diff options
| author |   Anthony G. Basile <blueness@gentoo.org> | 2014-07-25 10:35:13 -0400 |
|---|---|---|
| committer | Anthony G. Basile <blueness@gentoo.org> | 2014-07-25 10:35:13 -0400 |
| commit | 64a02f06fb83ec19cb979fabac2117596143adf8 (patch) | |
| tree | 8dbcd46edd0563d910aa1e422f1776d6721e3079 | |
| parent | Grsec/PaX: 3.0-{3.2.60,3.14.12,3.15.5}-201407170639 (diff) | |
| download | hardened-patchset-64a02f06fb83ec19cb979fabac2117596143adf8.tar.gz hardened-patchset-64a02f06fb83ec19cb979fabac2117596143adf8.tar.bz2 hardened-patchset-64a02f06fb83ec19cb979fabac2117596143adf8.zip | |
Grsec/PaX: 3.0-{3.2.60,3.14.13,3.15.6}-201407232200
| -rw-r--r-- | 3.14.13/0000_README (renamed from 3.14.12/0000_README) | 2 | ||||
| -rw-r--r-- | 3.14.13/4420_grsecurity-3.0-3.14.13-201407232159.patch (renamed from 3.14.12/4420_grsecurity-3.0-3.14.12-201407170638.patch) | 432 | ||||
| -rw-r--r-- | 3.14.13/4425_grsec_remove_EI_PAX.patch (renamed from 3.14.12/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
| -rw-r--r-- | 3.14.13/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.14.12/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
| -rw-r--r-- | 3.14.13/4430_grsec-remove-localversion-grsec.patch (renamed from 3.14.12/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
| -rw-r--r-- | 3.14.13/4435_grsec-mute-warnings.patch (renamed from 3.14.12/4435_grsec-mute-warnings.patch) | 0 | ||||
| -rw-r--r-- | 3.14.13/4440_grsec-remove-protected-paths.patch (renamed from 3.14.12/4440_grsec-remove-protected-paths.patch) | 0 | ||||
| -rw-r--r-- | 3.14.13/4450_grsec-kconfig-default-gids.patch (renamed from 3.14.12/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
| -rw-r--r-- | 3.14.13/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.14.12/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
| -rw-r--r-- | 3.14.13/4470_disable-compat_vdso.patch (renamed from 3.14.12/4470_disable-compat_vdso.patch) | 0 | ||||
| -rw-r--r-- | 3.14.13/4475_emutramp_default_on.patch (renamed from 3.14.12/4475_emutramp_default_on.patch) | 0 | ||||
| -rw-r--r-- | 3.15.6/0000_README (renamed from 3.15.5/0000_README) | 2 | ||||
| -rw-r--r-- | 3.15.6/4420_grsecurity-3.0-3.15.6-201407232200.patch (renamed from 3.15.5/4420_grsecurity-3.0-3.15.5-201407170639.patch) | 699 | ||||
| -rw-r--r-- | 3.15.6/4425_grsec_remove_EI_PAX.patch (renamed from 3.15.5/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
| -rw-r--r-- | 3.15.6/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.15.5/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
| -rw-r--r-- | 3.15.6/4430_grsec-remove-localversion-grsec.patch (renamed from 3.15.5/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
| -rw-r--r-- | 3.15.6/4435_grsec-mute-warnings.patch (renamed from 3.15.5/4435_grsec-mute-warnings.patch) | 0 | ||||
| -rw-r--r-- | 3.15.6/4440_grsec-remove-protected-paths.patch (renamed from 3.15.5/4440_grsec-remove-protected-paths.patch) | 0 | ||||
| -rw-r--r-- | 3.15.6/4450_grsec-kconfig-default-gids.patch (renamed from 3.15.5/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
| -rw-r--r-- | 3.15.6/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.15.5/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
| -rw-r--r-- | 3.15.6/4470_disable-compat_vdso.patch (renamed from 3.15.5/4470_disable-compat_vdso.patch) | 0 | ||||
| -rw-r--r-- | 3.15.6/4475_emutramp_default_on.patch (renamed from 3.15.5/4475_emutramp_default_on.patch) | 0 | ||||
| -rw-r--r-- | 3.2.61/0000_README | 2 | ||||
| -rw-r--r-- | 3.2.61/4420_grsecurity-3.0-3.2.61-201407232156.patch (renamed from 3.2.61/4420_grsecurity-3.0-3.2.61-201407170636.patch) | 144 |
24 files changed, 802 insertions, 479 deletions
diff --git a/3.14.12/0000_README b/3.14.13/0000_README index 857c6a1..ed0d890 100644 --- a/3.14.12/0000_README +++ b/3.14.13/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.0-3.14.12-201407170638.patch +Patch: 4420_grsecurity-3.0-3.14.13-201407232159.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.14.12/4420_grsecurity-3.0-3.14.12-201407170638.patch b/3.14.13/4420_grsecurity-3.0-3.14.13-201407232159.patch index 02636ed..81dff0f 100644 --- a/3.14.12/4420_grsecurity-3.0-3.14.12-201407170638.patch +++ b/3.14.13/4420_grsecurity-3.0-3.14.13-201407232159.patch @@ -287,7 +287,7 @@ index 7116fda..d8ed6e8 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index 13d8f32..a7a7b9b 100644 +index 7a2981c..9fadd78 100644 --- a/Makefile +++ b/Makefile @@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -7700,7 +7700,7 @@ index 50dfafc..b9fc230 100644 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n", me->arch.unwind_section, table, end, gp); diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c -index 31ffa9b..588a798 100644 +index e1ffea2..46ed66e 100644 --- a/arch/parisc/kernel/sys_parisc.c +++ b/arch/parisc/kernel/sys_parisc.c @@ -89,6 +89,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, @@ -7960,7 +7960,7 @@ index d72197f..c017c84 100644 /* * If for any reason at all we couldn't handle the fault, make diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig -index 957bf34..3430cc8 100644 +index 2156fa2..cc28613 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -393,6 +393,7 @@ config PPC64_SUPPORTS_MEMORY_FAILURE @@ -33352,19 +33352,21 @@ index 7b179b4..6bd17777 100644 return (void *)vaddr; diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c -index 799580c..72f9fe0 100644 +index 94bd247..7e48391 100644 --- a/arch/x86/mm/ioremap.c +++ b/arch/x86/mm/ioremap.c -@@ -97,7 +97,7 @@ static void __iomem *__ioremap_caller(resource_size_t phys_addr, - for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) { - int is_ram = page_is_ram(pfn); +@@ -56,8 +56,8 @@ static int __ioremap_check_ram(unsigned long start_pfn, unsigned long nr_pages, + unsigned long i; + + for (i = 0; i < nr_pages; ++i) +- if (pfn_valid(start_pfn + i) && +- !PageReserved(pfn_to_page(start_pfn + i))) ++ if (pfn_valid(start_pfn + i) && (start_pfn + i >= 0x100 || ++ !PageReserved(pfn_to_page(start_pfn + i)))) + return 1; -- if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn))) -+ if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn)))) - return NULL; - WARN_ON_ONCE(is_ram); - } -@@ -256,7 +256,7 @@ EXPORT_SYMBOL(ioremap_prot); + WARN_ONCE(1, "ioremap on RAM pfn 0x%lx\n", start_pfn); +@@ -268,7 +268,7 @@ EXPORT_SYMBOL(ioremap_prot); * * Caller must ensure there is only one unmapping for the same pointer. */ @@ -33373,7 +33375,7 @@ index 799580c..72f9fe0 100644 { struct vm_struct *p, *o; -@@ -310,6 +310,9 @@ void *xlate_dev_mem_ptr(unsigned long phys) +@@ -322,6 +322,9 @@ void *xlate_dev_mem_ptr(unsigned long phys) /* If page is RAM, we can use __va. Otherwise ioremap and unmap. */ if (page_is_ram(start >> PAGE_SHIFT)) @@ -33383,7 +33385,7 @@ index 799580c..72f9fe0 100644 return __va(phys); addr = (void __force *)ioremap_cache(start, PAGE_SIZE); -@@ -322,6 +325,9 @@ void *xlate_dev_mem_ptr(unsigned long phys) +@@ -334,6 +337,9 @@ void *xlate_dev_mem_ptr(unsigned long phys) void unxlate_dev_mem_ptr(unsigned long phys, void *addr) { if (page_is_ram(phys >> PAGE_SHIFT)) @@ -33393,7 +33395,7 @@ index 799580c..72f9fe0 100644 return; iounmap((void __iomem *)((unsigned long)addr & PAGE_MASK)); -@@ -339,7 +345,7 @@ static int __init early_ioremap_debug_setup(char *str) +@@ -351,7 +357,7 @@ static int __init early_ioremap_debug_setup(char *str) early_param("early_ioremap_debug", early_ioremap_debug_setup); static __initdata int after_paging_init; @@ -33402,7 +33404,7 @@ index 799580c..72f9fe0 100644 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr) { -@@ -376,8 +382,7 @@ void __init early_ioremap_init(void) +@@ -388,8 +394,7 @@ void __init early_ioremap_init(void) slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i); pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN)); @@ -39664,7 +39666,7 @@ index 18d4091..434be15 100644 } EXPORT_SYMBOL_GPL(od_unregister_powersave_bias_handler); diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c -index 6d98c37..a592321 100644 +index ae52c77..3d8f69b 100644 --- a/drivers/cpufreq/intel_pstate.c +++ b/drivers/cpufreq/intel_pstate.c @@ -125,10 +125,10 @@ struct pstate_funcs { @@ -39680,7 +39682,7 @@ index 6d98c37..a592321 100644 struct perf_limits { int no_turbo; -@@ -526,7 +526,7 @@ static void intel_pstate_set_pstate(struct cpudata *cpu, int pstate) +@@ -530,7 +530,7 @@ static void intel_pstate_set_pstate(struct cpudata *cpu, int pstate) cpu->pstate.current_pstate = pstate; @@ -39689,7 +39691,7 @@ index 6d98c37..a592321 100644 } static inline void intel_pstate_pstate_increase(struct cpudata *cpu, int steps) -@@ -548,12 +548,12 @@ static void intel_pstate_get_cpu_pstates(struct cpudata *cpu) +@@ -552,12 +552,12 @@ static void intel_pstate_get_cpu_pstates(struct cpudata *cpu) { sprintf(cpu->name, "Intel 2nd generation core"); @@ -39707,7 +39709,7 @@ index 6d98c37..a592321 100644 intel_pstate_set_pstate(cpu, cpu->pstate.min_pstate); } -@@ -835,9 +835,9 @@ static int intel_pstate_msrs_not_valid(void) +@@ -844,9 +844,9 @@ static int intel_pstate_msrs_not_valid(void) rdmsrl(MSR_IA32_APERF, aperf); rdmsrl(MSR_IA32_MPERF, mperf); @@ -39720,7 +39722,7 @@ index 6d98c37..a592321 100644 return -ENODEV; rdmsrl(MSR_IA32_APERF, tmp); -@@ -851,7 +851,7 @@ static int intel_pstate_msrs_not_valid(void) +@@ -860,7 +860,7 @@ static int intel_pstate_msrs_not_valid(void) return 0; } @@ -39729,7 +39731,7 @@ index 6d98c37..a592321 100644 { pid_params.sample_rate_ms = policy->sample_rate_ms; pid_params.p_gain_pct = policy->p_gain_pct; -@@ -863,11 +863,7 @@ static void copy_pid_params(struct pstate_adjust_policy *policy) +@@ -872,11 +872,7 @@ static void copy_pid_params(struct pstate_adjust_policy *policy) static void copy_cpu_funcs(struct pstate_funcs *funcs) { @@ -44543,10 +44545,10 @@ index b086a94..74cb67e 100644 pmd->bl_info.value_type.inc = data_block_inc; pmd->bl_info.value_type.dec = data_block_dec; diff --git a/drivers/md/dm.c b/drivers/md/dm.c -index 8c53b09..f1fb2b0 100644 +index 65ee3a0..1852af9 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c -@@ -185,9 +185,9 @@ struct mapped_device { +@@ -187,9 +187,9 @@ struct mapped_device { /* * Event handling. */ @@ -44558,7 +44560,7 @@ index 8c53b09..f1fb2b0 100644 struct list_head uevent_list; spinlock_t uevent_lock; /* Protect access to uevent_list */ -@@ -1888,8 +1888,8 @@ static struct mapped_device *alloc_dev(int minor) +@@ -1899,8 +1899,8 @@ static struct mapped_device *alloc_dev(int minor) spin_lock_init(&md->deferred_lock); atomic_set(&md->holders, 1); atomic_set(&md->open_count, 0); @@ -44569,7 +44571,7 @@ index 8c53b09..f1fb2b0 100644 INIT_LIST_HEAD(&md->uevent_list); spin_lock_init(&md->uevent_lock); -@@ -2043,7 +2043,7 @@ static void event_callback(void *context) +@@ -2054,7 +2054,7 @@ static void event_callback(void *context) dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj); @@ -44578,7 +44580,7 @@ index 8c53b09..f1fb2b0 100644 wake_up(&md->eventq); } -@@ -2736,18 +2736,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, +@@ -2747,18 +2747,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, uint32_t dm_next_uevent_seq(struct mapped_device *md) { @@ -47503,6 +47505,24 @@ index 5920c99..ff2e4a5 100644 }; static void +diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c +index 5895f19..fa9fdfa 100644 +--- a/drivers/net/wan/x25_asy.c ++++ b/drivers/net/wan/x25_asy.c +@@ -122,8 +122,12 @@ static int x25_asy_change_mtu(struct net_device *dev, int newmtu) + { + struct x25_asy *sl = netdev_priv(dev); + unsigned char *xbuff, *rbuff; +- int len = 2 * newmtu; ++ int len; + ++ if (newmtu > 65534) ++ return -EINVAL; ++ ++ len = 2 * newmtu; + xbuff = kmalloc(len + 4, GFP_ATOMIC); + rbuff = kmalloc(len + 4, GFP_ATOMIC); + diff --git a/drivers/net/wan/z85230.c b/drivers/net/wan/z85230.c index feacc3b..5bac0de 100644 --- a/drivers/net/wan/z85230.c @@ -51951,7 +51971,7 @@ index 9cd706d..6ff2de7 100644 if (cfg->uart_flags & UPF_CONS_FLOW) { diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c -index ece2049..fba2524 100644 +index ece2049b..fba2524 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c @@ -1448,7 +1448,7 @@ static void uart_hangup(struct tty_struct *tty) @@ -60208,7 +60228,7 @@ index e6574d7..c30cbe2 100644 brelse(bh); bh = NULL; diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c -index 08ddfda..a48f3f6 100644 +index 502f0fd..bf3b3c1 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -1880,7 +1880,7 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac, @@ -60338,7 +60358,7 @@ index 04434ad..6404663 100644 "MMP failure info: last update time: %llu, last update " "node: %s, last update device: %s\n", diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index 710fed2..a82e4e8 100644 +index 25b327e..56f169d 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -1270,7 +1270,7 @@ static ext4_fsblk_t get_sb_block(void **data) @@ -60350,7 +60370,7 @@ index 710fed2..a82e4e8 100644 "Contact linux-ext4@vger.kernel.org if you think we should keep it.\n"; #ifdef CONFIG_QUOTA -@@ -2450,7 +2450,7 @@ struct ext4_attr { +@@ -2448,7 +2448,7 @@ struct ext4_attr { int offset; int deprecated_val; } u; @@ -62357,7 +62377,7 @@ index b29e42f..5ea7fdf 100644 #define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */ diff --git a/fs/namei.c b/fs/namei.c -index 8274c8d..922e189 100644 +index 8274c8d..e242796 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -330,17 +330,34 @@ int generic_permission(struct inode *inode, int mask) @@ -62493,7 +62513,19 @@ index 8274c8d..922e189 100644 return retval; } -@@ -2557,6 +2590,13 @@ static int may_open(struct path *path, int acc_mode, int flag) +@@ -2247,9 +2280,10 @@ done: + goto out; + } + path->dentry = dentry; +- path->mnt = mntget(nd->path.mnt); ++ path->mnt = nd->path.mnt; + if (should_follow_link(dentry, nd->flags & LOOKUP_FOLLOW)) + return 1; ++ mntget(path->mnt); + follow_mount(path); + error = 0; + out: +@@ -2557,6 +2591,13 @@ static int may_open(struct path *path, int acc_mode, int flag) if (flag & O_NOATIME && !inode_owner_or_capable(inode)) return -EPERM; @@ -62507,7 +62539,7 @@ index 8274c8d..922e189 100644 return 0; } -@@ -2788,7 +2828,7 @@ looked_up: +@@ -2788,7 +2829,7 @@ looked_up: * cleared otherwise prior to returning. */ static int lookup_open(struct nameidata *nd, struct path *path, @@ -62516,7 +62548,7 @@ index 8274c8d..922e189 100644 const struct open_flags *op, bool got_write, int *opened) { -@@ -2823,6 +2863,17 @@ static int lookup_open(struct nameidata *nd, struct path *path, +@@ -2823,6 +2864,17 @@ static int lookup_open(struct nameidata *nd, struct path *path, /* Negative dentry, just create the file */ if (!dentry->d_inode && (op->open_flag & O_CREAT)) { umode_t mode = op->mode; @@ -62534,7 +62566,7 @@ index 8274c8d..922e189 100644 if (!IS_POSIXACL(dir->d_inode)) mode &= ~current_umask(); /* -@@ -2844,6 +2895,8 @@ static int lookup_open(struct nameidata *nd, struct path *path, +@@ -2844,6 +2896,8 @@ static int lookup_open(struct nameidata *nd, struct path *path, nd->flags & LOOKUP_EXCL); if (error) goto out_dput; @@ -62543,7 +62575,7 @@ index 8274c8d..922e189 100644 } out_no_open: path->dentry = dentry; -@@ -2858,7 +2911,7 @@ out_dput: +@@ -2858,7 +2912,7 @@ out_dput: /* * Handle the last step of open() */ @@ -62552,7 +62584,7 @@ index 8274c8d..922e189 100644 struct file *file, const struct open_flags *op, int *opened, struct filename *name) { -@@ -2908,6 +2961,15 @@ static int do_last(struct nameidata *nd, struct path *path, +@@ -2908,6 +2962,15 @@ static int do_last(struct nameidata *nd, struct path *path, if (error) return error; @@ -62568,7 +62600,7 @@ index 8274c8d..922e189 100644 audit_inode(name, dir, LOOKUP_PARENT); error = -EISDIR; /* trailing slashes? */ -@@ -2927,7 +2989,7 @@ retry_lookup: +@@ -2927,7 +2990,7 @@ retry_lookup: */ } mutex_lock(&dir->d_inode->i_mutex); @@ -62577,7 +62609,7 @@ index 8274c8d..922e189 100644 mutex_unlock(&dir->d_inode->i_mutex); if (error <= 0) { -@@ -2951,11 +3013,28 @@ retry_lookup: +@@ -2951,11 +3014,28 @@ retry_lookup: goto finish_open_created; } @@ -62607,7 +62639,7 @@ index 8274c8d..922e189 100644 /* * If atomic_open() acquired write access it is dropped now due to -@@ -2996,6 +3075,11 @@ finish_lookup: +@@ -2996,6 +3076,11 @@ finish_lookup: } } BUG_ON(inode != path->dentry->d_inode); @@ -62619,7 +62651,7 @@ index 8274c8d..922e189 100644 return 1; } -@@ -3005,7 +3089,6 @@ finish_lookup: +@@ -3005,7 +3090,6 @@ finish_lookup: save_parent.dentry = nd->path.dentry; save_parent.mnt = mntget(path->mnt); nd->path.dentry = path->dentry; @@ -62627,7 +62659,7 @@ index 8274c8d..922e189 100644 } nd->inode = inode; /* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */ -@@ -3015,7 +3098,18 @@ finish_open: +@@ -3015,7 +3099,18 @@ finish_open: path_put(&save_parent); return error; } @@ -62646,7 +62678,7 @@ index 8274c8d..922e189 100644 error = -EISDIR; if ((open_flag & O_CREAT) && (d_is_directory(nd->path.dentry) || d_is_autodir(nd->path.dentry))) -@@ -3179,7 +3273,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, +@@ -3179,7 +3274,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, if (unlikely(error)) goto out; @@ -62655,7 +62687,7 @@ index 8274c8d..922e189 100644 while (unlikely(error > 0)) { /* trailing symlink */ struct path link = path; void *cookie; -@@ -3197,7 +3291,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, +@@ -3197,7 +3292,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, error = follow_link(&link, nd, &cookie); if (unlikely(error)) break; @@ -62664,7 +62696,7 @@ index 8274c8d..922e189 100644 put_link(nd, &link, cookie); } out: -@@ -3297,9 +3391,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, +@@ -3297,9 +3392,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, goto unlock; error = -EEXIST; @@ -62678,7 +62710,7 @@ index 8274c8d..922e189 100644 /* * Special case - lookup gave negative, but... we had foo/bar/ * From the vfs_mknod() POV we just have a negative dentry - -@@ -3351,6 +3447,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, +@@ -3351,6 +3448,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, } EXPORT_SYMBOL(user_path_create); @@ -62699,7 +62731,7 @@ index 8274c8d..922e189 100644 int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) { int error = may_create(dir, dentry); -@@ -3413,6 +3523,17 @@ retry: +@@ -3413,6 +3524,17 @@ retry: if (!IS_POSIXACL(path.dentry->d_inode)) mode &= ~current_umask(); @@ -62717,7 +62749,7 @@ index 8274c8d..922e189 100644 error = security_path_mknod(&path, dentry, mode, dev); if (error) goto out; -@@ -3429,6 +3550,8 @@ retry: +@@ -3429,6 +3551,8 @@ retry: break; } out: @@ -62726,7 +62758,7 @@ index 8274c8d..922e189 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -3481,9 +3604,16 @@ retry: +@@ -3481,9 +3605,16 @@ retry: if (!IS_POSIXACL(path.dentry->d_inode)) mode &= ~current_umask(); @@ -62743,7 +62775,7 @@ index 8274c8d..922e189 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -3564,6 +3694,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -3564,6 +3695,8 @@ static long do_rmdir(int dfd, const char __user *pathname) struct filename *name; struct dentry *dentry; struct nameidata nd; @@ -62752,7 +62784,7 @@ index 8274c8d..922e189 100644 unsigned int lookup_flags = 0; retry: name = user_path_parent(dfd, pathname, &nd, lookup_flags); -@@ -3596,10 +3728,21 @@ retry: +@@ -3596,10 +3729,21 @@ retry: error = -ENOENT; goto exit3; } @@ -62774,7 +62806,7 @@ index 8274c8d..922e189 100644 exit3: dput(dentry); exit2: -@@ -3689,6 +3832,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -3689,6 +3833,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) struct nameidata nd; struct inode *inode = NULL; struct inode *delegated_inode = NULL; @@ -62783,7 +62815,7 @@ index 8274c8d..922e189 100644 unsigned int lookup_flags = 0; retry: name = user_path_parent(dfd, pathname, &nd, lookup_flags); -@@ -3715,10 +3860,22 @@ retry_deleg: +@@ -3715,10 +3861,22 @@ retry_deleg: if (d_is_negative(dentry)) goto slashes; ihold(inode); @@ -62806,7 +62838,7 @@ index 8274c8d..922e189 100644 exit2: dput(dentry); } -@@ -3806,9 +3963,17 @@ retry: +@@ -3806,9 +3964,17 @@ retry: if (IS_ERR(dentry)) goto out_putname; @@ -62824,7 +62856,7 @@ index 8274c8d..922e189 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -3911,6 +4076,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -3911,6 +4077,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, struct dentry *new_dentry; struct path old_path, new_path; struct inode *delegated_inode = NULL; @@ -62832,7 +62864,7 @@ index 8274c8d..922e189 100644 int how = 0; int error; -@@ -3934,7 +4100,7 @@ retry: +@@ -3934,7 +4101,7 @@ retry: if (error) return error; @@ -62841,7 +62873,7 @@ index 8274c8d..922e189 100644 (how & LOOKUP_REVAL)); error = PTR_ERR(new_dentry); if (IS_ERR(new_dentry)) -@@ -3946,11 +4112,28 @@ retry: +@@ -3946,11 +4113,28 @@ retry: error = may_linkat(&old_path); if (unlikely(error)) goto out_dput; @@ -62870,7 +62902,7 @@ index 8274c8d..922e189 100644 done_path_create(&new_path, new_dentry); if (delegated_inode) { error = break_deleg_wait(&delegated_inode); -@@ -4237,6 +4420,12 @@ retry_deleg: +@@ -4237,6 +4421,12 @@ retry_deleg: if (new_dentry == trap) goto exit5; @@ -62883,7 +62915,7 @@ index 8274c8d..922e189 100644 error = security_path_rename(&oldnd.path, old_dentry, &newnd.path, new_dentry); if (error) -@@ -4244,6 +4433,9 @@ retry_deleg: +@@ -4244,6 +4434,9 @@ retry_deleg: error = vfs_rename(old_dir->d_inode, old_dentry, new_dir->d_inode, new_dentry, &delegated_inode); @@ -62893,7 +62925,7 @@ index 8274c8d..922e189 100644 exit5: dput(new_dentry); exit4: -@@ -4280,6 +4472,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna +@@ -4280,6 +4473,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link) { @@ -62902,7 +62934,7 @@ index 8274c8d..922e189 100644 int len; len = PTR_ERR(link); -@@ -4289,7 +4483,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c +@@ -4289,7 +4484,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c len = strlen(link); if (len > (unsigned) buflen) len = buflen; @@ -91687,7 +91719,7 @@ index 868633e..921dc41 100644 ftrace_graph_active++; diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c -index fc4da2d..f3e800b 100644 +index 04202d9..e3e4242 100644 --- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c @@ -352,9 +352,9 @@ struct buffer_data_page { @@ -91713,7 +91745,7 @@ index fc4da2d..f3e800b 100644 local_t dropped_events; local_t committing; local_t commits; -@@ -992,8 +992,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer, +@@ -995,8 +995,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer, * * We add a counter to the write field to denote this. */ @@ -91724,7 +91756,7 @@ index fc4da2d..f3e800b 100644 /* * Just make sure we have seen our old_write and synchronize -@@ -1021,8 +1021,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer, +@@ -1024,8 +1024,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer, * cmpxchg to only update if an interrupt did not already * do it for us. If the cmpxchg fails, we don't care. */ @@ -91735,7 +91767,7 @@ index fc4da2d..f3e800b 100644 /* * No need to worry about races with clearing out the commit. -@@ -1386,12 +1386,12 @@ static void rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer); +@@ -1389,12 +1389,12 @@ static void rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer); static inline unsigned long rb_page_entries(struct buffer_page *bpage) { @@ -91750,7 +91782,7 @@ index fc4da2d..f3e800b 100644 } static int -@@ -1486,7 +1486,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned int nr_pages) +@@ -1489,7 +1489,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned int nr_pages) * bytes consumed in ring buffer from here. * Increment overrun to account for the lost events. */ @@ -91759,7 +91791,7 @@ index fc4da2d..f3e800b 100644 local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes); } -@@ -2064,7 +2064,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2067,7 +2067,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer, * it is our responsibility to update * the counters. */ @@ -91768,7 +91800,7 @@ index fc4da2d..f3e800b 100644 local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes); /* -@@ -2214,7 +2214,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2217,7 +2217,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, if (tail == BUF_PAGE_SIZE) tail_page->real_end = 0; @@ -91777,7 +91809,7 @@ index fc4da2d..f3e800b 100644 return; } -@@ -2249,7 +2249,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2252,7 +2252,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, rb_event_set_padding(event); /* Set the write back to the previous setting */ @@ -91786,7 +91818,7 @@ index fc4da2d..f3e800b 100644 return; } -@@ -2261,7 +2261,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2264,7 +2264,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, /* Set write to end of buffer */ length = (tail + length) - BUF_PAGE_SIZE; @@ -91795,7 +91827,7 @@ index fc4da2d..f3e800b 100644 } /* -@@ -2287,7 +2287,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2290,7 +2290,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer, * about it. */ if (unlikely(next_page == commit_page)) { @@ -91804,7 +91836,7 @@ index fc4da2d..f3e800b 100644 goto out_reset; } -@@ -2343,7 +2343,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2346,7 +2346,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer, cpu_buffer->tail_page) && (cpu_buffer->commit_page == cpu_buffer->reader_page))) { @@ -91813,7 +91845,7 @@ index fc4da2d..f3e800b 100644 goto out_reset; } } -@@ -2391,7 +2391,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2394,7 +2394,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer, length += RB_LEN_TIME_EXTEND; tail_page = cpu_buffer->tail_page; @@ -91822,7 +91854,7 @@ index fc4da2d..f3e800b 100644 /* set write to only the index of the write */ write &= RB_WRITE_MASK; -@@ -2415,7 +2415,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2418,7 +2418,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer, kmemcheck_annotate_bitfield(event, bitfield); rb_update_event(cpu_buffer, event, length, add_timestamp, delta); @@ -91831,7 +91863,7 @@ index fc4da2d..f3e800b 100644 /* * If this is the first commit on the page, then update -@@ -2448,7 +2448,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2451,7 +2451,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer, if (bpage->page == (void *)addr && rb_page_write(bpage) == old_index) { unsigned long write_mask = @@ -91840,7 +91872,7 @@ index fc4da2d..f3e800b 100644 unsigned long event_length = rb_event_length(event); /* * This is on the tail page. It is possible that -@@ -2458,7 +2458,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2461,7 +2461,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer, */ old_index += write_mask; new_index += write_mask; @@ -91849,7 +91881,7 @@ index fc4da2d..f3e800b 100644 if (index == old_index) { /* update counters */ local_sub(event_length, &cpu_buffer->entries_bytes); -@@ -2850,7 +2850,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2853,7 +2853,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer, /* Do the likely case first */ if (likely(bpage->page == (void *)addr)) { @@ -91858,7 +91890,7 @@ index fc4da2d..f3e800b 100644 return; } -@@ -2862,7 +2862,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2865,7 +2865,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer, start = bpage; do { if (bpage->page == (void *)addr) { @@ -91867,7 +91899,7 @@ index fc4da2d..f3e800b 100644 return; } rb_inc_page(cpu_buffer, &bpage); -@@ -3146,7 +3146,7 @@ static inline unsigned long +@@ -3149,7 +3149,7 @@ static inline unsigned long rb_num_of_entries(struct ring_buffer_per_cpu *cpu_buffer) { return local_read(&cpu_buffer->entries) - @@ -91876,7 +91908,7 @@ index fc4da2d..f3e800b 100644 } /** -@@ -3235,7 +3235,7 @@ unsigned long ring_buffer_overrun_cpu(struct ring_buffer *buffer, int cpu) +@@ -3238,7 +3238,7 @@ unsigned long ring_buffer_overrun_cpu(struct ring_buffer *buffer, int cpu) return 0; cpu_buffer = buffer->buffers[cpu]; @@ -91885,7 +91917,7 @@ index fc4da2d..f3e800b 100644 return ret; } -@@ -3258,7 +3258,7 @@ ring_buffer_commit_overrun_cpu(struct ring_buffer *buffer, int cpu) +@@ -3261,7 +3261,7 @@ ring_buffer_commit_overrun_cpu(struct ring_buffer *buffer, int cpu) return 0; cpu_buffer = buffer->buffers[cpu]; @@ -91894,7 +91926,7 @@ index fc4da2d..f3e800b 100644 return ret; } -@@ -3343,7 +3343,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer) +@@ -3346,7 +3346,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer) /* if you care about this being correct, lock the buffer */ for_each_buffer_cpu(buffer, cpu) { cpu_buffer = buffer->buffers[cpu]; @@ -91903,7 +91935,7 @@ index fc4da2d..f3e800b 100644 } return overruns; -@@ -3519,8 +3519,8 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) +@@ -3522,8 +3522,8 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) /* * Reset the reader page to size zero. */ @@ -91914,7 +91946,7 @@ index fc4da2d..f3e800b 100644 local_set(&cpu_buffer->reader_page->page->commit, 0); cpu_buffer->reader_page->real_end = 0; -@@ -3554,7 +3554,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) +@@ -3557,7 +3557,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) * want to compare with the last_overrun. */ smp_mb(); @@ -91923,7 +91955,7 @@ index fc4da2d..f3e800b 100644 /* * Here's the tricky part. -@@ -4124,8 +4124,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) +@@ -4127,8 +4127,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) cpu_buffer->head_page = list_entry(cpu_buffer->pages, struct buffer_page, list); @@ -91934,7 +91966,7 @@ index fc4da2d..f3e800b 100644 local_set(&cpu_buffer->head_page->page->commit, 0); cpu_buffer->head_page->read = 0; -@@ -4135,14 +4135,14 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) +@@ -4138,14 +4138,14 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) INIT_LIST_HEAD(&cpu_buffer->reader_page->list); INIT_LIST_HEAD(&cpu_buffer->new_pages); @@ -91953,7 +91985,7 @@ index fc4da2d..f3e800b 100644 local_set(&cpu_buffer->dropped_events, 0); local_set(&cpu_buffer->entries, 0); local_set(&cpu_buffer->committing, 0); -@@ -4547,8 +4547,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer, +@@ -4550,8 +4550,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer, rb_init_page(bpage); bpage = reader->page; reader->page = *data_page; @@ -91965,7 +91997,7 @@ index fc4da2d..f3e800b 100644 *data_page = bpage; diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c -index fd21e60..eb47c25 100644 +index 922657f..3d229d9 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -3398,7 +3398,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set) @@ -91978,7 +92010,7 @@ index fd21e60..eb47c25 100644 /* do nothing if flag is already set */ if (!!(trace_flags & mask) == !!enabled) diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h -index 02b592f..f971546 100644 +index c8bd809..33d7539 100644 --- a/kernel/trace/trace.h +++ b/kernel/trace/trace.h @@ -1233,7 +1233,7 @@ extern const char *__stop___tracepoint_str[]; @@ -92171,10 +92203,10 @@ index c9b6f01..37781d9 100644 .thread_should_run = watchdog_should_run, .thread_fn = watchdog, diff --git a/kernel/workqueue.c b/kernel/workqueue.c -index b6a3941..b68f191 100644 +index b4defde..f092808 100644 --- a/kernel/workqueue.c +++ b/kernel/workqueue.c -@@ -4702,7 +4702,7 @@ static void rebind_workers(struct worker_pool *pool) +@@ -4703,7 +4703,7 @@ static void rebind_workers(struct worker_pool *pool) WARN_ON_ONCE(!(worker_flags & WORKER_UNBOUND)); worker_flags |= WORKER_REBOUND; worker_flags &= ~WORKER_UNBOUND; @@ -92950,7 +92982,7 @@ index 0000000..7cd6065 @@ -0,0 +1 @@ +-grsec diff --git a/mm/Kconfig b/mm/Kconfig -index 9b63c15..2ab509e 100644 +index 0862816..2e3a043 100644 --- a/mm/Kconfig +++ b/mm/Kconfig @@ -329,10 +329,11 @@ config KSM @@ -94220,7 +94252,7 @@ index 2121d8b8..fa1095a 100644 mm = get_task_mm(tsk); if (!mm) diff --git a/mm/mempolicy.c b/mm/mempolicy.c -index 9c6288a..b0ea97e 100644 +index 15a8ea0..cb50389 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c @@ -747,6 +747,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start, @@ -96343,7 +96375,7 @@ index cdbd312..2e1e0b9 100644 /* diff --git a/mm/shmem.c b/mm/shmem.c -index 1f18c9d..b550bab 100644 +index 1f18c9d..6aa94ab 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -33,7 +33,7 @@ @@ -96371,19 +96403,73 @@ index 1f18c9d..b550bab 100644 + * a time): we would prefer not to enlarge the shmem inode just for that. */ struct shmem_falloc { -+ int mode; /* FALLOC_FL mode currently operating */ ++ wait_queue_head_t *waitq; /* faults into hole wait for punch to end */ pgoff_t start; /* start of range currently being fallocated */ pgoff_t next; /* the next page offset to be fallocated */ pgoff_t nr_falloced; /* how many new pages have been fallocated */ -@@ -824,6 +825,7 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc) +@@ -533,22 +534,19 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend, + return; + + index = start; +- for ( ; ; ) { ++ while (index < end) { + cond_resched(); + pvec.nr = shmem_find_get_pages_and_swap(mapping, index, + min(end - index, (pgoff_t)PAGEVEC_SIZE), + pvec.pages, indices); + if (!pvec.nr) { +- if (index == start || unfalloc) ++ /* If all gone or hole-punch or unfalloc, we're done */ ++ if (index == start || end != -1) + break; ++ /* But if truncating, restart to make sure all gone */ + index = start; + continue; + } +- if ((index == start || unfalloc) && indices[0] >= end) { +- shmem_deswap_pagevec(&pvec); +- pagevec_release(&pvec); +- break; +- } + mem_cgroup_uncharge_start(); + for (i = 0; i < pagevec_count(&pvec); i++) { + struct page *page = pvec.pages[i]; +@@ -560,8 +558,12 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend, + if (radix_tree_exceptional_entry(page)) { + if (unfalloc) + continue; +- nr_swaps_freed += !shmem_free_swap(mapping, +- index, page); ++ if (shmem_free_swap(mapping, index, page)) { ++ /* Swap was replaced by page: retry */ ++ index--; ++ break; ++ } ++ nr_swaps_freed++; + continue; + } + +@@ -570,6 +572,11 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend, + if (page->mapping == mapping) { + VM_BUG_ON_PAGE(PageWriteback(page), page); + truncate_inode_page(mapping, page); ++ } else { ++ /* Page was replaced by swap: retry */ ++ unlock_page(page); ++ index--; ++ break; + } + } + unlock_page(page); +@@ -824,6 +831,7 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc) spin_lock(&inode->i_lock); shmem_falloc = inode->i_private; if (shmem_falloc && -+ !shmem_falloc->mode && ++ !shmem_falloc->waitq && index >= shmem_falloc->start && index < shmem_falloc->next) shmem_falloc->nr_unswapped++; -@@ -1298,6 +1300,43 @@ static int shmem_fault(struct vm_area_struct *vma, struct vm_fault *vmf) +@@ -1298,6 +1306,64 @@ static int shmem_fault(struct vm_area_struct *vma, struct vm_fault *vmf) int error; int ret = VM_FAULT_LOCKED; @@ -96391,71 +96477,98 @@ index 1f18c9d..b550bab 100644 + * Trinity finds that probing a hole which tmpfs is punching can + * prevent the hole-punch from ever completing: which in turn + * locks writers out with its hold on i_mutex. So refrain from -+ * faulting pages into the hole while it's being punched, and -+ * wait on i_mutex to be released if vmf->flags permits, ++ * faulting pages into the hole while it's being punched. Although ++ * shmem_undo_range() does remove the additions, it may be unable to ++ * keep up, as each new page needs its own unmap_mapping_range() call, ++ * and the i_mmap tree grows ever slower to scan if new vmas are added. ++ * ++ * It does not matter if we sometimes reach this check just before the ++ * hole-punch begins, so that one fault then races with the punch: ++ * we just need to make racing faults a rare case. ++ * ++ * The implementation below would be much simpler if we just used a ++ * standard mutex or completion: but we cannot take i_mutex in fault, ++ * and bloating every shmem inode for this unlikely case would be sad. + */ + if (unlikely(inode->i_private)) { + struct shmem_falloc *shmem_falloc; ++ + spin_lock(&inode->i_lock); + shmem_falloc = inode->i_private; -+ if (!shmem_falloc || -+ shmem_falloc->mode != FALLOC_FL_PUNCH_HOLE || -+ vmf->pgoff < shmem_falloc->start || -+ vmf->pgoff >= shmem_falloc->next) -+ shmem_falloc = NULL; -+ spin_unlock(&inode->i_lock); -+ /* -+ * i_lock has protected us from taking shmem_falloc seriously -+ * once return from shmem_fallocate() went back up that stack. -+ * i_lock does not serialize with i_mutex at all, but it does -+ * not matter if sometimes we wait unnecessarily, or sometimes -+ * miss out on waiting: we just need to make those cases rare. -+ */ -+ if (shmem_falloc) { ++ if (shmem_falloc && ++ shmem_falloc->waitq && ++ vmf->pgoff >= shmem_falloc->start && ++ vmf->pgoff < shmem_falloc->next) { ++ wait_queue_head_t *shmem_falloc_waitq; ++ DEFINE_WAIT(shmem_fault_wait); ++ ++ ret = VM_FAULT_NOPAGE; + if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) && + !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) { ++ /* It's polite to up mmap_sem if we can */ + up_read(&vma->vm_mm->mmap_sem); -+ mutex_lock(&inode->i_mutex); -+ mutex_unlock(&inode->i_mutex); -+ return VM_FAULT_RETRY; ++ ret = VM_FAULT_RETRY; + } -+ /* cond_resched? Leave that to GUP or return to user */ -+ return VM_FAULT_NOPAGE; ++ ++ shmem_falloc_waitq = shmem_falloc->waitq; ++ prepare_to_wait(shmem_falloc_waitq, &shmem_fault_wait, ++ TASK_UNINTERRUPTIBLE); ++ spin_unlock(&inode->i_lock); ++ schedule(); ++ ++ /* ++ * shmem_falloc_waitq points into the shmem_fallocate() ++ * stack of the hole-punching task: shmem_falloc_waitq ++ * is usually invalid by the time we reach here, but ++ * finish_wait() does not dereference it in that case; ++ * though i_lock needed lest racing with wake_up_all(). ++ */ ++ spin_lock(&inode->i_lock); ++ finish_wait(shmem_falloc_waitq, &shmem_fault_wait); ++ spin_unlock(&inode->i_lock); ++ return ret; + } ++ spin_unlock(&inode->i_lock); + } + error = shmem_getpage(inode, vmf->pgoff, &vmf->page, SGP_CACHE, &ret); if (error) return ((error == -ENOMEM) ? VM_FAULT_OOM : VM_FAULT_SIGBUS); -@@ -1813,18 +1852,26 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset, - - mutex_lock(&inode->i_mutex); - -+ shmem_falloc.mode = mode & ~FALLOC_FL_KEEP_SIZE; -+ - if (mode & FALLOC_FL_PUNCH_HOLE) { +@@ -1817,12 +1883,25 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset, struct address_space *mapping = file->f_mapping; loff_t unmap_start = round_up(offset, PAGE_SIZE); loff_t unmap_end = round_down(offset + len, PAGE_SIZE) - 1; - ++ DECLARE_WAIT_QUEUE_HEAD_ONSTACK(shmem_falloc_waitq); ++ ++ shmem_falloc.waitq = &shmem_falloc_waitq; + shmem_falloc.start = unmap_start >> PAGE_SHIFT; + shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT; + spin_lock(&inode->i_lock); + inode->i_private = &shmem_falloc; + spin_unlock(&inode->i_lock); -+ + if ((u64)unmap_end > (u64)unmap_start) unmap_mapping_range(mapping, unmap_start, 1 + unmap_end - unmap_start, 0); shmem_truncate_range(inode, offset, offset + len - 1); /* No need to unmap again: hole-punching leaves COWed pages */ ++ ++ spin_lock(&inode->i_lock); ++ inode->i_private = NULL; ++ wake_up_all(&shmem_falloc_waitq); ++ spin_unlock(&inode->i_lock); error = 0; -- goto out; -+ goto undone; + goto out; + } +@@ -1840,6 +1919,7 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset, + goto out; } - /* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */ -@@ -2218,6 +2265,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = { ++ shmem_falloc.waitq = NULL; + shmem_falloc.start = start; + shmem_falloc.next = start; + shmem_falloc.nr_falloced = 0; +@@ -2218,6 +2298,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = { static int shmem_xattr_validate(const char *name) { struct { const char *prefix; size_t len; } arr[] = { @@ -96467,7 +96580,7 @@ index 1f18c9d..b550bab 100644 { XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN }, { XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN } }; -@@ -2273,6 +2325,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name, +@@ -2273,6 +2358,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name, if (err) return err; @@ -96483,7 +96596,7 @@ index 1f18c9d..b550bab 100644 return simple_xattr_set(&info->xattrs, name, value, size, flags); } -@@ -2585,8 +2646,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent) +@@ -2585,8 +2679,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent) int err = -ENOMEM; /* Round up to L1_CACHE_BYTES to resist false sharing */ @@ -99666,6 +99779,21 @@ index 5325b54..a0d4d69 100644 return -EFAULT; *lenp = len; +diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c +index e7b6d53..f005cc7 100644 +--- a/net/dns_resolver/dns_query.c ++++ b/net/dns_resolver/dns_query.c +@@ -149,7 +149,9 @@ int dns_query(const char *type, const char *name, size_t namelen, + if (!*_result) + goto put; + +- memcpy(*_result, upayload->data, len + 1); ++ memcpy(*_result, upayload->data, len); ++ (*_result)[len] = '\0'; ++ + if (_expiry) + *_expiry = rkey->expiry; + diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index 19ab78a..bf575c9 100644 --- a/net/ipv4/af_inet.c @@ -103158,6 +103286,18 @@ index f226709..0e735a8 100644 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial)); ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len); +diff --git a/net/sctp/associola.c b/net/sctp/associola.c +index a4d5701..5d97d8f 100644 +--- a/net/sctp/associola.c ++++ b/net/sctp/associola.c +@@ -1151,6 +1151,7 @@ void sctp_assoc_update(struct sctp_association *asoc, + asoc->c = new->c; + asoc->peer.rwnd = new->peer.rwnd; + asoc->peer.sack_needed = new->peer.sack_needed; ++ asoc->peer.auth_capable = new->peer.auth_capable; + asoc->peer.i = new->peer.i; + sctp_tsnmap_init(&asoc->peer.tsn_map, SCTP_TSN_MAP_INITIAL, + asoc->peer.i.initial_tsn, GFP_ATOMIC); diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c index 2b1738e..a9d0fc9 100644 --- a/net/sctp/ipv6.c @@ -103388,6 +103528,26 @@ index c82fdc1..4ca1f95 100644 return 0; } +diff --git a/net/sctp/ulpevent.c b/net/sctp/ulpevent.c +index 85c6465..879f3cd 100644 +--- a/net/sctp/ulpevent.c ++++ b/net/sctp/ulpevent.c +@@ -411,6 +411,7 @@ struct sctp_ulpevent *sctp_ulpevent_make_remote_error( + * sre_type: + * It should be SCTP_REMOTE_ERROR. + */ ++ memset(sre, 0, sizeof(*sre)); + sre->sre_type = SCTP_REMOTE_ERROR; + + /* +@@ -916,6 +917,7 @@ void sctp_ulpevent_read_sndrcvinfo(const struct sctp_ulpevent *event, + * For recvmsg() the SCTP stack places the message's stream number in + * this value. + */ ++ memset(&sinfo, 0, sizeof(sinfo)); + sinfo.sinfo_stream = event->stream; + /* sinfo_ssn: 16 bits (unsigned integer) + * diff --git a/net/socket.c b/net/socket.c index a19ae19..89554dc 100644 --- a/net/socket.c diff --git a/3.14.12/4425_grsec_remove_EI_PAX.patch b/3.14.13/4425_grsec_remove_EI_PAX.patch index fc51f79..fc51f79 100644 --- a/3.14.12/4425_grsec_remove_EI_PAX.patch +++ b/3.14.13/4425_grsec_remove_EI_PAX.patch diff --git a/3.14.12/4427_force_XATTR_PAX_tmpfs.patch b/3.14.13/4427_force_XATTR_PAX_tmpfs.patch index 3db2112..3db2112 100644 --- a/3.14.12/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.14.13/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.14.12/4430_grsec-remove-localversion-grsec.patch b/3.14.13/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.14.12/4430_grsec-remove-localversion-grsec.patch +++ b/3.14.13/4430_grsec-remove-localversion-grsec.patch diff --git a/3.14.12/4435_grsec-mute-warnings.patch b/3.14.13/4435_grsec-mute-warnings.patch index 392cefb..392cefb 100644 --- a/3.14.12/4435_grsec-mute-warnings.patch +++ b/3.14.13/4435_grsec-mute-warnings.patch diff --git a/3.14.12/4440_grsec-remove-protected-paths.patch b/3.14.13/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/3.14.12/4440_grsec-remove-protected-paths.patch +++ b/3.14.13/4440_grsec-remove-protected-paths.patch diff --git a/3.14.12/4450_grsec-kconfig-default-gids.patch b/3.14.13/4450_grsec-kconfig-default-gids.patch index af218a8..af218a8 100644 --- a/3.14.12/4450_grsec-kconfig-default-gids.patch +++ b/3.14.13/4450_grsec-kconfig-default-gids.patch diff --git a/3.14.12/4465_selinux-avc_audit-log-curr_ip.patch b/3.14.13/4465_selinux-avc_audit-log-curr_ip.patch index fb528d0..fb528d0 100644 --- a/3.14.12/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.14.13/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.14.12/4470_disable-compat_vdso.patch b/3.14.13/4470_disable-compat_vdso.patch index 677174c..677174c 100644 --- a/3.14.12/4470_disable-compat_vdso.patch +++ b/3.14.13/4470_disable-compat_vdso.patch diff --git a/3.14.12/4475_emutramp_default_on.patch b/3.14.13/4475_emutramp_default_on.patch index 015c7c1..015c7c1 100644 --- a/3.14.12/4475_emutramp_default_on.patch +++ b/3.14.13/4475_emutramp_default_on.patch diff --git a/3.15.5/0000_README b/3.15.6/0000_README index 6000532..3a519cd 100644 --- a/3.15.5/0000_README +++ b/3.15.6/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.0-3.15.5-201407170639.patch +Patch: 4420_grsecurity-3.0-3.15.6-201407232200.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.15.5/4420_grsecurity-3.0-3.15.5-201407170639.patch b/3.15.6/4420_grsecurity-3.0-3.15.6-201407232200.patch index 7a5e81c..f992e88 100644 --- a/3.15.5/4420_grsecurity-3.0-3.15.5-201407170639.patch +++ b/3.15.6/4420_grsecurity-3.0-3.15.6-201407232200.patch @@ -287,13 +287,14 @@ index 30a8ad0d..2ed9efd 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index e6b01ed..74dbc85 100644 +index fefa023..06f4bb4 100644 --- a/Makefile +++ b/Makefile -@@ -246,7 +246,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ +@@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ + HOSTCC = gcc HOSTCXX = g++ - HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer +-HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -HOSTCXXFLAGS = -O2 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks +HOSTCFLAGS += $(call cc-option, -Wno-empty-body) @@ -301,7 +302,7 @@ index e6b01ed..74dbc85 100644 ifeq ($(shell $(HOSTCC) -v 2>&1 | grep -c "clang version"), 1) HOSTCFLAGS += -Wno-unused-value -Wno-unused-parameter \ -@@ -438,8 +440,8 @@ export RCS_TAR_IGNORE := --exclude SCCS --exclude BitKeeper --exclude .svn \ +@@ -438,8 +439,8 @@ export RCS_TAR_IGNORE := --exclude SCCS --exclude BitKeeper --exclude .svn \ # Rules shared between *config targets and build targets # Basic helpers built in scripts/ @@ -312,7 +313,7 @@ index e6b01ed..74dbc85 100644 $(Q)$(MAKE) $(build)=scripts/basic $(Q)rm -f .tmp_quiet_recordmcount -@@ -600,6 +602,72 @@ else +@@ -600,6 +601,72 @@ else KBUILD_CFLAGS += -O2 endif @@ -385,7 +386,7 @@ index e6b01ed..74dbc85 100644 include $(srctree)/arch/$(SRCARCH)/Makefile ifdef CONFIG_READABLE_ASM -@@ -816,7 +884,7 @@ export mod_sign_cmd +@@ -816,7 +883,7 @@ export mod_sign_cmd ifeq ($(KBUILD_EXTMOD),) @@ -394,7 +395,7 @@ index e6b01ed..74dbc85 100644 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \ -@@ -865,6 +933,8 @@ endif +@@ -865,6 +932,8 @@ endif # The actual objects are generated when descending, # make sure no implicit rule kicks in @@ -403,7 +404,7 @@ index e6b01ed..74dbc85 100644 $(sort $(vmlinux-deps)): $(vmlinux-dirs) ; # Handle descending into subdirectories listed in $(vmlinux-dirs) -@@ -874,7 +944,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ; +@@ -874,7 +943,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ; # Error messages still appears in the original language PHONY += $(vmlinux-dirs) @@ -412,7 +413,7 @@ index e6b01ed..74dbc85 100644 $(Q)$(MAKE) $(build)=$@ define filechk_kernel.release -@@ -917,10 +987,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \ +@@ -917,10 +986,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \ archprepare: archheaders archscripts prepare1 scripts_basic @@ -426,7 +427,7 @@ index e6b01ed..74dbc85 100644 prepare: prepare0 # Generate some files -@@ -1028,6 +1101,8 @@ all: modules +@@ -1028,6 +1100,8 @@ all: modules # using awk while concatenating to the final file. PHONY += modules @@ -435,7 +436,7 @@ index e6b01ed..74dbc85 100644 modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin $(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order @$(kecho) ' Building modules, stage 2.'; -@@ -1043,7 +1118,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin) +@@ -1043,7 +1117,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin) # Target to prepare building external modules PHONY += modules_prepare @@ -444,7 +445,7 @@ index e6b01ed..74dbc85 100644 # Target to install modules PHONY += modules_install -@@ -1109,7 +1184,10 @@ MRPROPER_FILES += .config .config.old .version .old_version $(version_h) \ +@@ -1109,7 +1183,10 @@ MRPROPER_FILES += .config .config.old .version .old_version $(version_h) \ Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \ signing_key.priv signing_key.x509 x509.genkey \ extra_certificates signing_key.x509.keyid \ @@ -456,7 +457,7 @@ index e6b01ed..74dbc85 100644 # clean - Delete most, but leave enough to build external modules # -@@ -1148,7 +1226,7 @@ distclean: mrproper +@@ -1148,7 +1225,7 @@ distclean: mrproper @find $(srctree) $(RCS_FIND_IGNORE) \ \( -name '*.orig' -o -name '*.rej' -o -name '*~' \ -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \ @@ -465,7 +466,7 @@ index e6b01ed..74dbc85 100644 -type f -print | xargs rm -f -@@ -1309,6 +1387,8 @@ PHONY += $(module-dirs) modules +@@ -1309,6 +1386,8 @@ PHONY += $(module-dirs) modules $(module-dirs): crmodverdir $(objtree)/Module.symvers $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@) @@ -474,7 +475,7 @@ index e6b01ed..74dbc85 100644 modules: $(module-dirs) @$(kecho) ' Building modules, stage 2.'; $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost -@@ -1448,17 +1528,21 @@ else +@@ -1448,17 +1527,21 @@ else target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@)) endif @@ -500,7 +501,7 @@ index e6b01ed..74dbc85 100644 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) %.symtypes: %.c prepare scripts FORCE $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) -@@ -1468,11 +1552,15 @@ endif +@@ -1468,11 +1551,15 @@ endif $(cmd_crmodverdir) $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \ $(build)=$(build-dir) @@ -2429,7 +2430,7 @@ index f7b450f..f5364c5 100644 EXPORT_SYMBOL(__get_user_1); EXPORT_SYMBOL(__get_user_2); diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S -index 1879e8d..b2207fc 100644 +index 1879e8d..5602dd4 100644 --- a/arch/arm/kernel/entry-armv.S +++ b/arch/arm/kernel/entry-armv.S @@ -47,6 +47,87 @@ @@ -2448,7 +2449,7 @@ index 1879e8d..b2207fc 100644 + bic r2, r2, #(0x1fc0) + bic r2, r2, #(0x3f) + ldr r1, [r2, #TI_CPU_DOMAIN] -+ @ store old DACR on stack ++ @ store old DACR on stack + str r1, [sp, #8] +#ifdef CONFIG_PAX_KERNEXEC + @ set type of DOMAIN_KERNEL to DOMAIN_KERNELCLIENT @@ -7990,7 +7991,7 @@ index 3ca9c11..d163ef7 100644 /* * If for any reason at all we couldn't handle the fault, make diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig -index e099899..457d6a8 100644 +index c95c4b8..d831f81 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -397,6 +397,7 @@ config PPC64_SUPPORTS_MEMORY_FAILURE @@ -14413,7 +14414,7 @@ index 2206757..85cbcfa 100644 err |= copy_siginfo_to_user32(&frame->info, &ksig->info); diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S -index 4299eb0..c0687a7 100644 +index 4299eb0..fefe70e 100644 --- a/arch/x86/ia32/ia32entry.S +++ b/arch/x86/ia32/ia32entry.S @@ -15,8 +15,10 @@ @@ -14564,7 +14565,7 @@ index 4299eb0..c0687a7 100644 /* clear IF, that popfq doesn't enable interrupts early */ - andl $~0x200,EFLAGS-R11(%rsp) - movl RIP-R11(%rsp),%edx /* User %eip */ -+ andl $~X86_EFLAGS_IF,EFLAGS(%rsp) ++ andl $~X86_EFLAGS_IF,EFLAGS(%rsp) + movl RIP(%rsp),%edx /* User %eip */ CFI_REGISTER rip,rdx RESTORE_ARGS 0,24,0,0,0,0 @@ -18365,7 +18366,7 @@ index a4ea023..33aa874 100644 void df_debug(struct pt_regs *regs, long error_code); #endif /* _ASM_X86_PROCESSOR_H */ diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h -index 6205f0c..b31a4a4 100644 +index 6205f0c..688a3a9 100644 --- a/arch/x86/include/asm/ptrace.h +++ b/arch/x86/include/asm/ptrace.h @@ -84,28 +84,29 @@ static inline unsigned long regs_return_value(struct pt_regs *regs) @@ -18432,7 +18433,7 @@ index 6205f0c..b31a4a4 100644 - return kernel_stack_pointer(regs); + if (offset == offsetof(struct pt_regs, sp)) { + unsigned long cs = regs->cs & 0xffff; -+ if (cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS) ++ if (cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS) + return kernel_stack_pointer(regs); + } #endif @@ -32880,19 +32881,21 @@ index 7b179b4..6bd17777 100644 return (void *)vaddr; diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c -index 597ac15..49841be 100644 +index bc7527e..5e2c495 100644 --- a/arch/x86/mm/ioremap.c +++ b/arch/x86/mm/ioremap.c -@@ -97,7 +97,7 @@ static void __iomem *__ioremap_caller(resource_size_t phys_addr, - for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) { - int is_ram = page_is_ram(pfn); +@@ -56,8 +56,8 @@ static int __ioremap_check_ram(unsigned long start_pfn, unsigned long nr_pages, + unsigned long i; + + for (i = 0; i < nr_pages; ++i) +- if (pfn_valid(start_pfn + i) && +- !PageReserved(pfn_to_page(start_pfn + i))) ++ if (pfn_valid(start_pfn + i) && (start_pfn + i >= 0x100 || ++ !PageReserved(pfn_to_page(start_pfn + i)))) + return 1; -- if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn))) -+ if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn)))) - return NULL; - WARN_ON_ONCE(is_ram); - } -@@ -256,7 +256,7 @@ EXPORT_SYMBOL(ioremap_prot); + WARN_ONCE(1, "ioremap on RAM pfn 0x%lx\n", start_pfn); +@@ -268,7 +268,7 @@ EXPORT_SYMBOL(ioremap_prot); * * Caller must ensure there is only one unmapping for the same pointer. */ @@ -32901,7 +32904,7 @@ index 597ac15..49841be 100644 { struct vm_struct *p, *o; -@@ -310,6 +310,9 @@ void *xlate_dev_mem_ptr(unsigned long phys) +@@ -322,6 +322,9 @@ void *xlate_dev_mem_ptr(unsigned long phys) /* If page is RAM, we can use __va. Otherwise ioremap and unmap. */ if (page_is_ram(start >> PAGE_SHIFT)) @@ -32911,7 +32914,7 @@ index 597ac15..49841be 100644 return __va(phys); addr = (void __force *)ioremap_cache(start, PAGE_SIZE); -@@ -322,13 +325,16 @@ void *xlate_dev_mem_ptr(unsigned long phys) +@@ -334,13 +337,16 @@ void *xlate_dev_mem_ptr(unsigned long phys) void unxlate_dev_mem_ptr(unsigned long phys, void *addr) { if (page_is_ram(phys >> PAGE_SHIFT)) @@ -32929,7 +32932,7 @@ index 597ac15..49841be 100644 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr) { -@@ -358,8 +364,7 @@ void __init early_ioremap_init(void) +@@ -370,8 +376,7 @@ void __init early_ioremap_init(void) early_ioremap_setup(); pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN)); @@ -38688,7 +38691,7 @@ index 8320abd..ec48108 100644 if (cmd != SIOCWANDEV) diff --git a/drivers/char/random.c b/drivers/char/random.c -index 2b6e4cd..43d7ae1 100644 +index 2b6e4cd..32033f3 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -270,10 +270,17 @@ @@ -38772,7 +38775,44 @@ index 2b6e4cd..43d7ae1 100644 unsigned int add = ((pool_size - entropy_count)*anfrac*3) >> s; -@@ -1166,7 +1177,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, +@@ -641,7 +652,7 @@ retry: + } while (unlikely(entropy_count < pool_size-2 && pnfrac)); + } + +- if (entropy_count < 0) { ++ if (unlikely(entropy_count < 0)) { + pr_warn("random: negative entropy/overflow: pool %s count %d\n", + r->name, entropy_count); + WARN_ON(1); +@@ -980,7 +991,7 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min, + int reserved) + { + int entropy_count, orig; +- size_t ibytes; ++ size_t ibytes, nfrac; + + BUG_ON(r->entropy_count > r->poolinfo->poolfracbits); + +@@ -998,7 +1009,17 @@ retry: + } + if (ibytes < min) + ibytes = 0; +- if ((entropy_count -= ibytes << (ENTROPY_SHIFT + 3)) < 0) ++ ++ if (unlikely(entropy_count < 0)) { ++ pr_warn("random: negative entropy count: pool %s count %d\n", ++ r->name, entropy_count); ++ WARN_ON(1); ++ entropy_count = 0; ++ } ++ nfrac = ibytes << (ENTROPY_SHIFT + 3); ++ if ((size_t) entropy_count > nfrac) ++ entropy_count -= nfrac; ++ else + entropy_count = 0; + + if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) +@@ -1166,7 +1187,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, extract_buf(r, tmp); i = min_t(int, nbytes, EXTRACT_SIZE); @@ -38781,7 +38821,15 @@ index 2b6e4cd..43d7ae1 100644 ret = -EFAULT; break; } -@@ -1555,7 +1566,7 @@ static char sysctl_bootid[16]; +@@ -1375,6 +1396,7 @@ urandom_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos) + "with %d bits of entropy available\n", + current->comm, nonblocking_pool.entropy_total); + ++ nbytes = min_t(size_t, nbytes, INT_MAX >> (ENTROPY_SHIFT + 3)); + ret = extract_entropy_user(&nonblocking_pool, buf, nbytes); + + trace_urandom_read(8 * nbytes, ENTROPY_BITS(&nonblocking_pool), +@@ -1555,7 +1577,7 @@ static char sysctl_bootid[16]; static int proc_do_uuid(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -38790,7 +38838,7 @@ index 2b6e4cd..43d7ae1 100644 unsigned char buf[64], tmp_uuid[16], *uuid; uuid = table->data; -@@ -1585,7 +1596,7 @@ static int proc_do_uuid(struct ctl_table *table, int write, +@@ -1585,7 +1607,7 @@ static int proc_do_uuid(struct ctl_table *table, int write, static int proc_do_entropy(ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -39194,7 +39242,7 @@ index 18d4091..434be15 100644 } EXPORT_SYMBOL_GPL(od_unregister_powersave_bias_handler); diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c -index fcd0c92..7b736c2 100644 +index 870eecc..787bbca 100644 --- a/drivers/cpufreq/intel_pstate.c +++ b/drivers/cpufreq/intel_pstate.c @@ -125,10 +125,10 @@ struct pstate_funcs { @@ -39210,7 +39258,7 @@ index fcd0c92..7b736c2 100644 struct perf_limits { int no_turbo; -@@ -526,7 +526,7 @@ static void intel_pstate_set_pstate(struct cpudata *cpu, int pstate) +@@ -530,7 +530,7 @@ static void intel_pstate_set_pstate(struct cpudata *cpu, int pstate) cpu->pstate.current_pstate = pstate; @@ -39219,7 +39267,7 @@ index fcd0c92..7b736c2 100644 } static inline void intel_pstate_pstate_increase(struct cpudata *cpu, int steps) -@@ -548,12 +548,12 @@ static void intel_pstate_get_cpu_pstates(struct cpudata *cpu) +@@ -552,12 +552,12 @@ static void intel_pstate_get_cpu_pstates(struct cpudata *cpu) { sprintf(cpu->name, "Intel 2nd generation core"); @@ -39237,7 +39285,7 @@ index fcd0c92..7b736c2 100644 intel_pstate_set_pstate(cpu, cpu->pstate.min_pstate); } -@@ -838,9 +838,9 @@ static int intel_pstate_msrs_not_valid(void) +@@ -847,9 +847,9 @@ static int intel_pstate_msrs_not_valid(void) rdmsrl(MSR_IA32_APERF, aperf); rdmsrl(MSR_IA32_MPERF, mperf); @@ -39250,7 +39298,7 @@ index fcd0c92..7b736c2 100644 return -ENODEV; rdmsrl(MSR_IA32_APERF, tmp); -@@ -854,7 +854,7 @@ static int intel_pstate_msrs_not_valid(void) +@@ -863,7 +863,7 @@ static int intel_pstate_msrs_not_valid(void) return 0; } @@ -39259,7 +39307,7 @@ index fcd0c92..7b736c2 100644 { pid_params.sample_rate_ms = policy->sample_rate_ms; pid_params.p_gain_pct = policy->p_gain_pct; -@@ -866,11 +866,7 @@ static void copy_pid_params(struct pstate_adjust_policy *policy) +@@ -875,11 +875,7 @@ static void copy_pid_params(struct pstate_adjust_policy *policy) static void copy_cpu_funcs(struct pstate_funcs *funcs) { @@ -40320,10 +40368,10 @@ index 3c59584..500f2e9 100644 return ret; diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index 5b60e25..eac1625 100644 +index b91dfbe..b7fb16d 100644 --- a/drivers/gpu/drm/i915/intel_display.c +++ b/drivers/gpu/drm/i915/intel_display.c -@@ -11171,13 +11171,13 @@ struct intel_quirk { +@@ -11179,13 +11179,13 @@ struct intel_quirk { int subsystem_vendor; int subsystem_device; void (*hook)(struct drm_device *dev); @@ -40339,7 +40387,7 @@ index 5b60e25..eac1625 100644 static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) { -@@ -11185,18 +11185,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) +@@ -11193,18 +11193,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id) return 1; } @@ -41056,28 +41104,6 @@ index c8a8a51..219dacc 100644 } vma->vm_ops = &radeon_ttm_vm_ops; return 0; -diff --git a/drivers/gpu/drm/radeon/radeon_vm.c b/drivers/gpu/drm/radeon/radeon_vm.c -index c11b71d..c8c48aa 100644 ---- a/drivers/gpu/drm/radeon/radeon_vm.c -+++ b/drivers/gpu/drm/radeon/radeon_vm.c -@@ -493,7 +493,7 @@ int radeon_vm_bo_set_addr(struct radeon_device *rdev, - mutex_unlock(&vm->mutex); - - r = radeon_bo_create(rdev, RADEON_VM_PTE_COUNT * 8, -- RADEON_GPU_PAGE_SIZE, false, -+ RADEON_GPU_PAGE_SIZE, true, - RADEON_GEM_DOMAIN_VRAM, NULL, &pt); - if (r) - return r; -@@ -913,7 +913,7 @@ int radeon_vm_init(struct radeon_device *rdev, struct radeon_vm *vm) - return -ENOMEM; - } - -- r = radeon_bo_create(rdev, pd_size, RADEON_VM_PTB_ALIGN_SIZE, false, -+ r = radeon_bo_create(rdev, pd_size, RADEON_VM_PTB_ALIGN_SIZE, true, - RADEON_GEM_DOMAIN_VRAM, NULL, - &vm->page_directory); - if (r) diff --git a/drivers/gpu/drm/tegra/dc.c b/drivers/gpu/drm/tegra/dc.c index edb871d..a275c6ed 100644 --- a/drivers/gpu/drm/tegra/dc.c @@ -43868,10 +43894,10 @@ index b086a94..74cb67e 100644 pmd->bl_info.value_type.inc = data_block_inc; pmd->bl_info.value_type.dec = data_block_dec; diff --git a/drivers/md/dm.c b/drivers/md/dm.c -index 455e649..1f214be 100644 +index 490ac23..b9790cd 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c -@@ -178,9 +178,9 @@ struct mapped_device { +@@ -180,9 +180,9 @@ struct mapped_device { /* * Event handling. */ @@ -43883,7 +43909,7 @@ index 455e649..1f214be 100644 struct list_head uevent_list; spinlock_t uevent_lock; /* Protect access to uevent_list */ -@@ -1884,8 +1884,8 @@ static struct mapped_device *alloc_dev(int minor) +@@ -1895,8 +1895,8 @@ static struct mapped_device *alloc_dev(int minor) spin_lock_init(&md->deferred_lock); atomic_set(&md->holders, 1); atomic_set(&md->open_count, 0); @@ -43894,7 +43920,7 @@ index 455e649..1f214be 100644 INIT_LIST_HEAD(&md->uevent_list); spin_lock_init(&md->uevent_lock); -@@ -2039,7 +2039,7 @@ static void event_callback(void *context) +@@ -2050,7 +2050,7 @@ static void event_callback(void *context) dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj); @@ -43903,7 +43929,7 @@ index 455e649..1f214be 100644 wake_up(&md->eventq); } -@@ -2732,18 +2732,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, +@@ -2743,18 +2743,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, uint32_t dm_next_uevent_seq(struct mapped_device *md) { @@ -46857,6 +46883,24 @@ index 5920c99..ff2e4a5 100644 }; static void +diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c +index 5895f19..fa9fdfa 100644 +--- a/drivers/net/wan/x25_asy.c ++++ b/drivers/net/wan/x25_asy.c +@@ -122,8 +122,12 @@ static int x25_asy_change_mtu(struct net_device *dev, int newmtu) + { + struct x25_asy *sl = netdev_priv(dev); + unsigned char *xbuff, *rbuff; +- int len = 2 * newmtu; ++ int len; + ++ if (newmtu > 65534) ++ return -EINVAL; ++ ++ len = 2 * newmtu; + xbuff = kmalloc(len + 4, GFP_ATOMIC); + rbuff = kmalloc(len + 4, GFP_ATOMIC); + diff --git a/drivers/net/wan/z85230.c b/drivers/net/wan/z85230.c index feacc3b..5bac0de 100644 --- a/drivers/net/wan/z85230.c @@ -59617,7 +59661,7 @@ index e6574d7..c30cbe2 100644 brelse(bh); bh = NULL; diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c -index fe4e668..f983538 100644 +index 2735a72..d083044 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -1889,7 +1889,7 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac, @@ -59747,7 +59791,7 @@ index 04434ad..6404663 100644 "MMP failure info: last update time: %llu, last update " "node: %s, last update device: %s\n", diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index 6f9e6fa..d0ebdb7 100644 +index 29a403c..f58dbdb 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -1275,7 +1275,7 @@ static ext4_fsblk_t get_sb_block(void **data) @@ -59759,7 +59803,7 @@ index 6f9e6fa..d0ebdb7 100644 "Contact linux-ext4@vger.kernel.org if you think we should keep it.\n"; #ifdef CONFIG_QUOTA -@@ -2455,7 +2455,7 @@ struct ext4_attr { +@@ -2453,7 +2453,7 @@ struct ext4_attr { int offset; int deprecated_val; } u; @@ -59768,114 +59812,6 @@ index 6f9e6fa..d0ebdb7 100644 static int parse_strtoull(const char *buf, unsigned long long max, unsigned long long *value) -@@ -3869,38 +3869,19 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) - goto failed_mount2; - } - } -- -- /* -- * set up enough so that it can read an inode, -- * and create new inode for buddy allocator -- */ -- sbi->s_gdb_count = db_count; -- if (!test_opt(sb, NOLOAD) && -- EXT4_HAS_COMPAT_FEATURE(sb, EXT4_FEATURE_COMPAT_HAS_JOURNAL)) -- sb->s_op = &ext4_sops; -- else -- sb->s_op = &ext4_nojournal_sops; -- -- ext4_ext_init(sb); -- err = ext4_mb_init(sb); -- if (err) { -- ext4_msg(sb, KERN_ERR, "failed to initialize mballoc (%d)", -- err); -- goto failed_mount2; -- } -- - if (!ext4_check_descriptors(sb, &first_not_zeroed)) { - ext4_msg(sb, KERN_ERR, "group descriptors corrupted!"); -- goto failed_mount2a; -+ goto failed_mount2; - } - if (EXT4_HAS_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_FLEX_BG)) - if (!ext4_fill_flex_info(sb)) { - ext4_msg(sb, KERN_ERR, - "unable to initialize " - "flex_bg meta info!"); -- goto failed_mount2a; -+ goto failed_mount2; - } - -+ sbi->s_gdb_count = db_count; - get_random_bytes(&sbi->s_next_generation, sizeof(u32)); - spin_lock_init(&sbi->s_next_gen_lock); - -@@ -3935,6 +3916,14 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) - sbi->s_stripe = ext4_get_stripe_size(sbi); - sbi->s_extent_max_zeroout_kb = 32; - -+ /* -+ * set up enough so that it can read an inode -+ */ -+ if (!test_opt(sb, NOLOAD) && -+ EXT4_HAS_COMPAT_FEATURE(sb, EXT4_FEATURE_COMPAT_HAS_JOURNAL)) -+ sb->s_op = &ext4_sops; -+ else -+ sb->s_op = &ext4_nojournal_sops; - sb->s_export_op = &ext4_export_ops; - sb->s_xattr = ext4_xattr_handlers; - #ifdef CONFIG_QUOTA -@@ -4124,13 +4113,21 @@ no_journal: - if (err) { - ext4_msg(sb, KERN_ERR, "failed to reserve %llu clusters for " - "reserved pool", ext4_calculate_resv_clusters(sb)); -- goto failed_mount5; -+ goto failed_mount4a; - } - - err = ext4_setup_system_zone(sb); - if (err) { - ext4_msg(sb, KERN_ERR, "failed to initialize system " - "zone (%d)", err); -+ goto failed_mount4a; -+ } -+ -+ ext4_ext_init(sb); -+ err = ext4_mb_init(sb); -+ if (err) { -+ ext4_msg(sb, KERN_ERR, "failed to initialize mballoc (%d)", -+ err); - goto failed_mount5; - } - -@@ -4207,8 +4204,11 @@ failed_mount8: - failed_mount7: - ext4_unregister_li_request(sb); - failed_mount6: -- ext4_release_system_zone(sb); -+ ext4_mb_release(sb); - failed_mount5: -+ ext4_ext_release(sb); -+ ext4_release_system_zone(sb); -+failed_mount4a: - dput(sb->s_root); - sb->s_root = NULL; - failed_mount4: -@@ -4232,14 +4232,11 @@ failed_mount3: - percpu_counter_destroy(&sbi->s_extent_cache_cnt); - if (sbi->s_mmp_tsk) - kthread_stop(sbi->s_mmp_tsk); --failed_mount2a: -- ext4_mb_release(sb); - failed_mount2: - for (i = 0; i < db_count; i++) - brelse(sbi->s_group_desc[i]); - ext4_kvfree(sbi->s_group_desc); - failed_mount: -- ext4_ext_release(sb); - if (sbi->s_chksum_driver) - crypto_free_shash(sbi->s_chksum_driver); - if (sbi->s_proc) { diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index 4eec399..1d9444c 100644 --- a/fs/ext4/xattr.c @@ -61681,7 +61617,7 @@ index 97f7fda..09bd33d 100644 if (jfs_inode_cachep == NULL) return -ENOMEM; diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c -index ac127cd..d8079db 100644 +index a693f5b..82276a1 100644 --- a/fs/kernfs/dir.c +++ b/fs/kernfs/dir.c @@ -182,7 +182,7 @@ struct kernfs_node *kernfs_get_parent(struct kernfs_node *kn) @@ -61874,7 +61810,7 @@ index d55297f..f5b28c5 100644 #define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */ diff --git a/fs/namei.c b/fs/namei.c -index 985c6f3..f67a0f8 100644 +index 985c6f3..5f520b67 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -330,17 +330,32 @@ int generic_permission(struct inode *inode, int mask) @@ -62009,7 +61945,19 @@ index 985c6f3..f67a0f8 100644 return retval; } -@@ -2569,6 +2600,13 @@ static int may_open(struct path *path, int acc_mode, int flag) +@@ -2256,9 +2287,10 @@ done: + goto out; + } + path->dentry = dentry; +- path->mnt = mntget(nd->path.mnt); ++ path->mnt = nd->path.mnt; + if (should_follow_link(dentry, nd->flags & LOOKUP_FOLLOW)) + return 1; ++ mntget(path->mnt); + follow_mount(path); + error = 0; + out: +@@ -2569,6 +2601,13 @@ static int may_open(struct path *path, int acc_mode, int flag) if (flag & O_NOATIME && !inode_owner_or_capable(inode)) return -EPERM; @@ -62023,7 +61971,7 @@ index 985c6f3..f67a0f8 100644 return 0; } -@@ -2800,7 +2838,7 @@ looked_up: +@@ -2800,7 +2839,7 @@ looked_up: * cleared otherwise prior to returning. */ static int lookup_open(struct nameidata *nd, struct path *path, @@ -62032,7 +61980,7 @@ index 985c6f3..f67a0f8 100644 const struct open_flags *op, bool got_write, int *opened) { -@@ -2835,6 +2873,17 @@ static int lookup_open(struct nameidata *nd, struct path *path, +@@ -2835,6 +2874,17 @@ static int lookup_open(struct nameidata *nd, struct path *path, /* Negative dentry, just create the file */ if (!dentry->d_inode && (op->open_flag & O_CREAT)) { umode_t mode = op->mode; @@ -62050,7 +61998,7 @@ index 985c6f3..f67a0f8 100644 if (!IS_POSIXACL(dir->d_inode)) mode &= ~current_umask(); /* -@@ -2856,6 +2905,8 @@ static int lookup_open(struct nameidata *nd, struct path *path, +@@ -2856,6 +2906,8 @@ static int lookup_open(struct nameidata *nd, struct path *path, nd->flags & LOOKUP_EXCL); if (error) goto out_dput; @@ -62059,7 +62007,7 @@ index 985c6f3..f67a0f8 100644 } out_no_open: path->dentry = dentry; -@@ -2870,7 +2921,7 @@ out_dput: +@@ -2870,7 +2922,7 @@ out_dput: /* * Handle the last step of open() */ @@ -62068,7 +62016,7 @@ index 985c6f3..f67a0f8 100644 struct file *file, const struct open_flags *op, int *opened, struct filename *name) { -@@ -2920,6 +2971,15 @@ static int do_last(struct nameidata *nd, struct path *path, +@@ -2920,6 +2972,15 @@ static int do_last(struct nameidata *nd, struct path *path, if (error) return error; @@ -62084,7 +62032,7 @@ index 985c6f3..f67a0f8 100644 audit_inode(name, dir, LOOKUP_PARENT); error = -EISDIR; /* trailing slashes? */ -@@ -2939,7 +2999,7 @@ retry_lookup: +@@ -2939,7 +3000,7 @@ retry_lookup: */ } mutex_lock(&dir->d_inode->i_mutex); @@ -62093,7 +62041,7 @@ index 985c6f3..f67a0f8 100644 mutex_unlock(&dir->d_inode->i_mutex); if (error <= 0) { -@@ -2963,11 +3023,28 @@ retry_lookup: +@@ -2963,11 +3024,28 @@ retry_lookup: goto finish_open_created; } @@ -62123,7 +62071,7 @@ index 985c6f3..f67a0f8 100644 /* * If atomic_open() acquired write access it is dropped now due to -@@ -3008,6 +3085,11 @@ finish_lookup: +@@ -3008,6 +3086,11 @@ finish_lookup: } } BUG_ON(inode != path->dentry->d_inode); @@ -62135,7 +62083,7 @@ index 985c6f3..f67a0f8 100644 return 1; } -@@ -3017,7 +3099,6 @@ finish_lookup: +@@ -3017,7 +3100,6 @@ finish_lookup: save_parent.dentry = nd->path.dentry; save_parent.mnt = mntget(path->mnt); nd->path.dentry = path->dentry; @@ -62143,7 +62091,7 @@ index 985c6f3..f67a0f8 100644 } nd->inode = inode; /* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */ -@@ -3027,7 +3108,18 @@ finish_open: +@@ -3027,7 +3109,18 @@ finish_open: path_put(&save_parent); return error; } @@ -62162,7 +62110,7 @@ index 985c6f3..f67a0f8 100644 error = -EISDIR; if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry)) goto out; -@@ -3190,7 +3282,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, +@@ -3190,7 +3283,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, if (unlikely(error)) goto out; @@ -62171,7 +62119,7 @@ index 985c6f3..f67a0f8 100644 while (unlikely(error > 0)) { /* trailing symlink */ struct path link = path; void *cookie; -@@ -3208,7 +3300,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, +@@ -3208,7 +3301,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, error = follow_link(&link, nd, &cookie); if (unlikely(error)) break; @@ -62180,7 +62128,7 @@ index 985c6f3..f67a0f8 100644 put_link(nd, &link, cookie); } out: -@@ -3308,9 +3400,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, +@@ -3308,9 +3401,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, goto unlock; error = -EEXIST; @@ -62194,7 +62142,7 @@ index 985c6f3..f67a0f8 100644 /* * Special case - lookup gave negative, but... we had foo/bar/ * From the vfs_mknod() POV we just have a negative dentry - -@@ -3362,6 +3456,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, +@@ -3362,6 +3457,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, } EXPORT_SYMBOL(user_path_create); @@ -62215,7 +62163,7 @@ index 985c6f3..f67a0f8 100644 int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) { int error = may_create(dir, dentry); -@@ -3425,6 +3533,17 @@ retry: +@@ -3425,6 +3534,17 @@ retry: if (!IS_POSIXACL(path.dentry->d_inode)) mode &= ~current_umask(); @@ -62233,7 +62181,7 @@ index 985c6f3..f67a0f8 100644 error = security_path_mknod(&path, dentry, mode, dev); if (error) goto out; -@@ -3441,6 +3560,8 @@ retry: +@@ -3441,6 +3561,8 @@ retry: break; } out: @@ -62242,7 +62190,7 @@ index 985c6f3..f67a0f8 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -3494,9 +3615,16 @@ retry: +@@ -3494,9 +3616,16 @@ retry: if (!IS_POSIXACL(path.dentry->d_inode)) mode &= ~current_umask(); @@ -62259,7 +62207,7 @@ index 985c6f3..f67a0f8 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -3579,6 +3707,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -3579,6 +3708,8 @@ static long do_rmdir(int dfd, const char __user *pathname) struct filename *name; struct dentry *dentry; struct nameidata nd; @@ -62268,7 +62216,7 @@ index 985c6f3..f67a0f8 100644 unsigned int lookup_flags = 0; retry: name = user_path_parent(dfd, pathname, &nd, lookup_flags); -@@ -3611,10 +3741,21 @@ retry: +@@ -3611,10 +3742,21 @@ retry: error = -ENOENT; goto exit3; } @@ -62290,7 +62238,7 @@ index 985c6f3..f67a0f8 100644 exit3: dput(dentry); exit2: -@@ -3705,6 +3846,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -3705,6 +3847,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) struct nameidata nd; struct inode *inode = NULL; struct inode *delegated_inode = NULL; @@ -62299,7 +62247,7 @@ index 985c6f3..f67a0f8 100644 unsigned int lookup_flags = 0; retry: name = user_path_parent(dfd, pathname, &nd, lookup_flags); -@@ -3731,10 +3874,22 @@ retry_deleg: +@@ -3731,10 +3875,22 @@ retry_deleg: if (d_is_negative(dentry)) goto slashes; ihold(inode); @@ -62322,7 +62270,7 @@ index 985c6f3..f67a0f8 100644 exit2: dput(dentry); } -@@ -3823,9 +3978,17 @@ retry: +@@ -3823,9 +3979,17 @@ retry: if (IS_ERR(dentry)) goto out_putname; @@ -62340,7 +62288,7 @@ index 985c6f3..f67a0f8 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -3929,6 +4092,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -3929,6 +4093,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, struct dentry *new_dentry; struct path old_path, new_path; struct inode *delegated_inode = NULL; @@ -62348,7 +62296,7 @@ index 985c6f3..f67a0f8 100644 int how = 0; int error; -@@ -3952,7 +4116,7 @@ retry: +@@ -3952,7 +4117,7 @@ retry: if (error) return error; @@ -62357,7 +62305,7 @@ index 985c6f3..f67a0f8 100644 (how & LOOKUP_REVAL)); error = PTR_ERR(new_dentry); if (IS_ERR(new_dentry)) -@@ -3964,11 +4128,28 @@ retry: +@@ -3964,11 +4129,28 @@ retry: error = may_linkat(&old_path); if (unlikely(error)) goto out_dput; @@ -62386,7 +62334,7 @@ index 985c6f3..f67a0f8 100644 done_path_create(&new_path, new_dentry); if (delegated_inode) { error = break_deleg_wait(&delegated_inode); -@@ -4278,6 +4459,12 @@ retry_deleg: +@@ -4278,6 +4460,12 @@ retry_deleg: if (new_dentry == trap) goto exit5; @@ -62399,7 +62347,7 @@ index 985c6f3..f67a0f8 100644 error = security_path_rename(&oldnd.path, old_dentry, &newnd.path, new_dentry, flags); if (error) -@@ -4285,6 +4472,9 @@ retry_deleg: +@@ -4285,6 +4473,9 @@ retry_deleg: error = vfs_rename(old_dir->d_inode, old_dentry, new_dir->d_inode, new_dentry, &delegated_inode, flags); @@ -62409,7 +62357,7 @@ index 985c6f3..f67a0f8 100644 exit5: dput(new_dentry); exit4: -@@ -4327,14 +4517,24 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna +@@ -4327,14 +4518,24 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna int readlink_copy(char __user *buffer, int buflen, const char *link) { @@ -85909,10 +85857,10 @@ index 24663b3..b926ae1 100644 +} +EXPORT_SYMBOL(capable_wrt_inode_uidgid_nolog); diff --git a/kernel/cgroup.c b/kernel/cgroup.c -index ceee0c5..d6f81dd 100644 +index 073226b..969c746 100644 --- a/kernel/cgroup.c +++ b/kernel/cgroup.c -@@ -4757,7 +4757,7 @@ static int cgroup_css_links_read(struct seq_file *seq, void *v) +@@ -4808,7 +4808,7 @@ static int cgroup_css_links_read(struct seq_file *seq, void *v) struct task_struct *task; int count = 0; @@ -91335,7 +91283,7 @@ index 4a54a25..7ca9c89 100644 ftrace_graph_active++; diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c -index c634868..00d0d19 100644 +index 7c56c3d..9980576 100644 --- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c @@ -352,9 +352,9 @@ struct buffer_data_page { @@ -91361,7 +91309,7 @@ index c634868..00d0d19 100644 local_t dropped_events; local_t committing; local_t commits; -@@ -992,8 +992,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer, +@@ -995,8 +995,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer, * * We add a counter to the write field to denote this. */ @@ -91372,7 +91320,7 @@ index c634868..00d0d19 100644 /* * Just make sure we have seen our old_write and synchronize -@@ -1021,8 +1021,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer, +@@ -1024,8 +1024,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer, * cmpxchg to only update if an interrupt did not already * do it for us. If the cmpxchg fails, we don't care. */ @@ -91383,7 +91331,7 @@ index c634868..00d0d19 100644 /* * No need to worry about races with clearing out the commit. -@@ -1389,12 +1389,12 @@ static void rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer); +@@ -1392,12 +1392,12 @@ static void rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer); static inline unsigned long rb_page_entries(struct buffer_page *bpage) { @@ -91398,7 +91346,7 @@ index c634868..00d0d19 100644 } static int -@@ -1489,7 +1489,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned int nr_pages) +@@ -1492,7 +1492,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned int nr_pages) * bytes consumed in ring buffer from here. * Increment overrun to account for the lost events. */ @@ -91407,7 +91355,7 @@ index c634868..00d0d19 100644 local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes); } -@@ -2067,7 +2067,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2070,7 +2070,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer, * it is our responsibility to update * the counters. */ @@ -91416,7 +91364,7 @@ index c634868..00d0d19 100644 local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes); /* -@@ -2217,7 +2217,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2220,7 +2220,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, if (tail == BUF_PAGE_SIZE) tail_page->real_end = 0; @@ -91425,7 +91373,7 @@ index c634868..00d0d19 100644 return; } -@@ -2252,7 +2252,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2255,7 +2255,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, rb_event_set_padding(event); /* Set the write back to the previous setting */ @@ -91434,7 +91382,7 @@ index c634868..00d0d19 100644 return; } -@@ -2264,7 +2264,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2267,7 +2267,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, /* Set write to end of buffer */ length = (tail + length) - BUF_PAGE_SIZE; @@ -91443,7 +91391,7 @@ index c634868..00d0d19 100644 } /* -@@ -2290,7 +2290,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2293,7 +2293,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer, * about it. */ if (unlikely(next_page == commit_page)) { @@ -91452,7 +91400,7 @@ index c634868..00d0d19 100644 goto out_reset; } -@@ -2346,7 +2346,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2349,7 +2349,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer, cpu_buffer->tail_page) && (cpu_buffer->commit_page == cpu_buffer->reader_page))) { @@ -91461,7 +91409,7 @@ index c634868..00d0d19 100644 goto out_reset; } } -@@ -2394,7 +2394,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2397,7 +2397,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer, length += RB_LEN_TIME_EXTEND; tail_page = cpu_buffer->tail_page; @@ -91470,7 +91418,7 @@ index c634868..00d0d19 100644 /* set write to only the index of the write */ write &= RB_WRITE_MASK; -@@ -2418,7 +2418,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2421,7 +2421,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer, kmemcheck_annotate_bitfield(event, bitfield); rb_update_event(cpu_buffer, event, length, add_timestamp, delta); @@ -91479,7 +91427,7 @@ index c634868..00d0d19 100644 /* * If this is the first commit on the page, then update -@@ -2451,7 +2451,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2454,7 +2454,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer, if (bpage->page == (void *)addr && rb_page_write(bpage) == old_index) { unsigned long write_mask = @@ -91488,7 +91436,7 @@ index c634868..00d0d19 100644 unsigned long event_length = rb_event_length(event); /* * This is on the tail page. It is possible that -@@ -2461,7 +2461,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2464,7 +2464,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer, */ old_index += write_mask; new_index += write_mask; @@ -91497,7 +91445,7 @@ index c634868..00d0d19 100644 if (index == old_index) { /* update counters */ local_sub(event_length, &cpu_buffer->entries_bytes); -@@ -2853,7 +2853,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2856,7 +2856,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer, /* Do the likely case first */ if (likely(bpage->page == (void *)addr)) { @@ -91506,7 +91454,7 @@ index c634868..00d0d19 100644 return; } -@@ -2865,7 +2865,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer, +@@ -2868,7 +2868,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer, start = bpage; do { if (bpage->page == (void *)addr) { @@ -91515,7 +91463,7 @@ index c634868..00d0d19 100644 return; } rb_inc_page(cpu_buffer, &bpage); -@@ -3149,7 +3149,7 @@ static inline unsigned long +@@ -3152,7 +3152,7 @@ static inline unsigned long rb_num_of_entries(struct ring_buffer_per_cpu *cpu_buffer) { return local_read(&cpu_buffer->entries) - @@ -91524,7 +91472,7 @@ index c634868..00d0d19 100644 } /** -@@ -3238,7 +3238,7 @@ unsigned long ring_buffer_overrun_cpu(struct ring_buffer *buffer, int cpu) +@@ -3241,7 +3241,7 @@ unsigned long ring_buffer_overrun_cpu(struct ring_buffer *buffer, int cpu) return 0; cpu_buffer = buffer->buffers[cpu]; @@ -91533,7 +91481,7 @@ index c634868..00d0d19 100644 return ret; } -@@ -3261,7 +3261,7 @@ ring_buffer_commit_overrun_cpu(struct ring_buffer *buffer, int cpu) +@@ -3264,7 +3264,7 @@ ring_buffer_commit_overrun_cpu(struct ring_buffer *buffer, int cpu) return 0; cpu_buffer = buffer->buffers[cpu]; @@ -91542,7 +91490,7 @@ index c634868..00d0d19 100644 return ret; } -@@ -3346,7 +3346,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer) +@@ -3349,7 +3349,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer) /* if you care about this being correct, lock the buffer */ for_each_buffer_cpu(buffer, cpu) { cpu_buffer = buffer->buffers[cpu]; @@ -91551,7 +91499,7 @@ index c634868..00d0d19 100644 } return overruns; -@@ -3522,8 +3522,8 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) +@@ -3525,8 +3525,8 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) /* * Reset the reader page to size zero. */ @@ -91562,7 +91510,7 @@ index c634868..00d0d19 100644 local_set(&cpu_buffer->reader_page->page->commit, 0); cpu_buffer->reader_page->real_end = 0; -@@ -3557,7 +3557,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) +@@ -3560,7 +3560,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) * want to compare with the last_overrun. */ smp_mb(); @@ -91571,7 +91519,7 @@ index c634868..00d0d19 100644 /* * Here's the tricky part. -@@ -4127,8 +4127,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) +@@ -4130,8 +4130,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) cpu_buffer->head_page = list_entry(cpu_buffer->pages, struct buffer_page, list); @@ -91582,7 +91530,7 @@ index c634868..00d0d19 100644 local_set(&cpu_buffer->head_page->page->commit, 0); cpu_buffer->head_page->read = 0; -@@ -4138,14 +4138,14 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) +@@ -4141,14 +4141,14 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) INIT_LIST_HEAD(&cpu_buffer->reader_page->list); INIT_LIST_HEAD(&cpu_buffer->new_pages); @@ -91601,7 +91549,7 @@ index c634868..00d0d19 100644 local_set(&cpu_buffer->dropped_events, 0); local_set(&cpu_buffer->entries, 0); local_set(&cpu_buffer->committing, 0); -@@ -4550,8 +4550,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer, +@@ -4553,8 +4553,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer, rb_init_page(bpage); bpage = reader->page; reader->page = *data_page; @@ -91613,7 +91561,7 @@ index c634868..00d0d19 100644 *data_page = bpage; diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c -index 1848dc6..5fc244c 100644 +index 39a1226..2dc2b43 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -3447,7 +3447,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set) @@ -91626,7 +91574,7 @@ index 1848dc6..5fc244c 100644 /* do nothing if flag is already set */ if (!!(trace_flags & mask) == !!enabled) diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h -index 2e29d7b..61367d7 100644 +index 99676cd..670b9e8 100644 --- a/kernel/trace/trace.h +++ b/kernel/trace/trace.h @@ -1264,7 +1264,7 @@ extern const char *__stop___tracepoint_str[]; @@ -91819,10 +91767,10 @@ index 30e4822..dd2b854 100644 .thread_should_run = watchdog_should_run, .thread_fn = watchdog, diff --git a/kernel/workqueue.c b/kernel/workqueue.c -index 8edc8718..b6a70b9 100644 +index 7ba5897..c8ed1f2 100644 --- a/kernel/workqueue.c +++ b/kernel/workqueue.c -@@ -4709,7 +4709,7 @@ static void rebind_workers(struct worker_pool *pool) +@@ -4710,7 +4710,7 @@ static void rebind_workers(struct worker_pool *pool) WARN_ON_ONCE(!(worker_flags & WORKER_UNBOUND)); worker_flags |= WORKER_REBOUND; worker_flags &= ~WORKER_UNBOUND; @@ -93143,7 +93091,7 @@ index eb8fb72..ae36cf3 100644 } unset_migratetype_isolate(page, MIGRATE_MOVABLE); diff --git a/mm/memory.c b/mm/memory.c -index e302ae1..c0ef712 100644 +index e302ae1..779c7ce 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -413,6 +413,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud, @@ -93633,7 +93581,17 @@ index e302ae1..c0ef712 100644 unlock: pte_unmap_unlock(page_table, ptl); return 0; -@@ -3535,6 +3724,11 @@ static int do_read_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3515,7 +3704,8 @@ static int do_read_fault(struct mm_struct *mm, struct vm_area_struct *vma, + * if page by the offset is not ready to be mapped (cold cache or + * something). + */ +- if (vma->vm_ops->map_pages) { ++ if (vma->vm_ops->map_pages && !(flags & FAULT_FLAG_NONLINEAR) && ++ fault_around_pages() > 1) { + pte = pte_offset_map_lock(mm, pmd, address, &ptl); + do_fault_around(vma, address, pte, pgoff, flags); + if (!pte_same(*pte, orig_pte)) +@@ -3535,6 +3725,11 @@ static int do_read_fault(struct mm_struct *mm, struct vm_area_struct *vma, return ret; } do_set_pte(vma, address, fault_page, pte, false, false); @@ -93645,7 +93603,7 @@ index e302ae1..c0ef712 100644 unlock_page(fault_page); unlock_out: pte_unmap_unlock(pte, ptl); -@@ -3576,7 +3770,18 @@ static int do_cow_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3576,7 +3771,18 @@ static int do_cow_fault(struct mm_struct *mm, struct vm_area_struct *vma, page_cache_release(fault_page); goto uncharge_out; } @@ -93664,7 +93622,7 @@ index e302ae1..c0ef712 100644 pte_unmap_unlock(pte, ptl); unlock_page(fault_page); page_cache_release(fault_page); -@@ -3624,6 +3829,11 @@ static int do_shared_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3624,6 +3830,11 @@ static int do_shared_fault(struct mm_struct *mm, struct vm_area_struct *vma, return ret; } do_set_pte(vma, address, fault_page, pte, true, false); @@ -93676,7 +93634,7 @@ index e302ae1..c0ef712 100644 pte_unmap_unlock(pte, ptl); if (set_page_dirty(fault_page)) -@@ -3854,6 +4064,12 @@ static int handle_pte_fault(struct mm_struct *mm, +@@ -3854,6 +4065,12 @@ static int handle_pte_fault(struct mm_struct *mm, if (flags & FAULT_FLAG_WRITE) flush_tlb_fix_spurious_fault(vma, address); } @@ -93689,7 +93647,7 @@ index e302ae1..c0ef712 100644 unlock: pte_unmap_unlock(pte, ptl); return 0; -@@ -3870,9 +4086,41 @@ static int __handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3870,9 +4087,41 @@ static int __handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, pmd_t *pmd; pte_t *pte; @@ -93731,7 +93689,7 @@ index e302ae1..c0ef712 100644 pgd = pgd_offset(mm, address); pud = pud_alloc(mm, pgd, address); if (!pud) -@@ -4000,6 +4248,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address) +@@ -4000,6 +4249,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address) spin_unlock(&mm->page_table_lock); return 0; } @@ -93755,7 +93713,7 @@ index e302ae1..c0ef712 100644 #endif /* __PAGETABLE_PUD_FOLDED */ #ifndef __PAGETABLE_PMD_FOLDED -@@ -4030,6 +4295,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address) +@@ -4030,6 +4296,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address) spin_unlock(&mm->page_table_lock); return 0; } @@ -93786,7 +93744,7 @@ index e302ae1..c0ef712 100644 #endif /* __PAGETABLE_PMD_FOLDED */ #if !defined(__HAVE_ARCH_GATE_AREA) -@@ -4043,7 +4332,7 @@ static int __init gate_vma_init(void) +@@ -4043,7 +4333,7 @@ static int __init gate_vma_init(void) gate_vma.vm_start = FIXADDR_USER_START; gate_vma.vm_end = FIXADDR_USER_END; gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC; @@ -93795,7 +93753,7 @@ index e302ae1..c0ef712 100644 return 0; } -@@ -4177,8 +4466,8 @@ out: +@@ -4177,8 +4467,8 @@ out: return ret; } @@ -93806,7 +93764,7 @@ index e302ae1..c0ef712 100644 { resource_size_t phys_addr; unsigned long prot = 0; -@@ -4204,8 +4493,8 @@ EXPORT_SYMBOL_GPL(generic_access_phys); +@@ -4204,8 +4494,8 @@ EXPORT_SYMBOL_GPL(generic_access_phys); * Access another process' address space as given in mm. If non-NULL, use the * given task for page fault accounting. */ @@ -93817,7 +93775,7 @@ index e302ae1..c0ef712 100644 { struct vm_area_struct *vma; void *old_buf = buf; -@@ -4213,7 +4502,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, +@@ -4213,7 +4503,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, down_read(&mm->mmap_sem); /* ignore errors, just check how much was successfully transferred */ while (len) { @@ -93826,7 +93784,7 @@ index e302ae1..c0ef712 100644 void *maddr; struct page *page = NULL; -@@ -4272,8 +4561,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, +@@ -4272,8 +4562,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, * * The caller must hold a reference on @mm. */ @@ -93837,7 +93795,7 @@ index e302ae1..c0ef712 100644 { return __access_remote_vm(NULL, mm, addr, buf, len, write); } -@@ -4283,11 +4572,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr, +@@ -4283,11 +4573,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr, * Source/target buffer must be kernel space, * Do not walk the page table directly, use get_user_pages */ @@ -93853,7 +93811,7 @@ index e302ae1..c0ef712 100644 mm = get_task_mm(tsk); if (!mm) diff --git a/mm/mempolicy.c b/mm/mempolicy.c -index 35f9f91..bed4575 100644 +index 6b65d10..e6f415a 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c @@ -747,6 +747,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start, @@ -95970,7 +95928,7 @@ index 14d1e28..3777962 100644 /* diff --git a/mm/shmem.c b/mm/shmem.c -index a2801ba..b8651e6 100644 +index a2801ba..1e82984 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -33,7 +33,7 @@ @@ -95998,19 +95956,74 @@ index a2801ba..b8651e6 100644 + * a time): we would prefer not to enlarge the shmem inode just for that. */ struct shmem_falloc { -+ int mode; /* FALLOC_FL mode currently operating */ ++ wait_queue_head_t *waitq; /* faults into hole wait for punch to end */ pgoff_t start; /* start of range currently being fallocated */ pgoff_t next; /* the next page offset to be fallocated */ pgoff_t nr_falloced; /* how many new pages have been fallocated */ -@@ -759,6 +760,7 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc) +@@ -467,23 +468,20 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend, + return; + + index = start; +- for ( ; ; ) { ++ while (index < end) { + cond_resched(); + + pvec.nr = find_get_entries(mapping, index, + min(end - index, (pgoff_t)PAGEVEC_SIZE), + pvec.pages, indices); + if (!pvec.nr) { +- if (index == start || unfalloc) ++ /* If all gone or hole-punch or unfalloc, we're done */ ++ if (index == start || end != -1) + break; ++ /* But if truncating, restart to make sure all gone */ + index = start; + continue; + } +- if ((index == start || unfalloc) && indices[0] >= end) { +- pagevec_remove_exceptionals(&pvec); +- pagevec_release(&pvec); +- break; +- } + mem_cgroup_uncharge_start(); + for (i = 0; i < pagevec_count(&pvec); i++) { + struct page *page = pvec.pages[i]; +@@ -495,8 +493,12 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend, + if (radix_tree_exceptional_entry(page)) { + if (unfalloc) + continue; +- nr_swaps_freed += !shmem_free_swap(mapping, +- index, page); ++ if (shmem_free_swap(mapping, index, page)) { ++ /* Swap was replaced by page: retry */ ++ index--; ++ break; ++ } ++ nr_swaps_freed++; + continue; + } + +@@ -505,6 +507,11 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend, + if (page->mapping == mapping) { + VM_BUG_ON_PAGE(PageWriteback(page), page); + truncate_inode_page(mapping, page); ++ } else { ++ /* Page was replaced by swap: retry */ ++ unlock_page(page); ++ index--; ++ break; + } + } + unlock_page(page); +@@ -759,6 +766,7 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc) spin_lock(&inode->i_lock); shmem_falloc = inode->i_private; if (shmem_falloc && -+ !shmem_falloc->mode && ++ !shmem_falloc->waitq && index >= shmem_falloc->start && index < shmem_falloc->next) shmem_falloc->nr_unswapped++; -@@ -1233,6 +1235,43 @@ static int shmem_fault(struct vm_area_struct *vma, struct vm_fault *vmf) +@@ -1233,6 +1241,64 @@ static int shmem_fault(struct vm_area_struct *vma, struct vm_fault *vmf) int error; int ret = VM_FAULT_LOCKED; @@ -96018,71 +96031,98 @@ index a2801ba..b8651e6 100644 + * Trinity finds that probing a hole which tmpfs is punching can + * prevent the hole-punch from ever completing: which in turn + * locks writers out with its hold on i_mutex. So refrain from -+ * faulting pages into the hole while it's being punched, and -+ * wait on i_mutex to be released if vmf->flags permits, ++ * faulting pages into the hole while it's being punched. Although ++ * shmem_undo_range() does remove the additions, it may be unable to ++ * keep up, as each new page needs its own unmap_mapping_range() call, ++ * and the i_mmap tree grows ever slower to scan if new vmas are added. ++ * ++ * It does not matter if we sometimes reach this check just before the ++ * hole-punch begins, so that one fault then races with the punch: ++ * we just need to make racing faults a rare case. ++ * ++ * The implementation below would be much simpler if we just used a ++ * standard mutex or completion: but we cannot take i_mutex in fault, ++ * and bloating every shmem inode for this unlikely case would be sad. + */ + if (unlikely(inode->i_private)) { + struct shmem_falloc *shmem_falloc; ++ + spin_lock(&inode->i_lock); + shmem_falloc = inode->i_private; -+ if (!shmem_falloc || -+ shmem_falloc->mode != FALLOC_FL_PUNCH_HOLE || -+ vmf->pgoff < shmem_falloc->start || -+ vmf->pgoff >= shmem_falloc->next) -+ shmem_falloc = NULL; -+ spin_unlock(&inode->i_lock); -+ /* -+ * i_lock has protected us from taking shmem_falloc seriously -+ * once return from shmem_fallocate() went back up that stack. -+ * i_lock does not serialize with i_mutex at all, but it does -+ * not matter if sometimes we wait unnecessarily, or sometimes -+ * miss out on waiting: we just need to make those cases rare. -+ */ -+ if (shmem_falloc) { ++ if (shmem_falloc && ++ shmem_falloc->waitq && ++ vmf->pgoff >= shmem_falloc->start && ++ vmf->pgoff < shmem_falloc->next) { ++ wait_queue_head_t *shmem_falloc_waitq; ++ DEFINE_WAIT(shmem_fault_wait); ++ ++ ret = VM_FAULT_NOPAGE; + if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) && + !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) { ++ /* It's polite to up mmap_sem if we can */ + up_read(&vma->vm_mm->mmap_sem); -+ mutex_lock(&inode->i_mutex); -+ mutex_unlock(&inode->i_mutex); -+ return VM_FAULT_RETRY; ++ ret = VM_FAULT_RETRY; + } -+ /* cond_resched? Leave that to GUP or return to user */ -+ return VM_FAULT_NOPAGE; ++ ++ shmem_falloc_waitq = shmem_falloc->waitq; ++ prepare_to_wait(shmem_falloc_waitq, &shmem_fault_wait, ++ TASK_UNINTERRUPTIBLE); ++ spin_unlock(&inode->i_lock); ++ schedule(); ++ ++ /* ++ * shmem_falloc_waitq points into the shmem_fallocate() ++ * stack of the hole-punching task: shmem_falloc_waitq ++ * is usually invalid by the time we reach here, but ++ * finish_wait() does not dereference it in that case; ++ * though i_lock needed lest racing with wake_up_all(). ++ */ ++ spin_lock(&inode->i_lock); ++ finish_wait(shmem_falloc_waitq, &shmem_fault_wait); ++ spin_unlock(&inode->i_lock); ++ return ret; + } ++ spin_unlock(&inode->i_lock); + } + error = shmem_getpage(inode, vmf->pgoff, &vmf->page, SGP_CACHE, &ret); if (error) return ((error == -ENOMEM) ? VM_FAULT_OOM : VM_FAULT_SIGBUS); -@@ -1733,18 +1772,26 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset, - - mutex_lock(&inode->i_mutex); - -+ shmem_falloc.mode = mode & ~FALLOC_FL_KEEP_SIZE; -+ - if (mode & FALLOC_FL_PUNCH_HOLE) { +@@ -1737,12 +1803,25 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset, struct address_space *mapping = file->f_mapping; loff_t unmap_start = round_up(offset, PAGE_SIZE); loff_t unmap_end = round_down(offset + len, PAGE_SIZE) - 1; - ++ DECLARE_WAIT_QUEUE_HEAD_ONSTACK(shmem_falloc_waitq); ++ ++ shmem_falloc.waitq = &shmem_falloc_waitq; + shmem_falloc.start = unmap_start >> PAGE_SHIFT; + shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT; + spin_lock(&inode->i_lock); + inode->i_private = &shmem_falloc; + spin_unlock(&inode->i_lock); -+ + if ((u64)unmap_end > (u64)unmap_start) unmap_mapping_range(mapping, unmap_start, 1 + unmap_end - unmap_start, 0); shmem_truncate_range(inode, offset, offset + len - 1); /* No need to unmap again: hole-punching leaves COWed pages */ ++ ++ spin_lock(&inode->i_lock); ++ inode->i_private = NULL; ++ wake_up_all(&shmem_falloc_waitq); ++ spin_unlock(&inode->i_lock); error = 0; -- goto out; -+ goto undone; + goto out; + } +@@ -1760,6 +1839,7 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset, + goto out; } - /* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */ -@@ -2138,6 +2185,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = { ++ shmem_falloc.waitq = NULL; + shmem_falloc.start = start; + shmem_falloc.next = start; + shmem_falloc.nr_falloced = 0; +@@ -2138,6 +2218,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = { static int shmem_xattr_validate(const char *name) { struct { const char *prefix; size_t len; } arr[] = { @@ -96094,7 +96134,7 @@ index a2801ba..b8651e6 100644 { XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN }, { XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN } }; -@@ -2193,6 +2245,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name, +@@ -2193,6 +2278,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name, if (err) return err; @@ -96110,7 +96150,7 @@ index a2801ba..b8651e6 100644 return simple_xattr_set(&info->xattrs, name, value, size, flags); } -@@ -2505,8 +2566,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent) +@@ -2505,8 +2599,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent) int err = -ENOMEM; /* Round up to L1_CACHE_BYTES to resist false sharing */ @@ -99302,6 +99342,21 @@ index 5325b54..a0d4d69 100644 return -EFAULT; *lenp = len; +diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c +index e7b6d53..f005cc7 100644 +--- a/net/dns_resolver/dns_query.c ++++ b/net/dns_resolver/dns_query.c +@@ -149,7 +149,9 @@ int dns_query(const char *type, const char *name, size_t namelen, + if (!*_result) + goto put; + +- memcpy(*_result, upayload->data, len + 1); ++ memcpy(*_result, upayload->data, len); ++ (*_result)[len] = '\0'; ++ + if (_expiry) + *_expiry = rkey->expiry; + diff --git a/net/ieee802154/reassembly.c b/net/ieee802154/reassembly.c index ef2d543..5b9b73f 100644 --- a/net/ieee802154/reassembly.c @@ -103055,6 +103110,18 @@ index e1543b0..7ce8bd0 100644 linkwatch_fire_event(dev); } } +diff --git a/net/sctp/associola.c b/net/sctp/associola.c +index 0b99998..a6953b0 100644 +--- a/net/sctp/associola.c ++++ b/net/sctp/associola.c +@@ -1151,6 +1151,7 @@ void sctp_assoc_update(struct sctp_association *asoc, + asoc->c = new->c; + asoc->peer.rwnd = new->peer.rwnd; + asoc->peer.sack_needed = new->peer.sack_needed; ++ asoc->peer.auth_capable = new->peer.auth_capable; + asoc->peer.i = new->peer.i; + sctp_tsnmap_init(&asoc->peer.tsn_map, SCTP_TSN_MAP_INITIAL, + asoc->peer.i.initial_tsn, GFP_ATOMIC); diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c index 2b1738e..a9d0fc9 100644 --- a/net/sctp/ipv6.c @@ -103285,6 +103352,26 @@ index c82fdc1..4ca1f95 100644 return 0; } +diff --git a/net/sctp/ulpevent.c b/net/sctp/ulpevent.c +index 85c6465..879f3cd 100644 +--- a/net/sctp/ulpevent.c ++++ b/net/sctp/ulpevent.c +@@ -411,6 +411,7 @@ struct sctp_ulpevent *sctp_ulpevent_make_remote_error( + * sre_type: + * It should be SCTP_REMOTE_ERROR. + */ ++ memset(sre, 0, sizeof(*sre)); + sre->sre_type = SCTP_REMOTE_ERROR; + + /* +@@ -916,6 +917,7 @@ void sctp_ulpevent_read_sndrcvinfo(const struct sctp_ulpevent *event, + * For recvmsg() the SCTP stack places the message's stream number in + * this value. + */ ++ memset(&sinfo, 0, sizeof(sinfo)); + sinfo.sinfo_stream = event->stream; + /* sinfo_ssn: 16 bits (unsigned integer) + * diff --git a/net/socket.c b/net/socket.c index abf56b2..b8998bc 100644 --- a/net/socket.c diff --git a/3.15.5/4425_grsec_remove_EI_PAX.patch b/3.15.6/4425_grsec_remove_EI_PAX.patch index fc51f79..fc51f79 100644 --- a/3.15.5/4425_grsec_remove_EI_PAX.patch +++ b/3.15.6/4425_grsec_remove_EI_PAX.patch diff --git a/3.15.5/4427_force_XATTR_PAX_tmpfs.patch b/3.15.6/4427_force_XATTR_PAX_tmpfs.patch index 85766c5..85766c5 100644 --- a/3.15.5/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.15.6/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.15.5/4430_grsec-remove-localversion-grsec.patch b/3.15.6/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.15.5/4430_grsec-remove-localversion-grsec.patch +++ b/3.15.6/4430_grsec-remove-localversion-grsec.patch diff --git a/3.15.5/4435_grsec-mute-warnings.patch b/3.15.6/4435_grsec-mute-warnings.patch index a685858..a685858 100644 --- a/3.15.5/4435_grsec-mute-warnings.patch +++ b/3.15.6/4435_grsec-mute-warnings.patch diff --git a/3.15.5/4440_grsec-remove-protected-paths.patch b/3.15.6/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/3.15.5/4440_grsec-remove-protected-paths.patch +++ b/3.15.6/4440_grsec-remove-protected-paths.patch diff --git a/3.15.5/4450_grsec-kconfig-default-gids.patch b/3.15.6/4450_grsec-kconfig-default-gids.patch index af218a8..af218a8 100644 --- a/3.15.5/4450_grsec-kconfig-default-gids.patch +++ b/3.15.6/4450_grsec-kconfig-default-gids.patch diff --git a/3.15.5/4465_selinux-avc_audit-log-curr_ip.patch b/3.15.6/4465_selinux-avc_audit-log-curr_ip.patch index fb528d0..fb528d0 100644 --- a/3.15.5/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.15.6/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.15.5/4470_disable-compat_vdso.patch b/3.15.6/4470_disable-compat_vdso.patch index 7852848..7852848 100644 --- a/3.15.5/4470_disable-compat_vdso.patch +++ b/3.15.6/4470_disable-compat_vdso.patch diff --git a/3.15.5/4475_emutramp_default_on.patch b/3.15.6/4475_emutramp_default_on.patch index cf88fd9..cf88fd9 100644 --- a/3.15.5/4475_emutramp_default_on.patch +++ b/3.15.6/4475_emutramp_default_on.patch diff --git a/3.2.61/0000_README b/3.2.61/0000_README index c0718d5..be52f3a 100644 --- a/3.2.61/0000_README +++ b/3.2.61/0000_README @@ -162,7 +162,7 @@ Patch: 1060_linux-3.2.61.patch From: http://www.kernel.org Desc: Linux 3.2.61 -Patch: 4420_grsecurity-3.0-3.2.61-201407170636.patch +Patch: 4420_grsecurity-3.0-3.2.61-201407232156.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.61/4420_grsecurity-3.0-3.2.61-201407170636.patch b/3.2.61/4420_grsecurity-3.0-3.2.61-201407232156.patch index d53a91b..c484237 100644 --- a/3.2.61/4420_grsecurity-3.0-3.2.61-201407170636.patch +++ b/3.2.61/4420_grsecurity-3.0-3.2.61-201407232156.patch @@ -11106,7 +11106,7 @@ index 7bcf3fc..560ff4c 100644 + pax_force_retaddr ret diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c -index fd84387..887aa7e 100644 +index fd84387..887aa7ef 100644 --- a/arch/x86/ia32/ia32_aout.c +++ b/arch/x86/ia32/ia32_aout.c @@ -162,6 +162,8 @@ static int aout_core_dump(long signr, struct pt_regs *regs, struct file *file, @@ -28843,7 +28843,7 @@ index a4cca06..9e00106 100644 (unsigned long)(&__init_begin), (unsigned long)(&__init_end)); diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c -index 29f7c6d..5122941 100644 +index 29f7c6d9..5122941 100644 --- a/arch/x86/mm/init_32.c +++ b/arch/x86/mm/init_32.c @@ -74,36 +74,6 @@ static __init void *alloc_low_page(void) @@ -34913,7 +34913,7 @@ index da3cfee..a5a6606 100644 *ppos = i; diff --git a/drivers/char/random.c b/drivers/char/random.c -index c244f0e..8b3452f 100644 +index c244f0e..59b5e6c 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -255,10 +255,8 @@ @@ -35363,6 +35363,8 @@ index c244f0e..8b3452f 100644 retry: entropy_count = orig = ACCESS_ONCE(r->entropy_count); - entropy_count += nbits; +- if (entropy_count < 0) { +- DEBUG_ENT("negative entropy/overflow\n"); + if (nfrac < 0) { + /* Debit */ + entropy_count += nfrac; @@ -35402,8 +35404,7 @@ index c244f0e..8b3452f 100644 + } while (unlikely(entropy_count < pool_size-2 && pnfrac)); + } + - if (entropy_count < 0) { -- DEBUG_ENT("negative entropy/overflow\n"); ++ if (unlikely(entropy_count < 0)) { + pr_warn("random: negative entropy/overflow: pool %s count %d\n", + r->name, entropy_count); + WARN_ON(1); @@ -35651,7 +35652,7 @@ index c244f0e..8b3452f 100644 } #endif -@@ -835,104 +915,131 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, +@@ -835,104 +915,141 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, * from the primary pool to the secondary extraction pool. We make * sure we pull enough for a 'catastrophic reseed'. */ @@ -35746,7 +35747,7 @@ index c244f0e..8b3452f 100644 { - unsigned long flags; + int entropy_count, orig; -+ size_t ibytes; ++ size_t ibytes, nfrac; - /* Hold lock while accounting */ - spin_lock_irqsave(&r->lock, flags); @@ -35781,18 +35782,27 @@ index c244f0e..8b3452f 100644 - if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) - goto retry; - } -- -- if (entropy_count < random_write_wakeup_thresh) { -- wake_up_interruptible(&random_write_wait); -- kill_fasync(&fasync, SIGIO, POLL_OUT); -- } + if ((have_bytes -= reserved) < 0) + have_bytes = 0; + ibytes = min_t(size_t, ibytes, have_bytes); - } ++ } + if (ibytes < min) + ibytes = 0; -+ if ((entropy_count -= ibytes << (ENTROPY_SHIFT + 3)) < 0) + +- if (entropy_count < random_write_wakeup_thresh) { +- wake_up_interruptible(&random_write_wait); +- kill_fasync(&fasync, SIGIO, POLL_OUT); +- } ++ if (unlikely(entropy_count < 0)) { ++ pr_warn("random: negative entropy count: pool %s count %d\n", ++ r->name, entropy_count); ++ WARN_ON(1); ++ entropy_count = 0; + } ++ nfrac = ibytes << (ENTROPY_SHIFT + 3); ++ if ((size_t) entropy_count > nfrac) ++ entropy_count -= nfrac; ++ else + entropy_count = 0; - DEBUG_ENT("debiting %d entropy credits from %s%s\n", @@ -35847,7 +35857,7 @@ index c244f0e..8b3452f 100644 spin_lock_irqsave(&r->lock, flags); for (i = 0; i < r->poolinfo->poolwords; i += 16) sha_transform(hash.w, (__u8 *)(r->pool + i), workspace); -@@ -966,27 +1073,43 @@ static void extract_buf(struct entropy_store *r, __u8 *out) +@@ -966,27 +1083,43 @@ static void extract_buf(struct entropy_store *r, __u8 *out) hash.w[1] ^= hash.w[4]; hash.w[2] ^= rol32(hash.w[2], 16); @@ -35902,7 +35912,7 @@ index c244f0e..8b3452f 100644 xfer_secondary_pool(r, nbytes); nbytes = account(r, nbytes, min, reserved); -@@ -994,8 +1117,6 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, +@@ -994,8 +1127,6 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, extract_buf(r, tmp); if (fips_enabled) { @@ -35911,7 +35921,7 @@ index c244f0e..8b3452f 100644 spin_lock_irqsave(&r->lock, flags); if (!memcmp(tmp, r->last_data, EXTRACT_SIZE)) panic("Hardware RNG duplicated output!\n"); -@@ -1015,12 +1136,17 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, +@@ -1015,12 +1146,17 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, return ret; } @@ -35929,7 +35939,7 @@ index c244f0e..8b3452f 100644 xfer_secondary_pool(r, nbytes); nbytes = account(r, nbytes, 0, 0); -@@ -1036,7 +1162,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, +@@ -1036,7 +1172,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, extract_buf(r, tmp); i = min_t(int, nbytes, EXTRACT_SIZE); @@ -35938,7 +35948,7 @@ index c244f0e..8b3452f 100644 ret = -EFAULT; break; } -@@ -1055,11 +1181,20 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, +@@ -1055,11 +1191,20 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, /* * This function is the exported kernel interface. It returns some * number of good random numbers, suitable for key generation, seeding @@ -35961,7 +35971,7 @@ index c244f0e..8b3452f 100644 extract_entropy(&nonblocking_pool, buf, nbytes, 0, 0); } EXPORT_SYMBOL(get_random_bytes); -@@ -1078,6 +1213,7 @@ void get_random_bytes_arch(void *buf, int nbytes) +@@ -1078,6 +1223,7 @@ void get_random_bytes_arch(void *buf, int nbytes) { char *p = buf; @@ -35969,7 +35979,7 @@ index c244f0e..8b3452f 100644 while (nbytes) { unsigned long v; int chunk = min(nbytes, (int)sizeof(unsigned long)); -@@ -1111,12 +1247,11 @@ static void init_std_data(struct entropy_store *r) +@@ -1111,12 +1257,11 @@ static void init_std_data(struct entropy_store *r) ktime_t now = ktime_get_real(); unsigned long rv; @@ -35985,7 +35995,7 @@ index c244f0e..8b3452f 100644 mix_pool_bytes(r, &rv, sizeof(rv), NULL); } mix_pool_bytes(r, utsname(), sizeof(*(utsname())), NULL); -@@ -1139,25 +1274,7 @@ static int rand_initialize(void) +@@ -1139,25 +1284,7 @@ static int rand_initialize(void) init_std_data(&nonblocking_pool); return 0; } @@ -36012,7 +36022,7 @@ index c244f0e..8b3452f 100644 #ifdef CONFIG_BLOCK void rand_initialize_disk(struct gendisk *disk) -@@ -1169,71 +1286,59 @@ void rand_initialize_disk(struct gendisk *disk) +@@ -1169,71 +1296,60 @@ void rand_initialize_disk(struct gendisk *disk) * source. */ state = kzalloc(sizeof(struct timer_rand_state), GFP_KERNEL); @@ -36112,6 +36122,7 @@ index c244f0e..8b3452f 100644 + "with %d bits of entropy available\n", + current->comm, nonblocking_pool.entropy_total); + ++ nbytes = min_t(size_t, nbytes, INT_MAX >> (ENTROPY_SHIFT + 3)); + ret = extract_entropy_user(&nonblocking_pool, buf, nbytes); + + trace_urandom_read(8 * nbytes, ENTROPY_BITS(&nonblocking_pool), @@ -36120,7 +36131,7 @@ index c244f0e..8b3452f 100644 } static unsigned int -@@ -1244,9 +1349,9 @@ random_poll(struct file *file, poll_table * wait) +@@ -1244,9 +1360,9 @@ random_poll(struct file *file, poll_table * wait) poll_wait(file, &random_read_wait, wait); poll_wait(file, &random_write_wait, wait); mask = 0; @@ -36132,7 +36143,7 @@ index c244f0e..8b3452f 100644 mask |= POLLOUT | POLLWRNORM; return mask; } -@@ -1297,7 +1402,8 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) +@@ -1297,7 +1413,8 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) switch (cmd) { case RNDGETENTCNT: /* inherently racy, no point locking */ @@ -36142,7 +36153,7 @@ index c244f0e..8b3452f 100644 return -EFAULT; return 0; case RNDADDTOENTCNT: -@@ -1305,7 +1411,7 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) +@@ -1305,7 +1422,7 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) return -EPERM; if (get_user(ent_count, p)) return -EFAULT; @@ -36151,7 +36162,7 @@ index c244f0e..8b3452f 100644 return 0; case RNDADDENTROPY: if (!capable(CAP_SYS_ADMIN)) -@@ -1320,14 +1426,19 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) +@@ -1320,14 +1437,19 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) size); if (retval < 0) return retval; @@ -36174,7 +36185,7 @@ index c244f0e..8b3452f 100644 return 0; default: return -EINVAL; -@@ -1387,23 +1498,23 @@ EXPORT_SYMBOL(generate_random_uuid); +@@ -1387,23 +1509,23 @@ EXPORT_SYMBOL(generate_random_uuid); #include <linux/sysctl.h> static int min_read_thresh = 8, min_write_thresh; @@ -36205,7 +36216,7 @@ index c244f0e..8b3452f 100644 unsigned char buf[64], tmp_uuid[16], *uuid; uuid = table->data; -@@ -1427,8 +1538,26 @@ static int proc_do_uuid(ctl_table *table, int write, +@@ -1427,8 +1549,26 @@ static int proc_do_uuid(ctl_table *table, int write, return proc_dostring(&fake_table, write, buffer, lenp, ppos); } @@ -36233,7 +36244,7 @@ index c244f0e..8b3452f 100644 { .procname = "poolsize", .data = &sysctl_poolsize, -@@ -1440,12 +1569,12 @@ ctl_table random_table[] = { +@@ -1440,12 +1580,12 @@ ctl_table random_table[] = { .procname = "entropy_avail", .maxlen = sizeof(int), .mode = 0444, @@ -36248,7 +36259,7 @@ index c244f0e..8b3452f 100644 .maxlen = sizeof(int), .mode = 0644, .proc_handler = proc_dointvec_minmax, -@@ -1454,7 +1583,7 @@ ctl_table random_table[] = { +@@ -1454,7 +1594,7 @@ ctl_table random_table[] = { }, { .procname = "write_wakeup_threshold", @@ -36257,7 +36268,7 @@ index c244f0e..8b3452f 100644 .maxlen = sizeof(int), .mode = 0644, .proc_handler = proc_dointvec_minmax, -@@ -1462,6 +1591,13 @@ ctl_table random_table[] = { +@@ -1462,6 +1602,13 @@ ctl_table random_table[] = { .extra2 = &max_write_thresh, }, { @@ -36271,7 +36282,7 @@ index c244f0e..8b3452f 100644 .procname = "boot_id", .data = &sysctl_bootid, .maxlen = 16, -@@ -1492,7 +1628,7 @@ int random_int_secret_init(void) +@@ -1492,7 +1639,7 @@ int random_int_secret_init(void) * value is not cryptographically secure but for several uses the cost of * depleting entropy is too high */ @@ -36280,7 +36291,7 @@ index c244f0e..8b3452f 100644 unsigned int get_random_int(void) { __u32 *hash; -@@ -1510,6 +1646,7 @@ unsigned int get_random_int(void) +@@ -1510,6 +1657,7 @@ unsigned int get_random_int(void) return ret; } @@ -44899,6 +44910,24 @@ index 5920c99..ff2e4a5 100644 }; static void +diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c +index 8a10bb7..7560422 100644 +--- a/drivers/net/wan/x25_asy.c ++++ b/drivers/net/wan/x25_asy.c +@@ -123,8 +123,12 @@ static int x25_asy_change_mtu(struct net_device *dev, int newmtu) + { + struct x25_asy *sl = netdev_priv(dev); + unsigned char *xbuff, *rbuff; +- int len = 2 * newmtu; ++ int len; + ++ if (newmtu > 65534) ++ return -EINVAL; ++ ++ len = 2 * newmtu; + xbuff = kmalloc(len + 4, GFP_ATOMIC); + rbuff = kmalloc(len + 4, GFP_ATOMIC); + diff --git a/drivers/net/wan/z85230.c b/drivers/net/wan/z85230.c index 0e57690..ad698bb 100644 --- a/drivers/net/wan/z85230.c @@ -100930,6 +100959,21 @@ index d50a13c..1f612ff 100644 return -EFAULT; *lenp = len; +diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c +index c32be29..2022b46 100644 +--- a/net/dns_resolver/dns_query.c ++++ b/net/dns_resolver/dns_query.c +@@ -150,7 +150,9 @@ int dns_query(const char *type, const char *name, size_t namelen, + if (!*_result) + goto put; + +- memcpy(*_result, upayload->data, len + 1); ++ memcpy(*_result, upayload->data, len); ++ (*_result)[len] = '\0'; ++ + if (_expiry) + *_expiry = rkey->expiry; + diff --git a/net/econet/Kconfig b/net/econet/Kconfig index 39a2d29..f39c0fe 100644 --- a/net/econet/Kconfig @@ -105043,6 +105087,18 @@ index 7635107..4670276 100644 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial)); ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len); +diff --git a/net/sctp/associola.c b/net/sctp/associola.c +index 25b207b..da54d29 100644 +--- a/net/sctp/associola.c ++++ b/net/sctp/associola.c +@@ -1188,6 +1188,7 @@ void sctp_assoc_update(struct sctp_association *asoc, + asoc->c = new->c; + asoc->peer.rwnd = new->peer.rwnd; + asoc->peer.sack_needed = new->peer.sack_needed; ++ asoc->peer.auth_capable = new->peer.auth_capable; + asoc->peer.i = new->peer.i; + sctp_tsnmap_init(&asoc->peer.tsn_map, SCTP_TSN_MAP_INITIAL, + asoc->peer.i.initial_tsn, GFP_ATOMIC); diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c index 0b6a391..febcef2 100644 --- a/net/sctp/ipv6.c @@ -105301,6 +105357,26 @@ index 8da4481..d02565e 100644 tp->srtt = tp->srtt - (tp->srtt >> sctp_rto_alpha) + (rtt >> sctp_rto_alpha); } else { +diff --git a/net/sctp/ulpevent.c b/net/sctp/ulpevent.c +index 8a84017..d4faa70 100644 +--- a/net/sctp/ulpevent.c ++++ b/net/sctp/ulpevent.c +@@ -418,6 +418,7 @@ struct sctp_ulpevent *sctp_ulpevent_make_remote_error( + * sre_type: + * It should be SCTP_REMOTE_ERROR. + */ ++ memset(sre, 0, sizeof(*sre)); + sre->sre_type = SCTP_REMOTE_ERROR; + + /* +@@ -921,6 +922,7 @@ void sctp_ulpevent_read_sndrcvinfo(const struct sctp_ulpevent *event, + * For recvmsg() the SCTP stack places the message's stream number in + * this value. + */ ++ memset(&sinfo, 0, sizeof(sinfo)); + sinfo.sinfo_stream = event->stream; + /* sinfo_ssn: 16 bits (unsigned integer) + * diff --git a/net/socket.c b/net/socket.c index 3faa358..3d43f20 100644 --- a/net/socket.c |