +@@ -41,9 +41,9 @@ create_package() { + parisc*) + debarch=hppa ;; + mips*) +- debarch=mips$(grep -q CPU_LITTLE_ENDIAN=y .config && echo el) ;; ++ debarch=mips$(grep -q CPU_LITTLE_ENDIAN=y $KCONFIG_CONFIG && echo el || true) ;; + arm*) +- debarch=arm$(grep -q CONFIG_AEABI=y .config && echo el) ;; ++ debarch=arm$(grep -q CONFIG_AEABI=y $KCONFIG_CONFIG && echo el || true) ;; + *) + echo "" >&2 + echo "** ** ** WARNING ** ** **" >&2 +@@ -62,7 +62,7 @@ create_package() { + fi + + # Create the package +- dpkg-gencontrol -isp $forcearch -p$pname -P"$pdir" ++ dpkg-gencontrol -isp $forcearch -Vkernel:debarch="${debarch:-$(dpkg --print-architecture)}" -p$pname -P"$pdir" + dpkg --build "$pdir" .. + } + +@@ -105,12 +105,12 @@ fi + if [ "$ARCH" = "um" ] ; then + $MAKE linux + cp System.map "$tmpdir/usr/lib/uml/modules/$version/System.map" +- cp .config "$tmpdir/usr/share/doc/$packagename/config" ++ cp $KCONFIG_CONFIG "$tmpdir/usr/share/doc/$packagename/config" + gzip "$tmpdir/usr/share/doc/$packagename/config" + cp $KBUILD_IMAGE "$tmpdir/usr/bin/linux-$version" + else + cp System.map "$tmpdir/boot/System.map-$version" +- cp .config "$tmpdir/boot/config-$version" ++ cp $KCONFIG_CONFIG "$tmpdir/boot/config-$version" + # Not all arches include the boot path in KBUILD_IMAGE + if [ -e $KBUILD_IMAGE ]; then + cp $KBUILD_IMAGE "$tmpdir/boot/vmlinuz-$version" +@@ -119,7 +119,7 @@ else + fi + fi + +-if grep -q '^CONFIG_MODULES=y' .config ; then ++if grep -q '^CONFIG_MODULES=y' $KCONFIG_CONFIG ; then + INSTALL_MOD_PATH="$tmpdir" make KBUILD_SRC= modules_install + if [ "$ARCH" = "um" ] ; then + mv "$tmpdir/lib/modules/$version"/* "$tmpdir/usr/lib/uml/modules/$version/" +@@ -240,21 +240,21 @@ fi + # Build header package + (cd $srctree; find . -name Makefile -o -name Kconfig\* -o -name \*.pl > "$objtree/debian/hdrsrcfiles") + (cd $srctree; find arch/$SRCARCH/include include scripts -type f >> "$objtree/debian/hdrsrcfiles") +-(cd $objtree; find .config Module.symvers include scripts -type f >> "$objtree/debian/hdrobjfiles") ++(cd $objtree; find Module.symvers include scripts -type f >> "$objtree/debian/hdrobjfiles") + destdir=$kernel_headers_dir/usr/src/linux-headers-$version + mkdir -p "$destdir" + (cd $srctree; tar -c -f - -T "$objtree/debian/hdrsrcfiles") | (cd $destdir; tar -xf -) + (cd $objtree; tar -c -f - -T "$objtree/debian/hdrobjfiles") | (cd $destdir; tar -xf -) ++(cd $objtree; cp $KCONFIG_CONFIG $destdir/.config) # copy .config manually to be where it's expected to be + rm -f "$objtree/debian/hdrsrcfiles" "$objtree/debian/hdrobjfiles" +-arch=$(dpkg --print-architecture) + + cat <<EOF >> debian/control + + Package: $kernel_headers_packagename + Provides: linux-headers, linux-headers-2.6 +-Architecture: $arch +-Description: Linux kernel headers for $KERNELRELEASE on $arch +- This package provides kernel header files for $KERNELRELEASE on $arch ++Architecture: any ++Description: Linux kernel headers for $KERNELRELEASE on \${kernel:debarch} ++ This package provides kernel header files for $KERNELRELEASE on \${kernel:debarch} + . + This is useful for people who need to build external modules + EOF diff --git a/3.2.56/4420_grsecurity-3.0-3.2.56-201404062126.patch b/3.2.57/4420_grsecurity-3.0-3.2.57-201404111812.patch index f93b78b..8dc447e 100644 --- a/3.2.56/4420_grsecurity-3.0-3.2.56-201404062126.patch +++ b/3.2.57/4420_grsecurity-3.0-3.2.57-201404111812.patch @@ -273,7 +273,7 @@ index 88fd7f5..b318a78 100644 ============================================================== diff --git a/Makefile b/Makefile -index ec90bfb..3e09b31 100644 +index c92db9b..500e773 100644 --- a/Makefile +++ b/Makefile @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -21638,7 +21638,7 @@ index a9c2116..94c1e1a 100644 }; #endif diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c -index ea69726..604d066 100644 +index ea69726..2476f99 100644 --- a/arch/x86/kernel/ldt.c +++ b/arch/x86/kernel/ldt.c @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, int mincount, int reload) @@ -21691,7 +21691,7 @@ index ea69726..604d066 100644 return retval; } -@@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode) +@@ -230,6 +248,24 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode) } } @@ -21702,6 +21702,17 @@ index ea69726..604d066 100644 + } +#endif + ++ /* ++ * On x86-64 we do not support 16-bit segments due to ++ * IRET leaking the high bits of the kernel stack address. ++ */ ++#ifdef CONFIG_X86_64 ++ if (!ldt_info.seg_32bit) { ++ error = -EINVAL; ++ goto out_unlock; ++ } ++#endif ++ fill_ldt(&ldt, &ldt_info); if (oldmode) ldt.avl = 0; @@ -24403,10 +24414,10 @@ index 176205a..920cd58 100644 #define APIC_LVT_NUM 6 /* 14 is the version for Xeon and Pentium 8.4.8*/ diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c -index f1b36cf..af8a124 100644 +index db2ffef..1e6c37a 100644 --- a/arch/x86/kvm/mmu.c +++ b/arch/x86/kvm/mmu.c -@@ -3555,7 +3555,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa, +@@ -3558,7 +3558,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa, pgprintk("%s: gpa %llx bytes %d\n", __func__, gpa, bytes); @@ -24415,7 +24426,7 @@ index f1b36cf..af8a124 100644 /* * Assume that the pte write on a page table of the same type -@@ -3587,7 +3587,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa, +@@ -3590,7 +3590,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa, } spin_lock(&vcpu->kvm->mmu_lock); @@ -24474,7 +24485,7 @@ index 2102a17..16e1531 100644 local_irq_disable(); diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c -index aac5ea7..266eda9 100644 +index a4f6bda..40eb721 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -1099,12 +1099,12 @@ static void vmcs_write64(unsigned long field, u64 value) @@ -41308,10 +41319,31 @@ index 1f355bb..43f1fea 100644 } else memcpy(msg, buf, count); diff --git a/drivers/isdn/isdnloop/isdnloop.c b/drivers/isdn/isdnloop/isdnloop.c -index 4df80fb..6a58169 100644 +index 4df80fb..75ca5d2 100644 --- a/drivers/isdn/isdnloop/isdnloop.c +++ b/drivers/isdn/isdnloop/isdnloop.c -@@ -1070,6 +1070,12 @@ isdnloop_start(isdnloop_card * card, isdnloop_sdef * sdefp) +@@ -518,9 +518,9 @@ static isdnloop_stat isdnloop_cmd_table[] = + static void + isdnloop_fake_err(isdnloop_card * card) + { +- char buf[60]; ++ char buf[64]; + +- sprintf(buf, "E%s", card->omsg); ++ snprintf(buf, sizeof(buf), "E%s", card->omsg); + isdnloop_fake(card, buf, -1); + isdnloop_fake(card, "NAK", -1); + } +@@ -903,6 +903,8 @@ isdnloop_parse_cmd(isdnloop_card * card) + case 7: + /* 0x;EAZ */ + p += 3; ++ if (strlen(p) >= sizeof(card->eazlist[0])) ++ break; + strcpy(card->eazlist[ch - 1], p); + break; + case 8: +@@ -1070,6 +1072,12 @@ isdnloop_start(isdnloop_card * card, isdnloop_sdef * sdefp) return -EBUSY; if (copy_from_user((char *) &sdef, (char *) sdefp, sizeof(sdef))) return -EFAULT; @@ -41324,6 +41356,38 @@ index 4df80fb..6a58169 100644 spin_lock_irqsave(&card->isdnloop_lock, flags); switch (sdef.ptype) { case ISDN_PTYPE_EURO: +@@ -1127,7 +1135,7 @@ isdnloop_command(isdn_ctrl * c, isdnloop_card * card) + { + ulong a; + int i; +- char cbuf[60]; ++ char cbuf[80]; + isdn_ctrl cmd; + isdnloop_cdef cdef; + +@@ -1192,7 +1200,6 @@ isdnloop_command(isdn_ctrl * c, isdnloop_card * card) + break; + if ((c->arg & 255) < ISDNLOOP_BCH) { + char *p; +- char dial[50]; + char dcode[4]; + + a = c->arg; +@@ -1204,10 +1211,10 @@ isdnloop_command(isdn_ctrl * c, isdnloop_card * card) + } else + /* Normal Dial */ + strcpy(dcode, "CAL"); +- strcpy(dial, p); +- sprintf(cbuf, "%02d;D%s_R%s,%02d,%02d,%s\n", (int) (a + 1), +- dcode, dial, c->parm.setup.si1, +- c->parm.setup.si2, c->parm.setup.eazmsn); ++ snprintf(cbuf, sizeof(cbuf), ++ "%02d;D%s_R%s,%02d,%02d,%s\n", (int) (a + 1), ++ dcode, p, c->parm.setup.si1, ++ c->parm.setup.si2, c->parm.setup.eazmsn); + i = isdnloop_writecmd(cbuf, strlen(cbuf), 0, card); + } + break; diff --git a/drivers/isdn/mISDN/dsp_cmx.c b/drivers/isdn/mISDN/dsp_cmx.c index 4d395de..c504763 100644 --- a/drivers/isdn/mISDN/dsp_cmx.c @@ -55031,7 +55095,7 @@ index 7b68088..17a275b 100644 GLOBAL_EXTERN atomic_t smBufAllocCount; GLOBAL_EXTERN atomic_t midCount; diff --git a/fs/cifs/file.c b/fs/cifs/file.c -index c55808e..c1814ab 100644 +index aa05d5e..4c7ee5d 100644 --- a/fs/cifs/file.c +++ b/fs/cifs/file.c @@ -1690,10 +1690,14 @@ static int cifs_writepages(struct address_space *mapping, @@ -63454,10 +63518,10 @@ index 8a89949..6776861 100644 xfs_init_zones(void) diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..d913d1e +index 0000000..802b13c --- /dev/null +++ b/grsecurity/Kconfig -@@ -0,0 +1,1146 @@ +@@ -0,0 +1,1147 @@ +# +# grecurity configuration +# @@ -63513,7 +63577,8 @@ index 0000000..d913d1e + the most notable of which are XFree86 and hwclock. hwclock can be + remedied by having RTC support in the kernel, so real-time + clock support is enabled if this option is enabled, to ensure -+ that hwclock operates correctly. ++ that hwclock operates correctly. If hwclock still does not work, ++ either update udev or symlink /dev/rtc to /dev/rtc0. + + If you're using XFree86 or a version of Xorg from 2012 or earlier, + you may not be able to boot into a graphical environment with this @@ -75464,7 +75529,7 @@ index d337419..1d6a512f 100644 extern int __register_binfmt(struct linux_binfmt *fmt, int insert); diff --git a/include/linux/bitops.h b/include/linux/bitops.h -index fc8a3ff..ad5938b 100644 +index 87a375f..94c85dd 100644 --- a/include/linux/bitops.h +++ b/include/linux/bitops.h @@ -74,7 +74,7 @@ static inline __u64 ror64(__u64 word, unsigned int shift) @@ -80523,7 +80588,7 @@ index 92808b8..c28cac4 100644 /* shm_mode upper byte flags */ diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h -index 85180bf..78919aa 100644 +index 13bd6d0..fbdc193 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -538,7 +538,7 @@ extern void consume_skb(struct sk_buff *skb); @@ -80589,7 +80654,7 @@ index 85180bf..78919aa 100644 int offset, struct iovec *to, int size); extern int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb, -@@ -2380,6 +2380,9 @@ static inline void nf_reset(struct sk_buff *skb) +@@ -2382,6 +2382,9 @@ static inline void nf_reset(struct sk_buff *skb) nf_bridge_put(skb->nf_bridge); skb->nf_bridge = NULL; #endif @@ -82072,6 +82137,21 @@ index 8ba8ce2..99b7fff 100644 struct sk_buff *skb, int offset, struct iovec *to, size_t len, struct dma_pinned_list *pinned_list); +diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h +index 2dcf317..d918074 100644 +--- a/include/net/netfilter/nf_conntrack_extend.h ++++ b/include/net/netfilter/nf_conntrack_extend.h +@@ -33,8 +33,8 @@ enum nf_ct_ext_id { + /* Extensions: optional stuff which isn't permanently in struct. */ + struct nf_ct_ext { + struct rcu_head rcu; +- u8 offset[NF_CT_EXT_NUM]; +- u8 len; ++ u16 offset[NF_CT_EXT_NUM]; ++ u16 len; + char data[0]; + }; + diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h index 252fd10..aa1421f 100644 --- a/include/net/netfilter/nf_queue.h @@ -83516,10 +83596,10 @@ index 5b4293d..f179875 100644 if (u->mq_bytes + mq_bytes < u->mq_bytes || u->mq_bytes + mq_bytes > task_rlimit(p, RLIMIT_MSGQUEUE)) { diff --git a/ipc/msg.c b/ipc/msg.c -index 7385de2..a8180e08 100644 +index 25f1a61..58f7ac1 100644 --- a/ipc/msg.c +++ b/ipc/msg.c -@@ -309,18 +309,19 @@ static inline int msg_security(struct kern_ipc_perm *ipcp, int msgflg) +@@ -311,18 +311,19 @@ static inline int msg_security(struct kern_ipc_perm *ipcp, int msgflg) return security_msg_queue_associate(msq, msgflg); } @@ -98338,10 +98418,10 @@ index 925991a..209a505 100644 #ifdef CONFIG_INET static u32 seq_scale(u32 seq) diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index 5d6cb54..6367e1e 100644 +index 8ac4a0f..4ca060b 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c -@@ -2872,13 +2872,15 @@ void __init skb_init(void) +@@ -2874,13 +2874,15 @@ void __init skb_init(void) skbuff_head_cache = kmem_cache_create("skbuff_head_cache", sizeof(struct sk_buff), 0, @@ -99266,10 +99346,43 @@ index b550815..c3b44d5 100644 /* copy_len <= skb->len, so can't fail. */ if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0) diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index 00975b6..e922b06 100644 +index 00975b6..ebd3af9 100644 --- a/net/ipv4/ping.c +++ b/net/ipv4/ping.c -@@ -835,7 +835,7 @@ static void ping_format_sock(struct sock *sp, struct seq_file *f, +@@ -205,10 +205,11 @@ static int ping_init_sock(struct sock *sk) + gid_t range[2]; + struct group_info *group_info = get_current_groups(); + int i, j, count = group_info->ngroups; ++ int ret = 0; + + inet_get_ping_group_range_net(net, range, range+1); + if (range[0] <= group && group <= range[1]) +- return 0; ++ goto out_release_group; + + for (i = 0; i < group_info->nblocks; i++) { + int cp_count = min_t(int, NGROUPS_PER_BLOCK, count); +@@ -216,13 +217,17 @@ static int ping_init_sock(struct sock *sk) + for (j = 0; j < cp_count; j++) { + group = group_info->blocks[i][j]; + if (range[0] <= group && group <= range[1]) +- return 0; ++ goto out_release_group; + } + + count -= cp_count; + } + +- return -EACCES; ++ ret = -EACCES; ++ ++out_release_group: ++ put_group_info(group_info); ++ return ret; + } + + static void ping_close(struct sock *sk, long timeout) +@@ -835,7 +840,7 @@ static void ping_format_sock(struct sock *sp, struct seq_file *f, sk_rmem_alloc_get(sp), 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp), atomic_read(&sp->sk_refcnt), sp, @@ -100195,10 +100308,10 @@ index 1567fb1..29af910 100644 dst = NULL; } diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index d3fde7e..f526e49 100644 +index cd4b529..b059726 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c -@@ -600,8 +600,8 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) +@@ -611,8 +611,8 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) { @@ -100209,7 +100322,7 @@ index d3fde7e..f526e49 100644 if (rt && !(rt->dst.flags & DST_NOPEER)) { struct inet_peer *peer; -@@ -614,13 +614,10 @@ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) +@@ -625,13 +625,10 @@ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) return; } } @@ -101488,7 +101601,7 @@ index 14af632..9914188 100644 table = kmemdup(event_sysctl_table, sizeof(event_sysctl_table), GFP_KERNEL); diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c -index 2e664a6..c854e4a 100644 +index 8aa94ee..c854e4a 100644 --- a/net/netfilter/nf_conntrack_proto_dccp.c +++ b/net/netfilter/nf_conntrack_proto_dccp.c @@ -391,7 +391,7 @@ struct dccp_net { @@ -101500,15 +101613,6 @@ index 2e664a6..c854e4a 100644 #endif }; -@@ -431,7 +431,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb, - const char *msg; - u_int8_t state; - -- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); -+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); - BUG_ON(dh == NULL); - - state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE]; @@ -459,7 +459,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb, out_invalid: @@ -101518,24 +101622,6 @@ index 2e664a6..c854e4a 100644 return false; } -@@ -483,7 +483,7 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb, - u_int8_t type, old_state, new_state; - enum ct_dccp_roles role; - -- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); -+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); - BUG_ON(dh == NULL); - type = dh->dccph_type; - -@@ -575,7 +575,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl, - unsigned int cscov; - const char *msg; - -- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); -+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); - if (dh == NULL) { - msg = "nf_ct_dccp: short packet "; - goto out_invalid; @@ -612,7 +612,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl, out_invalid: @@ -104859,13 +104945,13 @@ index 0865b3e..7235dd4 100644 __ksymtab_gpl : { *(SORT(___ksymtab_gpl+*)) } __ksymtab_unused : { *(SORT(___ksymtab_unused+*)) } diff --git a/scripts/package/builddeb b/scripts/package/builddeb -index 3c6c0b1..3e4dbf3 100644 +index bee55f6..4108c4b 100644 --- a/scripts/package/builddeb +++ b/scripts/package/builddeb @@ -241,6 +241,7 @@ fi (cd $srctree; find . -name Makefile -o -name Kconfig\* -o -name \*.pl > "$objtree/debian/hdrsrcfiles") (cd $srctree; find arch/$SRCARCH/include include scripts -type f >> "$objtree/debian/hdrsrcfiles") - (cd $objtree; find .config Module.symvers include scripts -type f >> "$objtree/debian/hdrobjfiles") + (cd $objtree; find Module.symvers include scripts -type f >> "$objtree/debian/hdrobjfiles") +(cd $objtree; find tools/gcc -name \*.so >> "$objtree/debian/hdrobjfiles") destdir=$kernel_headers_dir/usr/src/linux-headers-$version mkdir -p "$destdir" diff --git a/3.2.56/4425_grsec_remove_EI_PAX.patch b/3.2.57/4425_grsec_remove_EI_PAX.patch index cf65d90..cf65d90 100644 --- a/3.2.56/4425_grsec_remove_EI_PAX.patch +++ b/3.2.57/4425_grsec_remove_EI_PAX.patch diff --git a/3.2.56/4427_force_XATTR_PAX_tmpfs.patch b/3.2.57/4427_force_XATTR_PAX_tmpfs.patch index 8c7a533..8c7a533 100644 --- a/3.2.56/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.2.57/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.2.56/4430_grsec-remove-localversion-grsec.patch b/3.2.57/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.2.56/4430_grsec-remove-localversion-grsec.patch +++ b/3.2.57/4430_grsec-remove-localversion-grsec.patch diff --git a/3.2.56/4435_grsec-mute-warnings.patch b/3.2.57/4435_grsec-mute-warnings.patch index f099757..f099757 100644 --- a/3.2.56/4435_grsec-mute-warnings.patch +++ b/3.2.57/4435_grsec-mute-warnings.patch diff --git a/3.2.56/4440_grsec-remove-protected-paths.patch b/3.2.57/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/3.2.56/4440_grsec-remove-protected-paths.patch +++ b/3.2.57/4440_grsec-remove-protected-paths.patch diff --git a/3.2.56/4450_grsec-kconfig-default-gids.patch b/3.2.57/4450_grsec-kconfig-default-gids.patch index 2c2c6ec..2c2c6ec 100644 --- a/3.2.56/4450_grsec-kconfig-default-gids.patch +++ b/3.2.57/4450_grsec-kconfig-default-gids.patch diff --git a/3.2.56/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.57/4465_selinux-avc_audit-log-curr_ip.patch index 610fb07..610fb07 100644 --- a/3.2.56/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.2.57/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.2.56/4470_disable-compat_vdso.patch b/3.2.57/4470_disable-compat_vdso.patch index f6eb9f7..f6eb9f7 100644 --- a/3.2.56/4470_disable-compat_vdso.patch +++ b/3.2.57/4470_disable-compat_vdso.patch diff --git a/3.2.56/4475_emutramp_default_on.patch b/3.2.57/4475_emutramp_default_on.patch index 10a2580..10a2580 100644 --- a/3.2.56/4475_emutramp_default_on.patch +++ b/3.2.57/4475_emutramp_default_on.patch |