authorAnthony G. Basile <blueness@gentoo.org>2015-08-02 17:35:32 -0400
committerAnthony G. Basile <blueness@gentoo.org>2015-08-02 17:35:32 -0400
commitcac43c138723f39170dbf2989d04225ec1f58b6e (patch)
treecb72f4cdc3cf53e685841c25af5ab1d79eb46a75
parentgrsecurity-3.1-4.1.3-201507281943 (diff)
grsecurity-{3.2.69,3.14.48,4.1.3}-20150802090120150802
-rw-r--r--3.14.48/0000_README2
-rw-r--r--3.14.48/4420_grsecurity-3.1-3.14.48-201508020901.patch (renamed from 3.14.48/4420_grsecurity-3.1-3.14.48-201507261203.patch)210
-rw-r--r--3.2.69/0000_README2
-rw-r--r--3.2.69/4420_grsecurity-3.1-3.2.69-201508020900.patch (renamed from 3.2.69/4420_grsecurity-3.1-3.2.69-201507251415.patch)161
-rw-r--r--4.1.3/0000_README2
-rw-r--r--4.1.3/4420_grsecurity-3.1-4.1.3-201508011613.patch (renamed from 4.1.3/4420_grsecurity-3.1-4.1.3-201507281943.patch)322
6 files changed, 635 insertions, 64 deletions
diff --git a/3.14.48/0000_README b/3.14.48/0000_README
index a724891..e334e8a 100644
--- a/3.14.48/0000_README
+++ b/3.14.48/0000_README
@@ -6,7 +6,7 @@ Patch: 1047_linux-3.14.48.patch
From: http://www.kernel.org
Desc: Linux 3.14.48
-Patch: 4420_grsecurity-3.1-3.14.48-201507261203.patch
+Patch: 4420_grsecurity-3.1-3.14.48-201508020901.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.14.48/4420_grsecurity-3.1-3.14.48-201507261203.patch b/3.14.48/4420_grsecurity-3.1-3.14.48-201508020901.patch
index f010f2a..2727f73 100644
--- a/3.14.48/4420_grsecurity-3.1-3.14.48-201507261203.patch
+++ b/3.14.48/4420_grsecurity-3.1-3.14.48-201508020901.patch
@@ -12816,6 +12816,21 @@ index 67e9f5c..2af15db 100644
KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
GCOV_PROFILE := n
+diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
+index 78cbb2d..ec5a3c7 100644
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -560,6 +560,10 @@ static efi_status_t setup_e820(struct boot_params *params,
+ unsigned int e820_type = 0;
+ unsigned long m = efi->efi_memmap;
+
++#ifdef CONFIG_X86_64
++ m |= (u64)efi->efi_memmap_hi << 32;
++#endif
++
+ d = (efi_memory_desc_t *)(m + (i * efi->efi_memdesc_size));
+ switch (d->type) {
+ case EFI_RESERVED_TYPE:
diff --git a/arch/x86/boot/compressed/efi_stub_32.S b/arch/x86/boot/compressed/efi_stub_32.S
index a53440e..c3dbf1e 100644
--- a/arch/x86/boot/compressed/efi_stub_32.S
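Review bot: In `setup_e820`, the added `m |= (u64)efi->efi_memmap_hi << 32;` is compiled only under `CONFIG_X86_64`, so on any other build a non-zero `efi_memmap_hi` is still dropped silently and `d` is computed from the low 32 bits alone. Whether that combination can occur is not visible in this hunk, but if it can, the descriptor pointer refers to the wrong memory; an `#else` branch that rejects a non-zero `efi->efi_memmap_hi` would make the assumption explicit. A one-line comment above the `#ifdef`, such as `/* efi_memmap carries only the low 32 bits of the map address */`, would also help. The same hunk appears in the 4.1.3 patch (`@@ -1193,6 +1193,10 @@`), and the function body continues outside the hunk.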
@@ -36455,7 +36470,7 @@ index 01b9026..1e476df 100644
This is the Linux Xen port. Enabling this will allow the
kernel to boot in a paravirtualized environment under the
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index 201d09a..2302db1 100644
+index 201d09a..9789e51 100644
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -123,8 +123,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
@@ -36467,7 +36482,75 @@ index 201d09a..2302db1 100644
RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
__read_mostly int xen_have_vector_callback;
EXPORT_SYMBOL_GPL(xen_have_vector_callback);
-@@ -542,8 +540,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
+@@ -481,6 +479,7 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+ pte_t pte;
+ unsigned long pfn;
+ struct page *page;
++ unsigned char dummy;
+
+ ptep = lookup_address((unsigned long)v, &level);
+ BUG_ON(ptep == NULL);
+@@ -490,6 +489,32 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+
+ pte = pfn_pte(pfn, prot);
+
++ /*
++ * Careful: update_va_mapping() will fail if the virtual address
++ * we're poking isn't populated in the page tables. We don't
++ * need to worry about the direct map (that's always in the page
++ * tables), but we need to be careful about vmap space. In
++ * particular, the top level page table can lazily propagate
++ * entries between processes, so if we've switched mms since we
++ * vmapped the target in the first place, we might not have the
++ * top-level page table entry populated.
++ *
++ * We disable preemption because we want the same mm active when
++ * we probe the target and when we issue the hypercall. We'll
++ * have the same nominal mm, but if we're a kernel thread, lazy
++ * mm dropping could change our pgd.
++ *
++ * Out of an abundance of caution, this uses __get_user() to fault
++ * in the target address just in case there's some obscure case
++ * in which the target address isn't readable.
++ */
++
++ preempt_disable();
++
++ pagefault_disable(); /* Avoid warnings due to being atomic. */
++ __get_user(dummy, (unsigned char __user __force *)v);
++ pagefault_enable();
++
+ if (HYPERVISOR_update_va_mapping((unsigned long)v, pte, 0))
+ BUG();
+
+@@ -501,6 +526,8 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+ BUG();
+ } else
+ kmap_flush_unused();
++
++ preempt_enable();
+ }
+
+ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries)
+@@ -508,6 +535,17 @@ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries)
+ const unsigned entries_per_page = PAGE_SIZE / LDT_ENTRY_SIZE;
+ int i;
+
++ /*
++ * We need to mark the all aliases of the LDT pages RO. We
++ * don't need to call vm_flush_aliases(), though, since that's
++ * only responsible for flushing aliases out the TLBs, not the
++ * page tables, and Xen will flush the TLB for us if needed.
++ *
++ * To avoid confusing future readers: none of this is necessary
++ * to load the LDT. The hypervisor only checks this when the
++ * LDT is faulted in due to subsequent descriptor access.
++ */
++
+ for(i = 0; i < entries; i += entries_per_page)
+ set_aliased_prot(ldt + i, PAGE_KERNEL_RO);
+ }
+@@ -542,8 +580,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
{
unsigned long va = dtr->address;
unsigned int size = dtr->size + 1;
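Review bot: In `set_aliased_prot`, the result of `__get_user(dummy, ...)` is discarded, so a failed probe is indistinguishable from a successful one and the only visible outcome is the `BUG()` after `HYPERVISOR_update_va_mapping()`. The added comment explains that the read is there to fault the address in, but it should also say that the return value is ignored on purpose, e.g. `/* Result ignored: a failure here shows up as BUG() at the hypercall below. */`; `dummy` is also set but never read, which some compiler configurations warn about. The `preempt_disable()`/`preempt_enable()` pair now encloses the `kmap_flush_unused()` branch as well, so everything called in that region must be safe in atomic context, which cannot be confirmed from the hunk. In the `xen_alloc_ldt` comment, "mark the all aliases" has a stray word. The same change is carried in the 3.2.69 and 4.1.3 patches further down.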
@@ -36477,7 +36560,7 @@ index 201d09a..2302db1 100644
int f;
/*
-@@ -591,8 +588,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
+@@ -591,8 +628,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
{
unsigned long va = dtr->address;
unsigned int size = dtr->size + 1;
@@ -36487,7 +36570,7 @@ index 201d09a..2302db1 100644
int f;
/*
-@@ -600,7 +596,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
+@@ -600,7 +636,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
* 8-byte entries, or 16 4k pages..
*/
@@ -36496,7 +36579,7 @@ index 201d09a..2302db1 100644
BUG_ON(va & ~PAGE_MASK);
for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) {
-@@ -989,7 +985,7 @@ static u32 xen_safe_apic_wait_icr_idle(void)
+@@ -989,7 +1025,7 @@ static u32 xen_safe_apic_wait_icr_idle(void)
return 0;
}
@@ -36505,7 +36588,7 @@ index 201d09a..2302db1 100644
{
apic->read = xen_apic_read;
apic->write = xen_apic_write;
-@@ -1295,30 +1291,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
+@@ -1295,30 +1331,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
#endif
};
@@ -36543,7 +36626,7 @@ index 201d09a..2302db1 100644
{
if (pm_power_off)
pm_power_off();
-@@ -1455,8 +1451,11 @@ static void __ref xen_setup_gdt(int cpu)
+@@ -1455,8 +1491,11 @@ static void __ref xen_setup_gdt(int cpu)
pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry_boot;
pv_cpu_ops.load_gdt = xen_load_gdt_boot;
@@ -36557,7 +36640,7 @@ index 201d09a..2302db1 100644
pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry;
pv_cpu_ops.load_gdt = xen_load_gdt;
-@@ -1564,7 +1563,17 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1564,7 +1603,17 @@ asmlinkage void __init xen_start_kernel(void)
__userpte_alloc_gfp &= ~__GFP_HIGHMEM;
/* Work out if we support NX */
@@ -36576,7 +36659,7 @@ index 201d09a..2302db1 100644
/* Get mfn list */
xen_build_dynamic_phys_to_machine();
-@@ -1592,13 +1601,6 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1592,13 +1641,6 @@ asmlinkage void __init xen_start_kernel(void)
machine_ops = xen_machine_ops;
@@ -45818,7 +45901,7 @@ index e400591..a94ae6b 100644
void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
diff --git a/drivers/md/md.c b/drivers/md/md.c
-index 40959ee..ba57756 100644
+index 40959ee..2da5090 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -194,10 +194,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev);
@@ -45890,7 +45973,27 @@ index 40959ee..ba57756 100644
INIT_LIST_HEAD(&rdev->same_set);
init_waitqueue_head(&rdev->blocked_wait);
-@@ -7079,7 +7079,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
+@@ -5645,16 +5645,13 @@ static int get_bitmap_file(struct mddev * mddev, void __user * arg)
+ char *ptr, *buf = NULL;
+ int err = -ENOMEM;
+
+- file = kmalloc(sizeof(*file), GFP_NOIO);
+-
++ file = kzalloc(sizeof(*file), GFP_NOIO);
+ if (!file)
+ goto out;
+
+- /* bitmap disabled, zero the first byte and copy out */
+- if (!mddev->bitmap || !mddev->bitmap->storage.file) {
+- file->pathname[0] = '\0';
++ /* bitmap disabled, copy out */
++ if (!mddev->bitmap || !mddev->bitmap->storage.file)
+ goto copy_out;
+- }
+
+ buf = kmalloc(sizeof(file->pathname), GFP_KERNEL);
+ if (!buf)
+@@ -7079,7 +7076,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
spin_unlock(&pers_lock);
seq_printf(seq, "\n");
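Review bot: In `get_bitmap_file`, the early `goto copy_out` for a disabled bitmap now depends entirely on `kzalloc()` having zeroed `*file`, since the explicit `file->pathname[0] = '\0'` was dropped, and the new comment `/* bitmap disabled, copy out */` does not say so. If the allocation is ever switched back to `kmalloc()`, uninitialised heap contents would presumably be copied to the `__user` buffer again. I would word the comment as `/* bitmap disabled: copy out the all-zero struct (relies on kzalloc above) */`. The `copy_out` label and the rest of the function are outside the hunk, so what is copied is inferred from the comment and the `void __user * arg` parameter. The 3.2.69 patch carries the same change with two `kzalloc()` call sites.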
@@ -45899,7 +46002,7 @@ index 40959ee..ba57756 100644
return 0;
}
if (v == (void*)2) {
-@@ -7182,7 +7182,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
+@@ -7182,7 +7179,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
return error;
seq = file->private_data;
@@ -45908,7 +46011,7 @@ index 40959ee..ba57756 100644
return error;
}
-@@ -7196,7 +7196,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
+@@ -7196,7 +7193,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
/* always allow read */
mask = POLLIN | POLLRDNORM;
@@ -45917,7 +46020,7 @@ index 40959ee..ba57756 100644
mask |= POLLERR | POLLPRI;
return mask;
}
-@@ -7240,7 +7240,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
+@@ -7240,7 +7237,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
(int)part_stat_read(&disk->part0, sectors[1]) -
@@ -52875,7 +52978,7 @@ index a107064..30775cf 100644
if (!sdp->request_queue->rq_timeout) {
if (sdp->type != TYPE_MOD)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
-index eb81c98..e6716ae 100644
+index eb81c98..0253222 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1102,7 +1102,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
@@ -52887,6 +52990,16 @@ index eb81c98..e6716ae 100644
case BLKTRACESTART:
return blk_trace_startstop(sdp->device->request_queue, 1);
case BLKTRACESTOP:
+@@ -1694,6 +1694,9 @@ static int sg_start_req(Sg_request *srp, unsigned char *cmd)
+ md->from_user = 0;
+ }
+
++ if (unlikely(iov_count > UIO_MAXIOV))
++ return -EINVAL;
++
+ if (iov_count) {
+ int len, size = sizeof(struct sg_iovec) * iov_count;
+ struct iovec *iov;
diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
index 40d8592..8e89146 100644
--- a/drivers/scsi/sr.c
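Review bot: The new `iov_count > UIO_MAXIOV` check in `sg_start_req` has no comment, and its purpose is only visible from the line below it, where `size` is an `int` computed as `sizeof(struct sg_iovec) * iov_count`. A comment such as `/* cap iov_count so the int size computed below cannot overflow */` would keep the check from being removed later as redundant. The bare `return -EINVAL` also skips any local cleanup; the earlier part of the function is outside the hunk, so whether resources acquired there are released by the caller should be confirmed. The 3.2.69 patch adds the identical check.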
@@ -119776,6 +119889,30 @@ index 0a00f44..123e322 100644
break;
case IPV6_RECVPKTINFO:
+diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
+index bcd6518..4e5c78a 100644
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1603,6 +1603,7 @@ int ndisc_rcv(struct sk_buff *skb)
+ static int ndisc_netdev_event(struct notifier_block *this, unsigned long event, void *ptr)
+ {
+ struct net_device *dev = netdev_notifier_info_to_dev(ptr);
++ struct netdev_notifier_change_info *change_info;
+ struct net *net = dev_net(dev);
+ struct inet6_dev *idev;
+
+@@ -1617,6 +1618,11 @@ static int ndisc_netdev_event(struct notifier_block *this, unsigned long event,
+ ndisc_send_unsol_na(dev);
+ in6_dev_put(idev);
+ break;
++ case NETDEV_CHANGE:
++ change_info = ptr;
++ if (change_info->flags_changed & IFF_NOARP)
++ neigh_changeaddr(&nd_tbl, dev);
++ break;
+ case NETDEV_DOWN:
+ neigh_ifdown(&nd_tbl, dev);
+ fib6_run_gc(0, net, false);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index e080fbb..412b3cf 100644
--- a/net/ipv6/netfilter/ip6_tables.c
@@ -125574,6 +125711,25 @@ index cee72ce..e46074a 100644
err:
if (iov != iovstack)
kfree(iov);
+diff --git a/security/keys/keyring.c b/security/keys/keyring.c
+index 2fb2576..04d0d7c 100644
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -1151,9 +1151,11 @@ void __key_link_end(struct key *keyring,
+ if (index_key->type == &key_type_keyring)
+ up_write(&keyring_serialise_link_sem);
+
+- if (edit && !edit->dead_leaf) {
+- key_payload_reserve(keyring,
+- keyring->datalen - KEYQUOTA_LINK_BYTES);
++ if (edit) {
++ if (!edit->dead_leaf) {
++ key_payload_reserve(keyring,
++ keyring->datalen - KEYQUOTA_LINK_BYTES);
++ }
+ assoc_array_cancel_edit(edit);
+ }
+ up_write(&keyring->sem);
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index 3814119..2e8ebaa 100644
--- a/security/keys/request_key.c
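Review bot: The restructured block in `__key_link_end` now calls `assoc_array_cancel_edit(edit)` whenever `edit` is non-NULL, while `key_payload_reserve()` still runs only when `!edit->dead_leaf`, and nothing in the code says why the two conditions differ. A short comment above the outer `if`, for example `/* always cancel the edit; only give back the link quota when no dead leaf was used */`, would document the intent and make it harder to fold the two conditions back together. The wording should be checked against what `dead_leaf` means, which is not visible in this hunk.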
@@ -128699,10 +128855,10 @@ index 0000000..457d54e
+}
diff --git a/tools/gcc/kernexec_plugin.c b/tools/gcc/kernexec_plugin.c
new file mode 100644
-index 0000000..b0d8255
+index 0000000..4838c8a
--- /dev/null
+++ b/tools/gcc/kernexec_plugin.c
-@@ -0,0 +1,547 @@
+@@ -0,0 +1,551 @@
+/*
+ * Copyright 2011-2015 by the PaX Team <pageexec@freemail.hu>
+ * Licensed under the GPL v2
@@ -128737,10 +128893,12 @@ index 0000000..b0d8255
+ */
+static void kernexec_reload_fptr_mask(gimple_stmt_iterator *gsi)
+{
++ gimple stmt;
+ gasm *asm_movabs_stmt;
+
+ // build asm volatile("movabs $0x8000000000000000, %%r12\n\t" : : : );
-+ asm_movabs_stmt = gimple_build_asm_vec("movabs $0x8000000000000000, %%r12\n\t", NULL, NULL, NULL, NULL);
++ stmt = gimple_build_asm_vec("movabs $0x8000000000000000, %%r12\n\t", NULL, NULL, NULL, NULL);
++ asm_movabs_stmt = as_a_gasm(stmt);
+ gimple_asm_set_volatile(asm_movabs_stmt, true);
+ gsi_insert_after(gsi, asm_movabs_stmt, GSI_CONTINUE_LINKING);
+ update_stmt(asm_movabs_stmt);
@@ -128834,6 +128992,7 @@ index 0000000..b0d8255
+
+static void kernexec_instrument_fptr_or(gimple_stmt_iterator *gsi)
+{
++ gimple stmt;
+ gasm *asm_or_stmt;
+ gcall *call_stmt;
+ tree old_fptr, new_fptr, input, output;
@@ -128865,7 +129024,8 @@ index 0000000..b0d8255
+ vec_safe_push(inputs, input);
+ vec_safe_push(outputs, output);
+#endif
-+ asm_or_stmt = gimple_build_asm_vec("orq %%r12, %0\n\t", inputs, outputs, NULL, NULL);
++ stmt = gimple_build_asm_vec("orq %%r12, %0\n\t", inputs, outputs, NULL, NULL);
++ asm_or_stmt = as_a_gasm(stmt);
+ SSA_NAME_DEF_STMT(new_fptr) = asm_or_stmt;
+ gimple_asm_set_volatile(asm_or_stmt, true);
+ gsi_insert_before(gsi, asm_or_stmt, GSI_SAME_STMT);
@@ -141904,10 +142064,10 @@ index 0000000..2a693fe
+
diff --git a/tools/gcc/stackleak_plugin.c b/tools/gcc/stackleak_plugin.c
new file mode 100644
-index 0000000..1d296ce
+index 0000000..155e2c5
--- /dev/null
+++ b/tools/gcc/stackleak_plugin.c
-@@ -0,0 +1,432 @@
+@@ -0,0 +1,436 @@
+/*
+ * Copyright 2011-2015 by the PaX Team <pageexec@freemail.hu>
+ * Licensed under the GPL v2
@@ -141947,6 +142107,7 @@ index 0000000..1d296ce
+
+static void stackleak_check_alloca(gimple_stmt_iterator *gsi)
+{
++ gimple stmt;
+ gcall *check_alloca;
+ tree alloca_size;
+ cgraph_node_ptr node;
@@ -141955,7 +142116,8 @@ index 0000000..1d296ce
+
+ // insert call to void pax_check_alloca(unsigned long size)
+ alloca_size = gimple_call_arg(gsi_stmt(*gsi), 0);
-+ check_alloca = gimple_build_call(check_function_decl, 1, alloca_size);
++ stmt = gimple_build_call(check_function_decl, 1, alloca_size);
++ check_alloca = as_a_gcall(stmt);
+ gsi_insert_before(gsi, check_alloca, GSI_SAME_STMT);
+
+ // update the cgraph
@@ -141968,13 +142130,15 @@ index 0000000..1d296ce
+
+static void stackleak_add_instrumentation(gimple_stmt_iterator *gsi)
+{
++ gimple stmt;
+ gcall *track_stack;
+ cgraph_node_ptr node;
+ int frequency;
+ basic_block bb;
+
+ // insert call to void pax_track_stack(void)
-+ track_stack = gimple_build_call(track_function_decl, 0);
++ stmt = gimple_build_call(track_function_decl, 0);
++ track_stack = as_a_gcall(stmt);
+ gsi_insert_after(gsi, track_stack, GSI_CONTINUE_LINKING);
+
+ // update the cgraph
diff --git a/3.2.69/0000_README b/3.2.69/0000_README
index 9b79be0..96cd54d 100644
--- a/3.2.69/0000_README
+++ b/3.2.69/0000_README
@@ -194,7 +194,7 @@ Patch: 1068_linux-3.2.69.patch
From: http://www.kernel.org
Desc: Linux 3.2.69
-Patch: 4420_grsecurity-3.1-3.2.69-201507251415.patch
+Patch: 4420_grsecurity-3.1-3.2.69-201508020900.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.69/4420_grsecurity-3.1-3.2.69-201507251415.patch b/3.2.69/4420_grsecurity-3.1-3.2.69-201508020900.patch
index 11686d8..e361065 100644
--- a/3.2.69/4420_grsecurity-3.1-3.2.69-201507251415.patch
+++ b/3.2.69/4420_grsecurity-3.1-3.2.69-201508020900.patch
@@ -32649,7 +32649,7 @@ index 26c731a..fb510c7 100644
This is the Linux Xen port. Enabling this will allow the
kernel to boot in a paravirtualized environment under the
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index 5189fe8..1bf8944 100644
+index 5189fe8..e27635d 100644
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -86,8 +86,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
@@ -32661,7 +32661,75 @@ index 5189fe8..1bf8944 100644
RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
__read_mostly int xen_have_vector_callback;
EXPORT_SYMBOL_GPL(xen_have_vector_callback);
-@@ -382,8 +380,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
+@@ -321,6 +319,7 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+ pte_t pte;
+ unsigned long pfn;
+ struct page *page;
++ unsigned char dummy;
+
+ ptep = lookup_address((unsigned long)v, &level);
+ BUG_ON(ptep == NULL);
+@@ -330,6 +329,32 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+
+ pte = pfn_pte(pfn, prot);
+
++ /*
++ * Careful: update_va_mapping() will fail if the virtual address
++ * we're poking isn't populated in the page tables. We don't
++ * need to worry about the direct map (that's always in the page
++ * tables), but we need to be careful about vmap space. In
++ * particular, the top level page table can lazily propagate
++ * entries between processes, so if we've switched mms since we
++ * vmapped the target in the first place, we might not have the
++ * top-level page table entry populated.
++ *
++ * We disable preemption because we want the same mm active when
++ * we probe the target and when we issue the hypercall. We'll
++ * have the same nominal mm, but if we're a kernel thread, lazy
++ * mm dropping could change our pgd.
++ *
++ * Out of an abundance of caution, this uses __get_user() to fault
++ * in the target address just in case there's some obscure case
++ * in which the target address isn't readable.
++ */
++
++ preempt_disable();
++
++ pagefault_disable(); /* Avoid warnings due to being atomic. */
++ __get_user(dummy, (unsigned char __user __force *)v);
++ pagefault_enable();
++
+ if (HYPERVISOR_update_va_mapping((unsigned long)v, pte, 0))
+ BUG();
+
+@@ -341,6 +366,8 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+ BUG();
+ } else
+ kmap_flush_unused();
++
++ preempt_enable();
+ }
+
+ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries)
+@@ -348,6 +375,17 @@ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries)
+ const unsigned entries_per_page = PAGE_SIZE / LDT_ENTRY_SIZE;
+ int i;
+
++ /*
++ * We need to mark the all aliases of the LDT pages RO. We
++ * don't need to call vm_flush_aliases(), though, since that's
++ * only responsible for flushing aliases out the TLBs, not the
++ * page tables, and Xen will flush the TLB for us if needed.
++ *
++ * To avoid confusing future readers: none of this is necessary
++ * to load the LDT. The hypervisor only checks this when the
++ * LDT is faulted in due to subsequent descriptor access.
++ */
++
+ for(i = 0; i < entries; i += entries_per_page)
+ set_aliased_prot(ldt + i, PAGE_KERNEL_RO);
+ }
+@@ -382,8 +420,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
{
unsigned long va = dtr->address;
unsigned int size = dtr->size + 1;
@@ -32671,7 +32739,7 @@ index 5189fe8..1bf8944 100644
int f;
/*
-@@ -431,8 +428,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
+@@ -431,8 +468,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
{
unsigned long va = dtr->address;
unsigned int size = dtr->size + 1;
@@ -32681,7 +32749,7 @@ index 5189fe8..1bf8944 100644
int f;
/*
-@@ -440,7 +436,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
+@@ -440,7 +476,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
* 8-byte entries, or 16 4k pages..
*/
@@ -32690,7 +32758,7 @@ index 5189fe8..1bf8944 100644
BUG_ON(va & ~PAGE_MASK);
for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) {
-@@ -1072,30 +1068,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
+@@ -1072,30 +1108,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
#endif
};
@@ -32728,7 +32796,7 @@ index 5189fe8..1bf8944 100644
{
if (pm_power_off)
pm_power_off();
-@@ -1144,6 +1140,9 @@ static void __init xen_setup_stackprotector(void)
+@@ -1144,6 +1180,9 @@ static void __init xen_setup_stackprotector(void)
pv_cpu_ops.load_gdt = xen_load_gdt_boot;
setup_stack_canary_segment(0);
@@ -32738,7 +32806,7 @@ index 5189fe8..1bf8944 100644
switch_to_new_gdt(0);
pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry;
-@@ -1196,7 +1195,17 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1196,7 +1235,17 @@ asmlinkage void __init xen_start_kernel(void)
__userpte_alloc_gfp &= ~__GFP_HIGHMEM;
/* Work out if we support NX */
@@ -32757,7 +32825,7 @@ index 5189fe8..1bf8944 100644
xen_setup_features();
-@@ -1227,13 +1236,6 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1227,13 +1276,6 @@ asmlinkage void __init xen_start_kernel(void)
machine_ops = xen_machine_ops;
@@ -32771,7 +32839,7 @@ index 5189fe8..1bf8944 100644
xen_smp_init();
#ifdef CONFIG_ACPI_NUMA
-@@ -1418,7 +1420,7 @@ static int __cpuinit xen_hvm_cpu_notify(struct notifier_block *self,
+@@ -1418,7 +1460,7 @@ static int __cpuinit xen_hvm_cpu_notify(struct notifier_block *self,
return NOTIFY_OK;
}
@@ -43402,7 +43470,7 @@ index c00bcdc..bb5792b 100644
void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
diff --git a/drivers/md/md.c b/drivers/md/md.c
-index ea8a181..4d3faed 100644
+index ea8a181..12a3598 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -278,10 +278,10 @@ EXPORT_SYMBOL_GPL(md_trim_bio);
@@ -43474,7 +43542,30 @@ index ea8a181..4d3faed 100644
INIT_LIST_HEAD(&rdev->same_set);
init_waitqueue_head(&rdev->blocked_wait);
-@@ -6703,7 +6703,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
+@@ -5384,18 +5384,16 @@ static int get_bitmap_file(struct mddev * mddev, void __user * arg)
+ int err = -ENOMEM;
+
+ if (md_allow_write(mddev))
+- file = kmalloc(sizeof(*file), GFP_NOIO);
++ file = kzalloc(sizeof(*file), GFP_NOIO);
+ else
+- file = kmalloc(sizeof(*file), GFP_KERNEL);
++ file = kzalloc(sizeof(*file), GFP_KERNEL);
+
+ if (!file)
+ goto out;
+
+- /* bitmap disabled, zero the first byte and copy out */
+- if (!mddev->bitmap || !mddev->bitmap->file) {
+- file->pathname[0] = '\0';
++ /* bitmap disabled, copy out */
++ if (!mddev->bitmap || !mddev->bitmap->file)
+ goto copy_out;
+- }
+
+ buf = kmalloc(sizeof(file->pathname), GFP_KERNEL);
+ if (!buf)
+@@ -6703,7 +6701,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
spin_unlock(&pers_lock);
seq_printf(seq, "\n");
@@ -43483,7 +43574,7 @@ index ea8a181..4d3faed 100644
return 0;
}
if (v == (void*)2) {
-@@ -6792,7 +6792,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
+@@ -6792,7 +6790,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
chunk_kb ? "KB" : "B");
if (bitmap->file) {
seq_printf(seq, ", file: ");
@@ -43492,7 +43583,7 @@ index ea8a181..4d3faed 100644
}
seq_printf(seq, "\n");
-@@ -6823,7 +6823,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
+@@ -6823,7 +6821,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
return error;
seq = file->private_data;
@@ -43501,7 +43592,7 @@ index ea8a181..4d3faed 100644
return error;
}
-@@ -6837,7 +6837,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
+@@ -6837,7 +6835,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
/* always allow read */
mask = POLLIN | POLLRDNORM;
@@ -43510,7 +43601,7 @@ index ea8a181..4d3faed 100644
mask |= POLLERR | POLLPRI;
return mask;
}
-@@ -6881,7 +6881,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
+@@ -6881,7 +6879,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
(int)part_stat_read(&disk->part0, sectors[1]) -
@@ -50026,7 +50117,7 @@ index 5c6b5f5..015ec9d 100644
if (device_add(&sdkp->dev))
goto out_free_index;
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
-index 2d25616..7502cde 100644
+index 2d25616..c464bcf 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1077,7 +1077,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
@@ -50038,7 +50129,17 @@ index 2d25616..7502cde 100644
case BLKTRACESTART:
return blk_trace_startstop(sdp->device->request_queue, 1);
case BLKTRACESTOP:
-@@ -2312,7 +2312,7 @@ struct sg_proc_leaf {
+@@ -1687,6 +1687,9 @@ static int sg_start_req(Sg_request *srp, unsigned char *cmd)
+ md->from_user = 0;
+ }
+
++ if (unlikely(iov_count > UIO_MAXIOV))
++ return -EINVAL;
++
+ if (iov_count) {
+ int len, size = sizeof(struct sg_iovec) * iov_count;
+ struct iovec *iov;
+@@ -2312,7 +2315,7 @@ struct sg_proc_leaf {
const struct file_operations * fops;
};
@@ -50047,7 +50148,7 @@ index 2d25616..7502cde 100644
{"allow_dio", &adio_fops},
{"debug", &debug_fops},
{"def_reserved_size", &dressz_fops},
-@@ -2327,7 +2327,7 @@ sg_proc_init(void)
+@@ -2327,7 +2330,7 @@ sg_proc_init(void)
{
int k, mask;
int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
@@ -121065,10 +121166,10 @@ index 0000000..457d54e
+}
diff --git a/tools/gcc/kernexec_plugin.c b/tools/gcc/kernexec_plugin.c
new file mode 100644
-index 0000000..b0d8255
+index 0000000..4838c8a
--- /dev/null
+++ b/tools/gcc/kernexec_plugin.c
-@@ -0,0 +1,547 @@
+@@ -0,0 +1,551 @@
+/*
+ * Copyright 2011-2015 by the PaX Team <pageexec@freemail.hu>
+ * Licensed under the GPL v2
@@ -121103,10 +121204,12 @@ index 0000000..b0d8255
+ */
+static void kernexec_reload_fptr_mask(gimple_stmt_iterator *gsi)
+{
++ gimple stmt;
+ gasm *asm_movabs_stmt;
+
+ // build asm volatile("movabs $0x8000000000000000, %%r12\n\t" : : : );
-+ asm_movabs_stmt = gimple_build_asm_vec("movabs $0x8000000000000000, %%r12\n\t", NULL, NULL, NULL, NULL);
++ stmt = gimple_build_asm_vec("movabs $0x8000000000000000, %%r12\n\t", NULL, NULL, NULL, NULL);
++ asm_movabs_stmt = as_a_gasm(stmt);
+ gimple_asm_set_volatile(asm_movabs_stmt, true);
+ gsi_insert_after(gsi, asm_movabs_stmt, GSI_CONTINUE_LINKING);
+ update_stmt(asm_movabs_stmt);
@@ -121200,6 +121303,7 @@ index 0000000..b0d8255
+
+static void kernexec_instrument_fptr_or(gimple_stmt_iterator *gsi)
+{
++ gimple stmt;
+ gasm *asm_or_stmt;
+ gcall *call_stmt;
+ tree old_fptr, new_fptr, input, output;
@@ -121231,7 +121335,8 @@ index 0000000..b0d8255
+ vec_safe_push(inputs, input);
+ vec_safe_push(outputs, output);
+#endif
-+ asm_or_stmt = gimple_build_asm_vec("orq %%r12, %0\n\t", inputs, outputs, NULL, NULL);
++ stmt = gimple_build_asm_vec("orq %%r12, %0\n\t", inputs, outputs, NULL, NULL);
++ asm_or_stmt = as_a_gasm(stmt);
+ SSA_NAME_DEF_STMT(new_fptr) = asm_or_stmt;
+ gimple_asm_set_volatile(asm_or_stmt, true);
+ gsi_insert_before(gsi, asm_or_stmt, GSI_SAME_STMT);
@@ -133346,10 +133451,10 @@ index 0000000..2a693fe
+
diff --git a/tools/gcc/stackleak_plugin.c b/tools/gcc/stackleak_plugin.c
new file mode 100644
-index 0000000..1d296ce
+index 0000000..155e2c5
--- /dev/null
+++ b/tools/gcc/stackleak_plugin.c
-@@ -0,0 +1,432 @@
+@@ -0,0 +1,436 @@
+/*
+ * Copyright 2011-2015 by the PaX Team <pageexec@freemail.hu>
+ * Licensed under the GPL v2
@@ -133389,6 +133494,7 @@ index 0000000..1d296ce
+
+static void stackleak_check_alloca(gimple_stmt_iterator *gsi)
+{
++ gimple stmt;
+ gcall *check_alloca;
+ tree alloca_size;
+ cgraph_node_ptr node;
@@ -133397,7 +133503,8 @@ index 0000000..1d296ce
+
+ // insert call to void pax_check_alloca(unsigned long size)
+ alloca_size = gimple_call_arg(gsi_stmt(*gsi), 0);
-+ check_alloca = gimple_build_call(check_function_decl, 1, alloca_size);
++ stmt = gimple_build_call(check_function_decl, 1, alloca_size);
++ check_alloca = as_a_gcall(stmt);
+ gsi_insert_before(gsi, check_alloca, GSI_SAME_STMT);
+
+ // update the cgraph
@@ -133410,13 +133517,15 @@ index 0000000..1d296ce
+
+static void stackleak_add_instrumentation(gimple_stmt_iterator *gsi)
+{
++ gimple stmt;
+ gcall *track_stack;
+ cgraph_node_ptr node;
+ int frequency;
+ basic_block bb;
+
+ // insert call to void pax_track_stack(void)
-+ track_stack = gimple_build_call(track_function_decl, 0);
++ stmt = gimple_build_call(track_function_decl, 0);
++ track_stack = as_a_gcall(stmt);
+ gsi_insert_after(gsi, track_stack, GSI_CONTINUE_LINKING);
+
+ // update the cgraph
diff --git a/4.1.3/0000_README b/4.1.3/0000_README
index 68a3992..473ae13 100644
--- a/4.1.3/0000_README
+++ b/4.1.3/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.1.3-201507281943.patch
+Patch: 4420_grsecurity-3.1-4.1.3-201508011613.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.1.3/4420_grsecurity-3.1-4.1.3-201507281943.patch b/4.1.3/4420_grsecurity-3.1-4.1.3-201508011613.patch
index fc096b0..bcae8ba 100644
--- a/4.1.3/4420_grsecurity-3.1-4.1.3-201507281943.patch
+++ b/4.1.3/4420_grsecurity-3.1-4.1.3-201508011613.patch
@@ -12840,6 +12840,21 @@ index 0a291cd..9686efc 100644
KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
GCOV_PROFILE := n
+diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
+index 48304b8..0cdc154 100644
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -1193,6 +1193,10 @@ static efi_status_t setup_e820(struct boot_params *params,
+ unsigned int e820_type = 0;
+ unsigned long m = efi->efi_memmap;
+
++#ifdef CONFIG_X86_64
++ m |= (u64)efi->efi_memmap_hi << 32;
++#endif
++
+ d = (efi_memory_desc_t *)(m + (i * efi->efi_memdesc_size));
+ switch (d->type) {
+ case EFI_RESERVED_TYPE:
diff --git a/arch/x86/boot/compressed/efi_stub_32.S b/arch/x86/boot/compressed/efi_stub_32.S
index a53440e..c3dbf1e 100644
--- a/arch/x86/boot/compressed/efi_stub_32.S
@@ -35138,6 +35153,22 @@ index 9b83b90..4112152 100644
return !(ret & 0xff00);
}
EXPORT_SYMBOL(pcibios_set_irq_routing);
+diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
+index 02744df..841ea05 100644
+--- a/arch/x86/platform/efi/efi.c
++++ b/arch/x86/platform/efi/efi.c
+@@ -946,6 +946,11 @@ u64 efi_mem_attributes(unsigned long phys_addr)
+
+ static int __init arch_parse_efi_cmdline(char *str)
+ {
++ if (!str) {
++ pr_warn("need at least one option\n");
++ return -EINVAL;
++ }
++
+ if (parse_option_str(str, "old_map"))
+ set_bit(EFI_OLD_MEMMAP, &efi.flags);
+ if (parse_option_str(str, "debug"))
diff --git a/arch/x86/platform/efi/efi_32.c b/arch/x86/platform/efi/efi_32.c
index ed5b673..24d2d53 100644
--- a/arch/x86/platform/efi/efi_32.c
@@ -36084,7 +36115,7 @@ index e88fda8..76ce7ce 100644
This is the Linux Xen port. Enabling this will allow the
kernel to boot in a paravirtualized environment under the
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index 46957ea..ef7b714 100644
+index 46957ea..a9dc1d9 100644
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -125,8 +125,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
@@ -36096,7 +36127,75 @@ index 46957ea..ef7b714 100644
RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
__read_mostly int xen_have_vector_callback;
EXPORT_SYMBOL_GPL(xen_have_vector_callback);
-@@ -544,8 +542,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
+@@ -483,6 +481,7 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+ pte_t pte;
+ unsigned long pfn;
+ struct page *page;
++ unsigned char dummy;
+
+ ptep = lookup_address((unsigned long)v, &level);
+ BUG_ON(ptep == NULL);
+@@ -492,6 +491,32 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+
+ pte = pfn_pte(pfn, prot);
+
++ /*
++ * Careful: update_va_mapping() will fail if the virtual address
++ * we're poking isn't populated in the page tables. We don't
++ * need to worry about the direct map (that's always in the page
++ * tables), but we need to be careful about vmap space. In
++ * particular, the top level page table can lazily propagate
++ * entries between processes, so if we've switched mms since we
++ * vmapped the target in the first place, we might not have the
++ * top-level page table entry populated.
++ *
++ * We disable preemption because we want the same mm active when
++ * we probe the target and when we issue the hypercall. We'll
++ * have the same nominal mm, but if we're a kernel thread, lazy
++ * mm dropping could change our pgd.
++ *
++ * Out of an abundance of caution, this uses __get_user() to fault
++ * in the target address just in case there's some obscure case
++ * in which the target address isn't readable.
++ */
++
++ preempt_disable();
++
++ pagefault_disable(); /* Avoid warnings due to being atomic. */
++ __get_user(dummy, (unsigned char __user __force *)v);
++ pagefault_enable();
++
+ if (HYPERVISOR_update_va_mapping((unsigned long)v, pte, 0))
+ BUG();
+
+@@ -503,6 +528,8 @@ static void set_aliased_prot(void *v, pgprot_t prot)
+ BUG();
+ } else
+ kmap_flush_unused();
++
++ preempt_enable();
+ }
+
+ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries)
+@@ -510,6 +537,17 @@ static void xen_alloc_ldt(struct desc_struct *ldt, unsigned entries)
+ const unsigned entries_per_page = PAGE_SIZE / LDT_ENTRY_SIZE;
+ int i;
+
++ /*
++ * We need to mark the all aliases of the LDT pages RO. We
++ * don't need to call vm_flush_aliases(), though, since that's
++ * only responsible for flushing aliases out the TLBs, not the
++ * page tables, and Xen will flush the TLB for us if needed.
++ *
++ * To avoid confusing future readers: none of this is necessary
++ * to load the LDT. The hypervisor only checks this when the
++ * LDT is faulted in due to subsequent descriptor access.
++ */
++
+ for(i = 0; i < entries; i += entries_per_page)
+ set_aliased_prot(ldt + i, PAGE_KERNEL_RO);
+ }
+@@ -544,8 +582,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
{
unsigned long va = dtr->address;
unsigned int size = dtr->size + 1;
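Review bot: The result of `__get_user(dummy, ...)` in set_aliased_prot() is discarded, so a probe that fails is only noticed when `HYPERVISOR_update_va_mapping()` fails and reaches `BUG()` on the next statement. If that is intended, the comment block should say so, for example by ending with `The result is ignored: a failed probe is caught by the BUG() on the hypercall.`; otherwise wrapping the probe in `WARN_ON_ONCE()` would leave a trace before the crash. `dummy` is written but never read, which some compiler configurations may report as set-but-unused. The function is spread over several inner hunks, so whether any path leaves between `preempt_disable()` and the `preempt_enable()` at its end cannot be confirmed from here.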
@@ -36106,7 +36205,7 @@ index 46957ea..ef7b714 100644
int f;
/*
-@@ -593,8 +590,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
+@@ -593,8 +630,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
{
unsigned long va = dtr->address;
unsigned int size = dtr->size + 1;
@@ -36116,7 +36215,7 @@ index 46957ea..ef7b714 100644
int f;
/*
-@@ -602,7 +598,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
+@@ -602,7 +638,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
* 8-byte entries, or 16 4k pages..
*/
@@ -36125,7 +36224,7 @@ index 46957ea..ef7b714 100644
BUG_ON(va & ~PAGE_MASK);
for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) {
-@@ -1223,30 +1219,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
+@@ -1223,30 +1259,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
#endif
};
@@ -36163,7 +36262,7 @@ index 46957ea..ef7b714 100644
{
if (pm_power_off)
pm_power_off();
-@@ -1399,8 +1395,11 @@ static void __ref xen_setup_gdt(int cpu)
+@@ -1399,8 +1435,11 @@ static void __ref xen_setup_gdt(int cpu)
pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry_boot;
pv_cpu_ops.load_gdt = xen_load_gdt_boot;
@@ -36177,7 +36276,7 @@ index 46957ea..ef7b714 100644
pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry;
pv_cpu_ops.load_gdt = xen_load_gdt;
-@@ -1515,7 +1514,17 @@ asmlinkage __visible void __init xen_start_kernel(void)
+@@ -1515,7 +1554,17 @@ asmlinkage __visible void __init xen_start_kernel(void)
__userpte_alloc_gfp &= ~__GFP_HIGHMEM;
/* Work out if we support NX */
@@ -36196,7 +36295,7 @@ index 46957ea..ef7b714 100644
/* Get mfn list */
xen_build_dynamic_phys_to_machine();
-@@ -1543,13 +1552,6 @@ asmlinkage __visible void __init xen_start_kernel(void)
+@@ -1543,13 +1592,6 @@ asmlinkage __visible void __init xen_start_kernel(void)
machine_ops = xen_machine_ops;
@@ -40627,10 +40726,22 @@ index 4fd9961..52d60ce 100644
EXPORT_SYMBOL_GPL(cper_next_record_id);
diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
-index e14363d..c3d5d84 100644
+index e14363d..302716e 100644
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
-@@ -159,14 +159,16 @@ static struct attribute_group efi_subsys_attr_group = {
+@@ -57,6 +57,11 @@ bool efi_runtime_disabled(void)
+
+ static int __init parse_efi_cmdline(char *str)
+ {
++ if (!str) {
++ pr_warn("need at least one option\n");
++ return -EINVAL;
++ }
++
+ if (parse_option_str(str, "noruntime"))
+ disable_runtime = true;
+
+@@ -159,14 +164,16 @@ static struct attribute_group efi_subsys_attr_group = {
};
static struct efivars generic_efivars;
@@ -43054,6 +43165,19 @@ index bd1c99d..2fa55ad 100644
struct attribute **attrs;
struct sensor_device_template **t;
int i, count;
+diff --git a/drivers/hwmon/nct7802.c b/drivers/hwmon/nct7802.c
+index 5576579..9192666 100644
+--- a/drivers/hwmon/nct7802.c
++++ b/drivers/hwmon/nct7802.c
+@@ -195,7 +195,7 @@ abort:
+ }
+
+ static int nct7802_write_voltage(struct nct7802_data *data, int nr, int index,
+- unsigned int voltage)
++ unsigned long voltage)
+ {
+ int shift = 8 - REG_VOLTAGE_LIMIT_MSB_SHIFT[index - 1][nr];
+ int err;
diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c
index f2e47c7..45d7941 100644
--- a/drivers/hwmon/pmbus/pmbus_core.c
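Review bot: Widening `voltage` to `unsigned long` in nct7802_write_voltage() only helps if the body range-limits the value before it is narrowed for the register write, and both that code and the caller are outside this hunk. If the caller parses the value as an unsigned long, the old `unsigned int` parameter would have truncated large inputs before any range check could see them. A one-line comment above the function would keep the type from being narrowed again in a later cleanup, for example `/* voltage stays unsigned long so large inputs are range-limited, not truncated */`.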
@@ -45806,7 +45930,7 @@ index 2caf492..0c0dcac 100644
void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
diff --git a/drivers/md/md.c b/drivers/md/md.c
-index 4dbed4a..bed2a6a 100644
+index 4dbed4a..150c3d6 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -197,10 +197,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev);
@@ -45878,6 +46002,40 @@ index 4dbed4a..bed2a6a 100644
INIT_LIST_HEAD(&rdev->same_set);
init_waitqueue_head(&rdev->blocked_wait);
+@@ -5735,22 +5735,22 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
+ char *ptr;
+ int err;
+
+- file = kmalloc(sizeof(*file), GFP_NOIO);
++ file = kzalloc(sizeof(*file), GFP_NOIO);
+ if (!file)
+ return -ENOMEM;
+
+ err = 0;
+ spin_lock(&mddev->lock);
+- /* bitmap disabled, zero the first byte and copy out */
+- if (!mddev->bitmap_info.file)
+- file->pathname[0] = '\0';
+- else if ((ptr = d_path(&mddev->bitmap_info.file->f_path,
+- file->pathname, sizeof(file->pathname))),
+- IS_ERR(ptr))
+- err = PTR_ERR(ptr);
+- else
+- memmove(file->pathname, ptr,
+- sizeof(file->pathname)-(ptr-file->pathname));
++ /* bitmap enabled */
++ if (mddev->bitmap_info.file) {
++ ptr = d_path(&mddev->bitmap_info.file->f_path,
++ file->pathname, sizeof(file->pathname));
++ if (IS_ERR(ptr))
++ err = PTR_ERR(ptr);
++ else
++ memmove(file->pathname, ptr,
++ sizeof(file->pathname)-(ptr-file->pathname));
++ }
+ spin_unlock(&mddev->lock);
+
+ if (err == 0 &&
@@ -7232,7 +7232,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
spin_unlock(&pers_lock);
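Review bot: The switch to `kzalloc()` in get_bitmap_file() is the security-relevant part of this change, but nothing in the code says why the buffer must be zeroed. The trailing `if (err == 0 &&` suggests the whole structure is then copied to the caller's buffer (the copy itself is outside the hunk); with `kmalloc()`, every byte of `file->pathname` that `d_path()` and `memmove()` did not overwrite would have been stale heap content, including the entire array when no bitmap file is set. I would add `/* zeroed: the full struct is copied to user space, including bytes d_path() never writes */` above the allocation so that a later cleanup does not turn it back into `kmalloc()`.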
@@ -49293,9 +49451,18 @@ index 6223930..975033d 100644
__vxge_hw_mempool_create(vpath->hldev,
fifo->config->memblock_size,
diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
-index 33669c2..a29c75e 100644
+index 33669c2..674c39a 100644
--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
+@@ -1415,7 +1415,7 @@ static int qlcnic_83xx_copy_fw_file(struct qlcnic_adapter *adapter)
+ if (fw->size & 0xF) {
+ addr = dest + size;
+ for (i = 0; i < (fw->size & 0xF); i++)
+- data[i] = temp[size + i];
++ data[i] = ((u8 *)temp)[size + i];
+ for (; i < 16; i++)
+ data[i] = 0;
+ ret = qlcnic_ms_mem_write128(adapter, addr,
@@ -2324,7 +2324,9 @@ int qlcnic_83xx_configure_opmode(struct qlcnic_adapter *adapter)
max_tx_rings = QLCNIC_MAX_VNIC_TX_RINGS;
} else if (ret == QLC_83XX_DEFAULT_OPMODE) {
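Review bot: The cast `((u8 *)temp)[size + i]` in the tail loop of qlcnic_83xx_copy_fw_file() corrects the element width at the point of use but leaves the mismatch between `temp`'s declared type and the byte offset `size` in place for the next reader. The declaration of `temp` is outside the hunk; if it aliases `fw->data`, reading the tail as `data[i] = fw->data[size + i];` avoids the cast and keeps the source const-qualified. Failing that, a short comment that `size` is a byte offset rather than an element index would make clear why the cast is needed.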
@@ -79178,6 +79345,94 @@ index f734562..3fd6c4e 100644
}
EXPORT_SYMBOL_GPL(nfs_inc_attr_generation_counter);
+diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h
+index 9e6475b..7970138 100644
+--- a/fs/nfs/internal.h
++++ b/fs/nfs/internal.h
+@@ -296,6 +296,22 @@ extern struct rpc_procinfo nfs4_procedures[];
+
+ #ifdef CONFIG_NFS_V4_SECURITY_LABEL
+ extern struct nfs4_label *nfs4_label_alloc(struct nfs_server *server, gfp_t flags);
++static inline struct nfs4_label *
++nfs4_label_copy(struct nfs4_label *dst, struct nfs4_label *src)
++{
++ if (!dst || !src)
++ return NULL;
++
++ if (src->len > NFS4_MAXLABELLEN)
++ return NULL;
++
++ dst->lfs = src->lfs;
++ dst->pi = src->pi;
++ dst->len = src->len;
++ memcpy(dst->label, src->label, src->len);
++
++ return dst;
++}
+ static inline void nfs4_label_free(struct nfs4_label *label)
+ {
+ if (label) {
+@@ -316,6 +332,11 @@ static inline void nfs4_label_free(void *label) {}
+ static inline void nfs_zap_label_cache_locked(struct nfs_inode *nfsi)
+ {
+ }
++static inline struct nfs4_label *
++nfs4_label_copy(struct nfs4_label *dst, struct nfs4_label *src)
++{
++ return NULL;
++}
+ #endif /* CONFIG_NFS_V4_SECURITY_LABEL */
+
+ /* proc.c */
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 55e1e3a..3886f50 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -916,6 +916,7 @@ struct nfs4_opendata {
+ struct nfs_open_confirmres c_res;
+ struct nfs4_string owner_name;
+ struct nfs4_string group_name;
++ struct nfs4_label *a_label;
+ struct nfs_fattr f_attr;
+ struct nfs4_label *f_label;
+ struct dentry *dir;
+@@ -1019,6 +1020,10 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
+ if (IS_ERR(p->f_label))
+ goto err_free_p;
+
++ p->a_label = nfs4_label_alloc(server, gfp_mask);
++ if (IS_ERR(p->a_label))
++ goto err_free_f;
++
+ alloc_seqid = server->nfs_client->cl_mvops->alloc_seqid;
+ p->o_arg.seqid = alloc_seqid(&sp->so_seqid, gfp_mask);
+ if (IS_ERR(p->o_arg.seqid))
+@@ -1047,7 +1052,7 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
+ p->o_arg.server = server;
+ p->o_arg.bitmask = nfs4_bitmask(server, label);
+ p->o_arg.open_bitmap = &nfs4_fattr_bitmap[0];
+- p->o_arg.label = label;
++ p->o_arg.label = nfs4_label_copy(p->a_label, label);
+ p->o_arg.claim = nfs4_map_atomic_open_claim(server, claim);
+ switch (p->o_arg.claim) {
+ case NFS4_OPEN_CLAIM_NULL:
+@@ -1080,6 +1085,8 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
+ return p;
+
+ err_free_label:
++ nfs4_label_free(p->a_label);
++err_free_f:
+ nfs4_label_free(p->f_label);
+ err_free_p:
+ kfree(p);
+@@ -1099,6 +1106,7 @@ static void nfs4_opendata_free(struct kref *kref)
+ nfs4_put_open_state(p->state);
+ nfs4_put_state_owner(p->owner);
+
++ nfs4_label_free(p->a_label);
+ nfs4_label_free(p->f_label);
+
+ dput(p->dir);
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 864e200..357c255 100644
--- a/fs/nfsd/nfs4proc.c
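Review bot: In nfs4_opendata_alloc() the attribute bitmask is still computed from the caller's `label` while `p->o_arg.label` now comes from `nfs4_label_copy()`, which returns NULL when `src->len > NFS4_MAXLABELLEN` or when `p->a_label` is NULL. In those cases the request would carry a bitmask chosen for a labelled open but no label, assuming `nfs4_bitmask()` keys on its second argument being non-NULL, which the hunk does not show. Doing the copy first and passing its result keeps the two in step: `p->o_arg.label = nfs4_label_copy(p->a_label, label);` followed by `p->o_arg.bitmask = nfs4_bitmask(server, p->o_arg.label);`. Separately, the oversize case drops the security label silently, so a comment on `nfs4_label_copy()` stating that NULL means "send no label" would help, and `src` could be `const`. The function starts and ends outside these hunks.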
@@ -119867,6 +120122,30 @@ index 63e6956..ebbbcf6 100644
msg.msg_controllen = len;
msg.msg_flags = flags;
+diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
+index 96f153c..82fcad9 100644
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1650,6 +1650,7 @@ int ndisc_rcv(struct sk_buff *skb)
+ static int ndisc_netdev_event(struct notifier_block *this, unsigned long event, void *ptr)
+ {
+ struct net_device *dev = netdev_notifier_info_to_dev(ptr);
++ struct netdev_notifier_change_info *change_info;
+ struct net *net = dev_net(dev);
+ struct inet6_dev *idev;
+
+@@ -1664,6 +1665,11 @@ static int ndisc_netdev_event(struct notifier_block *this, unsigned long event,
+ ndisc_send_unsol_na(dev);
+ in6_dev_put(idev);
+ break;
++ case NETDEV_CHANGE:
++ change_info = ptr;
++ if (change_info->flags_changed & IFF_NOARP)
++ neigh_changeaddr(&nd_tbl, dev);
++ break;
+ case NETDEV_DOWN:
+ neigh_ifdown(&nd_tbl, dev);
+ fib6_run_gc(0, net, false);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 62f5b0d..331fdb1 100644
--- a/net/ipv6/netfilter/ip6_tables.c
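Review bot: The new `NETDEV_CHANGE` case in ndisc_netdev_event() has no comment explaining why a change of `IFF_NOARP` leads to `neigh_changeaddr()`, and the assignment `change_info = ptr;` relies on the notifier payload having a particular type for this event. I would add `/* IFF_NOARP toggled: drop neighbour entries created under the old setting */` above the `if`. I would also note at the assignment that `ptr` is a `struct netdev_notifier_change_info` only for `NETDEV_CHANGE`, so the cast is not copied into another case. The function continues outside the hunk.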
@@ -125458,6 +125737,25 @@ index aee2ec5..c276071 100644
/* record the root user tracking */
rb_link_node(&root_key_user.node,
+diff --git a/security/keys/keyring.c b/security/keys/keyring.c
+index e72548b..d334370 100644
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -1181,9 +1181,11 @@ void __key_link_end(struct key *keyring,
+ if (index_key->type == &key_type_keyring)
+ up_write(&keyring_serialise_link_sem);
+
+- if (edit && !edit->dead_leaf) {
+- key_payload_reserve(keyring,
+- keyring->datalen - KEYQUOTA_LINK_BYTES);
++ if (edit) {
++ if (!edit->dead_leaf) {
++ key_payload_reserve(keyring,
++ keyring->datalen - KEYQUOTA_LINK_BYTES);
++ }
+ assoc_array_cancel_edit(edit);
+ }
+ up_write(&keyring->sem);
diff --git a/security/min_addr.c b/security/min_addr.c
index f728728..6457a0c 100644
--- a/security/min_addr.c
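Review bot: The restructured `if (edit)` block in __key_link_end() now calls `assoc_array_cancel_edit(edit)` whether or not `edit->dead_leaf` is set, but no comment records that only the quota adjustment depends on `dead_leaf`. Before this change an edit with `dead_leaf` set skipped the cancel as well, which looks like an edit script that was never released. I would add `/* always cancel the edit; only the quota give-back depends on dead_leaf */` above the outer `if` so the two conditions are not merged again. The function begins outside the hunk.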