authorAnthony G. Basile <blueness@gentoo.org>2014-08-04 19:21:16 -0400
committerAnthony G. Basile <blueness@gentoo.org>2014-08-04 19:21:16 -0400
commit4a92f461e0d93abd298cf9f5ac60e9d4dbdba86c (patch)
tree7f0147fab0f3eee7658b701e7ee651bba91e6fda
parentGrsec/PaX: 3.0-{3.2.60,3.14.14,3.15.7}-201407282112 (diff)
downloadhardened-patchset-20140804.tar.gz
hardened-patchset-20140804.tar.bz2
hardened-patchset-20140804.zip
Grsec/PaX: 3.0-{3.2.61,3.14.15,3.15.8}-20140804070820140804
-rw-r--r--3.14.15/0000_README (renamed from 3.14.14/0000_README)2
-rw-r--r--3.14.15/4420_grsecurity-3.0-3.14.15-201408032014.patch (renamed from 3.14.14/4420_grsecurity-3.0-3.14.14-201407282111.patch)1074
-rw-r--r--3.14.15/4425_grsec_remove_EI_PAX.patch (renamed from 3.14.14/4425_grsec_remove_EI_PAX.patch)0
-rw-r--r--3.14.15/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.14.14/4427_force_XATTR_PAX_tmpfs.patch)0
-rw-r--r--3.14.15/4430_grsec-remove-localversion-grsec.patch (renamed from 3.14.14/4430_grsec-remove-localversion-grsec.patch)0
-rw-r--r--3.14.15/4435_grsec-mute-warnings.patch (renamed from 3.14.14/4435_grsec-mute-warnings.patch)0
-rw-r--r--3.14.15/4440_grsec-remove-protected-paths.patch (renamed from 3.14.14/4440_grsec-remove-protected-paths.patch)0
-rw-r--r--3.14.15/4450_grsec-kconfig-default-gids.patch (renamed from 3.14.14/4450_grsec-kconfig-default-gids.patch)0
-rw-r--r--3.14.15/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.14.14/4465_selinux-avc_audit-log-curr_ip.patch)0
-rw-r--r--3.14.15/4470_disable-compat_vdso.patch (renamed from 3.14.14/4470_disable-compat_vdso.patch)0
-rw-r--r--3.14.15/4475_emutramp_default_on.patch (renamed from 3.14.14/4475_emutramp_default_on.patch)0
-rw-r--r--3.15.8/0000_README (renamed from 3.15.7/0000_README)2
-rw-r--r--3.15.8/4420_grsecurity-3.0-3.15.8-201408040708.patch (renamed from 3.15.7/4420_grsecurity-3.0-3.15.7-201407282112.patch)1145
-rw-r--r--3.15.8/4425_grsec_remove_EI_PAX.patch (renamed from 3.15.7/4425_grsec_remove_EI_PAX.patch)0
-rw-r--r--3.15.8/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.15.7/4427_force_XATTR_PAX_tmpfs.patch)0
-rw-r--r--3.15.8/4430_grsec-remove-localversion-grsec.patch (renamed from 3.15.7/4430_grsec-remove-localversion-grsec.patch)0
-rw-r--r--3.15.8/4435_grsec-mute-warnings.patch (renamed from 3.15.7/4435_grsec-mute-warnings.patch)0
-rw-r--r--3.15.8/4440_grsec-remove-protected-paths.patch (renamed from 3.15.7/4440_grsec-remove-protected-paths.patch)0
-rw-r--r--3.15.8/4450_grsec-kconfig-default-gids.patch (renamed from 3.15.7/4450_grsec-kconfig-default-gids.patch)0
-rw-r--r--3.15.8/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.15.7/4465_selinux-avc_audit-log-curr_ip.patch)0
-rw-r--r--3.15.8/4470_disable-compat_vdso.patch (renamed from 3.15.7/4470_disable-compat_vdso.patch)0
-rw-r--r--3.15.8/4475_emutramp_default_on.patch (renamed from 3.15.7/4475_emutramp_default_on.patch)0
-rw-r--r--3.2.61/0000_README2
-rw-r--r--3.2.61/4420_grsecurity-3.0-3.2.61-201408032011.patch (renamed from 3.2.61/4420_grsecurity-3.0-3.2.61-201407280723.patch)411
24 files changed, 1985 insertions, 651 deletions
diff --git a/3.14.14/0000_README b/3.14.15/0000_README
index 2765c33..d7dc469 100644
--- a/3.14.14/0000_README
+++ b/3.14.15/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.14.14-201407282111.patch
+Patch: 4420_grsecurity-3.0-3.14.15-201408032014.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.14.14/4420_grsecurity-3.0-3.14.14-201407282111.patch b/3.14.15/4420_grsecurity-3.0-3.14.15-201408032014.patch
index f2197e0..96db0fa 100644
--- a/3.14.14/4420_grsecurity-3.0-3.14.14-201407282111.patch
+++ b/3.14.15/4420_grsecurity-3.0-3.14.15-201408032014.patch
@@ -287,7 +287,7 @@ index 7116fda..d8ed6e8 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index 230c7f6..64a1278 100644
+index 188523e..5c8d8ee 100644
--- a/Makefile
+++ b/Makefile
@@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -386,16 +386,7 @@ index 230c7f6..64a1278 100644
include $(srctree)/arch/$(SRCARCH)/Makefile
ifdef CONFIG_READABLE_ASM
-@@ -639,6 +706,8 @@ KBUILD_CFLAGS += -fomit-frame-pointer
- endif
- endif
-
-+KBUILD_CFLAGS += $(call cc-option, -fno-var-tracking-assignments)
-+
- ifdef CONFIG_DEBUG_INFO
- KBUILD_CFLAGS += -g
- KBUILD_AFLAGS += -Wa,--gdwarf-2
-@@ -779,7 +848,7 @@ export mod_sign_cmd
+@@ -781,7 +848,7 @@ export mod_sign_cmd
ifeq ($(KBUILD_EXTMOD),)
@@ -404,7 +395,7 @@ index 230c7f6..64a1278 100644
vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
$(core-y) $(core-m) $(drivers-y) $(drivers-m) \
-@@ -828,6 +897,8 @@ endif
+@@ -830,6 +897,8 @@ endif
# The actual objects are generated when descending,
# make sure no implicit rule kicks in
@@ -413,7 +404,7 @@ index 230c7f6..64a1278 100644
$(sort $(vmlinux-deps)): $(vmlinux-dirs) ;
# Handle descending into subdirectories listed in $(vmlinux-dirs)
-@@ -837,7 +908,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ;
+@@ -839,7 +908,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ;
# Error messages still appears in the original language
PHONY += $(vmlinux-dirs)
@@ -422,7 +413,7 @@ index 230c7f6..64a1278 100644
$(Q)$(MAKE) $(build)=$@
define filechk_kernel.release
-@@ -880,10 +951,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \
+@@ -882,10 +951,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \
archprepare: archheaders archscripts prepare1 scripts_basic
@@ -436,7 +427,7 @@ index 230c7f6..64a1278 100644
prepare: prepare0
# Generate some files
-@@ -991,6 +1065,8 @@ all: modules
+@@ -993,6 +1065,8 @@ all: modules
# using awk while concatenating to the final file.
PHONY += modules
@@ -445,7 +436,7 @@ index 230c7f6..64a1278 100644
modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin
$(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order
@$(kecho) ' Building modules, stage 2.';
-@@ -1006,7 +1082,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin)
+@@ -1008,7 +1082,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin)
# Target to prepare building external modules
PHONY += modules_prepare
@@ -454,7 +445,7 @@ index 230c7f6..64a1278 100644
# Target to install modules
PHONY += modules_install
-@@ -1072,7 +1148,10 @@ MRPROPER_FILES += .config .config.old .version .old_version $(version_h) \
+@@ -1074,7 +1148,10 @@ MRPROPER_FILES += .config .config.old .version .old_version $(version_h) \
Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \
signing_key.priv signing_key.x509 x509.genkey \
extra_certificates signing_key.x509.keyid \
@@ -466,7 +457,7 @@ index 230c7f6..64a1278 100644
# clean - Delete most, but leave enough to build external modules
#
-@@ -1111,7 +1190,7 @@ distclean: mrproper
+@@ -1113,7 +1190,7 @@ distclean: mrproper
@find $(srctree) $(RCS_FIND_IGNORE) \
\( -name '*.orig' -o -name '*.rej' -o -name '*~' \
-o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
@@ -475,7 +466,7 @@ index 230c7f6..64a1278 100644
-o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \
-type f -print | xargs rm -f
-@@ -1273,6 +1352,8 @@ PHONY += $(module-dirs) modules
+@@ -1275,6 +1352,8 @@ PHONY += $(module-dirs) modules
$(module-dirs): crmodverdir $(objtree)/Module.symvers
$(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
@@ -484,7 +475,7 @@ index 230c7f6..64a1278 100644
modules: $(module-dirs)
@$(kecho) ' Building modules, stage 2.';
$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
-@@ -1412,17 +1493,21 @@ else
+@@ -1414,17 +1493,21 @@ else
target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
endif
@@ -510,7 +501,7 @@ index 230c7f6..64a1278 100644
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
%.symtypes: %.c prepare scripts FORCE
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
-@@ -1432,11 +1517,15 @@ endif
+@@ -1434,11 +1517,15 @@ endif
$(cmd_crmodverdir)
$(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
$(build)=$(build-dir)
@@ -13105,10 +13096,10 @@ index 100a9a1..bb3bdb0 100644
err = check_cpuflags();
}
diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S
-index ec3b8ba..6a0db1f 100644
+index 04da6c2..a151f55 100644
--- a/arch/x86/boot/header.S
+++ b/arch/x86/boot/header.S
-@@ -416,10 +416,14 @@ setup_data: .quad 0 # 64-bit physical pointer to
+@@ -434,10 +434,14 @@ setup_data: .quad 0 # 64-bit physical pointer to
# single linked list of
# struct setup_data
@@ -19772,7 +19763,7 @@ index 04905bf..49203ca 100644
}
diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
-index 0d592e0..7437fcc 100644
+index 0d592e0..526f797 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -7,6 +7,7 @@
@@ -20189,7 +20180,7 @@ index 0d592e0..7437fcc 100644
+ copy_from_user_overflow();
+ else
+ __copy_from_user_overflow(sz, n);
-+ } if (access_ok(VERIFY_READ, from, n))
++ } else if (access_ok(VERIFY_READ, from, n))
+ n = __copy_from_user(to, from, n);
+ else if ((long)n > 0)
+ memset(to, 0, n);
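Review bot: The `} else if (access_ok(VERIFY_READ, from, n))` line has no comment, although that `else` is what stops a request already reported through `copy_from_user_overflow()` / `__copy_from_user_overflow(sz, n)` from still reaching `__copy_from_user()`. I would add `/* size check failed: report only, never fall through to the copy */` above the closing brace so the chain is not flattened again. The failed-`access_ok` branch clears `to` with `memset(to, 0, n)`, while the overflow branch appears to leave the destination untouched. If that is intentional (presumably n exceeds the destination object there, so clearing n bytes would itself overrun), a second comment should say so. The function starts and ends outside the hunk.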
@@ -22498,7 +22489,7 @@ index 01d1c18..8073693 100644
#include <asm/processor.h>
#include <asm/fcntl.h>
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
-index 6491353..a918952 100644
+index c87810b..413d83f 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -177,13 +177,153 @@
@@ -22841,7 +22832,7 @@ index 6491353..a918952 100644
# system call tracing in operation / emulation
testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%ebp)
jnz syscall_trace_entry
-@@ -525,6 +723,15 @@ syscall_exit:
+@@ -526,6 +724,15 @@ syscall_exit:
testl $_TIF_ALLWORK_MASK, %ecx # current->work
jne syscall_exit_work
@@ -22857,7 +22848,7 @@ index 6491353..a918952 100644
restore_all:
TRACE_IRQS_IRET
restore_all_notrace:
-@@ -576,14 +783,34 @@ ldt_ss:
+@@ -577,14 +784,34 @@ ldt_ss:
* compensating for the offset by changing to the ESPFIX segment with
* a base address that matches for the difference.
*/
@@ -22895,7 +22886,7 @@ index 6491353..a918952 100644
pushl_cfi $__ESPFIX_SS
pushl_cfi %eax /* new kernel esp */
/* Disable interrupts, but do not irqtrace this section: we
-@@ -612,20 +839,18 @@ work_resched:
+@@ -613,20 +840,18 @@ work_resched:
movl TI_flags(%ebp), %ecx
andl $_TIF_WORK_MASK, %ecx # is there any work to be done other
# than syscall tracing?
@@ -22918,7 +22909,7 @@ index 6491353..a918952 100644
#endif
TRACE_IRQS_ON
ENABLE_INTERRUPTS(CLBR_NONE)
-@@ -646,7 +871,7 @@ work_notifysig_v86:
+@@ -647,7 +872,7 @@ work_notifysig_v86:
movl %eax, %esp
jmp 1b
#endif
@@ -22927,7 +22918,7 @@ index 6491353..a918952 100644
# perform syscall exit tracing
ALIGN
-@@ -654,11 +879,14 @@ syscall_trace_entry:
+@@ -655,11 +880,14 @@ syscall_trace_entry:
movl $-ENOSYS,PT_EAX(%esp)
movl %esp, %eax
call syscall_trace_enter
@@ -22943,7 +22934,7 @@ index 6491353..a918952 100644
# perform syscall exit tracing
ALIGN
-@@ -671,26 +899,30 @@ syscall_exit_work:
+@@ -672,26 +900,30 @@ syscall_exit_work:
movl %esp, %eax
call syscall_trace_leave
jmp resume_userspace
@@ -22965,20 +22956,20 @@ index 6491353..a918952 100644
+ENDPROC(syscall_fault)
syscall_badsys:
- movl $-ENOSYS,PT_EAX(%esp)
- jmp syscall_exit
+ movl $-ENOSYS,%eax
+ jmp syscall_after_call
-END(syscall_badsys)
+ENDPROC(syscall_badsys)
sysenter_badsys:
- movl $-ENOSYS,PT_EAX(%esp)
+ movl $-ENOSYS,%eax
jmp sysenter_after_call
-END(syscall_badsys)
+ENDPROC(sysenter_badsys)
CFI_ENDPROC
/*
* End of kprobes section
-@@ -706,8 +938,15 @@ END(syscall_badsys)
+@@ -707,8 +939,15 @@ END(syscall_badsys)
* normal stack and adjusts ESP with the matching offset.
*/
/* fixup the stack */
@@ -22996,7 +22987,7 @@ index 6491353..a918952 100644
shl $16, %eax
addl %esp, %eax /* the adjusted stack pointer */
pushl_cfi $__KERNEL_DS
-@@ -760,7 +999,7 @@ vector=vector+1
+@@ -761,7 +1000,7 @@ vector=vector+1
.endr
2: jmp common_interrupt
.endr
@@ -23005,7 +22996,7 @@ index 6491353..a918952 100644
.previous
END(interrupt)
-@@ -821,7 +1060,7 @@ ENTRY(coprocessor_error)
+@@ -822,7 +1061,7 @@ ENTRY(coprocessor_error)
pushl_cfi $do_coprocessor_error
jmp error_code
CFI_ENDPROC
@@ -23014,7 +23005,7 @@ index 6491353..a918952 100644
ENTRY(simd_coprocessor_error)
RING0_INT_FRAME
-@@ -834,7 +1073,7 @@ ENTRY(simd_coprocessor_error)
+@@ -835,7 +1074,7 @@ ENTRY(simd_coprocessor_error)
.section .altinstructions,"a"
altinstruction_entry 661b, 663f, X86_FEATURE_XMM, 662b-661b, 664f-663f
.previous
@@ -23023,7 +23014,7 @@ index 6491353..a918952 100644
663: pushl $do_simd_coprocessor_error
664:
.previous
-@@ -843,7 +1082,7 @@ ENTRY(simd_coprocessor_error)
+@@ -844,7 +1083,7 @@ ENTRY(simd_coprocessor_error)
#endif
jmp error_code
CFI_ENDPROC
@@ -23032,7 +23023,7 @@ index 6491353..a918952 100644
ENTRY(device_not_available)
RING0_INT_FRAME
-@@ -852,18 +1091,18 @@ ENTRY(device_not_available)
+@@ -853,18 +1092,18 @@ ENTRY(device_not_available)
pushl_cfi $do_device_not_available
jmp error_code
CFI_ENDPROC
@@ -23054,7 +23045,7 @@ index 6491353..a918952 100644
#endif
ENTRY(overflow)
-@@ -873,7 +1112,7 @@ ENTRY(overflow)
+@@ -874,7 +1113,7 @@ ENTRY(overflow)
pushl_cfi $do_overflow
jmp error_code
CFI_ENDPROC
@@ -23063,7 +23054,7 @@ index 6491353..a918952 100644
ENTRY(bounds)
RING0_INT_FRAME
-@@ -882,7 +1121,7 @@ ENTRY(bounds)
+@@ -883,7 +1122,7 @@ ENTRY(bounds)
pushl_cfi $do_bounds
jmp error_code
CFI_ENDPROC
@@ -23072,7 +23063,7 @@ index 6491353..a918952 100644
ENTRY(invalid_op)
RING0_INT_FRAME
-@@ -891,7 +1130,7 @@ ENTRY(invalid_op)
+@@ -892,7 +1131,7 @@ ENTRY(invalid_op)
pushl_cfi $do_invalid_op
jmp error_code
CFI_ENDPROC
@@ -23081,7 +23072,7 @@ index 6491353..a918952 100644
ENTRY(coprocessor_segment_overrun)
RING0_INT_FRAME
-@@ -900,7 +1139,7 @@ ENTRY(coprocessor_segment_overrun)
+@@ -901,7 +1140,7 @@ ENTRY(coprocessor_segment_overrun)
pushl_cfi $do_coprocessor_segment_overrun
jmp error_code
CFI_ENDPROC
@@ -23090,7 +23081,7 @@ index 6491353..a918952 100644
ENTRY(invalid_TSS)
RING0_EC_FRAME
-@@ -908,7 +1147,7 @@ ENTRY(invalid_TSS)
+@@ -909,7 +1148,7 @@ ENTRY(invalid_TSS)
pushl_cfi $do_invalid_TSS
jmp error_code
CFI_ENDPROC
@@ -23099,7 +23090,7 @@ index 6491353..a918952 100644
ENTRY(segment_not_present)
RING0_EC_FRAME
-@@ -916,7 +1155,7 @@ ENTRY(segment_not_present)
+@@ -917,7 +1156,7 @@ ENTRY(segment_not_present)
pushl_cfi $do_segment_not_present
jmp error_code
CFI_ENDPROC
@@ -23108,7 +23099,7 @@ index 6491353..a918952 100644
ENTRY(stack_segment)
RING0_EC_FRAME
-@@ -924,7 +1163,7 @@ ENTRY(stack_segment)
+@@ -925,7 +1164,7 @@ ENTRY(stack_segment)
pushl_cfi $do_stack_segment
jmp error_code
CFI_ENDPROC
@@ -23117,7 +23108,7 @@ index 6491353..a918952 100644
ENTRY(alignment_check)
RING0_EC_FRAME
-@@ -932,7 +1171,7 @@ ENTRY(alignment_check)
+@@ -933,7 +1172,7 @@ ENTRY(alignment_check)
pushl_cfi $do_alignment_check
jmp error_code
CFI_ENDPROC
@@ -23126,7 +23117,7 @@ index 6491353..a918952 100644
ENTRY(divide_error)
RING0_INT_FRAME
-@@ -941,7 +1180,7 @@ ENTRY(divide_error)
+@@ -942,7 +1181,7 @@ ENTRY(divide_error)
pushl_cfi $do_divide_error
jmp error_code
CFI_ENDPROC
@@ -23135,7 +23126,7 @@ index 6491353..a918952 100644
#ifdef CONFIG_X86_MCE
ENTRY(machine_check)
-@@ -951,7 +1190,7 @@ ENTRY(machine_check)
+@@ -952,7 +1191,7 @@ ENTRY(machine_check)
pushl_cfi machine_check_vector
jmp error_code
CFI_ENDPROC
@@ -23144,7 +23135,7 @@ index 6491353..a918952 100644
#endif
ENTRY(spurious_interrupt_bug)
-@@ -961,7 +1200,7 @@ ENTRY(spurious_interrupt_bug)
+@@ -962,7 +1201,7 @@ ENTRY(spurious_interrupt_bug)
pushl_cfi $do_spurious_interrupt_bug
jmp error_code
CFI_ENDPROC
@@ -23153,7 +23144,7 @@ index 6491353..a918952 100644
/*
* End of kprobes section
*/
-@@ -1071,7 +1310,7 @@ BUILD_INTERRUPT3(hyperv_callback_vector, HYPERVISOR_CALLBACK_VECTOR,
+@@ -1072,7 +1311,7 @@ BUILD_INTERRUPT3(hyperv_callback_vector, HYPERVISOR_CALLBACK_VECTOR,
ENTRY(mcount)
ret
@@ -23162,7 +23153,7 @@ index 6491353..a918952 100644
ENTRY(ftrace_caller)
cmpl $0, function_trace_stop
-@@ -1104,7 +1343,7 @@ ftrace_graph_call:
+@@ -1105,7 +1344,7 @@ ftrace_graph_call:
.globl ftrace_stub
ftrace_stub:
ret
@@ -23171,7 +23162,7 @@ index 6491353..a918952 100644
ENTRY(ftrace_regs_caller)
pushf /* push flags before compare (in cs location) */
-@@ -1208,7 +1447,7 @@ trace:
+@@ -1209,7 +1448,7 @@ trace:
popl %ecx
popl %eax
jmp ftrace_stub
@@ -23180,7 +23171,7 @@ index 6491353..a918952 100644
#endif /* CONFIG_DYNAMIC_FTRACE */
#endif /* CONFIG_FUNCTION_TRACER */
-@@ -1226,7 +1465,7 @@ ENTRY(ftrace_graph_caller)
+@@ -1227,7 +1466,7 @@ ENTRY(ftrace_graph_caller)
popl %ecx
popl %eax
ret
@@ -23189,7 +23180,7 @@ index 6491353..a918952 100644
.globl return_to_handler
return_to_handler:
-@@ -1292,15 +1531,18 @@ error_code:
+@@ -1293,15 +1532,18 @@ error_code:
movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
REG_TO_PTGS %ecx
SET_KERNEL_GS %ecx
@@ -23210,7 +23201,7 @@ index 6491353..a918952 100644
/*
* Debug traps and NMI can happen at the one SYSENTER instruction
-@@ -1343,7 +1585,7 @@ debug_stack_correct:
+@@ -1344,7 +1586,7 @@ debug_stack_correct:
call do_debug
jmp ret_from_exception
CFI_ENDPROC
@@ -23219,7 +23210,7 @@ index 6491353..a918952 100644
/*
* NMI is doubly nasty. It can happen _while_ we're handling
-@@ -1381,6 +1623,9 @@ nmi_stack_correct:
+@@ -1382,6 +1624,9 @@ nmi_stack_correct:
xorl %edx,%edx # zero error code
movl %esp,%eax # pt_regs pointer
call do_nmi
@@ -23229,7 +23220,7 @@ index 6491353..a918952 100644
jmp restore_all_notrace
CFI_ENDPROC
-@@ -1417,12 +1662,15 @@ nmi_espfix_stack:
+@@ -1418,12 +1663,15 @@ nmi_espfix_stack:
FIXUP_ESPFIX_STACK # %eax == %esp
xorl %edx,%edx # zero error code
call do_nmi
@@ -23246,7 +23237,7 @@ index 6491353..a918952 100644
ENTRY(int3)
RING0_INT_FRAME
-@@ -1435,14 +1683,14 @@ ENTRY(int3)
+@@ -1436,14 +1684,14 @@ ENTRY(int3)
call do_int3
jmp ret_from_exception
CFI_ENDPROC
@@ -23263,7 +23254,7 @@ index 6491353..a918952 100644
#ifdef CONFIG_KVM_GUEST
ENTRY(async_page_fault)
-@@ -1451,7 +1699,7 @@ ENTRY(async_page_fault)
+@@ -1452,7 +1700,7 @@ ENTRY(async_page_fault)
pushl_cfi $do_async_page_fault
jmp error_code
CFI_ENDPROC
@@ -24632,7 +24623,7 @@ index 85126cc..1bbce17 100644
init_level4_pgt[511] = early_level4_pgt[511];
diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S
-index f36bd42..56ee1534 100644
+index f36bd42..0ab4474 100644
--- a/arch/x86/kernel/head_32.S
+++ b/arch/x86/kernel/head_32.S
@@ -26,6 +26,12 @@
@@ -25044,7 +25035,7 @@ index f36bd42..56ee1534 100644
+ .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
+ .quad 0x004093000000ffff /* 0xc8 APM DS data */
+
-+ .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
++ .quad 0x00c093000000ffff /* 0xd0 - ESPFIX SS */
+ .quad 0x0040930000000000 /* 0xd8 - PERCPU */
+ .quad 0x0040910000000017 /* 0xe0 - STACK_CANARY */
+ .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
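Review bot: The trailing comment on the ESPFIX SS entry still gives only the selector offset, although the descriptor's limit field is the one thing this line changes (the low 16 bits are now `0xffff`, with the granularity bit set in the `0xc0` byte). A reader has to decode the quad by hand to see how far this stack segment reaches. Extending the comment to something like `/* 0xd0 - ESPFIX SS, limit 0x0ffff pages */` would make the bound reviewable alongside the neighbouring entries. The reason for widening the limit is not visible in the hunk and should come from the author. The descriptor table starts and ends outside the hunk.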
@@ -27377,7 +27368,7 @@ index 5cdff03..80fa283 100644
* Up to this point, the boot CPU has been using .init.data
* area. Reload any changed state for the boot CPU.
diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
-index 9e5de68..16c53cb 100644
+index 9e5de68..147c254 100644
--- a/arch/x86/kernel/signal.c
+++ b/arch/x86/kernel/signal.c
@@ -190,7 +190,7 @@ static unsigned long align_sigframe(unsigned long sp)
@@ -27394,7 +27385,7 @@ index 9e5de68..16c53cb 100644
if (current->mm->context.vdso)
- restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
-+ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
++ restorer = (void __force_user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
else
- restorer = &frame->retcode;
+ restorer = (void __user *)&frame->retcode;
@@ -27416,9 +27407,9 @@ index 9e5de68..16c53cb 100644
/* Set up to return from userspace. */
- restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
+ if (current->mm->context.vdso)
-+ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
++ restorer = (void __force_user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
+ else
-+ restorer = (void __user *)&frame->retcode;
++ restorer = (void __user *)&frame->retcode;
if (ksig->ka.sa.sa_flags & SA_RESTORER)
restorer = ksig->ka.sa.sa_restorer;
put_user_ex(restorer, &frame->pretcode);
@@ -36357,7 +36348,7 @@ index af00795..2bb8105 100644
#define XCHAL_ICACHE_SIZE 32768 /* I-cache size in bytes or 0 */
#define XCHAL_DCACHE_SIZE 32768 /* D-cache size in bytes or 0 */
diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
-index dd0dd2d..e59db49 100644
+index d8f80e7..5f41702 100644
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -809,7 +809,7 @@ static void blkcg_css_free(struct cgroup_subsys_state *css)
@@ -36449,7 +36440,7 @@ index 420a5a9..23834aa 100644
if (blk_verify_command(rq->cmd, has_write_perm))
return -EPERM;
diff --git a/block/compat_ioctl.c b/block/compat_ioctl.c
-index fbd5a67..f24fd95 100644
+index a0926a6..b2b14b2 100644
--- a/block/compat_ioctl.c
+++ b/block/compat_ioctl.c
@@ -156,7 +156,7 @@ static int compat_cdrom_generic_command(struct block_device *bdev, fmode_t mode,
@@ -36591,6 +36582,26 @@ index 2648797..92ed21f 100644
if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
goto error;
+diff --git a/crypto/af_alg.c b/crypto/af_alg.c
+index 966f893..6a3ad80 100644
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -21,6 +21,7 @@
+ #include <linux/module.h>
+ #include <linux/net.h>
+ #include <linux/rwsem.h>
++#include <linux/security.h>
+
+ struct alg_type_list {
+ const struct af_alg_type *type;
+@@ -243,6 +244,7 @@ int af_alg_accept(struct sock *sk, struct socket *newsock)
+
+ sock_init_data(newsock, sk2);
+ sock_graft(sk2, newsock);
++ security_sk_clone(sk, sk2);
+
+ err = type->accept(ask->private, sk2);
+ if (err) {
diff --git a/crypto/cryptd.c b/crypto/cryptd.c
index 7bdd61b..afec999 100644
--- a/crypto/cryptd.c
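Review bot: The added `security_sk_clone(sk, sk2);` in af_alg_accept carries no comment, and from the visible lines it is the only statement that hands the parent socket's LSM state to the accepted socket. Without it the child would presumably be left unlabeled, which a security module's policy may treat differently from the listening socket. A line such as `/* give the accepted socket the parent's security label */` above the call would record why it sits between `sock_graft()` and `type->accept()`. af_alg_accept starts and ends outside the hunk.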
@@ -36782,7 +36793,7 @@ index 36605ab..6ef6d4b 100644
unsigned long timeout_msec)
{
diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
-index 62fda16..8063873 100644
+index f761603..3042d5c 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -98,7 +98,7 @@ static unsigned int ata_dev_set_xfermode(struct ata_device *dev);
@@ -36794,7 +36805,7 @@ index 62fda16..8063873 100644
struct ata_force_param {
const char *name;
-@@ -4858,7 +4858,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
+@@ -4863,7 +4863,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
struct ata_port *ap;
unsigned int tag;
@@ -36803,7 +36814,7 @@ index 62fda16..8063873 100644
ap = qc->ap;
qc->flags = 0;
-@@ -4874,7 +4874,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
+@@ -4879,7 +4879,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
struct ata_port *ap;
struct ata_link *link;
@@ -36812,7 +36823,7 @@ index 62fda16..8063873 100644
WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
ap = qc->ap;
link = qc->dev->link;
-@@ -5993,6 +5993,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
+@@ -5998,6 +5998,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
return;
spin_lock(&lock);
@@ -36820,7 +36831,7 @@ index 62fda16..8063873 100644
for (cur = ops->inherits; cur; cur = cur->inherits) {
void **inherit = (void **)cur;
-@@ -6006,8 +6007,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
+@@ -6011,8 +6012,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
if (IS_ERR(*pp))
*pp = NULL;
@@ -36831,7 +36842,7 @@ index 62fda16..8063873 100644
spin_unlock(&lock);
}
-@@ -6200,7 +6202,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht)
+@@ -6208,7 +6210,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht)
/* give ports names and add SCSI hosts */
for (i = 0; i < host->n_ports; i++) {
@@ -37499,7 +37510,7 @@ index 4217f29..88f547a 100644
vcc->tx_quota = vcc->tx_quota * 3 / 4;
printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
diff --git a/drivers/atm/lanai.c b/drivers/atm/lanai.c
-index fa7d701..1e404c7 100644
+index fa7d7019..1e404c7 100644
--- a/drivers/atm/lanai.c
+++ b/drivers/atm/lanai.c
@@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct lanai_dev *lanai,
@@ -43517,10 +43528,10 @@ index 24c41ba..102d71f 100644
gameport->dev.release = gameport_release_port;
if (gameport->parent)
diff --git a/drivers/input/input.c b/drivers/input/input.c
-index 1c4c0db..6f7abe3 100644
+index 29ca0bb..f4bc2e3 100644
--- a/drivers/input/input.c
+++ b/drivers/input/input.c
-@@ -1772,7 +1772,7 @@ EXPORT_SYMBOL_GPL(input_class);
+@@ -1774,7 +1774,7 @@ EXPORT_SYMBOL_GPL(input_class);
*/
struct input_dev *input_allocate_device(void)
{
@@ -43529,7 +43540,7 @@ index 1c4c0db..6f7abe3 100644
struct input_dev *dev;
dev = kzalloc(sizeof(struct input_dev), GFP_KERNEL);
-@@ -1787,7 +1787,7 @@ struct input_dev *input_allocate_device(void)
+@@ -1789,7 +1789,7 @@ struct input_dev *input_allocate_device(void)
INIT_LIST_HEAD(&dev->node);
dev_set_name(&dev->dev, "input%ld",
@@ -47174,6 +47185,19 @@ index 72ff14b..11d442d 100644
break;
err = 0;
break;
+diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
+index 0180531..1aff970 100644
+--- a/drivers/net/ppp/pptp.c
++++ b/drivers/net/ppp/pptp.c
+@@ -281,7 +281,7 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
+ nf_reset(skb);
+
+ skb->ip_summed = CHECKSUM_NONE;
+- ip_select_ident(skb, &rt->dst, NULL);
++ ip_select_ident(skb, NULL);
+ ip_send_check(iph);
+
+ ip_local_out(skb);
diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
index 1252d9c..80e660b 100644
--- a/drivers/net/slip/slhc.c
@@ -50446,10 +50470,25 @@ index d8afec8..3ec7152 100644
/* check if the device is still usable */
if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
-index 62ec84b..93159d8 100644
+index 62ec84b..384f684 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
-@@ -1474,7 +1474,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q)
+@@ -831,6 +831,14 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes)
+ scsi_next_command(cmd);
+ return;
+ }
++ } else if (blk_rq_bytes(req) == 0 && result && !sense_deferred) {
++ /*
++ * Certain non BLOCK_PC requests are commands that don't
++ * actually transfer anything (FLUSH), so cannot use
++ * good_bytes != blk_rq_bytes(req) as the signal for an error.
++ * This sets the error explicitly for the problem case.
++ */
++ error = __scsi_error_from_host_byte(cmd, result);
+ }
+
+ /* no bidi support for !REQ_TYPE_BLOCK_PC yet */
+@@ -1474,7 +1482,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q)
shost = sdev->host;
scsi_init_cmd_errh(cmd);
cmd->result = DID_NO_CONNECT << 16;
@@ -50458,7 +50497,7 @@ index 62ec84b..93159d8 100644
/*
* SCSI request completion path will do scsi_device_unbusy(),
-@@ -1500,9 +1500,9 @@ static void scsi_softirq_done(struct request *rq)
+@@ -1500,9 +1508,9 @@ static void scsi_softirq_done(struct request *rq)
INIT_LIST_HEAD(&cmd->eh_entry);
@@ -59099,7 +59138,7 @@ index e081acb..911df21 100644
/*
* We'll have a dentry and an inode for
diff --git a/fs/coredump.c b/fs/coredump.c
-index 0b2528f..836c55f 100644
+index a93f7e6..d58bcbe 100644
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -442,8 +442,8 @@ static void wait_for_dump_helpers(struct file *file)
@@ -62372,7 +62411,7 @@ index b29e42f..5ea7fdf 100644
#define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */
diff --git a/fs/namei.c b/fs/namei.c
-index 8274c8d..e242796 100644
+index bdea109..e242796 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -330,17 +330,34 @@ int generic_permission(struct inode *inode, int mask)
@@ -62508,19 +62547,7 @@ index 8274c8d..e242796 100644
return retval;
}
-@@ -2247,9 +2280,10 @@ done:
- goto out;
- }
- path->dentry = dentry;
-- path->mnt = mntget(nd->path.mnt);
-+ path->mnt = nd->path.mnt;
- if (should_follow_link(dentry, nd->flags & LOOKUP_FOLLOW))
- return 1;
-+ mntget(path->mnt);
- follow_mount(path);
- error = 0;
- out:
-@@ -2557,6 +2591,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
+@@ -2558,6 +2591,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
if (flag & O_NOATIME && !inode_owner_or_capable(inode))
return -EPERM;
@@ -62534,7 +62561,7 @@ index 8274c8d..e242796 100644
return 0;
}
-@@ -2788,7 +2829,7 @@ looked_up:
+@@ -2789,7 +2829,7 @@ looked_up:
* cleared otherwise prior to returning.
*/
static int lookup_open(struct nameidata *nd, struct path *path,
@@ -62543,7 +62570,7 @@ index 8274c8d..e242796 100644
const struct open_flags *op,
bool got_write, int *opened)
{
-@@ -2823,6 +2864,17 @@ static int lookup_open(struct nameidata *nd, struct path *path,
+@@ -2824,6 +2864,17 @@ static int lookup_open(struct nameidata *nd, struct path *path,
/* Negative dentry, just create the file */
if (!dentry->d_inode && (op->open_flag & O_CREAT)) {
umode_t mode = op->mode;
@@ -62561,7 +62588,7 @@ index 8274c8d..e242796 100644
if (!IS_POSIXACL(dir->d_inode))
mode &= ~current_umask();
/*
-@@ -2844,6 +2896,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
+@@ -2845,6 +2896,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
nd->flags & LOOKUP_EXCL);
if (error)
goto out_dput;
@@ -62570,7 +62597,7 @@ index 8274c8d..e242796 100644
}
out_no_open:
path->dentry = dentry;
-@@ -2858,7 +2912,7 @@ out_dput:
+@@ -2859,7 +2912,7 @@ out_dput:
/*
* Handle the last step of open()
*/
@@ -62579,7 +62606,7 @@ index 8274c8d..e242796 100644
struct file *file, const struct open_flags *op,
int *opened, struct filename *name)
{
-@@ -2908,6 +2962,15 @@ static int do_last(struct nameidata *nd, struct path *path,
+@@ -2909,6 +2962,15 @@ static int do_last(struct nameidata *nd, struct path *path,
if (error)
return error;
@@ -62595,7 +62622,7 @@ index 8274c8d..e242796 100644
audit_inode(name, dir, LOOKUP_PARENT);
error = -EISDIR;
/* trailing slashes? */
-@@ -2927,7 +2990,7 @@ retry_lookup:
+@@ -2928,7 +2990,7 @@ retry_lookup:
*/
}
mutex_lock(&dir->d_inode->i_mutex);
@@ -62604,7 +62631,7 @@ index 8274c8d..e242796 100644
mutex_unlock(&dir->d_inode->i_mutex);
if (error <= 0) {
-@@ -2951,11 +3014,28 @@ retry_lookup:
+@@ -2952,11 +3014,28 @@ retry_lookup:
goto finish_open_created;
}
@@ -62634,7 +62661,7 @@ index 8274c8d..e242796 100644
/*
* If atomic_open() acquired write access it is dropped now due to
-@@ -2996,6 +3076,11 @@ finish_lookup:
+@@ -2997,6 +3076,11 @@ finish_lookup:
}
}
BUG_ON(inode != path->dentry->d_inode);
@@ -62646,7 +62673,7 @@ index 8274c8d..e242796 100644
return 1;
}
-@@ -3005,7 +3090,6 @@ finish_lookup:
+@@ -3006,7 +3090,6 @@ finish_lookup:
save_parent.dentry = nd->path.dentry;
save_parent.mnt = mntget(path->mnt);
nd->path.dentry = path->dentry;
@@ -62654,7 +62681,7 @@ index 8274c8d..e242796 100644
}
nd->inode = inode;
/* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */
-@@ -3015,7 +3099,18 @@ finish_open:
+@@ -3016,7 +3099,18 @@ finish_open:
path_put(&save_parent);
return error;
}
@@ -62673,7 +62700,7 @@ index 8274c8d..e242796 100644
error = -EISDIR;
if ((open_flag & O_CREAT) &&
(d_is_directory(nd->path.dentry) || d_is_autodir(nd->path.dentry)))
-@@ -3179,7 +3274,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+@@ -3180,7 +3274,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
if (unlikely(error))
goto out;
@@ -62682,7 +62709,7 @@ index 8274c8d..e242796 100644
while (unlikely(error > 0)) { /* trailing symlink */
struct path link = path;
void *cookie;
-@@ -3197,7 +3292,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+@@ -3198,7 +3292,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
error = follow_link(&link, nd, &cookie);
if (unlikely(error))
break;
@@ -62691,7 +62718,7 @@ index 8274c8d..e242796 100644
put_link(nd, &link, cookie);
}
out:
-@@ -3297,9 +3392,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
+@@ -3298,9 +3392,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
goto unlock;
error = -EEXIST;
@@ -62705,7 +62732,7 @@ index 8274c8d..e242796 100644
/*
* Special case - lookup gave negative, but... we had foo/bar/
* From the vfs_mknod() POV we just have a negative dentry -
-@@ -3351,6 +3448,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
+@@ -3352,6 +3448,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
}
EXPORT_SYMBOL(user_path_create);
@@ -62726,7 +62753,7 @@ index 8274c8d..e242796 100644
int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
{
int error = may_create(dir, dentry);
-@@ -3413,6 +3524,17 @@ retry:
+@@ -3414,6 +3524,17 @@ retry:
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -62744,7 +62771,7 @@ index 8274c8d..e242796 100644
error = security_path_mknod(&path, dentry, mode, dev);
if (error)
goto out;
-@@ -3429,6 +3551,8 @@ retry:
+@@ -3430,6 +3551,8 @@ retry:
break;
}
out:
@@ -62753,7 +62780,7 @@ index 8274c8d..e242796 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3481,9 +3605,16 @@ retry:
+@@ -3482,9 +3605,16 @@ retry:
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -62770,7 +62797,7 @@ index 8274c8d..e242796 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3564,6 +3695,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -3565,6 +3695,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
struct filename *name;
struct dentry *dentry;
struct nameidata nd;
@@ -62779,7 +62806,7 @@ index 8274c8d..e242796 100644
unsigned int lookup_flags = 0;
retry:
name = user_path_parent(dfd, pathname, &nd, lookup_flags);
-@@ -3596,10 +3729,21 @@ retry:
+@@ -3597,10 +3729,21 @@ retry:
error = -ENOENT;
goto exit3;
}
@@ -62801,7 +62828,7 @@ index 8274c8d..e242796 100644
exit3:
dput(dentry);
exit2:
-@@ -3689,6 +3833,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -3690,6 +3833,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
struct nameidata nd;
struct inode *inode = NULL;
struct inode *delegated_inode = NULL;
@@ -62810,7 +62837,7 @@ index 8274c8d..e242796 100644
unsigned int lookup_flags = 0;
retry:
name = user_path_parent(dfd, pathname, &nd, lookup_flags);
-@@ -3715,10 +3861,22 @@ retry_deleg:
+@@ -3716,10 +3861,22 @@ retry_deleg:
if (d_is_negative(dentry))
goto slashes;
ihold(inode);
@@ -62833,7 +62860,7 @@ index 8274c8d..e242796 100644
exit2:
dput(dentry);
}
-@@ -3806,9 +3964,17 @@ retry:
+@@ -3807,9 +3964,17 @@ retry:
if (IS_ERR(dentry))
goto out_putname;
@@ -62851,7 +62878,7 @@ index 8274c8d..e242796 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3911,6 +4077,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -3912,6 +4077,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
struct dentry *new_dentry;
struct path old_path, new_path;
struct inode *delegated_inode = NULL;
@@ -62859,7 +62886,7 @@ index 8274c8d..e242796 100644
int how = 0;
int error;
-@@ -3934,7 +4101,7 @@ retry:
+@@ -3935,7 +4101,7 @@ retry:
if (error)
return error;
@@ -62868,7 +62895,7 @@ index 8274c8d..e242796 100644
(how & LOOKUP_REVAL));
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
-@@ -3946,11 +4113,28 @@ retry:
+@@ -3947,11 +4113,28 @@ retry:
error = may_linkat(&old_path);
if (unlikely(error))
goto out_dput;
@@ -62897,7 +62924,7 @@ index 8274c8d..e242796 100644
done_path_create(&new_path, new_dentry);
if (delegated_inode) {
error = break_deleg_wait(&delegated_inode);
-@@ -4237,6 +4421,12 @@ retry_deleg:
+@@ -4238,6 +4421,12 @@ retry_deleg:
if (new_dentry == trap)
goto exit5;
@@ -62910,7 +62937,7 @@ index 8274c8d..e242796 100644
error = security_path_rename(&oldnd.path, old_dentry,
&newnd.path, new_dentry);
if (error)
-@@ -4244,6 +4434,9 @@ retry_deleg:
+@@ -4245,6 +4434,9 @@ retry_deleg:
error = vfs_rename(old_dir->d_inode, old_dentry,
new_dir->d_inode, new_dentry,
&delegated_inode);
@@ -62920,7 +62947,7 @@ index 8274c8d..e242796 100644
exit5:
dput(new_dentry);
exit4:
-@@ -4280,6 +4473,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
+@@ -4281,6 +4473,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
{
@@ -62929,7 +62956,7 @@ index 8274c8d..e242796 100644
int len;
len = PTR_ERR(link);
-@@ -4289,7 +4484,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
+@@ -4290,7 +4484,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
len = strlen(link);
if (len > (unsigned) buflen)
len = buflen;
@@ -71963,7 +71990,7 @@ index 0000000..25f54ef
+};
diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c
new file mode 100644
-index 0000000..361a099
+index 0000000..3f8ade0
--- /dev/null
+++ b/grsecurity/gracl_policy.c
@@ -0,0 +1,1782 @@
@@ -72022,9 +72049,9 @@ index 0000000..361a099
+extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
+extern void gr_clear_learn_entries(void);
+
-+static struct gr_arg gr_usermode;
-+static unsigned char gr_system_salt[GR_SALT_LEN];
-+static unsigned char gr_system_sum[GR_SHA_LEN];
++struct gr_arg *gr_usermode __read_only;
++unsigned char *gr_system_salt __read_only;
++unsigned char *gr_system_sum __read_only;
+
+static unsigned int gr_auth_attempts = 0;
+static unsigned long gr_auth_expires = 0UL;
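Review bot: `__read_only` on the three new definitions (`gr_usermode`, `gr_system_salt`, `gr_system_sum`) covers only the pointer values; the buffers behind them are still written by the memcpy() and memset() calls later in this file. A comment would stop a reader from assuming the salt and sum themselves are write-protected, for example `/* allocated once in grsecurity_init(); only the pointers are __read_only, the buffers are rewritten on enable and cleared on shutdown */`. Dropping `static` also exports these names, and the matching `extern` lines in grsec_init.c omit the attribute, so a declaration in a shared header would let the compiler check that both sides agree.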
@@ -73266,8 +73293,8 @@ index 0000000..361a099
+{
+ int error = 0;
+
-+ memcpy(&gr_system_salt, args->salt, sizeof(gr_system_salt));
-+ memcpy(&gr_system_sum, args->sum, sizeof(gr_system_sum));
++ memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
++ memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
+
+ if (init_variables(args, false)) {
+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
@@ -73494,11 +73521,11 @@ index 0000000..361a099
+ if (error)
+ goto out;
+
-+ error = copy_gr_arg(uwrap.arg, &gr_usermode);
++ error = copy_gr_arg(uwrap.arg, gr_usermode);
+ if (error)
+ goto out;
+
-+ if (gr_usermode.mode != GR_SPROLE && gr_usermode.mode != GR_SPROLEPAM &&
++ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
+ gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
+ time_after(gr_auth_expires, get_seconds())) {
+ error = -EBUSY;
@@ -73510,8 +73537,8 @@ index 0000000..361a099
+ locking
+ */
+
-+ if (gr_usermode.mode != GR_SPROLE && gr_usermode.mode != GR_STATUS &&
-+ gr_usermode.mode != GR_UNSPROLE && gr_usermode.mode != GR_SPROLEPAM &&
++ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
++ gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
+ gr_is_global_nonroot(current_uid())) {
+ error = -EPERM;
+ goto out;
@@ -73519,15 +73546,15 @@ index 0000000..361a099
+
+ /* ensure pw and special role name are null terminated */
+
-+ gr_usermode.pw[GR_PW_LEN - 1] = '\0';
-+ gr_usermode.sp_role[GR_SPROLE_LEN - 1] = '\0';
++ gr_usermode->pw[GR_PW_LEN - 1] = '\0';
++ gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
+
+ /* Okay.
+ * We have our enough of the argument structure..(we have yet
+ * to copy_from_user the tables themselves) . Copy the tables
+ * only if we need them, i.e. for loading operations. */
+
-+ switch (gr_usermode.mode) {
++ switch (gr_usermode->mode) {
+ case GR_STATUS:
+ if (gr_acl_is_enabled()) {
+ error = 1;
@@ -73537,12 +73564,12 @@ index 0000000..361a099
+ error = 2;
+ goto out;
+ case GR_SHUTDOWN:
-+ if (gr_acl_is_enabled() && !(chkpw(&gr_usermode, (unsigned char *)&gr_system_salt, (unsigned char *)&gr_system_sum))) {
++ if (gr_acl_is_enabled() && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
+ stop_machine(gr_rbac_disable, NULL, NULL);
+ free_variables(false);
-+ memset(&gr_usermode, 0, sizeof(gr_usermode));
-+ memset(&gr_system_salt, 0, sizeof(gr_system_salt));
-+ memset(&gr_system_sum, 0, sizeof(gr_system_sum));
++ memset(gr_usermode, 0, sizeof(struct gr_arg));
++ memset(gr_system_salt, 0, GR_SALT_LEN);
++ memset(gr_system_sum, 0, GR_SHA_LEN);
+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
+ } else if (gr_acl_is_enabled()) {
+ gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
@@ -73553,7 +73580,7 @@ index 0000000..361a099
+ }
+ break;
+ case GR_ENABLE:
-+ if (!gr_acl_is_enabled() && !(error2 = gracl_init(&gr_usermode)))
++ if (!gr_acl_is_enabled() && !(error2 = gracl_init(gr_usermode)))
+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
+ else {
+ if (gr_acl_is_enabled())
@@ -73569,8 +73596,8 @@ index 0000000..361a099
+ if (!gr_acl_is_enabled()) {
+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
+ error = -EAGAIN;
-+ } else if (!(chkpw(&gr_usermode, (unsigned char *)&gr_system_salt, (unsigned char *)&gr_system_sum))) {
-+ error2 = gracl_reload(&gr_usermode, oldmode);
++ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
++ error2 = gracl_reload(gr_usermode, oldmode);
+ if (!error2)
+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
+ else {
@@ -73589,20 +73616,20 @@ index 0000000..361a099
+ break;
+ }
+
-+ if (!(chkpw(&gr_usermode, (unsigned char *)&gr_system_salt, (unsigned char *)&gr_system_sum))) {
++ if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
-+ if (gr_usermode.segv_device && gr_usermode.segv_inode) {
++ if (gr_usermode->segv_device && gr_usermode->segv_inode) {
+ struct acl_subject_label *segvacl;
+ segvacl =
-+ lookup_acl_subj_label(gr_usermode.segv_inode,
-+ gr_usermode.segv_device,
++ lookup_acl_subj_label(gr_usermode->segv_inode,
++ gr_usermode->segv_device,
+ current->role);
+ if (segvacl) {
+ segvacl->crashes = 0;
+ segvacl->expires = 0;
+ }
-+ } else if (gr_find_uid(gr_usermode.segv_uid) >= 0) {
-+ gr_remove_uid(gr_usermode.segv_uid);
++ } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
++ gr_remove_uid(gr_usermode->segv_uid);
+ }
+ } else {
+ gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
@@ -73629,11 +73656,11 @@ index 0000000..361a099
+ }
+
+ if (lookup_special_role_auth
-+ (gr_usermode.mode, gr_usermode.sp_role, &sprole_salt, &sprole_sum)
++ (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
+ && ((!sprole_salt && !sprole_sum)
-+ || !(chkpw(&gr_usermode, sprole_salt, sprole_sum)))) {
++ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
+ char *p = "";
-+ assign_special_role(gr_usermode.sp_role);
++ assign_special_role(gr_usermode->sp_role);
+ read_lock(&tasklist_lock);
+ if (current->real_parent)
+ p = current->real_parent->role->rolename;
@@ -73641,7 +73668,7 @@ index 0000000..361a099
+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
+ p, acl_sp_role_value);
+ } else {
-+ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode.sp_role);
++ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
+ error = -EPERM;
+ if(!(current->role->auth_attempts++))
+ current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
@@ -73675,7 +73702,7 @@ index 0000000..361a099
+ }
+ break;
+ default:
-+ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode.mode);
++ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
+ error = -EINVAL;
+ break;
+ }
@@ -75299,10 +75326,10 @@ index 0000000..8ca18bf
+}
diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c
new file mode 100644
-index 0000000..ae6c028
+index 0000000..b7cb191
--- /dev/null
+++ b/grsecurity/grsec_init.c
-@@ -0,0 +1,272 @@
+@@ -0,0 +1,286 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
@@ -75382,6 +75409,10 @@ index 0000000..ae6c028
+char *gr_alert_log_buf;
+char *gr_audit_log_buf;
+
++extern struct gr_arg *gr_usermode;
++extern unsigned char *gr_system_salt;
++extern unsigned char *gr_system_sum;
++
+void __init
+grsecurity_init(void)
+{
@@ -75422,6 +75453,16 @@ index 0000000..ae6c028
+ return;
+ }
+
++ /* allocate memory for authentication structure */
++ gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
++ gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
++ gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
++
++ if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
++ panic("Unable to allocate grsecurity authentication structure");
++ return;
++ }
++
+#ifdef CONFIG_GRKERNSEC_IO
+#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
+ grsec_disable_privio = 1;
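Review bot: The three authentication buffers are allocated with kmalloc() and so start out uninitialised, whereas the static objects they replace in gracl_policy.c were zero-filled. Any path that reads `gr_usermode`, or passes `gr_system_salt`/`gr_system_sum` to chkpw(), before a policy has been loaded would then see stale heap contents; whether such a path exists cannot be told from this hunk. Using kzalloc for all three keeps the old starting state, e.g. `gr_system_salt = kzalloc(GR_SALT_LEN, GFP_KERNEL);`. The `return;` after `panic()` is unreachable and can be dropped. grsecurity_init() begins and ends outside this hunk.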
@@ -77379,10 +77420,10 @@ index 0000000..ae02d8e
+EXPORT_SYMBOL_GPL(gr_handle_new_usb);
diff --git a/grsecurity/grsum.c b/grsecurity/grsum.c
new file mode 100644
-index 0000000..9f7b1ac
+index 0000000..158b330
--- /dev/null
+++ b/grsecurity/grsum.c
-@@ -0,0 +1,61 @@
+@@ -0,0 +1,64 @@
+#include <linux/err.h>
+#include <linux/kernel.h>
+#include <linux/sched.h>
@@ -77399,47 +77440,50 @@ index 0000000..9f7b1ac
+int
+chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
+{
-+ char *p;
+ struct crypto_hash *tfm;
+ struct hash_desc desc;
-+ struct scatterlist sg;
-+ unsigned char temp_sum[GR_SHA_LEN];
-+ volatile int retval = 0;
++ struct scatterlist sg[2];
++ unsigned char temp_sum[GR_SHA_LEN] __attribute__((aligned(__alignof__(unsigned long))));
++ unsigned long *tmpsumptr = (unsigned long *)temp_sum;
++ unsigned long *sumptr = (unsigned long *)sum;
++ int cryptres;
++ int retval = 1;
++ volatile int mismatched = 0;
+ volatile int dummy = 0;
+ unsigned int i;
+
-+ sg_init_table(&sg, 1);
-+
+ tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
+ if (IS_ERR(tfm)) {
+ /* should never happen, since sha256 should be built in */
++ memset(entry->pw, 0, GR_PW_LEN);
+ return 1;
+ }
+
++ sg_init_table(sg, 2);
++ sg_set_buf(&sg[0], salt, GR_SALT_LEN);
++ sg_set_buf(&sg[1], entry->pw, strlen(entry->pw));
++
+ desc.tfm = tfm;
+ desc.flags = 0;
+
-+ crypto_hash_init(&desc);
-+
-+ p = salt;
-+ sg_set_buf(&sg, p, GR_SALT_LEN);
-+ crypto_hash_update(&desc, &sg, sg.length);
-+
-+ p = entry->pw;
-+ sg_set_buf(&sg, p, strlen(p));
-+
-+ crypto_hash_update(&desc, &sg, sg.length);
-+
-+ crypto_hash_final(&desc, temp_sum);
++ cryptres = crypto_hash_digest(&desc, sg, GR_SALT_LEN + strlen(entry->pw),
++ temp_sum);
+
+ memset(entry->pw, 0, GR_PW_LEN);
+
-+ for (i = 0; i < GR_SHA_LEN; i++)
-+ if (sum[i] != temp_sum[i])
-+ retval = 1;
++ if (cryptres)
++ goto out;
++
++ for (i = 0; i < GR_SHA_LEN/sizeof(tmpsumptr[0]); i++)
++ if (sumptr[i] != tmpsumptr[i])
++ mismatched = 1;
+ else
+ dummy = 1; // waste a cycle
+
++ if (!mismatched)
++ retval = dummy - 1;
++
++out:
+ crypto_free_hash(tfm);
+
+ return retval;
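Review bot: `sumptr = (unsigned long *)sum` reads the caller's digest a word at a time, but only `temp_sum` is given an alignment attribute, so nothing in chkpw() guarantees that `sum` is suitably aligned. The kmalloc'd `gr_system_sum` is presumably fine, while the `sprole_sum` passed from the special-role path comes from code not visible here. The word loop also skips any trailing bytes unless GR_SHA_LEN is a multiple of `sizeof(unsigned long)`, which `BUILD_BUG_ON(GR_SHA_LEN % sizeof(unsigned long));` would pin at compile time. I would state the precondition above the function, `/* sum must be GR_SHA_LEN bytes and aligned for unsigned long */`, or keep the byte-wise comparison. The closing brace of chkpw() is outside the hunk.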
@@ -81138,10 +81182,10 @@ index b8e9a43..632678d 100644
int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
diff --git a/include/linux/libata.h b/include/linux/libata.h
-index 3fee55e..42565b7 100644
+index e13b3ae..5f450e6 100644
--- a/include/linux/libata.h
+++ b/include/linux/libata.h
-@@ -976,7 +976,7 @@ struct ata_port_operations {
+@@ -977,7 +977,7 @@ struct ata_port_operations {
* fields must be pointers.
*/
const struct ata_port_operations *inherits;
@@ -82419,7 +82463,7 @@ index cc7494a..1e27036 100644
extern bool qid_valid(struct kqid qid);
diff --git a/include/linux/random.h b/include/linux/random.h
-index 1cfce0e..b0b9235 100644
+index 1cfce0e..bf99e0b 100644
--- a/include/linux/random.h
+++ b/include/linux/random.h
@@ -9,9 +9,19 @@
@@ -82469,6 +82513,15 @@ index 1cfce0e..b0b9235 100644
/**
* prandom_u32_max - returns a pseudo-random number in interval [0, ep_ro)
* @ep_ro: right open interval endpoint
+@@ -49,7 +64,7 @@ void prandom_bytes_state(struct rnd_state *state, void *buf, int nbytes);
+ *
+ * Returns: pseudo-random number in interval [0, ep_ro)
+ */
+-static inline u32 prandom_u32_max(u32 ep_ro)
++static inline u32 __intentional_overflow(-1) prandom_u32_max(u32 ep_ro)
+ {
+ return (u32)(((u64) prandom_u32() * ep_ro) >> 32);
+ }
diff --git a/include/linux/rbtree_augmented.h b/include/linux/rbtree_augmented.h
index fea49b5..2ac22bb 100644
--- a/include/linux/rbtree_augmented.h
@@ -84221,31 +84274,52 @@ index c55aeed..b3393f4 100644
/** inet_connection_sock - INET connection oriented sock
*
diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h
-index 058271b..1a44af7 100644
+index 058271b..1af4453 100644
--- a/include/net/inetpeer.h
+++ b/include/net/inetpeer.h
-@@ -47,8 +47,8 @@ struct inet_peer {
+@@ -41,14 +41,13 @@ struct inet_peer {
+ struct rcu_head gc_rcu;
+ };
+ /*
+- * Once inet_peer is queued for deletion (refcnt == -1), following fields
+- * are not available: rid, ip_id_count
++ * Once inet_peer is queued for deletion (refcnt == -1), following field
++ * is not available: rid
+ * We can share memory with rcu_head to help keep inet_peer small.
*/
union {
struct {
- atomic_t rid; /* Frag reception counter */
- atomic_t ip_id_count; /* IP ID for the next packet */
-+ atomic_unchecked_t rid; /* Frag reception counter */
-+ atomic_unchecked_t ip_id_count; /* IP ID for the next packet */
++ atomic_unchecked_t rid; /* Frag reception counter */
};
struct rcu_head rcu;
struct inet_peer *gc_next;
-@@ -179,7 +179,7 @@ static inline int inet_getid(struct inet_peer *p, int more)
- {
- more++;
- inet_peer_refcheck(p);
-- return atomic_add_return(more, &p->ip_id_count) - more;
-+ return atomic_add_return_unchecked(more, &p->ip_id_count) - more;
+@@ -165,7 +164,7 @@ bool inet_peer_xrlim_allow(struct inet_peer *peer, int timeout);
+ void inetpeer_invalidate_tree(struct inet_peer_base *);
+
+ /*
+- * temporary check to make sure we dont access rid, ip_id_count, tcp_ts,
++ * temporary check to make sure we dont access rid, tcp_ts,
+ * tcp_ts_stamp if no refcount is taken on inet_peer
+ */
+ static inline void inet_peer_refcheck(const struct inet_peer *p)
+@@ -173,13 +172,4 @@ static inline void inet_peer_refcheck(const struct inet_peer *p)
+ WARN_ON_ONCE(atomic_read(&p->refcnt) <= 0);
}
+-
+-/* can be called with or without local BH being disabled */
+-static inline int inet_getid(struct inet_peer *p, int more)
+-{
+- more++;
+- inet_peer_refcheck(p);
+- return atomic_add_return(more, &p->ip_id_count) - more;
+-}
+-
#endif /* _NET_INETPEER_H */
diff --git a/include/net/ip.h b/include/net/ip.h
-index 23be0fd..0cb3e2c 100644
+index 23be0fd..7251808 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -214,7 +214,7 @@ static inline void snmp_mib_free(void __percpu *ptr[SNMP_ARRAY_SZ])
@@ -84257,6 +84331,55 @@ index 23be0fd..0cb3e2c 100644
static inline int inet_is_reserved_local_port(int port)
{
return test_bit(port, sysctl_local_reserved_ports);
+@@ -297,9 +297,10 @@ static inline unsigned int ip_skb_dst_mtu(const struct sk_buff *skb)
+ }
+ }
+
+-void __ip_select_ident(struct iphdr *iph, struct dst_entry *dst, int more);
++u32 ip_idents_reserve(u32 hash, int segs) __intentional_overflow(-1);
++void __ip_select_ident(struct iphdr *iph, int segs);
+
+-static inline void ip_select_ident(struct sk_buff *skb, struct dst_entry *dst, struct sock *sk)
++static inline void ip_select_ident_segs(struct sk_buff *skb, struct sock *sk, int segs)
+ {
+ struct iphdr *iph = ip_hdr(skb);
+
+@@ -309,24 +310,20 @@ static inline void ip_select_ident(struct sk_buff *skb, struct dst_entry *dst, s
+ * does not change, they drop every other packet in
+ * a TCP stream using header compression.
+ */
+- iph->id = (sk && inet_sk(sk)->inet_daddr) ?
+- htons(inet_sk(sk)->inet_id++) : 0;
+- } else
+- __ip_select_ident(iph, dst, 0);
+-}
+-
+-static inline void ip_select_ident_more(struct sk_buff *skb, struct dst_entry *dst, struct sock *sk, int more)
+-{
+- struct iphdr *iph = ip_hdr(skb);
+-
+- if ((iph->frag_off & htons(IP_DF)) && !skb->local_df) {
+ if (sk && inet_sk(sk)->inet_daddr) {
+ iph->id = htons(inet_sk(sk)->inet_id);
+- inet_sk(sk)->inet_id += 1 + more;
+- } else
++ inet_sk(sk)->inet_id += segs;
++ } else {
+ iph->id = 0;
+- } else
+- __ip_select_ident(iph, dst, more);
++ }
++ } else {
++ __ip_select_ident(iph, segs);
++ }
++}
++
++static inline void ip_select_ident(struct sk_buff *skb, struct sock *sk)
++{
++ ip_select_ident_segs(skb, sk, 1);
+ }
+
+ /*
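Review bot: ip_select_ident_segs() has no comment saying that `segs` is the total number of IDs consumed, not the extra count that the removed ip_select_ident_more() took (`inet_id += 1 + more` became `inet_id += segs`). A caller converted mechanically from the old helper would advance `inet_id` by one too few, and a zero or negative `segs` is accepted silently. A line above the function such as `/* @segs: number of IP IDs to reserve for this skb, at least 1 */` would record the contract. The callers are outside this hunk.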
diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
index 9922093..a1755d6 100644
--- a/include/net/ip_fib.h
@@ -84306,6 +84429,19 @@ index 5679d92..2e7a690 100644
/* ip_vs_est */
struct list_head est_list; /* estimator list */
spinlock_t est_lock;
+diff --git a/include/net/ipv6.h b/include/net/ipv6.h
+index 4f541f1..9ac6578 100644
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -660,8 +660,6 @@ static inline int ipv6_addr_diff(const struct in6_addr *a1, const struct in6_add
+ return __ipv6_addr_diff(a1, a2, sizeof(struct in6_addr));
+ }
+
+-void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt);
+-
+ int ip6_dst_hoplimit(struct dst_entry *dst);
+
+ /*
diff --git a/include/net/irda/ircomm_tty.h b/include/net/irda/ircomm_tty.h
index 8d4f588..2e37ad2 100644
--- a/include/net/irda/ircomm_tty.h
@@ -84706,6 +84842,19 @@ index 0dfcc92..7967849 100644
/* Structure to track chunk fragments that have been acked, but peer
+diff --git a/include/net/secure_seq.h b/include/net/secure_seq.h
+index f257486..3f36d45 100644
+--- a/include/net/secure_seq.h
++++ b/include/net/secure_seq.h
+@@ -3,8 +3,6 @@
+
+ #include <linux/types.h>
+
+-__u32 secure_ip_id(__be32 daddr);
+-__u32 secure_ipv6_id(const __be32 daddr[4]);
+ u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
+ u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
+ __be16 dport);
diff --git a/include/net/sock.h b/include/net/sock.h
index 2f7bc43..530dadc 100644
--- a/include/net/sock.h
@@ -91981,7 +92130,7 @@ index 0954450..0ed035c 100644
*data_page = bpage;
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
-index 7e259b2..e9d9452 100644
+index 7113672..e8a9c80 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -3412,7 +3412,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set)
@@ -92007,10 +92156,10 @@ index c8bd809..33d7539 100644
/*
* Normal trace_printk() and friends allocates special buffers
diff --git a/kernel/trace/trace_clock.c b/kernel/trace/trace_clock.c
-index 26dc348..8708ca7 100644
+index 57b67b1..66082a9 100644
--- a/kernel/trace/trace_clock.c
+++ b/kernel/trace/trace_clock.c
-@@ -123,7 +123,7 @@ u64 notrace trace_clock_global(void)
+@@ -124,7 +124,7 @@ u64 notrace trace_clock_global(void)
return now;
}
@@ -92019,7 +92168,7 @@ index 26dc348..8708ca7 100644
/*
* trace_clock_counter(): simply an atomic counter.
-@@ -132,5 +132,5 @@ static atomic64_t trace_counter;
+@@ -133,5 +133,5 @@ static atomic64_t trace_counter;
*/
u64 notrace trace_clock_counter(void)
{
@@ -93131,7 +93280,7 @@ index b32b70c..e512eb0 100644
set_page_address(page, (void *)vaddr);
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
-index 30dd626..e0a6729 100644
+index 923f38e..74e159a 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -2070,15 +2070,17 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
@@ -93176,7 +93325,7 @@ index 30dd626..e0a6729 100644
if (ret)
goto out;
-@@ -2615,6 +2619,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2616,6 +2620,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
return 1;
}
@@ -93204,7 +93353,7 @@ index 30dd626..e0a6729 100644
/*
* Hugetlb_cow() should be called with page lock of the original hugepage held.
* Called with hugetlb_instantiation_mutex held and pte_page locked so we
-@@ -2731,6 +2756,11 @@ retry_avoidcopy:
+@@ -2732,6 +2757,11 @@ retry_avoidcopy:
make_huge_pte(vma, new_page, 1));
page_remove_rmap(old_page);
hugepage_add_new_anon_rmap(new_page, vma, address);
@@ -93216,7 +93365,7 @@ index 30dd626..e0a6729 100644
/* Make the old page be freed below */
new_page = old_page;
}
-@@ -2895,6 +2925,10 @@ retry:
+@@ -2896,6 +2926,10 @@ retry:
&& (vma->vm_flags & VM_SHARED)));
set_huge_pte_at(mm, address, ptep, new_pte);
@@ -93227,7 +93376,7 @@ index 30dd626..e0a6729 100644
if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
/* Optimization, do the COW without a second fault */
ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page, ptl);
-@@ -2925,6 +2959,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2926,6 +2960,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
static DEFINE_MUTEX(hugetlb_instantiation_mutex);
struct hstate *h = hstate_vma(vma);
@@ -93238,7 +93387,7 @@ index 30dd626..e0a6729 100644
address &= huge_page_mask(h);
ptep = huge_pte_offset(mm, address);
-@@ -2938,6 +2976,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2939,6 +2977,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
VM_FAULT_SET_HINDEX(hstate_index(h));
}
@@ -93410,6 +93559,23 @@ index 539eeb9..e24a987 100644
error = 0;
if (end == start)
return error;
+diff --git a/mm/memcontrol.c b/mm/memcontrol.c
+index 5b6b003..9b35da2 100644
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -5670,8 +5670,12 @@ static int mem_cgroup_oom_notify_cb(struct mem_cgroup *memcg)
+ {
+ struct mem_cgroup_eventfd_list *ev;
+
++ spin_lock(&memcg_oom_lock);
++
+ list_for_each_entry(ev, &memcg->oom_notify, list)
+ eventfd_signal(ev->eventfd, 1);
++
++ spin_unlock(&memcg_oom_lock);
+ return 0;
+ }
+
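Review bot: The `spin_lock(&memcg_oom_lock)` pair added to mem_cgroup_oom_notify_cb() carries no comment naming what it protects. Presumably it serialises the walk of `memcg->oom_notify` against event registration and removal, which are not visible in this hunk. I would add `/* memcg_oom_lock guards memcg->oom_notify against concurrent (un)registration */` before the lock. The comment could also note that eventfd_signal() now runs with the lock held, so nothing inside the loop may sleep.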
diff --git a/mm/memory-failure.c b/mm/memory-failure.c
index 33365e9..2234ef9 100644
--- a/mm/memory-failure.c
@@ -96641,7 +96807,7 @@ index 8184a7c..ab27737 100644
if (slab_equal_or_root(cachep, s))
return cachep;
diff --git a/mm/slab_common.c b/mm/slab_common.c
-index 1ec3c61..2067c11 100644
+index f149e67..b366f92 100644
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -23,11 +23,22 @@
@@ -98613,7 +98779,7 @@ index 988721a..947846d 100644
switch (ss->ss_family) {
diff --git a/net/compat.c b/net/compat.c
-index f50161f..94fa415 100644
+index f50161f..ab7644e 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -73,9 +73,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
@@ -98629,17 +98795,28 @@ index f50161f..94fa415 100644
return 0;
}
-@@ -87,7 +87,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+@@ -85,21 +85,22 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+ {
+ int tot_len;
- if (kern_msg->msg_namelen) {
+- if (kern_msg->msg_namelen) {
++ if (kern_msg->msg_name && kern_msg->msg_namelen) {
if (mode == VERIFY_READ) {
- int err = move_addr_to_kernel(kern_msg->msg_name,
+ int err = move_addr_to_kernel((void __force_user *)kern_msg->msg_name,
kern_msg->msg_namelen,
kern_address);
if (err < 0)
-@@ -99,7 +99,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+ return err;
+ }
+- if (kern_msg->msg_name)
+- kern_msg->msg_name = kern_address;
+- } else
++ kern_msg->msg_name = kern_address;
++ } else {
kern_msg->msg_name = NULL;
++ kern_msg->msg_namelen = 0;
++ }
tot_len = iov_from_user_compat_to_kern(kern_iov,
- (struct compat_iovec __user *)kern_msg->msg_iov,
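Review bot: The new `else` branch in verify_compat_iovec() resets `msg_namelen` without a comment saying why, and the same applies to the matching change in verify_iovec() in net/core/iovec.c further down. The point of the change appears to be that later code must never see a NULL `msg_name` paired with a non-zero length, and that is worth stating next to the assignment: `/* no name buffer: clear the length too so nothing downstream trusts msg_namelen with a NULL msg_name */`. The `if` condition tests `msg_namelen` only for non-zero, so a negative value still takes the first branch; whether it is rejected later (e.g. inside move_addr_to_kernel) is not visible here. Both functions continue outside their hunks.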
@@ -98647,7 +98824,7 @@ index f50161f..94fa415 100644
kern_msg->msg_iovlen);
if (tot_len >= 0)
kern_msg->msg_iov = kern_iov;
-@@ -119,20 +119,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+@@ -119,20 +120,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
#define CMSG_COMPAT_FIRSTHDR(msg) \
(((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \
@@ -98671,7 +98848,7 @@ index f50161f..94fa415 100644
msg->msg_controllen)
return NULL;
return (struct compat_cmsghdr __user *)ptr;
-@@ -222,7 +222,7 @@ Efault:
+@@ -222,7 +223,7 @@ Efault:
int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *data)
{
@@ -98680,7 +98857,7 @@ index f50161f..94fa415 100644
struct compat_cmsghdr cmhdr;
struct compat_timeval ctv;
struct compat_timespec cts[3];
-@@ -278,7 +278,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
+@@ -278,7 +279,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
{
@@ -98689,7 +98866,7 @@ index f50161f..94fa415 100644
int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
int fdnum = scm->fp->count;
struct file **fp = scm->fp->fp;
-@@ -366,7 +366,7 @@ static int do_set_sock_timeout(struct socket *sock, int level,
+@@ -366,7 +367,7 @@ static int do_set_sock_timeout(struct socket *sock, int level,
return -EFAULT;
old_fs = get_fs();
set_fs(KERNEL_DS);
@@ -98698,7 +98875,7 @@ index f50161f..94fa415 100644
set_fs(old_fs);
return err;
-@@ -427,7 +427,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
+@@ -427,7 +428,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
len = sizeof(ktime);
old_fs = get_fs();
set_fs(KERNEL_DS);
@@ -98707,7 +98884,7 @@ index f50161f..94fa415 100644
set_fs(old_fs);
if (!err) {
-@@ -570,7 +570,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
+@@ -570,7 +571,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
case MCAST_JOIN_GROUP:
case MCAST_LEAVE_GROUP:
{
@@ -98716,7 +98893,7 @@ index f50161f..94fa415 100644
struct group_req __user *kgr =
compat_alloc_user_space(sizeof(struct group_req));
u32 interface;
-@@ -591,7 +591,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
+@@ -591,7 +592,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
case MCAST_BLOCK_SOURCE:
case MCAST_UNBLOCK_SOURCE:
{
@@ -98725,7 +98902,7 @@ index f50161f..94fa415 100644
struct group_source_req __user *kgsr = compat_alloc_user_space(
sizeof(struct group_source_req));
u32 interface;
-@@ -612,7 +612,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
+@@ -612,7 +613,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
}
case MCAST_MSFILTER:
{
@@ -98734,7 +98911,7 @@ index f50161f..94fa415 100644
struct group_filter __user *kgf;
u32 interface, fmode, numsrc;
-@@ -650,7 +650,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
+@@ -650,7 +651,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
char __user *optval, int __user *optlen,
int (*getsockopt)(struct sock *, int, int, char __user *, int __user *))
{
@@ -98743,7 +98920,7 @@ index f50161f..94fa415 100644
struct group_filter __user *kgf;
int __user *koptlen;
u32 interface, fmode, numsrc;
-@@ -803,7 +803,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
+@@ -803,7 +804,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
if (call < SYS_SOCKET || call > SYS_SENDMMSG)
return -EINVAL;
@@ -98968,11 +99145,15 @@ index dfa602c..3103d88 100644
fle->object = flo;
else
diff --git a/net/core/iovec.c b/net/core/iovec.c
-index b618694..192bbba 100644
+index b618694..cd5f0af 100644
--- a/net/core/iovec.c
+++ b/net/core/iovec.c
-@@ -42,7 +42,7 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *a
- if (m->msg_namelen) {
+@@ -39,23 +39,23 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *a
+ {
+ int size, ct, err;
+
+- if (m->msg_namelen) {
++ if (m->msg_name && m->msg_namelen) {
if (mode == VERIFY_READ) {
void __user *namep;
- namep = (void __user __force *) m->msg_name;
@@ -98980,7 +99161,14 @@ index b618694..192bbba 100644
err = move_addr_to_kernel(namep, m->msg_namelen,
address);
if (err < 0)
-@@ -55,7 +55,7 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *a
+ return err;
+ }
+- if (m->msg_name)
+- m->msg_name = address;
++ m->msg_name = address;
+ } else {
+ m->msg_name = NULL;
++ m->msg_namelen = 0;
}
size = m->msg_iovlen * sizeof(struct iovec);
@@ -99233,6 +99421,42 @@ index b442e7e..6f5b5a2 100644
i++, cmfptr++)
{
struct socket *sock;
+diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c
+index 897da56..ba71212 100644
+--- a/net/core/secure_seq.c
++++ b/net/core/secure_seq.c
+@@ -85,31 +85,6 @@ EXPORT_SYMBOL(secure_ipv6_port_ephemeral);
+ #endif
+
+ #ifdef CONFIG_INET
+-__u32 secure_ip_id(__be32 daddr)
+-{
+- u32 hash[MD5_DIGEST_WORDS];
+-
+- net_secret_init();
+- hash[0] = (__force __u32) daddr;
+- hash[1] = net_secret[13];
+- hash[2] = net_secret[14];
+- hash[3] = net_secret[15];
+-
+- md5_transform(hash, net_secret);
+-
+- return hash[0];
+-}
+-
+-__u32 secure_ipv6_id(const __be32 daddr[4])
+-{
+- __u32 hash[4];
+-
+- net_secret_init();
+- memcpy(hash, daddr, 16);
+- md5_transform(hash, net_secret);
+-
+- return hash[0];
+-}
+
+ __u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
+ __be16 sport, __be16 dport)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 7f2e1fc..6206b10 100644
--- a/net/core/skbuff.c
@@ -99697,6 +99921,28 @@ index 9d43468..ffa28cc 100644
return nh->nh_saddr;
}
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index 9db3b87..0ffcd4d 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -369,7 +369,7 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size)
+ pip->saddr = fl4.saddr;
+ pip->protocol = IPPROTO_IGMP;
+ pip->tot_len = 0; /* filled in later */
+- ip_select_ident(skb, &rt->dst, NULL);
++ ip_select_ident(skb, NULL);
+ ((u8 *)&pip[1])[0] = IPOPT_RA;
+ ((u8 *)&pip[1])[1] = 4;
+ ((u8 *)&pip[1])[2] = 0;
+@@ -714,7 +714,7 @@ static int igmp_send_report(struct in_device *in_dev, struct ip_mc_list *pmc,
+ iph->daddr = dst;
+ iph->saddr = fl4.saddr;
+ iph->protocol = IPPROTO_IGMP;
+- ip_select_ident(skb, &rt->dst, NULL);
++ ip_select_ident(skb, NULL);
+ ((u8 *)&iph[1])[0] = IPOPT_RA;
+ ((u8 *)&iph[1])[1] = 4;
+ ((u8 *)&iph[1])[2] = 0;
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 0d1e2cb..4501a2c 100644
--- a/net/ipv4/inet_connection_sock.c
@@ -99741,20 +99987,51 @@ index 8b9cf27..0d8d592 100644
inet_twsk_deschedule(tw, death_row);
while (twrefcnt) {
diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
-index 48f4244..f56d83a 100644
+index 48f4244..d83ba8a 100644
--- a/net/ipv4/inetpeer.c
+++ b/net/ipv4/inetpeer.c
-@@ -496,8 +496,8 @@ relookup:
+@@ -26,20 +26,7 @@
+ * Theory of operations.
+ * We keep one entry for each peer IP address. The nodes contains long-living
+ * information about the peer which doesn't depend on routes.
+- * At this moment this information consists only of ID field for the next
+- * outgoing IP packet. This field is incremented with each packet as encoded
+- * in inet_getid() function (include/net/inetpeer.h).
+- * At the moment of writing this notes identifier of IP packets is generated
+- * to be unpredictable using this code only for packets subjected
+- * (actually or potentially) to defragmentation. I.e. DF packets less than
+- * PMTU in size when local fragmentation is disabled use a constant ID and do
+- * not use this code (see ip_select_ident() in include/net/ip.h).
+ *
+- * Route cache entries hold references to our nodes.
+- * New cache entries get references via lookup by destination IP address in
+- * the avl tree. The reference is grabbed only when it's needed i.e. only
+- * when we try to output IP packet which needs an unpredictable ID (see
+- * __ip_select_ident() in net/ipv4/route.c).
+ * Nodes are removed only when reference counter goes to 0.
+ * When it's happened the node may be removed when a sufficient amount of
+ * time has been passed since its last use. The less-recently-used entry can
+@@ -62,7 +49,6 @@
+ * refcnt: atomically against modifications on other CPU;
+ * usually under some other lock to prevent node disappearing
+ * daddr: unchangeable
+- * ip_id_count: atomic value (no lock needed)
+ */
+
+ static struct kmem_cache *peer_cachep __read_mostly;
+@@ -496,11 +482,7 @@ relookup:
if (p) {
p->daddr = *daddr;
atomic_set(&p->refcnt, 1);
- atomic_set(&p->rid, 0);
- atomic_set(&p->ip_id_count,
+- (daddr->family == AF_INET) ?
+- secure_ip_id(daddr->addr.a4) :
+- secure_ipv6_id(daddr->addr.a6));
+ atomic_set_unchecked(&p->rid, 0);
-+ atomic_set_unchecked(&p->ip_id_count,
- (daddr->family == AF_INET) ?
- secure_ip_id(daddr->addr.a4) :
- secure_ipv6_id(daddr->addr.a6));
+ p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
+ p->rate_tokens = 0;
+ /* 60*HZ is arbitrary, but chosen enough high so that the first
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index c10a3ce..dd71f84 100644
--- a/net/ipv4/ip_fragment.c
@@ -99837,6 +100114,38 @@ index 94213c8..8bdb342 100644
.kind = "gretap",
.maxtype = IFLA_GRE_MAX,
.policy = ipgre_policy,
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index 73c6b63..ed88d78 100644
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -148,7 +148,7 @@ int ip_build_and_send_pkt(struct sk_buff *skb, struct sock *sk,
+ iph->daddr = (opt && opt->opt.srr ? opt->opt.faddr : daddr);
+ iph->saddr = saddr;
+ iph->protocol = sk->sk_protocol;
+- ip_select_ident(skb, &rt->dst, sk);
++ ip_select_ident(skb, sk);
+
+ if (opt && opt->opt.optlen) {
+ iph->ihl += opt->opt.optlen>>2;
+@@ -386,8 +386,7 @@ packet_routed:
+ ip_options_build(skb, &inet_opt->opt, inet->inet_daddr, rt, 0);
+ }
+
+- ip_select_ident_more(skb, &rt->dst, sk,
+- (skb_shinfo(skb)->gso_segs ?: 1) - 1);
++ ip_select_ident_segs(skb, sk, skb_shinfo(skb)->gso_segs ?: 1);
+
+ skb->priority = sk->sk_priority;
+ skb->mark = sk->sk_mark;
+@@ -1338,7 +1337,7 @@ struct sk_buff *__ip_make_skb(struct sock *sk,
+ iph->ttl = ttl;
+ iph->protocol = sk->sk_protocol;
+ ip_copy_addrs(iph, fl4);
+- ip_select_ident(skb, &rt->dst, sk);
++ ip_select_ident(skb, sk);
+
+ if (opt) {
+ iph->ihl += opt->optlen>>2;
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 580dd96..9fcef7e 100644
--- a/net/ipv4/ip_sockglue.c
@@ -99860,6 +100169,19 @@ index 580dd96..9fcef7e 100644
msg.msg_controllen = len;
msg.msg_flags = flags;
+diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
+index 8d69626..65b664d 100644
+--- a/net/ipv4/ip_tunnel_core.c
++++ b/net/ipv4/ip_tunnel_core.c
+@@ -74,7 +74,7 @@ int iptunnel_xmit(struct rtable *rt, struct sk_buff *skb,
+ iph->daddr = dst;
+ iph->saddr = src;
+ iph->ttl = ttl;
+- __ip_select_ident(iph, &rt->dst, (skb_shinfo(skb)->gso_segs ?: 1) - 1);
++ __ip_select_ident(iph, skb_shinfo(skb)->gso_segs ?: 1);
+
+ err = ip_local_out(skb);
+ if (unlikely(net_xmit_eval(err)))
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index e4a8f76..dd8ad72 100644
--- a/net/ipv4/ip_vti.c
@@ -99935,6 +100257,19 @@ index 62eaa00..29b2dc2 100644
.kind = "ipip",
.maxtype = IFLA_IPTUN_MAX,
.policy = ipip_policy,
+diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
+index 2886357..1149fc2 100644
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -1663,7 +1663,7 @@ static void ip_encap(struct sk_buff *skb, __be32 saddr, __be32 daddr)
+ iph->protocol = IPPROTO_IPIP;
+ iph->ihl = 5;
+ iph->tot_len = htons(skb->len);
+- ip_select_ident(skb, skb_dst(skb), NULL);
++ ip_select_ident(skb, NULL);
+ ip_send_check(iph);
+
+ memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index f95b6f9..2ee2097 100644
--- a/net/ipv4/netfilter/arp_tables.c
@@ -100118,7 +100453,7 @@ index e21934b..4e7cb58 100644
static int ping_v4_seq_show(struct seq_file *seq, void *v)
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
-index c04518f..c402063 100644
+index c04518f..d67116b 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -311,7 +311,7 @@ static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb)
@@ -100130,6 +100465,15 @@ index c04518f..c402063 100644
kfree_skb(skb);
return NET_RX_DROP;
}
+@@ -389,7 +389,7 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4,
+ iph->check = 0;
+ iph->tot_len = htons(length);
+ if (!iph->id)
+- ip_select_ident(skb, &rt->dst, NULL);
++ ip_select_ident(skb, NULL);
+
+ iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
+ }
@@ -748,16 +748,20 @@ static int raw_init(struct sock *sk)
static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
@@ -100173,10 +100517,18 @@ index c04518f..c402063 100644
static int raw_seq_show(struct seq_file *seq, void *v)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
-index 031553f..e482974 100644
+index 031553f..1f6f4e2 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
-@@ -233,7 +233,7 @@ static const struct seq_operations rt_cache_seq_ops = {
+@@ -89,6 +89,7 @@
+ #include <linux/rcupdate.h>
+ #include <linux/times.h>
+ #include <linux/slab.h>
++#include <linux/jhash.h>
+ #include <net/dst.h>
+ #include <net/net_namespace.h>
+ #include <net/protocol.h>
+@@ -233,7 +234,7 @@ static const struct seq_operations rt_cache_seq_ops = {
static int rt_cache_seq_open(struct inode *inode, struct file *file)
{
@@ -100185,7 +100537,7 @@ index 031553f..e482974 100644
}
static const struct file_operations rt_cache_seq_fops = {
-@@ -324,7 +324,7 @@ static const struct seq_operations rt_cpu_seq_ops = {
+@@ -324,7 +325,7 @@ static const struct seq_operations rt_cpu_seq_ops = {
static int rt_cpu_seq_open(struct inode *inode, struct file *file)
{
@@ -100194,7 +100546,7 @@ index 031553f..e482974 100644
}
static const struct file_operations rt_cpu_seq_fops = {
-@@ -362,7 +362,7 @@ static int rt_acct_proc_show(struct seq_file *m, void *v)
+@@ -362,7 +363,7 @@ static int rt_acct_proc_show(struct seq_file *m, void *v)
static int rt_acct_proc_open(struct inode *inode, struct file *file)
{
@@ -100203,7 +100555,78 @@ index 031553f..e482974 100644
}
static const struct file_operations rt_acct_proc_fops = {
-@@ -2624,34 +2624,34 @@ static struct ctl_table ipv4_route_flush_table[] = {
+@@ -462,39 +463,45 @@ static struct neighbour *ipv4_neigh_lookup(const struct dst_entry *dst,
+ return neigh_create(&arp_tbl, pkey, dev);
+ }
+
+-/*
+- * Peer allocation may fail only in serious out-of-memory conditions. However
+- * we still can generate some output.
+- * Random ID selection looks a bit dangerous because we have no chances to
+- * select ID being unique in a reasonable period of time.
+- * But broken packet identifier may be better than no packet at all.
++#define IP_IDENTS_SZ 2048u
++struct ip_ident_bucket {
++ atomic_unchecked_t id;
++ u32 stamp32;
++};
++
++static struct ip_ident_bucket *ip_idents __read_mostly;
++
++/* In order to protect privacy, we add a perturbation to identifiers
++ * if one generator is seldom used. This makes hard for an attacker
++ * to infer how many packets were sent between two points in time.
+ */
+-static void ip_select_fb_ident(struct iphdr *iph)
++u32 ip_idents_reserve(u32 hash, int segs)
+ {
+- static DEFINE_SPINLOCK(ip_fb_id_lock);
+- static u32 ip_fallback_id;
+- u32 salt;
++ struct ip_ident_bucket *bucket = ip_idents + hash % IP_IDENTS_SZ;
++ u32 old = ACCESS_ONCE(bucket->stamp32);
++ u32 now = (u32)jiffies;
++ u32 delta = 0;
+
+- spin_lock_bh(&ip_fb_id_lock);
+- salt = secure_ip_id((__force __be32)ip_fallback_id ^ iph->daddr);
+- iph->id = htons(salt & 0xFFFF);
+- ip_fallback_id = salt;
+- spin_unlock_bh(&ip_fb_id_lock);
++ if (old != now && cmpxchg(&bucket->stamp32, old, now) == old)
++ delta = prandom_u32_max(now - old);
++
++ return atomic_add_return_unchecked(segs + delta, &bucket->id) - segs;
+ }
++EXPORT_SYMBOL(ip_idents_reserve);
+
+-void __ip_select_ident(struct iphdr *iph, struct dst_entry *dst, int more)
++void __ip_select_ident(struct iphdr *iph, int segs)
+ {
+- struct net *net = dev_net(dst->dev);
+- struct inet_peer *peer;
++ static u32 ip_idents_hashrnd __read_mostly;
++ u32 hash, id;
+
+- peer = inet_getpeer_v4(net->ipv4.peers, iph->daddr, 1);
+- if (peer) {
+- iph->id = htons(inet_getid(peer, more));
+- inet_putpeer(peer);
+- return;
+- }
++ net_get_random_once(&ip_idents_hashrnd, sizeof(ip_idents_hashrnd));
+
+- ip_select_fb_ident(iph);
++ hash = jhash_3words((__force u32)iph->daddr,
++ (__force u32)iph->saddr,
++ iph->protocol,
++ ip_idents_hashrnd);
++ id = ip_idents_reserve(hash, segs);
++ iph->id = htons(id);
+ }
+ EXPORT_SYMBOL(__ip_select_ident);
+
+@@ -2624,34 +2631,34 @@ static struct ctl_table ipv4_route_flush_table[] = {
.maxlen = sizeof(int),
.mode = 0200,
.proc_handler = ipv4_sysctl_rtcache_flush,
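Review bot: ip_idents_reserve() is exported without a stated contract, and its comment claims more than the code shows. It returns the first of `segs` consecutive IDs from one of `IP_IDENTS_SZ` buckets, so every flow whose hash lands in the same bucket shares a counter. The random `delta` is added only when the bucket's `stamp32` differs from the current jiffies value and the `cmpxchg()` succeeds, so within one tick the IDs are still sequential. The comment should say this, and also that `segs` is expected to be a positive segment count, since it is an `int` added to a `u32` with no range check here. The perturbation comes from `prandom_u32_max()`, which is not a cryptographic generator, so the privacy argument presumably assumes an observer who cannot predict its output.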
@@ -100246,7 +100669,7 @@ index 031553f..e482974 100644
err_dup:
return -ENOMEM;
}
-@@ -2674,8 +2674,8 @@ static __net_initdata struct pernet_operations sysctl_route_ops = {
+@@ -2674,8 +2681,8 @@ static __net_initdata struct pernet_operations sysctl_route_ops = {
static __net_init int rt_genid_init(struct net *net)
{
@@ -100257,6 +100680,19 @@ index 031553f..e482974 100644
get_random_bytes(&net->ipv4.dev_addr_genid,
sizeof(net->ipv4.dev_addr_genid));
return 0;
+@@ -2718,6 +2725,12 @@ int __init ip_rt_init(void)
+ {
+ int rc = 0;
+
++ ip_idents = kmalloc(IP_IDENTS_SZ * sizeof(*ip_idents), GFP_KERNEL);
++ if (!ip_idents)
++ panic("IP: failed to allocate ip_idents\n");
++
++ prandom_bytes(ip_idents, IP_IDENTS_SZ * sizeof(*ip_idents));
++
+ #ifdef CONFIG_IP_ROUTE_CLASSID
+ ip_rt_acct = __alloc_percpu(256 * sizeof(struct ip_rt_acct), __alignof__(struct ip_rt_acct));
+ if (!ip_rt_acct)
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 44eba05..b36864b 100644
--- a/net/ipv4/sysctl_net_ipv4.c
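Review bot: The bucket table's starting state is filled with `prandom_bytes()` inside ip_rt_init(), so the first IDs and stamps are only as unpredictable as the pseudo-random generator's seed at that point in boot, which this hunk does not show. If that seed can be weak this early, `get_random_bytes(ip_idents, IP_IDENTS_SZ * sizeof(*ip_idents));` is the more conservative fill and matches the `get_random_bytes()` call visible in rt_genid_init(). The allocation could also be written `kmalloc_array(IP_IDENTS_SZ, sizeof(*ip_idents), GFP_KERNEL)` to keep the size arithmetic out of the call site. ip_rt_init() continues past the end of the hunk.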
@@ -100553,6 +100989,33 @@ index 64f0354..a81b39d 100644
if (retransmits_timed_out(sk, retry_until,
syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
/* Has it gone just too far? */
+diff --git a/net/ipv4/tcp_vegas.c b/net/ipv4/tcp_vegas.c
+index 06cae62..6b1a5fd 100644
+--- a/net/ipv4/tcp_vegas.c
++++ b/net/ipv4/tcp_vegas.c
+@@ -219,7 +219,8 @@ static void tcp_vegas_cong_avoid(struct sock *sk, u32 ack, u32 acked,
+ * This is:
+ * (actual rate in segments) * baseRTT
+ */
+- target_cwnd = tp->snd_cwnd * vegas->baseRTT / rtt;
++ target_cwnd = (u64)tp->snd_cwnd * vegas->baseRTT;
++ do_div(target_cwnd, rtt);
+
+ /* Calculate the difference between the window we had,
+ * and the window we would like to have. This quantity
+diff --git a/net/ipv4/tcp_veno.c b/net/ipv4/tcp_veno.c
+index 326475a..603ad49 100644
+--- a/net/ipv4/tcp_veno.c
++++ b/net/ipv4/tcp_veno.c
+@@ -145,7 +145,7 @@ static void tcp_veno_cong_avoid(struct sock *sk, u32 ack, u32 acked,
+
+ rtt = veno->minrtt;
+
+- target_cwnd = (tp->snd_cwnd * veno->basertt);
++ target_cwnd = (u64)tp->snd_cwnd * veno->basertt;
+ target_cwnd <<= V_PARAM_SHIFT;
+ do_div(target_cwnd, rtt);
+
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index b25e852..cdc3258 100644
--- a/net/ipv4/udp.c
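Review bot: The `(u64)` cast on `tp->snd_cwnd` is what makes the multiplication 64-bit in both tcp_vegas_cong_avoid() and tcp_veno_cong_avoid(), and neither site says so. A later cleanup could drop it as redundant and presumably bring back the truncated product. A one-line comment above each assignment, such as `/* widen before multiplying: cwnd * RTT can exceed 32 bits */`, would protect it. Both changes also rely on `target_cwnd` being a 64-bit lvalue and on `rtt` being non-zero when `do_div()` runs; the declaration and any such guard are outside these hunks.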
@@ -100671,6 +101134,24 @@ index b25e852..cdc3258 100644
}
int udp4_seq_show(struct seq_file *seq, void *v)
+diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c
+index 31b1815..1f564a1 100644
+--- a/net/ipv4/xfrm4_mode_tunnel.c
++++ b/net/ipv4/xfrm4_mode_tunnel.c
+@@ -117,12 +117,12 @@ static int xfrm4_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
+
+ top_iph->frag_off = (flags & XFRM_STATE_NOPMTUDISC) ?
+ 0 : (XFRM_MODE_SKB_CB(skb)->frag_off & htons(IP_DF));
+- ip_select_ident(skb, dst->child, NULL);
+
+ top_iph->ttl = ip4_dst_hoplimit(dst->child);
+
+ top_iph->saddr = x->props.saddr.a4;
+ top_iph->daddr = x->id.daddr.a4;
++ ip_select_ident(skb, NULL);
+
+ return 0;
+ }
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index e1a6393..f634ce5 100644
--- a/net/ipv4/xfrm4_policy.c
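Review bot: Moving `ip_select_ident(skb, NULL);` below the address assignments in xfrm4_mode_tunnel_output() introduces an ordering rule that is not written down in the hunk. The new __ip_select_ident() in net/ipv4/route.c, presumably reached through ip_select_ident(), hashes `iph->daddr`, `iph->saddr` and `iph->protocol`, so the call has to come after all three are filled in. `top_iph->protocol` is assigned outside this hunk, so its position should be confirmed. A comment on the call, e.g. `/* after saddr/daddr/protocol: the ID hash reads them */`, would keep a future reorder from silently hashing stale header fields.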
@@ -100884,6 +101365,31 @@ index 2465d18..bc5bf7f 100644
.kind = "ip6gretap",
.maxtype = IFLA_GRE_MAX,
.policy = ip6gre_policy,
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index a62b610..073e5a6 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -537,6 +537,20 @@ static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
+ skb_copy_secmark(to, from);
+ }
+
++static void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
++{
++ static u32 ip6_idents_hashrnd __read_mostly;
++ u32 hash, id;
++
++ net_get_random_once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd));
++
++ hash = __ipv6_addr_jhash(&rt->rt6i_dst.addr, ip6_idents_hashrnd);
++ hash = __ipv6_addr_jhash(&rt->rt6i_src.addr, hash);
++
++ id = ip_idents_reserve(hash, 1);
++ fhdr->identification = htonl(id);
++}
++
+ int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
+ {
+ struct sk_buff *frag;
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 9120339..cfdd84f 100644
--- a/net/ipv6/ip6_tunnel.c
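Review bot: The new static ipv6_select_ident() uses `rt` unconditionally in `__ipv6_addr_jhash(&rt->rt6i_dst.addr, ip6_idents_hashrnd)`, while the implementation removed from net/ipv6/output_core.c later in this patch began with `if (rt && ...)`. Whether every remaining caller passes a non-NULL route is not visible here; ip6_fragment() starts right after the function and its body is outside the hunk. Either state the precondition in a comment, `/* rt must be non-NULL */`, or keep the NULL test before touching `rt->rt6i_dst` and `rt->rt6i_src`.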
@@ -101033,27 +101539,40 @@ index 767ab8d..c5ec70a 100644
return -ENOMEM;
}
diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
-index b31a012..c36f09c 100644
+index b31a012..ab2f47d 100644
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
-@@ -9,7 +9,7 @@
+@@ -7,30 +7,6 @@
+ #include <net/ip6_fib.h>
+ #include <net/addrconf.h>
- void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
- {
+-void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
+-{
- static atomic_t ipv6_fragmentation_id;
-+ static atomic_unchecked_t ipv6_fragmentation_id;
- int ident;
-
- #if IS_ENABLED(CONFIG_IPV6)
-@@ -26,7 +26,7 @@ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
- }
- }
- #endif
+- int ident;
+-
+-#if IS_ENABLED(CONFIG_IPV6)
+- if (rt && !(rt->dst.flags & DST_NOPEER)) {
+- struct inet_peer *peer;
+- struct net *net;
+-
+- net = dev_net(rt->dst.dev);
+- peer = inet_getpeer_v6(net->ipv6.peers, &rt->rt6i_dst.addr, 1);
+- if (peer) {
+- fhdr->identification = htonl(inet_getid(peer, 0));
+- inet_putpeer(peer);
+- return;
+- }
+- }
+-#endif
- ident = atomic_inc_return(&ipv6_fragmentation_id);
-+ ident = atomic_inc_return_unchecked(&ipv6_fragmentation_id);
- fhdr->identification = htonl(ident);
- }
- EXPORT_SYMBOL(ipv6_select_ident);
+- fhdr->identification = htonl(ident);
+-}
+-EXPORT_SYMBOL(ipv6_select_ident);
+-
+ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+ {
+ u16 offset = sizeof(struct ipv6hdr);
diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c
index bda7429..469b26b 100644
--- a/net/ipv6/ping.c
@@ -102094,9 +102613,18 @@ index db80126..ef7110e 100644
cp->old_state = cp->state;
/*
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
-index c47444e..b0961c6 100644
+index c47444e..e9a86e6 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
+@@ -883,7 +883,7 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
+ iph->daddr = cp->daddr.ip;
+ iph->saddr = saddr;
+ iph->ttl = old_iph->ttl;
+- ip_select_ident(skb, &rt->dst, NULL);
++ ip_select_ident(skb, NULL);
+
+ /* Another hack: avoid icmp_send in ip_fragment */
+ skb->local_df = 1;
@@ -1102,7 +1102,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
else
rc = NF_ACCEPT;
@@ -109632,10 +110160,10 @@ index 0000000..39d7cc7
+}
diff --git a/tools/gcc/randomize_layout_plugin.c b/tools/gcc/randomize_layout_plugin.c
new file mode 100644
-index 0000000..8dafb22
+index 0000000..a5cb46b
--- /dev/null
+++ b/tools/gcc/randomize_layout_plugin.c
-@@ -0,0 +1,910 @@
+@@ -0,0 +1,915 @@
+/*
+ * Copyright 2014 by Open Source Security, Inc., Brad Spengler <spender@grsecurity.net>
+ * and PaX Team <pageexec@freemail.hu>
@@ -109954,6 +110482,11 @@ index 0000000..8dafb22
+ lookup_attribute("no_randomize_layout", TYPE_ATTRIBUTES(TYPE_MAIN_VARIANT(type))))
+ return 0;
+
++ /* Workaround for 3rd-party VirtualBox source that we can't modify ourselves */
++ if (!strcmp((const char *)ORIG_TYPE_NAME(type), "INTNETTRUNKFACTORY") ||
++ !strcmp((const char *)ORIG_TYPE_NAME(type), "RAWPCIFACTORY"))
++ return 0;
++
+ /* throw out any structs in uapi */
+ xloc = expand_location(DECL_SOURCE_LOCATION(TYPE_FIELDS(type)));
+
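Review bot: The VirtualBox workaround exempts types by bare name, so any struct called `INTNETTRUNKFACTORY` or `RAWPCIFACTORY` in any translation unit built with the plugin loses layout randomization, not only the third-party one the comment refers to. The two `strcmp()` calls also assume `ORIG_TYPE_NAME(type)` is never NULL at this point, which depends on checks earlier in the function that this hunk does not show. Keeping the exempt names in a single `static const char *const` table, with a comment naming the external source each entry comes from, would make the list auditable and keep the exemption from growing unnoticed.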
@@ -121617,10 +122150,10 @@ index 0000000..0888f6c
+
diff --git a/tools/gcc/stackleak_plugin.c b/tools/gcc/stackleak_plugin.c
new file mode 100644
-index 0000000..dd94983
+index 0000000..924652b
--- /dev/null
+++ b/tools/gcc/stackleak_plugin.c
-@@ -0,0 +1,376 @@
+@@ -0,0 +1,395 @@
+/*
+ * Copyright 2011-2014 by the PaX Team <pageexec@freemail.hu>
+ * Licensed under the GPL v2
@@ -121652,7 +122185,7 @@ index 0000000..dd94983
+static bool init_locals;
+
+static struct plugin_info stackleak_plugin_info = {
-+ .version = "201402131920",
++ .version = "201408011900",
+ .help = "track-lowest-sp=nn\ttrack sp in functions whose frame size is at least nn bytes\n"
+// "initialize-locals\t\tforcibly initialize all stack frames\n"
+};
@@ -121798,6 +122331,25 @@ index 0000000..dd94983
+
+static bool gate_stackleak_track_stack(void)
+{
++ tree section;
++
++ if (ix86_cmodel != CM_KERNEL)
++ return false;
++
++ section = lookup_attribute("section", DECL_ATTRIBUTES(current_function_decl));
++ if (section && TREE_VALUE(section)) {
++ section = TREE_VALUE(TREE_VALUE(section));
++
++ if (!strncmp(TREE_STRING_POINTER(section), ".init.text", 10))
++ return false;
++ if (!strncmp(TREE_STRING_POINTER(section), ".devinit.text", 13))
++ return false;
++ if (!strncmp(TREE_STRING_POINTER(section), ".cpuinit.text", 13))
++ return false;
++ if (!strncmp(TREE_STRING_POINTER(section), ".meminit.text", 13))
++ return false;
++ }
++
+ return track_frame_size >= 0;
+}
+
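Review bot: The section tests in gate_stackleak_track_stack() hard-code the prefix lengths (`10`, `13`) next to the string literals, which is easy to get wrong when a name is added or edited. A wrong length would silently change which functions are left without stack tracking. Deriving the length from the literal, `!strncmp(TREE_STRING_POINTER(section), ".init.text", sizeof(".init.text") - 1)`, or looping over a small table of prefixes removes the hand counting. The comparison is a prefix match, so a section such as `.init.text.something` is skipped as well; if that is intended it deserves a comment, as does the reason functions in these init sections are exempt.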
diff --git a/3.14.14/4425_grsec_remove_EI_PAX.patch b/3.14.15/4425_grsec_remove_EI_PAX.patch
index fc51f79..fc51f79 100644
--- a/3.14.14/4425_grsec_remove_EI_PAX.patch
+++ b/3.14.15/4425_grsec_remove_EI_PAX.patch
diff --git a/3.14.14/4427_force_XATTR_PAX_tmpfs.patch b/3.14.15/4427_force_XATTR_PAX_tmpfs.patch
index 11a7d2c..11a7d2c 100644
--- a/3.14.14/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.14.15/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.14.14/4430_grsec-remove-localversion-grsec.patch b/3.14.15/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.14.14/4430_grsec-remove-localversion-grsec.patch
+++ b/3.14.15/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.14.14/4435_grsec-mute-warnings.patch b/3.14.15/4435_grsec-mute-warnings.patch
index 392cefb..392cefb 100644
--- a/3.14.14/4435_grsec-mute-warnings.patch
+++ b/3.14.15/4435_grsec-mute-warnings.patch
diff --git a/3.14.14/4440_grsec-remove-protected-paths.patch b/3.14.15/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/3.14.14/4440_grsec-remove-protected-paths.patch
+++ b/3.14.15/4440_grsec-remove-protected-paths.patch
diff --git a/3.14.14/4450_grsec-kconfig-default-gids.patch b/3.14.15/4450_grsec-kconfig-default-gids.patch
index af218a8..af218a8 100644
--- a/3.14.14/4450_grsec-kconfig-default-gids.patch
+++ b/3.14.15/4450_grsec-kconfig-default-gids.patch
diff --git a/3.14.14/4465_selinux-avc_audit-log-curr_ip.patch b/3.14.15/4465_selinux-avc_audit-log-curr_ip.patch
index fb528d0..fb528d0 100644
--- a/3.14.14/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.14.15/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.14.14/4470_disable-compat_vdso.patch b/3.14.15/4470_disable-compat_vdso.patch
index 677174c..677174c 100644
--- a/3.14.14/4470_disable-compat_vdso.patch
+++ b/3.14.15/4470_disable-compat_vdso.patch
diff --git a/3.14.14/4475_emutramp_default_on.patch b/3.14.15/4475_emutramp_default_on.patch
index cf88fd9..cf88fd9 100644
--- a/3.14.14/4475_emutramp_default_on.patch
+++ b/3.14.15/4475_emutramp_default_on.patch
diff --git a/3.15.7/0000_README b/3.15.8/0000_README
index 2a1a393..e6666ca 100644
--- a/3.15.7/0000_README
+++ b/3.15.8/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.15.7-201407282112.patch
+Patch: 4420_grsecurity-3.0-3.15.8-201408040708.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.15.7/4420_grsecurity-3.0-3.15.7-201407282112.patch b/3.15.8/4420_grsecurity-3.0-3.15.8-201408040708.patch
index 6902f76..923c63e 100644
--- a/3.15.7/4420_grsecurity-3.0-3.15.7-201407282112.patch
+++ b/3.15.8/4420_grsecurity-3.0-3.15.8-201408040708.patch
@@ -287,7 +287,7 @@ index 30a8ad0d..2ed9efd 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index 833f67f..3689bcf 100644
+index d5d9a22..998d19e 100644
--- a/Makefile
+++ b/Makefile
@@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -386,16 +386,7 @@ index 833f67f..3689bcf 100644
include $(srctree)/arch/$(SRCARCH)/Makefile
ifdef CONFIG_READABLE_ASM
-@@ -669,6 +736,8 @@ KBUILD_CFLAGS += -fomit-frame-pointer
- endif
- endif
-
-+KBUILD_CFLAGS += $(call cc-option, -fno-var-tracking-assignments)
-+
- ifdef CONFIG_DEBUG_INFO
- KBUILD_CFLAGS += -g
- KBUILD_AFLAGS += -Wa,--gdwarf-2
-@@ -816,7 +885,7 @@ export mod_sign_cmd
+@@ -818,7 +885,7 @@ export mod_sign_cmd
ifeq ($(KBUILD_EXTMOD),)
@@ -404,7 +395,7 @@ index 833f67f..3689bcf 100644
vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
$(core-y) $(core-m) $(drivers-y) $(drivers-m) \
-@@ -865,6 +934,8 @@ endif
+@@ -867,6 +934,8 @@ endif
# The actual objects are generated when descending,
# make sure no implicit rule kicks in
@@ -413,7 +404,7 @@ index 833f67f..3689bcf 100644
$(sort $(vmlinux-deps)): $(vmlinux-dirs) ;
# Handle descending into subdirectories listed in $(vmlinux-dirs)
-@@ -874,7 +945,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ;
+@@ -876,7 +945,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ;
# Error messages still appears in the original language
PHONY += $(vmlinux-dirs)
@@ -422,7 +413,7 @@ index 833f67f..3689bcf 100644
$(Q)$(MAKE) $(build)=$@
define filechk_kernel.release
-@@ -917,10 +988,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \
+@@ -919,10 +988,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \
archprepare: archheaders archscripts prepare1 scripts_basic
@@ -436,7 +427,7 @@ index 833f67f..3689bcf 100644
prepare: prepare0
# Generate some files
-@@ -1028,6 +1102,8 @@ all: modules
+@@ -1030,6 +1102,8 @@ all: modules
# using awk while concatenating to the final file.
PHONY += modules
@@ -445,7 +436,7 @@ index 833f67f..3689bcf 100644
modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin
$(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order
@$(kecho) ' Building modules, stage 2.';
-@@ -1043,7 +1119,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin)
+@@ -1045,7 +1119,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin)
# Target to prepare building external modules
PHONY += modules_prepare
@@ -454,7 +445,7 @@ index 833f67f..3689bcf 100644
# Target to install modules
PHONY += modules_install
-@@ -1109,7 +1185,10 @@ MRPROPER_FILES += .config .config.old .version .old_version $(version_h) \
+@@ -1111,7 +1185,10 @@ MRPROPER_FILES += .config .config.old .version .old_version $(version_h) \
Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \
signing_key.priv signing_key.x509 x509.genkey \
extra_certificates signing_key.x509.keyid \
@@ -466,7 +457,7 @@ index 833f67f..3689bcf 100644
# clean - Delete most, but leave enough to build external modules
#
-@@ -1148,7 +1227,7 @@ distclean: mrproper
+@@ -1150,7 +1227,7 @@ distclean: mrproper
@find $(srctree) $(RCS_FIND_IGNORE) \
\( -name '*.orig' -o -name '*.rej' -o -name '*~' \
-o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
@@ -475,7 +466,7 @@ index 833f67f..3689bcf 100644
-type f -print | xargs rm -f
-@@ -1309,6 +1388,8 @@ PHONY += $(module-dirs) modules
+@@ -1311,6 +1388,8 @@ PHONY += $(module-dirs) modules
$(module-dirs): crmodverdir $(objtree)/Module.symvers
$(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
@@ -484,7 +475,7 @@ index 833f67f..3689bcf 100644
modules: $(module-dirs)
@$(kecho) ' Building modules, stage 2.';
$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
-@@ -1448,17 +1529,21 @@ else
+@@ -1450,17 +1529,21 @@ else
target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
endif
@@ -510,7 +501,7 @@ index 833f67f..3689bcf 100644
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
%.symtypes: %.c prepare scripts FORCE
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
-@@ -1468,11 +1553,15 @@ endif
+@@ -1470,11 +1553,15 @@ endif
$(cmd_crmodverdir)
$(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
$(build)=$(build-dir)
@@ -3306,7 +3297,7 @@ index 7bcee5c..e2f3249 100644
__data_loc = .;
#endif
diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
-index f0e50a0..8d5d36c 100644
+index f0e50a0..cab3a75 100644
--- a/arch/arm/kvm/arm.c
+++ b/arch/arm/kvm/arm.c
@@ -57,7 +57,7 @@ static unsigned long hyp_default_vectors;
@@ -3345,6 +3336,15 @@ index f0e50a0..8d5d36c 100644
kvm->arch.vmid = kvm_next_vmid;
kvm_next_vmid++;
+@@ -1033,7 +1033,7 @@ static void check_kvm_target_cpu(void *ret)
+ /**
+ * Initialize Hyp-mode and memory mappings on all CPUs.
+ */
+-int kvm_arch_init(void *opaque)
++int kvm_arch_init(const void *opaque)
+ {
+ int err;
+ int ret, cpu;
diff --git a/arch/arm/lib/clear_user.S b/arch/arm/lib/clear_user.S
index 14a0d98..7771a7d 100644
--- a/arch/arm/lib/clear_user.S
@@ -7173,6 +7173,19 @@ index 8119ac2..b229939 100644
info.si_code = FPE_INTOVF;
info.si_signo = SIGFPE;
+diff --git a/arch/mips/kvm/kvm_mips.c b/arch/mips/kvm/kvm_mips.c
+index 3e0ff8d..9eafbf0b 100644
+--- a/arch/mips/kvm/kvm_mips.c
++++ b/arch/mips/kvm/kvm_mips.c
+@@ -832,7 +832,7 @@ long kvm_arch_vm_ioctl(struct file *filp, unsigned int ioctl, unsigned long arg)
+ return r;
+ }
+
+-int kvm_arch_init(void *opaque)
++int kvm_arch_init(const void *opaque)
+ {
+ int ret;
+
diff --git a/arch/mips/mm/fault.c b/arch/mips/mm/fault.c
index becc42b..9e43d4b 100644
--- a/arch/mips/mm/fault.c
@@ -19343,7 +19356,7 @@ index 04905bf..49203ca 100644
}
diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
-index 0d592e0..7437fcc 100644
+index 0d592e0..526f797 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -7,6 +7,7 @@
@@ -19760,7 +19773,7 @@ index 0d592e0..7437fcc 100644
+ copy_from_user_overflow();
+ else
+ __copy_from_user_overflow(sz, n);
-+ } if (access_ok(VERIFY_READ, from, n))
++ } else if (access_ok(VERIFY_READ, from, n))
+ n = __copy_from_user(to, from, n);
+ else if ((long)n > 0)
+ memset(to, 0, n);
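Review bot: The `if`/`else if` chain here mixes a braced first arm with unbraced `else if` arms, which is the layout in which the earlier `} if (access_ok(VERIFY_READ, from, n))` went unnoticed and apparently let the copy run after the overflow arm had already fired. Bracing every arm, `} else if (access_ok(VERIFY_READ, from, n)) {` and `} else if ((long)n > 0) {`, makes a dropped `else` stand out in review. The start of the function and the size check itself are outside the hunk, so whether `to` is also cleared on the overflow arm cannot be confirmed from here.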
@@ -22021,7 +22034,7 @@ index 01d1c18..8073693 100644
#include <asm/processor.h>
#include <asm/fcntl.h>
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
-index 6491353..a918952 100644
+index c87810b..413d83f 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -177,13 +177,153 @@
@@ -22364,7 +22377,7 @@ index 6491353..a918952 100644
# system call tracing in operation / emulation
testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%ebp)
jnz syscall_trace_entry
-@@ -525,6 +723,15 @@ syscall_exit:
+@@ -526,6 +724,15 @@ syscall_exit:
testl $_TIF_ALLWORK_MASK, %ecx # current->work
jne syscall_exit_work
@@ -22380,7 +22393,7 @@ index 6491353..a918952 100644
restore_all:
TRACE_IRQS_IRET
restore_all_notrace:
-@@ -576,14 +783,34 @@ ldt_ss:
+@@ -577,14 +784,34 @@ ldt_ss:
* compensating for the offset by changing to the ESPFIX segment with
* a base address that matches for the difference.
*/
@@ -22418,7 +22431,7 @@ index 6491353..a918952 100644
pushl_cfi $__ESPFIX_SS
pushl_cfi %eax /* new kernel esp */
/* Disable interrupts, but do not irqtrace this section: we
-@@ -612,20 +839,18 @@ work_resched:
+@@ -613,20 +840,18 @@ work_resched:
movl TI_flags(%ebp), %ecx
andl $_TIF_WORK_MASK, %ecx # is there any work to be done other
# than syscall tracing?
@@ -22441,7 +22454,7 @@ index 6491353..a918952 100644
#endif
TRACE_IRQS_ON
ENABLE_INTERRUPTS(CLBR_NONE)
-@@ -646,7 +871,7 @@ work_notifysig_v86:
+@@ -647,7 +872,7 @@ work_notifysig_v86:
movl %eax, %esp
jmp 1b
#endif
@@ -22450,7 +22463,7 @@ index 6491353..a918952 100644
# perform syscall exit tracing
ALIGN
-@@ -654,11 +879,14 @@ syscall_trace_entry:
+@@ -655,11 +880,14 @@ syscall_trace_entry:
movl $-ENOSYS,PT_EAX(%esp)
movl %esp, %eax
call syscall_trace_enter
@@ -22466,7 +22479,7 @@ index 6491353..a918952 100644
# perform syscall exit tracing
ALIGN
-@@ -671,26 +899,30 @@ syscall_exit_work:
+@@ -672,26 +900,30 @@ syscall_exit_work:
movl %esp, %eax
call syscall_trace_leave
jmp resume_userspace
@@ -22488,20 +22501,20 @@ index 6491353..a918952 100644
+ENDPROC(syscall_fault)
syscall_badsys:
- movl $-ENOSYS,PT_EAX(%esp)
- jmp syscall_exit
+ movl $-ENOSYS,%eax
+ jmp syscall_after_call
-END(syscall_badsys)
+ENDPROC(syscall_badsys)
sysenter_badsys:
- movl $-ENOSYS,PT_EAX(%esp)
+ movl $-ENOSYS,%eax
jmp sysenter_after_call
-END(syscall_badsys)
+ENDPROC(sysenter_badsys)
CFI_ENDPROC
/*
* End of kprobes section
-@@ -706,8 +938,15 @@ END(syscall_badsys)
+@@ -707,8 +939,15 @@ END(syscall_badsys)
* normal stack and adjusts ESP with the matching offset.
*/
/* fixup the stack */
@@ -22519,7 +22532,7 @@ index 6491353..a918952 100644
shl $16, %eax
addl %esp, %eax /* the adjusted stack pointer */
pushl_cfi $__KERNEL_DS
-@@ -760,7 +999,7 @@ vector=vector+1
+@@ -761,7 +1000,7 @@ vector=vector+1
.endr
2: jmp common_interrupt
.endr
@@ -22528,7 +22541,7 @@ index 6491353..a918952 100644
.previous
END(interrupt)
-@@ -821,7 +1060,7 @@ ENTRY(coprocessor_error)
+@@ -822,7 +1061,7 @@ ENTRY(coprocessor_error)
pushl_cfi $do_coprocessor_error
jmp error_code
CFI_ENDPROC
@@ -22537,7 +22550,7 @@ index 6491353..a918952 100644
ENTRY(simd_coprocessor_error)
RING0_INT_FRAME
-@@ -834,7 +1073,7 @@ ENTRY(simd_coprocessor_error)
+@@ -835,7 +1074,7 @@ ENTRY(simd_coprocessor_error)
.section .altinstructions,"a"
altinstruction_entry 661b, 663f, X86_FEATURE_XMM, 662b-661b, 664f-663f
.previous
@@ -22546,7 +22559,7 @@ index 6491353..a918952 100644
663: pushl $do_simd_coprocessor_error
664:
.previous
-@@ -843,7 +1082,7 @@ ENTRY(simd_coprocessor_error)
+@@ -844,7 +1083,7 @@ ENTRY(simd_coprocessor_error)
#endif
jmp error_code
CFI_ENDPROC
@@ -22555,7 +22568,7 @@ index 6491353..a918952 100644
ENTRY(device_not_available)
RING0_INT_FRAME
-@@ -852,18 +1091,18 @@ ENTRY(device_not_available)
+@@ -853,18 +1092,18 @@ ENTRY(device_not_available)
pushl_cfi $do_device_not_available
jmp error_code
CFI_ENDPROC
@@ -22577,7 +22590,7 @@ index 6491353..a918952 100644
#endif
ENTRY(overflow)
-@@ -873,7 +1112,7 @@ ENTRY(overflow)
+@@ -874,7 +1113,7 @@ ENTRY(overflow)
pushl_cfi $do_overflow
jmp error_code
CFI_ENDPROC
@@ -22586,7 +22599,7 @@ index 6491353..a918952 100644
ENTRY(bounds)
RING0_INT_FRAME
-@@ -882,7 +1121,7 @@ ENTRY(bounds)
+@@ -883,7 +1122,7 @@ ENTRY(bounds)
pushl_cfi $do_bounds
jmp error_code
CFI_ENDPROC
@@ -22595,7 +22608,7 @@ index 6491353..a918952 100644
ENTRY(invalid_op)
RING0_INT_FRAME
-@@ -891,7 +1130,7 @@ ENTRY(invalid_op)
+@@ -892,7 +1131,7 @@ ENTRY(invalid_op)
pushl_cfi $do_invalid_op
jmp error_code
CFI_ENDPROC
@@ -22604,7 +22617,7 @@ index 6491353..a918952 100644
ENTRY(coprocessor_segment_overrun)
RING0_INT_FRAME
-@@ -900,7 +1139,7 @@ ENTRY(coprocessor_segment_overrun)
+@@ -901,7 +1140,7 @@ ENTRY(coprocessor_segment_overrun)
pushl_cfi $do_coprocessor_segment_overrun
jmp error_code
CFI_ENDPROC
@@ -22613,7 +22626,7 @@ index 6491353..a918952 100644
ENTRY(invalid_TSS)
RING0_EC_FRAME
-@@ -908,7 +1147,7 @@ ENTRY(invalid_TSS)
+@@ -909,7 +1148,7 @@ ENTRY(invalid_TSS)
pushl_cfi $do_invalid_TSS
jmp error_code
CFI_ENDPROC
@@ -22622,7 +22635,7 @@ index 6491353..a918952 100644
ENTRY(segment_not_present)
RING0_EC_FRAME
-@@ -916,7 +1155,7 @@ ENTRY(segment_not_present)
+@@ -917,7 +1156,7 @@ ENTRY(segment_not_present)
pushl_cfi $do_segment_not_present
jmp error_code
CFI_ENDPROC
@@ -22631,7 +22644,7 @@ index 6491353..a918952 100644
ENTRY(stack_segment)
RING0_EC_FRAME
-@@ -924,7 +1163,7 @@ ENTRY(stack_segment)
+@@ -925,7 +1164,7 @@ ENTRY(stack_segment)
pushl_cfi $do_stack_segment
jmp error_code
CFI_ENDPROC
@@ -22640,7 +22653,7 @@ index 6491353..a918952 100644
ENTRY(alignment_check)
RING0_EC_FRAME
-@@ -932,7 +1171,7 @@ ENTRY(alignment_check)
+@@ -933,7 +1172,7 @@ ENTRY(alignment_check)
pushl_cfi $do_alignment_check
jmp error_code
CFI_ENDPROC
@@ -22649,7 +22662,7 @@ index 6491353..a918952 100644
ENTRY(divide_error)
RING0_INT_FRAME
-@@ -941,7 +1180,7 @@ ENTRY(divide_error)
+@@ -942,7 +1181,7 @@ ENTRY(divide_error)
pushl_cfi $do_divide_error
jmp error_code
CFI_ENDPROC
@@ -22658,7 +22671,7 @@ index 6491353..a918952 100644
#ifdef CONFIG_X86_MCE
ENTRY(machine_check)
-@@ -951,7 +1190,7 @@ ENTRY(machine_check)
+@@ -952,7 +1191,7 @@ ENTRY(machine_check)
pushl_cfi machine_check_vector
jmp error_code
CFI_ENDPROC
@@ -22667,7 +22680,7 @@ index 6491353..a918952 100644
#endif
ENTRY(spurious_interrupt_bug)
-@@ -961,7 +1200,7 @@ ENTRY(spurious_interrupt_bug)
+@@ -962,7 +1201,7 @@ ENTRY(spurious_interrupt_bug)
pushl_cfi $do_spurious_interrupt_bug
jmp error_code
CFI_ENDPROC
@@ -22676,7 +22689,7 @@ index 6491353..a918952 100644
/*
* End of kprobes section
*/
-@@ -1071,7 +1310,7 @@ BUILD_INTERRUPT3(hyperv_callback_vector, HYPERVISOR_CALLBACK_VECTOR,
+@@ -1072,7 +1311,7 @@ BUILD_INTERRUPT3(hyperv_callback_vector, HYPERVISOR_CALLBACK_VECTOR,
ENTRY(mcount)
ret
@@ -22685,7 +22698,7 @@ index 6491353..a918952 100644
ENTRY(ftrace_caller)
cmpl $0, function_trace_stop
-@@ -1104,7 +1343,7 @@ ftrace_graph_call:
+@@ -1105,7 +1344,7 @@ ftrace_graph_call:
.globl ftrace_stub
ftrace_stub:
ret
@@ -22694,7 +22707,7 @@ index 6491353..a918952 100644
ENTRY(ftrace_regs_caller)
pushf /* push flags before compare (in cs location) */
-@@ -1208,7 +1447,7 @@ trace:
+@@ -1209,7 +1448,7 @@ trace:
popl %ecx
popl %eax
jmp ftrace_stub
@@ -22703,7 +22716,7 @@ index 6491353..a918952 100644
#endif /* CONFIG_DYNAMIC_FTRACE */
#endif /* CONFIG_FUNCTION_TRACER */
-@@ -1226,7 +1465,7 @@ ENTRY(ftrace_graph_caller)
+@@ -1227,7 +1466,7 @@ ENTRY(ftrace_graph_caller)
popl %ecx
popl %eax
ret
@@ -22712,7 +22725,7 @@ index 6491353..a918952 100644
.globl return_to_handler
return_to_handler:
-@@ -1292,15 +1531,18 @@ error_code:
+@@ -1293,15 +1532,18 @@ error_code:
movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
REG_TO_PTGS %ecx
SET_KERNEL_GS %ecx
@@ -22733,7 +22746,7 @@ index 6491353..a918952 100644
/*
* Debug traps and NMI can happen at the one SYSENTER instruction
-@@ -1343,7 +1585,7 @@ debug_stack_correct:
+@@ -1344,7 +1586,7 @@ debug_stack_correct:
call do_debug
jmp ret_from_exception
CFI_ENDPROC
@@ -22742,7 +22755,7 @@ index 6491353..a918952 100644
/*
* NMI is doubly nasty. It can happen _while_ we're handling
-@@ -1381,6 +1623,9 @@ nmi_stack_correct:
+@@ -1382,6 +1624,9 @@ nmi_stack_correct:
xorl %edx,%edx # zero error code
movl %esp,%eax # pt_regs pointer
call do_nmi
@@ -22752,7 +22765,7 @@ index 6491353..a918952 100644
jmp restore_all_notrace
CFI_ENDPROC
-@@ -1417,12 +1662,15 @@ nmi_espfix_stack:
+@@ -1418,12 +1663,15 @@ nmi_espfix_stack:
FIXUP_ESPFIX_STACK # %eax == %esp
xorl %edx,%edx # zero error code
call do_nmi
@@ -22769,7 +22782,7 @@ index 6491353..a918952 100644
ENTRY(int3)
RING0_INT_FRAME
-@@ -1435,14 +1683,14 @@ ENTRY(int3)
+@@ -1436,14 +1684,14 @@ ENTRY(int3)
call do_int3
jmp ret_from_exception
CFI_ENDPROC
@@ -22786,7 +22799,7 @@ index 6491353..a918952 100644
#ifdef CONFIG_KVM_GUEST
ENTRY(async_page_fault)
-@@ -1451,7 +1699,7 @@ ENTRY(async_page_fault)
+@@ -1452,7 +1700,7 @@ ENTRY(async_page_fault)
pushl_cfi $do_async_page_fault
jmp error_code
CFI_ENDPROC
@@ -24146,7 +24159,7 @@ index 068054f..c248bcd 100644
init_level4_pgt[511] = early_level4_pgt[511];
diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S
-index f36bd42..56ee1534 100644
+index f36bd42..0ab4474 100644
--- a/arch/x86/kernel/head_32.S
+++ b/arch/x86/kernel/head_32.S
@@ -26,6 +26,12 @@
@@ -24558,7 +24571,7 @@ index f36bd42..56ee1534 100644
+ .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
+ .quad 0x004093000000ffff /* 0xc8 APM DS data */
+
-+ .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
++ .quad 0x00c093000000ffff /* 0xd0 - ESPFIX SS */
+ .quad 0x0040930000000000 /* 0xd8 - PERCPU */
+ .quad 0x0040910000000017 /* 0xe0 - STACK_CANARY */
+ .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
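Review bot: The ESPFIX SS descriptor at 0xd0 changes its limit, but the trailing comment still reads only `0xd0 - ESPFIX SS` and gives no hint why. As encoded, `0x00c093000000ffff` sets limit bits 15:0 to 0xffff, leaves limit bits 19:16 at zero and keeps the granularity bit set, so it is neither the previous zero limit nor a full 0xfffff limit; that is easy to mistake for a typo in a later review. I would extend the comment, for example `/* 0xd0 - ESPFIX SS, limit 0xffff pages */`, and state in the commit message which access the old limit broke. The descriptor table starts and ends outside the hunk.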
@@ -26916,7 +26929,7 @@ index 5cdff03..80fa283 100644
* Up to this point, the boot CPU has been using .init.data
* area. Reload any changed state for the boot CPU.
diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
-index 9e5de68..16c53cb 100644
+index 9e5de68..147c254 100644
--- a/arch/x86/kernel/signal.c
+++ b/arch/x86/kernel/signal.c
@@ -190,7 +190,7 @@ static unsigned long align_sigframe(unsigned long sp)
@@ -26933,7 +26946,7 @@ index 9e5de68..16c53cb 100644
if (current->mm->context.vdso)
- restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
-+ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
++ restorer = (void __force_user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
else
- restorer = &frame->retcode;
+ restorer = (void __user *)&frame->retcode;
@@ -26955,9 +26968,9 @@ index 9e5de68..16c53cb 100644
/* Set up to return from userspace. */
- restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
+ if (current->mm->context.vdso)
-+ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
++ restorer = (void __force_user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
+ else
-+ restorer = (void __user *)&frame->retcode;
++ restorer = (void __user *)&frame->retcode;
if (ksig->ka.sa.sa_flags & SA_RESTORER)
restorer = ksig->ka.sa.sa_restorer;
put_user_ex(restorer, &frame->pretcode);
@@ -35871,7 +35884,7 @@ index af00795..2bb8105 100644
#define XCHAL_ICACHE_SIZE 32768 /* I-cache size in bytes or 0 */
#define XCHAL_DCACHE_SIZE 32768 /* D-cache size in bytes or 0 */
diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
-index 95ee425..c9c7237 100644
+index f1e3803..05e2d06 100644
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -822,7 +822,7 @@ static void blkcg_css_free(struct cgroup_subsys_state *css)
@@ -35963,7 +35976,7 @@ index 420a5a9..23834aa 100644
if (blk_verify_command(rq->cmd, has_write_perm))
return -EPERM;
diff --git a/block/compat_ioctl.c b/block/compat_ioctl.c
-index fbd5a67..f24fd95 100644
+index a0926a6..b2b14b2 100644
--- a/block/compat_ioctl.c
+++ b/block/compat_ioctl.c
@@ -156,7 +156,7 @@ static int compat_cdrom_generic_command(struct block_device *bdev, fmode_t mode,
@@ -36105,6 +36118,26 @@ index 2648797..92ed21f 100644
if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
goto error;
+diff --git a/crypto/af_alg.c b/crypto/af_alg.c
+index 966f893..6a3ad80 100644
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -21,6 +21,7 @@
+ #include <linux/module.h>
+ #include <linux/net.h>
+ #include <linux/rwsem.h>
++#include <linux/security.h>
+
+ struct alg_type_list {
+ const struct af_alg_type *type;
+@@ -243,6 +244,7 @@ int af_alg_accept(struct sock *sk, struct socket *newsock)
+
+ sock_init_data(newsock, sk2);
+ sock_graft(sk2, newsock);
++ security_sk_clone(sk, sk2);
+
+ err = type->accept(ask->private, sk2);
+ if (err) {
diff --git a/crypto/cryptd.c b/crypto/cryptd.c
index 7bdd61b..afec999 100644
--- a/crypto/cryptd.c
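Review bot: The added `security_sk_clone(sk, sk2);` in `af_alg_accept` carries no comment, and nothing in the surrounding lines says why the accepted socket needs it. As far as I can tell the call copies the parent's LSM label to `sk2`, so that the child socket is not left unlabeled when `type->accept(ask->private, sk2)` and later LSM checks run on it. A one-line comment above the call would keep it from being dropped in a later rebase: `/* inherit the listening socket's LSM label; sk2 is otherwise unlabeled */`. The function body continues outside the hunk.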
@@ -36296,7 +36329,7 @@ index b986145..82bddb8 100644
unsigned long timeout_msec)
{
diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
-index 18d97d5..be690af 100644
+index 677c0c1..354b89b 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -98,7 +98,7 @@ static unsigned int ata_dev_set_xfermode(struct ata_device *dev);
@@ -36308,7 +36341,7 @@ index 18d97d5..be690af 100644
struct ata_force_param {
const char *name;
-@@ -4858,7 +4858,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
+@@ -4863,7 +4863,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
struct ata_port *ap;
unsigned int tag;
@@ -36317,7 +36350,7 @@ index 18d97d5..be690af 100644
ap = qc->ap;
qc->flags = 0;
-@@ -4874,7 +4874,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
+@@ -4879,7 +4879,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
struct ata_port *ap;
struct ata_link *link;
@@ -36326,7 +36359,7 @@ index 18d97d5..be690af 100644
WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
ap = qc->ap;
link = qc->dev->link;
-@@ -5978,6 +5978,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
+@@ -5983,6 +5983,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
return;
spin_lock(&lock);
@@ -36334,7 +36367,7 @@ index 18d97d5..be690af 100644
for (cur = ops->inherits; cur; cur = cur->inherits) {
void **inherit = (void **)cur;
-@@ -5991,8 +5992,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
+@@ -5996,8 +5997,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
if (IS_ERR(*pp))
*pp = NULL;
@@ -36345,7 +36378,7 @@ index 18d97d5..be690af 100644
spin_unlock(&lock);
}
-@@ -6185,7 +6187,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht)
+@@ -6193,7 +6195,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht)
/* give ports names and add SCSI hosts */
for (i = 0; i < host->n_ports; i++) {
@@ -37013,7 +37046,7 @@ index 4217f29..88f547a 100644
vcc->tx_quota = vcc->tx_quota * 3 / 4;
printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
diff --git a/drivers/atm/lanai.c b/drivers/atm/lanai.c
-index fa7d701..1e404c7 100644
+index fa7d7019..1e404c7 100644
--- a/drivers/atm/lanai.c
+++ b/drivers/atm/lanai.c
@@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct lanai_dev *lanai,
@@ -38973,7 +39006,7 @@ index 501d513..fb0ecf9 100644
rc = of_property_read_u32(node, "fixed-divider", &fixed_div);
diff --git a/drivers/clk/socfpga/clk-pll.c b/drivers/clk/socfpga/clk-pll.c
-index de6da95..a2e72c0 100644
+index de6da95..c98278b 100644
--- a/drivers/clk/socfpga/clk-pll.c
+++ b/drivers/clk/socfpga/clk-pll.c
@@ -21,6 +21,7 @@
@@ -38989,7 +39022,7 @@ index de6da95..a2e72c0 100644
}
-static struct clk_ops clk_pll_ops = {
-+static struct clk_ops_no_const clk_pll_ops __read_only = {
++static clk_ops_no_const clk_pll_ops __read_only = {
.recalc_rate = clk_pll_recalc_rate,
.get_parent = clk_pll_get_parent,
};
@@ -39980,6 +40013,36 @@ index 66cbcc1..0c5e622 100644
return -EINVAL;
}
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
+index f48817d..d35d7f8 100644
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -1458,8 +1458,10 @@ static void gpiochip_irqchip_remove(struct gpio_chip *gpiochip)
+ }
+
+ if (gpiochip->irqchip) {
+- gpiochip->irqchip->irq_request_resources = NULL;
+- gpiochip->irqchip->irq_release_resources = NULL;
++ pax_open_kernel();
++ *(void **)&gpiochip->irqchip->irq_request_resources = NULL;
++ *(void **)&gpiochip->irqchip->irq_release_resources = NULL;
++ pax_close_kernel();
+ gpiochip->irqchip = NULL;
+ }
+ }
+@@ -1524,8 +1526,10 @@ int gpiochip_irqchip_add(struct gpio_chip *gpiochip,
+ gpiochip->irqchip = NULL;
+ return -EINVAL;
+ }
+- irqchip->irq_request_resources = gpiochip_irq_reqres;
+- irqchip->irq_release_resources = gpiochip_irq_relres;
++ pax_open_kernel();
++ *(void **)&irqchip->irq_request_resources = gpiochip_irq_reqres;
++ *(void **)&irqchip->irq_release_resources = gpiochip_irq_relres;
++ pax_close_kernel();
+
+ /*
+ * Prepare the mapping since the irqchip shall be orthogonal to
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index d8b7099..8a314a5 100644
--- a/drivers/gpu/drm/drm_crtc.c
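Review bot: The four stores in `gpiochip_irqchip_remove` and `gpiochip_irqchip_add` go through `*(void **)&…`, which drops the function-pointer type. The compiler therefore no longer checks `gpiochip_irq_reqres` and `gpiochip_irq_relres` against the signatures of `irq_request_resources` and `irq_release_resources`. Presumably the cast is needed because the irqchip ops are treated as read-only in this tree, but the code does not say so. A comment at the first site would record it: `/* irqchip ops are read-only; write via void ** only inside pax_open_kernel()/pax_close_kernel() */`. Both functions start and end outside the hunk.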
@@ -42853,10 +42916,10 @@ index 24c41ba..102d71f 100644
gameport->dev.release = gameport_release_port;
if (gameport->parent)
diff --git a/drivers/input/input.c b/drivers/input/input.c
-index 1c4c0db..6f7abe3 100644
+index 29ca0bb..f4bc2e3 100644
--- a/drivers/input/input.c
+++ b/drivers/input/input.c
-@@ -1772,7 +1772,7 @@ EXPORT_SYMBOL_GPL(input_class);
+@@ -1774,7 +1774,7 @@ EXPORT_SYMBOL_GPL(input_class);
*/
struct input_dev *input_allocate_device(void)
{
@@ -42865,7 +42928,7 @@ index 1c4c0db..6f7abe3 100644
struct input_dev *dev;
dev = kzalloc(sizeof(struct input_dev), GFP_KERNEL);
-@@ -1787,7 +1787,7 @@ struct input_dev *input_allocate_device(void)
+@@ -1789,7 +1789,7 @@ struct input_dev *input_allocate_device(void)
INIT_LIST_HEAD(&dev->node);
dev_set_name(&dev->dev, "input%ld",
@@ -46106,6 +46169,19 @@ index 80f6c79..fb7d12d 100644
/**
* bnx2x_config_rx_mode - Send and RX_MODE ramrod according to the provided parameters.
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h
+index 6929adb..cc68830 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h
+@@ -571,7 +571,7 @@ static inline void __iomem *bnx2x_vf_doorbells(struct bnx2x *bp)
+ return NULL;
+ }
+
+-static inline void bnx2x_vf_pci_dealloc(struct bnx2 *bp) {return 0; }
++static inline void bnx2x_vf_pci_dealloc(struct bnx2x *bp) { }
+ static inline int bnx2x_vf_pci_alloc(struct bnx2x *bp) {return 0; }
+ static inline void bnx2x_pf_set_vfs_vlan(struct bnx2x *bp) {}
+ static inline int bnx2x_sriov_configure(struct pci_dev *dev, int num_vfs) {return 0; }
diff --git a/drivers/net/ethernet/broadcom/tg3.h b/drivers/net/ethernet/broadcom/tg3.h
index 04321e5..b51cdc4 100644
--- a/drivers/net/ethernet/broadcom/tg3.h
@@ -46521,6 +46597,19 @@ index 3c41a83..5fe2d7f 100644
break;
err = 0;
break;
+diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
+index 0180531..1aff970 100644
+--- a/drivers/net/ppp/pptp.c
++++ b/drivers/net/ppp/pptp.c
+@@ -281,7 +281,7 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
+ nf_reset(skb);
+
+ skb->ip_summed = CHECKSUM_NONE;
+- ip_select_ident(skb, &rt->dst, NULL);
++ ip_select_ident(skb, NULL);
+ ip_send_check(iph);
+
+ ip_local_out(skb);
diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
index 1252d9c..80e660b 100644
--- a/drivers/net/slip/slhc.c
@@ -49804,10 +49893,25 @@ index 88d46fe..7351be5 100644
/* check if the device is still usable */
if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
-index 9db097a..ca5c291 100644
+index 9db097a..c4ccdef 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
-@@ -1464,7 +1464,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q)
+@@ -806,6 +806,14 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes)
+ scsi_next_command(cmd);
+ return;
+ }
++ } else if (blk_rq_bytes(req) == 0 && result && !sense_deferred) {
++ /*
++ * Certain non BLOCK_PC requests are commands that don't
++ * actually transfer anything (FLUSH), so cannot use
++ * good_bytes != blk_rq_bytes(req) as the signal for an error.
++ * This sets the error explicitly for the problem case.
++ */
++ error = __scsi_error_from_host_byte(cmd, result);
+ }
+
+ /* no bidi support for !REQ_TYPE_BLOCK_PC yet */
+@@ -1464,7 +1472,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q)
shost = sdev->host;
scsi_init_cmd_errh(cmd);
cmd->result = DID_NO_CONNECT << 16;
@@ -49816,7 +49920,7 @@ index 9db097a..ca5c291 100644
/*
* SCSI request completion path will do scsi_device_unbusy(),
-@@ -1490,9 +1490,9 @@ static void scsi_softirq_done(struct request *rq)
+@@ -1490,9 +1498,9 @@ static void scsi_softirq_done(struct request *rq)
INIT_LIST_HEAD(&cmd->eh_entry);
@@ -58501,7 +58605,7 @@ index e081acb..911df21 100644
/*
* We'll have a dentry and an inode for
diff --git a/fs/coredump.c b/fs/coredump.c
-index 0b2528f..836c55f 100644
+index a93f7e6..d58bcbe 100644
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -442,8 +442,8 @@ static void wait_for_dump_helpers(struct file *file)
@@ -61774,7 +61878,7 @@ index d55297f..f5b28c5 100644
#define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */
diff --git a/fs/namei.c b/fs/namei.c
-index 985c6f3..5f520b67 100644
+index 9eb787e..5f520b67 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -330,17 +330,32 @@ int generic_permission(struct inode *inode, int mask)
@@ -61909,19 +62013,7 @@ index 985c6f3..5f520b67 100644
return retval;
}
-@@ -2256,9 +2287,10 @@ done:
- goto out;
- }
- path->dentry = dentry;
-- path->mnt = mntget(nd->path.mnt);
-+ path->mnt = nd->path.mnt;
- if (should_follow_link(dentry, nd->flags & LOOKUP_FOLLOW))
- return 1;
-+ mntget(path->mnt);
- follow_mount(path);
- error = 0;
- out:
-@@ -2569,6 +2601,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
+@@ -2570,6 +2601,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
if (flag & O_NOATIME && !inode_owner_or_capable(inode))
return -EPERM;
@@ -61935,7 +62027,7 @@ index 985c6f3..5f520b67 100644
return 0;
}
-@@ -2800,7 +2839,7 @@ looked_up:
+@@ -2801,7 +2839,7 @@ looked_up:
* cleared otherwise prior to returning.
*/
static int lookup_open(struct nameidata *nd, struct path *path,
@@ -61944,7 +62036,7 @@ index 985c6f3..5f520b67 100644
const struct open_flags *op,
bool got_write, int *opened)
{
-@@ -2835,6 +2874,17 @@ static int lookup_open(struct nameidata *nd, struct path *path,
+@@ -2836,6 +2874,17 @@ static int lookup_open(struct nameidata *nd, struct path *path,
/* Negative dentry, just create the file */
if (!dentry->d_inode && (op->open_flag & O_CREAT)) {
umode_t mode = op->mode;
@@ -61962,7 +62054,7 @@ index 985c6f3..5f520b67 100644
if (!IS_POSIXACL(dir->d_inode))
mode &= ~current_umask();
/*
-@@ -2856,6 +2906,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
+@@ -2857,6 +2906,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
nd->flags & LOOKUP_EXCL);
if (error)
goto out_dput;
@@ -61971,7 +62063,7 @@ index 985c6f3..5f520b67 100644
}
out_no_open:
path->dentry = dentry;
-@@ -2870,7 +2922,7 @@ out_dput:
+@@ -2871,7 +2922,7 @@ out_dput:
/*
* Handle the last step of open()
*/
@@ -61980,7 +62072,7 @@ index 985c6f3..5f520b67 100644
struct file *file, const struct open_flags *op,
int *opened, struct filename *name)
{
-@@ -2920,6 +2972,15 @@ static int do_last(struct nameidata *nd, struct path *path,
+@@ -2921,6 +2972,15 @@ static int do_last(struct nameidata *nd, struct path *path,
if (error)
return error;
@@ -61996,7 +62088,7 @@ index 985c6f3..5f520b67 100644
audit_inode(name, dir, LOOKUP_PARENT);
error = -EISDIR;
/* trailing slashes? */
-@@ -2939,7 +3000,7 @@ retry_lookup:
+@@ -2940,7 +3000,7 @@ retry_lookup:
*/
}
mutex_lock(&dir->d_inode->i_mutex);
@@ -62005,7 +62097,7 @@ index 985c6f3..5f520b67 100644
mutex_unlock(&dir->d_inode->i_mutex);
if (error <= 0) {
-@@ -2963,11 +3024,28 @@ retry_lookup:
+@@ -2964,11 +3024,28 @@ retry_lookup:
goto finish_open_created;
}
@@ -62035,7 +62127,7 @@ index 985c6f3..5f520b67 100644
/*
* If atomic_open() acquired write access it is dropped now due to
-@@ -3008,6 +3086,11 @@ finish_lookup:
+@@ -3009,6 +3086,11 @@ finish_lookup:
}
}
BUG_ON(inode != path->dentry->d_inode);
@@ -62047,7 +62139,7 @@ index 985c6f3..5f520b67 100644
return 1;
}
-@@ -3017,7 +3100,6 @@ finish_lookup:
+@@ -3018,7 +3100,6 @@ finish_lookup:
save_parent.dentry = nd->path.dentry;
save_parent.mnt = mntget(path->mnt);
nd->path.dentry = path->dentry;
@@ -62055,7 +62147,7 @@ index 985c6f3..5f520b67 100644
}
nd->inode = inode;
/* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */
-@@ -3027,7 +3109,18 @@ finish_open:
+@@ -3028,7 +3109,18 @@ finish_open:
path_put(&save_parent);
return error;
}
@@ -62074,7 +62166,7 @@ index 985c6f3..5f520b67 100644
error = -EISDIR;
if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry))
goto out;
-@@ -3190,7 +3283,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+@@ -3191,7 +3283,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
if (unlikely(error))
goto out;
@@ -62083,7 +62175,7 @@ index 985c6f3..5f520b67 100644
while (unlikely(error > 0)) { /* trailing symlink */
struct path link = path;
void *cookie;
-@@ -3208,7 +3301,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
+@@ -3209,7 +3301,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
error = follow_link(&link, nd, &cookie);
if (unlikely(error))
break;
@@ -62092,7 +62184,7 @@ index 985c6f3..5f520b67 100644
put_link(nd, &link, cookie);
}
out:
-@@ -3308,9 +3401,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
+@@ -3309,9 +3401,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
goto unlock;
error = -EEXIST;
@@ -62106,7 +62198,7 @@ index 985c6f3..5f520b67 100644
/*
* Special case - lookup gave negative, but... we had foo/bar/
* From the vfs_mknod() POV we just have a negative dentry -
-@@ -3362,6 +3457,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
+@@ -3363,6 +3457,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
}
EXPORT_SYMBOL(user_path_create);
@@ -62127,7 +62219,7 @@ index 985c6f3..5f520b67 100644
int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
{
int error = may_create(dir, dentry);
-@@ -3425,6 +3534,17 @@ retry:
+@@ -3426,6 +3534,17 @@ retry:
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -62145,7 +62237,7 @@ index 985c6f3..5f520b67 100644
error = security_path_mknod(&path, dentry, mode, dev);
if (error)
goto out;
-@@ -3441,6 +3561,8 @@ retry:
+@@ -3442,6 +3561,8 @@ retry:
break;
}
out:
@@ -62154,7 +62246,7 @@ index 985c6f3..5f520b67 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3494,9 +3616,16 @@ retry:
+@@ -3495,9 +3616,16 @@ retry:
if (!IS_POSIXACL(path.dentry->d_inode))
mode &= ~current_umask();
@@ -62171,7 +62263,7 @@ index 985c6f3..5f520b67 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3579,6 +3708,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -3580,6 +3708,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
struct filename *name;
struct dentry *dentry;
struct nameidata nd;
@@ -62180,7 +62272,7 @@ index 985c6f3..5f520b67 100644
unsigned int lookup_flags = 0;
retry:
name = user_path_parent(dfd, pathname, &nd, lookup_flags);
-@@ -3611,10 +3742,21 @@ retry:
+@@ -3612,10 +3742,21 @@ retry:
error = -ENOENT;
goto exit3;
}
@@ -62202,7 +62294,7 @@ index 985c6f3..5f520b67 100644
exit3:
dput(dentry);
exit2:
-@@ -3705,6 +3847,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -3706,6 +3847,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
struct nameidata nd;
struct inode *inode = NULL;
struct inode *delegated_inode = NULL;
@@ -62211,7 +62303,7 @@ index 985c6f3..5f520b67 100644
unsigned int lookup_flags = 0;
retry:
name = user_path_parent(dfd, pathname, &nd, lookup_flags);
-@@ -3731,10 +3875,22 @@ retry_deleg:
+@@ -3732,10 +3875,22 @@ retry_deleg:
if (d_is_negative(dentry))
goto slashes;
ihold(inode);
@@ -62234,7 +62326,7 @@ index 985c6f3..5f520b67 100644
exit2:
dput(dentry);
}
-@@ -3823,9 +3979,17 @@ retry:
+@@ -3824,9 +3979,17 @@ retry:
if (IS_ERR(dentry))
goto out_putname;
@@ -62252,7 +62344,7 @@ index 985c6f3..5f520b67 100644
done_path_create(&path, dentry);
if (retry_estale(error, lookup_flags)) {
lookup_flags |= LOOKUP_REVAL;
-@@ -3929,6 +4093,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -3930,6 +4093,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
struct dentry *new_dentry;
struct path old_path, new_path;
struct inode *delegated_inode = NULL;
@@ -62260,7 +62352,7 @@ index 985c6f3..5f520b67 100644
int how = 0;
int error;
-@@ -3952,7 +4117,7 @@ retry:
+@@ -3953,7 +4117,7 @@ retry:
if (error)
return error;
@@ -62269,7 +62361,7 @@ index 985c6f3..5f520b67 100644
(how & LOOKUP_REVAL));
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
-@@ -3964,11 +4129,28 @@ retry:
+@@ -3965,11 +4129,28 @@ retry:
error = may_linkat(&old_path);
if (unlikely(error))
goto out_dput;
@@ -62298,7 +62390,7 @@ index 985c6f3..5f520b67 100644
done_path_create(&new_path, new_dentry);
if (delegated_inode) {
error = break_deleg_wait(&delegated_inode);
-@@ -4278,6 +4460,12 @@ retry_deleg:
+@@ -4279,6 +4460,12 @@ retry_deleg:
if (new_dentry == trap)
goto exit5;
@@ -62311,7 +62403,7 @@ index 985c6f3..5f520b67 100644
error = security_path_rename(&oldnd.path, old_dentry,
&newnd.path, new_dentry, flags);
if (error)
-@@ -4285,6 +4473,9 @@ retry_deleg:
+@@ -4286,6 +4473,9 @@ retry_deleg:
error = vfs_rename(old_dir->d_inode, old_dentry,
new_dir->d_inode, new_dentry,
&delegated_inode, flags);
@@ -62321,7 +62413,7 @@ index 985c6f3..5f520b67 100644
exit5:
dput(new_dentry);
exit4:
-@@ -4327,14 +4518,24 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
+@@ -4328,14 +4518,24 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
int readlink_copy(char __user *buffer, int buflen, const char *link)
{
@@ -71377,7 +71469,7 @@ index 0000000..25f54ef
+};
diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c
new file mode 100644
-index 0000000..361a099
+index 0000000..3f8ade0
--- /dev/null
+++ b/grsecurity/gracl_policy.c
@@ -0,0 +1,1782 @@
@@ -71436,9 +71528,9 @@ index 0000000..361a099
+extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
+extern void gr_clear_learn_entries(void);
+
-+static struct gr_arg gr_usermode;
-+static unsigned char gr_system_salt[GR_SALT_LEN];
-+static unsigned char gr_system_sum[GR_SHA_LEN];
++struct gr_arg *gr_usermode __read_only;
++unsigned char *gr_system_salt __read_only;
++unsigned char *gr_system_sum __read_only;
+
+static unsigned int gr_auth_attempts = 0;
+static unsigned long gr_auth_expires = 0UL;
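Review bot: `gr_usermode`, `gr_system_salt` and `gr_system_sum` become pointers here, but none of the visible hunks allocates them or checks them for NULL before use. `memcpy(gr_system_salt, args->salt, GR_SALT_LEN)` in the init path and `copy_gr_arg(uwrap.arg, gr_usermode)` in the handler dereference them directly. The allocation is presumably elsewhere in the patch; it has to be guaranteed to run before the first policy write, and the buffers must be at least `GR_SALT_LEN`, `GR_SHA_LEN` and `sizeof(struct gr_arg)` bytes, because the copies no longer take their size from the destination object. Note also that `__read_only` applies to the pointer variables, not to the salt, hash and password buffers they point to, and that dropping `static` makes all three symbols visible kernel-wide. A comment at the declarations, such as `/* allocated once at init in <allocation site>; never NULL afterwards */`, would document the contract.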
@@ -72680,8 +72772,8 @@ index 0000000..361a099
+{
+ int error = 0;
+
-+ memcpy(&gr_system_salt, args->salt, sizeof(gr_system_salt));
-+ memcpy(&gr_system_sum, args->sum, sizeof(gr_system_sum));
++ memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
++ memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
+
+ if (init_variables(args, false)) {
+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
@@ -72908,11 +73000,11 @@ index 0000000..361a099
+ if (error)
+ goto out;
+
-+ error = copy_gr_arg(uwrap.arg, &gr_usermode);
++ error = copy_gr_arg(uwrap.arg, gr_usermode);
+ if (error)
+ goto out;
+
-+ if (gr_usermode.mode != GR_SPROLE && gr_usermode.mode != GR_SPROLEPAM &&
++ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
+ gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
+ time_after(gr_auth_expires, get_seconds())) {
+ error = -EBUSY;
@@ -72924,8 +73016,8 @@ index 0000000..361a099
+ locking
+ */
+
-+ if (gr_usermode.mode != GR_SPROLE && gr_usermode.mode != GR_STATUS &&
-+ gr_usermode.mode != GR_UNSPROLE && gr_usermode.mode != GR_SPROLEPAM &&
++ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
++ gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
+ gr_is_global_nonroot(current_uid())) {
+ error = -EPERM;
+ goto out;
@@ -72933,15 +73025,15 @@ index 0000000..361a099
+
+ /* ensure pw and special role name are null terminated */
+
-+ gr_usermode.pw[GR_PW_LEN - 1] = '\0';
-+ gr_usermode.sp_role[GR_SPROLE_LEN - 1] = '\0';
++ gr_usermode->pw[GR_PW_LEN - 1] = '\0';
++ gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
+
+ /* Okay.
+ * We have our enough of the argument structure..(we have yet
+ * to copy_from_user the tables themselves) . Copy the tables
+ * only if we need them, i.e. for loading operations. */
+
-+ switch (gr_usermode.mode) {
++ switch (gr_usermode->mode) {
+ case GR_STATUS:
+ if (gr_acl_is_enabled()) {
+ error = 1;
@@ -72951,12 +73043,12 @@ index 0000000..361a099
+ error = 2;
+ goto out;
+ case GR_SHUTDOWN:
-+ if (gr_acl_is_enabled() && !(chkpw(&gr_usermode, (unsigned char *)&gr_system_salt, (unsigned char *)&gr_system_sum))) {
++ if (gr_acl_is_enabled() && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
+ stop_machine(gr_rbac_disable, NULL, NULL);
+ free_variables(false);
-+ memset(&gr_usermode, 0, sizeof(gr_usermode));
-+ memset(&gr_system_salt, 0, sizeof(gr_system_salt));
-+ memset(&gr_system_sum, 0, sizeof(gr_system_sum));
++ memset(gr_usermode, 0, sizeof(struct gr_arg));
++ memset(gr_system_salt, 0, GR_SALT_LEN);
++ memset(gr_system_sum, 0, GR_SHA_LEN);
+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
+ } else if (gr_acl_is_enabled()) {
+ gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
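Review bot: The wipe in the `GR_SHUTDOWN` branch sizes itself by type name, `memset(gr_usermode, 0, sizeof(struct gr_arg));`, now that `gr_usermode` is a pointer. Writing it as `memset(gr_usermode, 0, sizeof(*gr_usermode));` keeps the length tied to the pointee, so a later change of the variable's type cannot leave part of the password-bearing structure uncleared. The salt and sum wipes depend on the buffers being exactly `GR_SALT_LEN` and `GR_SHA_LEN` bytes, which is not visible in this hunk; a comment at the allocation site should state that. The enclosing switch starts and ends outside the hunk.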
@@ -72967,7 +73059,7 @@ index 0000000..361a099
+ }
+ break;
+ case GR_ENABLE:
-+ if (!gr_acl_is_enabled() && !(error2 = gracl_init(&gr_usermode)))
++ if (!gr_acl_is_enabled() && !(error2 = gracl_init(gr_usermode)))
+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
+ else {
+ if (gr_acl_is_enabled())
@@ -72983,8 +73075,8 @@ index 0000000..361a099
+ if (!gr_acl_is_enabled()) {
+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
+ error = -EAGAIN;
-+ } else if (!(chkpw(&gr_usermode, (unsigned char *)&gr_system_salt, (unsigned char *)&gr_system_sum))) {
-+ error2 = gracl_reload(&gr_usermode, oldmode);
++ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
++ error2 = gracl_reload(gr_usermode, oldmode);
+ if (!error2)
+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
+ else {
@@ -73003,20 +73095,20 @@ index 0000000..361a099
+ break;
+ }
+
-+ if (!(chkpw(&gr_usermode, (unsigned char *)&gr_system_salt, (unsigned char *)&gr_system_sum))) {
++ if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
-+ if (gr_usermode.segv_device && gr_usermode.segv_inode) {
++ if (gr_usermode->segv_device && gr_usermode->segv_inode) {
+ struct acl_subject_label *segvacl;
+ segvacl =
-+ lookup_acl_subj_label(gr_usermode.segv_inode,
-+ gr_usermode.segv_device,
++ lookup_acl_subj_label(gr_usermode->segv_inode,
++ gr_usermode->segv_device,
+ current->role);
+ if (segvacl) {
+ segvacl->crashes = 0;
+ segvacl->expires = 0;
+ }
-+ } else if (gr_find_uid(gr_usermode.segv_uid) >= 0) {
-+ gr_remove_uid(gr_usermode.segv_uid);
++ } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
++ gr_remove_uid(gr_usermode->segv_uid);
+ }
+ } else {
+ gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
@@ -73043,11 +73135,11 @@ index 0000000..361a099
+ }
+
+ if (lookup_special_role_auth
-+ (gr_usermode.mode, gr_usermode.sp_role, &sprole_salt, &sprole_sum)
++ (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
+ && ((!sprole_salt && !sprole_sum)
-+ || !(chkpw(&gr_usermode, sprole_salt, sprole_sum)))) {
++ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
+ char *p = "";
-+ assign_special_role(gr_usermode.sp_role);
++ assign_special_role(gr_usermode->sp_role);
+ read_lock(&tasklist_lock);
+ if (current->real_parent)
+ p = current->real_parent->role->rolename;
@@ -73055,7 +73147,7 @@ index 0000000..361a099
+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
+ p, acl_sp_role_value);
+ } else {
-+ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode.sp_role);
++ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
+ error = -EPERM;
+ if(!(current->role->auth_attempts++))
+ current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
@@ -73089,7 +73181,7 @@ index 0000000..361a099
+ }
+ break;
+ default:
-+ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode.mode);
++ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
+ error = -EINVAL;
+ break;
+ }
@@ -74714,10 +74806,10 @@ index 0000000..8ca18bf
+}
diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c
new file mode 100644
-index 0000000..ae6c028
+index 0000000..b7cb191
--- /dev/null
+++ b/grsecurity/grsec_init.c
-@@ -0,0 +1,272 @@
+@@ -0,0 +1,286 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
@@ -74797,6 +74889,10 @@ index 0000000..ae6c028
+char *gr_alert_log_buf;
+char *gr_audit_log_buf;
+
++extern struct gr_arg *gr_usermode;
++extern unsigned char *gr_system_salt;
++extern unsigned char *gr_system_sum;
++
+void __init
+grsecurity_init(void)
+{
@@ -74837,6 +74933,16 @@ index 0000000..ae6c028
+ return;
+ }
+
++ /* allocate memory for authentication structure */
++ gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
++ gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
++ gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
++
++ if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
++ panic("Unable to allocate grsecurity authentication structure");
++ return;
++ }
++
+#ifdef CONFIG_GRKERNSEC_IO
+#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
+ grsec_disable_privio = 1;
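Review bot: The three authentication buffers are obtained with `kmalloc`, so until they are first written they hold stale slab contents. The lines removed in gracl.c took `sizeof` of the objects themselves, which suggests they were static and therefore zero-initialised before this change. Using `gr_usermode = kzalloc(sizeof(struct gr_arg), GFP_KERNEL);` (and `kzalloc` for the salt and sum as well) keeps that property; whether any `chkpw(gr_usermode, gr_system_salt, gr_system_sum)` call can run before a policy load fills them is not visible from this hunk. The `return;` after `panic()` is unreachable and can be dropped. grsecurity_init() begins and ends outside the hunk.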
@@ -76799,10 +76905,10 @@ index 0000000..ae02d8e
+EXPORT_SYMBOL_GPL(gr_handle_new_usb);
diff --git a/grsecurity/grsum.c b/grsecurity/grsum.c
new file mode 100644
-index 0000000..9f7b1ac
+index 0000000..158b330
--- /dev/null
+++ b/grsecurity/grsum.c
-@@ -0,0 +1,61 @@
+@@ -0,0 +1,64 @@
+#include <linux/err.h>
+#include <linux/kernel.h>
+#include <linux/sched.h>
@@ -76819,47 +76925,50 @@ index 0000000..9f7b1ac
+int
+chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
+{
-+ char *p;
+ struct crypto_hash *tfm;
+ struct hash_desc desc;
-+ struct scatterlist sg;
-+ unsigned char temp_sum[GR_SHA_LEN];
-+ volatile int retval = 0;
++ struct scatterlist sg[2];
++ unsigned char temp_sum[GR_SHA_LEN] __attribute__((aligned(__alignof__(unsigned long))));
++ unsigned long *tmpsumptr = (unsigned long *)temp_sum;
++ unsigned long *sumptr = (unsigned long *)sum;
++ int cryptres;
++ int retval = 1;
++ volatile int mismatched = 0;
+ volatile int dummy = 0;
+ unsigned int i;
+
-+ sg_init_table(&sg, 1);
-+
+ tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
+ if (IS_ERR(tfm)) {
+ /* should never happen, since sha256 should be built in */
++ memset(entry->pw, 0, GR_PW_LEN);
+ return 1;
+ }
+
++ sg_init_table(sg, 2);
++ sg_set_buf(&sg[0], salt, GR_SALT_LEN);
++ sg_set_buf(&sg[1], entry->pw, strlen(entry->pw));
++
+ desc.tfm = tfm;
+ desc.flags = 0;
+
-+ crypto_hash_init(&desc);
-+
-+ p = salt;
-+ sg_set_buf(&sg, p, GR_SALT_LEN);
-+ crypto_hash_update(&desc, &sg, sg.length);
-+
-+ p = entry->pw;
-+ sg_set_buf(&sg, p, strlen(p));
-+
-+ crypto_hash_update(&desc, &sg, sg.length);
-+
-+ crypto_hash_final(&desc, temp_sum);
++ cryptres = crypto_hash_digest(&desc, sg, GR_SALT_LEN + strlen(entry->pw),
++ temp_sum);
+
+ memset(entry->pw, 0, GR_PW_LEN);
+
-+ for (i = 0; i < GR_SHA_LEN; i++)
-+ if (sum[i] != temp_sum[i])
-+ retval = 1;
++ if (cryptres)
++ goto out;
++
++ for (i = 0; i < GR_SHA_LEN/sizeof(tmpsumptr[0]); i++)
++ if (sumptr[i] != tmpsumptr[i])
++ mismatched = 1;
+ else
+ dummy = 1; // waste a cycle
+
++ if (!mismatched)
++ retval = dummy - 1;
++
++out:
+ crypto_free_hash(tfm);
+
+ return retval;
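Review bot: The new comparison reads `sum` through `(unsigned long *)sum`, but only `temp_sum` is given an alignment attribute; `sum` is whatever the caller passes (the gracl.c hunks pass both `gr_system_sum` and `sprole_sum`), so nothing here guarantees word alignment on strict-alignment architectures. The loop also still branches on each word and relies on the `dummy` store to balance timing, which depends on what the compiler emits. A byte-wise accumulate avoids both: `for (i = 0; i < GR_SHA_LEN; i++) mismatched |= sum[i] ^ temp_sum[i];` followed by `retval = (mismatched != 0);`, or `crypto_memneq()` where the target kernel provides it. `temp_sum` is left on the stack on return; clearing it alongside `entry->pw` would be consistent with the rest of the function. The closing brace of chkpw() lies outside the hunk.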
@@ -80572,10 +80681,10 @@ index 7d21cf9..bc0c81f 100644
int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
diff --git a/include/linux/libata.h b/include/linux/libata.h
-index 5ab4e3a..2fe237b 100644
+index 92abb49..e7fff2a 100644
--- a/include/linux/libata.h
+++ b/include/linux/libata.h
-@@ -975,7 +975,7 @@ struct ata_port_operations {
+@@ -976,7 +976,7 @@ struct ata_port_operations {
* fields must be pointers.
*/
const struct ata_port_operations *inherits;
@@ -81872,7 +81981,7 @@ index cc7494a..1e27036 100644
extern bool qid_valid(struct kqid qid);
diff --git a/include/linux/random.h b/include/linux/random.h
-index 57fbbff..2331f3f 100644
+index 57fbbff..2170304 100644
--- a/include/linux/random.h
+++ b/include/linux/random.h
@@ -9,9 +9,19 @@
@@ -81922,6 +82031,15 @@ index 57fbbff..2331f3f 100644
/**
* prandom_u32_max - returns a pseudo-random number in interval [0, ep_ro)
* @ep_ro: right open interval endpoint
+@@ -49,7 +64,7 @@ void prandom_bytes_state(struct rnd_state *state, void *buf, int nbytes);
+ *
+ * Returns: pseudo-random number in interval [0, ep_ro)
+ */
+-static inline u32 prandom_u32_max(u32 ep_ro)
++static inline u32 __intentional_overflow(-1) prandom_u32_max(u32 ep_ro)
+ {
+ return (u32)(((u64) prandom_u32() * ep_ro) >> 32);
+ }
diff --git a/include/linux/rbtree_augmented.h b/include/linux/rbtree_augmented.h
index fea49b5..2ac22bb 100644
--- a/include/linux/rbtree_augmented.h
@@ -83660,31 +83778,52 @@ index 7a43138..bc76865 100644
/** inet_connection_sock - INET connection oriented sock
*
diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h
-index 058271b..1a44af7 100644
+index 058271b..1af4453 100644
--- a/include/net/inetpeer.h
+++ b/include/net/inetpeer.h
-@@ -47,8 +47,8 @@ struct inet_peer {
+@@ -41,14 +41,13 @@ struct inet_peer {
+ struct rcu_head gc_rcu;
+ };
+ /*
+- * Once inet_peer is queued for deletion (refcnt == -1), following fields
+- * are not available: rid, ip_id_count
++ * Once inet_peer is queued for deletion (refcnt == -1), following field
++ * is not available: rid
+ * We can share memory with rcu_head to help keep inet_peer small.
*/
union {
struct {
- atomic_t rid; /* Frag reception counter */
- atomic_t ip_id_count; /* IP ID for the next packet */
-+ atomic_unchecked_t rid; /* Frag reception counter */
-+ atomic_unchecked_t ip_id_count; /* IP ID for the next packet */
++ atomic_unchecked_t rid; /* Frag reception counter */
};
struct rcu_head rcu;
struct inet_peer *gc_next;
-@@ -179,7 +179,7 @@ static inline int inet_getid(struct inet_peer *p, int more)
- {
- more++;
- inet_peer_refcheck(p);
-- return atomic_add_return(more, &p->ip_id_count) - more;
-+ return atomic_add_return_unchecked(more, &p->ip_id_count) - more;
+@@ -165,7 +164,7 @@ bool inet_peer_xrlim_allow(struct inet_peer *peer, int timeout);
+ void inetpeer_invalidate_tree(struct inet_peer_base *);
+
+ /*
+- * temporary check to make sure we dont access rid, ip_id_count, tcp_ts,
++ * temporary check to make sure we dont access rid, tcp_ts,
+ * tcp_ts_stamp if no refcount is taken on inet_peer
+ */
+ static inline void inet_peer_refcheck(const struct inet_peer *p)
+@@ -173,13 +172,4 @@ static inline void inet_peer_refcheck(const struct inet_peer *p)
+ WARN_ON_ONCE(atomic_read(&p->refcnt) <= 0);
}
+-
+-/* can be called with or without local BH being disabled */
+-static inline int inet_getid(struct inet_peer *p, int more)
+-{
+- more++;
+- inet_peer_refcheck(p);
+- return atomic_add_return(more, &p->ip_id_count) - more;
+-}
+-
#endif /* _NET_INETPEER_H */
diff --git a/include/net/ip.h b/include/net/ip.h
-index 3ec2b0f..72435b6 100644
+index 3ec2b0f..6a28064 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -220,7 +220,7 @@ static inline void snmp_mib_free(void __percpu *ptr[SNMP_ARRAY_SZ])
@@ -83696,6 +83835,55 @@ index 3ec2b0f..72435b6 100644
static inline int inet_is_reserved_local_port(int port)
{
return test_bit(port, sysctl_local_reserved_ports);
+@@ -310,9 +310,10 @@ static inline unsigned int ip_skb_dst_mtu(const struct sk_buff *skb)
+ }
+ }
+
+-void __ip_select_ident(struct iphdr *iph, struct dst_entry *dst, int more);
++u32 ip_idents_reserve(u32 hash, int segs) __intentional_overflow(-1);
++void __ip_select_ident(struct iphdr *iph, int segs);
+
+-static inline void ip_select_ident(struct sk_buff *skb, struct dst_entry *dst, struct sock *sk)
++static inline void ip_select_ident_segs(struct sk_buff *skb, struct sock *sk, int segs)
+ {
+ struct iphdr *iph = ip_hdr(skb);
+
+@@ -322,24 +323,20 @@ static inline void ip_select_ident(struct sk_buff *skb, struct dst_entry *dst, s
+ * does not change, they drop every other packet in
+ * a TCP stream using header compression.
+ */
+- iph->id = (sk && inet_sk(sk)->inet_daddr) ?
+- htons(inet_sk(sk)->inet_id++) : 0;
+- } else
+- __ip_select_ident(iph, dst, 0);
+-}
+-
+-static inline void ip_select_ident_more(struct sk_buff *skb, struct dst_entry *dst, struct sock *sk, int more)
+-{
+- struct iphdr *iph = ip_hdr(skb);
+-
+- if ((iph->frag_off & htons(IP_DF)) && !skb->local_df) {
+ if (sk && inet_sk(sk)->inet_daddr) {
+ iph->id = htons(inet_sk(sk)->inet_id);
+- inet_sk(sk)->inet_id += 1 + more;
+- } else
++ inet_sk(sk)->inet_id += segs;
++ } else {
+ iph->id = 0;
+- } else
+- __ip_select_ident(iph, dst, more);
++ }
++ } else {
++ __ip_select_ident(iph, segs);
++ }
++}
++
++static inline void ip_select_ident(struct sk_buff *skb, struct sock *sk)
++{
++ ip_select_ident_segs(skb, sk, 1);
+ }
+
+ /*
diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
index 9922093..a1755d6 100644
--- a/include/net/ip_fib.h
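Review bot: `ip_select_ident_segs()` carries no comment saying what `segs` counts, and the meaning differs from the helper it replaces. The removed `ip_select_ident_more()` took the number of extra IDs (`inet_id += 1 + more`), whereas the new one takes the total (`inet_id += segs`). A caller converted without adjusting for that would repeat or skip IDs without any warning. I would add above the helper `/* segs: number of IP IDs this skb consumes (>= 1); ip_select_ident() passes 1, GSO paths pass gso_segs */`. The same convention applies to the `__ip_select_ident(iph, segs)` prototype in this hunk.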
@@ -83745,6 +83933,19 @@ index 5679d92..2e7a690 100644
/* ip_vs_est */
struct list_head est_list; /* estimator list */
spinlock_t est_lock;
+diff --git a/include/net/ipv6.h b/include/net/ipv6.h
+index d640925..d681568 100644
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -660,8 +660,6 @@ static inline int ipv6_addr_diff(const struct in6_addr *a1, const struct in6_add
+ return __ipv6_addr_diff(a1, a2, sizeof(struct in6_addr));
+ }
+
+-void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt);
+-
+ int ip6_dst_hoplimit(struct dst_entry *dst);
+
+ /*
diff --git a/include/net/irda/ircomm_tty.h b/include/net/irda/ircomm_tty.h
index 8d4f588..2e37ad2 100644
--- a/include/net/irda/ircomm_tty.h
@@ -84158,6 +84359,19 @@ index 0dfcc92..7967849 100644
/* Structure to track chunk fragments that have been acked, but peer
+diff --git a/include/net/secure_seq.h b/include/net/secure_seq.h
+index f257486..3f36d45 100644
+--- a/include/net/secure_seq.h
++++ b/include/net/secure_seq.h
+@@ -3,8 +3,6 @@
+
+ #include <linux/types.h>
+
+-__u32 secure_ip_id(__be32 daddr);
+-__u32 secure_ipv6_id(const __be32 daddr[4]);
+ u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
+ u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
+ __be16 dport);
diff --git a/include/net/sock.h b/include/net/sock.h
index f5a7e22..043b85f 100644
--- a/include/net/sock.h
@@ -91514,7 +91728,7 @@ index ff70271..e1e8cf1 100644
*data_page = bpage;
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
-index 4dcbf7d..dc24fdc 100644
+index e1baa92f..7b2e345 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -3461,7 +3461,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set)
@@ -91540,10 +91754,10 @@ index 99676cd..670b9e8 100644
/*
* Normal trace_printk() and friends allocates special buffers
diff --git a/kernel/trace/trace_clock.c b/kernel/trace/trace_clock.c
-index 26dc348..8708ca7 100644
+index 57b67b1..66082a9 100644
--- a/kernel/trace/trace_clock.c
+++ b/kernel/trace/trace_clock.c
-@@ -123,7 +123,7 @@ u64 notrace trace_clock_global(void)
+@@ -124,7 +124,7 @@ u64 notrace trace_clock_global(void)
return now;
}
@@ -91552,7 +91766,7 @@ index 26dc348..8708ca7 100644
/*
* trace_clock_counter(): simply an atomic counter.
-@@ -132,5 +132,5 @@ static atomic64_t trace_counter;
+@@ -133,5 +133,5 @@ static atomic64_t trace_counter;
*/
u64 notrace trace_clock_counter(void)
{
@@ -92592,7 +92806,7 @@ index b32b70c..e512eb0 100644
set_page_address(page, (void *)vaddr);
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
-index a646f15..f55da4c 100644
+index 002f08e..68f11e8 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -2107,6 +2107,7 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
@@ -92639,7 +92853,7 @@ index a646f15..f55da4c 100644
if (ret)
goto out;
-@@ -2654,6 +2658,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2655,6 +2659,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
return 1;
}
@@ -92667,7 +92881,7 @@ index a646f15..f55da4c 100644
/*
* Hugetlb_cow() should be called with page lock of the original hugepage held.
* Called with hugetlb_instantiation_mutex held and pte_page locked so we
-@@ -2771,6 +2796,11 @@ retry_avoidcopy:
+@@ -2772,6 +2797,11 @@ retry_avoidcopy:
make_huge_pte(vma, new_page, 1));
page_remove_rmap(old_page);
hugepage_add_new_anon_rmap(new_page, vma, address);
@@ -92679,7 +92893,7 @@ index a646f15..f55da4c 100644
/* Make the old page be freed below */
new_page = old_page;
}
-@@ -2930,6 +2960,10 @@ retry:
+@@ -2931,6 +2961,10 @@ retry:
&& (vma->vm_flags & VM_SHARED)));
set_huge_pte_at(mm, address, ptep, new_pte);
@@ -92690,7 +92904,7 @@ index a646f15..f55da4c 100644
if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
/* Optimization, do the COW without a second fault */
ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page, ptl);
-@@ -2996,6 +3030,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2997,6 +3031,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
struct hstate *h = hstate_vma(vma);
struct address_space *mapping;
@@ -92701,7 +92915,7 @@ index a646f15..f55da4c 100644
address &= huge_page_mask(h);
ptep = huge_pte_offset(mm, address);
-@@ -3009,6 +3047,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3010,6 +3048,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
VM_FAULT_SET_HINDEX(hstate_index(h));
}
@@ -92913,6 +93127,23 @@ index a402f8f..f5e5daa 100644
error = 0;
if (end == start)
return error;
+diff --git a/mm/memcontrol.c b/mm/memcontrol.c
+index 67c927a..fe99d96 100644
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -5544,8 +5544,12 @@ static int mem_cgroup_oom_notify_cb(struct mem_cgroup *memcg)
+ {
+ struct mem_cgroup_eventfd_list *ev;
+
++ spin_lock(&memcg_oom_lock);
++
+ list_for_each_entry(ev, &memcg->oom_notify, list)
+ eventfd_signal(ev->eventfd, 1);
++
++ spin_unlock(&memcg_oom_lock);
+ return 0;
+ }
+
diff --git a/mm/memory-failure.c b/mm/memory-failure.c
index eb8fb72..ae36cf3 100644
--- a/mm/memory-failure.c
@@ -93044,7 +93275,7 @@ index eb8fb72..ae36cf3 100644
}
unset_migratetype_isolate(page, MIGRATE_MOVABLE);
diff --git a/mm/memory.c b/mm/memory.c
-index e302ae1..779c7ce 100644
+index 4f9e530..779c7ce 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -413,6 +413,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
@@ -93538,7 +93769,7 @@ index e302ae1..779c7ce 100644
* if page by the offset is not ready to be mapped (cold cache or
* something).
*/
-- if (vma->vm_ops->map_pages) {
+- if (vma->vm_ops->map_pages && !(flags & FAULT_FLAG_NONLINEAR)) {
+ if (vma->vm_ops->map_pages && !(flags & FAULT_FLAG_NONLINEAR) &&
+ fault_around_pages() > 1) {
pte = pte_offset_map_lock(mm, pmd, address, &ptl);
@@ -96163,7 +96394,7 @@ index 6bd4c35..97565a1 100644
if (slab_equal_or_root(cachep, s))
return cachep;
diff --git a/mm/slab_common.c b/mm/slab_common.c
-index 102cc6f..c7aab3d 100644
+index b810fba..ae882bf 100644
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -23,11 +23,22 @@
@@ -98154,7 +98385,7 @@ index 1948d59..9e854d5 100644
switch (ss->ss_family) {
diff --git a/net/compat.c b/net/compat.c
-index 9a76eaf..5b8ccfd 100644
+index 9a76eaf..f9c070c 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -73,9 +73,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
@@ -98170,17 +98401,28 @@ index 9a76eaf..5b8ccfd 100644
return 0;
}
-@@ -87,7 +87,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+@@ -85,21 +85,22 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+ {
+ int tot_len;
- if (kern_msg->msg_namelen) {
+- if (kern_msg->msg_namelen) {
++ if (kern_msg->msg_name && kern_msg->msg_namelen) {
if (mode == VERIFY_READ) {
- int err = move_addr_to_kernel(kern_msg->msg_name,
+ int err = move_addr_to_kernel((void __force_user *)kern_msg->msg_name,
kern_msg->msg_namelen,
kern_address);
if (err < 0)
-@@ -99,7 +99,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+ return err;
+ }
+- if (kern_msg->msg_name)
+- kern_msg->msg_name = kern_address;
+- } else
++ kern_msg->msg_name = kern_address;
++ } else {
kern_msg->msg_name = NULL;
++ kern_msg->msg_namelen = 0;
++ }
tot_len = iov_from_user_compat_to_kern(kern_iov,
- (struct compat_iovec __user *)kern_msg->msg_iov,
@@ -98188,7 +98430,7 @@ index 9a76eaf..5b8ccfd 100644
kern_msg->msg_iovlen);
if (tot_len >= 0)
kern_msg->msg_iov = kern_iov;
-@@ -119,20 +119,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+@@ -119,20 +120,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
#define CMSG_COMPAT_FIRSTHDR(msg) \
(((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \
@@ -98212,7 +98454,7 @@ index 9a76eaf..5b8ccfd 100644
msg->msg_controllen)
return NULL;
return (struct compat_cmsghdr __user *)ptr;
-@@ -222,7 +222,7 @@ Efault:
+@@ -222,7 +223,7 @@ Efault:
int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *data)
{
@@ -98221,7 +98463,7 @@ index 9a76eaf..5b8ccfd 100644
struct compat_cmsghdr cmhdr;
struct compat_timeval ctv;
struct compat_timespec cts[3];
-@@ -278,7 +278,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
+@@ -278,7 +279,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
{
@@ -98230,7 +98472,7 @@ index 9a76eaf..5b8ccfd 100644
int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
int fdnum = scm->fp->count;
struct file **fp = scm->fp->fp;
-@@ -366,7 +366,7 @@ static int do_set_sock_timeout(struct socket *sock, int level,
+@@ -366,7 +367,7 @@ static int do_set_sock_timeout(struct socket *sock, int level,
return -EFAULT;
old_fs = get_fs();
set_fs(KERNEL_DS);
@@ -98239,7 +98481,7 @@ index 9a76eaf..5b8ccfd 100644
set_fs(old_fs);
return err;
-@@ -427,7 +427,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
+@@ -427,7 +428,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
len = sizeof(ktime);
old_fs = get_fs();
set_fs(KERNEL_DS);
@@ -98248,7 +98490,7 @@ index 9a76eaf..5b8ccfd 100644
set_fs(old_fs);
if (!err) {
-@@ -570,7 +570,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
+@@ -570,7 +571,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
case MCAST_JOIN_GROUP:
case MCAST_LEAVE_GROUP:
{
@@ -98257,7 +98499,7 @@ index 9a76eaf..5b8ccfd 100644
struct group_req __user *kgr =
compat_alloc_user_space(sizeof(struct group_req));
u32 interface;
-@@ -591,7 +591,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
+@@ -591,7 +592,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
case MCAST_BLOCK_SOURCE:
case MCAST_UNBLOCK_SOURCE:
{
@@ -98266,7 +98508,7 @@ index 9a76eaf..5b8ccfd 100644
struct group_source_req __user *kgsr = compat_alloc_user_space(
sizeof(struct group_source_req));
u32 interface;
-@@ -612,7 +612,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
+@@ -612,7 +613,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
}
case MCAST_MSFILTER:
{
@@ -98275,7 +98517,7 @@ index 9a76eaf..5b8ccfd 100644
struct group_filter __user *kgf;
u32 interface, fmode, numsrc;
-@@ -650,7 +650,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
+@@ -650,7 +651,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
char __user *optval, int __user *optlen,
int (*getsockopt)(struct sock *, int, int, char __user *, int __user *))
{
@@ -98284,7 +98526,7 @@ index 9a76eaf..5b8ccfd 100644
struct group_filter __user *kgf;
int __user *koptlen;
u32 interface, fmode, numsrc;
-@@ -803,7 +803,7 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args)
+@@ -803,7 +804,7 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args)
if (call < SYS_SOCKET || call > SYS_SENDMMSG)
return -EINVAL;
@@ -98477,11 +98719,15 @@ index a0348fd..6951c76 100644
fle->object = flo;
else
diff --git a/net/core/iovec.c b/net/core/iovec.c
-index b618694..192bbba 100644
+index b618694..cd5f0af 100644
--- a/net/core/iovec.c
+++ b/net/core/iovec.c
-@@ -42,7 +42,7 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *a
- if (m->msg_namelen) {
+@@ -39,23 +39,23 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *a
+ {
+ int size, ct, err;
+
+- if (m->msg_namelen) {
++ if (m->msg_name && m->msg_namelen) {
if (mode == VERIFY_READ) {
void __user *namep;
- namep = (void __user __force *) m->msg_name;
@@ -98489,7 +98735,14 @@ index b618694..192bbba 100644
err = move_addr_to_kernel(namep, m->msg_namelen,
address);
if (err < 0)
-@@ -55,7 +55,7 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *a
+ return err;
+ }
+- if (m->msg_name)
+- m->msg_name = address;
++ m->msg_name = address;
+ } else {
+ m->msg_name = NULL;
++ m->msg_namelen = 0;
}
size = m->msg_iovlen * sizeof(struct iovec);
@@ -98764,6 +99017,42 @@ index b442e7e..6f5b5a2 100644
i++, cmfptr++)
{
struct socket *sock;
+diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c
+index 897da56..ba71212 100644
+--- a/net/core/secure_seq.c
++++ b/net/core/secure_seq.c
+@@ -85,31 +85,6 @@ EXPORT_SYMBOL(secure_ipv6_port_ephemeral);
+ #endif
+
+ #ifdef CONFIG_INET
+-__u32 secure_ip_id(__be32 daddr)
+-{
+- u32 hash[MD5_DIGEST_WORDS];
+-
+- net_secret_init();
+- hash[0] = (__force __u32) daddr;
+- hash[1] = net_secret[13];
+- hash[2] = net_secret[14];
+- hash[3] = net_secret[15];
+-
+- md5_transform(hash, net_secret);
+-
+- return hash[0];
+-}
+-
+-__u32 secure_ipv6_id(const __be32 daddr[4])
+-{
+- __u32 hash[4];
+-
+- net_secret_init();
+- memcpy(hash, daddr, 16);
+- md5_transform(hash, net_secret);
+-
+- return hash[0];
+-}
+
+ __u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
+ __be16 sport, __be16 dport)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 9433047..8763e83 100644
--- a/net/core/skbuff.c
@@ -99270,6 +99559,28 @@ index b10cd43a..22327f9 100644
return nh->nh_saddr;
}
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index 9db3b87..0ffcd4d 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -369,7 +369,7 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size)
+ pip->saddr = fl4.saddr;
+ pip->protocol = IPPROTO_IGMP;
+ pip->tot_len = 0; /* filled in later */
+- ip_select_ident(skb, &rt->dst, NULL);
++ ip_select_ident(skb, NULL);
+ ((u8 *)&pip[1])[0] = IPOPT_RA;
+ ((u8 *)&pip[1])[1] = 4;
+ ((u8 *)&pip[1])[2] = 0;
+@@ -714,7 +714,7 @@ static int igmp_send_report(struct in_device *in_dev, struct ip_mc_list *pmc,
+ iph->daddr = dst;
+ iph->saddr = fl4.saddr;
+ iph->protocol = IPPROTO_IGMP;
+- ip_select_ident(skb, &rt->dst, NULL);
++ ip_select_ident(skb, NULL);
+ ((u8 *)&iph[1])[0] = IPOPT_RA;
+ ((u8 *)&iph[1])[1] = 4;
+ ((u8 *)&iph[1])[2] = 0;
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index a56b8e6..5be2a30 100644
--- a/net/ipv4/inet_connection_sock.c
@@ -99314,20 +99625,51 @@ index 8b9cf27..0d8d592 100644
inet_twsk_deschedule(tw, death_row);
while (twrefcnt) {
diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
-index 48f4244..f56d83a 100644
+index 48f4244..d83ba8a 100644
--- a/net/ipv4/inetpeer.c
+++ b/net/ipv4/inetpeer.c
-@@ -496,8 +496,8 @@ relookup:
+@@ -26,20 +26,7 @@
+ * Theory of operations.
+ * We keep one entry for each peer IP address. The nodes contains long-living
+ * information about the peer which doesn't depend on routes.
+- * At this moment this information consists only of ID field for the next
+- * outgoing IP packet. This field is incremented with each packet as encoded
+- * in inet_getid() function (include/net/inetpeer.h).
+- * At the moment of writing this notes identifier of IP packets is generated
+- * to be unpredictable using this code only for packets subjected
+- * (actually or potentially) to defragmentation. I.e. DF packets less than
+- * PMTU in size when local fragmentation is disabled use a constant ID and do
+- * not use this code (see ip_select_ident() in include/net/ip.h).
+ *
+- * Route cache entries hold references to our nodes.
+- * New cache entries get references via lookup by destination IP address in
+- * the avl tree. The reference is grabbed only when it's needed i.e. only
+- * when we try to output IP packet which needs an unpredictable ID (see
+- * __ip_select_ident() in net/ipv4/route.c).
+ * Nodes are removed only when reference counter goes to 0.
+ * When it's happened the node may be removed when a sufficient amount of
+ * time has been passed since its last use. The less-recently-used entry can
+@@ -62,7 +49,6 @@
+ * refcnt: atomically against modifications on other CPU;
+ * usually under some other lock to prevent node disappearing
+ * daddr: unchangeable
+- * ip_id_count: atomic value (no lock needed)
+ */
+
+ static struct kmem_cache *peer_cachep __read_mostly;
+@@ -496,11 +482,7 @@ relookup:
if (p) {
p->daddr = *daddr;
atomic_set(&p->refcnt, 1);
- atomic_set(&p->rid, 0);
- atomic_set(&p->ip_id_count,
+- (daddr->family == AF_INET) ?
+- secure_ip_id(daddr->addr.a4) :
+- secure_ipv6_id(daddr->addr.a6));
+ atomic_set_unchecked(&p->rid, 0);
-+ atomic_set_unchecked(&p->ip_id_count,
- (daddr->family == AF_INET) ?
- secure_ip_id(daddr->addr.a4) :
- secure_ipv6_id(daddr->addr.a6));
+ p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
+ p->rate_tokens = 0;
+ /* 60*HZ is arbitrary, but chosen enough high so that the first
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index ed32313..3762abe 100644
--- a/net/ipv4/ip_fragment.c
@@ -99410,6 +99752,38 @@ index 94213c8..8bdb342 100644
.kind = "gretap",
.maxtype = IFLA_GRE_MAX,
.policy = ipgre_policy,
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index a52f501..4ecc160 100644
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -148,7 +148,7 @@ int ip_build_and_send_pkt(struct sk_buff *skb, struct sock *sk,
+ iph->daddr = (opt && opt->opt.srr ? opt->opt.faddr : daddr);
+ iph->saddr = saddr;
+ iph->protocol = sk->sk_protocol;
+- ip_select_ident(skb, &rt->dst, sk);
++ ip_select_ident(skb, sk);
+
+ if (opt && opt->opt.optlen) {
+ iph->ihl += opt->opt.optlen>>2;
+@@ -430,8 +430,7 @@ packet_routed:
+ ip_options_build(skb, &inet_opt->opt, inet->inet_daddr, rt, 0);
+ }
+
+- ip_select_ident_more(skb, &rt->dst, sk,
+- (skb_shinfo(skb)->gso_segs ?: 1) - 1);
++ ip_select_ident_segs(skb, sk, skb_shinfo(skb)->gso_segs ?: 1);
+
+ /* TODO : should we use skb->sk here instead of sk ? */
+ skb->priority = sk->sk_priority;
+@@ -1379,7 +1378,7 @@ struct sk_buff *__ip_make_skb(struct sock *sk,
+ iph->ttl = ttl;
+ iph->protocol = sk->sk_protocol;
+ ip_copy_addrs(iph, fl4);
+- ip_select_ident(skb, &rt->dst, sk);
++ ip_select_ident(skb, sk);
+
+ if (opt) {
+ iph->ihl += opt->optlen>>2;
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 64741b9..6f334a2 100644
--- a/net/ipv4/ip_sockglue.c
@@ -99433,6 +99807,19 @@ index 64741b9..6f334a2 100644
msg.msg_controllen = len;
msg.msg_flags = flags;
+diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
+index bcf206c..847e69c 100644
+--- a/net/ipv4/ip_tunnel_core.c
++++ b/net/ipv4/ip_tunnel_core.c
+@@ -74,7 +74,7 @@ int iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb,
+ iph->daddr = dst;
+ iph->saddr = src;
+ iph->ttl = ttl;
+- __ip_select_ident(iph, &rt->dst, (skb_shinfo(skb)->gso_segs ?: 1) - 1);
++ __ip_select_ident(iph, skb_shinfo(skb)->gso_segs ?: 1);
+
+ err = ip_local_out_sk(sk, skb);
+ if (unlikely(net_xmit_eval(err)))
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index 13ef00f..8ffca25 100644
--- a/net/ipv4/ip_vti.c
@@ -99508,6 +99895,19 @@ index 62eaa00..29b2dc2 100644
.kind = "ipip",
.maxtype = IFLA_IPTUN_MAX,
.policy = ipip_policy,
+diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
+index d84dc8d..d11a50d 100644
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -1663,7 +1663,7 @@ static void ip_encap(struct sk_buff *skb, __be32 saddr, __be32 daddr)
+ iph->protocol = IPPROTO_IPIP;
+ iph->ihl = 5;
+ iph->tot_len = htons(skb->len);
+- ip_select_ident(skb, skb_dst(skb), NULL);
++ ip_select_ident(skb, NULL);
+ ip_send_check(iph);
+
+ memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index f95b6f9..2ee2097 100644
--- a/net/ipv4/netfilter/arp_tables.c
@@ -99724,7 +100124,7 @@ index 044a0dd..e0c1971 100644
static int ping_v4_seq_show(struct seq_file *seq, void *v)
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
-index a9dbe58..46f577f 100644
+index a9dbe58..b54c00e 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -311,7 +311,7 @@ static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb)
@@ -99736,6 +100136,15 @@ index a9dbe58..46f577f 100644
kfree_skb(skb);
return NET_RX_DROP;
}
+@@ -389,7 +389,7 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4,
+ iph->check = 0;
+ iph->tot_len = htons(length);
+ if (!iph->id)
+- ip_select_ident(skb, &rt->dst, NULL);
++ ip_select_ident(skb, NULL);
+
+ iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
+ }
@@ -696,6 +696,9 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
if (flags & MSG_OOB)
goto out;
@@ -99797,10 +100206,18 @@ index a9dbe58..46f577f 100644
static int raw_seq_show(struct seq_file *seq, void *v)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
-index be9f2b1..29f966d 100644
+index be9f2b1..aae0ac9 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
-@@ -227,7 +227,7 @@ static const struct seq_operations rt_cache_seq_ops = {
+@@ -89,6 +89,7 @@
+ #include <linux/rcupdate.h>
+ #include <linux/times.h>
+ #include <linux/slab.h>
++#include <linux/jhash.h>
+ #include <net/dst.h>
+ #include <net/net_namespace.h>
+ #include <net/protocol.h>
+@@ -227,7 +228,7 @@ static const struct seq_operations rt_cache_seq_ops = {
static int rt_cache_seq_open(struct inode *inode, struct file *file)
{
@@ -99809,7 +100226,7 @@ index be9f2b1..29f966d 100644
}
static const struct file_operations rt_cache_seq_fops = {
-@@ -318,7 +318,7 @@ static const struct seq_operations rt_cpu_seq_ops = {
+@@ -318,7 +319,7 @@ static const struct seq_operations rt_cpu_seq_ops = {
static int rt_cpu_seq_open(struct inode *inode, struct file *file)
{
@@ -99818,7 +100235,7 @@ index be9f2b1..29f966d 100644
}
static const struct file_operations rt_cpu_seq_fops = {
-@@ -356,7 +356,7 @@ static int rt_acct_proc_show(struct seq_file *m, void *v)
+@@ -356,7 +357,7 @@ static int rt_acct_proc_show(struct seq_file *m, void *v)
static int rt_acct_proc_open(struct inode *inode, struct file *file)
{
@@ -99827,7 +100244,78 @@ index be9f2b1..29f966d 100644
}
static const struct file_operations rt_acct_proc_fops = {
-@@ -2611,34 +2611,34 @@ static struct ctl_table ipv4_route_flush_table[] = {
+@@ -456,39 +457,45 @@ static struct neighbour *ipv4_neigh_lookup(const struct dst_entry *dst,
+ return neigh_create(&arp_tbl, pkey, dev);
+ }
+
+-/*
+- * Peer allocation may fail only in serious out-of-memory conditions. However
+- * we still can generate some output.
+- * Random ID selection looks a bit dangerous because we have no chances to
+- * select ID being unique in a reasonable period of time.
+- * But broken packet identifier may be better than no packet at all.
++#define IP_IDENTS_SZ 2048u
++struct ip_ident_bucket {
++ atomic_unchecked_t id;
++ u32 stamp32;
++};
++
++static struct ip_ident_bucket *ip_idents __read_mostly;
++
++/* In order to protect privacy, we add a perturbation to identifiers
++ * if one generator is seldom used. This makes hard for an attacker
++ * to infer how many packets were sent between two points in time.
+ */
+-static void ip_select_fb_ident(struct iphdr *iph)
++u32 ip_idents_reserve(u32 hash, int segs)
+ {
+- static DEFINE_SPINLOCK(ip_fb_id_lock);
+- static u32 ip_fallback_id;
+- u32 salt;
++ struct ip_ident_bucket *bucket = ip_idents + hash % IP_IDENTS_SZ;
++ u32 old = ACCESS_ONCE(bucket->stamp32);
++ u32 now = (u32)jiffies;
++ u32 delta = 0;
+
+- spin_lock_bh(&ip_fb_id_lock);
+- salt = secure_ip_id((__force __be32)ip_fallback_id ^ iph->daddr);
+- iph->id = htons(salt & 0xFFFF);
+- ip_fallback_id = salt;
+- spin_unlock_bh(&ip_fb_id_lock);
++ if (old != now && cmpxchg(&bucket->stamp32, old, now) == old)
++ delta = prandom_u32_max(now - old);
++
++ return atomic_add_return_unchecked(segs + delta, &bucket->id) - segs;
+ }
++EXPORT_SYMBOL(ip_idents_reserve);
+
+-void __ip_select_ident(struct iphdr *iph, struct dst_entry *dst, int more)
++void __ip_select_ident(struct iphdr *iph, int segs)
+ {
+- struct net *net = dev_net(dst->dev);
+- struct inet_peer *peer;
++ static u32 ip_idents_hashrnd __read_mostly;
++ u32 hash, id;
+
+- peer = inet_getpeer_v4(net->ipv4.peers, iph->daddr, 1);
+- if (peer) {
+- iph->id = htons(inet_getid(peer, more));
+- inet_putpeer(peer);
+- return;
+- }
++ net_get_random_once(&ip_idents_hashrnd, sizeof(ip_idents_hashrnd));
+
+- ip_select_fb_ident(iph);
++ hash = jhash_3words((__force u32)iph->daddr,
++ (__force u32)iph->saddr,
++ iph->protocol,
++ ip_idents_hashrnd);
++ id = ip_idents_reserve(hash, segs);
++ iph->id = htons(id);
+ }
+ EXPORT_SYMBOL(__ip_select_ident);
+
+@@ -2611,34 +2618,34 @@ static struct ctl_table ipv4_route_flush_table[] = {
.maxlen = sizeof(int),
.mode = 0200,
.proc_handler = ipv4_sysctl_rtcache_flush,
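Review bot: The comment above `ip_idents_reserve` promises that an observer cannot infer packet counts, but in this hunk that rests on `jhash_3words` keyed with the 32-bit `ip_idents_hashrnd` and a `prandom_u32_max` perturbation. Neither is a cryptographic primitive, and every flow that hashes to the same one of the `IP_IDENTS_SZ` buckets shares a counter. I would state that limit in the comment, for example `/* bucket choice uses jhash with a 32-bit key: it spreads flows, it is not a secret-keeping PRF */`, so later callers do not treat the ids as unguessable. The comment also omits the return contract: from the arithmetic, `ip_idents_reserve` returns the first of `segs` consecutive ids, which deserves one line now that `__ip_select_ident` takes a segment count instead of `more`.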
@@ -99870,7 +100358,7 @@ index be9f2b1..29f966d 100644
err_dup:
return -ENOMEM;
}
-@@ -2661,8 +2661,8 @@ static __net_initdata struct pernet_operations sysctl_route_ops = {
+@@ -2661,8 +2668,8 @@ static __net_initdata struct pernet_operations sysctl_route_ops = {
static __net_init int rt_genid_init(struct net *net)
{
@@ -99881,6 +100369,19 @@ index be9f2b1..29f966d 100644
get_random_bytes(&net->ipv4.dev_addr_genid,
sizeof(net->ipv4.dev_addr_genid));
return 0;
+@@ -2705,6 +2712,12 @@ int __init ip_rt_init(void)
+ {
+ int rc = 0;
+
++ ip_idents = kmalloc(IP_IDENTS_SZ * sizeof(*ip_idents), GFP_KERNEL);
++ if (!ip_idents)
++ panic("IP: failed to allocate ip_idents\n");
++
++ prandom_bytes(ip_idents, IP_IDENTS_SZ * sizeof(*ip_idents));
++
+ #ifdef CONFIG_IP_ROUTE_CLASSID
+ ip_rt_acct = __alloc_percpu(256 * sizeof(struct ip_rt_acct), __alignof__(struct ip_rt_acct));
+ if (!ip_rt_acct)
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 5cde8f2..5f5684e 100644
--- a/net/ipv4/sysctl_net_ipv4.c
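Review bot: The initial `id` and `stamp32` of every bucket are filled by `prandom_bytes`, the non-cryptographic PRNG, and how well it is seeded by the time `ip_rt_init` runs is not visible here. The context lines at the top of this hunk already use `get_random_bytes` for `net->ipv4.dev_addr_genid`. Using the same source, `get_random_bytes(ip_idents, IP_IDENTS_SZ * sizeof(*ip_idents));`, keeps the table's starting state off the predictable generator. The allocation would also read more conventionally as `kmalloc_array(IP_IDENTS_SZ, sizeof(*ip_idents), GFP_KERNEL)`. `ip_rt_init` continues past the end of the hunk.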
@@ -100177,6 +100678,33 @@ index 286227a..c495a76 100644
if (retransmits_timed_out(sk, retry_until,
syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
/* Has it gone just too far? */
+diff --git a/net/ipv4/tcp_vegas.c b/net/ipv4/tcp_vegas.c
+index 48539ff..08c8ab4 100644
+--- a/net/ipv4/tcp_vegas.c
++++ b/net/ipv4/tcp_vegas.c
+@@ -219,7 +219,8 @@ static void tcp_vegas_cong_avoid(struct sock *sk, u32 ack, u32 acked,
+ * This is:
+ * (actual rate in segments) * baseRTT
+ */
+- target_cwnd = tp->snd_cwnd * vegas->baseRTT / rtt;
++ target_cwnd = (u64)tp->snd_cwnd * vegas->baseRTT;
++ do_div(target_cwnd, rtt);
+
+ /* Calculate the difference between the window we had,
+ * and the window we would like to have. This quantity
+diff --git a/net/ipv4/tcp_veno.c b/net/ipv4/tcp_veno.c
+index 1b8e28f..4cd4e1b 100644
+--- a/net/ipv4/tcp_veno.c
++++ b/net/ipv4/tcp_veno.c
+@@ -145,7 +145,7 @@ static void tcp_veno_cong_avoid(struct sock *sk, u32 ack, u32 acked,
+
+ rtt = veno->minrtt;
+
+- target_cwnd = (tp->snd_cwnd * veno->basertt);
++ target_cwnd = (u64)tp->snd_cwnd * veno->basertt;
+ target_cwnd <<= V_PARAM_SHIFT;
+ do_div(target_cwnd, rtt);
+
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 54a5fe9..78fea00 100644
--- a/net/ipv4/udp.c
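Review bot: Neither `tcp_vegas_cong_avoid` nor `tcp_veno_cong_avoid` says why the `(u64)` cast is there, yet it is the only thing that makes the multiplication 64-bit. Without a comment, a later cleanup can drop it and bring the 32-bit wrap back. I would add `/* widen first: snd_cwnd * baseRTT can exceed 32 bits */` above the vegas line and the equivalent above the veno line. `do_div` also needs `target_cwnd` to be a 64-bit lvalue and `rtt` to be non-zero; the declaration and any zero check sit outside these hunks, so confirm both against the full functions.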
@@ -100316,6 +100844,24 @@ index 54a5fe9..78fea00 100644
}
int udp4_seq_show(struct seq_file *seq, void *v)
+diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c
+index 05f2b48..91771a7 100644
+--- a/net/ipv4/xfrm4_mode_tunnel.c
++++ b/net/ipv4/xfrm4_mode_tunnel.c
+@@ -58,12 +58,12 @@ static int xfrm4_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
+
+ top_iph->frag_off = (flags & XFRM_STATE_NOPMTUDISC) ?
+ 0 : (XFRM_MODE_SKB_CB(skb)->frag_off & htons(IP_DF));
+- ip_select_ident(skb, dst->child, NULL);
+
+ top_iph->ttl = ip4_dst_hoplimit(dst->child);
+
+ top_iph->saddr = x->props.saddr.a4;
+ top_iph->daddr = x->id.daddr.a4;
++ ip_select_ident(skb, NULL);
+
+ return 0;
+ }
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 6156f68..d6ab46d 100644
--- a/net/ipv4/xfrm4_policy.c
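Review bot: Moving `ip_select_ident(skb, NULL)` below the `top_iph->saddr` and `top_iph->daddr` assignments in `xfrm4_mode_tunnel_output` creates an ordering requirement that nothing in the code states. The new `__ip_select_ident` in net/ipv4/route.c (presumably what `ip_select_ident` ends up calling) hashes `iph->daddr`, `iph->saddr` and `iph->protocol`, so a call made before those fields are written would pick a bucket from stale header bytes. A comment on the call, such as `/* must follow saddr/daddr/protocol: the id bucket is hashed from them */`, would keep it from being moved back. Where `top_iph->protocol` is set is outside the hunk, so confirm it also precedes the call. The same ordering applies to the other converted call sites in this patch (`iptunnel_xmit`, `ip_encap`, `raw_send_hdrinc`, `ip_vs_tunnel_xmit`).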
@@ -100529,6 +101075,31 @@ index 9d92146..d986c6a 100644
.kind = "ip6gretap",
.maxtype = IFLA_GRE_MAX,
.policy = ip6gre_policy,
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index fbf1156..1362d3a 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -537,6 +537,20 @@ static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
+ skb_copy_secmark(to, from);
+ }
+
++static void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
++{
++ static u32 ip6_idents_hashrnd __read_mostly;
++ u32 hash, id;
++
++ net_get_random_once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd));
++
++ hash = __ipv6_addr_jhash(&rt->rt6i_dst.addr, ip6_idents_hashrnd);
++ hash = __ipv6_addr_jhash(&rt->rt6i_src.addr, hash);
++
++ id = ip_idents_reserve(hash, 1);
++ fhdr->identification = htonl(id);
++}
++
+ int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
+ {
+ struct sk_buff *frag;
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index afa0824..04ba530 100644
--- a/net/ipv6/ip6_tunnel.c
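Review bot: `ipv6_select_ident` picks the bucket from `rt->rt6i_dst.addr` and `rt->rt6i_src.addr`, which are the route entry's keys; whether they equal the packet's own addresses depends on the route being a per-destination entry, which the hunk does not show. If a prefix route can reach here, every destination behind it shares one counter, which weakens the per-flow separation the IPv4 side gets from hashing the header fields. Hashing the source and destination from the IPv6 header would avoid the question. Failing that, a comment such as `/* rt is expected to be a host route; a prefix route shares the counter across its destinations */` should record the assumption.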
@@ -100678,27 +101249,42 @@ index 767ab8d..c5ec70a 100644
return -ENOMEM;
}
diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
-index 56596ce..c734618 100644
+index 56596ce..ffa0293 100644
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
-@@ -10,7 +10,7 @@
+@@ -8,32 +8,6 @@
+ #include <net/addrconf.h>
+ #include <net/secure_seq.h>
- void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
- {
+-void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
+-{
- static atomic_t ipv6_fragmentation_id;
-+ static atomic_unchecked_t ipv6_fragmentation_id;
- struct in6_addr addr;
- int ident;
-
-@@ -26,7 +26,7 @@ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
- return;
- }
- #endif
+- struct in6_addr addr;
+- int ident;
+-
+-#if IS_ENABLED(CONFIG_IPV6)
+- struct inet_peer *peer;
+- struct net *net;
+-
+- net = dev_net(rt->dst.dev);
+- peer = inet_getpeer_v6(net->ipv6.peers, &rt->rt6i_dst.addr, 1);
+- if (peer) {
+- fhdr->identification = htonl(inet_getid(peer, 0));
+- inet_putpeer(peer);
+- return;
+- }
+-#endif
- ident = atomic_inc_return(&ipv6_fragmentation_id);
-+ ident = atomic_inc_return_unchecked(&ipv6_fragmentation_id);
-
- addr = rt->rt6i_dst.addr;
- addr.s6_addr32[0] ^= (__force __be32)ident;
+-
+- addr = rt->rt6i_dst.addr;
+- addr.s6_addr32[0] ^= (__force __be32)ident;
+- fhdr->identification = htonl(secure_ipv6_id(addr.s6_addr32));
+-}
+-EXPORT_SYMBOL(ipv6_select_ident);
+-
+ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+ {
+ u16 offset = sizeof(struct ipv6hdr);
diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c
index bda7429..469b26b 100644
--- a/net/ipv6/ping.c
@@ -101865,9 +102451,18 @@ index db80126..ef7110e 100644
cp->old_state = cp->state;
/*
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
-index c47444e..b0961c6 100644
+index c47444e..e9a86e6 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
+@@ -883,7 +883,7 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
+ iph->daddr = cp->daddr.ip;
+ iph->saddr = saddr;
+ iph->ttl = old_iph->ttl;
+- ip_select_ident(skb, &rt->dst, NULL);
++ ip_select_ident(skb, NULL);
+
+ /* Another hack: avoid icmp_send in ip_fragment */
+ skb->local_df = 1;
@@ -1102,7 +1102,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
else
rc = NF_ACCEPT;
@@ -109422,10 +110017,10 @@ index 0000000..39d7cc7
+}
diff --git a/tools/gcc/randomize_layout_plugin.c b/tools/gcc/randomize_layout_plugin.c
new file mode 100644
-index 0000000..8dafb22
+index 0000000..a5cb46b
--- /dev/null
+++ b/tools/gcc/randomize_layout_plugin.c
-@@ -0,0 +1,910 @@
+@@ -0,0 +1,915 @@
+/*
+ * Copyright 2014 by Open Source Security, Inc., Brad Spengler <spender@grsecurity.net>
+ * and PaX Team <pageexec@freemail.hu>
@@ -109744,6 +110339,11 @@ index 0000000..8dafb22
+ lookup_attribute("no_randomize_layout", TYPE_ATTRIBUTES(TYPE_MAIN_VARIANT(type))))
+ return 0;
+
++ /* Workaround for 3rd-party VirtualBox source that we can't modify ourselves */
++ if (!strcmp((const char *)ORIG_TYPE_NAME(type), "INTNETTRUNKFACTORY") ||
++ !strcmp((const char *)ORIG_TYPE_NAME(type), "RAWPCIFACTORY"))
++ return 0;
++
+ /* throw out any structs in uapi */
+ xloc = expand_location(DECL_SOURCE_LOCATION(TYPE_FIELDS(type)));
+
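Review bot: The new exemption is keyed on the bare type name, so any struct called `INTNETTRUNKFACTORY` or `RAWPCIFACTORY` in any translation unit loses layout randomization, not only the VirtualBox ones the comment refers to. That is probably acceptable for an out-of-tree workaround, but the comment should say so, e.g. `/* matched by name only: every struct with these names is left unrandomized */`. The check also assumes `ORIG_TYPE_NAME(type)` never yields NULL for an unnamed struct; the macro is defined outside the hunk, so confirm that before relying on `strcmp` here. The enclosing function starts and ends outside the hunk.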
@@ -121228,10 +121828,10 @@ index 0000000..0888f6c
+
diff --git a/tools/gcc/stackleak_plugin.c b/tools/gcc/stackleak_plugin.c
new file mode 100644
-index 0000000..dd94983
+index 0000000..924652b
--- /dev/null
+++ b/tools/gcc/stackleak_plugin.c
-@@ -0,0 +1,376 @@
+@@ -0,0 +1,395 @@
+/*
+ * Copyright 2011-2014 by the PaX Team <pageexec@freemail.hu>
+ * Licensed under the GPL v2
@@ -121263,7 +121863,7 @@ index 0000000..dd94983
+static bool init_locals;
+
+static struct plugin_info stackleak_plugin_info = {
-+ .version = "201402131920",
++ .version = "201408011900",
+ .help = "track-lowest-sp=nn\ttrack sp in functions whose frame size is at least nn bytes\n"
+// "initialize-locals\t\tforcibly initialize all stack frames\n"
+};
@@ -121409,6 +122009,25 @@ index 0000000..dd94983
+
+static bool gate_stackleak_track_stack(void)
+{
++ tree section;
++
++ if (ix86_cmodel != CM_KERNEL)
++ return false;
++
++ section = lookup_attribute("section", DECL_ATTRIBUTES(current_function_decl));
++ if (section && TREE_VALUE(section)) {
++ section = TREE_VALUE(TREE_VALUE(section));
++
++ if (!strncmp(TREE_STRING_POINTER(section), ".init.text", 10))
++ return false;
++ if (!strncmp(TREE_STRING_POINTER(section), ".devinit.text", 13))
++ return false;
++ if (!strncmp(TREE_STRING_POINTER(section), ".cpuinit.text", 13))
++ return false;
++ if (!strncmp(TREE_STRING_POINTER(section), ".meminit.text", 13))
++ return false;
++ }
++
+ return track_frame_size >= 0;
+}
+
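Review bot: `gate_stackleak_track_stack` now returns false whenever `ix86_cmodel != CM_KERNEL`, and as far as I know that model is only selected by `-mcmodel=kernel` on 64-bit builds, so a 32-bit kernel build would have the tracking pass switched off entirely. If that is intended, a comment such as `/* only instrument objects built with -mcmodel=kernel */` should say so; otherwise the test needs a 32-bit case. The section checks pass hand-counted lengths (`10`, `13`) to `strncmp`; a small helper that takes the literal and uses `sizeof(lit) - 1` would remove the chance of a miscount. Because these are prefix matches, a section named `.init.text.anything` is skipped too, which is worth stating in the same comment.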
diff --git a/3.15.7/4425_grsec_remove_EI_PAX.patch b/3.15.8/4425_grsec_remove_EI_PAX.patch
index fc51f79..fc51f79 100644
--- a/3.15.7/4425_grsec_remove_EI_PAX.patch
+++ b/3.15.8/4425_grsec_remove_EI_PAX.patch
diff --git a/3.15.7/4427_force_XATTR_PAX_tmpfs.patch b/3.15.8/4427_force_XATTR_PAX_tmpfs.patch
index bbcef41..bbcef41 100644
--- a/3.15.7/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.15.8/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.15.7/4430_grsec-remove-localversion-grsec.patch b/3.15.8/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.15.7/4430_grsec-remove-localversion-grsec.patch
+++ b/3.15.8/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.15.7/4435_grsec-mute-warnings.patch b/3.15.8/4435_grsec-mute-warnings.patch
index 41d43d5..41d43d5 100644
--- a/3.15.7/4435_grsec-mute-warnings.patch
+++ b/3.15.8/4435_grsec-mute-warnings.patch
diff --git a/3.15.7/4440_grsec-remove-protected-paths.patch b/3.15.8/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/3.15.7/4440_grsec-remove-protected-paths.patch
+++ b/3.15.8/4440_grsec-remove-protected-paths.patch
diff --git a/3.15.7/4450_grsec-kconfig-default-gids.patch b/3.15.8/4450_grsec-kconfig-default-gids.patch
index af218a8..af218a8 100644
--- a/3.15.7/4450_grsec-kconfig-default-gids.patch
+++ b/3.15.8/4450_grsec-kconfig-default-gids.patch
diff --git a/3.15.7/4465_selinux-avc_audit-log-curr_ip.patch b/3.15.8/4465_selinux-avc_audit-log-curr_ip.patch
index fb528d0..fb528d0 100644
--- a/3.15.7/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.15.8/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.15.7/4470_disable-compat_vdso.patch b/3.15.8/4470_disable-compat_vdso.patch
index 7852848..7852848 100644
--- a/3.15.7/4470_disable-compat_vdso.patch
+++ b/3.15.8/4470_disable-compat_vdso.patch
diff --git a/3.15.7/4475_emutramp_default_on.patch b/3.15.8/4475_emutramp_default_on.patch
index cf88fd9..cf88fd9 100644
--- a/3.15.7/4475_emutramp_default_on.patch
+++ b/3.15.8/4475_emutramp_default_on.patch
diff --git a/3.2.61/0000_README b/3.2.61/0000_README
index d8b2bdd..c3587c8 100644
--- a/3.2.61/0000_README
+++ b/3.2.61/0000_README
@@ -162,7 +162,7 @@ Patch: 1060_linux-3.2.61.patch
From: http://www.kernel.org
Desc: Linux 3.2.61
-Patch: 4420_grsecurity-3.0-3.2.61-201407280723.patch
+Patch: 4420_grsecurity-3.0-3.2.61-201408032011.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.61/4420_grsecurity-3.0-3.2.61-201407280723.patch b/3.2.61/4420_grsecurity-3.0-3.2.61-201408032011.patch
index d3add23..d00d89e 100644
--- a/3.2.61/4420_grsecurity-3.0-3.2.61-201407280723.patch
+++ b/3.2.61/4420_grsecurity-3.0-3.2.61-201408032011.patch
@@ -7410,7 +7410,7 @@ index fa57532..e1a4c53 100644
/*
diff --git a/arch/sparc/include/asm/thread_info_64.h b/arch/sparc/include/asm/thread_info_64.h
-index 60d86be..6389ac8 100644
+index 60d86be..ef93645 100644
--- a/arch/sparc/include/asm/thread_info_64.h
+++ b/arch/sparc/include/asm/thread_info_64.h
@@ -63,6 +63,8 @@ struct thread_info {
@@ -7422,7 +7422,25 @@ index 60d86be..6389ac8 100644
unsigned long fpregs[0] __attribute__ ((aligned(64)));
};
-@@ -214,10 +216,11 @@ register struct thread_info *current_thread_info_reg asm("g6");
+@@ -104,13 +106,15 @@ struct thread_info {
+ #define FAULT_CODE_BLKCOMMIT 0x10 /* Use blk-commit ASI in copy_page */
+
+ #if PAGE_SHIFT == 13
+-#define THREAD_SIZE (2*PAGE_SIZE)
++#define THREAD_ORDER 1
+ #define THREAD_SHIFT (PAGE_SHIFT + 1)
+ #else /* PAGE_SHIFT == 13 */
+-#define THREAD_SIZE PAGE_SIZE
++#define THREAD_ORDER 0
+ #define THREAD_SHIFT PAGE_SHIFT
+ #endif /* PAGE_SHIFT == 13 */
+
++#define THREAD_SIZE (PAGE_SIZE << THREAD_ORDER)
++
+ #define PREEMPT_ACTIVE 0x10000000
+
+ /*
+@@ -214,10 +218,11 @@ register struct thread_info *current_thread_info_reg asm("g6");
#define TIF_UNALIGNED 5 /* allowed to do unaligned accesses */
/* flag bit 6 is available */
#define TIF_32BIT 7 /* 32-bit binary */
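Review bot: `THREAD_SIZE` is now derived from `THREAD_ORDER`, but `THREAD_SHIFT` is still spelled out separately in each branch of the `#if PAGE_SHIFT == 13`, so the related constants can drift apart. Deriving it as well, with a single `#define THREAD_SHIFT (PAGE_SHIFT + THREAD_ORDER)` after the `#endif`, leaves `THREAD_ORDER` as the only per-configuration value.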
@@ -7435,7 +7453,7 @@ index 60d86be..6389ac8 100644
/* NOTE: Thread flags >= 12 should be ones we have no interest
* in using in assembly, else we can't use the mask as
* an immediate value in instructions such as andcc.
-@@ -238,12 +241,18 @@ register struct thread_info *current_thread_info_reg asm("g6");
+@@ -238,12 +243,18 @@ register struct thread_info *current_thread_info_reg asm("g6");
#define _TIF_SYSCALL_TRACEPOINT (1<<TIF_SYSCALL_TRACEPOINT)
#define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG)
#define _TIF_FREEZE (1<<TIF_FREEZE)
@@ -18393,7 +18411,7 @@ index cd28a35..c72ed9a 100644
#include <asm/processor.h>
#include <asm/fcntl.h>
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
-index db090f6..f8ec76c 100644
+index db090f6..2886e27 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -180,13 +180,153 @@
@@ -18659,7 +18677,7 @@ index db090f6..f8ec76c 100644
movl %ebp,PT_EBP(%esp)
.section __ex_table,"a"
.align 4
-@@ -423,6 +591,10 @@ sysenter_past_esp:
+@@ -423,14 +591,18 @@ sysenter_past_esp:
GET_THREAD_INFO(%ebp)
@@ -18670,6 +18688,15 @@ index db090f6..f8ec76c 100644
testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%ebp)
jnz sysenter_audit
sysenter_do_call:
+ cmpl $(nr_syscalls), %eax
+ jae sysenter_badsys
+ call *sys_call_table(,%eax,4)
+- movl %eax,PT_EAX(%esp)
+ sysenter_after_call:
++ movl %eax,PT_EAX(%esp)
+ LOCKDEP_SYS_EXIT
+ DISABLE_INTERRUPTS(CLBR_ANY)
+ TRACE_IRQS_OFF
@@ -438,12 +610,24 @@ sysenter_after_call:
testl $_TIF_ALLWORK_MASK, %ecx
jne sysexit_audit
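Review bot: Nothing at `sysenter_after_call` records that the label now has to sit directly above `movl %eax,PT_EAX(%esp)`: `sysenter_badsys` loads `-ENOSYS` into `%eax` and jumps here, so its return value is only stored because that instruction comes first. A comment on the label, e.g. `# also entered from sysenter_badsys with -ENOSYS in %eax; the PT_EAX store must stay first`, would stop a later reorder from silently dropping the error code. The new `syscall_after_call` label in `system_call` and the rewritten `syscall_badsys` stub in the later hunks rely on the same thing and deserve the same comment.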
@@ -18737,7 +18764,15 @@ index db090f6..f8ec76c 100644
# system call tracing in operation / emulation
testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%ebp)
jnz syscall_trace_entry
-@@ -523,6 +721,15 @@ syscall_exit:
+@@ -512,6 +710,7 @@ ENTRY(system_call)
+ jae syscall_badsys
+ syscall_call:
+ call *sys_call_table(,%eax,4)
++syscall_after_call:
+ movl %eax,PT_EAX(%esp) # store the return value
+ syscall_exit:
+ LOCKDEP_SYS_EXIT
+@@ -523,6 +722,15 @@ syscall_exit:
testl $_TIF_ALLWORK_MASK, %ecx # current->work
jne syscall_exit_work
@@ -18753,7 +18788,7 @@ index db090f6..f8ec76c 100644
restore_all:
TRACE_IRQS_IRET
restore_all_notrace:
-@@ -582,14 +789,34 @@ ldt_ss:
+@@ -582,14 +790,34 @@ ldt_ss:
* compensating for the offset by changing to the ESPFIX segment with
* a base address that matches for the difference.
*/
@@ -18791,7 +18826,7 @@ index db090f6..f8ec76c 100644
pushl_cfi $__ESPFIX_SS
pushl_cfi %eax /* new kernel esp */
/* Disable interrupts, but do not irqtrace this section: we
-@@ -618,34 +845,28 @@ work_resched:
+@@ -618,34 +846,28 @@ work_resched:
movl TI_flags(%ebp), %ecx
andl $_TIF_WORK_MASK, %ecx # is there any work to be done other
# than syscall tracing?
@@ -18831,7 +18866,7 @@ index db090f6..f8ec76c 100644
# perform syscall exit tracing
ALIGN
-@@ -653,11 +874,14 @@ syscall_trace_entry:
+@@ -653,11 +875,14 @@ syscall_trace_entry:
movl $-ENOSYS,PT_EAX(%esp)
movl %esp, %eax
call syscall_trace_enter
@@ -18847,7 +18882,7 @@ index db090f6..f8ec76c 100644
# perform syscall exit tracing
ALIGN
-@@ -670,25 +894,29 @@ syscall_exit_work:
+@@ -670,25 +895,29 @@ syscall_exit_work:
movl %esp, %eax
call syscall_trace_leave
jmp resume_userspace
@@ -18868,20 +18903,23 @@ index db090f6..f8ec76c 100644
+ENDPROC(syscall_fault)
syscall_badsys:
- movl $-ENOSYS,PT_EAX(%esp)
- jmp syscall_exit
+- movl $-ENOSYS,PT_EAX(%esp)
+- jmp syscall_exit
-END(syscall_badsys)
++ movl $-ENOSYS,%eax
++ jmp syscall_after_call
+ENDPROC(syscall_badsys)
sysenter_badsys:
- movl $-ENOSYS,PT_EAX(%esp)
+- movl $-ENOSYS,PT_EAX(%esp)
++ movl $-ENOSYS,%eax
jmp sysenter_after_call
-END(syscall_badsys)
+ENDPROC(sysenter_badsys)
CFI_ENDPROC
/*
* End of kprobes section
-@@ -762,6 +990,36 @@ ptregs_clone:
+@@ -762,6 +991,36 @@ ptregs_clone:
CFI_ENDPROC
ENDPROC(ptregs_clone)
@@ -18918,7 +18956,7 @@ index db090f6..f8ec76c 100644
.macro FIXUP_ESPFIX_STACK
/*
* Switch back for ESPFIX stack to the normal zerobased stack
-@@ -771,8 +1029,15 @@ ENDPROC(ptregs_clone)
+@@ -771,8 +1030,15 @@ ENDPROC(ptregs_clone)
* normal stack and adjusts ESP with the matching offset.
*/
/* fixup the stack */
@@ -18936,7 +18974,7 @@ index db090f6..f8ec76c 100644
shl $16, %eax
addl %esp, %eax /* the adjusted stack pointer */
pushl_cfi $__KERNEL_DS
-@@ -825,7 +1090,7 @@ vector=vector+1
+@@ -825,7 +1091,7 @@ vector=vector+1
.endr
2: jmp common_interrupt
.endr
@@ -18945,7 +18983,7 @@ index db090f6..f8ec76c 100644
.previous
END(interrupt)
-@@ -873,7 +1138,7 @@ ENTRY(coprocessor_error)
+@@ -873,7 +1139,7 @@ ENTRY(coprocessor_error)
pushl_cfi $do_coprocessor_error
jmp error_code
CFI_ENDPROC
@@ -18954,7 +18992,7 @@ index db090f6..f8ec76c 100644
ENTRY(simd_coprocessor_error)
RING0_INT_FRAME
-@@ -894,7 +1159,7 @@ ENTRY(simd_coprocessor_error)
+@@ -894,7 +1160,7 @@ ENTRY(simd_coprocessor_error)
#endif
jmp error_code
CFI_ENDPROC
@@ -18963,7 +19001,7 @@ index db090f6..f8ec76c 100644
ENTRY(device_not_available)
RING0_INT_FRAME
-@@ -902,7 +1167,7 @@ ENTRY(device_not_available)
+@@ -902,7 +1168,7 @@ ENTRY(device_not_available)
pushl_cfi $do_device_not_available
jmp error_code
CFI_ENDPROC
@@ -18972,7 +19010,7 @@ index db090f6..f8ec76c 100644
#ifdef CONFIG_PARAVIRT
ENTRY(native_iret)
-@@ -911,12 +1176,12 @@ ENTRY(native_iret)
+@@ -911,12 +1177,12 @@ ENTRY(native_iret)
.align 4
.long native_iret, iret_exc
.previous
@@ -18987,7 +19025,7 @@ index db090f6..f8ec76c 100644
#endif
ENTRY(overflow)
-@@ -925,7 +1190,7 @@ ENTRY(overflow)
+@@ -925,7 +1191,7 @@ ENTRY(overflow)
pushl_cfi $do_overflow
jmp error_code
CFI_ENDPROC
@@ -18996,7 +19034,7 @@ index db090f6..f8ec76c 100644
ENTRY(bounds)
RING0_INT_FRAME
-@@ -933,7 +1198,7 @@ ENTRY(bounds)
+@@ -933,7 +1199,7 @@ ENTRY(bounds)
pushl_cfi $do_bounds
jmp error_code
CFI_ENDPROC
@@ -19005,7 +19043,7 @@ index db090f6..f8ec76c 100644
ENTRY(invalid_op)
RING0_INT_FRAME
-@@ -941,7 +1206,7 @@ ENTRY(invalid_op)
+@@ -941,7 +1207,7 @@ ENTRY(invalid_op)
pushl_cfi $do_invalid_op
jmp error_code
CFI_ENDPROC
@@ -19014,7 +19052,7 @@ index db090f6..f8ec76c 100644
ENTRY(coprocessor_segment_overrun)
RING0_INT_FRAME
-@@ -949,35 +1214,35 @@ ENTRY(coprocessor_segment_overrun)
+@@ -949,35 +1215,35 @@ ENTRY(coprocessor_segment_overrun)
pushl_cfi $do_coprocessor_segment_overrun
jmp error_code
CFI_ENDPROC
@@ -19055,7 +19093,7 @@ index db090f6..f8ec76c 100644
ENTRY(divide_error)
RING0_INT_FRAME
-@@ -985,7 +1250,7 @@ ENTRY(divide_error)
+@@ -985,7 +1251,7 @@ ENTRY(divide_error)
pushl_cfi $do_divide_error
jmp error_code
CFI_ENDPROC
@@ -19064,7 +19102,7 @@ index db090f6..f8ec76c 100644
#ifdef CONFIG_X86_MCE
ENTRY(machine_check)
-@@ -994,7 +1259,7 @@ ENTRY(machine_check)
+@@ -994,7 +1260,7 @@ ENTRY(machine_check)
pushl_cfi machine_check_vector
jmp error_code
CFI_ENDPROC
@@ -19073,7 +19111,7 @@ index db090f6..f8ec76c 100644
#endif
ENTRY(spurious_interrupt_bug)
-@@ -1003,7 +1268,7 @@ ENTRY(spurious_interrupt_bug)
+@@ -1003,7 +1269,7 @@ ENTRY(spurious_interrupt_bug)
pushl_cfi $do_spurious_interrupt_bug
jmp error_code
CFI_ENDPROC
@@ -19082,7 +19120,7 @@ index db090f6..f8ec76c 100644
/*
* End of kprobes section
*/
-@@ -1119,7 +1384,7 @@ BUILD_INTERRUPT3(xen_hvm_callback_vector, XEN_HVM_EVTCHN_CALLBACK,
+@@ -1119,7 +1385,7 @@ BUILD_INTERRUPT3(xen_hvm_callback_vector, XEN_HVM_EVTCHN_CALLBACK,
ENTRY(mcount)
ret
@@ -19091,7 +19129,7 @@ index db090f6..f8ec76c 100644
ENTRY(ftrace_caller)
cmpl $0, function_trace_stop
-@@ -1148,7 +1413,7 @@ ftrace_graph_call:
+@@ -1148,7 +1414,7 @@ ftrace_graph_call:
.globl ftrace_stub
ftrace_stub:
ret
@@ -19100,7 +19138,7 @@ index db090f6..f8ec76c 100644
#else /* ! CONFIG_DYNAMIC_FTRACE */
-@@ -1184,7 +1449,7 @@ trace:
+@@ -1184,7 +1450,7 @@ trace:
popl %ecx
popl %eax
jmp ftrace_stub
@@ -19109,7 +19147,7 @@ index db090f6..f8ec76c 100644
#endif /* CONFIG_DYNAMIC_FTRACE */
#endif /* CONFIG_FUNCTION_TRACER */
-@@ -1205,7 +1470,7 @@ ENTRY(ftrace_graph_caller)
+@@ -1205,7 +1471,7 @@ ENTRY(ftrace_graph_caller)
popl %ecx
popl %eax
ret
@@ -19118,7 +19156,7 @@ index db090f6..f8ec76c 100644
.globl return_to_handler
return_to_handler:
-@@ -1219,7 +1484,6 @@ return_to_handler:
+@@ -1219,7 +1485,6 @@ return_to_handler:
jmp *%ecx
#endif
@@ -19126,7 +19164,7 @@ index db090f6..f8ec76c 100644
#include "syscall_table_32.S"
syscall_table_size=(.-sys_call_table)
-@@ -1265,15 +1529,18 @@ error_code:
+@@ -1265,15 +1530,18 @@ error_code:
movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
REG_TO_PTGS %ecx
SET_KERNEL_GS %ecx
@@ -19147,7 +19185,7 @@ index db090f6..f8ec76c 100644
/*
* Debug traps and NMI can happen at the one SYSENTER instruction
-@@ -1315,7 +1582,7 @@ debug_stack_correct:
+@@ -1315,7 +1583,7 @@ debug_stack_correct:
call do_debug
jmp ret_from_exception
CFI_ENDPROC
@@ -19156,7 +19194,7 @@ index db090f6..f8ec76c 100644
/*
* NMI is doubly nasty. It can happen _while_ we're handling
-@@ -1352,6 +1619,9 @@ nmi_stack_correct:
+@@ -1352,6 +1620,9 @@ nmi_stack_correct:
xorl %edx,%edx # zero error code
movl %esp,%eax # pt_regs pointer
call do_nmi
@@ -19166,7 +19204,7 @@ index db090f6..f8ec76c 100644
jmp restore_all_notrace
CFI_ENDPROC
-@@ -1388,12 +1658,15 @@ nmi_espfix_stack:
+@@ -1388,12 +1659,15 @@ nmi_espfix_stack:
FIXUP_ESPFIX_STACK # %eax == %esp
xorl %edx,%edx # zero error code
call do_nmi
@@ -19183,7 +19221,7 @@ index db090f6..f8ec76c 100644
ENTRY(int3)
RING0_INT_FRAME
-@@ -1405,14 +1678,14 @@ ENTRY(int3)
+@@ -1405,14 +1679,14 @@ ENTRY(int3)
call do_int3
jmp ret_from_exception
CFI_ENDPROC
@@ -19200,7 +19238,7 @@ index db090f6..f8ec76c 100644
#ifdef CONFIG_KVM_GUEST
ENTRY(async_page_fault)
-@@ -1420,7 +1693,7 @@ ENTRY(async_page_fault)
+@@ -1420,7 +1694,7 @@ ENTRY(async_page_fault)
pushl_cfi $do_async_page_fault
jmp error_code
CFI_ENDPROC
@@ -20283,7 +20321,7 @@ index 3bb0850..55a56f4 100644
#ifdef CONFIG_BLK_DEV_INITRD
/* Reserve INITRD */
diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S
-index ce0be7c..1252d68 100644
+index ce0be7c..a61dc21 100644
--- a/arch/x86/kernel/head_32.S
+++ b/arch/x86/kernel/head_32.S
@@ -25,6 +25,12 @@
@@ -20712,7 +20750,7 @@ index ce0be7c..1252d68 100644
+ .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
+ .quad 0x004093000000ffff /* 0xc8 APM DS data */
+
-+ .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
++ .quad 0x00c093000000ffff /* 0xd0 - ESPFIX SS */
+ .quad 0x0040930000000000 /* 0xd8 - PERCPU */
+ .quad 0x0040910000000017 /* 0xe0 - STACK_CANARY */
+ .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
@@ -32236,6 +32274,26 @@ index 9e76a32..a220c64 100644
if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
goto error;
+diff --git a/crypto/af_alg.c b/crypto/af_alg.c
+index ac33d5f..bf948e1 100644
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -21,6 +21,7 @@
+ #include <linux/module.h>
+ #include <linux/net.h>
+ #include <linux/rwsem.h>
++#include <linux/security.h>
+
+ struct alg_type_list {
+ const struct af_alg_type *type;
+@@ -243,6 +244,7 @@ int af_alg_accept(struct sock *sk, struct socket *newsock)
+
+ sock_init_data(newsock, sk2);
+ sock_graft(sk2, newsock);
++ security_sk_clone(sk, sk2);
+
+ err = type->accept(ask->private, sk2);
+ if (err) {
diff --git a/crypto/api.c b/crypto/api.c
index cea3cf6..86a0f6f 100644
--- a/crypto/api.c
@@ -47525,10 +47583,25 @@ index 831db24..aef1598 100644
/* check if the device is still usable */
if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
-index cd4ac38..796597d 100644
+index cd4ac38..89011d6 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
-@@ -1427,7 +1427,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q)
+@@ -793,6 +793,14 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes)
+ scsi_next_command(cmd);
+ return;
+ }
++ } else if (blk_rq_bytes(req) == 0 && result && !sense_deferred) {
++ /*
++ * Certain non BLOCK_PC requests are commands that don't
++ * actually transfer anything (FLUSH), so cannot use
++ * good_bytes != blk_rq_bytes(req) as the signal for an error.
++ * This sets the error explicitly for the problem case.
++ */
++ error = __scsi_error_from_host_byte(cmd, result);
+ }
+
+ /* no bidi support for !REQ_TYPE_BLOCK_PC yet */
+@@ -1427,7 +1435,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q)
shost = sdev->host;
scsi_init_cmd_errh(cmd);
cmd->result = DID_NO_CONNECT << 16;
@@ -47537,7 +47610,7 @@ index cd4ac38..796597d 100644
/*
* SCSI request completion path will do scsi_device_unbusy(),
-@@ -1453,9 +1453,9 @@ static void scsi_softirq_done(struct request *rq)
+@@ -1453,9 +1461,9 @@ static void scsi_softirq_done(struct request *rq)
INIT_LIST_HEAD(&cmd->eh_entry);
@@ -70659,7 +70732,7 @@ index 0000000..25f54ef
+};
diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c
new file mode 100644
-index 0000000..b4a4084
+index 0000000..3768798
--- /dev/null
+++ b/grsecurity/gracl_policy.c
@@ -0,0 +1,1781 @@
@@ -70717,9 +70790,9 @@ index 0000000..b4a4084
+extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
+extern void gr_clear_learn_entries(void);
+
-+static struct gr_arg gr_usermode;
-+static unsigned char gr_system_salt[GR_SALT_LEN];
-+static unsigned char gr_system_sum[GR_SHA_LEN];
++struct gr_arg *gr_usermode __read_only;
++unsigned char *gr_system_salt __read_only;
++unsigned char *gr_system_sum __read_only;
+
+static unsigned int gr_auth_attempts = 0;
+static unsigned long gr_auth_expires = 0UL;
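Review bot: `gr_usermode`, `gr_system_salt` and `gr_system_sum` become bare pointers here, and none of the visible hunks shows where they are allocated or that they are non-NULL before they are written through. The writes are `copy_gr_arg`, the `memcpy` calls that store the salt and sum, and the `memset` calls on shutdown. Please document this at the declarations, e.g. `/* allocated once at boot in <allocation site>; GR_SALT_LEN and GR_SHA_LEN bytes; only the pointers are __read_only */`. Dropping `static` also gives the three symbols external linkage. Any `sizeof(gr_system_salt)`-style expression left elsewhere in the file would now yield the pointer size; the visible call sites were converted to `GR_SALT_LEN`, `GR_SHA_LEN` and `sizeof(struct gr_arg)`, but the rest of the file should be checked.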
@@ -71961,8 +72034,8 @@ index 0000000..b4a4084
+{
+ int error = 0;
+
-+ memcpy(&gr_system_salt, args->salt, sizeof(gr_system_salt));
-+ memcpy(&gr_system_sum, args->sum, sizeof(gr_system_sum));
++ memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
++ memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
+
+ if (init_variables(args, false)) {
+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
@@ -72189,11 +72262,11 @@ index 0000000..b4a4084
+ if (error)
+ goto out;
+
-+ error = copy_gr_arg(uwrap.arg, &gr_usermode);
++ error = copy_gr_arg(uwrap.arg, gr_usermode);
+ if (error)
+ goto out;
+
-+ if (gr_usermode.mode != GR_SPROLE && gr_usermode.mode != GR_SPROLEPAM &&
++ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
+ gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
+ time_after(gr_auth_expires, get_seconds())) {
+ error = -EBUSY;
@@ -72205,8 +72278,8 @@ index 0000000..b4a4084
+ locking
+ */
+
-+ if (gr_usermode.mode != GR_SPROLE && gr_usermode.mode != GR_STATUS &&
-+ gr_usermode.mode != GR_UNSPROLE && gr_usermode.mode != GR_SPROLEPAM &&
++ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
++ gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
+ current_uid()) {
+ error = -EPERM;
+ goto out;
@@ -72214,15 +72287,15 @@ index 0000000..b4a4084
+
+ /* ensure pw and special role name are null terminated */
+
-+ gr_usermode.pw[GR_PW_LEN - 1] = '\0';
-+ gr_usermode.sp_role[GR_SPROLE_LEN - 1] = '\0';
++ gr_usermode->pw[GR_PW_LEN - 1] = '\0';
++ gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
+
+ /* Okay.
+ * We have our enough of the argument structure..(we have yet
+ * to copy_from_user the tables themselves) . Copy the tables
+ * only if we need them, i.e. for loading operations. */
+
-+ switch (gr_usermode.mode) {
++ switch (gr_usermode->mode) {
+ case GR_STATUS:
+ if (gr_acl_is_enabled()) {
+ error = 1;
@@ -72232,12 +72305,12 @@ index 0000000..b4a4084
+ error = 2;
+ goto out;
+ case GR_SHUTDOWN:
-+ if (gr_acl_is_enabled() && !(chkpw(&gr_usermode, (unsigned char *)&gr_system_salt, (unsigned char *)&gr_system_sum))) {
++ if (gr_acl_is_enabled() && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
+ stop_machine(gr_rbac_disable, NULL, NULL);
+ free_variables(false);
-+ memset(&gr_usermode, 0, sizeof(gr_usermode));
-+ memset(&gr_system_salt, 0, sizeof(gr_system_salt));
-+ memset(&gr_system_sum, 0, sizeof(gr_system_sum));
++ memset(gr_usermode, 0, sizeof(struct gr_arg));
++ memset(gr_system_salt, 0, GR_SALT_LEN);
++ memset(gr_system_sum, 0, GR_SHA_LEN);
+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
+ } else if (gr_acl_is_enabled()) {
+ gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
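Review bot: The clearing code in the GR_SHUTDOWN branch now spells the object size by type name, which can drift from the object if the pointer's type ever changes. `memset(gr_usermode, 0, sizeof(*gr_usermode));` keeps the length tied to what the pointer refers to. The salt and sum buffers have no type to take sizeof from, so their lengths must stay in step with the kmalloc() calls in grsec_init.c by hand; a short comment next to either site would say so.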
@@ -72248,7 +72321,7 @@ index 0000000..b4a4084
+ }
+ break;
+ case GR_ENABLE:
-+ if (!gr_acl_is_enabled() && !(error2 = gracl_init(&gr_usermode)))
++ if (!gr_acl_is_enabled() && !(error2 = gracl_init(gr_usermode)))
+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
+ else {
+ if (gr_acl_is_enabled())
@@ -72264,8 +72337,8 @@ index 0000000..b4a4084
+ if (!gr_acl_is_enabled()) {
+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
+ error = -EAGAIN;
-+ } else if (!(chkpw(&gr_usermode, (unsigned char *)&gr_system_salt, (unsigned char *)&gr_system_sum))) {
-+ error2 = gracl_reload(&gr_usermode, oldmode);
++ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
++ error2 = gracl_reload(gr_usermode, oldmode);
+ if (!error2)
+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
+ else {
@@ -72284,20 +72357,20 @@ index 0000000..b4a4084
+ break;
+ }
+
-+ if (!(chkpw(&gr_usermode, (unsigned char *)&gr_system_salt, (unsigned char *)&gr_system_sum))) {
++ if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
-+ if (gr_usermode.segv_device && gr_usermode.segv_inode) {
++ if (gr_usermode->segv_device && gr_usermode->segv_inode) {
+ struct acl_subject_label *segvacl;
+ segvacl =
-+ lookup_acl_subj_label(gr_usermode.segv_inode,
-+ gr_usermode.segv_device,
++ lookup_acl_subj_label(gr_usermode->segv_inode,
++ gr_usermode->segv_device,
+ current->role);
+ if (segvacl) {
+ segvacl->crashes = 0;
+ segvacl->expires = 0;
+ }
-+ } else if (gr_find_uid(gr_usermode.segv_uid) >= 0) {
-+ gr_remove_uid(gr_usermode.segv_uid);
++ } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
++ gr_remove_uid(gr_usermode->segv_uid);
+ }
+ } else {
+ gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
@@ -72324,11 +72397,11 @@ index 0000000..b4a4084
+ }
+
+ if (lookup_special_role_auth
-+ (gr_usermode.mode, gr_usermode.sp_role, &sprole_salt, &sprole_sum)
++ (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
+ && ((!sprole_salt && !sprole_sum)
-+ || !(chkpw(&gr_usermode, sprole_salt, sprole_sum)))) {
++ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
+ char *p = "";
-+ assign_special_role(gr_usermode.sp_role);
++ assign_special_role(gr_usermode->sp_role);
+ read_lock(&tasklist_lock);
+ if (current->real_parent)
+ p = current->real_parent->role->rolename;
@@ -72336,7 +72409,7 @@ index 0000000..b4a4084
+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
+ p, acl_sp_role_value);
+ } else {
-+ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode.sp_role);
++ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
+ error = -EPERM;
+ if(!(current->role->auth_attempts++))
+ current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
@@ -72370,7 +72443,7 @@ index 0000000..b4a4084
+ }
+ break;
+ default:
-+ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode.mode);
++ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
+ error = -EINVAL;
+ break;
+ }
@@ -73953,10 +74026,10 @@ index 0000000..8ca18bf
+}
diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c
new file mode 100644
-index 0000000..7bcfc7a
+index 0000000..a5e1b5c
--- /dev/null
+++ b/grsecurity/grsec_init.c
-@@ -0,0 +1,272 @@
+@@ -0,0 +1,286 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
@@ -74036,6 +74109,10 @@ index 0000000..7bcfc7a
+char *gr_alert_log_buf;
+char *gr_audit_log_buf;
+
++extern struct gr_arg *gr_usermode;
++extern unsigned char *gr_system_salt;
++extern unsigned char *gr_system_sum;
++
+void __init
+grsecurity_init(void)
+{
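Review bot: These three extern declarations sit in grsec_init.c rather than in a header shared with gracl_policy.c, so the compiler never checks them against the definitions. This same commit changes those definitions from arrays to pointers, which is exactly the kind of change a stale extern would silently get wrong. They also omit the `__read_only` annotation the definitions carry. Moving the declarations into a grsecurity header that both files include (which one is not visible here) would close that gap.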
@@ -74076,6 +74153,16 @@ index 0000000..7bcfc7a
+ return;
+ }
+
++ /* allocate memory for authentication structure */
++ gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
++ gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
++ gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
++
++ if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
++ panic("Unable to allocate grsecurity authentication structure");
++ return;
++ }
++
+#ifdef CONFIG_GRKERNSEC_IO
+#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
+ grsec_disable_privio = 1;
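Review bot: kmalloc() leaves the three authentication buffers uninitialised, whereas the static objects they replace started out zeroed. Until gracl_init() copies a real salt and sum in, they hold stale heap contents. `gr_usermode = kzalloc(sizeof(*gr_usermode), GFP_KERNEL);`, and kzalloc for the other two, restores the old starting state at no real cost. The `return;` after panic() can never run and can be dropped. grsecurity_init() begins and ends outside this hunk.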
@@ -76036,10 +76123,10 @@ index 0000000..ae02d8e
+EXPORT_SYMBOL_GPL(gr_handle_new_usb);
diff --git a/grsecurity/grsum.c b/grsecurity/grsum.c
new file mode 100644
-index 0000000..9f7b1ac
+index 0000000..158b330
--- /dev/null
+++ b/grsecurity/grsum.c
-@@ -0,0 +1,61 @@
+@@ -0,0 +1,64 @@
+#include <linux/err.h>
+#include <linux/kernel.h>
+#include <linux/sched.h>
@@ -76056,47 +76143,50 @@ index 0000000..9f7b1ac
+int
+chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
+{
-+ char *p;
+ struct crypto_hash *tfm;
+ struct hash_desc desc;
-+ struct scatterlist sg;
-+ unsigned char temp_sum[GR_SHA_LEN];
-+ volatile int retval = 0;
++ struct scatterlist sg[2];
++ unsigned char temp_sum[GR_SHA_LEN] __attribute__((aligned(__alignof__(unsigned long))));
++ unsigned long *tmpsumptr = (unsigned long *)temp_sum;
++ unsigned long *sumptr = (unsigned long *)sum;
++ int cryptres;
++ int retval = 1;
++ volatile int mismatched = 0;
+ volatile int dummy = 0;
+ unsigned int i;
+
-+ sg_init_table(&sg, 1);
-+
+ tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
+ if (IS_ERR(tfm)) {
+ /* should never happen, since sha256 should be built in */
++ memset(entry->pw, 0, GR_PW_LEN);
+ return 1;
+ }
+
++ sg_init_table(sg, 2);
++ sg_set_buf(&sg[0], salt, GR_SALT_LEN);
++ sg_set_buf(&sg[1], entry->pw, strlen(entry->pw));
++
+ desc.tfm = tfm;
+ desc.flags = 0;
+
-+ crypto_hash_init(&desc);
-+
-+ p = salt;
-+ sg_set_buf(&sg, p, GR_SALT_LEN);
-+ crypto_hash_update(&desc, &sg, sg.length);
-+
-+ p = entry->pw;
-+ sg_set_buf(&sg, p, strlen(p));
-+
-+ crypto_hash_update(&desc, &sg, sg.length);
-+
-+ crypto_hash_final(&desc, temp_sum);
++ cryptres = crypto_hash_digest(&desc, sg, GR_SALT_LEN + strlen(entry->pw),
++ temp_sum);
+
+ memset(entry->pw, 0, GR_PW_LEN);
+
-+ for (i = 0; i < GR_SHA_LEN; i++)
-+ if (sum[i] != temp_sum[i])
-+ retval = 1;
++ if (cryptres)
++ goto out;
++
++ for (i = 0; i < GR_SHA_LEN/sizeof(tmpsumptr[0]); i++)
++ if (sumptr[i] != tmpsumptr[i])
++ mismatched = 1;
+ else
+ dummy = 1; // waste a cycle
+
++ if (!mismatched)
++ retval = dummy - 1;
++
++out:
+ crypto_free_hash(tfm);
+
+ return retval;
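Review bot: The comparison loop in chkpw still takes a branch per word that depends on whether the stored and computed hashes match; the volatile stores keep both arms alive but do not make them indistinguishable. Accumulating the difference avoids the branch: declare `unsigned long diff = 0;`, use `diff |= sumptr[i] ^ tmpsumptr[i];` in the loop and set retval from `diff` afterwards. If this tree provides crypto_memneq(), that could be used instead. Separately, temp_sum is explicitly aligned but `sum` is cast to `unsigned long *` with whatever alignment the caller supplies (sprole_sum in the special-role path), so the word-sized loads rely on the architecture tolerating unaligned access. The function's closing brace is outside the hunk.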
@@ -94242,7 +94332,7 @@ index 51901b1..79af2f4 100644
/* keep elevated page count for bad page */
return ret;
diff --git a/mm/memory.c b/mm/memory.c
-index 483e665..32583a0 100644
+index 483e66505..32583a0 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -462,8 +462,12 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
@@ -99967,7 +100057,7 @@ index ba873c3..3b00036 100644
if (!can_dir) {
printk(KERN_INFO "can: failed to create /proc/net/can . "
diff --git a/net/compat.c b/net/compat.c
-index 41724c9..630f046 100644
+index 41724c9..7cf6606 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -73,9 +73,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
@@ -99983,17 +100073,28 @@ index 41724c9..630f046 100644
return 0;
}
-@@ -87,7 +87,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+@@ -85,21 +85,22 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+ {
+ int tot_len;
- if (kern_msg->msg_namelen) {
+- if (kern_msg->msg_namelen) {
++ if (kern_msg->msg_name && kern_msg->msg_namelen) {
if (mode == VERIFY_READ) {
- int err = move_addr_to_kernel(kern_msg->msg_name,
+ int err = move_addr_to_kernel((void __force_user *)kern_msg->msg_name,
kern_msg->msg_namelen,
kern_address);
if (err < 0)
-@@ -99,7 +99,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+ return err;
+ }
+- if (kern_msg->msg_name)
+- kern_msg->msg_name = kern_address;
+- } else
++ kern_msg->msg_name = kern_address;
++ } else {
kern_msg->msg_name = NULL;
++ kern_msg->msg_namelen = 0;
++ }
tot_len = iov_from_user_compat_to_kern(kern_iov,
- (struct compat_iovec __user *)kern_msg->msg_iov,
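Review bot: The else branch of verify_compat_iovec now resets msg_namelen together with msg_name, but the code does not say why, and the old `if (kern_msg->msg_name)` guard it replaces looked equally innocent. A comment in that branch, for example `/* a NULL name must never travel with a non-zero length */`, would stop a later cleanup from undoing it. The same applies to the matching change in verify_iovec in net/core/iovec.c further down. Both functions continue outside their hunks.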
@@ -100001,7 +100102,7 @@ index 41724c9..630f046 100644
kern_msg->msg_iovlen);
if (tot_len >= 0)
kern_msg->msg_iov = kern_iov;
-@@ -119,20 +119,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+@@ -119,20 +120,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
#define CMSG_COMPAT_FIRSTHDR(msg) \
(((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \
@@ -100025,7 +100126,7 @@ index 41724c9..630f046 100644
msg->msg_controllen)
return NULL;
return (struct compat_cmsghdr __user *)ptr;
-@@ -224,7 +224,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
+@@ -224,7 +225,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
{
struct compat_timeval ctv;
struct compat_timespec cts[3];
@@ -100034,7 +100135,7 @@ index 41724c9..630f046 100644
struct compat_cmsghdr cmhdr;
int cmlen;
-@@ -276,7 +276,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
+@@ -276,7 +277,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
{
@@ -100043,7 +100144,7 @@ index 41724c9..630f046 100644
int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
int fdnum = scm->fp->count;
struct file **fp = scm->fp->fp;
-@@ -329,14 +329,6 @@ void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
+@@ -329,14 +330,6 @@ void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
__scm_destroy(scm);
}
@@ -100058,7 +100159,7 @@ index 41724c9..630f046 100644
static int do_set_attach_filter(struct socket *sock, int level, int optname,
char __user *optval, unsigned int optlen)
{
-@@ -373,7 +365,7 @@ static int do_set_sock_timeout(struct socket *sock, int level,
+@@ -373,7 +366,7 @@ static int do_set_sock_timeout(struct socket *sock, int level,
return -EFAULT;
old_fs = get_fs();
set_fs(KERNEL_DS);
@@ -100067,7 +100168,7 @@ index 41724c9..630f046 100644
set_fs(old_fs);
return err;
-@@ -434,7 +426,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
+@@ -434,7 +427,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
len = sizeof(ktime);
old_fs = get_fs();
set_fs(KERNEL_DS);
@@ -100076,7 +100177,7 @@ index 41724c9..630f046 100644
set_fs(old_fs);
if (!err) {
-@@ -569,7 +561,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
+@@ -569,7 +562,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
case MCAST_JOIN_GROUP:
case MCAST_LEAVE_GROUP:
{
@@ -100085,7 +100186,7 @@ index 41724c9..630f046 100644
struct group_req __user *kgr =
compat_alloc_user_space(sizeof(struct group_req));
u32 interface;
-@@ -590,7 +582,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
+@@ -590,7 +583,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
case MCAST_BLOCK_SOURCE:
case MCAST_UNBLOCK_SOURCE:
{
@@ -100094,7 +100195,7 @@ index 41724c9..630f046 100644
struct group_source_req __user *kgsr = compat_alloc_user_space(
sizeof(struct group_source_req));
u32 interface;
-@@ -611,7 +603,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
+@@ -611,7 +604,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
}
case MCAST_MSFILTER:
{
@@ -100103,7 +100204,7 @@ index 41724c9..630f046 100644
struct group_filter __user *kgf;
u32 interface, fmode, numsrc;
-@@ -649,7 +641,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
+@@ -649,7 +642,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
char __user *optval, int __user *optlen,
int (*getsockopt)(struct sock *, int, int, char __user *, int __user *))
{
@@ -100112,7 +100213,7 @@ index 41724c9..630f046 100644
struct group_filter __user *kgf;
int __user *koptlen;
u32 interface, fmode, numsrc;
-@@ -802,7 +794,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
+@@ -802,7 +795,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
if (call < SYS_SOCKET || call > SYS_SENDMMSG)
return -EINVAL;
@@ -100499,11 +100600,15 @@ index e318c7e..168b1d0 100644
fle->object = flo;
else
diff --git a/net/core/iovec.c b/net/core/iovec.c
-index 139ef93..7afaa2f 100644
+index 139ef93..21a2245 100644
--- a/net/core/iovec.c
+++ b/net/core/iovec.c
-@@ -42,7 +42,7 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address,
- if (m->msg_namelen) {
+@@ -39,23 +39,23 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address,
+ {
+ int size, ct, err;
+
+- if (m->msg_namelen) {
++ if (m->msg_name && m->msg_namelen) {
if (mode == VERIFY_READ) {
void __user *namep;
- namep = (void __user __force *) m->msg_name;
@@ -100511,7 +100616,14 @@ index 139ef93..7afaa2f 100644
err = move_addr_to_kernel(namep, m->msg_namelen,
address);
if (err < 0)
-@@ -55,7 +55,7 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address,
+ return err;
+ }
+- if (m->msg_name)
+- m->msg_name = address;
++ m->msg_name = address;
+ } else {
+ m->msg_name = NULL;
++ m->msg_namelen = 0;
}
size = m->msg_iovlen * sizeof(struct iovec);
@@ -102391,6 +102503,33 @@ index 2e0f0af..e2948bf 100644
if (retransmits_timed_out(sk, retry_until,
syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
/* Has it gone just too far? */
+diff --git a/net/ipv4/tcp_vegas.c b/net/ipv4/tcp_vegas.c
+index 80fa2bf..c042e52 100644
+--- a/net/ipv4/tcp_vegas.c
++++ b/net/ipv4/tcp_vegas.c
+@@ -218,7 +218,8 @@ static void tcp_vegas_cong_avoid(struct sock *sk, u32 ack, u32 in_flight)
+ * This is:
+ * (actual rate in segments) * baseRTT
+ */
+- target_cwnd = tp->snd_cwnd * vegas->baseRTT / rtt;
++ target_cwnd = (u64)tp->snd_cwnd * vegas->baseRTT;
++ do_div(target_cwnd, rtt);
+
+ /* Calculate the difference between the window we had,
+ * and the window we would like to have. This quantity
+diff --git a/net/ipv4/tcp_veno.c b/net/ipv4/tcp_veno.c
+index ac43cd7..b4d1858 100644
+--- a/net/ipv4/tcp_veno.c
++++ b/net/ipv4/tcp_veno.c
+@@ -144,7 +144,7 @@ static void tcp_veno_cong_avoid(struct sock *sk, u32 ack, u32 in_flight)
+
+ rtt = veno->minrtt;
+
+- target_cwnd = (tp->snd_cwnd * veno->basertt);
++ target_cwnd = (u64)tp->snd_cwnd * veno->basertt;
+ target_cwnd <<= V_PARAM_SHIFT;
+ do_div(target_cwnd, rtt);
+
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 8c2e259..076bc5b 100644
--- a/net/ipv4/udp.c
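Review bot: Neither tcp_vegas_cong_avoid nor tcp_veno_cong_avoid records why the multiplication is widened, so the `(u64)` cast reads as removable. A one-line comment above each assignment, such as `/* widen first: snd_cwnd * baseRTT can overflow 32 bits */`, would pin it down. do_div() also needs target_cwnd to be a 64-bit lvalue and rtt to be non-zero. Both are declared or assigned outside these hunks, so that should be confirmed against the full functions.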
@@ -113345,10 +113484,10 @@ index 0000000..39d7cc7
+}
diff --git a/tools/gcc/randomize_layout_plugin.c b/tools/gcc/randomize_layout_plugin.c
new file mode 100644
-index 0000000..8dafb22
+index 0000000..a5cb46b
--- /dev/null
+++ b/tools/gcc/randomize_layout_plugin.c
-@@ -0,0 +1,910 @@
+@@ -0,0 +1,915 @@
+/*
+ * Copyright 2014 by Open Source Security, Inc., Brad Spengler <spender@grsecurity.net>
+ * and PaX Team <pageexec@freemail.hu>
@@ -113667,6 +113806,11 @@ index 0000000..8dafb22
+ lookup_attribute("no_randomize_layout", TYPE_ATTRIBUTES(TYPE_MAIN_VARIANT(type))))
+ return 0;
+
++ /* Workaround for 3rd-party VirtualBox source that we can't modify ourselves */
++ if (!strcmp((const char *)ORIG_TYPE_NAME(type), "INTNETTRUNKFACTORY") ||
++ !strcmp((const char *)ORIG_TYPE_NAME(type), "RAWPCIFACTORY"))
++ return 0;
++
+ /* throw out any structs in uapi */
+ xloc = expand_location(DECL_SOURCE_LOCATION(TYPE_FIELDS(type)));
+
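Review bot: The new exemption matches on the bare struct name, so any struct called INTNETTRUNKFACTORY or RAWPCIFACTORY is left unrandomized wherever it is defined, not only in the VirtualBox sources the comment mentions. The comment should say that, e.g. `/* matched by name only: applies to any struct with these names */`. If more third-party exemptions are expected, keeping the names in one small table would make the unrandomized set easy to audit. The enclosing function starts and ends outside the hunk.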
@@ -124449,10 +124593,10 @@ index 0000000..0888f6c
+
diff --git a/tools/gcc/stackleak_plugin.c b/tools/gcc/stackleak_plugin.c
new file mode 100644
-index 0000000..dd94983
+index 0000000..924652b
--- /dev/null
+++ b/tools/gcc/stackleak_plugin.c
-@@ -0,0 +1,376 @@
+@@ -0,0 +1,395 @@
+/*
+ * Copyright 2011-2014 by the PaX Team <pageexec@freemail.hu>
+ * Licensed under the GPL v2
@@ -124484,7 +124628,7 @@ index 0000000..dd94983
+static bool init_locals;
+
+static struct plugin_info stackleak_plugin_info = {
-+ .version = "201402131920",
++ .version = "201408011900",
+ .help = "track-lowest-sp=nn\ttrack sp in functions whose frame size is at least nn bytes\n"
+// "initialize-locals\t\tforcibly initialize all stack frames\n"
+};
@@ -124630,6 +124774,25 @@ index 0000000..dd94983
+
+static bool gate_stackleak_track_stack(void)
+{
++ tree section;
++
++ if (ix86_cmodel != CM_KERNEL)
++ return false;
++
++ section = lookup_attribute("section", DECL_ATTRIBUTES(current_function_decl));
++ if (section && TREE_VALUE(section)) {
++ section = TREE_VALUE(TREE_VALUE(section));
++
++ if (!strncmp(TREE_STRING_POINTER(section), ".init.text", 10))
++ return false;
++ if (!strncmp(TREE_STRING_POINTER(section), ".devinit.text", 13))
++ return false;
++ if (!strncmp(TREE_STRING_POINTER(section), ".cpuinit.text", 13))
++ return false;
++ if (!strncmp(TREE_STRING_POINTER(section), ".meminit.text", 13))
++ return false;
++ }
++
+ return track_frame_size >= 0;
+}
+
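Review bot: The new `ix86_cmodel != CM_KERNEL` test at the top of gate_stackleak_track_stack looks like it disables the pass for every 32-bit x86 build, since the kernel code model is, as far as I know, a 64-bit-only setting. If 32-bit kernels are still meant to be instrumented, the test should be limited to 64-bit targets, e.g. `if (TARGET_64BIT && ix86_cmodel != CM_KERNEL)`. The section checks also hard-code the prefix lengths 10 and 13; `sizeof(".init.text") - 1` would keep each length tied to its string.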