author | Anthony G. Basile <blueness@gentoo.org> | 2015-01-29 06:41:51 -0500 |
committer | Anthony G. Basile <blueness@gentoo.org> | 2015-01-29 06:41:51 -0500 |
commit | cf65d04c20ef96fe10613b77e58f65f11f612701 (patch) | |
tree | 6b7331cd3e61b433d4a00ef3034c23573084d33f | |
parent | Grsec/PaX: 3.0-{3.2.66,3.14.29,3.18.3}-201501211944 (diff) | |
Grsec/PaX: 3.0-{3.2.66,3.14.30,3.18.4}-20150127230720150127
-rw-r--r-- | 3.14.30/0000_README (renamed from 3.14.29/0000_README) | 2 | ||||
-rw-r--r-- | 3.14.30/4420_grsecurity-3.0-3.14.30-201501272307.patch (renamed from 3.14.29/4420_grsecurity-3.0-3.14.29-201501211943.patch) | 661 | ||||
-rw-r--r-- | 3.14.30/4425_grsec_remove_EI_PAX.patch (renamed from 3.14.29/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.14.30/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.14.29/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 3.14.30/4430_grsec-remove-localversion-grsec.patch (renamed from 3.14.29/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.14.30/4435_grsec-mute-warnings.patch (renamed from 3.14.29/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.14.30/4440_grsec-remove-protected-paths.patch (renamed from 3.14.29/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.14.30/4450_grsec-kconfig-default-gids.patch (renamed from 3.14.29/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.14.30/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.14.29/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.14.30/4470_disable-compat_vdso.patch (renamed from 3.14.29/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.14.30/4475_emutramp_default_on.patch (renamed from 3.14.29/4475_emutramp_default_on.patch) | 0 | ||||
-rw-r--r-- | 3.18.4/0000_README (renamed from 3.18.3/0000_README) | 4 | ||||
-rw-r--r-- | 3.18.4/4420_grsecurity-3.0-3.18.4-201501272307.patch (renamed from 3.18.3/4420_grsecurity-3.0-3.18.3-201501211944.patch) | 743 | ||||
-rw-r--r-- | 3.18.4/4425_grsec_remove_EI_PAX.patch (renamed from 3.18.3/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.18.4/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.18.3/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 3.18.4/4430_grsec-remove-localversion-grsec.patch (renamed from 3.18.3/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.18.4/4435_grsec-mute-warnings.patch (renamed from 3.18.3/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.18.4/4440_grsec-remove-protected-paths.patch (renamed from 3.18.3/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.18.4/4450_grsec-kconfig-default-gids.patch (renamed from 3.18.3/4450_grsec-kconfig-default-gids.patch) | 12 | ||||
-rw-r--r-- | 3.18.4/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.18.3/4465_selinux-avc_audit-log-curr_ip.patch) | 2 | ||||
-rw-r--r-- | 3.18.4/4470_disable-compat_vdso.patch (renamed from 3.18.3/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.18.4/4475_emutramp_default_on.patch (renamed from 3.18.3/4475_emutramp_default_on.patch) | 0 | ||||
-rw-r--r-- | 3.2.66/0000_README | 2 | ||||
-rw-r--r-- | 3.2.66/4420_grsecurity-3.0-3.2.66-201501272306.patch (renamed from 3.2.66/4420_grsecurity-3.0-3.2.66-201501211939.patch) | 227 |
24 files changed, 1208 insertions, 445 deletions
diff --git a/3.14.29/0000_README b/3.14.30/0000_README index 77bdae3..e7390a1 100644 --- a/3.14.29/0000_README +++ b/3.14.30/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.0-3.14.29-201501211943.patch +Patch: 4420_grsecurity-3.0-3.14.30-201501272307.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.14.29/4420_grsecurity-3.0-3.14.29-201501211943.patch b/3.14.30/4420_grsecurity-3.0-3.14.30-201501272307.patch index 5df869a..fa3669a 100644 --- a/3.14.29/4420_grsecurity-3.0-3.14.29-201501211943.patch +++ b/3.14.30/4420_grsecurity-3.0-3.14.30-201501272307.patch @@ -235,7 +235,7 @@ index b89a739..e289b9b 100644 +zconf.lex.c zoffset.h diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt -index 7116fda..2f71588 100644 +index 5d91ba1..935a4e7 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt @@ -1084,6 +1084,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. @@ -249,7 +249,7 @@ index 7116fda..2f71588 100644 hashdist= [KNL,NUMA] Large hashes allocated during boot are distributed across NUMA nodes. Defaults on for 64-bit NUMA, off otherwise. -@@ -2080,6 +2084,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. +@@ -2081,6 +2085,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. noexec=on: enable non-executable mappings (default) noexec=off: disable non-executable mappings 
@@ -260,7 +260,7 @@ index 7116fda..2f71588 100644 nosmap [X86] Disable SMAP (Supervisor Mode Access Prevention) even if it is supported by processor. -@@ -2347,6 +2355,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted. +@@ -2348,6 +2356,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted. the specified number of seconds. This is to be used if your oopses keep scrolling off the screen. @@ -292,7 +292,7 @@ index 7116fda..2f71588 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index 7aff64e..32dc1aa 100644 +index 5b94752..8acf114 100644 --- a/Makefile +++ b/Makefile @@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -16387,7 +16387,7 @@ index 1717156..14e260a 100644 "6:\n" ".previous\n" diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h -index 50d033a..37deb26 100644 +index 50d033a..59ecefa 100644 --- a/arch/x86/include/asm/desc.h +++ b/arch/x86/include/asm/desc.h @@ -4,6 +4,7 @@ @@ -16485,7 +16485,7 @@ index 50d033a..37deb26 100644 } static inline void native_load_gdt(const struct desc_ptr *dtr) -@@ -247,8 +258,10 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu) +@@ -247,11 +258,14 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu) struct desc_struct *gdt = get_cpu_gdt_table(cpu); unsigned int i; 
@@ -16495,8 +16495,37 @@ index 50d033a..37deb26 100644 + pax_close_kernel(); } - #define _LDT_empty(info) \ -@@ -287,7 +300,7 @@ static inline void load_LDT(mm_context_t *pc) +-#define _LDT_empty(info) \ ++/* This intentionally ignores lm, since 32-bit apps don't have that field. */ ++#define LDT_empty(info) \ + ((info)->base_addr == 0 && \ + (info)->limit == 0 && \ + (info)->contents == 0 && \ +@@ -261,11 +275,18 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu) + (info)->seg_not_present == 1 && \ + (info)->useable == 0) + +-#ifdef CONFIG_X86_64 +-#define LDT_empty(info) (_LDT_empty(info) && ((info)->lm == 0)) +-#else +-#define LDT_empty(info) (_LDT_empty(info)) +-#endif ++/* Lots of programs expect an all-zero user_desc to mean "no segment at all". */ ++static inline bool LDT_zero(const struct user_desc *info) ++{ ++ return (info->base_addr == 0 && ++ info->limit == 0 && ++ info->contents == 0 && ++ info->read_exec_only == 0 && ++ info->seg_32bit == 0 && ++ info->limit_in_pages == 0 && ++ info->seg_not_present == 0 && ++ info->useable == 0); ++} + + static inline void clear_LDT(void) + { +@@ -287,7 +308,7 @@ static inline void load_LDT(mm_context_t *pc) preempt_enable(); } @@ -16505,7 +16534,7 @@ index 50d033a..37deb26 100644 { return (unsigned)(desc->base0 | ((desc->base1) << 16) | ((desc->base2) << 24)); } -@@ -311,7 +324,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit) +@@ -311,7 +332,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit) } #ifdef CONFIG_X86_64 @@ -16514,7 +16543,7 @@ index 50d033a..37deb26 100644 { gate_desc s; -@@ -321,14 +334,14 @@ static inline void set_nmi_gate(int gate, void *addr) +@@ -321,14 +342,14 @@ static inline void set_nmi_gate(int gate, void *addr) #endif #ifdef CONFIG_TRACING 
@@ -16532,7 +16561,7 @@ index 50d033a..37deb26 100644 unsigned dpl, unsigned ist, unsigned seg) { gate_desc s; -@@ -348,7 +361,7 @@ static inline void write_trace_idt_entry(int entry, const gate_desc *gate) +@@ -348,7 +369,7 @@ static inline void write_trace_idt_entry(int entry, const gate_desc *gate) #define _trace_set_gate(gate, type, addr, dpl, ist, seg) #endif @@ -16541,7 +16570,7 @@ index 50d033a..37deb26 100644 unsigned dpl, unsigned ist, unsigned seg) { gate_desc s; -@@ -371,9 +384,9 @@ static inline void _set_gate(int gate, unsigned type, void *addr, +@@ -371,9 +392,9 @@ static inline void _set_gate(int gate, unsigned type, void *addr, #define set_intr_gate(n, addr) \ do { \ BUG_ON((unsigned)n > 0xFF); \ @@ -16553,7 +16582,7 @@ index 50d033a..37deb26 100644 0, 0, __KERNEL_CS); \ } while (0) -@@ -401,19 +414,19 @@ static inline void alloc_system_vector(int vector) +@@ -401,19 +422,19 @@ static inline void alloc_system_vector(int vector) /* * This routine sets up an interrupt gate at directory privilege level 3. */ @@ -16576,7 +16605,7 @@ index 50d033a..37deb26 100644 { BUG_ON((unsigned)n > 0xFF); _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS); -@@ -422,16 +435,16 @@ static inline void set_trap_gate(unsigned int n, void *addr) +@@ -422,16 +443,16 @@ static inline void set_trap_gate(unsigned int n, void *addr) static inline void set_task_gate(unsigned int n, unsigned int gdt_entry) { BUG_ON((unsigned)n > 0xFF); @@ -16596,7 +16625,7 @@ index 50d033a..37deb26 100644 { BUG_ON((unsigned)n > 0xFF); _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS); -@@ -503,4 +516,17 @@ static inline void load_current_idt(void) +@@ -503,4 +524,17 @@ static inline void load_current_idt(void) else load_idt((const struct desc_ptr *)&idt_descr); } @@ -22264,10 +22293,10 @@ index 01d1c18..8073693 100644 #include <asm/processor.h> #include <asm/fcntl.h> 
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S -index c5a9cb9..228d280 100644 +index c5a9cb9..b6a5426 100644 --- a/arch/x86/kernel/entry_32.S +++ b/arch/x86/kernel/entry_32.S -@@ -177,13 +177,153 @@ +@@ -177,13 +177,154 @@ /*CFI_REL_OFFSET gs, PT_GS*/ .endm .macro SET_KERNEL_GS reg @@ -22396,6 +22425,7 @@ index c5a9cb9..228d280 100644 + jne 1b + +2: cld ++ or $2*4, %edi + mov %esp, %ecx + sub %edi, %ecx + @@ -22422,7 +22452,7 @@ index c5a9cb9..228d280 100644 cld PUSH_GS pushl_cfi %fs -@@ -206,7 +346,7 @@ +@@ -206,7 +347,7 @@ CFI_REL_OFFSET ecx, 0 pushl_cfi %ebx CFI_REL_OFFSET ebx, 0 @@ -22431,7 +22461,7 @@ index c5a9cb9..228d280 100644 movl %edx, %ds movl %edx, %es movl $(__KERNEL_PERCPU), %edx -@@ -214,6 +354,15 @@ +@@ -214,6 +355,15 @@ SET_KERNEL_GS %edx .endm @@ -22447,7 +22477,7 @@ index c5a9cb9..228d280 100644 .macro RESTORE_INT_REGS popl_cfi %ebx CFI_RESTORE ebx -@@ -297,7 +446,7 @@ ENTRY(ret_from_fork) +@@ -297,7 +447,7 @@ ENTRY(ret_from_fork) popfl_cfi jmp syscall_exit CFI_ENDPROC @@ -22456,7 +22486,7 @@ index c5a9cb9..228d280 100644 ENTRY(ret_from_kernel_thread) CFI_STARTPROC -@@ -344,7 +493,15 @@ ret_from_intr: +@@ -344,7 +494,15 @@ ret_from_intr: andl $SEGMENT_RPL_MASK, %eax #endif cmpl $USER_RPL, %eax @@ -22472,7 +22502,7 @@ index c5a9cb9..228d280 100644 ENTRY(resume_userspace) LOCKDEP_SYS_EXIT -@@ -356,8 +513,8 @@ ENTRY(resume_userspace) +@@ -356,8 +514,8 @@ ENTRY(resume_userspace) andl $_TIF_WORK_MASK, %ecx # is there any work to be done on # int/exception return? jne work_pending @@ -22483,7 +22513,7 @@ index c5a9cb9..228d280 100644 #ifdef CONFIG_PREEMPT ENTRY(resume_kernel) -@@ -369,7 +526,7 @@ need_resched: +@@ -369,7 +527,7 @@ need_resched: jz restore_all call preempt_schedule_irq jmp need_resched 
@@ -22492,7 +22522,7 @@ index c5a9cb9..228d280 100644 #endif CFI_ENDPROC /* -@@ -403,30 +560,45 @@ sysenter_past_esp: +@@ -403,30 +561,45 @@ sysenter_past_esp: /*CFI_REL_OFFSET cs, 0*/ /* * Push current_thread_info()->sysenter_return to the stack. @@ -22541,7 +22571,7 @@ index c5a9cb9..228d280 100644 testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%ebp) jnz sysenter_audit sysenter_do_call: -@@ -442,12 +614,24 @@ sysenter_after_call: +@@ -442,12 +615,24 @@ sysenter_after_call: testl $_TIF_ALLWORK_MASK, %ecx jne sysexit_audit sysenter_exit: @@ -22566,7 +22596,7 @@ index c5a9cb9..228d280 100644 PTGS_TO_GS ENABLE_INTERRUPTS_SYSEXIT -@@ -464,6 +648,9 @@ sysenter_audit: +@@ -464,6 +649,9 @@ sysenter_audit: movl %eax,%edx /* 2nd arg: syscall number */ movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */ call __audit_syscall_entry @@ -22576,7 +22606,7 @@ index c5a9cb9..228d280 100644 pushl_cfi %ebx movl PT_EAX(%esp),%eax /* reload syscall number */ jmp sysenter_do_call -@@ -489,10 +676,16 @@ sysexit_audit: +@@ -489,10 +677,16 @@ sysexit_audit: CFI_ENDPROC .pushsection .fixup,"ax" @@ -22595,7 +22625,7 @@ index c5a9cb9..228d280 100644 PTGS_TO_GS_EX ENDPROC(ia32_sysenter_target) -@@ -507,6 +700,11 @@ ENTRY(system_call) +@@ -507,6 +701,11 @@ ENTRY(system_call) pushl_cfi %eax # save orig_eax SAVE_ALL GET_THREAD_INFO(%ebp) @@ -22607,7 +22637,7 @@ index c5a9cb9..228d280 100644 # system call tracing in operation / emulation testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%ebp) jnz syscall_trace_entry -@@ -526,6 +724,15 @@ syscall_exit: +@@ -526,6 +725,15 @@ syscall_exit: testl $_TIF_ALLWORK_MASK, %ecx # current->work jne syscall_exit_work @@ -22623,7 +22653,7 @@ index c5a9cb9..228d280 100644 restore_all: TRACE_IRQS_IRET restore_all_notrace: -@@ -580,14 +787,34 @@ ldt_ss: +@@ -580,14 +788,34 @@ ldt_ss: * compensating for the offset by changing to the ESPFIX segment with * a base address that matches for the difference. */ 
@@ -22661,7 +22691,7 @@ index c5a9cb9..228d280 100644 pushl_cfi $__ESPFIX_SS pushl_cfi %eax /* new kernel esp */ /* Disable interrupts, but do not irqtrace this section: we -@@ -617,20 +844,18 @@ work_resched: +@@ -617,20 +845,18 @@ work_resched: movl TI_flags(%ebp), %ecx andl $_TIF_WORK_MASK, %ecx # is there any work to be done other # than syscall tracing? @@ -22684,7 +22714,7 @@ index c5a9cb9..228d280 100644 #endif TRACE_IRQS_ON ENABLE_INTERRUPTS(CLBR_NONE) -@@ -651,7 +876,7 @@ work_notifysig_v86: +@@ -651,7 +877,7 @@ work_notifysig_v86: movl %eax, %esp jmp 1b #endif @@ -22693,7 +22723,7 @@ index c5a9cb9..228d280 100644 # perform syscall exit tracing ALIGN -@@ -659,11 +884,14 @@ syscall_trace_entry: +@@ -659,11 +885,14 @@ syscall_trace_entry: movl $-ENOSYS,PT_EAX(%esp) movl %esp, %eax call syscall_trace_enter @@ -22709,7 +22739,7 @@ index c5a9cb9..228d280 100644 # perform syscall exit tracing ALIGN -@@ -676,26 +904,30 @@ syscall_exit_work: +@@ -676,26 +905,30 @@ syscall_exit_work: movl %esp, %eax call syscall_trace_leave jmp resume_userspace @@ -22744,7 +22774,7 @@ index c5a9cb9..228d280 100644 CFI_ENDPROC /* * End of kprobes section -@@ -712,8 +944,15 @@ END(syscall_badsys) +@@ -712,8 +945,15 @@ END(syscall_badsys) */ #ifdef CONFIG_X86_ESPFIX32 /* fixup the stack */ @@ -22762,7 +22792,7 @@ index c5a9cb9..228d280 100644 shl $16, %eax addl %esp, %eax /* the adjusted stack pointer */ pushl_cfi $__KERNEL_DS -@@ -769,7 +1008,7 @@ vector=vector+1 +@@ -769,7 +1009,7 @@ vector=vector+1 .endr 2: jmp common_interrupt .endr @@ -22771,7 +22801,7 @@ index c5a9cb9..228d280 100644 .previous END(interrupt) -@@ -830,7 +1069,7 @@ ENTRY(coprocessor_error) +@@ -830,7 +1070,7 @@ ENTRY(coprocessor_error) pushl_cfi $do_coprocessor_error jmp error_code CFI_ENDPROC 
@@ -22780,7 +22810,7 @@ index c5a9cb9..228d280 100644 ENTRY(simd_coprocessor_error) RING0_INT_FRAME -@@ -843,7 +1082,7 @@ ENTRY(simd_coprocessor_error) +@@ -843,7 +1083,7 @@ ENTRY(simd_coprocessor_error) .section .altinstructions,"a" altinstruction_entry 661b, 663f, X86_FEATURE_XMM, 662b-661b, 664f-663f .previous @@ -22789,7 +22819,7 @@ index c5a9cb9..228d280 100644 663: pushl $do_simd_coprocessor_error 664: .previous -@@ -852,7 +1091,7 @@ ENTRY(simd_coprocessor_error) +@@ -852,7 +1092,7 @@ ENTRY(simd_coprocessor_error) #endif jmp error_code CFI_ENDPROC @@ -22798,7 +22828,7 @@ index c5a9cb9..228d280 100644 ENTRY(device_not_available) RING0_INT_FRAME -@@ -861,18 +1100,18 @@ ENTRY(device_not_available) +@@ -861,18 +1101,18 @@ ENTRY(device_not_available) pushl_cfi $do_device_not_available jmp error_code CFI_ENDPROC @@ -22820,7 +22850,7 @@ index c5a9cb9..228d280 100644 #endif ENTRY(overflow) -@@ -882,7 +1121,7 @@ ENTRY(overflow) +@@ -882,7 +1122,7 @@ ENTRY(overflow) pushl_cfi $do_overflow jmp error_code CFI_ENDPROC @@ -22829,7 +22859,7 @@ index c5a9cb9..228d280 100644 ENTRY(bounds) RING0_INT_FRAME -@@ -891,7 +1130,7 @@ ENTRY(bounds) +@@ -891,7 +1131,7 @@ ENTRY(bounds) pushl_cfi $do_bounds jmp error_code CFI_ENDPROC @@ -22838,7 +22868,7 @@ index c5a9cb9..228d280 100644 ENTRY(invalid_op) RING0_INT_FRAME -@@ -900,7 +1139,7 @@ ENTRY(invalid_op) +@@ -900,7 +1140,7 @@ ENTRY(invalid_op) pushl_cfi $do_invalid_op jmp error_code CFI_ENDPROC @@ -22847,7 +22877,7 @@ index c5a9cb9..228d280 100644 ENTRY(coprocessor_segment_overrun) RING0_INT_FRAME -@@ -909,7 +1148,7 @@ ENTRY(coprocessor_segment_overrun) +@@ -909,7 +1149,7 @@ ENTRY(coprocessor_segment_overrun) pushl_cfi $do_coprocessor_segment_overrun jmp error_code CFI_ENDPROC @@ -22856,7 +22886,7 @@ index c5a9cb9..228d280 100644 ENTRY(invalid_TSS) RING0_EC_FRAME -@@ -917,7 +1156,7 @@ ENTRY(invalid_TSS) +@@ -917,7 +1157,7 @@ ENTRY(invalid_TSS) pushl_cfi $do_invalid_TSS jmp error_code CFI_ENDPROC 
@@ -22865,7 +22895,7 @@ index c5a9cb9..228d280 100644 ENTRY(segment_not_present) RING0_EC_FRAME -@@ -925,7 +1164,7 @@ ENTRY(segment_not_present) +@@ -925,7 +1165,7 @@ ENTRY(segment_not_present) pushl_cfi $do_segment_not_present jmp error_code CFI_ENDPROC @@ -22874,7 +22904,7 @@ index c5a9cb9..228d280 100644 ENTRY(stack_segment) RING0_EC_FRAME -@@ -933,7 +1172,7 @@ ENTRY(stack_segment) +@@ -933,7 +1173,7 @@ ENTRY(stack_segment) pushl_cfi $do_stack_segment jmp error_code CFI_ENDPROC @@ -22883,7 +22913,7 @@ index c5a9cb9..228d280 100644 ENTRY(alignment_check) RING0_EC_FRAME -@@ -941,7 +1180,7 @@ ENTRY(alignment_check) +@@ -941,7 +1181,7 @@ ENTRY(alignment_check) pushl_cfi $do_alignment_check jmp error_code CFI_ENDPROC @@ -22892,7 +22922,7 @@ index c5a9cb9..228d280 100644 ENTRY(divide_error) RING0_INT_FRAME -@@ -950,7 +1189,7 @@ ENTRY(divide_error) +@@ -950,7 +1190,7 @@ ENTRY(divide_error) pushl_cfi $do_divide_error jmp error_code CFI_ENDPROC @@ -22901,7 +22931,7 @@ index c5a9cb9..228d280 100644 #ifdef CONFIG_X86_MCE ENTRY(machine_check) -@@ -960,7 +1199,7 @@ ENTRY(machine_check) +@@ -960,7 +1200,7 @@ ENTRY(machine_check) pushl_cfi machine_check_vector jmp error_code CFI_ENDPROC @@ -22910,7 +22940,7 @@ index c5a9cb9..228d280 100644 #endif ENTRY(spurious_interrupt_bug) -@@ -970,7 +1209,7 @@ ENTRY(spurious_interrupt_bug) +@@ -970,7 +1210,7 @@ ENTRY(spurious_interrupt_bug) pushl_cfi $do_spurious_interrupt_bug jmp error_code CFI_ENDPROC @@ -22919,7 +22949,7 @@ index c5a9cb9..228d280 100644 /* * End of kprobes section */ -@@ -1080,7 +1319,7 @@ BUILD_INTERRUPT3(hyperv_callback_vector, HYPERVISOR_CALLBACK_VECTOR, +@@ -1080,7 +1320,7 @@ BUILD_INTERRUPT3(hyperv_callback_vector, HYPERVISOR_CALLBACK_VECTOR, ENTRY(mcount) ret @@ -22928,7 +22958,7 @@ index c5a9cb9..228d280 100644 ENTRY(ftrace_caller) cmpl $0, function_trace_stop -@@ -1113,7 +1352,7 @@ ftrace_graph_call: +@@ -1113,7 +1353,7 @@ ftrace_graph_call: .globl ftrace_stub ftrace_stub: ret 
@@ -22937,7 +22967,7 @@ index c5a9cb9..228d280 100644 ENTRY(ftrace_regs_caller) pushf /* push flags before compare (in cs location) */ -@@ -1217,7 +1456,7 @@ trace: +@@ -1217,7 +1457,7 @@ trace: popl %ecx popl %eax jmp ftrace_stub @@ -22946,7 +22976,7 @@ index c5a9cb9..228d280 100644 #endif /* CONFIG_DYNAMIC_FTRACE */ #endif /* CONFIG_FUNCTION_TRACER */ -@@ -1235,7 +1474,7 @@ ENTRY(ftrace_graph_caller) +@@ -1235,7 +1475,7 @@ ENTRY(ftrace_graph_caller) popl %ecx popl %eax ret @@ -22955,7 +22985,7 @@ index c5a9cb9..228d280 100644 .globl return_to_handler return_to_handler: -@@ -1301,15 +1540,18 @@ error_code: +@@ -1301,15 +1541,18 @@ error_code: movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart REG_TO_PTGS %ecx SET_KERNEL_GS %ecx @@ -22976,7 +23006,7 @@ index c5a9cb9..228d280 100644 /* * Debug traps and NMI can happen at the one SYSENTER instruction -@@ -1352,7 +1594,7 @@ debug_stack_correct: +@@ -1352,7 +1595,7 @@ debug_stack_correct: call do_debug jmp ret_from_exception CFI_ENDPROC @@ -22985,7 +23015,7 @@ index c5a9cb9..228d280 100644 /* * NMI is doubly nasty. It can happen _while_ we're handling -@@ -1392,6 +1634,9 @@ nmi_stack_correct: +@@ -1392,6 +1635,9 @@ nmi_stack_correct: xorl %edx,%edx # zero error code movl %esp,%eax # pt_regs pointer call do_nmi @@ -22995,7 +23025,7 @@ index c5a9cb9..228d280 100644 jmp restore_all_notrace CFI_ENDPROC -@@ -1429,13 +1674,16 @@ nmi_espfix_stack: +@@ -1429,13 +1675,16 @@ nmi_espfix_stack: FIXUP_ESPFIX_STACK # %eax == %esp xorl %edx,%edx # zero error code call do_nmi @@ -23013,7 +23043,7 @@ index c5a9cb9..228d280 100644 ENTRY(int3) RING0_INT_FRAME -@@ -1448,14 +1696,14 @@ ENTRY(int3) +@@ -1448,14 +1697,14 @@ ENTRY(int3) call do_int3 jmp ret_from_exception CFI_ENDPROC @@ -23030,7 +23060,7 @@ index c5a9cb9..228d280 100644 #ifdef CONFIG_KVM_GUEST ENTRY(async_page_fault) -@@ -1464,7 +1712,7 @@ ENTRY(async_page_fault) +@@ -1464,7 +1713,7 @@ ENTRY(async_page_fault) pushl_cfi $do_async_page_fault jmp error_code CFI_ENDPROC 
@@ -23040,7 +23070,7 @@ index c5a9cb9..228d280 100644 /* diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index 02553d6..d1fcecb 100644 +index 02553d6..81f4dc7 100644 --- a/arch/x86/kernel/entry_64.S +++ b/arch/x86/kernel/entry_64.S @@ -60,6 +60,8 @@ @@ -23127,7 +23157,7 @@ index 02553d6..d1fcecb 100644 #endif -@@ -285,6 +294,430 @@ ENTRY(native_usergs_sysret64) +@@ -285,6 +294,431 @@ ENTRY(native_usergs_sysret64) ENDPROC(native_usergs_sysret64) #endif /* CONFIG_PARAVIRT */ @@ -23532,6 +23562,7 @@ index 02553d6..d1fcecb 100644 + jne 1b + +2: cld ++ or $2*8, %rdi + mov %esp, %ecx + sub %edi, %ecx + @@ -23558,7 +23589,7 @@ index 02553d6..d1fcecb 100644 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET #ifdef CONFIG_TRACE_IRQFLAGS -@@ -321,7 +754,7 @@ ENDPROC(native_usergs_sysret64) +@@ -321,7 +755,7 @@ ENDPROC(native_usergs_sysret64) .endm .macro TRACE_IRQS_IRETQ_DEBUG offset=ARGOFFSET @@ -23567,7 +23598,7 @@ index 02553d6..d1fcecb 100644 jnc 1f TRACE_IRQS_ON_DEBUG 1: -@@ -359,27 +792,6 @@ ENDPROC(native_usergs_sysret64) +@@ -359,27 +793,6 @@ ENDPROC(native_usergs_sysret64) movq \tmp,R11+\offset(%rsp) .endm @@ -23595,7 +23626,7 @@ index 02553d6..d1fcecb 100644 /* * initial frame state for interrupts (and exceptions without error code) */ -@@ -446,25 +858,26 @@ ENDPROC(native_usergs_sysret64) +@@ -446,25 +859,26 @@ ENDPROC(native_usergs_sysret64) /* save partial stack frame */ .macro SAVE_ARGS_IRQ cld @@ -23635,7 +23666,7 @@ index 02553d6..d1fcecb 100644 je 1f SWAPGS /* -@@ -484,6 +897,18 @@ ENDPROC(native_usergs_sysret64) +@@ -484,6 +898,18 @@ ENDPROC(native_usergs_sysret64) 0x06 /* DW_OP_deref */, \ 0x08 /* DW_OP_const1u */, SS+8-RBP, \ 0x22 /* DW_OP_plus */ @@ -23654,7 +23685,7 @@ index 02553d6..d1fcecb 100644 /* We entered an interrupt context - irqs are off: */ TRACE_IRQS_OFF .endm -@@ -515,9 +940,52 @@ ENTRY(save_paranoid) +@@ -515,9 +941,52 @@ ENTRY(save_paranoid) js 1f /* negative -> in kernel */ SWAPGS xorl %ebx,%ebx 
@@ -23709,7 +23740,7 @@ index 02553d6..d1fcecb 100644 .popsection /* -@@ -539,7 +1007,7 @@ ENTRY(ret_from_fork) +@@ -539,7 +1008,7 @@ ENTRY(ret_from_fork) RESTORE_REST @@ -23718,7 +23749,7 @@ index 02553d6..d1fcecb 100644 jz 1f testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET -@@ -549,15 +1017,13 @@ ENTRY(ret_from_fork) +@@ -549,15 +1018,13 @@ ENTRY(ret_from_fork) jmp ret_from_sys_call # go to the SYSRET fastpath 1: @@ -23735,7 +23766,7 @@ index 02553d6..d1fcecb 100644 /* * System call entry. Up to 6 arguments in registers are supported. -@@ -594,7 +1060,7 @@ END(ret_from_fork) +@@ -594,7 +1061,7 @@ END(ret_from_fork) ENTRY(system_call) CFI_STARTPROC simple CFI_SIGNAL_FRAME @@ -23744,7 +23775,7 @@ index 02553d6..d1fcecb 100644 CFI_REGISTER rip,rcx /*CFI_REGISTER rflags,r11*/ SWAPGS_UNSAFE_STACK -@@ -607,16 +1073,23 @@ GLOBAL(system_call_after_swapgs) +@@ -607,16 +1074,23 @@ GLOBAL(system_call_after_swapgs) movq %rsp,PER_CPU_VAR(old_rsp) movq PER_CPU_VAR(kernel_stack),%rsp @@ -23770,7 +23801,7 @@ index 02553d6..d1fcecb 100644 jnz tracesys system_call_fastpath: #if __SYSCALL_MASK == ~0 -@@ -640,10 +1113,13 @@ sysret_check: +@@ -640,10 +1114,13 @@ sysret_check: LOCKDEP_SYS_EXIT DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF @@ -23785,7 +23816,7 @@ index 02553d6..d1fcecb 100644 /* * sysretq will re-enable interrupts: */ -@@ -702,6 +1178,9 @@ auditsys: +@@ -702,6 +1179,9 @@ auditsys: movq %rax,%rsi /* 2nd arg: syscall number */ movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */ call __audit_syscall_entry @@ -23795,7 +23826,7 @@ index 02553d6..d1fcecb 100644 LOAD_ARGS 0 /* reload call-clobbered registers */ jmp system_call_fastpath -@@ -723,7 +1202,7 @@ sysret_audit: +@@ -723,7 +1203,7 @@ sysret_audit: /* Do syscall tracing */ tracesys: #ifdef CONFIG_AUDITSYSCALL 
@@ -23804,7 +23835,7 @@ index 02553d6..d1fcecb 100644 jz auditsys #endif SAVE_REST -@@ -731,12 +1210,15 @@ tracesys: +@@ -731,12 +1211,15 @@ tracesys: FIXUP_TOP_OF_STACK %rdi movq %rsp,%rdi call syscall_trace_enter @@ -23821,7 +23852,7 @@ index 02553d6..d1fcecb 100644 RESTORE_REST #if __SYSCALL_MASK == ~0 cmpq $__NR_syscall_max,%rax -@@ -766,7 +1248,9 @@ GLOBAL(int_with_check) +@@ -766,7 +1249,9 @@ GLOBAL(int_with_check) andl %edi,%edx jnz int_careful andl $~TS_COMPAT,TI_status(%rcx) @@ -23832,7 +23863,7 @@ index 02553d6..d1fcecb 100644 /* Either reschedule or signal or syscall exit tracking needed. */ /* First do a reschedule test. */ -@@ -812,7 +1296,7 @@ int_restore_rest: +@@ -812,7 +1297,7 @@ int_restore_rest: TRACE_IRQS_OFF jmp int_with_check CFI_ENDPROC @@ -23841,7 +23872,7 @@ index 02553d6..d1fcecb 100644 .macro FORK_LIKE func ENTRY(stub_\func) -@@ -825,9 +1309,10 @@ ENTRY(stub_\func) +@@ -825,9 +1310,10 @@ ENTRY(stub_\func) DEFAULT_FRAME 0 8 /* offset 8: return address */ call sys_\func RESTORE_TOP_OF_STACK %r11, 8 @@ -23854,7 +23885,7 @@ index 02553d6..d1fcecb 100644 .endm .macro FIXED_FRAME label,func -@@ -837,9 +1322,10 @@ ENTRY(\label) +@@ -837,9 +1323,10 @@ ENTRY(\label) FIXUP_TOP_OF_STACK %r11, 8-ARGOFFSET call \func RESTORE_TOP_OF_STACK %r11, 8-ARGOFFSET @@ -23866,7 +23897,7 @@ index 02553d6..d1fcecb 100644 .endm FORK_LIKE clone -@@ -847,19 +1333,6 @@ END(\label) +@@ -847,19 +1334,6 @@ END(\label) FORK_LIKE vfork FIXED_FRAME stub_iopl, sys_iopl @@ -23886,7 +23917,7 @@ index 02553d6..d1fcecb 100644 ENTRY(stub_execve) CFI_STARTPROC addq $8, %rsp -@@ -871,7 +1344,7 @@ ENTRY(stub_execve) +@@ -871,7 +1345,7 @@ ENTRY(stub_execve) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -23895,7 +23926,7 @@ index 02553d6..d1fcecb 100644 /* * sigreturn is special because it needs to restore all registers on return. -@@ -888,7 +1361,7 @@ ENTRY(stub_rt_sigreturn) +@@ -888,7 +1362,7 @@ ENTRY(stub_rt_sigreturn) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC 
@@ -23904,7 +23935,7 @@ index 02553d6..d1fcecb 100644 #ifdef CONFIG_X86_X32_ABI ENTRY(stub_x32_rt_sigreturn) -@@ -902,7 +1375,7 @@ ENTRY(stub_x32_rt_sigreturn) +@@ -902,7 +1376,7 @@ ENTRY(stub_x32_rt_sigreturn) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -23913,7 +23944,7 @@ index 02553d6..d1fcecb 100644 ENTRY(stub_x32_execve) CFI_STARTPROC -@@ -916,7 +1389,7 @@ ENTRY(stub_x32_execve) +@@ -916,7 +1390,7 @@ ENTRY(stub_x32_execve) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -23922,7 +23953,7 @@ index 02553d6..d1fcecb 100644 #endif -@@ -953,7 +1426,7 @@ vector=vector+1 +@@ -953,7 +1427,7 @@ vector=vector+1 2: jmp common_interrupt .endr CFI_ENDPROC @@ -23931,7 +23962,7 @@ index 02553d6..d1fcecb 100644 .previous END(interrupt) -@@ -970,8 +1443,8 @@ END(interrupt) +@@ -970,8 +1444,8 @@ END(interrupt) /* 0(%rsp): ~(interrupt number) */ .macro interrupt func /* reserve pt_regs for scratch regs and rbp */ @@ -23942,7 +23973,7 @@ index 02553d6..d1fcecb 100644 SAVE_ARGS_IRQ call \func .endm -@@ -998,14 +1471,14 @@ ret_from_intr: +@@ -998,14 +1472,14 @@ ret_from_intr: /* Restore saved previous stack */ popq %rsi @@ -23961,7 +23992,7 @@ index 02553d6..d1fcecb 100644 je retint_kernel /* Interrupt came from user space */ -@@ -1027,12 +1500,35 @@ retint_swapgs: /* return to user-space */ +@@ -1027,12 +1501,35 @@ retint_swapgs: /* return to user-space */ * The iretq could re-enable interrupts: */ DISABLE_INTERRUPTS(CLBR_ANY) @@ -23997,7 +24028,7 @@ index 02553d6..d1fcecb 100644 /* * The iretq could re-enable interrupts: */ -@@ -1070,15 +1566,15 @@ native_irq_return_ldt: +@@ -1070,15 +1567,15 @@ native_irq_return_ldt: SWAPGS movq PER_CPU_VAR(espfix_waddr),%rdi movq %rax,(0*8)(%rdi) /* RAX */ @@ -24018,7 +24049,7 @@ index 02553d6..d1fcecb 100644 movq %rax,(4*8)(%rdi) andl $0xffff0000,%eax popq_cfi %rdi -@@ -1132,7 +1628,7 @@ ENTRY(retint_kernel) +@@ -1132,7 +1629,7 @@ ENTRY(retint_kernel) jmp exit_intr #endif CFI_ENDPROC 
@@ -24027,7 +24058,7 @@ index 02553d6..d1fcecb 100644 /* * End of kprobes section -@@ -1151,7 +1647,7 @@ ENTRY(\sym) +@@ -1151,7 +1648,7 @@ ENTRY(\sym) interrupt \do_sym jmp ret_from_intr CFI_ENDPROC @@ -24036,7 +24067,7 @@ index 02553d6..d1fcecb 100644 .endm #ifdef CONFIG_TRACING -@@ -1239,7 +1735,7 @@ ENTRY(\sym) +@@ -1239,7 +1736,7 @@ ENTRY(\sym) call \do_sym jmp error_exit /* %ebx: no swapgs flag */ CFI_ENDPROC @@ -24045,7 +24076,7 @@ index 02553d6..d1fcecb 100644 .endm .macro paranoidzeroentry sym do_sym -@@ -1257,10 +1753,10 @@ ENTRY(\sym) +@@ -1257,10 +1754,10 @@ ENTRY(\sym) call \do_sym jmp paranoid_exit /* %ebx: no swapgs flag */ CFI_ENDPROC @@ -24058,7 +24089,7 @@ index 02553d6..d1fcecb 100644 .macro paranoidzeroentry_ist sym do_sym ist ENTRY(\sym) INTR_FRAME -@@ -1273,12 +1769,18 @@ ENTRY(\sym) +@@ -1273,12 +1770,18 @@ ENTRY(\sym) TRACE_IRQS_OFF_DEBUG movq %rsp,%rdi /* pt_regs pointer */ xorl %esi,%esi /* no error code */ @@ -24078,7 +24109,7 @@ index 02553d6..d1fcecb 100644 .endm .macro errorentry sym do_sym -@@ -1296,7 +1798,7 @@ ENTRY(\sym) +@@ -1296,7 +1799,7 @@ ENTRY(\sym) call \do_sym jmp error_exit /* %ebx: no swapgs flag */ CFI_ENDPROC @@ -24087,7 +24118,7 @@ index 02553d6..d1fcecb 100644 .endm #ifdef CONFIG_TRACING -@@ -1327,7 +1829,7 @@ ENTRY(\sym) +@@ -1327,7 +1830,7 @@ ENTRY(\sym) call \do_sym jmp paranoid_exit /* %ebx: no swapgs flag */ CFI_ENDPROC @@ -24096,7 +24127,7 @@ index 02553d6..d1fcecb 100644 .endm zeroentry divide_error do_divide_error -@@ -1357,9 +1859,10 @@ gs_change: +@@ -1357,9 +1860,10 @@ gs_change: 2: mfence /* workaround */ SWAPGS popfq_cfi @@ -24108,7 +24139,7 @@ index 02553d6..d1fcecb 100644 _ASM_EXTABLE(gs_change,bad_gs) .section .fixup,"ax" -@@ -1387,9 +1890,10 @@ ENTRY(do_softirq_own_stack) +@@ -1387,9 +1891,10 @@ ENTRY(do_softirq_own_stack) CFI_DEF_CFA_REGISTER rsp CFI_ADJUST_CFA_OFFSET -8 decl PER_CPU_VAR(irq_count) 
@@ -24120,7 +24151,7 @@ index 02553d6..d1fcecb 100644 #ifdef CONFIG_XEN zeroentry xen_hypervisor_callback xen_do_hypervisor_callback -@@ -1427,7 +1931,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) +@@ -1427,7 +1932,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) decl PER_CPU_VAR(irq_count) jmp error_exit CFI_ENDPROC @@ -24129,7 +24160,7 @@ index 02553d6..d1fcecb 100644 /* * Hypervisor uses this for application faults while it executes. -@@ -1486,7 +1990,7 @@ ENTRY(xen_failsafe_callback) +@@ -1486,7 +1991,7 @@ ENTRY(xen_failsafe_callback) SAVE_ALL jmp error_exit CFI_ENDPROC @@ -24138,7 +24169,7 @@ index 02553d6..d1fcecb 100644 apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \ xen_hvm_callback_vector xen_evtchn_do_upcall -@@ -1538,18 +2042,33 @@ ENTRY(paranoid_exit) +@@ -1538,18 +2043,33 @@ ENTRY(paranoid_exit) DEFAULT_FRAME DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF_DEBUG @@ -24174,7 +24205,7 @@ index 02553d6..d1fcecb 100644 jmp irq_return paranoid_userspace: GET_THREAD_INFO(%rcx) -@@ -1578,7 +2097,7 @@ paranoid_schedule: +@@ -1578,7 +2098,7 @@ paranoid_schedule: TRACE_IRQS_OFF jmp paranoid_userspace CFI_ENDPROC @@ -24183,7 +24214,7 @@ index 02553d6..d1fcecb 100644 /* * Exception entry point. This expects an error code/orig_rax on the stack. -@@ -1605,12 +2124,23 @@ ENTRY(error_entry) +@@ -1605,12 +2125,23 @@ ENTRY(error_entry) movq_cfi r14, R14+8 movq_cfi r15, R15+8 xorl %ebx,%ebx @@ -24208,7 +24239,7 @@ index 02553d6..d1fcecb 100644 ret /* -@@ -1644,7 +2174,7 @@ error_bad_iret: +@@ -1644,7 +2175,7 @@ error_bad_iret: decl %ebx /* Return to usergs */ jmp error_sti CFI_ENDPROC @@ -24217,7 +24248,7 @@ index 02553d6..d1fcecb 100644 /* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */ -@@ -1655,7 +2185,7 @@ ENTRY(error_exit) +@@ -1655,7 +2186,7 @@ ENTRY(error_exit) DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF GET_THREAD_INFO(%rcx) 
@@ -24226,7 +24257,7 @@ index 02553d6..d1fcecb 100644 jne retint_kernel LOCKDEP_SYS_EXIT_IRQ movl TI_flags(%rcx),%edx -@@ -1664,7 +2194,7 @@ ENTRY(error_exit) +@@ -1664,7 +2195,7 @@ ENTRY(error_exit) jnz retint_careful jmp retint_swapgs CFI_ENDPROC @@ -24235,7 +24266,7 @@ index 02553d6..d1fcecb 100644 /* * Test if a given stack is an NMI stack or not. -@@ -1722,9 +2252,11 @@ ENTRY(nmi) +@@ -1722,9 +2253,11 @@ ENTRY(nmi) * If %cs was not the kernel segment, then the NMI triggered in user * space, which means it is definitely not nested. */ @@ -24248,7 +24279,7 @@ index 02553d6..d1fcecb 100644 /* * Check the special variable on the stack to see if NMIs are * executing. -@@ -1758,8 +2290,7 @@ nested_nmi: +@@ -1758,8 +2291,7 @@ nested_nmi: 1: /* Set up the interrupted NMIs stack to jump to repeat_nmi */ @@ -24258,7 +24289,7 @@ index 02553d6..d1fcecb 100644 CFI_ADJUST_CFA_OFFSET 1*8 leaq -10*8(%rsp), %rdx pushq_cfi $__KERNEL_DS -@@ -1777,6 +2308,7 @@ nested_nmi_out: +@@ -1777,6 +2309,7 @@ nested_nmi_out: CFI_RESTORE rdx /* No need to check faults here */ @@ -24266,7 +24297,7 @@ index 02553d6..d1fcecb 100644 INTERRUPT_RETURN CFI_RESTORE_STATE -@@ -1873,13 +2405,13 @@ end_repeat_nmi: +@@ -1873,13 +2406,13 @@ end_repeat_nmi: subq $ORIG_RAX-R15, %rsp CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 /* @@ -24282,7 +24313,7 @@ index 02553d6..d1fcecb 100644 DEFAULT_FRAME 0 /* -@@ -1889,9 +2421,9 @@ end_repeat_nmi: +@@ -1889,9 +2422,9 @@ end_repeat_nmi: * NMI itself takes a page fault, the page fault that was preempted * will read the information from the NMI page fault and not the * origin fault. Save it off and restore it if it changes. @@ -24294,7 +24325,7 @@ index 02553d6..d1fcecb 100644 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */ movq %rsp,%rdi -@@ -1900,31 +2432,36 @@ end_repeat_nmi: +@@ -1900,31 +2433,36 @@ end_repeat_nmi: /* Did the NMI take a page fault? Restore cr2 if it did */ movq %cr2, %rcx @@ -25668,7 +25699,7 @@ index 7ec1d5f..5a7d130 100644 } 
diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c -index 79a3f96..6ba030a 100644 +index a1f5b18..9d9e077 100644 --- a/arch/x86/kernel/kprobes/core.c +++ b/arch/x86/kernel/kprobes/core.c @@ -119,9 +119,12 @@ static void __kprobes __synthesize_relative_insn(void *from, void *to, u8 op) @@ -26573,7 +26604,7 @@ index 3fb8d95..254dc51 100644 +} +#endif diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c -index 0de43e9..056b840 100644 +index 0de43e9..b0211fe 100644 --- a/arch/x86/kernel/process_32.c +++ b/arch/x86/kernel/process_32.c @@ -64,6 +64,7 @@ asmlinkage void ret_from_kernel_thread(void) __asm__("ret_from_kernel_thread"); @@ -26618,7 +26649,7 @@ index 0de43e9..056b840 100644 p->thread.sp = (unsigned long) childregs; p->thread.sp0 = (unsigned long) (childregs+1); -+ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p); ++ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p) + 2 * sizeof(unsigned long); if (unlikely(p->flags & PF_KTHREAD)) { /* kernel thread */ @@ -26678,7 +26709,7 @@ index 0de43e9..056b840 100644 } - diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c -index e2d26ce..10f7ec2 100644 +index e2d26ce..d49eb67 100644 --- a/arch/x86/kernel/process_64.c +++ b/arch/x86/kernel/process_64.c @@ -158,10 +158,11 @@ int copy_thread(unsigned long clone_flags, unsigned long sp, @@ -26690,7 +26721,7 @@ index e2d26ce..10f7ec2 100644 childregs = task_pt_regs(p); p->thread.sp = (unsigned long) childregs; p->thread.usersp = me->thread.usersp; -+ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p); ++ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p) + 2 * sizeof(unsigned long); set_tsk_thread_flag(p, TIF_FORK); p->thread.fpu_counter = 0; p->thread.io_bitmap_ptr = NULL; @@ -27835,10 +27866,49 @@ index 24d3c91..d06b473 100644 return pc; } diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c -index 4e942f3..d0f623f 100644 +index 4e942f3..c6e445a 100644 
--- a/arch/x86/kernel/tls.c +++ b/arch/x86/kernel/tls.c -@@ -118,6 +118,11 @@ int do_set_thread_area(struct task_struct *p, int idx, +@@ -29,7 +29,28 @@ static int get_free_idx(void) + + static bool tls_desc_okay(const struct user_desc *info) + { +- if (LDT_empty(info)) ++ /* ++ * For historical reasons (i.e. no one ever documented how any ++ * of the segmentation APIs work), user programs can and do ++ * assume that a struct user_desc that's all zeros except for ++ * entry_number means "no segment at all". This never actually ++ * worked. In fact, up to Linux 3.19, a struct user_desc like ++ * this would create a 16-bit read-write segment with base and ++ * limit both equal to zero. ++ * ++ * That was close enough to "no segment at all" until we ++ * hardened this function to disallow 16-bit TLS segments. Fix ++ * it up by interpreting these zeroed segments the way that they ++ * were almost certainly intended to be interpreted. ++ * ++ * The correct way to ask for "no segment at all" is to specify ++ * a user_desc that satisfies LDT_empty. To keep everything ++ * working, we accept both. ++ * ++ * Note that there's a similar kludge in modify_ldt -- look at ++ * the distinction between modes 1 and 0x11. ++ */ ++ if (LDT_empty(info) || LDT_zero(info)) + return true; + + /* +@@ -71,7 +92,7 @@ static void set_tls_desc(struct task_struct *p, int idx, + cpu = get_cpu(); + + while (n-- > 0) { +- if (LDT_empty(info)) ++ if (LDT_empty(info) || LDT_zero(info)) + desc->a = desc->b = 0; + else + fill_ldt(desc, info); +@@ -118,6 +139,11 @@ int do_set_thread_area(struct task_struct *p, int idx, if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) return -EINVAL; 
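Review bot: Both new uses of `LDT_zero(info)` in tls_desc_okay() and set_tls_desc() depend on a helper whose definition is not in this chunk (upstream puts it next to LDT_empty in arch/x86/include/asm/desc.h), so the tls.c change alone does not build; confirm the patch also carries that hunk. The long comment added above the check is the upstream wording and refers to "up to Linux 3.19", which reads oddly inside a 3.14 tree — a one-line lead such as `/* backported from upstream; the 3.19 reference below is historical */` would save the next reader a detour. The fallback in set_tls_desc() correctly writes a null descriptor (`desc->a = desc->b = 0`) for an all-zero user_desc rather than building a 16-bit segment, which is the behaviour the comment describes. The enclosing functions start and end outside the hunk.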
@@ -27850,7 +27920,7 @@ index 4e942f3..d0f623f 100644 set_tls_desc(p, idx, &info, 1); return 0; -@@ -235,7 +240,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, +@@ -235,7 +261,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, if (kbuf) info = kbuf; @@ -28654,10 +28724,63 @@ index c697625..a032162 100644 out: diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index 38d3751..1702329 100644 +index 38d3751..497a96f 100644 --- a/arch/x86/kvm/emulate.c 
+++ b/arch/x86/kvm/emulate.c -@@ -3401,7 +3401,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) +@@ -2258,7 +2258,7 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt) + * Not recognized on AMD in compat mode (but is recognized in legacy + * mode). + */ +- if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA) ++ if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA) + && !vendor_intel(ctxt)) + return emulate_ud(ctxt); + +@@ -2271,25 +2271,13 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt) + setup_syscalls_segments(ctxt, &cs, &ss); + + ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data); +- switch (ctxt->mode) { +- case X86EMUL_MODE_PROT32: +- if ((msr_data & 0xfffc) == 0x0) +- return emulate_gp(ctxt, 0); +- break; +- case X86EMUL_MODE_PROT64: +- if (msr_data == 0x0) +- return emulate_gp(ctxt, 0); +- break; +- default: +- break; +- } ++ if ((msr_data & 0xfffc) == 0x0) ++ return emulate_gp(ctxt, 0); + + ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF); +- cs_sel = (u16)msr_data; +- cs_sel &= ~SELECTOR_RPL_MASK; ++ cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK; + ss_sel = cs_sel + 8; +- ss_sel &= ~SELECTOR_RPL_MASK; +- if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) { ++ if (efer & EFER_LMA) { + cs.d = 0; + cs.l = 1; + } +@@ -2298,10 +2286,11 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt) + ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS); + + ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data); +- ctxt->_eip = msr_data; ++ ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data; + + ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data); +- *reg_write(ctxt, VCPU_REGS_RSP) = msr_data; ++ *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data : ++ (u32)msr_data; + + return X86EMUL_CONTINUE; + } +@@ -3401,7 +3390,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) int cr = ctxt->modrm_reg; u64 efer = 0; 
@@ -28666,7 +28789,7 @@ index 38d3751..1702329 100644 0xffffffff00000000ULL, 0, 0, 0, /* CR3 checked later */ CR4_RESERVED_BITS, -@@ -3436,7 +3436,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) +@@ -3436,7 +3425,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) ctxt->ops->get_msr(ctxt, MSR_EFER, &efer); if (efer & EFER_LMA) @@ -28675,6 +28798,17 @@ index 38d3751..1702329 100644 else if (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_PAE) rsvd = CR3_PAE_RESERVED_BITS; else if (ctxt->ops->get_cr(ctxt, 0) & X86_CR0_PG) +@@ -3668,8 +3657,8 @@ static const struct opcode group5[] = { + }; + + static const struct opcode group6[] = { +- DI(Prot, sldt), +- DI(Prot, str), ++ DI(Prot | DstMem, sldt), ++ DI(Prot | DstMem, str), + II(Prot | Priv | SrcMem16, em_lldt, lldt), + II(Prot | Priv | SrcMem16, em_ltr, ltr), + N, N, N, N, diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c index 453e5fb..214168f 100644 --- a/arch/x86/kvm/lapic.c @@ -28729,7 +28863,7 @@ index 9643eda6..c9cb765 100644 local_irq_disable(); diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c -index 0c90f4b..9fca4d7 100644 +index de42688..6e3ace5 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -441,6 +441,7 @@ struct vcpu_vmx { @@ -41997,7 +42131,7 @@ index 956ab7f..fbd36d8 100644 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID); diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c -index 040a2a1..eae4e54 100644 +index 45a9a03..3cadf87 100644 --- a/drivers/gpu/drm/radeon/radeon_ttm.c +++ b/drivers/gpu/drm/radeon/radeon_ttm.c @@ -790,7 +790,7 @@ void radeon_ttm_set_active_vram_size(struct radeon_device *rdev, u64 size) @@ -42102,7 +42236,7 @@ index dbc2def..0a9f710 100644 kobject_put(&zone->kobj); return ret; diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c -index cf4bad2..3d50d64 100644 +index 76329d2..9c422dd 100644 --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c 
@@ -54,7 +54,7 @@ @@ -42114,14 +42248,15 @@ index cf4bad2..3d50d64 100644 /* times are in msecs */ #define PAGE_FREE_INTERVAL 1000 -@@ -299,14 +299,13 @@ static void ttm_pool_update_free_locked(struct ttm_page_pool *pool, +@@ -299,15 +299,14 @@ static void ttm_pool_update_free_locked(struct ttm_page_pool *pool, * @free_all: If set to true will free all pages in pool - * @gfp: GFP flags. + * @use_static: Safe to use static buffer **/ -static int ttm_page_pool_free(struct ttm_page_pool *pool, unsigned nr_free, +static unsigned long ttm_page_pool_free(struct ttm_page_pool *pool, unsigned long nr_free, - gfp_t gfp) + bool use_static) { + static struct page *static_buf[NUM_PAGES_TO_ALLOC]; unsigned long irq_flags; struct page *p; struct page **pages_to_free; @@ -42131,7 +42266,7 @@ index cf4bad2..3d50d64 100644 if (NUM_PAGES_TO_ALLOC < nr_free) npages_to_free = NUM_PAGES_TO_ALLOC; -@@ -366,7 +365,8 @@ restart: +@@ -371,7 +370,8 @@ restart: __list_del(&p->lru, &pool->list); ttm_pool_update_free_locked(pool, freed_pages); @@ -42141,7 +42276,7 @@ index cf4bad2..3d50d64 100644 } spin_unlock_irqrestore(&pool->lock, irq_flags); -@@ -395,7 +395,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) +@@ -399,7 +399,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) unsigned i; unsigned pool_offset; struct ttm_page_pool *pool; @@ -42150,7 +42285,7 @@ index cf4bad2..3d50d64 100644 unsigned long freed = 0; if (!mutex_trylock(&lock)) -@@ -403,7 +403,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) +@@ -407,7 +407,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) pool_offset = ++start_pool % NUM_POOLS; /* select start pool in round robin fashion */ for (i = 0; i < NUM_POOLS; ++i) { 
@@ -42159,7 +42294,7 @@ index cf4bad2..3d50d64 100644 if (shrink_pages == 0) break; pool = &_manager->pools[(i + pool_offset)%NUM_POOLS]; -@@ -669,7 +669,7 @@ out: +@@ -673,7 +673,7 @@ out: } /* Put all pages in pages list to correct pool to wait for reuse */ @@ -42168,7 +42303,7 @@ index cf4bad2..3d50d64 100644 enum ttm_caching_state cstate) { unsigned long irq_flags; -@@ -724,7 +724,7 @@ static int ttm_get_pages(struct page **pages, unsigned npages, int flags, +@@ -728,7 +728,7 @@ static int ttm_get_pages(struct page **pages, unsigned npages, int flags, struct list_head plist; struct page *p = NULL; gfp_t gfp_flags = GFP_USER; @@ -42178,7 +42313,7 @@ index cf4bad2..3d50d64 100644 /* set zero flag for page allocation if required */ diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c -index ca65df1..4f0024b 100644 +index 3dfa97d..44bfcb7 100644 --- a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c +++ b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c @@ -56,7 +56,7 @@ @@ -42190,15 +42325,16 @@ index ca65df1..4f0024b 100644 /* times are in msecs */ #define IS_UNDEFINED (0) #define IS_WC (1<<1) -@@ -413,15 +413,14 @@ static void ttm_dma_page_put(struct dma_pool *pool, struct dma_page *d_page) +@@ -413,7 +413,7 @@ static void ttm_dma_page_put(struct dma_pool *pool, struct dma_page *d_page) * @nr_free: If set to true will free all pages in pool - * @gfp: GFP flags. + * @use_static: Safe to use static buffer **/ -static unsigned ttm_dma_page_pool_free(struct dma_pool *pool, unsigned nr_free, +static unsigned long ttm_dma_page_pool_free(struct dma_pool *pool, unsigned long nr_free, - gfp_t gfp) + bool use_static) { - unsigned long irq_flags; + static struct page *static_buf[NUM_PAGES_TO_ALLOC]; +@@ -421,8 +421,7 @@ static unsigned ttm_dma_page_pool_free(struct dma_pool *pool, unsigned nr_free, struct dma_page *dma_p, *tmp; struct page **pages_to_free; struct list_head d_pages; 
@@ -42208,7 +42344,7 @@ index ca65df1..4f0024b 100644 if (NUM_PAGES_TO_ALLOC < nr_free) npages_to_free = NUM_PAGES_TO_ALLOC; -@@ -494,7 +493,8 @@ restart: +@@ -499,7 +498,8 @@ restart: /* remove range of pages from the pool */ if (freed_pages) { ttm_pool_update_free_locked(pool, freed_pages); @@ -42218,7 +42354,7 @@ index ca65df1..4f0024b 100644 } spin_unlock_irqrestore(&pool->lock, irq_flags); -@@ -928,7 +928,7 @@ void ttm_dma_unpopulate(struct ttm_dma_tt *ttm_dma, struct device *dev) +@@ -935,7 +935,7 @@ void ttm_dma_unpopulate(struct ttm_dma_tt *ttm_dma, struct device *dev) struct dma_page *d_page, *next; enum pool_type type; bool is_cached = false; @@ -42227,7 +42363,7 @@ index ca65df1..4f0024b 100644 unsigned long irq_flags; type = ttm_to_type(ttm->page_flags, ttm->caching_state); -@@ -1005,7 +1005,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) +@@ -1010,7 +1010,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) static unsigned start_pool; unsigned idx = 0; unsigned pool_offset; @@ -42236,7 +42372,7 @@ index ca65df1..4f0024b 100644 struct device_pools *p; unsigned long freed = 0; -@@ -1018,7 +1018,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) +@@ -1023,7 +1023,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) goto out; pool_offset = ++start_pool % _manager->npools; list_for_each_entry(p, &_manager->pools, pools) { @@ -42245,8 +42381,8 @@ index ca65df1..4f0024b 100644 if (!p->dev) continue; -@@ -1032,7 +1032,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) - sc->gfp_mask); +@@ -1037,7 +1037,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) + shrink_pages = ttm_dma_page_pool_free(p->pool, nr_free, true); freed += nr_free - shrink_pages; - pr_debug("%s: (%s:%d) Asked to shrink %d, have %d more to go\n", 
@@ -48334,10 +48470,10 @@ index 1252d9c..80e660b 100644 /* We've got a compressed packet; read the change byte */ diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c -index 979fe43..3f92d61 100644 +index 32efe83..cef96b8 100644 --- a/drivers/net/team/team.c +++ b/drivers/net/team/team.c -@@ -2086,7 +2086,7 @@ static unsigned int team_get_num_rx_queues(void) +@@ -2098,7 +2098,7 @@ static unsigned int team_get_num_rx_queues(void) return TEAM_DEFAULT_NUM_RX_QUEUES; } @@ -48346,7 +48482,7 @@ index 979fe43..3f92d61 100644 .kind = DRV_NAME, .priv_size = sizeof(struct team), .setup = team_setup, -@@ -2874,7 +2874,7 @@ static int team_device_event(struct notifier_block *unused, +@@ -2886,7 +2886,7 @@ static int team_device_event(struct notifier_block *unused, return NOTIFY_DONE; } @@ -54494,10 +54630,10 @@ index ba6a5d6..f88f7f3 100644 props.type = BACKLIGHT_RAW; props.max_brightness = 0xff; diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c -index 8d7fc48..01c4986 100644 +index 29fa1c3..a57b08e 100644 --- a/drivers/usb/serial/console.c +++ b/drivers/usb/serial/console.c -@@ -123,7 +123,7 @@ static int usb_console_setup(struct console *co, char *options) +@@ -125,7 +125,7 @@ static int usb_console_setup(struct console *co, char *options) info->port = port; @@ -54506,7 +54642,7 @@ index 8d7fc48..01c4986 100644 if (!test_bit(ASYNCB_INITIALIZED, &port->port.flags)) { if (serial->type->set_termios) { /* -@@ -167,7 +167,7 @@ static int usb_console_setup(struct console *co, char *options) +@@ -173,7 +173,7 @@ static int usb_console_setup(struct console *co, char *options) } /* Now that any required fake tty operations are completed restore * the tty port count */ 
@@ -54515,16 +54651,16 @@ index 8d7fc48..01c4986 100644 /* The console is special in terms of closing the device so * indicate this port is now acting as a system console. */ port->port.console = 1; -@@ -180,7 +180,7 @@ static int usb_console_setup(struct console *co, char *options) - free_tty: - kfree(tty); +@@ -186,7 +186,7 @@ static int usb_console_setup(struct console *co, char *options) + put_tty: + tty_kref_put(tty); reset_open_count: - port->port.count = 0; + atomic_set(&port->port.count, 0); usb_autopm_put_interface(serial->interface); error_get_interface: usb_serial_put(serial); -@@ -191,7 +191,7 @@ static int usb_console_setup(struct console *co, char *options) +@@ -197,7 +197,7 @@ static int usb_console_setup(struct console *co, char *options) static void usb_console_write(struct console *co, const char *buf, unsigned count) { @@ -60765,7 +60901,7 @@ index e4141f2..d8263e8 100644 i += packet_length_size; if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size)) diff --git a/fs/exec.c b/fs/exec.c -index ea4449d..cb8ebd8 100644 +index ea4449d..cbad96a 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -56,8 +56,20 @@ @@ -61552,7 +61688,7 @@ index ea4449d..cb8ebd8 100644 +{ + unsigned long sp = (unsigned long)&sp; + if (sp < current_thread_info()->lowest_stack && -+ sp > (unsigned long)task_stack_page(current)) ++ sp >= (unsigned long)task_stack_page(current) + 2 * sizeof(unsigned long)) + current_thread_info()->lowest_stack = sp; + if (unlikely((sp & ~(THREAD_SIZE - 1)) < (THREAD_SIZE/16))) + BUG(); @@ -66941,7 +67077,7 @@ index 87dbcbe..55e1b4d 100644 } diff --git a/fs/proc/stat.c b/fs/proc/stat.c -index 6f599c6..bd00271 100644 +index dbd0272..3cd5915 100644 --- a/fs/proc/stat.c +++ b/fs/proc/stat.c @@ -11,6 +11,7 @@ 
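Review bot: The low-stack guard retained as context in the pax_track_stack hunk, `if (unlikely((sp & ~(THREAD_SIZE - 1)) < (THREAD_SIZE/16))) BUG();`, clears the low bits of sp and therefore compares the stack's aligned base address — a kernel virtual address — against THREAD_SIZE/16; as printed here that condition can never hold and the BUG() is dead. If the intent is to trap when less than a sixteenth of the stack remains, the mask must keep the low bits: `if (unlikely((sp & (THREAD_SIZE - 1)) < (THREAD_SIZE/16)))`. This could be an artifact of how this nested diff was rendered, so check it against the patch file itself. The new lower bound `task_stack_page(current) + 2 * sizeof(unsigned long)` does line up with the lowest_stack initialisation added in the process_32.c and process_64.c hunks earlier in this patch. The function's header and tail lie outside the hunk.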
@@ -67036,8 +67172,8 @@ index 6f599c6..bd00271 100644 /* sum again ? it could be updated? */ for_each_irq_nr(j) -- seq_put_decimal_ull(p, ' ', kstat_irqs(j)); -+ seq_put_decimal_ull(p, ' ', unrestricted ? kstat_irqs(j) : 0ULL); +- seq_put_decimal_ull(p, ' ', kstat_irqs_usr(j)); ++ seq_put_decimal_ull(p, ' ', unrestricted ? kstat_irqs_usr(j) : 0ULL); seq_printf(p, "\nctxt %llu\n" @@ -70239,10 +70375,10 @@ index 0000000..30ababb +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..e56396f +index 0000000..c83525f --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,2679 @@ +@@ -0,0 +1,2697 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -71416,9 +71552,10 @@ index 0000000..e56396f + rcu_read_lock(); + read_lock(&tasklist_lock); + read_lock(&grsec_exec_file_lock); ++ except in the case of gr_set_role_label() (for __gr_get_subject_for_task) +*/ + -+struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename) ++struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback) +{ + char *tmpname; + struct acl_subject_label *tmpsubj; 
@@ -71460,15 +71597,15 @@ index 0000000..e56396f + /* this also works for the reload case -- if we don't match a potentially inherited subject + then we fall back to a normal lookup based on the binary's ino/dev + */ -+ if (tmpsubj == NULL) ++ if (tmpsubj == NULL && fallback) + tmpsubj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, task->role); + + return tmpsubj; +} + -+static struct acl_subject_label *gr_get_subject_for_task(struct task_struct *task, const char *filename) ++static struct acl_subject_label *gr_get_subject_for_task(struct task_struct *task, const char *filename, int fallback) +{ -+ return __gr_get_subject_for_task(&running_polstate, task, filename); ++ return __gr_get_subject_for_task(&running_polstate, task, filename, fallback); +} + +void __gr_apply_subject_to_task(const struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj) @@ -71532,7 +71669,7 @@ index 0000000..e56396f + task->role = current->role; + rcu_read_lock(); + read_lock(&grsec_exec_file_lock); -+ subj = gr_get_subject_for_task(task, NULL); ++ subj = gr_get_subject_for_task(task, NULL, 1); + gr_apply_subject_to_task(task, subj); + read_unlock(&grsec_exec_file_lock); + rcu_read_unlock(); @@ -71942,6 +72079,7 @@ index 0000000..e56396f +gr_set_role_label(struct task_struct *task, const kuid_t kuid, const kgid_t kgid) +{ + struct acl_role_label *role = task->role; ++ struct acl_role_label *origrole = role; + struct acl_subject_label *subj = NULL; + struct acl_object_label *obj; + struct file *filp; 
@@ -71974,10 +72112,28 @@ index 0000000..e56396f + ((role->roletype & GR_ROLE_GROUP) && !gr_acl_is_capable(CAP_SETGID)))) + return; + -+ /* perform subject lookup in possibly new role -+ we can use this result below in the case where role == task->role -+ */ -+ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role); ++ task->role = role; ++ ++ if (task->inherited) { ++ /* if we reached our subject through inheritance, then first see ++ if there's a subject of the same name in the new role that has ++ an object that would result in the same inherited subject ++ */ ++ subj = gr_get_subject_for_task(task, task->acl->filename, 0); ++ if (subj) { ++ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, subj); ++ if (!(obj->mode & GR_INHERIT)) ++ subj = NULL; ++ } ++ ++ } ++ if (subj == NULL) { ++ /* otherwise: ++ perform subject lookup in possibly new role ++ we can use this result below in the case where role == task->role ++ */ ++ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role); ++ } + + /* if we changed uid/gid, but result in the same role + and are using inheritance, don't lose the inherited subject @@ -71985,14 +72141,12 @@ index 0000000..e56396f + would result in, we arrived via inheritance, don't + lose subject + */ -+ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) && ++ if (role != origrole || (!(task->acl->mode & GR_INHERITLEARN) && + (subj == task->acl))) + task->acl = subj; + + /* leave task->inherited unaffected */ + -+ task->role = role; -+ + task->is_writable = 0; + + /* ignore additional mmap checks for processes that are writable @@ -74494,7 +74648,7 @@ index 0000000..25f54ef +}; diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c new file mode 100644 -index 0000000..3f8ade0 +index 0000000..7949dcd --- /dev/null +++ b/grsecurity/gracl_policy.c @@ -0,0 +1,1782 @@ 
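Review bot: In gr_set_role_label, `task->role = role;` is now assigned before the subject lookup, so the retained comment "we can use this result below in the case where role == task->role" no longer describes anything — at that point task->role always equals role. The later comparison is against the saved copy introduced in this change, so the comment should read `/* we can use this result below in the case where role == origrole */`. The inheritance branch dereferences the result of chk_obj_label() directly (`obj->mode & GR_INHERIT`); presumably that helper never returns NULL, as the rest of gracl.c appears to rely on, but it is worth confirming now that the lookup runs with the new role already installed on the task. The function starts and ends outside this hunk.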
@@ -74568,7 +74722,7 @@ index 0000000..3f8ade0 +extern void gr_remove_uid(uid_t uid); +extern int gr_find_uid(uid_t uid); + -+extern struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename); ++extern struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback); +extern void __gr_apply_subject_to_task(struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj); +extern int gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb); +extern void __insert_inodev_entry(const struct gr_policy_state *state, struct inodev_entry *entry); @@ -75673,8 +75827,8 @@ index 0000000..3f8ade0 + } + /* this handles non-nested inherited subjects, nested subjects will still + be dropped currently */ -+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename); -+ task->tmpacl = __gr_get_subject_for_task(polstate, task, NULL); ++ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1); ++ task->tmpacl = __gr_get_subject_for_task(polstate, task, NULL, 1); + /* change the role back so that we've made no modifications to the policy */ + task->role = rtmp; + @@ -75706,7 +75860,7 @@ index 0000000..3f8ade0 + /* this handles non-nested inherited subjects, nested subjects will still + be dropped currently */ + if (!reload_state->oldmode && task->inherited) -+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename); ++ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1); + else { + /* looked up and tagged to the task previously */ + subj = task->tmpacl; 
@@ -76255,7 +76409,7 @@ index 0000000..3f8ade0 + if (task->exec_file) { + cred = __task_cred(task); + task->role = __lookup_acl_role_label(polstate, task, GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid)); -+ subj = __gr_get_subject_for_task(polstate, task, NULL); ++ subj = __gr_get_subject_for_task(polstate, task, NULL, 1); + if (subj == NULL) { + ret = -EINVAL; + read_unlock(&grsec_exec_file_lock); @@ -101345,18 +101499,9 @@ index d074d06..ad3cfcf 100644 if (ogm_packet->flags & BATADV_DIRECTLINK) has_directlink_flag = true; diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c -index c46387a..3b6c10e 100644 +index e5c5f57..1f25f1c 100644 --- a/net/batman-adv/fragmentation.c +++ b/net/batman-adv/fragmentation.c -@@ -251,7 +251,7 @@ batadv_frag_merge_packets(struct hlist_head *chain, struct sk_buff *skb) - kfree(entry); - - /* Make room for the rest of the fragments. */ -- if (pskb_expand_head(skb_out, 0, size - skb->len, GFP_ATOMIC) < 0) { -+ if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) { - kfree_skb(skb_out); - skb_out = NULL; - goto free; @@ -450,7 +450,7 @@ bool batadv_frag_send_packet(struct sk_buff *skb, frag_header.packet_type = BATADV_UNICAST_FRAG; frag_header.version = BATADV_COMPAT_VERSION; @@ -101956,7 +102101,7 @@ index a16ed7b..eb44d17 100644 return err; diff --git a/net/core/dev.c b/net/core/dev.c -index 3ed11a5..c177c8f 100644 +index 86bb9cc..8814d50 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -1695,14 +1695,14 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb) @@ -101976,7 +102121,7 @@ index 3ed11a5..c177c8f 100644 kfree_skb(skb); return NET_RX_DROP; } -@@ -2460,7 +2460,7 @@ static int illegal_highdma(const struct net_device *dev, struct sk_buff *skb) +@@ -2461,7 +2461,7 @@ static int illegal_highdma(const struct net_device *dev, struct sk_buff *skb) struct dev_gso_cb { void (*destructor)(struct sk_buff *skb); 
@@ -101985,7 +102130,7 @@ index 3ed11a5..c177c8f 100644 #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb) -@@ -3234,7 +3234,7 @@ enqueue: +@@ -3238,7 +3238,7 @@ enqueue: local_irq_restore(flags); @@ -101994,7 +102139,7 @@ index 3ed11a5..c177c8f 100644 kfree_skb(skb); return NET_RX_DROP; } -@@ -3315,7 +3315,7 @@ int netif_rx_ni(struct sk_buff *skb) +@@ -3319,7 +3319,7 @@ int netif_rx_ni(struct sk_buff *skb) } EXPORT_SYMBOL(netif_rx_ni); @@ -102003,7 +102148,7 @@ index 3ed11a5..c177c8f 100644 { struct softnet_data *sd = &__get_cpu_var(softnet_data); -@@ -3652,7 +3652,7 @@ ncls: +@@ -3656,7 +3656,7 @@ ncls: ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev); } else { drop: @@ -102012,7 +102157,7 @@ index 3ed11a5..c177c8f 100644 kfree_skb(skb); /* Jamal, now you will not able to escape explaining * me how you were going to use this. :-) -@@ -4342,7 +4342,7 @@ void netif_napi_del(struct napi_struct *napi) +@@ -4346,7 +4346,7 @@ void netif_napi_del(struct napi_struct *napi) } EXPORT_SYMBOL(netif_napi_del); @@ -102021,7 +102166,7 @@ index 3ed11a5..c177c8f 100644 { struct softnet_data *sd = &__get_cpu_var(softnet_data); unsigned long time_limit = jiffies + 2; -@@ -6311,7 +6311,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, +@@ -6376,7 +6376,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, } else { netdev_stats_to_stats64(storage, &dev->stats); } @@ -102444,7 +102589,7 @@ index b442e7e..6f5b5a2 100644 { struct socket *sock; diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index baf6fc4..783639a 100644 +index e2b1bba..71bd8fe 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -360,18 +360,29 @@ refill: @@ -103128,7 +103273,7 @@ index c10a3ce..dd71f84 100644 return -ENOMEM; } diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c -index 94213c8..8bdb342 100644 +index b40b90d..9e7ce17 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -115,7 +115,7 @@ static bool log_ecn_error = true; 
@@ -103140,7 +103285,7 @@ index 94213c8..8bdb342 100644 static int ipgre_tunnel_init(struct net_device *dev); static int ipgre_net_id __read_mostly; -@@ -732,7 +732,7 @@ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = { +@@ -733,7 +733,7 @@ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = { [IFLA_GRE_PMTUDISC] = { .type = NLA_U8 }, }; @@ -103149,7 +103294,7 @@ index 94213c8..8bdb342 100644 .kind = "gre", .maxtype = IFLA_GRE_MAX, .policy = ipgre_policy, -@@ -746,7 +746,7 @@ static struct rtnl_link_ops ipgre_link_ops __read_mostly = { +@@ -747,7 +747,7 @@ static struct rtnl_link_ops ipgre_link_ops __read_mostly = { .fill_info = ipgre_fill_info, }; @@ -103412,7 +103557,7 @@ index 2510c02..cfb34fa 100644 pr_err("Unable to proc dir entry\n"); return -ENOMEM; diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index 0d33f94..fcd69aa 100644 +index 0d33f94..d0a62e6 100644 --- a/net/ipv4/ping.c +++ b/net/ipv4/ping.c @@ -59,7 +59,7 @@ struct ping_table { @@ -103473,7 +103618,20 @@ index 0d33f94..fcd69aa 100644 else if (skb->protocol == htons(ETH_P_IP) && isk->cmsg_flags) ip_cmsg_recv(msg, skb); #endif -@@ -1113,7 +1113,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f, +@@ -973,8 +973,11 @@ void ping_rcv(struct sk_buff *skb) + + sk = ping_lookup(net, skb, ntohs(icmph->un.echo.id)); + if (sk != NULL) { ++ struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC); ++ + pr_debug("rcv on socket %p\n", sk); +- ping_queue_rcv_skb(sk, skb_get(skb)); ++ if (skb2) ++ ping_queue_rcv_skb(sk, skb2); + sock_put(sk); + return; + } +@@ -1113,7 +1116,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f, from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)), 0, sock_i_ino(sp), atomic_read(&sp->sk_refcnt), sp, @@ -104893,10 +105051,10 @@ index 20b63d2..31a777d 100644 kfree_skb(skb); diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c -index 5f8e128..9e02f78 100644 +index 5f8e128..776fc30 100644 --- a/net/ipv6/xfrm6_policy.c 
+++ b/net/ipv6/xfrm6_policy.c -@@ -130,8 +130,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) +@@ -130,12 +130,18 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) { struct flowi6 *fl6 = &fl->u.ip6; int onlyproto = 0; @@ -104905,8 +105063,19 @@ index 5f8e128..9e02f78 100644 + u16 offset = sizeof(*hdr); struct ipv6_opt_hdr *exthdr; const unsigned char *nh = skb_network_header(skb); - u8 nexthdr = nh[IP6CB(skb)->nhoff]; -@@ -170,8 +170,10 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) +- u8 nexthdr = nh[IP6CB(skb)->nhoff]; ++ u16 nhoff = IP6CB(skb)->nhoff; + int oif = 0; ++ u8 nexthdr; ++ ++ if (!nhoff) ++ nhoff = offsetof(struct ipv6hdr, nexthdr); ++ ++ nexthdr = nh[nhoff]; + + if (skb_dst(skb)) + oif = skb_dst(skb)->dev->ifindex; +@@ -170,8 +176,10 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) case IPPROTO_DCCP: if (!onlyproto && (nh + offset + 4 < skb->data || pskb_may_pull(skb, nh + offset + 4 - skb->data))) { @@ -104918,7 +105087,7 @@ index 5f8e128..9e02f78 100644 fl6->fl6_sport = ports[!!reverse]; fl6->fl6_dport = ports[!reverse]; } -@@ -180,8 +182,10 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) +@@ -180,8 +188,10 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) case IPPROTO_ICMPV6: if (!onlyproto && pskb_may_pull(skb, nh + offset + 2 - skb->data)) { @@ -104930,7 +105099,7 @@ index 5f8e128..9e02f78 100644 fl6->fl6_icmp_type = icmp[0]; fl6->fl6_icmp_code = icmp[1]; } -@@ -192,8 +196,9 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) +@@ -192,8 +202,9 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) case IPPROTO_MH: if (!onlyproto && pskb_may_pull(skb, nh + offset + 3 - skb->data)) { struct ip6_mh *mh; 
@@ -104941,7 +105110,7 @@ index 5f8e128..9e02f78 100644 fl6->fl6_mh_type = mh->ip6mh_type; } fl6->flowi6_proto = nexthdr; -@@ -212,11 +217,11 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) +@@ -212,11 +223,11 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) } } @@ -104955,7 +105124,7 @@ index 5f8e128..9e02f78 100644 return dst_entries_get_fast(ops) > ops->gc_thresh * 2; } -@@ -329,19 +334,19 @@ static struct ctl_table xfrm6_policy_table[] = { +@@ -329,19 +340,19 @@ static struct ctl_table xfrm6_policy_table[] = { static int __net_init xfrm6_net_init(struct net *net) { @@ -104980,7 +105149,7 @@ index 5f8e128..9e02f78 100644 if (!hdr) goto err_reg; -@@ -349,8 +354,7 @@ static int __net_init xfrm6_net_init(struct net *net) +@@ -349,8 +360,7 @@ static int __net_init xfrm6_net_init(struct net *net) return 0; err_reg: @@ -105407,10 +105576,10 @@ index bffdad7..f9317d1 100644 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c -index cf99377..c09b5b7 100644 +index 53ea164..c518529 100644 --- a/net/netfilter/ipset/ip_set_core.c +++ b/net/netfilter/ipset/ip_set_core.c -@@ -1922,7 +1922,7 @@ done: +@@ -1928,7 +1928,7 @@ done: return ret; } @@ -105969,7 +106138,7 @@ index 11de55e..f25e448 100644 return 0; } diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c -index 7c177bc..d4abd23 100644 +index 1d52506..b772b22 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -257,7 +257,7 @@ static void netlink_overrun(struct sock *sk) @@ -105981,7 +106150,7 @@ index 7c177bc..d4abd23 100644 } static void netlink_rcv_wake(struct sock *sk) -@@ -3003,7 +3003,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v) +@@ -2983,7 +2983,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v) sk_wmem_alloc_get(s), nlk->cb_running, atomic_read(&s->sk_refcnt), 
@@ -106598,6 +106767,58 @@ index f226709..0e735a8 100644 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial)); ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len); +diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c +index 8e3cf49..4a8e322 100644 +--- a/net/sched/cls_bpf.c ++++ b/net/sched/cls_bpf.c +@@ -182,6 +182,11 @@ static int cls_bpf_modify_existing(struct net *net, struct tcf_proto *tp, + } + + bpf_size = bpf_len * sizeof(*bpf_ops); ++ if (bpf_size != nla_len(tb[TCA_BPF_OPS])) { ++ ret = -EINVAL; ++ goto errout; ++ } ++ + bpf_ops = kzalloc(bpf_size, GFP_KERNEL); + if (bpf_ops == NULL) { + ret = -ENOMEM; +@@ -228,15 +233,21 @@ static u32 cls_bpf_grab_new_handle(struct tcf_proto *tp, + struct cls_bpf_head *head) + { + unsigned int i = 0x80000000; ++ u32 handle; + + do { + if (++head->hgen == 0x7FFFFFFF) + head->hgen = 1; + } while (--i > 0 && cls_bpf_get(tp, head->hgen)); +- if (i == 0) ++ ++ if (unlikely(i == 0)) { + pr_err("Insufficient number of handles\n"); ++ handle = 0; ++ } else { ++ handle = head->hgen; ++ } + +- return i; ++ return handle; + } + + static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, +diff --git a/net/sctp/associola.c b/net/sctp/associola.c +index d477d47..abc0922 100644 +--- a/net/sctp/associola.c ++++ b/net/sctp/associola.c +@@ -1235,7 +1235,6 @@ void sctp_assoc_update(struct sctp_association *asoc, + asoc->peer.peer_hmacs = new->peer.peer_hmacs; + new->peer.peer_hmacs = NULL; + +- sctp_auth_key_put(asoc->asoc_shared_key); + sctp_auth_asoc_init_active_key(asoc, GFP_ATOMIC); + } + diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c index 2b1738e..a9d0fc9 100644 --- a/net/sctp/ipv6.c @@ -118621,10 +118842,10 @@ index 0000000..4378111 +} diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data new file mode 100644 -index 0000000..dfb7516 +index 0000000..7ab73a3 --- /dev/null 
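Review bot: The one-line deletion of `sctp_auth_key_put(asoc->asoc_shared_key);` in `sctp_assoc_update` leaves no trace of why the put is wrong, so the next reader who sees the active key re-initialised without a matching put will be tempted to restore it. If, as the adjacent call suggests, `sctp_auth_asoc_init_active_key()` releases the previous shared key itself, say so where it is called: `/* sctp_auth_asoc_init_active_key() drops the old asoc_shared_key; putting it here as well releases it twice */`. The `sctp_assoc_update` body starts and ends outside the hunk; the `cls_bpf` length check above it reads correctly as written.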
+++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data -@@ -0,0 +1,6038 @@ +@@ -0,0 +1,6040 @@ +intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL +ocfs2_get_refcount_tree_3 ocfs2_get_refcount_tree 0 3 NULL +storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL @@ -119594,6 +119815,7 @@ index 0000000..dfb7516 +rd_build_prot_space_10761 rd_build_prot_space 2-3 10761 NULL +kvm_read_guest_atomic_10765 kvm_read_guest_atomic 4 10765 NULL +__qp_memcpy_to_queue_10779 __qp_memcpy_to_queue 2-4 10779 NULL ++ttm_dma_page_pool_free_10796 ttm_dma_page_pool_free 2-0 10796 NULL +diva_set_trace_filter_10820 diva_set_trace_filter 0-1 10820 NULL +lbs_sleepparams_read_10840 lbs_sleepparams_read 3 10840 NULL +ida_get_new_above_10853 ida_get_new_above 0 10853 NULL @@ -120901,6 +121123,7 @@ index 0000000..dfb7516 +evdev_do_ioctl_24459 evdev_do_ioctl 2 24459 NULL +lbs_highsnr_write_24460 lbs_highsnr_write 3 24460 NULL +skb_copy_and_csum_datagram_iovec_24466 skb_copy_and_csum_datagram_iovec 2 24466 NULL ++ttm_page_pool_free_24486 ttm_page_pool_free 2-0 24486 NULL +dut_mode_read_24489 dut_mode_read 3 24489 NULL +read_file_spec_scan_ctl_24491 read_file_spec_scan_ctl 3 24491 NULL +pd_video_read_24510 pd_video_read 3 24510 NULL diff --git a/3.14.29/4425_grsec_remove_EI_PAX.patch b/3.14.30/4425_grsec_remove_EI_PAX.patch index 86e242a..86e242a 100644 --- a/3.14.29/4425_grsec_remove_EI_PAX.patch +++ b/3.14.30/4425_grsec_remove_EI_PAX.patch diff --git a/3.14.29/4427_force_XATTR_PAX_tmpfs.patch b/3.14.30/4427_force_XATTR_PAX_tmpfs.patch index aa540ad..aa540ad 100644 --- a/3.14.29/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.14.30/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.14.29/4430_grsec-remove-localversion-grsec.patch b/3.14.30/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.14.29/4430_grsec-remove-localversion-grsec.patch +++ b/3.14.30/4430_grsec-remove-localversion-grsec.patch 
diff --git a/3.14.29/4435_grsec-mute-warnings.patch b/3.14.30/4435_grsec-mute-warnings.patch index 392cefb..392cefb 100644 --- a/3.14.29/4435_grsec-mute-warnings.patch +++ b/3.14.30/4435_grsec-mute-warnings.patch diff --git a/3.14.29/4440_grsec-remove-protected-paths.patch b/3.14.30/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/3.14.29/4440_grsec-remove-protected-paths.patch +++ b/3.14.30/4440_grsec-remove-protected-paths.patch diff --git a/3.14.29/4450_grsec-kconfig-default-gids.patch b/3.14.30/4450_grsec-kconfig-default-gids.patch index 722821b..722821b 100644 --- a/3.14.29/4450_grsec-kconfig-default-gids.patch +++ b/3.14.30/4450_grsec-kconfig-default-gids.patch diff --git a/3.14.29/4465_selinux-avc_audit-log-curr_ip.patch b/3.14.30/4465_selinux-avc_audit-log-curr_ip.patch index f92c155..f92c155 100644 --- a/3.14.29/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.14.30/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.14.29/4470_disable-compat_vdso.patch b/3.14.30/4470_disable-compat_vdso.patch index cc7c122..cc7c122 100644 --- a/3.14.29/4470_disable-compat_vdso.patch +++ b/3.14.30/4470_disable-compat_vdso.patch diff --git a/3.14.29/4475_emutramp_default_on.patch b/3.14.30/4475_emutramp_default_on.patch index ad4967a..ad4967a 100644 --- a/3.14.29/4475_emutramp_default_on.patch +++ b/3.14.30/4475_emutramp_default_on.patch diff --git a/3.18.3/0000_README b/3.18.4/0000_README index 910054e..d079d57 100644 --- a/3.18.3/0000_README +++ b/3.18.4/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.0-3.18.3-201501211944.patch +Patch: 4420_grsecurity-3.0-3.18.4-201501272307.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity 
@@ -41,4 +41,4 @@ Desc: Disables VDSO_COMPAT operation completely Patch: 4475_emutramp_default_on.patch From: Anthony G. Basile <blueness@gentoo.org> -Desc: Set PAX_EMUTRAMP default on for libffi, bugs #329499 and #457194 +Dnux-3.18.4.patchesc: Set PAX_EMUTRAMP default on for libffi, bugs #329499 and #457194 diff --git a/3.18.3/4420_grsecurity-3.0-3.18.3-201501211944.patch b/3.18.4/4420_grsecurity-3.0-3.18.4-201501272307.patch index 93912cb..4163835 100644 --- a/3.18.3/4420_grsecurity-3.0-3.18.3-201501211944.patch +++ b/3.18.4/4420_grsecurity-3.0-3.18.4-201501272307.patch @@ -313,7 +313,7 @@ index a311db8..415b28c 100644 A typical pattern in a Kbuild file looks like this: diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt -index 479f332..2475ac2 100644 +index f4c71d4..66811b1 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt @@ -1182,6 +1182,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. @@ -327,7 +327,7 @@ index 479f332..2475ac2 100644 hashdist= [KNL,NUMA] Large hashes allocated during boot are distributed across NUMA nodes. Defaults on for 64-bit NUMA, off otherwise. -@@ -2259,6 +2263,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. +@@ -2260,6 +2264,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. noexec=on: enable non-executable mappings (default) noexec=off: disable non-executable mappings @@ -338,7 +338,7 @@ index 479f332..2475ac2 100644 nosmap [X86] Disable SMAP (Supervisor Mode Access Prevention) even if it is supported by processor. -@@ -2551,6 +2559,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted. +@@ -2552,6 +2560,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted. the specified number of seconds. This is to be used if your oopses keep scrolling off the screen. @@ -370,7 +370,7 @@ index 479f332..2475ac2 100644 pcd. [PARIDE] 
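Review bot: The replacement line in `0000_README` is corrupted: the `Desc:` label has become `Dnux-3.18.4.patchesc:`, which looks like a fragment of a filename (`…nux-3.18.4.patch`) pasted into the middle of the word, so the description of `4475_emutramp_default_on.patch` no longer carries its label. The line should read `Desc: Set PAX_EMUTRAMP default on for libffi, bugs #329499 and #457194`, i.e. identical to the line being removed; since the hunk changes nothing else, the whole hunk appears to be an accidental edit and can be dropped.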
diff --git a/Makefile b/Makefile -index 91cfe8d..ccf7329 100644 +index 4e93284..ba06195 100644 --- a/Makefile +++ b/Makefile @@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -12721,10 +12721,10 @@ index 920e616..ac3d4df 100644 +*** Please upgrade your binutils to 2.18 or newer +endef diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile -index 5b016e2..04ef69c 100644 +index 3db07f3..9d81d0f 100644 --- a/arch/x86/boot/Makefile +++ b/arch/x86/boot/Makefile -@@ -55,6 +55,9 @@ endif +@@ -56,6 +56,9 @@ clean-files += cpustr.h # --------------------------------------------------------------------------- KBUILD_CFLAGS := $(USERINCLUDE) $(REALMODE_CFLAGS) -D_SETUP @@ -16544,7 +16544,7 @@ index 0bb1335..8f1aec7 100644 "6:\n" ".previous\n" diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h -index 50d033a..37deb26 100644 +index 50d033a..59ecefa 100644 --- a/arch/x86/include/asm/desc.h +++ b/arch/x86/include/asm/desc.h @@ -4,6 +4,7 @@ @@ -16642,7 +16642,7 @@ index 50d033a..37deb26 100644 } static inline void native_load_gdt(const struct desc_ptr *dtr) -@@ -247,8 +258,10 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu) +@@ -247,11 +258,14 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu) struct desc_struct *gdt = get_cpu_gdt_table(cpu); unsigned int i; 
@@ -16652,8 +16652,37 @@ index 50d033a..37deb26 100644 + pax_close_kernel(); } - #define _LDT_empty(info) \ -@@ -287,7 +300,7 @@ static inline void load_LDT(mm_context_t *pc) +-#define _LDT_empty(info) \ ++/* This intentionally ignores lm, since 32-bit apps don't have that field. */ ++#define LDT_empty(info) \ + ((info)->base_addr == 0 && \ + (info)->limit == 0 && \ + (info)->contents == 0 && \ +@@ -261,11 +275,18 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu) + (info)->seg_not_present == 1 && \ + (info)->useable == 0) + +-#ifdef CONFIG_X86_64 +-#define LDT_empty(info) (_LDT_empty(info) && ((info)->lm == 0)) +-#else +-#define LDT_empty(info) (_LDT_empty(info)) +-#endif ++/* Lots of programs expect an all-zero user_desc to mean "no segment at all". */ ++static inline bool LDT_zero(const struct user_desc *info) ++{ ++ return (info->base_addr == 0 && ++ info->limit == 0 && ++ info->contents == 0 && ++ info->read_exec_only == 0 && ++ info->seg_32bit == 0 && ++ info->limit_in_pages == 0 && ++ info->seg_not_present == 0 && ++ info->useable == 0); ++} + + static inline void clear_LDT(void) + { +@@ -287,7 +308,7 @@ static inline void load_LDT(mm_context_t *pc) preempt_enable(); } @@ -16662,7 +16691,7 @@ index 50d033a..37deb26 100644 { return (unsigned)(desc->base0 | ((desc->base1) << 16) | ((desc->base2) << 24)); } -@@ -311,7 +324,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit) +@@ -311,7 +332,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit) } #ifdef CONFIG_X86_64 @@ -16671,7 +16700,7 @@ index 50d033a..37deb26 100644 { gate_desc s; -@@ -321,14 +334,14 @@ static inline void set_nmi_gate(int gate, void *addr) +@@ -321,14 +342,14 @@ static inline void set_nmi_gate(int gate, void *addr) #endif #ifdef CONFIG_TRACING 
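Review bot: `LDT_zero()` does not examine `info->lm`, which is consistent with the comment placed on `LDT_empty` just above it ("intentionally ignores lm, since 32-bit apps don't have that field"), but `LDT_zero`'s own comment only says what an all-zero descriptor means, so a 64-bit caller passing `lm = 1` with every other field zero is silently treated as "no segment" with nothing saying that is deliberate. I would extend the comment to `/* Lots of programs expect an all-zero user_desc to mean "no segment at all". Like LDT_empty, lm is deliberately not checked: 32-bit callers have no such field. */` so the two predicates are documented the same way.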
@@ -16689,7 +16718,7 @@ index 50d033a..37deb26 100644 unsigned dpl, unsigned ist, unsigned seg) { gate_desc s; -@@ -348,7 +361,7 @@ static inline void write_trace_idt_entry(int entry, const gate_desc *gate) +@@ -348,7 +369,7 @@ static inline void write_trace_idt_entry(int entry, const gate_desc *gate) #define _trace_set_gate(gate, type, addr, dpl, ist, seg) #endif @@ -16698,7 +16727,7 @@ index 50d033a..37deb26 100644 unsigned dpl, unsigned ist, unsigned seg) { gate_desc s; -@@ -371,9 +384,9 @@ static inline void _set_gate(int gate, unsigned type, void *addr, +@@ -371,9 +392,9 @@ static inline void _set_gate(int gate, unsigned type, void *addr, #define set_intr_gate(n, addr) \ do { \ BUG_ON((unsigned)n > 0xFF); \ @@ -16710,7 +16739,7 @@ index 50d033a..37deb26 100644 0, 0, __KERNEL_CS); \ } while (0) -@@ -401,19 +414,19 @@ static inline void alloc_system_vector(int vector) +@@ -401,19 +422,19 @@ static inline void alloc_system_vector(int vector) /* * This routine sets up an interrupt gate at directory privilege level 3. */ @@ -16733,7 +16762,7 @@ index 50d033a..37deb26 100644 { BUG_ON((unsigned)n > 0xFF); _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS); -@@ -422,16 +435,16 @@ static inline void set_trap_gate(unsigned int n, void *addr) +@@ -422,16 +443,16 @@ static inline void set_trap_gate(unsigned int n, void *addr) static inline void set_task_gate(unsigned int n, unsigned int gdt_entry) { BUG_ON((unsigned)n > 0xFF); @@ -16753,7 +16782,7 @@ index 50d033a..37deb26 100644 { BUG_ON((unsigned)n > 0xFF); _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS); -@@ -503,4 +516,17 @@ static inline void load_current_idt(void) +@@ -503,4 +524,17 @@ static inline void load_current_idt(void) else load_idt((const struct desc_ptr *)&idt_descr); } @@ -21115,7 +21144,7 @@ index e7c798b..2b2019b 100644 BLANK(); diff --git a/arch/x86/kernel/cpu/Makefile b/arch/x86/kernel/cpu/Makefile -index e27b49d..85b106c 100644 +index 80091ae..0c5184f 100644 --- a/arch/x86/kernel/cpu/Makefile 
+++ b/arch/x86/kernel/cpu/Makefile @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg @@ -25536,7 +25565,7 @@ index 7ec1d5f..5a7d130 100644 } diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c -index 67e6d19..731ed28 100644 +index 93d2c04..36d0e94 100644 --- a/arch/x86/kernel/kprobes/core.c +++ b/arch/x86/kernel/kprobes/core.c @@ -120,9 +120,12 @@ __synthesize_relative_insn(void *from, void *to, u8 op) @@ -27816,10 +27845,49 @@ index 0fa2960..91eabbe 100644 return pc; } diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c -index 4e942f3..d0f623f 100644 +index 4e942f3..c6e445a 100644 --- a/arch/x86/kernel/tls.c 
+++ b/arch/x86/kernel/tls.c -@@ -118,6 +118,11 @@ int do_set_thread_area(struct task_struct *p, int idx, +@@ -29,7 +29,28 @@ static int get_free_idx(void) + + static bool tls_desc_okay(const struct user_desc *info) + { +- if (LDT_empty(info)) ++ /* ++ * For historical reasons (i.e. no one ever documented how any ++ * of the segmentation APIs work), user programs can and do ++ * assume that a struct user_desc that's all zeros except for ++ * entry_number means "no segment at all". This never actually ++ * worked. In fact, up to Linux 3.19, a struct user_desc like ++ * this would create a 16-bit read-write segment with base and ++ * limit both equal to zero. ++ * ++ * That was close enough to "no segment at all" until we ++ * hardened this function to disallow 16-bit TLS segments. Fix ++ * it up by interpreting these zeroed segments the way that they ++ * were almost certainly intended to be interpreted. ++ * ++ * The correct way to ask for "no segment at all" is to specify ++ * a user_desc that satisfies LDT_empty. To keep everything ++ * working, we accept both. ++ * ++ * Note that there's a similar kludge in modify_ldt -- look at ++ * the distinction between modes 1 and 0x11. ++ */ ++ if (LDT_empty(info) || LDT_zero(info)) + return true; + + /* +@@ -71,7 +92,7 @@ static void set_tls_desc(struct task_struct *p, int idx, + cpu = get_cpu(); + + while (n-- > 0) { +- if (LDT_empty(info)) ++ if (LDT_empty(info) || LDT_zero(info)) + desc->a = desc->b = 0; + else + fill_ldt(desc, info); +@@ -118,6 +139,11 @@ int do_set_thread_area(struct task_struct *p, int idx, if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) return -EINVAL; @@ -27831,7 +27899,7 @@ index 4e942f3..d0f623f 100644 set_tls_desc(p, idx, &info, 1); return 0; -@@ -235,7 +240,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, +@@ -235,7 +261,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, if (kbuf) info = kbuf; 
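Review bot: The predicate `LDT_empty(info) || LDT_zero(info)` now appears twice in tls.c, in `tls_desc_okay` and in the `set_tls_desc` loop, while the long comment explaining why both forms are accepted lives only at the first site. Folding it into one helper placed next to that comment keeps the two call sites from drifting: `static bool tls_desc_is_none(const struct user_desc *info) { return LDT_empty(info) || LDT_zero(info); }`, then `if (tls_desc_is_none(info))` at both places. Both functions extend beyond the hunk.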
@@ -28626,10 +28694,63 @@ index 88f9201..0e7f1a3 100644 out: diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index 22e7ed9..e03a378 100644 +index 22e7ed9..c3e2419 100644 --- a/arch/x86/kvm/emulate.c 
+++ b/arch/x86/kvm/emulate.c -@@ -3519,7 +3519,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) +@@ -2345,7 +2345,7 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt) + * Not recognized on AMD in compat mode (but is recognized in legacy + * mode). + */ +- if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA) ++ if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA) + && !vendor_intel(ctxt)) + return emulate_ud(ctxt); + +@@ -2358,25 +2358,13 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt) + setup_syscalls_segments(ctxt, &cs, &ss); + + ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data); +- switch (ctxt->mode) { +- case X86EMUL_MODE_PROT32: +- if ((msr_data & 0xfffc) == 0x0) +- return emulate_gp(ctxt, 0); +- break; +- case X86EMUL_MODE_PROT64: +- if (msr_data == 0x0) +- return emulate_gp(ctxt, 0); +- break; +- default: +- break; +- } ++ if ((msr_data & 0xfffc) == 0x0) ++ return emulate_gp(ctxt, 0); + + ctxt->eflags &= ~(EFLG_VM | EFLG_IF); +- cs_sel = (u16)msr_data; +- cs_sel &= ~SELECTOR_RPL_MASK; ++ cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK; + ss_sel = cs_sel + 8; +- ss_sel &= ~SELECTOR_RPL_MASK; +- if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) { ++ if (efer & EFER_LMA) { + cs.d = 0; + cs.l = 1; + } +@@ -2385,10 +2373,11 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt) + ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS); + + ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data); +- ctxt->_eip = msr_data; ++ ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data; + + ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data); +- *reg_write(ctxt, VCPU_REGS_RSP) = msr_data; ++ *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data : ++ (u32)msr_data; + + return X86EMUL_CONTINUE; + } +@@ -3519,7 +3508,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) int cr = ctxt->modrm_reg; u64 efer = 0; 
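Review bot: The per-mode `switch` in `em_sysenter` is collapsed into a single `if ((msr_data & 0xfffc) == 0x0) return emulate_gp(ctxt, 0);`, and a reader now has to re-derive why the 64-bit case no longer checks the full MSR value. A comment would settle it: `/* #GP if bits 15:2 of IA32_SYSENTER_CS are zero, in every mode; the upper bits of the MSR are not consulted for the selector. */` — please confirm that wording against the current SDM entry for SYSENTER. The same `efer & EFER_LMA` test is then repeated four times to choose 64- versus 32-bit semantics; a local `bool lma = !!(efer & EFER_LMA);` declared near `efer` would read better, and `em_sysenter` starts before the hunk.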
@@ -28638,7 +28759,7 @@ index 22e7ed9..e03a378 100644 0xffffffff00000000ULL, 0, 0, 0, /* CR3 checked later */ CR4_RESERVED_BITS, -@@ -3554,7 +3554,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) +@@ -3554,7 +3543,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) ctxt->ops->get_msr(ctxt, MSR_EFER, &efer); if (efer & EFER_LMA) @@ -28647,6 +28768,17 @@ index 22e7ed9..e03a378 100644 if (new_val & rsvd) return emulate_gp(ctxt, 0); +@@ -3788,8 +3777,8 @@ static const struct opcode group5[] = { + }; + + static const struct opcode group6[] = { +- DI(Prot, sldt), +- DI(Prot, str), ++ DI(Prot | DstMem, sldt), ++ DI(Prot | DstMem, str), + II(Prot | Priv | SrcMem16, em_lldt, lldt), + II(Prot | Priv | SrcMem16, em_ltr, ltr), + N, N, N, N, diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c index b8345dd..f225d71 100644 --- a/arch/x86/kvm/lapic.c @@ -28701,7 +28833,7 @@ index 7527cef..c63a838e 100644 local_irq_disable(); diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c -index 3e556c6..08bbf7f 100644 +index ed70394..c629a68 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -1366,12 +1366,12 @@ static void vmcs_write64(unsigned long field, u64 value) @@ -40155,10 +40287,10 @@ index dbf28fa..04dad4e 100644 return -EINVAL; } diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c -index e8e98ca..10f416e 100644 +index c81bda0..a8ccd9f 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c -@@ -537,8 +537,10 @@ static void gpiochip_irqchip_remove(struct gpio_chip *gpiochip) +@@ -539,8 +539,10 @@ static void gpiochip_irqchip_remove(struct gpio_chip *gpiochip) } if (gpiochip->irqchip) { @@ -40171,7 +40303,7 @@ index e8e98ca..10f416e 100644 gpiochip->irqchip = NULL; } } -@@ -604,8 +606,11 @@ int gpiochip_irqchip_add(struct gpio_chip *gpiochip, +@@ -606,8 +608,11 @@ int gpiochip_irqchip_add(struct gpio_chip *gpiochip, gpiochip->irqchip = NULL; return -EINVAL; } 
@@ -40212,10 +40344,10 @@ index bc3da32..7289357 100644 } mutex_unlock(&drm_global_mutex); diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c -index 0c0c39b..70dd2f4 100644 +index ef757f7..98f720c 100644 --- a/drivers/gpu/drm/drm_fb_helper.c +++ b/drivers/gpu/drm/drm_fb_helper.c -@@ -732,7 +732,9 @@ int drm_fb_helper_setcmap(struct fb_cmap *cmap, struct fb_info *info) +@@ -741,7 +741,9 @@ int drm_fb_helper_setcmap(struct fb_cmap *cmap, struct fb_info *info) int i, j, rc = 0; int start; @@ -40226,7 +40358,7 @@ index 0c0c39b..70dd2f4 100644 if (!drm_fb_helper_is_bound(fb_helper)) { drm_modeset_unlock_all(dev); return -EBUSY; -@@ -910,7 +912,9 @@ int drm_fb_helper_pan_display(struct fb_var_screeninfo *var, +@@ -915,7 +917,9 @@ int drm_fb_helper_pan_display(struct fb_var_screeninfo *var, int ret = 0; int i; @@ -40530,7 +40662,7 @@ index 2e0613e..a8b94d9 100644 return ret; diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index 9cb5c95..9228666 100644 +index cadc3bc..1bfccfe 100644 --- a/drivers/gpu/drm/i915/intel_display.c +++ b/drivers/gpu/drm/i915/intel_display.c @@ -12811,13 +12811,13 @@ struct intel_quirk { @@ -41243,7 +41375,7 @@ index 535403e..5dd655b 100644 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID); diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c -index 8624979..65e5243 100644 +index d2510cf..63bd4ed 100644 --- a/drivers/gpu/drm/radeon/radeon_ttm.c +++ b/drivers/gpu/drm/radeon/radeon_ttm.c @@ -936,7 +936,7 @@ void radeon_ttm_set_active_vram_size(struct radeon_device *rdev, u64 size) @@ -41348,7 +41480,7 @@ index a1803fb..c53f6b0 100644 kobject_put(&zone->kobj); return ret; diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c -index 09874d6..d6da1de 100644 +index 025c429..314062f 100644 --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c @@ -54,7 +54,7 @@ 
@@ -41360,14 +41492,15 @@ index 09874d6..d6da1de 100644 /* times are in msecs */ #define PAGE_FREE_INTERVAL 1000 -@@ -299,14 +299,13 @@ static void ttm_pool_update_free_locked(struct ttm_page_pool *pool, +@@ -299,15 +299,14 @@ static void ttm_pool_update_free_locked(struct ttm_page_pool *pool, * @free_all: If set to true will free all pages in pool - * @gfp: GFP flags. + * @use_static: Safe to use static buffer **/ -static int ttm_page_pool_free(struct ttm_page_pool *pool, unsigned nr_free, +static unsigned long ttm_page_pool_free(struct ttm_page_pool *pool, unsigned long nr_free, - gfp_t gfp) + bool use_static) { + static struct page *static_buf[NUM_PAGES_TO_ALLOC]; unsigned long irq_flags; struct page *p; struct page **pages_to_free; @@ -41377,7 +41510,7 @@ index 09874d6..d6da1de 100644 if (NUM_PAGES_TO_ALLOC < nr_free) npages_to_free = NUM_PAGES_TO_ALLOC; -@@ -366,7 +365,8 @@ restart: +@@ -371,7 +370,8 @@ restart: __list_del(&p->lru, &pool->list); ttm_pool_update_free_locked(pool, freed_pages); @@ -41387,7 +41520,7 @@ index 09874d6..d6da1de 100644 } spin_unlock_irqrestore(&pool->lock, irq_flags); -@@ -395,7 +395,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) +@@ -399,7 +399,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) unsigned i; unsigned pool_offset; struct ttm_page_pool *pool; @@ -41396,7 +41529,7 @@ index 09874d6..d6da1de 100644 unsigned long freed = 0; if (!mutex_trylock(&lock)) -@@ -403,7 +403,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) +@@ -407,7 +407,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) pool_offset = ++start_pool % NUM_POOLS; /* select start pool in round robin fashion */ for (i = 0; i < NUM_POOLS; ++i) { 
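Review bot: The new `static struct page *static_buf[NUM_PAGES_TO_ALLOC]` in `ttm_page_pool_free` is one buffer shared by every pool and every caller, so it is only correct if callers passing `use_static = true` can never run concurrently; the only serialisation visible here is the `mutex_trylock(&lock)` in `ttm_pool_shrink_scan` further down, and the `@use_static: Safe to use static buffer` line does not say what makes it safe. Record the invariant at the declaration, e.g. `/* Shared by all pools: only the shrinker path (serialised by 'lock') may pass use_static = true, because it must not allocate. */`, adjusting the lock name if a different mutex is what actually serialises it. The function body continues beyond the hunk.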
@@ -41405,7 +41538,7 @@ index 09874d6..d6da1de 100644 if (shrink_pages == 0) break; pool = &_manager->pools[(i + pool_offset)%NUM_POOLS]; -@@ -669,7 +669,7 @@ out: +@@ -673,7 +673,7 @@ out: } /* Put all pages in pages list to correct pool to wait for reuse */ @@ -41414,7 +41547,7 @@ index 09874d6..d6da1de 100644 enum ttm_caching_state cstate) { unsigned long irq_flags; -@@ -724,7 +724,7 @@ static int ttm_get_pages(struct page **pages, unsigned npages, int flags, +@@ -728,7 +728,7 @@ static int ttm_get_pages(struct page **pages, unsigned npages, int flags, struct list_head plist; struct page *p = NULL; gfp_t gfp_flags = GFP_USER; @@ -41424,7 +41557,7 @@ index 09874d6..d6da1de 100644 /* set zero flag for page allocation if required */ diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c -index c96db43..c367557 100644 +index 01e1d27..aaa018a 100644 --- a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c +++ b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c @@ -56,7 +56,7 @@ @@ -41436,15 +41569,16 @@ index c96db43..c367557 100644 /* times are in msecs */ #define IS_UNDEFINED (0) #define IS_WC (1<<1) -@@ -413,15 +413,14 @@ static void ttm_dma_page_put(struct dma_pool *pool, struct dma_page *d_page) +@@ -413,7 +413,7 @@ static void ttm_dma_page_put(struct dma_pool *pool, struct dma_page *d_page) * @nr_free: If set to true will free all pages in pool - * @gfp: GFP flags. + * @use_static: Safe to use static buffer **/ -static unsigned ttm_dma_page_pool_free(struct dma_pool *pool, unsigned nr_free, +static unsigned long ttm_dma_page_pool_free(struct dma_pool *pool, unsigned long nr_free, - gfp_t gfp) + bool use_static) { - unsigned long irq_flags; + static struct page *static_buf[NUM_PAGES_TO_ALLOC]; +@@ -421,8 +421,7 @@ static unsigned ttm_dma_page_pool_free(struct dma_pool *pool, unsigned nr_free, struct dma_page *dma_p, *tmp; struct page **pages_to_free; struct list_head d_pages; 
@@ -41454,7 +41588,7 @@ index c96db43..c367557 100644 if (NUM_PAGES_TO_ALLOC < nr_free) npages_to_free = NUM_PAGES_TO_ALLOC; -@@ -494,7 +493,8 @@ restart: +@@ -499,7 +498,8 @@ restart: /* remove range of pages from the pool */ if (freed_pages) { ttm_pool_update_free_locked(pool, freed_pages); @@ -41464,7 +41598,7 @@ index c96db43..c367557 100644 } spin_unlock_irqrestore(&pool->lock, irq_flags); -@@ -929,7 +929,7 @@ void ttm_dma_unpopulate(struct ttm_dma_tt *ttm_dma, struct device *dev) +@@ -936,7 +936,7 @@ void ttm_dma_unpopulate(struct ttm_dma_tt *ttm_dma, struct device *dev) struct dma_page *d_page, *next; enum pool_type type; bool is_cached = false; @@ -41473,7 +41607,7 @@ index c96db43..c367557 100644 unsigned long irq_flags; type = ttm_to_type(ttm->page_flags, ttm->caching_state); -@@ -1007,7 +1007,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) +@@ -1012,7 +1012,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) static unsigned start_pool; unsigned idx = 0; unsigned pool_offset; @@ -41482,7 +41616,7 @@ index c96db43..c367557 100644 struct device_pools *p; unsigned long freed = 0; -@@ -1020,7 +1020,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) +@@ -1025,7 +1025,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) goto out; pool_offset = ++start_pool % _manager->npools; list_for_each_entry(p, &_manager->pools, pools) { @@ -41491,8 +41625,8 @@ index c96db43..c367557 100644 if (!p->dev) continue; -@@ -1034,7 +1034,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) - sc->gfp_mask); +@@ -1039,7 +1039,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc) + shrink_pages = ttm_dma_page_pool_free(p->pool, nr_free, true); freed += nr_free - shrink_pages; - pr_debug("%s: (%s:%d) Asked to shrink %d, have %d more to go\n", 
@@ -44554,7 +44688,7 @@ index e9d33ad..dae9880d 100644 pmd->bl_info.value_type.inc = data_block_inc; pmd->bl_info.value_type.dec = data_block_dec; diff --git a/drivers/md/dm.c b/drivers/md/dm.c -index 58f3927..bfbad3e 100644 +index 62c5136..aede7f1 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -183,9 +183,9 @@ struct mapped_device { @@ -48053,7 +48187,7 @@ index cf8b6ff..274271e 100644 break; } diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c -index 597c463..5cc1a7f 100644 +index d2975fa..8aaec07 100644 --- a/drivers/net/ethernet/emulex/benet/be_main.c +++ b/drivers/net/ethernet/emulex/benet/be_main.c @@ -537,7 +537,7 @@ static void accumulate_16bit_val(u32 *acc, u16 val) @@ -48118,7 +48252,7 @@ index 5fd4b52..87aa34b 100644 /* need lock to prevent incorrect read while modifying cyclecounter */ diff --git a/drivers/net/ethernet/mellanox/mlx4/en_tx.c b/drivers/net/ethernet/mellanox/mlx4/en_tx.c -index 454d9fe..59f0f0b 100644 +index 11ff28b..375d659 100644 --- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c +++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c @@ -458,8 +458,8 @@ static bool mlx4_en_process_tx_cq(struct net_device *dev, @@ -48497,10 +48631,10 @@ index 079f7ad..b2a2bfa7 100644 /* We've got a compressed packet; read the change byte */ diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c -index 2368395..bf6fe96 100644 +index 9c505c4..5d0c879 100644 --- a/drivers/net/team/team.c +++ b/drivers/net/team/team.c -@@ -2090,7 +2090,7 @@ static unsigned int team_get_num_rx_queues(void) +@@ -2102,7 +2102,7 @@ static unsigned int team_get_num_rx_queues(void) return TEAM_DEFAULT_NUM_RX_QUEUES; } 
@@ -48509,7 +48643,7 @@ index 2368395..bf6fe96 100644 .kind = DRV_NAME, .priv_size = sizeof(struct team), .setup = team_setup, -@@ -2880,7 +2880,7 @@ static int team_device_event(struct notifier_block *unused, +@@ -2892,7 +2892,7 @@ static int team_device_event(struct notifier_block *unused, return NOTIFY_DONE; } @@ -51752,7 +51886,7 @@ index 79c77b4..ef6ec0b 100644 /* check if the device is still usable */ if (unlikely(cmd->device->sdev_state == SDEV_DEL)) { diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c -index 50a6e1a..de5252e 100644 +index 17fb051..937fbbd 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c @@ -1583,7 +1583,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q) @@ -52470,7 +52604,7 @@ index e7e9372..161f530 100644 login->tgt_agt = sbp_target_agent_register(login); if (IS_ERR(login->tgt_agt)) { diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c -index c45f9e9..00e85f0 100644 +index 24fa5d1..fae56f1 100644 --- a/drivers/target/target_core_device.c +++ b/drivers/target/target_core_device.c @@ -1532,7 +1532,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name) @@ -53278,7 +53412,7 @@ index 587d63b..48423a6 100644 if (cfg->uart_flags & UPF_CONS_FLOW) { diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c -index eaeb9a0..01a238c 100644 +index a28dee9..168ba47 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c @@ -1339,7 +1339,7 @@ static void uart_close(struct tty_struct *tty, struct file *filp) @@ -54471,10 +54605,10 @@ index b3d245e..99549ed 100644 props.type = BACKLIGHT_RAW; props.max_brightness = 0xff; diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c -index 8d7fc48..01c4986 100644 +index 29fa1c3..a57b08e 100644 --- a/drivers/usb/serial/console.c 
+++ b/drivers/usb/serial/console.c -@@ -123,7 +123,7 @@ static int usb_console_setup(struct console *co, char *options) +@@ -125,7 +125,7 @@ static int usb_console_setup(struct console *co, char *options) info->port = port; @@ -54483,7 +54617,7 @@ index 8d7fc48..01c4986 100644 if (!test_bit(ASYNCB_INITIALIZED, &port->port.flags)) { if (serial->type->set_termios) { /* -@@ -167,7 +167,7 @@ static int usb_console_setup(struct console *co, char *options) +@@ -173,7 +173,7 @@ static int usb_console_setup(struct console *co, char *options) } /* Now that any required fake tty operations are completed restore * the tty port count */ @@ -54492,16 +54626,16 @@ index 8d7fc48..01c4986 100644 /* The console is special in terms of closing the device so * indicate this port is now acting as a system console. */ port->port.console = 1; -@@ -180,7 +180,7 @@ static int usb_console_setup(struct console *co, char *options) - free_tty: - kfree(tty); +@@ -186,7 +186,7 @@ static int usb_console_setup(struct console *co, char *options) + put_tty: + tty_kref_put(tty); reset_open_count: - port->port.count = 0; + atomic_set(&port->port.count, 0); usb_autopm_put_interface(serial->interface); error_get_interface: usb_serial_put(serial); -@@ -191,7 +191,7 @@ static int usb_console_setup(struct console *co, char *options) +@@ -197,7 +197,7 @@ static int usb_console_setup(struct console *co, char *options) static void usb_console_write(struct console *co, const char *buf, unsigned count) { @@ -54782,10 +54916,10 @@ index 2fa0317..4983f2a 100644 return 0; } diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c -index 900aa4e..6d49418 100644 +index d6cab1f..112f680 100644 --- a/drivers/video/fbdev/core/fb_defio.c +++ b/drivers/video/fbdev/core/fb_defio.c -@@ -206,7 +206,9 @@ void fb_deferred_io_init(struct fb_info *info) +@@ -207,7 +207,9 @@ void fb_deferred_io_init(struct fb_info *info) BUG_ON(!fbdefio); mutex_init(&fbdefio->lock); 
@@ -54796,7 +54930,7 @@ index 900aa4e..6d49418 100644 INIT_DELAYED_WORK(&info->deferred_work, fb_deferred_io_work); INIT_LIST_HEAD(&fbdefio->pagelist); if (fbdefio->delay == 0) /* set a default of 1 s */ -@@ -237,7 +239,7 @@ void fb_deferred_io_cleanup(struct fb_info *info) +@@ -238,7 +240,7 @@ void fb_deferred_io_cleanup(struct fb_info *info) page->mapping = NULL; } @@ -60523,7 +60657,7 @@ index b5c86ff..0dac262 100644 return 0; while (nr) { diff --git a/fs/dcache.c b/fs/dcache.c -index 03dca3c..f66c622 100644 +index 03dca3c..15f326d 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -508,7 +508,7 @@ static void __dentry_kill(struct dentry *dentry) @@ -60659,7 +60793,17 @@ index 03dca3c..f66c622 100644 dentry->d_flags = 0; spin_lock_init(&dentry->d_lock); seqcount_init(&dentry->d_seq); -@@ -2183,7 +2183,7 @@ struct dentry *__d_lookup(const struct dentry *parent, const struct qstr *name) +@@ -1452,6 +1452,9 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) + dentry->d_sb = sb; + dentry->d_op = NULL; + dentry->d_fsdata = NULL; ++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME ++ atomic_set(&dentry->chroot_refcnt, 0); ++#endif + INIT_HLIST_BL_NODE(&dentry->d_hash); + INIT_LIST_HEAD(&dentry->d_lru); + INIT_LIST_HEAD(&dentry->d_subdirs); +@@ -2183,7 +2186,7 @@ struct dentry *__d_lookup(const struct dentry *parent, const struct qstr *name) goto next; } @@ -60668,7 +60812,7 @@ index 03dca3c..f66c622 100644 found = dentry; spin_unlock(&dentry->d_lock); break; -@@ -2282,7 +2282,7 @@ again: +@@ -2282,7 +2285,7 @@ again: spin_lock(&dentry->d_lock); inode = dentry->d_inode; isdir = S_ISDIR(inode->i_mode); 
@@ -60677,7 +60821,7 @@ index 03dca3c..f66c622 100644 if (!spin_trylock(&inode->i_lock)) { spin_unlock(&dentry->d_lock); cpu_relax(); -@@ -3308,7 +3308,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry) +@@ -3308,7 +3311,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry) if (!(dentry->d_flags & DCACHE_GENOCIDE)) { dentry->d_flags |= DCACHE_GENOCIDE; @@ -60686,7 +60830,7 @@ index 03dca3c..f66c622 100644 } } return D_WALK_CONTINUE; -@@ -3424,7 +3424,8 @@ void __init vfs_caches_init(unsigned long mempages) +@@ -3424,7 +3427,8 @@ void __init vfs_caches_init(unsigned long mempages) mempages -= reserve; names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0, @@ -62024,7 +62168,7 @@ index 5797d45..7d7d79a 100644 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) { diff --git a/fs/fs_struct.c b/fs/fs_struct.c -index 7dca743..543d620 100644 +index 7dca743..f5e007d 100644 --- a/fs/fs_struct.c +++ b/fs/fs_struct.c @@ -4,6 +4,7 @@ @@ -62035,15 +62179,27 @@ index 7dca743..543d620 100644 #include "internal.h" /* -@@ -19,6 +20,7 @@ void set_fs_root(struct fs_struct *fs, const struct path *path) +@@ -15,14 +16,18 @@ void set_fs_root(struct fs_struct *fs, const struct path *path) + struct path old_root; + + path_get(path); ++ gr_inc_chroot_refcnts(path->dentry, path->mnt); + spin_lock(&fs->lock); write_seqcount_begin(&fs->seq); old_root = fs->root; fs->root = *path; + gr_set_chroot_entries(current, path); write_seqcount_end(&fs->seq); spin_unlock(&fs->lock); - if (old_root.dentry) -@@ -67,6 +69,10 @@ void chroot_fs_refs(const struct path *old_root, const struct path *new_root) +- if (old_root.dentry) ++ if (old_root.dentry) { ++ gr_inc_chroot_refcnts(old_root.dentry, old_root.mnt); + path_put(&old_root); ++ } + } + + /* +@@ -67,6 +72,10 @@ void chroot_fs_refs(const struct path *old_root, const struct path *new_root) int hits = 0; spin_lock(&fs->lock); write_seqcount_begin(&fs->seq); 
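Review bot: The replaced root is incremented instead of decremented: in set_fs_root the new `if (old_root.dentry) {` branch calls `gr_inc_chroot_refcnts(old_root.dentry, old_root.mnt);` right before `path_put(&old_root)`, so every re-chroot leaves the previous root and each ancestor up to its mount root with a permanently raised chroot_refcnt. With only the new-root increment at the top of the function and a release-side decrement elsewhere, the counters drift upward and directories that were once a chroot root stay treated as one, which for this feature means spurious EXDEV on renames out of them rather than a silent bypass. The line should read `gr_dec_chroot_refcnts(old_root.dentry, old_root.mnt);`. The matching decrement appears to live in free_fs_struct in a later hunk, if I read the series correctly.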
@@ -62054,7 +62210,15 @@ index 7dca743..543d620 100644 hits += replace_path(&fs->root, old_root, new_root); hits += replace_path(&fs->pwd, old_root, new_root); write_seqcount_end(&fs->seq); -@@ -99,7 +105,8 @@ void exit_fs(struct task_struct *tsk) +@@ -85,6 +94,7 @@ void chroot_fs_refs(const struct path *old_root, const struct path *new_root) + + void free_fs_struct(struct fs_struct *fs) + { ++ gr_dec_chroot_refcnts(fs->root.dentry, fs->root.mnt); + path_put(&fs->root); + path_put(&fs->pwd); + kmem_cache_free(fs_cachep, fs); +@@ -99,7 +109,8 @@ void exit_fs(struct task_struct *tsk) task_lock(tsk); spin_lock(&fs->lock); tsk->fs = NULL; @@ -62064,7 +62228,7 @@ index 7dca743..543d620 100644 spin_unlock(&fs->lock); task_unlock(tsk); if (kill) -@@ -112,7 +119,7 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old) +@@ -112,7 +123,7 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old) struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL); /* We don't need to lock fs - think why ;-) */ if (fs) { @@ -62073,7 +62237,7 @@ index 7dca743..543d620 100644 fs->in_exec = 0; spin_lock_init(&fs->lock); seqcount_init(&fs->seq); -@@ -121,6 +128,9 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old) +@@ -121,6 +132,9 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old) spin_lock(&old->lock); fs->root = old->root; path_get(&fs->root); @@ -62083,7 +62247,7 @@ index 7dca743..543d620 100644 fs->pwd = old->pwd; path_get(&fs->pwd); spin_unlock(&old->lock); -@@ -139,8 +149,9 @@ int unshare_fs_struct(void) +@@ -139,8 +153,9 @@ int unshare_fs_struct(void) task_lock(current); spin_lock(&fs->lock); @@ -62094,7 +62258,7 @@ index 7dca743..543d620 100644 spin_unlock(&fs->lock); task_unlock(current); -@@ -153,13 +164,13 @@ EXPORT_SYMBOL_GPL(unshare_fs_struct); +@@ -153,13 +168,13 @@ EXPORT_SYMBOL_GPL(unshare_fs_struct); int current_umask(void) { @@ -63844,7 +64008,7 @@ index acd3947..1f896e2 100644 memcpy(c->data, &cookie, 4); c->len=4; 
diff --git a/fs/locks.c b/fs/locks.c -index 735b8d3..dfc44a2 100644 +index 59e2f90..bd69071 100644 --- a/fs/locks.c +++ b/fs/locks.c @@ -2374,7 +2374,7 @@ void locks_remove_file(struct file *filp) @@ -63892,7 +64056,7 @@ index f82c628..9492b99 100644 #define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */ diff --git a/fs/namei.c b/fs/namei.c -index db5fe86..d3dcc14 100644 +index db5fe86..ac769e4 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -331,17 +331,32 @@ int generic_permission(struct inode *inode, int mask) @@ -64396,10 +64560,18 @@ index db5fe86..d3dcc14 100644 done_path_create(&new_path, new_dentry); if (delegated_inode) { error = break_deleg_wait(&delegated_inode); -@@ -4304,6 +4486,12 @@ retry_deleg: +@@ -4304,6 +4486,20 @@ retry_deleg: if (new_dentry == trap) goto exit5; ++ if (gr_bad_chroot_rename(old_dentry, oldnd.path.mnt, new_dentry, newnd.path.mnt)) { ++ /* use EXDEV error to cause 'mv' to switch to an alternative ++ * method for usability ++ */ ++ error = -EXDEV; ++ goto exit5; ++ } ++ + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt, + old_dentry, old_dir->d_inode, oldnd.path.mnt, + to, flags); @@ -64409,7 +64581,7 @@ index db5fe86..d3dcc14 100644 error = security_path_rename(&oldnd.path, old_dentry, &newnd.path, new_dentry, flags); if (error) -@@ -4311,6 +4499,9 @@ retry_deleg: +@@ -4311,6 +4507,9 @@ retry_deleg: error = vfs_rename(old_dir->d_inode, old_dentry, new_dir->d_inode, new_dentry, &delegated_inode, flags); @@ -64419,7 +64591,7 @@ index db5fe86..d3dcc14 100644 exit5: dput(new_dentry); exit4: -@@ -4367,14 +4558,24 @@ EXPORT_SYMBOL(vfs_whiteout); +@@ -4367,14 +4566,24 @@ EXPORT_SYMBOL(vfs_whiteout); int readlink_copy(char __user *buffer, int buflen, const char *link) { @@ -66719,7 +66891,7 @@ index 094e44d..085a877 100644 } diff --git a/fs/proc/stat.c b/fs/proc/stat.c -index bf2d03f..f058f9c 100644 +index 510413eb..34d9a8c 100644 --- a/fs/proc/stat.c +++ b/fs/proc/stat.c @@ -11,6 +11,7 @@ 
@@ -66814,8 +66986,8 @@ index bf2d03f..f058f9c 100644 /* sum again ? it could be updated? */ for_each_irq_nr(j) -- seq_put_decimal_ull(p, ' ', kstat_irqs(j)); -+ seq_put_decimal_ull(p, ' ', unrestricted ? kstat_irqs(j) : 0ULL); +- seq_put_decimal_ull(p, ' ', kstat_irqs_usr(j)); ++ seq_put_decimal_ull(p, ' ', unrestricted ? kstat_irqs_usr(j) : 0ULL); seq_printf(p, "\nctxt %llu\n" @@ -68011,10 +68183,10 @@ index 6a51619..9592e1b 100644 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..f27264e +index 0000000..31f8fe4 --- /dev/null +++ b/grsecurity/Kconfig -@@ -0,0 +1,1166 @@ +@@ -0,0 +1,1182 @@ +# +# grecurity configuration +# @@ -68655,6 +68827,22 @@ index 0000000..f27264e + sysctl option is enabled, a sysctl option with name + "chroot_deny_sysctl" is created. + ++config GRKERNSEC_CHROOT_RENAME ++ bool "Deny bad renames" ++ default y if GRKERNSEC_CONFIG_AUTO ++ depends on GRKERNSEC_CHROOT ++ help ++ If you say Y here, an attacker in a chroot will not be able to ++ abuse the ability to create double chroots to break out of the ++ chroot by exploiting a race condition between a rename of a directory ++ within a chroot against an open of a symlink with relative path ++ components. This feature will likewise prevent an accomplice outside ++ a chroot from enabling a user inside the chroot to break out and make ++ use of their credentials on the global filesystem. Enabling this ++ feature is essential to prevent root users from breaking out of a ++ chroot. If the sysctl option is enabled, a sysctl option with name ++ "chroot_deny_bad_rename" is created. ++ +config GRKERNSEC_CHROOT_CAPS + bool "Capability restrictions" + default y if GRKERNSEC_CONFIG_AUTO @@ -69243,10 +69431,10 @@ index 0000000..30ababb +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..6ae3aa0 +index 0000000..9c2d930 --- /dev/null 
+++ b/grsecurity/gracl.c -@@ -0,0 +1,2703 @@ +@@ -0,0 +1,2721 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -70420,9 +70608,10 @@ index 0000000..6ae3aa0 + rcu_read_lock(); + read_lock(&tasklist_lock); + read_lock(&grsec_exec_file_lock); ++ except in the case of gr_set_role_label() (for __gr_get_subject_for_task) +*/ + -+struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename) ++struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback) +{ + char *tmpname; + struct acl_subject_label *tmpsubj; @@ -70464,15 +70653,15 @@ index 0000000..6ae3aa0 + /* this also works for the reload case -- if we don't match a potentially inherited subject + then we fall back to a normal lookup based on the binary's ino/dev + */ -+ if (tmpsubj == NULL) ++ if (tmpsubj == NULL && fallback) + tmpsubj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, task->role); + + return tmpsubj; +} + -+static struct acl_subject_label *gr_get_subject_for_task(struct task_struct *task, const char *filename) ++static struct acl_subject_label *gr_get_subject_for_task(struct task_struct *task, const char *filename, int fallback) +{ -+ return __gr_get_subject_for_task(&running_polstate, task, filename); ++ return __gr_get_subject_for_task(&running_polstate, task, filename, fallback); +} + +void __gr_apply_subject_to_task(const struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj) @@ -70536,7 +70725,7 @@ index 0000000..6ae3aa0 + task->role = current->role; + rcu_read_lock(); + read_lock(&grsec_exec_file_lock); -+ subj = gr_get_subject_for_task(task, NULL); ++ subj = gr_get_subject_for_task(task, NULL, 1); + gr_apply_subject_to_task(task, subj); + read_unlock(&grsec_exec_file_lock); + rcu_read_unlock(); 
@@ -70946,6 +71135,7 @@ index 0000000..6ae3aa0 +gr_set_role_label(struct task_struct *task, const kuid_t kuid, const kgid_t kgid) +{ + struct acl_role_label *role = task->role; ++ struct acl_role_label *origrole = role; + struct acl_subject_label *subj = NULL; + struct acl_object_label *obj; + struct file *filp; @@ -70978,10 +71168,28 @@ index 0000000..6ae3aa0 + ((role->roletype & GR_ROLE_GROUP) && !gr_acl_is_capable(CAP_SETGID)))) + return; + -+ /* perform subject lookup in possibly new role -+ we can use this result below in the case where role == task->role -+ */ -+ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role); ++ task->role = role; ++ ++ if (task->inherited) { ++ /* if we reached our subject through inheritance, then first see ++ if there's a subject of the same name in the new role that has ++ an object that would result in the same inherited subject ++ */ ++ subj = gr_get_subject_for_task(task, task->acl->filename, 0); ++ if (subj) { ++ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, subj); ++ if (!(obj->mode & GR_INHERIT)) ++ subj = NULL; ++ } ++ ++ } ++ if (subj == NULL) { ++ /* otherwise: ++ perform subject lookup in possibly new role ++ we can use this result below in the case where role == task->role ++ */ ++ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role); ++ } + + /* if we changed uid/gid, but result in the same role + and are using inheritance, don't lose the inherited subject @@ -70989,14 +71197,12 @@ index 0000000..6ae3aa0 + would result in, we arrived via inheritance, don't + lose subject + */ -+ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) && ++ if (role != origrole || (!(task->acl->mode & GR_INHERITLEARN) && + (subj == task->acl))) + task->acl = subj; + + /* leave task->inherited unaffected */ + -+ task->role = role; -+ + task->is_writable = 0; + + /* ignore additional mmap checks for processes that are writable @@ -73530,7 +73736,7 @@ index 0000000..25f54ef +}; 
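Review bot: The comment kept above the fallback lookup, `we can use this result below in the case where role == task->role`, is now stale: `task->role = role;` has been hoisted above it, so task->role always equals role at that point and the later test compares against `origrole`. Reword it to `we can use this result below in the case where role == origrole`. In the new inherited branch the result of chk_obj_label is dereferenced unconditionally (`obj->mode`); if that helper can return NULL in this version (not visible in the hunk) the dereference needs a guard, otherwise a one-line comment noting it always yields a default object would save the next reader the same question. gr_set_role_label's body continues outside the hunk.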
diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c new file mode 100644 -index 0000000..3f8ade0 +index 0000000..7949dcd --- /dev/null +++ b/grsecurity/gracl_policy.c @@ -0,0 +1,1782 @@ @@ -73604,7 +73810,7 @@ index 0000000..3f8ade0 +extern void gr_remove_uid(uid_t uid); +extern int gr_find_uid(uid_t uid); + -+extern struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename); ++extern struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback); +extern void __gr_apply_subject_to_task(struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj); +extern int gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb); +extern void __insert_inodev_entry(const struct gr_policy_state *state, struct inodev_entry *entry); @@ -74709,8 +74915,8 @@ index 0000000..3f8ade0 + } + /* this handles non-nested inherited subjects, nested subjects will still + be dropped currently */ -+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename); -+ task->tmpacl = __gr_get_subject_for_task(polstate, task, NULL); ++ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1); ++ task->tmpacl = __gr_get_subject_for_task(polstate, task, NULL, 1); + /* change the role back so that we've made no modifications to the policy */ + task->role = rtmp; + @@ -74742,7 +74948,7 @@ index 0000000..3f8ade0 + /* this handles non-nested inherited subjects, nested subjects will still + be dropped currently */ + if (!reload_state->oldmode && task->inherited) -+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename); ++ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1); + else { + /* looked up and tagged to the task previously */ + subj = task->tmpacl; 
@@ -75291,7 +75497,7 @@ index 0000000..3f8ade0 + if (task->exec_file) { + cred = __task_cred(task); + task->role = __lookup_acl_role_label(polstate, task, GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid)); -+ subj = __gr_get_subject_for_task(polstate, task, NULL); ++ subj = __gr_get_subject_for_task(polstate, task, NULL, 1); + if (subj == NULL) { + ret = -EINVAL; + read_unlock(&grsec_exec_file_lock); @@ -75782,10 +75988,10 @@ index 0000000..bc0be01 +} diff --git a/grsecurity/grsec_chroot.c b/grsecurity/grsec_chroot.c new file mode 100644 -index 0000000..6d99cec +index 0000000..114ea4f --- /dev/null +++ b/grsecurity/grsec_chroot.c -@@ -0,0 +1,385 @@ +@@ -0,0 +1,467 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> 
@@ -75801,6 +76007,88 @@ index 0000000..6d99cec +int gr_init_ran; +#endif + ++void gr_inc_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt) ++{ ++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME ++ struct dentry *tmpd = dentry; ++ ++ read_seqlock_excl(&mount_lock); ++ write_seqlock(&rename_lock); ++ ++ while (tmpd != mnt->mnt_root) { ++ atomic_inc(&tmpd->chroot_refcnt); ++ tmpd = tmpd->d_parent; ++ } ++ atomic_inc(&tmpd->chroot_refcnt); ++ ++ write_sequnlock(&rename_lock); ++ read_sequnlock_excl(&mount_lock); ++#endif ++} ++ ++void gr_dec_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt) ++{ ++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME ++ struct dentry *tmpd = dentry; ++ ++ read_seqlock_excl(&mount_lock); ++ write_seqlock(&rename_lock); ++ ++ while (tmpd != mnt->mnt_root) { ++ atomic_dec(&tmpd->chroot_refcnt); ++ tmpd = tmpd->d_parent; ++ } ++ atomic_dec(&tmpd->chroot_refcnt); ++ ++ write_sequnlock(&rename_lock); ++ read_sequnlock_excl(&mount_lock); ++#endif ++} ++ ++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME ++static struct dentry *get_closest_chroot(struct dentry *dentry) ++{ ++ write_seqlock(&rename_lock); ++ do { ++ if (atomic_read(&dentry->chroot_refcnt)) { ++ write_sequnlock(&rename_lock); ++ return dentry; ++ } ++ dentry = dentry->d_parent; ++ } while (!IS_ROOT(dentry)); ++ write_sequnlock(&rename_lock); ++ return NULL; ++} ++#endif ++ ++int gr_bad_chroot_rename(struct dentry *olddentry, struct vfsmount *oldmnt, ++ struct dentry *newdentry, struct vfsmount *newmnt) ++{ ++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME ++ struct dentry *chroot; ++ ++ if (unlikely(!grsec_enable_chroot_rename)) ++ return 0; ++ ++ if (likely(!proc_is_chrooted(current) && gr_is_global_root(current_uid()))) ++ return 0; ++ ++ chroot = get_closest_chroot(olddentry); ++ ++ if (chroot == NULL) ++ return 0; ++ ++ if (is_subdir(newdentry, chroot)) ++ return 0; ++ ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_RENAME_MSG, olddentry, oldmnt); ++ ++ return 1; ++#else ++ return 0; ++#endif ++} ++ 
+void gr_set_chroot_entries(struct task_struct *task, const struct path *path) +{ +#ifdef CONFIG_GRKERNSEC @@ -76872,10 +77160,10 @@ index 0000000..8ca18bf +} diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c new file mode 100644 -index 0000000..b7cb191 +index 0000000..4ed9e7d --- /dev/null +++ b/grsecurity/grsec_init.c -@@ -0,0 +1,286 @@ +@@ -0,0 +1,290 @@ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/mm.h> @@ -76918,6 +77206,7 @@ index 0000000..b7cb191 +int grsec_enable_chroot_nice; +int grsec_enable_chroot_execlog; +int grsec_enable_chroot_caps; ++int grsec_enable_chroot_rename; +int grsec_enable_chroot_sysctl; +int grsec_enable_chroot_unix; +int grsec_enable_tpe; @@ -77129,6 +77418,9 @@ index 0000000..b7cb191 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS + grsec_enable_chroot_caps = 1; +#endif ++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME ++ grsec_enable_chroot_rename = 1; ++#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL + grsec_enable_chroot_sysctl = 1; +#endif @@ -78359,10 +78651,10 @@ index 0000000..e3650b6 +} diff --git a/grsecurity/grsec_sysctl.c b/grsecurity/grsec_sysctl.c new file mode 100644 -index 0000000..8159888 +index 0000000..cce889e --- /dev/null +++ b/grsecurity/grsec_sysctl.c -@@ -0,0 +1,479 @@ +@@ -0,0 +1,488 @@ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/sysctl.h> @@ -78632,6 +78924,15 @@ index 0000000..8159888 + .proc_handler = &proc_dointvec, + }, +#endif ++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME ++ { ++ .procname = "chroot_deny_bad_rename", ++ .data = &grsec_enable_chroot_rename, ++ .maxlen = sizeof(int), ++ .mode = 0600, ++ .proc_handler = &proc_dointvec, ++ }, ++#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL + { + .procname = "chroot_deny_sysctl", @@ -80516,10 +80817,20 @@ index 653589e..4ef254a 100644 return c | 0x20; } diff --git a/include/linux/dcache.h b/include/linux/dcache.h -index 1c2f1b8..c67151e 100644 +index 1c2f1b8..7b9f50c 100644 --- a/include/linux/dcache.h 
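Review bot: The ancestor walk `while (tmpd != mnt->mnt_root)` in gr_inc_chroot_refcnts and gr_dec_chroot_refcnts has no termination guard other than reaching the mount root; a superblock root's d_parent is itself, so a dentry that is not beneath mnt->mnt_root (a caller passing a mismatched dentry/mnt pair) would spin forever with rename_lock and mount_lock held. A fail-safe check in the loop, `if (WARN_ON_ONCE(IS_ROOT(tmpd))) break;`, costs nothing on the normal path. The two functions are otherwise line-for-line identical; one static helper taking the delta would keep them from drifting apart. get_closest_chroot also deserves a comment: its do/while examines the starting dentry but exits before looking at the superblock root, which appears intentional since a rename cannot leave the superblock anyway, e.g. `/* the sb root itself is never checked: a rename cannot cross it */`.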
+++ b/include/linux/dcache.h -@@ -133,7 +133,7 @@ struct dentry { +@@ -123,6 +123,9 @@ struct dentry { + unsigned long d_time; /* used by d_revalidate */ + void *d_fsdata; /* fs-specific data */ + ++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME ++ atomic_t chroot_refcnt; /* tracks use of directory in chroot */ ++#endif + struct list_head d_lru; /* LRU list */ + struct list_head d_child; /* child of parent list */ + struct list_head d_subdirs; /* our children */ +@@ -133,7 +136,7 @@ struct dentry { struct hlist_node d_alias; /* inode alias list */ struct rcu_head d_rcu; } d_u; @@ -81643,10 +81954,10 @@ index 0000000..be66033 +#endif diff --git a/include/linux/grinternal.h b/include/linux/grinternal.h new file mode 100644 -index 0000000..d25522e +index 0000000..fb1de5d --- /dev/null +++ b/include/linux/grinternal.h -@@ -0,0 +1,229 @@ +@@ -0,0 +1,230 @@ +#ifndef __GRINTERNAL_H +#define __GRINTERNAL_H + @@ -81706,6 +82017,7 @@ index 0000000..d25522e +extern int grsec_enable_chroot_nice; +extern int grsec_enable_chroot_execlog; +extern int grsec_enable_chroot_caps; ++extern int grsec_enable_chroot_rename; +extern int grsec_enable_chroot_sysctl; +extern int grsec_enable_chroot_unix; +extern int grsec_enable_symlinkown; @@ -81878,10 +82190,10 @@ index 0000000..d25522e +#endif diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h new file mode 100644 -index 0000000..b02ba9d +index 0000000..26ef560 --- /dev/null +++ b/include/linux/grmsg.h -@@ -0,0 +1,117 @@ +@@ -0,0 +1,118 @@ +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u" +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u" +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by " 
@@ -81925,6 +82237,7 @@ index 0000000..b02ba9d +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by " +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by " +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by " ++#define GR_CHROOT_RENAME_MSG "denied bad rename of %.950s out of a chroot by " +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by " +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by " +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by " @@ -82001,10 +82314,10 @@ index 0000000..b02ba9d +#define GR_MSRWRITE_MSG "denied write to CPU MSR by " diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h new file mode 100644 -index 0000000..c3b0738 +index 0000000..6c76fcb --- /dev/null +++ b/include/linux/grsecurity.h -@@ -0,0 +1,244 @@ +@@ -0,0 +1,249 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H +#include <linux/fs.h> @@ -82216,6 +82529,11 @@ index 0000000..c3b0738 + +int gr_ptrace_readexec(struct file *file, int unsafe_flags); + ++void gr_inc_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt); ++void gr_dec_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt); ++int gr_bad_chroot_rename(struct dentry *olddentry, struct vfsmount *oldmnt, ++ struct dentry *newdentry, struct vfsmount *newmnt); ++ +#ifdef CONFIG_GRKERNSEC_RESLOG +extern void gr_log_resource(const struct task_struct *task, const int res, + const unsigned long wanted, const int gt); @@ -83550,18 +83868,18 @@ index 17d8339..81656c0 100644 struct iovec; struct kvec; diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h -index 74fd5d3..86a1e4f 100644 +index 22339b4..4b4d5b3 100644 --- a/include/linux/netdevice.h 
+++ b/include/linux/netdevice.h -@@ -1156,6 +1156,7 @@ struct net_device_ops { - bool (*ndo_gso_check) (struct sk_buff *skb, - struct net_device *dev); +@@ -1160,6 +1160,7 @@ struct net_device_ops { + struct net_device *dev, + netdev_features_t features); }; +typedef struct net_device_ops __no_const net_device_ops_no_const; /** * enum net_device_priv_flags - &struct net_device priv_flags -@@ -1498,10 +1499,10 @@ struct net_device { +@@ -1502,10 +1503,10 @@ struct net_device { struct net_device_stats stats; @@ -93512,7 +93830,7 @@ index c1bd4ad..4b861dc 100644 ret = -EIO; diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c -index 31c90fe..051ce98 100644 +index 124e2c7..762ca29 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -2183,12 +2183,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec) @@ -93535,7 +93853,7 @@ index 31c90fe..051ce98 100644 } /* -@@ -4492,8 +4497,10 @@ static int ftrace_process_locs(struct module *mod, +@@ -4529,8 +4534,10 @@ static int ftrace_process_locs(struct module *mod, if (!count) return 0; @@ -93546,7 +93864,7 @@ index 31c90fe..051ce98 100644 start_pg = ftrace_allocate_pages(count); if (!start_pg) -@@ -5340,7 +5347,7 @@ static int alloc_retstack_tasklist(struct ftrace_ret_stack **ret_stack_list) +@@ -5377,7 +5384,7 @@ static int alloc_retstack_tasklist(struct ftrace_ret_stack **ret_stack_list) if (t->ret_stack == NULL) { atomic_set(&t->tracing_graph_pause, 0); @@ -93555,7 +93873,7 @@ index 31c90fe..051ce98 100644 t->curr_ret_stack = -1; /* Make sure the tasks see the -1 first: */ smp_wmb(); -@@ -5553,7 +5560,7 @@ static void +@@ -5590,7 +5597,7 @@ static void graph_init_task(struct task_struct *t, struct ftrace_ret_stack *ret_stack) { atomic_set(&t->tracing_graph_pause, 0); @@ -100385,18 +100703,9 @@ index 1e80539..676c37a 100644 if (ogm_packet->flags & BATADV_DIRECTLINK) has_directlink_flag = true; 
diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c -index fc1835c..42f2c2f 100644 +index 00f9e14..e1c7203 100644 --- a/net/batman-adv/fragmentation.c +++ b/net/batman-adv/fragmentation.c -@@ -251,7 +251,7 @@ batadv_frag_merge_packets(struct hlist_head *chain, struct sk_buff *skb) - kfree(entry); - - /* Make room for the rest of the fragments. */ -- if (pskb_expand_head(skb_out, 0, size - skb->len, GFP_ATOMIC) < 0) { -+ if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) { - kfree_skb(skb_out); - skb_out = NULL; - goto free; @@ -450,7 +450,7 @@ bool batadv_frag_send_packet(struct sk_buff *skb, frag_header.packet_type = BATADV_UNICAST_FRAG; frag_header.version = BATADV_COMPAT_VERSION; @@ -101008,7 +101317,7 @@ index fdbc9a8..cd6972c 100644 return err; diff --git a/net/core/dev.c b/net/core/dev.c -index 945bbd0..8b1a370 100644 +index 8440968..d1d6bea 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -1683,14 +1683,14 @@ int __dev_forward_skb(struct net_device *dev, struct sk_buff *skb) @@ -101028,7 +101337,7 @@ index 945bbd0..8b1a370 100644 kfree_skb(skb); return NET_RX_DROP; } -@@ -2985,7 +2985,7 @@ recursion_alert: +@@ -2994,7 +2994,7 @@ recursion_alert: drop: rcu_read_unlock_bh(); @@ -101037,7 +101346,7 @@ index 945bbd0..8b1a370 100644 kfree_skb_list(skb); return rc; out: -@@ -3328,7 +3328,7 @@ enqueue: +@@ -3337,7 +3337,7 @@ enqueue: local_irq_restore(flags); @@ -101046,7 +101355,7 @@ index 945bbd0..8b1a370 100644 kfree_skb(skb); return NET_RX_DROP; } -@@ -3405,7 +3405,7 @@ int netif_rx_ni(struct sk_buff *skb) +@@ -3414,7 +3414,7 @@ int netif_rx_ni(struct sk_buff *skb) } EXPORT_SYMBOL(netif_rx_ni); @@ -101055,7 +101364,7 @@ index 945bbd0..8b1a370 100644 { struct softnet_data *sd = this_cpu_ptr(&softnet_data); -@@ -3738,7 +3738,7 @@ ncls: +@@ -3747,7 +3747,7 @@ ncls: ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev); } else { drop: 
@@ -101064,7 +101373,7 @@ index 945bbd0..8b1a370 100644 kfree_skb(skb); /* Jamal, now you will not able to escape explaining * me how you were going to use this. :-) -@@ -4502,7 +4502,7 @@ void netif_napi_del(struct napi_struct *napi) +@@ -4511,7 +4511,7 @@ void netif_napi_del(struct napi_struct *napi) } EXPORT_SYMBOL(netif_napi_del); @@ -101073,7 +101382,7 @@ index 945bbd0..8b1a370 100644 { struct softnet_data *sd = this_cpu_ptr(&softnet_data); unsigned long time_limit = jiffies + 2; -@@ -6548,8 +6548,8 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, +@@ -6557,8 +6557,8 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, } else { netdev_stats_to_stats64(storage, &dev->stats); } @@ -101441,7 +101750,7 @@ index b442e7e..6f5b5a2 100644 { struct socket *sock; diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index 32e31c2..e981248 100644 +index d7543d0..ff96aec 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -2025,7 +2025,7 @@ EXPORT_SYMBOL(__skb_checksum); @@ -102082,7 +102391,7 @@ index 2811cc1..ad5a534 100644 return -ENOMEM; } diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c -index 12055fd..df852c4 100644 +index 69aaf0a..8298c029 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -115,7 +115,7 @@ static bool log_ecn_error = true; @@ -102094,7 +102403,7 @@ index 12055fd..df852c4 100644 static int ipgre_tunnel_init(struct net_device *dev); static int ipgre_net_id __read_mostly; -@@ -815,7 +815,7 @@ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = { +@@ -816,7 +816,7 @@ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = { [IFLA_GRE_ENCAP_DPORT] = { .type = NLA_U16 }, }; @@ -102103,7 +102412,7 @@ index 12055fd..df852c4 100644 .kind = "gre", .maxtype = IFLA_GRE_MAX, .policy = ipgre_policy, -@@ -829,7 +829,7 @@ static struct rtnl_link_ops ipgre_link_ops __read_mostly = { +@@ -830,7 +830,7 @@ static struct rtnl_link_ops ipgre_link_ops __read_mostly = { .fill_info = ipgre_fill_info, }; 
@@ -102366,7 +102675,7 @@ index e90f83a..3e6acca 100644 pr_err("Unable to proc dir entry\n"); return -ENOMEM; diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index 5d740cc..b2842b9 100644 +index 5d740cc..22c8e65 100644 --- a/net/ipv4/ping.c +++ b/net/ipv4/ping.c @@ -59,7 +59,7 @@ struct ping_table { @@ -102418,7 +102727,20 @@ index 5d740cc..b2842b9 100644 else if (skb->protocol == htons(ETH_P_IP) && isk->cmsg_flags) ip_cmsg_recv(msg, skb); #endif -@@ -1105,7 +1105,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f, +@@ -965,8 +965,11 @@ void ping_rcv(struct sk_buff *skb) + + sk = ping_lookup(net, skb, ntohs(icmph->un.echo.id)); + if (sk != NULL) { ++ struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC); ++ + pr_debug("rcv on socket %p\n", sk); +- ping_queue_rcv_skb(sk, skb_get(skb)); ++ if (skb2) ++ ping_queue_rcv_skb(sk, skb2); + sock_put(sk); + return; + } +@@ -1105,7 +1108,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f, from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)), 0, sock_i_ino(sp), atomic_read(&sp->sk_refcnt), sp, @@ -103661,7 +103983,7 @@ index c5c10fa..2577d51 100644 struct ctl_table *ipv6_icmp_table; int err; diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index c277951..c7ee5bf 100644 +index c113602..0cccb46 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -104,6 +104,10 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb) @@ -103685,10 +104007,10 @@ index c277951..c7ee5bf 100644 tcp_v6_send_reset(sk, skb); discard: if (opt_skb) -@@ -1434,12 +1441,20 @@ static int tcp_v6_rcv(struct sk_buff *skb) +@@ -1441,12 +1448,20 @@ static int tcp_v6_rcv(struct sk_buff *skb) sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest, - tcp_v6_iif(skb)); + inet6_iif(skb)); - if (!sk) + if (!sk) { +#ifdef CONFIG_GRKERNSEC_BLACKHOLE 
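Review bot: The new `if (skb2)` guard in `ping_rcv` drops the echo reply silently when `skb_clone()` fails under memory pressure: no counter, no trace, so operators chasing ping loss cannot tell an allocation failure from a filtered packet. A short comment would at least make the intent explicit, e.g. `/* clone failed: drop quietly; the original skb presumably stays owned and freed by the caller */`, and a drop statistic or `pr_debug()` on that path would make it observable. The same change is repeated for the 3.2.66 patch in the later `net/ipv4/ping.c` hunk (the `ping_v4_lookup` variant), so the comment belongs in both. `ping_rcv`'s body begins and ends outside this hunk, so who frees the original skb is inferred rather than visible here.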
@@ -103708,7 +104030,7 @@ index c277951..c7ee5bf 100644 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) { NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP); -@@ -1486,6 +1501,10 @@ csum_error: +@@ -1497,6 +1512,10 @@ csum_error: bad_packet: TCP_INC_STATS_BH(net, TCP_MIB_INERRS); } else { @@ -103772,10 +104094,10 @@ index f6ba535..b41033f 100644 kfree_skb(skb); diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c -index 5f98364..5ca982a 100644 +index 5f98364..691985a 100644 --- a/net/ipv6/xfrm6_policy.c +++ b/net/ipv6/xfrm6_policy.c -@@ -130,8 +130,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) +@@ -130,12 +130,18 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) { struct flowi6 *fl6 = &fl->u.ip6; int onlyproto = 0; @@ -103784,8 +104106,19 @@ index 5f98364..5ca982a 100644 + u16 offset = sizeof(*hdr); struct ipv6_opt_hdr *exthdr; const unsigned char *nh = skb_network_header(skb); - u8 nexthdr = nh[IP6CB(skb)->nhoff]; -@@ -217,11 +217,11 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) +- u8 nexthdr = nh[IP6CB(skb)->nhoff]; ++ u16 nhoff = IP6CB(skb)->nhoff; + int oif = 0; ++ u8 nexthdr; ++ ++ if (!nhoff) ++ nhoff = offsetof(struct ipv6hdr, nexthdr); ++ ++ nexthdr = nh[nhoff]; + + if (skb_dst(skb)) + oif = skb_dst(skb)->dev->ifindex; +@@ -217,11 +223,11 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) } } @@ -103799,7 +104132,7 @@ index 5f98364..5ca982a 100644 return dst_entries_get_fast(ops) > ops->gc_thresh * 2; } -@@ -334,19 +334,19 @@ static struct ctl_table xfrm6_policy_table[] = { +@@ -334,19 +340,19 @@ static struct ctl_table xfrm6_policy_table[] = { static int __net_init xfrm6_net_init(struct net *net) { @@ -103824,7 +104157,7 @@ index 5f98364..5ca982a 100644 if (!hdr) goto err_reg; -@@ -354,8 +354,7 @@ static int __net_init xfrm6_net_init(struct net *net) +@@ -354,8 +360,7 @@ static int __net_init xfrm6_net_init(struct net *net) return 0; err_reg: 
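Review bot: The `if (!nhoff) nhoff = offsetof(struct ipv6hdr, nexthdr);` fallback in `_decode_session6` treats 0 as "IP6CB was never filled in", which only works because the `nexthdr` field never sits at offset 0 of the packet; that reasoning is not written down, and a later reader may take 0 for a legitimate offset. Suggest a comment above the test: `/* nhoff is 0 only when IP6CB(skb) was never set up (presumably skbs that did not pass the IPv6 receive path); a real next-header offset is never 0 */`. It would also help to say why a `u16` copy is taken instead of reading `IP6CB(skb)->nhoff` in place, since the old code indexed `nh[]` with it directly. `_decode_session6`'s body continues outside the hunk.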
@@ -104829,7 +105162,7 @@ index 11de55e..f25e448 100644 return 0; } diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c -index b6bf8e8..7884ddf 100644 +index 79c965a..ee2b76d 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -273,7 +273,7 @@ static void netlink_overrun(struct sock *sk) @@ -104841,7 +105174,7 @@ index b6bf8e8..7884ddf 100644 } static void netlink_rcv_wake(struct sock *sk) -@@ -3010,7 +3010,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v) +@@ -2990,7 +2990,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v) sk_wmem_alloc_get(s), nlk->cb_running, atomic_read(&s->sk_refcnt), @@ -105462,6 +105795,46 @@ index f226709..0e735a8 100644 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial)); ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len); +diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c +index eed49d1..ce22514 100644 +--- a/net/sched/cls_bpf.c ++++ b/net/sched/cls_bpf.c +@@ -191,6 +191,11 @@ static int cls_bpf_modify_existing(struct net *net, struct tcf_proto *tp, + } + + bpf_size = bpf_len * sizeof(*bpf_ops); ++ if (bpf_size != nla_len(tb[TCA_BPF_OPS])) { ++ ret = -EINVAL; ++ goto errout; ++ } ++ + bpf_ops = kzalloc(bpf_size, GFP_KERNEL); + if (bpf_ops == NULL) { + ret = -ENOMEM; +@@ -226,15 +231,21 @@ static u32 cls_bpf_grab_new_handle(struct tcf_proto *tp, + struct cls_bpf_head *head) + { + unsigned int i = 0x80000000; ++ u32 handle; + + do { + if (++head->hgen == 0x7FFFFFFF) + head->hgen = 1; + } while (--i > 0 && cls_bpf_get(tp, head->hgen)); +- if (i == 0) ++ ++ if (unlikely(i == 0)) { + pr_err("Insufficient number of handles\n"); ++ handle = 0; ++ } else { ++ handle = head->hgen; ++ } + +- return i; ++ return handle; + } + + static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c index 6efca30..1259f82 100644 --- a/net/sched/sch_generic.c 
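Review bot: The new `bpf_size != nla_len(tb[TCA_BPF_OPS])` check in `cls_bpf_modify_existing` is the guard that stops a user-controlled `bpf_len` (presumably from `TCA_BPF_OPS_LEN`, parsed outside the hunk) from over-reading a shorter `TCA_BPF_OPS` attribute, but nothing in the hunk says so and the copy it protects is not visible. Suggest `/* TCA_BPF_OPS must carry exactly bpf_len instructions; a mismatch would over-read the attribute when it is copied into bpf_ops */` above the test. In `cls_bpf_grab_new_handle`, returning `handle = 0` on exhaustion makes 0 the failure sentinel, which is only safe because the loop resets `head->hgen` to 1 on wrap; `/* 0 is never a valid handle: hgen wraps to 1 */` above the `return handle;` would pin that contract down for the caller, which is not shown here.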
@@ -105484,6 +105857,18 @@ index 6efca30..1259f82 100644 linkwatch_fire_event(dev); } } +diff --git a/net/sctp/associola.c b/net/sctp/associola.c +index f791edd..26d06db 100644 +--- a/net/sctp/associola.c ++++ b/net/sctp/associola.c +@@ -1182,7 +1182,6 @@ void sctp_assoc_update(struct sctp_association *asoc, + asoc->peer.peer_hmacs = new->peer.peer_hmacs; + new->peer.peer_hmacs = NULL; + +- sctp_auth_key_put(asoc->asoc_shared_key); + sctp_auth_asoc_init_active_key(asoc, GFP_ATOMIC); + } + diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c index 0e4198e..f94193e 100644 --- a/net/sctp/ipv6.c @@ -106771,7 +107156,7 @@ index 649ce68..f6bc05c 100644 endif diff --git a/scripts/Makefile.clean b/scripts/Makefile.clean -index b1c668d..638055f 100644 +index a609552..fde19cd 100644 --- a/scripts/Makefile.clean +++ b/scripts/Makefile.clean @@ -41,7 +41,8 @@ subdir-ymn := $(addprefix $(obj)/,$(subdir-ymn)) @@ -117463,10 +117848,10 @@ index 0000000..4378111 +} diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data new file mode 100644 -index 0000000..f38f762 +index 0000000..f2bd55d --- /dev/null +++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data -@@ -0,0 +1,6029 @@ +@@ -0,0 +1,6031 @@ +intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL +storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL +compat_sock_setsockopt_23 compat_sock_setsockopt 5 23 NULL @@ -118442,6 +118827,7 @@ index 0000000..f38f762 +rd_build_prot_space_10761 rd_build_prot_space 2-3 10761 NULL +kvm_read_guest_atomic_10765 kvm_read_guest_atomic 4 10765 NULL +__qp_memcpy_to_queue_10779 __qp_memcpy_to_queue 2-4 10779 NULL ++ttm_dma_page_pool_free_10796 ttm_dma_page_pool_free 2-0 10796 NULL +diva_set_trace_filter_10820 diva_set_trace_filter 0-1 10820 NULL +lbs_sleepparams_read_10840 lbs_sleepparams_read 3 10840 NULL +ext4_direct_IO_10843 ext4_direct_IO 4 10843 NULL 
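Review bot: Removing `sctp_auth_key_put(asoc->asoc_shared_key);` from `sctp_assoc_update` is correct only if `sctp_auth_asoc_init_active_key()` releases the previous shared key itself, and the hunk gives no hint of that, so a future reader will see what looks like a leaked reference and may put it back, reintroducing the double release. Suggest `/* no explicit put here: sctp_auth_asoc_init_active_key() is expected to drop the old asoc_shared_key before installing the new one */` above the call (the callee's behaviour is inferred, not visible here). The identical deletion is applied to the 3.2.66 patch at the end of the page, where the hunk is cut off by the chunk boundary, and should carry the same comment.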
@@ -119732,6 +120118,7 @@ index 0000000..f38f762 +evdev_do_ioctl_24459 evdev_do_ioctl 2 24459 NULL +lbs_highsnr_write_24460 lbs_highsnr_write 3 24460 NULL +skb_copy_and_csum_datagram_iovec_24466 skb_copy_and_csum_datagram_iovec 2 24466 NULL ++ttm_page_pool_free_24486 ttm_page_pool_free 2-0 24486 NULL +dut_mode_read_24489 dut_mode_read 3 24489 NULL +read_file_spec_scan_ctl_24491 read_file_spec_scan_ctl 3 24491 NULL +pd_video_read_24510 pd_video_read 3 24510 NULL diff --git a/3.18.3/4425_grsec_remove_EI_PAX.patch b/3.18.4/4425_grsec_remove_EI_PAX.patch index 86e242a..86e242a 100644 --- a/3.18.3/4425_grsec_remove_EI_PAX.patch +++ b/3.18.4/4425_grsec_remove_EI_PAX.patch diff --git a/3.18.3/4427_force_XATTR_PAX_tmpfs.patch b/3.18.4/4427_force_XATTR_PAX_tmpfs.patch index 22c9273..22c9273 100644 --- a/3.18.3/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.18.4/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.18.3/4430_grsec-remove-localversion-grsec.patch b/3.18.4/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.18.3/4430_grsec-remove-localversion-grsec.patch +++ b/3.18.4/4430_grsec-remove-localversion-grsec.patch diff --git a/3.18.3/4435_grsec-mute-warnings.patch b/3.18.4/4435_grsec-mute-warnings.patch index 0585e08..0585e08 100644 --- a/3.18.3/4435_grsec-mute-warnings.patch +++ b/3.18.4/4435_grsec-mute-warnings.patch diff --git a/3.18.3/4440_grsec-remove-protected-paths.patch b/3.18.4/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/3.18.3/4440_grsec-remove-protected-paths.patch +++ b/3.18.4/4440_grsec-remove-protected-paths.patch diff --git a/3.18.3/4450_grsec-kconfig-default-gids.patch b/3.18.4/4450_grsec-kconfig-default-gids.patch index 039bad1..5c025da 100644 --- a/3.18.3/4450_grsec-kconfig-default-gids.patch +++ b/3.18.4/4450_grsec-kconfig-default-gids.patch @@ -16,7 +16,7 @@ from shooting themselves in the foot. diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig 
--- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400 +++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400 -@@ -678,7 +678,7 @@ +@@ -694,7 +694,7 @@ config GRKERNSEC_AUDIT_GID int "GID for auditing" depends on GRKERNSEC_AUDIT_GROUP @@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig config GRKERNSEC_EXECLOG bool "Exec logging" -@@ -909,7 +909,7 @@ +@@ -925,7 +925,7 @@ config GRKERNSEC_TPE_UNTRUSTED_GID int "GID for TPE-untrusted users" depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT @@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *enabled* for. If the sysctl option is enabled, a sysctl option -@@ -918,7 +918,7 @@ +@@ -934,7 +934,7 @@ config GRKERNSEC_TPE_TRUSTED_GID int "GID for TPE-trusted users" depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT @@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option -@@ -1003,7 +1003,7 @@ +@@ -1019,7 +1019,7 @@ config GRKERNSEC_SOCKET_ALL_GID int "GID to deny all sockets for" depends on GRKERNSEC_SOCKET_ALL @@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable socket access for. Remember to add the users you want socket access disabled for to the GID -@@ -1024,7 +1024,7 @@ +@@ -1040,7 +1040,7 @@ config GRKERNSEC_SOCKET_CLIENT_GID int "GID to deny client sockets for" depends on GRKERNSEC_SOCKET_CLIENT @@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable client socket access for. Remember to add the users you want client socket access disabled for to -@@ -1042,7 +1042,7 @@ +@@ -1058,7 +1058,7 @@ config GRKERNSEC_SOCKET_SERVER_GID int "GID to deny server sockets for" depends on GRKERNSEC_SOCKET_SERVER 
diff --git a/3.18.3/4465_selinux-avc_audit-log-curr_ip.patch b/3.18.4/4465_selinux-avc_audit-log-curr_ip.patch index 747ac53..ba89596 100644 --- a/3.18.3/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.18.4/4465_selinux-avc_audit-log-curr_ip.patch @@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400 +++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400 -@@ -1137,6 +1137,27 @@ +@@ -1153,6 +1153,27 @@ menu "Logging Options" depends on GRKERNSEC diff --git a/3.18.3/4470_disable-compat_vdso.patch b/3.18.4/4470_disable-compat_vdso.patch index df785ab..df785ab 100644 --- a/3.18.3/4470_disable-compat_vdso.patch +++ b/3.18.4/4470_disable-compat_vdso.patch diff --git a/3.18.3/4475_emutramp_default_on.patch b/3.18.4/4475_emutramp_default_on.patch index ad4967a..ad4967a 100644 --- a/3.18.3/4475_emutramp_default_on.patch +++ b/3.18.4/4475_emutramp_default_on.patch diff --git a/3.2.66/0000_README b/3.2.66/0000_README index f9825bd..2b43bf6 100644 --- a/3.2.66/0000_README +++ b/3.2.66/0000_README @@ -182,7 +182,7 @@ Patch: 1065_linux-3.2.66.patch From: http://www.kernel.org Desc: Linux 3.2.66 -Patch: 4420_grsecurity-3.0-3.2.66-201501211939.patch +Patch: 4420_grsecurity-3.0-3.2.66-201501272306.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.66/4420_grsecurity-3.0-3.2.66-201501211939.patch b/3.2.66/4420_grsecurity-3.0-3.2.66-201501272306.patch index 89a8670..082c246 100644 --- a/3.2.66/4420_grsecurity-3.0-3.2.66-201501211939.patch +++ b/3.2.66/4420_grsecurity-3.0-3.2.66-201501272306.patch @@ -13556,7 +13556,7 @@ index b8a5fe5..fbbe2c2 100644 "4:\n" ".previous\n" diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h -index 41935fa..2be7ac3 100644 +index 41935fa..e0fb1f6 100644 --- a/arch/x86/include/asm/desc.h +++ b/arch/x86/include/asm/desc.h 
@@ -4,6 +4,7 @@ @@ -13650,7 +13650,7 @@ index 41935fa..2be7ac3 100644 } static inline void native_load_gdt(const struct desc_ptr *dtr) -@@ -244,8 +255,10 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu) +@@ -244,11 +255,14 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu) struct desc_struct *gdt = get_cpu_gdt_table(cpu); unsigned int i; @@ -13660,8 +13660,37 @@ index 41935fa..2be7ac3 100644 + pax_close_kernel(); } - #define _LDT_empty(info) \ -@@ -284,7 +297,7 @@ static inline void load_LDT(mm_context_t *pc) +-#define _LDT_empty(info) \ ++/* This intentionally ignores lm, since 32-bit apps don't have that field. */ ++#define LDT_empty(info) \ + ((info)->base_addr == 0 && \ + (info)->limit == 0 && \ + (info)->contents == 0 && \ +@@ -258,11 +272,18 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu) + (info)->seg_not_present == 1 && \ + (info)->useable == 0) + +-#ifdef CONFIG_X86_64 +-#define LDT_empty(info) (_LDT_empty(info) && ((info)->lm == 0)) +-#else +-#define LDT_empty(info) (_LDT_empty(info)) +-#endif ++/* Lots of programs expect an all-zero user_desc to mean "no segment at all". */ ++static inline bool LDT_zero(const struct user_desc *info) ++{ ++ return (info->base_addr == 0 && ++ info->limit == 0 && ++ info->contents == 0 && ++ info->read_exec_only == 0 && ++ info->seg_32bit == 0 && ++ info->limit_in_pages == 0 && ++ info->seg_not_present == 0 && ++ info->useable == 0); ++} + + static inline void clear_LDT(void) + { +@@ -284,7 +305,7 @@ static inline void load_LDT(mm_context_t *pc) preempt_enable(); } 
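Review bot: `LDT_empty` stays a multi-line macro that re-evaluates `info` for every field, while the new `LDT_zero` directly below it is a `static inline bool` taking `const struct user_desc *`; the two predicates test the same fields and should be written the same way. Turning `LDT_empty` into `static inline bool LDT_empty(const struct user_desc *info)` with the same field tests gives it type checking on `info` and lets both sit under one explanatory comment; the middle of the macro body falls in the neighbouring hunk, so the rewrite is described here rather than quoted. The `This intentionally ignores lm` comment should then also say that 64-bit callers previously got the `lm == 0` check through the removed `CONFIG_X86_64` branch, since that is the behavioural difference a reader will look for.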
@@ -13670,7 +13699,7 @@ index 41935fa..2be7ac3 100644 { return (unsigned)(desc->base0 | ((desc->base1) << 16) | ((desc->base2) << 24)); } -@@ -307,7 +320,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit) +@@ -307,7 +328,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit) desc->limit = (limit >> 16) & 0xf; } @@ -13679,7 +13708,7 @@ index 41935fa..2be7ac3 100644 unsigned dpl, unsigned ist, unsigned seg) { gate_desc s; -@@ -326,7 +339,7 @@ static inline void _set_gate(int gate, unsigned type, void *addr, +@@ -326,7 +347,7 @@ static inline void _set_gate(int gate, unsigned type, void *addr, * Pentium F0 0F bugfix can have resulted in the mapped * IDT being write-protected. */ @@ -13688,7 +13717,7 @@ index 41935fa..2be7ac3 100644 { BUG_ON((unsigned)n > 0xFF); _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS); -@@ -356,19 +369,19 @@ static inline void alloc_intr_gate(unsigned int n, void *addr) +@@ -356,19 +377,19 @@ static inline void alloc_intr_gate(unsigned int n, void *addr) /* * This routine sets up an interrupt gate at directory privilege level 3. */ @@ -13711,7 +13740,7 @@ index 41935fa..2be7ac3 100644 { BUG_ON((unsigned)n > 0xFF); _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS); -@@ -377,19 +390,31 @@ static inline void set_trap_gate(unsigned int n, void *addr) +@@ -377,19 +398,31 @@ static inline void set_trap_gate(unsigned int n, void *addr) static inline void set_task_gate(unsigned int n, unsigned int gdt_entry) { BUG_ON((unsigned)n > 0xFF); @@ -24361,10 +24390,40 @@ index dd5fbf4..b7f2232 100644 return pc; } diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c -index 7af7338..36ed955 100644 +index 7af7338..79ea0e3 100644 --- a/arch/x86/kernel/tls.c 
+++ b/arch/x86/kernel/tls.c -@@ -40,6 +40,22 @@ static bool tls_desc_okay(const struct user_desc *info) +@@ -30,7 +30,28 @@ static int get_free_idx(void) + + static bool tls_desc_okay(const struct user_desc *info) + { +- if (LDT_empty(info)) ++ /* ++ * For historical reasons (i.e. no one ever documented how any ++ * of the segmentation APIs work), user programs can and do ++ * assume that a struct user_desc that's all zeros except for ++ * entry_number means "no segment at all". This never actually ++ * worked. In fact, up to Linux 3.19, a struct user_desc like ++ * this would create a 16-bit read-write segment with base and ++ * limit both equal to zero. ++ * ++ * That was close enough to "no segment at all" until we ++ * hardened this function to disallow 16-bit TLS segments. Fix ++ * it up by interpreting these zeroed segments the way that they ++ * were almost certainly intended to be interpreted. ++ * ++ * The correct way to ask for "no segment at all" is to specify ++ * a user_desc that satisfies LDT_empty. To keep everything ++ * working, we accept both. ++ * ++ * Note that there's a similar kludge in modify_ldt -- look at ++ * the distinction between modes 1 and 0x11. ++ */ ++ if (LDT_empty(info) || LDT_zero(info)) + return true; + + /* +@@ -40,6 +61,22 @@ static bool tls_desc_okay(const struct user_desc *info) if (!info->seg_32bit) return false; @@ -24387,7 +24446,16 @@ index 7af7338..36ed955 100644 return true; } -@@ -103,6 +119,11 @@ int do_set_thread_area(struct task_struct *p, int idx, +@@ -56,7 +93,7 @@ static void set_tls_desc(struct task_struct *p, int idx, + cpu = get_cpu(); + + while (n-- > 0) { +- if (LDT_empty(info)) ++ if (LDT_empty(info) || LDT_zero(info)) + desc->a = desc->b = 0; + else + fill_ldt(desc, info); +@@ -103,6 +140,11 @@ int do_set_thread_area(struct task_struct *p, int idx, if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) return -EINVAL; 
@@ -24399,7 +24467,7 @@ index 7af7338..36ed955 100644 set_tls_desc(p, idx, &info, 1); return 0; -@@ -224,7 +245,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, +@@ -224,7 +266,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, if (kbuf) info = kbuf; @@ -25116,7 +25184,7 @@ index 7110911..069da9c 100644 /* * Encountered an error while doing the restore from the diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index f0ac042..ea3fe9c 100644 +index f0ac042..39c366e 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -249,6 +249,7 @@ struct gprefix { 
@@ -25154,7 +25222,49 @@ index f0ac042..ea3fe9c 100644 } while (0) /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */ -@@ -3003,7 +3000,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) +@@ -2077,23 +2074,13 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt) + setup_syscalls_segments(ctxt, &cs, &ss); + + ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data); +- switch (ctxt->mode) { +- case X86EMUL_MODE_PROT32: +- if ((msr_data & 0xfffc) == 0x0) +- return emulate_gp(ctxt, 0); +- break; +- case X86EMUL_MODE_PROT64: +- if (msr_data == 0x0) +- return emulate_gp(ctxt, 0); +- break; +- } ++ if ((msr_data & 0xfffc) == 0x0) ++ return emulate_gp(ctxt, 0); + + ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF); +- cs_sel = (u16)msr_data; +- cs_sel &= ~SELECTOR_RPL_MASK; ++ cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK; + ss_sel = cs_sel + 8; +- ss_sel &= ~SELECTOR_RPL_MASK; +- if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) { ++ if (efer & EFER_LMA) { + cs.d = 0; + cs.l = 1; + } +@@ -2102,10 +2089,11 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt) + ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS); + + ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data); +- ctxt->_eip = msr_data; ++ ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data; + + ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data); +- ctxt->regs[VCPU_REGS_RSP] = msr_data; ++ ctxt->regs[VCPU_REGS_RSP] = (efer & EFER_LMA) ? msr_data : ++ (u32)msr_data; + + return X86EMUL_CONTINUE; + } +@@ -3003,7 +2991,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) int cr = ctxt->modrm_reg; u64 efer = 0; 
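Review bot: The hunk keeps `ss_sel = cs_sel + 8;` but drops the `ss_sel &= ~SELECTOR_RPL_MASK;` that followed it; that is sound only because `cs_sel` is already masked and adding 8 cannot set bits 0-1, and a reader checking against the SDM will look for the missing mask. Suggest `/* cs_sel already has RPL cleared and +8 leaves bits 0-1 untouched, so ss_sel needs no mask */` on that line. The collapse of the per-mode `switch` into a single `(msr_data & 0xfffc) == 0` test and the `(u32)` truncation of `_eip`/`RSP` when `EFER_LMA` is clear are likewise deliberate and deserve a one-line pointer to the SYSENTER pseudo-code they follow. `em_sysenter` begins before the hunk; its `X86EMUL_CONTINUE` return is the last line shown.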
@@ -25163,7 +25273,7 @@ index f0ac042..ea3fe9c 100644 0xffffffff00000000ULL, 0, 0, 0, /* CR3 checked later */ CR4_RESERVED_BITS, -@@ -3038,7 +3035,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) +@@ -3038,7 +3026,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) ctxt->ops->get_msr(ctxt, MSR_EFER, &efer); if (efer & EFER_LMA) @@ -68808,10 +68918,10 @@ index 0000000..30ababb +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..0069a59 +index 0000000..99cbce0 --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,2827 @@ +@@ -0,0 +1,2845 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -69970,9 +70080,10 @@ index 0000000..0069a59 + rcu_read_lock(); + read_lock(&tasklist_lock); + read_lock(&grsec_exec_file_lock); ++ except in the case of gr_set_role_label() (for __gr_get_subject_for_task) +*/ + -+struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename) ++struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback) +{ + char *tmpname; + struct acl_subject_label *tmpsubj; 
@@ -70014,15 +70125,15 @@ index 0000000..0069a59 + /* this also works for the reload case -- if we don't match a potentially inherited subject + then we fall back to a normal lookup based on the binary's ino/dev + */ -+ if (tmpsubj == NULL) ++ if (tmpsubj == NULL && fallback) + tmpsubj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, task->role); + + return tmpsubj; +} + -+static struct acl_subject_label *gr_get_subject_for_task(struct task_struct *task, const char *filename) ++static struct acl_subject_label *gr_get_subject_for_task(struct task_struct *task, const char *filename, int fallback) +{ -+ return __gr_get_subject_for_task(&running_polstate, task, filename); ++ return __gr_get_subject_for_task(&running_polstate, task, filename, fallback); +} + +void __gr_apply_subject_to_task(const struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj) @@ -70086,7 +70197,7 @@ index 0000000..0069a59 + task->role = current->role; + rcu_read_lock(); + read_lock(&grsec_exec_file_lock); -+ subj = gr_get_subject_for_task(task, NULL); ++ subj = gr_get_subject_for_task(task, NULL, 1); + gr_apply_subject_to_task(task, subj); + read_unlock(&grsec_exec_file_lock); + rcu_read_unlock(); @@ -70466,6 +70577,7 @@ index 0000000..0069a59 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid) +{ + struct acl_role_label *role = task->role; ++ struct acl_role_label *origrole = role; + struct acl_subject_label *subj = NULL; + struct acl_object_label *obj; + struct file *filp; 
@@ -70493,10 +70605,28 @@ index 0000000..0069a59 + ((role->roletype & GR_ROLE_GROUP) && !gr_acl_is_capable(CAP_SETGID)))) + return; + -+ /* perform subject lookup in possibly new role -+ we can use this result below in the case where role == task->role -+ */ -+ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role); ++ task->role = role; ++ ++ if (task->inherited) { ++ /* if we reached our subject through inheritance, then first see ++ if there's a subject of the same name in the new role that has ++ an object that would result in the same inherited subject ++ */ ++ subj = gr_get_subject_for_task(task, task->acl->filename, 0); ++ if (subj) { ++ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, subj); ++ if (!(obj->mode & GR_INHERIT)) ++ subj = NULL; ++ } ++ ++ } ++ if (subj == NULL) { ++ /* otherwise: ++ perform subject lookup in possibly new role ++ we can use this result below in the case where role == task->role ++ */ ++ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role); ++ } + + /* if we changed uid/gid, but result in the same role + and are using inheritance, don't lose the inherited subject @@ -70504,14 +70634,12 @@ index 0000000..0069a59 + would result in, we arrived via inheritance, don't + lose subject + */ -+ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) && ++ if (role != origrole || (!(task->acl->mode & GR_INHERITLEARN) && + (subj == task->acl))) + task->acl = subj; + + /* leave task->inherited unaffected */ + -+ task->role = role; -+ + task->is_writable = 0; + + /* ignore additional mmap checks for processes that are writable @@ -73202,7 +73330,7 @@ index 0000000..25f54ef +}; diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c new file mode 100644 -index 0000000..3768798 +index 0000000..94ef7e60 --- /dev/null +++ b/grsecurity/gracl_policy.c @@ -0,0 +1,1781 @@ 
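Review bot: `task->role = role;` is now written before the subject lookup in `gr_set_role_label`, which is required because `__gr_get_subject_for_task` resolves subjects with `chk_subj_label(..., task->role)`, yet nothing marks that ordering and the later `role != origrole` comparison only makes sense once the reader knows why the original value was saved. Suggest `/* switch role first: gr_get_subject_for_task() looks subjects up via task->role; origrole keeps the old value for the comparison below */` above the assignment. The `obj->mode & GR_INHERIT` test dereferences the result of `chk_obj_label()` without a NULL check; if that helper can return NULL (its body is not visible here) the inherited-subject path needs a guard. The rest of `gr_set_role_label` lies in the neighbouring hunks.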
@@ -73275,7 +73403,7 @@ index 0000000..3768798 +extern void gr_remove_uid(uid_t uid); +extern int gr_find_uid(uid_t uid); + -+extern struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename); ++extern struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback); +extern void __gr_apply_subject_to_task(struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj); +extern int gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb); +extern void __insert_inodev_entry(const struct gr_policy_state *state, struct inodev_entry *entry); @@ -74380,8 +74508,8 @@ index 0000000..3768798 + } + /* this handles non-nested inherited subjects, nested subjects will still + be dropped currently */ -+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename); -+ task->tmpacl = __gr_get_subject_for_task(polstate, task, NULL); ++ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1); ++ task->tmpacl = __gr_get_subject_for_task(polstate, task, NULL, 1); + /* change the role back so that we've made no modifications to the policy */ + task->role = rtmp; + @@ -74413,7 +74541,7 @@ index 0000000..3768798 + /* this handles non-nested inherited subjects, nested subjects will still + be dropped currently */ + if (!reload_state->oldmode && task->inherited) -+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename); ++ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1); + else { + /* looked up and tagged to the task previously */ + subj = task->tmpacl; 
@@ -74962,7 +75090,7 @@ index 0000000..3768798 + if (task->exec_file) { + cred = __task_cred(task); + task->role = __lookup_acl_role_label(polstate, task, cred->uid, cred->gid); -+ subj = __gr_get_subject_for_task(polstate, task, NULL); ++ subj = __gr_get_subject_for_task(polstate, task, NULL, 1); + if (subj == NULL) { + ret = -EINVAL; + read_unlock(&grsec_exec_file_lock); @@ -104598,10 +104726,23 @@ index a639967..8f44480 100644 pr_err("Unable to proc dir entry\n"); ret = -ENOMEM; diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index d495d4b..c95851f 100644 +index d495d4b..db46e69 100644 --- a/net/ipv4/ping.c +++ b/net/ipv4/ping.c -@@ -842,7 +842,7 @@ static void ping_format_sock(struct sock *sp, struct seq_file *f, +@@ -716,8 +716,11 @@ void ping_rcv(struct sk_buff *skb) + sk = ping_v4_lookup(net, saddr, daddr, ntohs(icmph->un.echo.id), + skb->dev->ifindex); + if (sk != NULL) { ++ struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC); ++ + pr_debug("rcv on socket %p\n", sk); +- ping_queue_rcv_skb(sk, skb_get(skb)); ++ if (skb2) ++ ping_queue_rcv_skb(sk, skb2); + sock_put(sk); + return; + } +@@ -842,7 +845,7 @@ static void ping_format_sock(struct sock *sp, struct seq_file *f, sk_rmem_alloc_get(sp), 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp), atomic_read(&sp->sk_refcnt), sp, @@ -108256,6 +108397,18 @@ index 7635107..4670276 100644 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial)); ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len); +diff --git a/net/sctp/associola.c b/net/sctp/associola.c +index 5b2d8e6..d014b05 100644 +--- a/net/sctp/associola.c ++++ b/net/sctp/associola.c +@@ -1272,7 +1272,6 @@ void sctp_assoc_update(struct sctp_association *asoc, + asoc->peer.peer_hmacs = new->peer.peer_hmacs; + new->peer.peer_hmacs = NULL; + +- sctp_auth_key_put(asoc->asoc_shared_key); + sctp_auth_asoc_init_active_key(asoc, GFP_ATOMIC); + } + diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c index 0b6a391..febcef2 100644 --- a/net/sctp/ipv6.c |