1 |
commit: 98f0944d5d4dcb71e3c77924f54f81cd836c04b4 |
2 |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
3 |
AuthorDate: Thu May 30 11:43:36 2013 +0000 |
4 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
5 |
CommitDate: Thu May 30 11:43:36 2013 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=98f0944d |
7 |
|
8 |
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.45,3.9.4}-201305292151 |
9 |
|
10 |
--- |
11 |
2.6.32/0000_README | 2 +- |
12 |
..._grsecurity-2.9.1-2.6.32.60-201305292148.patch} | 141 +++- |
13 |
3.2.45/0000_README | 2 +- |
14 |
...420_grsecurity-2.9.1-3.2.45-201305292150.patch} | 426 +++++++++--- |
15 |
3.9.4/0000_README | 2 +- |
16 |
...4420_grsecurity-2.9.1-3.9.4-201305292151.patch} | 751 +++++++++++++++++++-- |
17 |
6 files changed, 1141 insertions(+), 183 deletions(-) |
18 |
|
19 |
diff --git a/2.6.32/0000_README b/2.6.32/0000_README |
20 |
index 5ca0857..378709b 100644 |
21 |
--- a/2.6.32/0000_README |
22 |
+++ b/2.6.32/0000_README |
23 |
@@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch |
24 |
From: http://www.kernel.org |
25 |
Desc: Linux 2.6.32.59 |
26 |
|
27 |
-Patch: 4420_grsecurity-2.9.1-2.6.32.60-201305251007.patch |
28 |
+Patch: 4420_grsecurity-2.9.1-2.6.32.60-201305292148.patch |
29 |
From: http://www.grsecurity.net |
30 |
Desc: hardened-sources base patch from upstream grsecurity |
31 |
|
32 |
|
33 |
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305251007.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305292148.patch |
34 |
similarity index 99% |
35 |
rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305251007.patch |
36 |
rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305292148.patch |
37 |
index f7ef7a8..a6ebcd3 100644 |
38 |
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305251007.patch |
39 |
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305292148.patch |
40 |
@@ -43345,7 +43345,7 @@ index 62f282e..e45c45c 100644 |
41 |
cdev_init(&ptmx_cdev, &ptmx_fops); |
42 |
if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) || |
43 |
diff --git a/drivers/char/random.c b/drivers/char/random.c |
44 |
-index 446b20a..710568a 100644 |
45 |
+index 446b20a..1193fa7 100644 |
46 |
--- a/drivers/char/random.c |
47 |
+++ b/drivers/char/random.c |
48 |
@@ -269,8 +269,13 @@ |
49 |
@@ -43399,36 +43399,94 @@ index 446b20a..710568a 100644 |
50 |
smp_wmb(); |
51 |
|
52 |
if (out) |
53 |
-@@ -942,6 +955,10 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, |
54 |
+@@ -840,6 +853,7 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min, |
55 |
+ int reserved) |
56 |
+ { |
57 |
+ unsigned long flags; |
58 |
++ int wakeup_write = 0; |
59 |
+ |
60 |
+ /* Hold lock while accounting */ |
61 |
+ spin_lock_irqsave(&r->lock, flags); |
62 |
+@@ -852,19 +866,25 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min, |
63 |
+ if (r->entropy_count / 8 < min + reserved) { |
64 |
+ nbytes = 0; |
65 |
+ } else { |
66 |
++ int entropy_count, orig; |
67 |
++retry: |
68 |
++ entropy_count = orig = ACCESS_ONCE(r->entropy_count); |
69 |
+ /* If limited, never pull more than available */ |
70 |
+- if (r->limit && nbytes + reserved >= r->entropy_count / 8) |
71 |
+- nbytes = r->entropy_count/8 - reserved; |
72 |
++ if (r->limit && nbytes + reserved >= entropy_count / 8) |
73 |
++ nbytes = entropy_count/8 - reserved; |
74 |
+ |
75 |
+- if (r->entropy_count / 8 >= nbytes + reserved) |
76 |
+- r->entropy_count -= nbytes*8; |
77 |
+- else |
78 |
+- r->entropy_count = reserved; |
79 |
+- |
80 |
+- if (r->entropy_count < random_write_wakeup_thresh) { |
81 |
+- wake_up_interruptible(&random_write_wait); |
82 |
+- kill_fasync(&fasync, SIGIO, POLL_OUT); |
83 |
++ if (entropy_count / 8 >= nbytes + reserved) { |
84 |
++ entropy_count -= nbytes*8; |
85 |
++ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) |
86 |
++ goto retry; |
87 |
++ } else { |
88 |
++ entropy_count = reserved; |
89 |
++ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) |
90 |
++ goto retry; |
91 |
+ } |
92 |
++ |
93 |
++ if (entropy_count < random_write_wakeup_thresh) |
94 |
++ wakeup_write = 1; |
95 |
+ } |
96 |
+ |
97 |
+ DEBUG_ENT("debiting %d entropy credits from %s%s\n", |
98 |
+@@ -872,6 +892,11 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min, |
99 |
+ |
100 |
+ spin_unlock_irqrestore(&r->lock, flags); |
101 |
+ |
102 |
++ if (wakeup_write) { |
103 |
++ wake_up_interruptible(&random_write_wait); |
104 |
++ kill_fasync(&fasync, SIGIO, POLL_OUT); |
105 |
++ } |
106 |
++ |
107 |
+ return nbytes; |
108 |
+ } |
109 |
+ |
110 |
+@@ -941,6 +966,21 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, |
111 |
+ { |
112 |
ssize_t ret = 0, i; |
113 |
__u8 tmp[EXTRACT_SIZE]; |
114 |
- |
115 |
-+ /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */ |
116 |
-+ if (fips_enabled && !r->last_data_init) |
117 |
-+ nbytes += EXTRACT_SIZE; |
118 |
++ unsigned long flags; |
119 |
+ |
120 |
++ /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */ |
121 |
++ if (fips_enabled) { |
122 |
++ spin_lock_irqsave(&r->lock, flags); |
123 |
++ if (!r->last_data_init) { |
124 |
++ r->last_data_init = true; |
125 |
++ spin_unlock_irqrestore(&r->lock, flags); |
126 |
++ xfer_secondary_pool(r, EXTRACT_SIZE); |
127 |
++ extract_buf(r, tmp); |
128 |
++ spin_lock_irqsave(&r->lock, flags); |
129 |
++ memcpy(r->last_data, tmp, EXTRACT_SIZE); |
130 |
++ } |
131 |
++ spin_unlock_irqrestore(&r->lock, flags); |
132 |
++ } |
133 |
+ |
134 |
xfer_secondary_pool(r, nbytes); |
135 |
nbytes = account(r, nbytes, min, reserved); |
136 |
+@@ -949,8 +989,6 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, |
137 |
+ extract_buf(r, tmp); |
138 |
|
139 |
-@@ -951,6 +968,17 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, |
140 |
if (fips_enabled) { |
141 |
- unsigned long flags; |
142 |
- |
143 |
-+ |
144 |
-+ /* prime last_data value if need be, per fips 140-2 */ |
145 |
-+ if (!r->last_data_init) { |
146 |
-+ spin_lock_irqsave(&r->lock, flags); |
147 |
-+ memcpy(r->last_data, tmp, EXTRACT_SIZE); |
148 |
-+ r->last_data_init = true; |
149 |
-+ nbytes -= EXTRACT_SIZE; |
150 |
-+ spin_unlock_irqrestore(&r->lock, flags); |
151 |
-+ extract_buf(r, tmp); |
152 |
-+ } |
153 |
-+ |
154 |
+- unsigned long flags; |
155 |
+- |
156 |
spin_lock_irqsave(&r->lock, flags); |
157 |
if (!memcmp(tmp, r->last_data, EXTRACT_SIZE)) |
158 |
panic("Hardware RNG duplicated output!\n"); |
159 |
-@@ -1015,7 +1043,21 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, |
160 |
+@@ -1015,7 +1053,21 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, |
161 |
*/ |
162 |
void get_random_bytes(void *buf, int nbytes) |
163 |
{ |
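Review bot: In account(), the `min + reserved` guard still reads `r->entropy_count` directly, while everything after `retry:` works from the `ACCESS_ONCE` snapshot, so the guard and the debit can see different values. The cmpxchg loop implies the count can change while `r->lock` is held; if any such writer can lower it (not visible in this hunk), a snapshot below `reserved * 8` makes `nbytes = entropy_count/8 - reserved` negative before it lands in the `size_t` that is returned. Taking the snapshot ahead of the guard and testing `if (entropy_count / 8 < min + reserved)` on it would give each attempt one consistent view. A retry also reuses an `nbytes` already clamped by the previous pass, which is conservative but deserves a comment. The same code is added in the 3.2.45 copy of random.c later in this commit, and account() begins and ends outside the inner hunks shown.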
164 |
@@ -43451,7 +43509,7 @@ index 446b20a..710568a 100644 |
165 |
} |
166 |
EXPORT_SYMBOL(get_random_bytes); |
167 |
|
168 |
-@@ -1068,6 +1110,7 @@ static void init_std_data(struct entropy_store *r) |
169 |
+@@ -1068,6 +1120,7 @@ static void init_std_data(struct entropy_store *r) |
170 |
|
171 |
r->entropy_count = 0; |
172 |
r->entropy_total = 0; |
173 |
@@ -43459,7 +43517,7 @@ index 446b20a..710568a 100644 |
174 |
mix_pool_bytes(r, &now, sizeof(now), NULL); |
175 |
for (i = r->poolinfo->POOLBYTES; i > 0; i -= sizeof(rv)) { |
176 |
if (!arch_get_random_long(&rv)) |
177 |
-@@ -1322,7 +1365,7 @@ EXPORT_SYMBOL(generate_random_uuid); |
178 |
+@@ -1322,7 +1375,7 @@ EXPORT_SYMBOL(generate_random_uuid); |
179 |
#include <linux/sysctl.h> |
180 |
|
181 |
static int min_read_thresh = 8, min_write_thresh; |
182 |
@@ -43468,7 +43526,7 @@ index 446b20a..710568a 100644 |
183 |
static int max_write_thresh = INPUT_POOL_WORDS * 32; |
184 |
static char sysctl_bootid[16]; |
185 |
|
186 |
-@@ -1397,6 +1440,7 @@ static int uuid_strategy(ctl_table *table, |
187 |
+@@ -1397,6 +1450,7 @@ static int uuid_strategy(ctl_table *table, |
188 |
} |
189 |
|
190 |
static int sysctl_poolsize = INPUT_POOL_WORDS * 32; |
191 |
@@ -43476,7 +43534,7 @@ index 446b20a..710568a 100644 |
192 |
ctl_table random_table[] = { |
193 |
{ |
194 |
.ctl_name = RANDOM_POOLSIZE, |
195 |
-@@ -1472,7 +1516,7 @@ late_initcall(random_int_secret_init); |
196 |
+@@ -1472,7 +1526,7 @@ late_initcall(random_int_secret_init); |
197 |
* value is not cryptographically secure but for several uses the cost of |
198 |
* depleting entropy is too high |
199 |
*/ |
200 |
@@ -71823,7 +71881,7 @@ index 913b4a4..4de325a9 100644 |
201 |
crtc.h_tot_disp = aty_ld_le32(CRTC_H_TOTAL_DISP, par); |
202 |
crtc.h_sync_strt_wid = aty_ld_le32(CRTC_H_SYNC_STRT_WID, par); |
203 |
diff --git a/drivers/video/aty/radeon_backlight.c b/drivers/video/aty/radeon_backlight.c |
204 |
-index 1a056ad..221bd6a 100644 |
205 |
+index 1a056ad..221bd6ae 100644 |
206 |
--- a/drivers/video/aty/radeon_backlight.c |
207 |
+++ b/drivers/video/aty/radeon_backlight.c |
208 |
@@ -127,7 +127,7 @@ static int radeon_bl_get_brightness(struct backlight_device *bd) |
209 |
@@ -79170,7 +79228,7 @@ index f1e7077..edd86b2 100644 |
210 |
.store = ext4_attr_store, |
211 |
}; |
212 |
diff --git a/fs/fat/inode.c b/fs/fat/inode.c |
213 |
-index 76b7961..c187e92 100644 |
214 |
+index 76b7961..ca5f1c9 100644 |
215 |
--- a/fs/fat/inode.c |
216 |
+++ b/fs/fat/inode.c |
217 |
@@ -558,7 +558,7 @@ static int fat_statfs(struct dentry *dentry, struct kstatfs *buf) |
218 |
@@ -79182,6 +79240,35 @@ index 76b7961..c187e92 100644 |
219 |
|
220 |
return 0; |
221 |
} |
222 |
+@@ -1206,6 +1206,19 @@ static int fat_read_root(struct inode *inode) |
223 |
+ return 0; |
224 |
+ } |
225 |
+ |
226 |
++static unsigned long calc_fat_clusters(struct super_block *sb) |
227 |
++{ |
228 |
++ struct msdos_sb_info *sbi = MSDOS_SB(sb); |
229 |
++ |
230 |
++ /* Divide first to avoid overflow */ |
231 |
++ if (sbi->fat_bits != 12) { |
232 |
++ unsigned long ent_per_sec = sb->s_blocksize * 8 / sbi->fat_bits; |
233 |
++ return ent_per_sec * sbi->fat_length; |
234 |
++ } |
235 |
++ |
236 |
++ return sbi->fat_length * sb->s_blocksize * 8 / sbi->fat_bits; |
237 |
++} |
238 |
++ |
239 |
+ /* |
240 |
+ * Read the super block of an MS-DOS FS. |
241 |
+ */ |
242 |
+@@ -1400,7 +1413,7 @@ int fat_fill_super(struct super_block *sb, void *data, int silent, |
243 |
+ sbi->fat_bits = (total_clusters > MAX_FAT12) ? 16 : 12; |
244 |
+ |
245 |
+ /* check that FAT table does not overflow */ |
246 |
+- fat_clusters = sbi->fat_length * sb->s_blocksize * 8 / sbi->fat_bits; |
247 |
++ fat_clusters = calc_fat_clusters(sb); |
248 |
+ total_clusters = min(total_clusters, fat_clusters - FAT_START_ENT); |
249 |
+ if (total_clusters > MAX_FAT(sb)) { |
250 |
+ if (!silent) |
251 |
diff --git a/fs/fat/namei_vfat.c b/fs/fat/namei_vfat.c |
252 |
index 72646e2..4251f35 100644 |
253 |
--- a/fs/fat/namei_vfat.c |
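Review bot: The comment `/* Divide first to avoid overflow */` in calc_fat_clusters() describes only the non-FAT12 branch; the FAT12 return still multiplies `sbi->fat_length * sb->s_blocksize * 8` before dividing. That is presumably deliberate because 12 does not divide the bits-per-sector count evenly, but it is safe only if `fat_length` is bounded for FAT12 volumes, which this hunk does not show. Both operands presumably derive from the boot sector of the image being mounted, and `ent_per_sec * sbi->fat_length` is `unsigned long` arithmetic, so a 32-bit build may still wrap on a large `fat_length`; the caller's `fat_clusters - FAT_START_ENT` also wraps if the helper returns less than `FAT_START_ENT`. A per-branch comment stating the assumed bound, e.g. `/* FAT12: entries are 1.5 bytes, so multiply first; assumes fat_length is bounded - confirm */`, would make the invariant reviewable. fat_fill_super() continues outside the hunk.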
254 |
|
255 |
diff --git a/3.2.45/0000_README b/3.2.45/0000_README |
256 |
index ba3ec05..577c9db 100644 |
257 |
--- a/3.2.45/0000_README |
258 |
+++ b/3.2.45/0000_README |
259 |
@@ -98,7 +98,7 @@ Patch: 1044_linux-3.2.45.patch |
260 |
From: http://www.kernel.org |
261 |
Desc: Linux 3.2.45 |
262 |
|
263 |
-Patch: 4420_grsecurity-2.9.1-3.2.45-201305251007.patch |
264 |
+Patch: 4420_grsecurity-2.9.1-3.2.45-201305292150.patch |
265 |
From: http://www.grsecurity.net |
266 |
Desc: hardened-sources base patch from upstream grsecurity |
267 |
|
268 |
|
269 |
diff --git a/3.2.45/4420_grsecurity-2.9.1-3.2.45-201305251007.patch b/3.2.45/4420_grsecurity-2.9.1-3.2.45-201305292150.patch |
270 |
similarity index 99% |
271 |
rename from 3.2.45/4420_grsecurity-2.9.1-3.2.45-201305251007.patch |
272 |
rename to 3.2.45/4420_grsecurity-2.9.1-3.2.45-201305292150.patch |
273 |
index bc81306..52e473e 100644 |
274 |
--- a/3.2.45/4420_grsecurity-2.9.1-3.2.45-201305251007.patch |
275 |
+++ b/3.2.45/4420_grsecurity-2.9.1-3.2.45-201305292150.patch |
276 |
@@ -1858,6 +1858,28 @@ index 7ac5dfd..0ce09c2 100644 |
277 |
if (ret != NOTIFY_STOP) |
278 |
do_exit(SIGSEGV); |
279 |
} |
280 |
+diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S |
281 |
+index 20b3041..da44b1f 100644 |
282 |
+--- a/arch/arm/kernel/vmlinux.lds.S |
283 |
++++ b/arch/arm/kernel/vmlinux.lds.S |
284 |
+@@ -103,6 +103,8 @@ SECTIONS |
285 |
+ ARM_CPU_KEEP(PROC_INFO) |
286 |
+ } |
287 |
+ |
288 |
++ _etext = .; /* End of text section */ |
289 |
++ |
290 |
+ RO_DATA(PAGE_SIZE) |
291 |
+ |
292 |
+ #ifdef CONFIG_ARM_UNWIND |
293 |
+@@ -122,8 +124,6 @@ SECTIONS |
294 |
+ } |
295 |
+ #endif |
296 |
+ |
297 |
+- _etext = .; /* End of text and rodata section */ |
298 |
+- |
299 |
+ #ifndef CONFIG_XIP_KERNEL |
300 |
+ . = ALIGN(PAGE_SIZE); |
301 |
+ __init_begin = .; |
302 |
diff --git a/arch/arm/lib/copy_from_user.S b/arch/arm/lib/copy_from_user.S |
303 |
index 66a477a..bee61d3 100644 |
304 |
--- a/arch/arm/lib/copy_from_user.S |
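Review bot: Moving `_etext` above `RO_DATA(PAGE_SIZE)` changes what the symbol means for every ARM consumer: read-only data and, under `CONFIG_ARM_UNWIND`, the unwind tables now lie outside the range it closes. The hunk shows no alignment directive between the new `_etext` and `RO_DATA`, so any range check or permission setup that treats `_etext` as page-aligned, or as the end of all read-only kernel memory, should be confirmed against the new layout. The updated comment could record the intent more fully, e.g. `/* End of text section; rodata and unwind tables follow and are not covered */`. The SECTIONS block starts and ends outside the hunk.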
305 |
@@ -2210,7 +2232,7 @@ index c3a58a1..78fbf54 100644 |
306 |
/* |
307 |
* Memory returned by kmalloc() may be used for DMA, so we must make |
308 |
diff --git a/arch/avr32/include/asm/elf.h b/arch/avr32/include/asm/elf.h |
309 |
-index 3b3159b..425ea94 100644 |
310 |
+index 3b3159b..425ea94d 100644 |
311 |
--- a/arch/avr32/include/asm/elf.h |
312 |
+++ b/arch/avr32/include/asm/elf.h |
313 |
@@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpregset_t; |
314 |
@@ -28041,7 +28063,7 @@ index 6687022..ceabcfa 100644 |
315 |
+ pax_force_retaddr |
316 |
ret |
317 |
diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c |
318 |
-index 5a5b6e4..2265c0f 100644 |
319 |
+index 5a5b6e4..37ccbe3 100644 |
320 |
--- a/arch/x86/net/bpf_jit_comp.c |
321 |
+++ b/arch/x86/net/bpf_jit_comp.c |
322 |
@@ -11,6 +11,7 @@ |
323 |
@@ -28052,7 +28074,7 @@ index 5a5b6e4..2265c0f 100644 |
324 |
|
325 |
/* |
326 |
* Conventions : |
327 |
-@@ -45,13 +46,87 @@ static inline u8 *emit_code(u8 *ptr, u32 bytes, unsigned int len) |
328 |
+@@ -45,13 +46,84 @@ static inline u8 *emit_code(u8 *ptr, u32 bytes, unsigned int len) |
329 |
return ptr + len; |
330 |
} |
331 |
|
332 |
@@ -28104,6 +28126,10 @@ index 5a5b6e4..2265c0f 100644 |
333 |
+ /* mov esi, ecx */ \ |
334 |
+ EMIT2(0x89, 0xce); \ |
335 |
+ break; \ |
336 |
++ case 0xe8: /* call rel imm32, always to known funcs */ \ |
337 |
++ EMIT1(b1); \ |
338 |
++ EMIT(_off, 4); \ |
339 |
++ break; \ |
340 |
+ case 0xe9: /* jmp rel imm32 */ \ |
341 |
+ EMIT1(b1); \ |
342 |
+ EMIT(_off, 4); \ |
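Review bot: The new `case 0xe8` arm of `EMIT1_off32` emits `_off` verbatim, so its safety rests entirely on the comment's claim that the displacement is always to known functions; nothing in the macro enforces it. The arms above it route their immediates through a randomised sequence, which suggests the macro exists to keep filter-supplied constants out of the emitted code, so a future call site passing a filter-derived value with opcode 0xe8 would bypass that silently. Spelling out the invariant would help, e.g. `/* call rel32: displacement is computed by the JIT from a kernel symbol, never from filter-supplied K */`. The macro body starts outside the hunk.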
343 |
@@ -28112,25 +28138,18 @@ index 5a5b6e4..2265c0f 100644 |
344 |
+ EMIT(0xcccccccc, 4); \ |
345 |
+ break; \ |
346 |
+ default: \ |
347 |
-+ EMIT1(b1); \ |
348 |
-+ EMIT(_off, 4); \ |
349 |
++ BUILD_BUG_ON(1); \ |
350 |
+ } \ |
351 |
+} while (0) |
352 |
+ |
353 |
+#define EMIT2_off32(b1, b2, _off) \ |
354 |
+do { \ |
355 |
-+ if ((b1) == 0x8d && (b2) == 0xb3) { /* lea esi, [rbx+imm32] */ \ |
356 |
-+ EMIT2(0x8d, 0xb3); /* lea esi, [rbx+randkey] */ \ |
357 |
-+ EMIT(randkey, 4); \ |
358 |
-+ EMIT2(0x8d, 0xb6); /* lea esi, [esi+off-randkey] */ \ |
359 |
-+ EMIT((_off) - randkey, 4); \ |
360 |
-+ } else if ((b1) == 0x69 && (b2) == 0xc0) { /* imul eax, imm32 */\ |
361 |
++ if ((b1) == 0x69 && (b2) == 0xc0) { /* imul eax, imm32 */ \ |
362 |
+ DILUTE_CONST_SEQUENCE(_off, randkey); \ |
363 |
+ /* imul eax, ecx */ \ |
364 |
+ EMIT3(0x0f, 0xaf, 0xc1); \ |
365 |
+ } else { \ |
366 |
-+ EMIT2(b1, b2); \ |
367 |
-+ EMIT(_off, 4); \ |
368 |
++ BUILD_BUG_ON(1); \ |
369 |
+ } \ |
370 |
+} while (0) |
371 |
+#else |
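Review bot: The new `BUILD_BUG_ON(1)` arms in `EMIT1_off32` and `EMIT2_off32` only work if the assertion fires solely when the compiler cannot discard the arm for a given call site; how `BUILD_BUG_ON` is defined in this tree is not visible here and should be confirmed, including for unoptimised builds. With the `lea esi, [rbx+imm32]` arm removed, any remaining `EMIT2_off32(0x8d, 0xb3, ...)` user becomes a build failure, and the matching call-site change is outside this hunk. Failing closed is the right direction here, since an unlisted opcode can no longer emit a raw immediate. A comment above each macro listing the accepted opcodes, e.g. `/* accepts only 0x69 0xc0 (imul eax, imm32); anything else must fail the build */`, would tell the next caller why.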
372 |
@@ -28140,7 +28159,7 @@ index 5a5b6e4..2265c0f 100644 |
373 |
|
374 |
#define CLEAR_A() EMIT2(0x31, 0xc0) /* xor %eax,%eax */ |
375 |
#define CLEAR_X() EMIT2(0x31, 0xdb) /* xor %ebx,%ebx */ |
376 |
-@@ -86,6 +161,24 @@ do { \ |
377 |
+@@ -86,6 +158,24 @@ do { \ |
378 |
#define X86_JBE 0x76 |
379 |
#define X86_JA 0x77 |
380 |
|
381 |
@@ -28165,7 +28184,7 @@ index 5a5b6e4..2265c0f 100644 |
382 |
#define EMIT_COND_JMP(op, offset) \ |
383 |
do { \ |
384 |
if (is_near(offset)) \ |
385 |
-@@ -93,6 +186,7 @@ do { \ |
386 |
+@@ -93,6 +183,7 @@ do { \ |
387 |
else { \ |
388 |
EMIT2(0x0f, op + 0x10); \ |
389 |
EMIT(offset, 4); /* jxx .+off32 */ \ |
390 |
@@ -28173,7 +28192,7 @@ index 5a5b6e4..2265c0f 100644 |
391 |
} \ |
392 |
} while (0) |
393 |
|
394 |
-@@ -117,10 +211,14 @@ static inline void bpf_flush_icache(void *start, void *end) |
395 |
+@@ -117,10 +208,14 @@ static inline void bpf_flush_icache(void *start, void *end) |
396 |
set_fs(old_fs); |
397 |
} |
398 |
|
399 |
@@ -28189,7 +28208,7 @@ index 5a5b6e4..2265c0f 100644 |
400 |
u8 *prog; |
401 |
unsigned int proglen, oldproglen = 0; |
402 |
int ilen, i; |
403 |
-@@ -133,6 +231,9 @@ void bpf_jit_compile(struct sk_filter *fp) |
404 |
+@@ -133,6 +228,9 @@ void bpf_jit_compile(struct sk_filter *fp) |
405 |
unsigned int *addrs; |
406 |
const struct sock_filter *filter = fp->insns; |
407 |
int flen = fp->len; |
408 |
@@ -28199,7 +28218,7 @@ index 5a5b6e4..2265c0f 100644 |
409 |
|
410 |
if (!bpf_jit_enable) |
411 |
return; |
412 |
-@@ -141,11 +242,19 @@ void bpf_jit_compile(struct sk_filter *fp) |
413 |
+@@ -141,11 +239,19 @@ void bpf_jit_compile(struct sk_filter *fp) |
414 |
if (addrs == NULL) |
415 |
return; |
416 |
|
417 |
@@ -28221,7 +28240,7 @@ index 5a5b6e4..2265c0f 100644 |
418 |
addrs[i] = proglen; |
419 |
} |
420 |
cleanup_addr = proglen; /* epilogue address */ |
421 |
-@@ -253,10 +362,8 @@ void bpf_jit_compile(struct sk_filter *fp) |
422 |
+@@ -253,10 +359,8 @@ void bpf_jit_compile(struct sk_filter *fp) |
423 |
case BPF_S_ALU_MUL_K: /* A *= K */ |
424 |
if (is_imm8(K)) |
425 |
EMIT3(0x6b, 0xc0, K); /* imul imm8,%eax,%eax */ |
426 |
@@ -28234,7 +28253,7 @@ index 5a5b6e4..2265c0f 100644 |
427 |
break; |
428 |
case BPF_S_ALU_DIV_X: /* A /= X; */ |
429 |
seen |= SEEN_XREG; |
430 |
-@@ -276,8 +383,14 @@ void bpf_jit_compile(struct sk_filter *fp) |
431 |
+@@ -276,8 +380,14 @@ void bpf_jit_compile(struct sk_filter *fp) |
432 |
EMIT4(0x31, 0xd2, 0xf7, 0xf3); /* xor %edx,%edx; div %ebx */ |
433 |
break; |
434 |
case BPF_S_ALU_DIV_K: /* A = reciprocal_divide(A, K); */ |
435 |
@@ -28249,7 +28268,7 @@ index 5a5b6e4..2265c0f 100644 |
436 |
EMIT4(0x48, 0xc1, 0xe8, 0x20); /* shr $0x20,%rax */ |
437 |
break; |
438 |
case BPF_S_ALU_AND_X: |
439 |
-@@ -477,7 +590,7 @@ void bpf_jit_compile(struct sk_filter *fp) |
440 |
+@@ -477,7 +587,7 @@ void bpf_jit_compile(struct sk_filter *fp) |
441 |
common_load: seen |= SEEN_DATAREF; |
442 |
if ((int)K < 0) { |
443 |
/* Abort the JIT because __load_pointer() is needed. */ |
444 |
@@ -28258,7 +28277,7 @@ index 5a5b6e4..2265c0f 100644 |
445 |
} |
446 |
t_offset = func - (image + addrs[i]); |
447 |
EMIT1_off32(0xbe, K); /* mov imm32,%esi */ |
448 |
-@@ -492,7 +605,7 @@ common_load: seen |= SEEN_DATAREF; |
449 |
+@@ -492,7 +602,7 @@ common_load: seen |= SEEN_DATAREF; |
450 |
case BPF_S_LDX_B_MSH: |
451 |
if ((int)K < 0) { |
452 |
/* Abort the JIT because __load_pointer() is needed. */ |
453 |
@@ -28267,7 +28286,7 @@ index 5a5b6e4..2265c0f 100644 |
454 |
} |
455 |
seen |= SEEN_DATAREF | SEEN_XREG; |
456 |
t_offset = sk_load_byte_msh - (image + addrs[i]); |
457 |
-@@ -582,17 +695,18 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; |
458 |
+@@ -582,17 +692,18 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; |
459 |
break; |
460 |
default: |
461 |
/* hmm, too complex filter, give up with jit compiler */ |
462 |
@@ -28290,7 +28309,7 @@ index 5a5b6e4..2265c0f 100644 |
463 |
} |
464 |
proglen += ilen; |
465 |
addrs[i] = proglen; |
466 |
-@@ -613,11 +727,9 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; |
467 |
+@@ -613,11 +724,9 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; |
468 |
break; |
469 |
} |
470 |
if (proglen == oldproglen) { |
471 |
@@ -28304,7 +28323,7 @@ index 5a5b6e4..2265c0f 100644 |
472 |
} |
473 |
oldproglen = proglen; |
474 |
} |
475 |
-@@ -633,7 +745,10 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; |
476 |
+@@ -633,7 +742,10 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; |
477 |
bpf_flush_icache(image, image + proglen); |
478 |
|
479 |
fp->bpf_func = (void *)image; |
480 |
@@ -28316,7 +28335,7 @@ index 5a5b6e4..2265c0f 100644 |
481 |
out: |
482 |
kfree(addrs); |
483 |
return; |
484 |
-@@ -641,18 +756,20 @@ out: |
485 |
+@@ -641,18 +753,20 @@ out: |
486 |
|
487 |
static void jit_free_defer(struct work_struct *arg) |
488 |
{ |
489 |
@@ -32413,7 +32432,7 @@ index da3cfee..a5a6606 100644 |
490 |
|
491 |
*ppos = i; |
492 |
diff --git a/drivers/char/random.c b/drivers/char/random.c |
493 |
-index 8ae9235..ea94cf2 100644 |
494 |
+index 8ae9235..788c4ba 100644 |
495 |
--- a/drivers/char/random.c |
496 |
+++ b/drivers/char/random.c |
497 |
@@ -269,8 +269,13 @@ |
498 |
@@ -32467,36 +32486,94 @@ index 8ae9235..ea94cf2 100644 |
499 |
smp_wmb(); |
500 |
|
501 |
if (out) |
502 |
-@@ -979,6 +992,10 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, |
503 |
+@@ -877,6 +890,7 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min, |
504 |
+ int reserved) |
505 |
+ { |
506 |
+ unsigned long flags; |
507 |
++ int wakeup_write = 0; |
508 |
+ |
509 |
+ /* Hold lock while accounting */ |
510 |
+ spin_lock_irqsave(&r->lock, flags); |
511 |
+@@ -889,19 +903,25 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min, |
512 |
+ if (r->entropy_count / 8 < min + reserved) { |
513 |
+ nbytes = 0; |
514 |
+ } else { |
515 |
++ int entropy_count, orig; |
516 |
++retry: |
517 |
++ entropy_count = orig = ACCESS_ONCE(r->entropy_count); |
518 |
+ /* If limited, never pull more than available */ |
519 |
+- if (r->limit && nbytes + reserved >= r->entropy_count / 8) |
520 |
+- nbytes = r->entropy_count/8 - reserved; |
521 |
++ if (r->limit && nbytes + reserved >= entropy_count / 8) |
522 |
++ nbytes = entropy_count/8 - reserved; |
523 |
+ |
524 |
+- if (r->entropy_count / 8 >= nbytes + reserved) |
525 |
+- r->entropy_count -= nbytes*8; |
526 |
+- else |
527 |
+- r->entropy_count = reserved; |
528 |
+- |
529 |
+- if (r->entropy_count < random_write_wakeup_thresh) { |
530 |
+- wake_up_interruptible(&random_write_wait); |
531 |
+- kill_fasync(&fasync, SIGIO, POLL_OUT); |
532 |
++ if (entropy_count / 8 >= nbytes + reserved) { |
533 |
++ entropy_count -= nbytes*8; |
534 |
++ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) |
535 |
++ goto retry; |
536 |
++ } else { |
537 |
++ entropy_count = reserved; |
538 |
++ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) |
539 |
++ goto retry; |
540 |
+ } |
541 |
++ |
542 |
++ if (entropy_count < random_write_wakeup_thresh) |
543 |
++ wakeup_write = 1; |
544 |
+ } |
545 |
+ |
546 |
+ DEBUG_ENT("debiting %d entropy credits from %s%s\n", |
547 |
+@@ -909,6 +929,11 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min, |
548 |
+ |
549 |
+ spin_unlock_irqrestore(&r->lock, flags); |
550 |
+ |
551 |
++ if (wakeup_write) { |
552 |
++ wake_up_interruptible(&random_write_wait); |
553 |
++ kill_fasync(&fasync, SIGIO, POLL_OUT); |
554 |
++ } |
555 |
++ |
556 |
+ return nbytes; |
557 |
+ } |
558 |
+ |
559 |
+@@ -978,6 +1003,21 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, |
560 |
+ { |
561 |
ssize_t ret = 0, i; |
562 |
__u8 tmp[EXTRACT_SIZE]; |
563 |
- |
564 |
-+ /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */ |
565 |
-+ if (fips_enabled && !r->last_data_init) |
566 |
-+ nbytes += EXTRACT_SIZE; |
567 |
++ unsigned long flags; |
568 |
+ |
569 |
++ /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */ |
570 |
++ if (fips_enabled) { |
571 |
++ spin_lock_irqsave(&r->lock, flags); |
572 |
++ if (!r->last_data_init) { |
573 |
++ r->last_data_init = true; |
574 |
++ spin_unlock_irqrestore(&r->lock, flags); |
575 |
++ xfer_secondary_pool(r, EXTRACT_SIZE); |
576 |
++ extract_buf(r, tmp); |
577 |
++ spin_lock_irqsave(&r->lock, flags); |
578 |
++ memcpy(r->last_data, tmp, EXTRACT_SIZE); |
579 |
++ } |
580 |
++ spin_unlock_irqrestore(&r->lock, flags); |
581 |
++ } |
582 |
+ |
583 |
xfer_secondary_pool(r, nbytes); |
584 |
nbytes = account(r, nbytes, min, reserved); |
585 |
+@@ -986,8 +1026,6 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, |
586 |
+ extract_buf(r, tmp); |
587 |
|
588 |
-@@ -988,6 +1005,17 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, |
589 |
if (fips_enabled) { |
590 |
- unsigned long flags; |
591 |
- |
592 |
-+ |
593 |
-+ /* prime last_data value if need be, per fips 140-2 */ |
594 |
-+ if (!r->last_data_init) { |
595 |
-+ spin_lock_irqsave(&r->lock, flags); |
596 |
-+ memcpy(r->last_data, tmp, EXTRACT_SIZE); |
597 |
-+ r->last_data_init = true; |
598 |
-+ nbytes -= EXTRACT_SIZE; |
599 |
-+ spin_unlock_irqrestore(&r->lock, flags); |
600 |
-+ extract_buf(r, tmp); |
601 |
-+ } |
602 |
-+ |
603 |
+- unsigned long flags; |
604 |
+- |
605 |
spin_lock_irqsave(&r->lock, flags); |
606 |
if (!memcmp(tmp, r->last_data, EXTRACT_SIZE)) |
607 |
panic("Hardware RNG duplicated output!\n"); |
608 |
-@@ -1028,7 +1056,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, |
609 |
+@@ -1028,7 +1066,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, |
610 |
|
611 |
extract_buf(r, tmp); |
612 |
i = min_t(int, nbytes, EXTRACT_SIZE); |
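Review bot: In the FIPS priming block of extract_entropy(), `r->last_data_init = true` is published before `r->last_data` is filled, and the lock is dropped in between for `xfer_secondary_pool()` and `extract_buf()`. A second caller arriving in that window would skip priming, run the duplicate-output `memcmp` against an unprimed `last_data`, and then have the block it stored overwritten by the first caller's `memcpy`; whether callers can overlap here depends on code outside the hunk. The retained comment no longer matches the code, which extracts a separate priming block instead of enlarging `nbytes`; something like `/* prime last_data once per FIPS 140-2; flag is set first so only one caller primes */` would be accurate. The 2.6.32 copy of random.c earlier in this commit carries the same block.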
613 |
@@ -32505,7 +32582,7 @@ index 8ae9235..ea94cf2 100644 |
614 |
ret = -EFAULT; |
615 |
break; |
616 |
} |
617 |
-@@ -1105,6 +1133,7 @@ static void init_std_data(struct entropy_store *r) |
618 |
+@@ -1105,6 +1143,7 @@ static void init_std_data(struct entropy_store *r) |
619 |
|
620 |
r->entropy_count = 0; |
621 |
r->entropy_total = 0; |
622 |
@@ -32513,7 +32590,7 @@ index 8ae9235..ea94cf2 100644 |
623 |
mix_pool_bytes(r, &now, sizeof(now), NULL); |
624 |
for (i = r->poolinfo->POOLBYTES; i > 0; i -= sizeof(rv)) { |
625 |
if (!arch_get_random_long(&rv)) |
626 |
-@@ -1379,7 +1408,7 @@ EXPORT_SYMBOL(generate_random_uuid); |
627 |
+@@ -1379,7 +1418,7 @@ EXPORT_SYMBOL(generate_random_uuid); |
628 |
#include <linux/sysctl.h> |
629 |
|
630 |
static int min_read_thresh = 8, min_write_thresh; |
631 |
@@ -32522,7 +32599,7 @@ index 8ae9235..ea94cf2 100644 |
632 |
static int max_write_thresh = INPUT_POOL_WORDS * 32; |
633 |
static char sysctl_bootid[16]; |
634 |
|
635 |
-@@ -1395,7 +1424,7 @@ static char sysctl_bootid[16]; |
636 |
+@@ -1395,7 +1434,7 @@ static char sysctl_bootid[16]; |
637 |
static int proc_do_uuid(ctl_table *table, int write, |
638 |
void __user *buffer, size_t *lenp, loff_t *ppos) |
639 |
{ |
640 |
@@ -49494,10 +49571,10 @@ index 451b9b8..12e5a03 100644 |
641 |
|
642 |
out_free_fd: |
643 |
diff --git a/fs/exec.c b/fs/exec.c |
644 |
-index 312e297..437233e 100644 |
645 |
+index 312e297..4c133f2 100644 |
646 |
--- a/fs/exec.c |
647 |
+++ b/fs/exec.c |
648 |
-@@ -55,12 +55,34 @@ |
649 |
+@@ -55,12 +55,35 @@ |
650 |
#include <linux/pipe_fs_i.h> |
651 |
#include <linux/oom.h> |
652 |
#include <linux/compat.h> |
653 |
@@ -49513,6 +49590,7 @@ index 312e297..437233e 100644 |
654 |
+#include <trace/events/fs.h> |
655 |
|
656 |
#include <asm/uaccess.h> |
657 |
++#include <asm/sections.h> |
658 |
#include <asm/mmu_context.h> |
659 |
#include <asm/tlb.h> |
660 |
#include "internal.h" |
661 |
@@ -49532,7 +49610,7 @@ index 312e297..437233e 100644 |
662 |
int core_uses_pid; |
663 |
char core_pattern[CORENAME_MAX_SIZE] = "core"; |
664 |
unsigned int core_pipe_limit; |
665 |
-@@ -70,7 +92,7 @@ struct core_name { |
666 |
+@@ -70,7 +93,7 @@ struct core_name { |
667 |
char *corename; |
668 |
int used, size; |
669 |
}; |
670 |
@@ -49541,7 +49619,7 @@ index 312e297..437233e 100644 |
671 |
|
672 |
/* The maximal length of core_pattern is also specified in sysctl.c */ |
673 |
|
674 |
-@@ -82,8 +104,8 @@ int __register_binfmt(struct linux_binfmt * fmt, int insert) |
675 |
+@@ -82,8 +105,8 @@ int __register_binfmt(struct linux_binfmt * fmt, int insert) |
676 |
if (!fmt) |
677 |
return -EINVAL; |
678 |
write_lock(&binfmt_lock); |
679 |
@@ -49552,7 +49630,7 @@ index 312e297..437233e 100644 |
680 |
write_unlock(&binfmt_lock); |
681 |
return 0; |
682 |
} |
683 |
-@@ -93,7 +115,7 @@ EXPORT_SYMBOL(__register_binfmt); |
684 |
+@@ -93,7 +116,7 @@ EXPORT_SYMBOL(__register_binfmt); |
685 |
void unregister_binfmt(struct linux_binfmt * fmt) |
686 |
{ |
687 |
write_lock(&binfmt_lock); |
688 |
@@ -49561,7 +49639,7 @@ index 312e297..437233e 100644 |
689 |
write_unlock(&binfmt_lock); |
690 |
} |
691 |
|
692 |
-@@ -188,18 +210,10 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, |
693 |
+@@ -188,18 +211,10 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, |
694 |
int write) |
695 |
{ |
696 |
struct page *page; |
697 |
@@ -49583,7 +49661,7 @@ index 312e297..437233e 100644 |
698 |
return NULL; |
699 |
|
700 |
if (write) { |
701 |
-@@ -215,6 +229,17 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, |
702 |
+@@ -215,6 +230,17 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, |
703 |
if (size <= ARG_MAX) |
704 |
return page; |
705 |
|
706 |
@@ -49601,7 +49679,7 @@ index 312e297..437233e 100644 |
707 |
/* |
708 |
* Limit to 1/4-th the stack size for the argv+env strings. |
709 |
* This ensures that: |
710 |
-@@ -274,6 +299,11 @@ static int __bprm_mm_init(struct linux_binprm *bprm) |
711 |
+@@ -274,6 +300,11 @@ static int __bprm_mm_init(struct linux_binprm *bprm) |
712 |
vma->vm_end = STACK_TOP_MAX; |
713 |
vma->vm_start = vma->vm_end - PAGE_SIZE; |
714 |
vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP; |
715 |
@@ -49613,7 +49691,7 @@ index 312e297..437233e 100644 |
716 |
vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); |
717 |
INIT_LIST_HEAD(&vma->anon_vma_chain); |
718 |
|
719 |
-@@ -288,6 +318,12 @@ static int __bprm_mm_init(struct linux_binprm *bprm) |
720 |
+@@ -288,6 +319,12 @@ static int __bprm_mm_init(struct linux_binprm *bprm) |
721 |
mm->stack_vm = mm->total_vm = 1; |
722 |
up_write(&mm->mmap_sem); |
723 |
bprm->p = vma->vm_end - sizeof(void *); |
724 |
@@ -49626,7 +49704,7 @@ index 312e297..437233e 100644 |
725 |
return 0; |
726 |
err: |
727 |
up_write(&mm->mmap_sem); |
728 |
-@@ -403,12 +439,12 @@ struct user_arg_ptr { |
729 |
+@@ -403,12 +440,12 @@ struct user_arg_ptr { |
730 |
union { |
731 |
const char __user *const __user *native; |
732 |
#ifdef CONFIG_COMPAT |
733 |
@@ -49641,7 +49719,7 @@ index 312e297..437233e 100644 |
734 |
{ |
735 |
const char __user *native; |
736 |
|
737 |
-@@ -417,14 +453,14 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr) |
738 |
+@@ -417,14 +454,14 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr) |
739 |
compat_uptr_t compat; |
740 |
|
741 |
if (get_user(compat, argv.ptr.compat + nr)) |
742 |
@@ -49658,7 +49736,7 @@ index 312e297..437233e 100644 |
743 |
|
744 |
return native; |
745 |
} |
746 |
-@@ -443,11 +479,12 @@ static int count(struct user_arg_ptr argv, int max) |
747 |
+@@ -443,11 +480,12 @@ static int count(struct user_arg_ptr argv, int max) |
748 |
if (!p) |
749 |
break; |
750 |
|
751 |
@@ -49673,7 +49751,7 @@ index 312e297..437233e 100644 |
752 |
|
753 |
if (fatal_signal_pending(current)) |
754 |
return -ERESTARTNOHAND; |
755 |
-@@ -477,7 +514,7 @@ static int copy_strings(int argc, struct user_arg_ptr argv, |
756 |
+@@ -477,7 +515,7 @@ static int copy_strings(int argc, struct user_arg_ptr argv, |
757 |
|
758 |
ret = -EFAULT; |
759 |
str = get_user_arg_ptr(argv, argc); |
760 |
@@ -49682,7 +49760,7 @@ index 312e297..437233e 100644 |
761 |
goto out; |
762 |
|
763 |
len = strnlen_user(str, MAX_ARG_STRLEN); |
764 |
-@@ -559,7 +596,7 @@ int copy_strings_kernel(int argc, const char *const *__argv, |
765 |
+@@ -559,7 +597,7 @@ int copy_strings_kernel(int argc, const char *const *__argv, |
766 |
int r; |
767 |
mm_segment_t oldfs = get_fs(); |
768 |
struct user_arg_ptr argv = { |
769 |
@@ -49691,7 +49769,7 @@ index 312e297..437233e 100644 |
770 |
}; |
771 |
|
772 |
set_fs(KERNEL_DS); |
773 |
-@@ -594,7 +631,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) |
774 |
+@@ -594,7 +632,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) |
775 |
unsigned long new_end = old_end - shift; |
776 |
struct mmu_gather tlb; |
777 |
|
778 |
@@ -49701,7 +49779,7 @@ index 312e297..437233e 100644 |
779 |
|
780 |
/* |
781 |
* ensure there are no vmas between where we want to go |
782 |
-@@ -603,6 +641,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) |
783 |
+@@ -603,6 +642,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) |
784 |
if (vma != find_vma(mm, new_start)) |
785 |
return -EFAULT; |
786 |
|
787 |
@@ -49712,7 +49790,7 @@ index 312e297..437233e 100644 |
788 |
/* |
789 |
* cover the whole range: [new_start, old_end) |
790 |
*/ |
791 |
-@@ -683,10 +725,6 @@ int setup_arg_pages(struct linux_binprm *bprm, |
792 |
+@@ -683,10 +726,6 @@ int setup_arg_pages(struct linux_binprm *bprm, |
793 |
stack_top = arch_align_stack(stack_top); |
794 |
stack_top = PAGE_ALIGN(stack_top); |
795 |
|
796 |
@@ -49723,7 +49801,7 @@ index 312e297..437233e 100644 |
797 |
stack_shift = vma->vm_end - stack_top; |
798 |
|
799 |
bprm->p -= stack_shift; |
800 |
-@@ -698,8 +736,28 @@ int setup_arg_pages(struct linux_binprm *bprm, |
801 |
+@@ -698,8 +737,28 @@ int setup_arg_pages(struct linux_binprm *bprm, |
802 |
bprm->exec -= stack_shift; |
803 |
|
804 |
down_write(&mm->mmap_sem); |
805 |
@@ -49752,7 +49830,7 @@ index 312e297..437233e 100644 |
806 |
/* |
807 |
* Adjust stack execute permissions; explicitly enable for |
808 |
* EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone |
809 |
-@@ -718,13 +776,6 @@ int setup_arg_pages(struct linux_binprm *bprm, |
810 |
+@@ -718,13 +777,6 @@ int setup_arg_pages(struct linux_binprm *bprm, |
811 |
goto out_unlock; |
812 |
BUG_ON(prev != vma); |
813 |
|
814 |
@@ -49766,7 +49844,7 @@ index 312e297..437233e 100644 |
815 |
/* mprotect_fixup is overkill to remove the temporary stack flags */ |
816 |
vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP; |
817 |
|
818 |
-@@ -748,6 +799,27 @@ int setup_arg_pages(struct linux_binprm *bprm, |
819 |
+@@ -748,6 +800,27 @@ int setup_arg_pages(struct linux_binprm *bprm, |
820 |
#endif |
821 |
current->mm->start_stack = bprm->p; |
822 |
ret = expand_stack(vma, stack_base); |
823 |
@@ -49794,7 +49872,7 @@ index 312e297..437233e 100644 |
824 |
if (ret) |
825 |
ret = -EFAULT; |
826 |
|
827 |
-@@ -782,6 +854,8 @@ struct file *open_exec(const char *name) |
828 |
+@@ -782,6 +855,8 @@ struct file *open_exec(const char *name) |
829 |
|
830 |
fsnotify_open(file); |
831 |
|
832 |
@@ -49803,7 +49881,7 @@ index 312e297..437233e 100644 |
833 |
err = deny_write_access(file); |
834 |
if (err) |
835 |
goto exit; |
836 |
-@@ -805,7 +879,7 @@ int kernel_read(struct file *file, loff_t offset, |
837 |
+@@ -805,7 +880,7 @@ int kernel_read(struct file *file, loff_t offset, |
838 |
old_fs = get_fs(); |
839 |
set_fs(get_ds()); |
840 |
/* The cast to a user pointer is valid due to the set_fs() */ |
841 |
@@ -49812,7 +49890,7 @@ index 312e297..437233e 100644 |
842 |
set_fs(old_fs); |
843 |
return result; |
844 |
} |
845 |
-@@ -1070,6 +1144,21 @@ void set_task_comm(struct task_struct *tsk, char *buf) |
846 |
+@@ -1070,6 +1145,21 @@ void set_task_comm(struct task_struct *tsk, char *buf) |
847 |
perf_event_comm(tsk); |
848 |
} |
849 |
|
850 |
@@ -49834,7 +49912,7 @@ index 312e297..437233e 100644 |
851 |
int flush_old_exec(struct linux_binprm * bprm) |
852 |
{ |
853 |
int retval; |
854 |
-@@ -1084,6 +1173,7 @@ int flush_old_exec(struct linux_binprm * bprm) |
855 |
+@@ -1084,6 +1174,7 @@ int flush_old_exec(struct linux_binprm * bprm) |
856 |
|
857 |
set_mm_exe_file(bprm->mm, bprm->file); |
858 |
|
859 |
@@ -49842,7 +49920,7 @@ index 312e297..437233e 100644 |
860 |
/* |
861 |
* Release all of the old mmap stuff |
862 |
*/ |
863 |
-@@ -1116,10 +1206,6 @@ EXPORT_SYMBOL(would_dump); |
864 |
+@@ -1116,10 +1207,6 @@ EXPORT_SYMBOL(would_dump); |
865 |
|
866 |
void setup_new_exec(struct linux_binprm * bprm) |
867 |
{ |
868 |
@@ -49853,7 +49931,7 @@ index 312e297..437233e 100644 |
869 |
arch_pick_mmap_layout(current->mm); |
870 |
|
871 |
/* This is the point of no return */ |
872 |
-@@ -1130,18 +1216,7 @@ void setup_new_exec(struct linux_binprm * bprm) |
873 |
+@@ -1130,18 +1217,7 @@ void setup_new_exec(struct linux_binprm * bprm) |
874 |
else |
875 |
set_dumpable(current->mm, suid_dumpable); |
876 |
|
877 |
@@ -49873,7 +49951,7 @@ index 312e297..437233e 100644 |
878 |
|
879 |
/* Set the new mm task size. We have to do that late because it may |
880 |
* depend on TIF_32BIT which is only updated in flush_thread() on |
881 |
-@@ -1266,7 +1341,7 @@ int check_unsafe_exec(struct linux_binprm *bprm) |
882 |
+@@ -1266,7 +1342,7 @@ int check_unsafe_exec(struct linux_binprm *bprm) |
883 |
} |
884 |
rcu_read_unlock(); |
885 |
|
886 |
@@ -49882,7 +49960,7 @@ index 312e297..437233e 100644 |
887 |
bprm->unsafe |= LSM_UNSAFE_SHARE; |
888 |
} else { |
889 |
res = -EAGAIN; |
890 |
-@@ -1461,6 +1536,31 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) |
891 |
+@@ -1461,6 +1537,31 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) |
892 |
|
893 |
EXPORT_SYMBOL(search_binary_handler); |
894 |
|
895 |
@@ -49914,7 +49992,7 @@ index 312e297..437233e 100644 |
896 |
/* |
897 |
* sys_execve() executes a new program. |
898 |
*/ |
899 |
-@@ -1469,6 +1569,11 @@ static int do_execve_common(const char *filename, |
900 |
+@@ -1469,6 +1570,11 @@ static int do_execve_common(const char *filename, |
901 |
struct user_arg_ptr envp, |
902 |
struct pt_regs *regs) |
903 |
{ |
904 |
@@ -49926,7 +50004,7 @@ index 312e297..437233e 100644 |
905 |
struct linux_binprm *bprm; |
906 |
struct file *file; |
907 |
struct files_struct *displaced; |
908 |
-@@ -1476,6 +1581,8 @@ static int do_execve_common(const char *filename, |
909 |
+@@ -1476,6 +1582,8 @@ static int do_execve_common(const char *filename, |
910 |
int retval; |
911 |
const struct cred *cred = current_cred(); |
912 |
|
913 |
@@ -49935,7 +50013,7 @@ index 312e297..437233e 100644 |
914 |
/* |
915 |
* We move the actual failure in case of RLIMIT_NPROC excess from |
916 |
* set*uid() to execve() because too many poorly written programs |
917 |
-@@ -1516,12 +1623,27 @@ static int do_execve_common(const char *filename, |
918 |
+@@ -1516,12 +1624,27 @@ static int do_execve_common(const char *filename, |
919 |
if (IS_ERR(file)) |
920 |
goto out_unmark; |
921 |
|
922 |
@@ -49963,7 +50041,7 @@ index 312e297..437233e 100644 |
923 |
retval = bprm_mm_init(bprm); |
924 |
if (retval) |
925 |
goto out_file; |
926 |
-@@ -1538,24 +1660,65 @@ static int do_execve_common(const char *filename, |
927 |
+@@ -1538,24 +1661,65 @@ static int do_execve_common(const char *filename, |
928 |
if (retval < 0) |
929 |
goto out; |
930 |
|
931 |
@@ -50033,7 +50111,7 @@ index 312e297..437233e 100644 |
932 |
current->fs->in_exec = 0; |
933 |
current->in_execve = 0; |
934 |
acct_update_integrals(current); |
935 |
-@@ -1564,6 +1727,14 @@ static int do_execve_common(const char *filename, |
936 |
+@@ -1564,6 +1728,14 @@ static int do_execve_common(const char *filename, |
937 |
put_files_struct(displaced); |
938 |
return retval; |
939 |
|
940 |
@@ -50048,7 +50126,7 @@ index 312e297..437233e 100644 |
941 |
out: |
942 |
if (bprm->mm) { |
943 |
acct_arg_size(bprm, 0); |
944 |
-@@ -1637,7 +1808,7 @@ static int expand_corename(struct core_name *cn) |
945 |
+@@ -1637,7 +1809,7 @@ static int expand_corename(struct core_name *cn) |
946 |
{ |
947 |
char *old_corename = cn->corename; |
948 |
|
949 |
@@ -50057,7 +50135,7 @@ index 312e297..437233e 100644 |
950 |
cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL); |
951 |
|
952 |
if (!cn->corename) { |
953 |
-@@ -1734,7 +1905,7 @@ static int format_corename(struct core_name *cn, long signr) |
954 |
+@@ -1734,7 +1906,7 @@ static int format_corename(struct core_name *cn, long signr) |
955 |
int pid_in_pattern = 0; |
956 |
int err = 0; |
957 |
|
958 |
@@ -50066,7 +50144,7 @@ index 312e297..437233e 100644 |
959 |
cn->corename = kmalloc(cn->size, GFP_KERNEL); |
960 |
cn->used = 0; |
961 |
|
962 |
-@@ -1831,6 +2002,250 @@ out: |
963 |
+@@ -1831,6 +2003,280 @@ out: |
964 |
return ispipe; |
965 |
} |
966 |
|
967 |
@@ -50271,7 +50349,30 @@ index 312e297..437233e 100644 |
968 |
+} |
969 |
+#endif |
970 |
+ |
971 |
-+void __check_object_size(const void *ptr, unsigned long n, bool to) |
972 |
++#ifdef CONFIG_PAX_USERCOPY |
973 |
++static inline bool check_kernel_text_object(unsigned long low, unsigned long high) |
974 |
++{ |
975 |
++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) |
976 |
++ unsigned long textlow = ktla_ktva((unsigned long)_stext); |
977 |
++#ifdef CONFIG_MODULES |
978 |
++ unsigned long texthigh = (unsigned long)MODULES_EXEC_VADDR; |
979 |
++#else |
980 |
++ unsigned long texthigh = ktla_ktva((unsigned long)_etext); |
981 |
++#endif |
982 |
++ |
983 |
++#else |
984 |
++ unsigned long textlow = _stext; |
985 |
++ unsigned long texthigh = _etext; |
986 |
++#endif |
987 |
++ |
988 |
++ if (high <= textlow || low > texthigh) |
989 |
++ return false; |
990 |
++ else |
991 |
++ return true; |
992 |
++} |
993 |
++#endif |
994 |
++ |
995 |
++void __check_object_size(const void *ptr, unsigned long n, bool to_user) |
996 |
+{ |
997 |
+ |
998 |
+#ifdef CONFIG_PAX_USERCOPY |
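Review bot: In the added `check_kernel_text_object()`, the non-KERNEXEC branch assigns `_stext` and `_etext` to `unsigned long` without the `(unsigned long)` cast that the KERNEXEC branch uses, and the overlap test treats its two bounds differently (`high <= textlow` but `low > texthigh`). If `_etext` is the first address past kernel text, a range starting exactly at `_etext` is reported as overlapping; `if (high <= textlow || low >= texthigh)` would make both bounds half-open, and `unsigned long textlow = (unsigned long)_stext;` would match the other branch. The declarations of `_stext`, `_etext` and `MODULES_EXEC_VADDR` are outside this hunk, so confirm which convention the upper bound follows before changing the comparison. A one-line comment stating that `[low, high)` is the object being copied and that any overlap with kernel text returns true would also help.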
999 |
@@ -50282,12 +50383,19 @@ index 312e297..437233e 100644 |
1000 |
+ |
1001 |
+ type = check_heap_object(ptr, n); |
1002 |
+ if (!type) { |
1003 |
-+ if (check_stack_object(ptr, n) != -1) |
1004 |
++ int ret = check_stack_object(ptr, n); |
1005 |
++ if (ret == 1 || ret == 2) |
1006 |
+ return; |
1007 |
-+ type = "<process stack>"; |
1008 |
++ if (ret == 0) { |
1009 |
++ if (check_kernel_text_object((unsigned long)ptr, (unsigned long)ptr + n)) |
1010 |
++ type = "<kernel text>"; |
1011 |
++ else |
1012 |
++ return; |
1013 |
++ } else |
1014 |
++ type = "<process stack>"; |
1015 |
+ } |
1016 |
+ |
1017 |
-+ pax_report_usercopy(ptr, n, to, type); |
1018 |
++ pax_report_usercopy(ptr, n, to_user, type); |
1019 |
+#endif |
1020 |
+ |
1021 |
+} |
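Review bot: The rewritten branch in `__check_object_size()` dispatches on the raw return values of `check_stack_object()` (`1` or `2`, `0`, and anything else) with no comment saying what each value means. A reader cannot tell why `1` and `2` return early while `0` falls through to the kernel-text check. A comment above `int ret = check_stack_object(ptr, n);` should name the outcomes (presumably: not a stack object, two accepted in-stack cases, and an invalid stack range), worded to match that function's contract, which is outside this hunk. The end address `(unsigned long)ptr + n` can wrap for a large `n`, and whether `n` is bounded earlier is not visible here, so confirm a wrapped `high` cannot make `check_kernel_text_object()` return false for a range that does cover kernel text. The unbraced `} else` arm should carry braces to match the braced `if (ret == 0) {` arm.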
1022 |
@@ -50317,7 +50425,7 @@ index 312e297..437233e 100644 |
1023 |
static int zap_process(struct task_struct *start, int exit_code) |
1024 |
{ |
1025 |
struct task_struct *t; |
1026 |
-@@ -2004,17 +2419,17 @@ static void coredump_finish(struct mm_struct *mm) |
1027 |
+@@ -2004,17 +2450,17 @@ static void coredump_finish(struct mm_struct *mm) |
1028 |
void set_dumpable(struct mm_struct *mm, int value) |
1029 |
{ |
1030 |
switch (value) { |
1031 |
@@ -50338,7 +50446,7 @@ index 312e297..437233e 100644 |
1032 |
set_bit(MMF_DUMP_SECURELY, &mm->flags); |
1033 |
smp_wmb(); |
1034 |
set_bit(MMF_DUMPABLE, &mm->flags); |
1035 |
-@@ -2027,7 +2442,7 @@ static int __get_dumpable(unsigned long mm_flags) |
1036 |
+@@ -2027,7 +2473,7 @@ static int __get_dumpable(unsigned long mm_flags) |
1037 |
int ret; |
1038 |
|
1039 |
ret = mm_flags & MMF_DUMPABLE_MASK; |
1040 |
@@ -50347,7 +50455,7 @@ index 312e297..437233e 100644 |
1041 |
} |
1042 |
|
1043 |
int get_dumpable(struct mm_struct *mm) |
1044 |
-@@ -2042,17 +2457,17 @@ static void wait_for_dump_helpers(struct file *file) |
1045 |
+@@ -2042,17 +2488,17 @@ static void wait_for_dump_helpers(struct file *file) |
1046 |
pipe = file->f_path.dentry->d_inode->i_pipe; |
1047 |
|
1048 |
pipe_lock(pipe); |
1049 |
@@ -50370,7 +50478,7 @@ index 312e297..437233e 100644 |
1050 |
pipe_unlock(pipe); |
1051 |
|
1052 |
} |
1053 |
-@@ -2113,7 +2528,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
1054 |
+@@ -2113,7 +2559,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
1055 |
int retval = 0; |
1056 |
int flag = 0; |
1057 |
int ispipe; |
1058 |
@@ -50380,7 +50488,7 @@ index 312e297..437233e 100644 |
1059 |
struct coredump_params cprm = { |
1060 |
.signr = signr, |
1061 |
.regs = regs, |
1062 |
-@@ -2128,6 +2544,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
1063 |
+@@ -2128,6 +2575,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
1064 |
|
1065 |
audit_core_dumps(signr); |
1066 |
|
1067 |
@@ -50390,7 +50498,7 @@ index 312e297..437233e 100644 |
1068 |
binfmt = mm->binfmt; |
1069 |
if (!binfmt || !binfmt->core_dump) |
1070 |
goto fail; |
1071 |
-@@ -2138,14 +2557,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
1072 |
+@@ -2138,14 +2588,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
1073 |
if (!cred) |
1074 |
goto fail; |
1075 |
/* |
1076 |
@@ -50411,7 +50519,7 @@ index 312e297..437233e 100644 |
1077 |
} |
1078 |
|
1079 |
retval = coredump_wait(exit_code, &core_state); |
1080 |
-@@ -2195,7 +2616,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
1081 |
+@@ -2195,7 +2647,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
1082 |
} |
1083 |
cprm.limit = RLIM_INFINITY; |
1084 |
|
1085 |
@@ -50420,7 +50528,7 @@ index 312e297..437233e 100644 |
1086 |
if (core_pipe_limit && (core_pipe_limit < dump_count)) { |
1087 |
printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n", |
1088 |
task_tgid_vnr(current), current->comm); |
1089 |
-@@ -2222,9 +2643,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
1090 |
+@@ -2222,9 +2674,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
1091 |
} else { |
1092 |
struct inode *inode; |
1093 |
|
1094 |
@@ -50440,7 +50548,7 @@ index 312e297..437233e 100644 |
1095 |
cprm.file = filp_open(cn.corename, |
1096 |
O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, |
1097 |
0600); |
1098 |
-@@ -2265,7 +2696,7 @@ close_fail: |
1099 |
+@@ -2265,7 +2727,7 @@ close_fail: |
1100 |
filp_close(cprm.file, NULL); |
1101 |
fail_dropcount: |
1102 |
if (ispipe) |
1103 |
@@ -50449,7 +50557,7 @@ index 312e297..437233e 100644 |
1104 |
fail_unlock: |
1105 |
kfree(cn.corename); |
1106 |
fail_corename: |
1107 |
-@@ -2284,7 +2715,7 @@ fail: |
1108 |
+@@ -2284,7 +2746,7 @@ fail: |
1109 |
*/ |
1110 |
int dump_write(struct file *file, const void *addr, int nr) |
1111 |
{ |
1112 |
@@ -50753,6 +50861,39 @@ index cc386b2..22725d2 100644 |
1113 |
|
1114 |
static int __init ext4_init_feat_adverts(void) |
1115 |
{ |
1116 |
+diff --git a/fs/fat/inode.c b/fs/fat/inode.c |
1117 |
+index 808cac7..fc33ca1 100644 |
1118 |
+--- a/fs/fat/inode.c |
1119 |
++++ b/fs/fat/inode.c |
1120 |
+@@ -1238,6 +1238,19 @@ static int fat_read_root(struct inode *inode) |
1121 |
+ return 0; |
1122 |
+ } |
1123 |
+ |
1124 |
++static unsigned long calc_fat_clusters(struct super_block *sb) |
1125 |
++{ |
1126 |
++ struct msdos_sb_info *sbi = MSDOS_SB(sb); |
1127 |
++ |
1128 |
++ /* Divide first to avoid overflow */ |
1129 |
++ if (sbi->fat_bits != 12) { |
1130 |
++ unsigned long ent_per_sec = sb->s_blocksize * 8 / sbi->fat_bits; |
1131 |
++ return ent_per_sec * sbi->fat_length; |
1132 |
++ } |
1133 |
++ |
1134 |
++ return sbi->fat_length * sb->s_blocksize * 8 / sbi->fat_bits; |
1135 |
++} |
1136 |
++ |
1137 |
+ /* |
1138 |
+ * Read the super block of an MS-DOS FS. |
1139 |
+ */ |
1140 |
+@@ -1434,7 +1447,7 @@ int fat_fill_super(struct super_block *sb, void *data, int silent, int isvfat, |
1141 |
+ sbi->fat_bits = (total_clusters > MAX_FAT12) ? 16 : 12; |
1142 |
+ |
1143 |
+ /* check that FAT table does not overflow */ |
1144 |
+- fat_clusters = sbi->fat_length * sb->s_blocksize * 8 / sbi->fat_bits; |
1145 |
++ fat_clusters = calc_fat_clusters(sb); |
1146 |
+ total_clusters = min(total_clusters, fat_clusters - FAT_START_ENT); |
1147 |
+ if (total_clusters > MAX_FAT(sb)) { |
1148 |
+ if (!silent) |
1149 |
diff --git a/fs/fat/namei_msdos.c b/fs/fat/namei_msdos.c |
1150 |
index 216b419..350a088 100644 |
1151 |
--- a/fs/fat/namei_msdos.c |
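Review bot: In the added `calc_fat_clusters()`, the comment `/* Divide first to avoid overflow */` describes only the `fat_bits != 12` branch, while the FAT12 path still computes `sbi->fat_length * sb->s_blocksize * 8 / sbi->fat_bits` multiply-first with no explanation. Presumably FAT12 is exempt because the bits in a block do not divide evenly by 12 and FAT12 tables are small, but `fat_length` looks like a value read from the on-disk superblock, so the comment should state that assumption. The caller then computes `fat_clusters - FAT_START_ENT`; whether a zero or very small `fat_length` is rejected before that subtraction is not visible in this hunk and is worth checking. The body of `fat_fill_super()` continues outside the hunk.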
1152 |
@@ -67711,7 +67852,7 @@ index dfadc96..23c5182 100644 |
1153 |
|
1154 |
#if __GNUC_MINOR__ > 0 |
1155 |
diff --git a/include/linux/compiler.h b/include/linux/compiler.h |
1156 |
-index 320d6c9..df26a76 100644 |
1157 |
+index 320d6c9..2d1df6b 100644 |
1158 |
--- a/include/linux/compiler.h |
1159 |
+++ b/include/linux/compiler.h |
1160 |
@@ -5,31 +5,51 @@ |
1161 |
@@ -67824,22 +67965,26 @@ index 320d6c9..df26a76 100644 |
1162 |
/* Simple shorthand for a section definition */ |
1163 |
#ifndef __section |
1164 |
# define __section(S) __attribute__ ((__section__(#S))) |
1165 |
-@@ -294,6 +348,14 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect); |
1166 |
- # define __compiletime_error(message) |
1167 |
+@@ -292,6 +346,18 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect); |
1168 |
#endif |
1169 |
- |
1170 |
+ #ifndef __compiletime_error |
1171 |
+ # define __compiletime_error(message) |
1172 |
++# define __compiletime_error_fallback(condition) \ |
1173 |
++ do { ((void)sizeof(char[1 - 2*!!(condition)])); } while (0) |
1174 |
++#else |
1175 |
++# define __compiletime_error_fallback(condition) do { } while (0) |
1176 |
++#endif |
1177 |
++ |
1178 |
+#ifndef __size_overflow |
1179 |
+# define __size_overflow(...) |
1180 |
+#endif |
1181 |
+ |
1182 |
+#ifndef __intentional_overflow |
1183 |
+# define __intentional_overflow(...) |
1184 |
-+#endif |
1185 |
-+ |
1186 |
+ #endif |
1187 |
+ |
1188 |
/* |
1189 |
- * Prevent the compiler from merging or refetching accesses. The compiler |
1190 |
- * is also forbidden from reordering successive instances of ACCESS_ONCE(), |
1191 |
-@@ -306,6 +368,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect); |
1192 |
+@@ -306,6 +372,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect); |
1193 |
* use is to mediate communication between process-level code and irq/NMI |
1194 |
* handlers, all running on the same CPU. |
1195 |
*/ |
1196 |
@@ -69802,6 +69947,53 @@ index 3875719..4cd454c 100644 |
1197 |
|
1198 |
/* This macro allows us to keep printk typechecking */ |
1199 |
static __printf(1, 2) |
1200 |
+diff --git a/include/linux/kernel.h b/include/linux/kernel.h |
1201 |
+index a70783d..77f7750 100644 |
1202 |
+--- a/include/linux/kernel.h |
1203 |
++++ b/include/linux/kernel.h |
1204 |
+@@ -696,24 +696,30 @@ static inline void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) { } |
1205 |
+ * @condition: the condition which the compiler should know is false. |
1206 |
+ * |
1207 |
+ * If you have some code which relies on certain constants being equal, or |
1208 |
+- * other compile-time-evaluated condition, you should use BUILD_BUG_ON to |
1209 |
++ * some other compile-time-evaluated condition, you should use BUILD_BUG_ON to |
1210 |
+ * detect if someone changes it. |
1211 |
+ * |
1212 |
+- * The implementation uses gcc's reluctance to create a negative array, but |
1213 |
+- * gcc (as of 4.4) only emits that error for obvious cases (eg. not arguments |
1214 |
+- * to inline functions). So as a fallback we use the optimizer; if it can't |
1215 |
+- * prove the condition is false, it will cause a link error on the undefined |
1216 |
+- * "__build_bug_on_failed". This error message can be harder to track down |
1217 |
+- * though, hence the two different methods. |
1218 |
++ * The implementation uses gcc's reluctance to create a negative array, but gcc |
1219 |
++ * (as of 4.4) only emits that error for obvious cases (e.g. not arguments to |
1220 |
++ * inline functions). Luckily, in 4.3 they added the "error" function |
1221 |
++ * attribute just for this type of case. Thus, we use a negative sized array |
1222 |
++ * (should always create an error on gcc versions older than 4.4) and then call |
1223 |
++ * an undefined function with the error attribute (should always create an |
1224 |
++ * error on gcc 4.3 and later). If for some reason, neither creates a |
1225 |
++ * compile-time error, we'll still have a link-time error, which is harder to |
1226 |
++ * track down. |
1227 |
+ */ |
1228 |
+ #ifndef __OPTIMIZE__ |
1229 |
+ #define BUILD_BUG_ON(condition) ((void)sizeof(char[1 - 2*!!(condition)])) |
1230 |
+ #else |
1231 |
+-extern int __build_bug_on_failed; |
1232 |
+-#define BUILD_BUG_ON(condition) \ |
1233 |
+- do { \ |
1234 |
+- ((void)sizeof(char[1 - 2*!!(condition)])); \ |
1235 |
+- if (condition) __build_bug_on_failed = 1; \ |
1236 |
++#define BUILD_BUG_ON(condition) \ |
1237 |
++ do { \ |
1238 |
++ bool __cond = !!(condition); \ |
1239 |
++ extern void __build_bug_on_failed(void) \ |
1240 |
++ __compiletime_error("BUILD_BUG_ON failed"); \ |
1241 |
++ if (__cond) \ |
1242 |
++ __build_bug_on_failed(); \ |
1243 |
++ __compiletime_error_fallback(__cond); \ |
1244 |
+ } while(0) |
1245 |
+ #endif |
1246 |
+ #endif /* __CHECKER__ */ |
1247 |
diff --git a/include/linux/key-type.h b/include/linux/key-type.h |
1248 |
index 9efd081..19f989c 100644 |
1249 |
--- a/include/linux/key-type.h |
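Review bot: In the new optimized-build `BUILD_BUG_ON`, `__compiletime_error_fallback(__cond)` receives the local `bool __cond` rather than `condition`, while the fallback this patch adds to compiler.h expands to `sizeof(char[1 - 2*!!(condition)])`. With a non-constant operand that array type is variable-length, so the compiler need not reject a negative size and the fallback may never fire on compilers that lack the `error` attribute, leaving only the link-time failure. If that is acceptable, the comment block should say so instead of stating that the negative-sized array "should always create an error on gcc versions older than 4.4". Passing the original expression, `__compiletime_error_fallback(condition);`, would keep the size a constant expression where `condition` is one, at the cost of naming `condition` twice in the macro.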
1250 |
@@ -80550,7 +80742,7 @@ index 2a07f97..2cdc054 100644 |
1251 |
set_page_address(page, (void *)vaddr); |
1252 |
|
1253 |
diff --git a/mm/huge_memory.c b/mm/huge_memory.c |
1254 |
-index 470cbb4..8d01b5a 100644 |
1255 |
+index 470cbb4..9fd73bc 100644 |
1256 |
--- a/mm/huge_memory.c |
1257 |
+++ b/mm/huge_memory.c |
1258 |
@@ -704,7 +704,7 @@ out: |
1259 |
@@ -80562,6 +80754,20 @@ index 470cbb4..8d01b5a 100644 |
1260 |
return VM_FAULT_OOM; |
1261 |
/* if an huge pmd materialized from under us just retry later */ |
1262 |
if (unlikely(pmd_trans_huge(*pmd))) |
1263 |
+@@ -1937,7 +1937,12 @@ static void collapse_huge_page(struct mm_struct *mm, |
1264 |
+ pte_unmap(pte); |
1265 |
+ spin_lock(&mm->page_table_lock); |
1266 |
+ BUG_ON(!pmd_none(*pmd)); |
1267 |
+- set_pmd_at(mm, address, pmd, _pmd); |
1268 |
++ /* |
1269 |
++ * We can only use set_pmd_at when establishing |
1270 |
++ * hugepmds and never for establishing regular pmds that |
1271 |
++ * points to regular pagetables. Use pmd_populate for that |
1272 |
++ */ |
1273 |
++ pmd_populate(mm, pmd, pmd_pgtable(_pmd)); |
1274 |
+ spin_unlock(&mm->page_table_lock); |
1275 |
+ anon_vma_unlock(vma->anon_vma); |
1276 |
+ goto out; |
1277 |
diff --git a/mm/hugetlb.c b/mm/hugetlb.c |
1278 |
index 70b4733..ab692a7 100644 |
1279 |
--- a/mm/hugetlb.c |
1280 |
|
1281 |
diff --git a/3.9.4/0000_README b/3.9.4/0000_README |
1282 |
index 5540390..66c5468 100644 |
1283 |
--- a/3.9.4/0000_README |
1284 |
+++ b/3.9.4/0000_README |
1285 |
@@ -2,7 +2,7 @@ README |
1286 |
----------------------------------------------------------------------------- |
1287 |
Individual Patch Descriptions: |
1288 |
----------------------------------------------------------------------------- |
1289 |
-Patch: 4420_grsecurity-2.9.1-3.9.4-201305251009.patch |
1290 |
+Patch: 4420_grsecurity-2.9.1-3.9.4-201305292151.patch |
1291 |
From: http://www.grsecurity.net |
1292 |
Desc: hardened-sources base patch from upstream grsecurity |
1293 |
|
1294 |
|
1295 |
diff --git a/3.9.4/4420_grsecurity-2.9.1-3.9.4-201305251009.patch b/3.9.4/4420_grsecurity-2.9.1-3.9.4-201305292151.patch |
1296 |
similarity index 99% |
1297 |
rename from 3.9.4/4420_grsecurity-2.9.1-3.9.4-201305251009.patch |
1298 |
rename to 3.9.4/4420_grsecurity-2.9.1-3.9.4-201305292151.patch |
1299 |
index 6715b49..8cdedca 100644 |
1300 |
--- a/3.9.4/4420_grsecurity-2.9.1-3.9.4-201305251009.patch |
1301 |
+++ b/3.9.4/4420_grsecurity-2.9.1-3.9.4-201305292151.patch |
1302 |
@@ -17725,6 +17725,19 @@ index 74467fe..18793d5 100644 |
1303 |
crash_fixup_ss_esp(&fixed_regs, regs); |
1304 |
regs = &fixed_regs; |
1305 |
} |
1306 |
+diff --git a/arch/x86/kernel/crash_dump_64.c b/arch/x86/kernel/crash_dump_64.c |
1307 |
+index afa64ad..dce67dd 100644 |
1308 |
+--- a/arch/x86/kernel/crash_dump_64.c |
1309 |
++++ b/arch/x86/kernel/crash_dump_64.c |
1310 |
+@@ -36,7 +36,7 @@ ssize_t copy_oldmem_page(unsigned long pfn, char *buf, |
1311 |
+ return -ENOMEM; |
1312 |
+ |
1313 |
+ if (userbuf) { |
1314 |
+- if (copy_to_user(buf, vaddr + offset, csize)) { |
1315 |
++ if (copy_to_user((char __force_user *)buf, vaddr + offset, csize)) { |
1316 |
+ iounmap(vaddr); |
1317 |
+ return -EFAULT; |
1318 |
+ } |
1319 |
diff --git a/arch/x86/kernel/doublefault_32.c b/arch/x86/kernel/doublefault_32.c |
1320 |
index 37250fe..bf2ec74 100644 |
1321 |
--- a/arch/x86/kernel/doublefault_32.c |
1322 |
@@ -29551,7 +29564,7 @@ index 877b9a1..a8ecf42 100644 |
1323 |
+ pax_force_retaddr |
1324 |
ret |
1325 |
diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c |
1326 |
-index 3cbe4538..fd756dc 100644 |
1327 |
+index 3cbe4538..003d011 100644 |
1328 |
--- a/arch/x86/net/bpf_jit_comp.c |
1329 |
+++ b/arch/x86/net/bpf_jit_comp.c |
1330 |
@@ -12,6 +12,7 @@ |
1331 |
@@ -29562,7 +29575,7 @@ index 3cbe4538..fd756dc 100644 |
1332 |
|
1333 |
/* |
1334 |
* Conventions : |
1335 |
-@@ -49,13 +50,87 @@ static inline u8 *emit_code(u8 *ptr, u32 bytes, unsigned int len) |
1336 |
+@@ -49,13 +50,90 @@ static inline u8 *emit_code(u8 *ptr, u32 bytes, unsigned int len) |
1337 |
return ptr + len; |
1338 |
} |
1339 |
|
1340 |
@@ -29599,6 +29612,7 @@ index 3cbe4538..fd756dc 100644 |
1341 |
+ case 0x25: /* and eax, imm32 */ \ |
1342 |
+ case 0x0d: /* or eax, imm32 */ \ |
1343 |
+ case 0xb8: /* mov eax, imm32 */ \ |
1344 |
++ case 0x35: /* xor eax, imm32 */ \ |
1345 |
+ case 0x3d: /* cmp eax, imm32 */ \ |
1346 |
+ case 0xa9: /* test eax, imm32 */ \ |
1347 |
+ DILUTE_CONST_SEQUENCE(_off, randkey); \ |
1348 |
@@ -29614,6 +29628,10 @@ index 3cbe4538..fd756dc 100644 |
1349 |
+ /* mov esi, ecx */ \ |
1350 |
+ EMIT2(0x89, 0xce); \ |
1351 |
+ break; \ |
1352 |
++ case 0xe8: /* call rel imm32, always to known funcs */ \ |
1353 |
++ EMIT1(b1); \ |
1354 |
++ EMIT(_off, 4); \ |
1355 |
++ break; \ |
1356 |
+ case 0xe9: /* jmp rel imm32 */ \ |
1357 |
+ EMIT1(b1); \ |
1358 |
+ EMIT(_off, 4); \ |
1359 |
@@ -29622,8 +29640,7 @@ index 3cbe4538..fd756dc 100644 |
1360 |
+ EMIT(0xcccccccc, 4); \ |
1361 |
+ break; \ |
1362 |
+ default: \ |
1363 |
-+ EMIT1(b1); \ |
1364 |
-+ EMIT(_off, 4); \ |
1365 |
++ BUILD_BUG(); \ |
1366 |
+ } \ |
1367 |
+} while (0) |
1368 |
+ |
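Review bot: The new `default: BUILD_BUG();` arm sits inside a `switch (b1)`-style dispatch in a multi-line emit macro, and nothing in the macro states what it depends on. It acts as a build-time check only if the opcode byte is a compile-time constant at every expansion and the optimizer can discard the arm. I would add a comment on that arm, e.g. `/* b1 must be a constant opcode listed above; anything else fails the build */`. The same applies to the `else { BUILD_BUG(); }` arm in the two-byte variant changed in the next hunk. The macro definitions begin outside this hunk, so the exact dispatch expression should be confirmed there.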
1369 |
@@ -29639,8 +29656,7 @@ index 3cbe4538..fd756dc 100644 |
1370 |
+ /* imul eax, ecx */ \ |
1371 |
+ EMIT3(0x0f, 0xaf, 0xc1); \ |
1372 |
+ } else { \ |
1373 |
-+ EMIT2(b1, b2); \ |
1374 |
-+ EMIT(_off, 4); \ |
1375 |
++ BUILD_BUG(); \ |
1376 |
+ } \ |
1377 |
+} while (0) |
1378 |
+#else |
1379 |
@@ -29650,7 +29666,7 @@ index 3cbe4538..fd756dc 100644 |
1380 |
|
1381 |
#define CLEAR_A() EMIT2(0x31, 0xc0) /* xor %eax,%eax */ |
1382 |
#define CLEAR_X() EMIT2(0x31, 0xdb) /* xor %ebx,%ebx */ |
1383 |
-@@ -90,6 +165,24 @@ do { \ |
1384 |
+@@ -90,6 +168,24 @@ do { \ |
1385 |
#define X86_JBE 0x76 |
1386 |
#define X86_JA 0x77 |
1387 |
|
1388 |
@@ -29675,7 +29691,7 @@ index 3cbe4538..fd756dc 100644 |
1389 |
#define EMIT_COND_JMP(op, offset) \ |
1390 |
do { \ |
1391 |
if (is_near(offset)) \ |
1392 |
-@@ -97,6 +190,7 @@ do { \ |
1393 |
+@@ -97,6 +193,7 @@ do { \ |
1394 |
else { \ |
1395 |
EMIT2(0x0f, op + 0x10); \ |
1396 |
EMIT(offset, 4); /* jxx .+off32 */ \ |
1397 |
@@ -29683,7 +29699,7 @@ index 3cbe4538..fd756dc 100644 |
1398 |
} \ |
1399 |
} while (0) |
1400 |
|
1401 |
-@@ -121,6 +215,11 @@ static inline void bpf_flush_icache(void *start, void *end) |
1402 |
+@@ -121,6 +218,11 @@ static inline void bpf_flush_icache(void *start, void *end) |
1403 |
set_fs(old_fs); |
1404 |
} |
1405 |
|
1406 |
@@ -29695,7 +29711,7 @@ index 3cbe4538..fd756dc 100644 |
1407 |
#define CHOOSE_LOAD_FUNC(K, func) \ |
1408 |
((int)K < 0 ? ((int)K >= SKF_LL_OFF ? func##_negative_offset : func) : func##_positive_offset) |
1409 |
|
1410 |
-@@ -146,7 +245,7 @@ static int pkt_type_offset(void) |
1411 |
+@@ -146,7 +248,7 @@ static int pkt_type_offset(void) |
1412 |
|
1413 |
void bpf_jit_compile(struct sk_filter *fp) |
1414 |
{ |
1415 |
@@ -29704,7 +29720,7 @@ index 3cbe4538..fd756dc 100644 |
1416 |
u8 *prog; |
1417 |
unsigned int proglen, oldproglen = 0; |
1418 |
int ilen, i; |
1419 |
-@@ -159,6 +258,9 @@ void bpf_jit_compile(struct sk_filter *fp) |
1420 |
+@@ -159,6 +261,9 @@ void bpf_jit_compile(struct sk_filter *fp) |
1421 |
unsigned int *addrs; |
1422 |
const struct sock_filter *filter = fp->insns; |
1423 |
int flen = fp->len; |
1424 |
@@ -29714,7 +29730,7 @@ index 3cbe4538..fd756dc 100644 |
1425 |
|
1426 |
if (!bpf_jit_enable) |
1427 |
return; |
1428 |
-@@ -167,11 +269,19 @@ void bpf_jit_compile(struct sk_filter *fp) |
1429 |
+@@ -167,11 +272,19 @@ void bpf_jit_compile(struct sk_filter *fp) |
1430 |
if (addrs == NULL) |
1431 |
return; |
1432 |
|
1433 |
@@ -29736,7 +29752,7 @@ index 3cbe4538..fd756dc 100644 |
1434 |
addrs[i] = proglen; |
1435 |
} |
1436 |
cleanup_addr = proglen; /* epilogue address */ |
1437 |
-@@ -282,10 +392,8 @@ void bpf_jit_compile(struct sk_filter *fp) |
1438 |
+@@ -282,10 +395,8 @@ void bpf_jit_compile(struct sk_filter *fp) |
1439 |
case BPF_S_ALU_MUL_K: /* A *= K */ |
1440 |
if (is_imm8(K)) |
1441 |
EMIT3(0x6b, 0xc0, K); /* imul imm8,%eax,%eax */ |
1442 |
@@ -29749,7 +29765,7 @@ index 3cbe4538..fd756dc 100644 |
1443 |
break; |
1444 |
case BPF_S_ALU_DIV_X: /* A /= X; */ |
1445 |
seen |= SEEN_XREG; |
1446 |
-@@ -325,13 +433,23 @@ void bpf_jit_compile(struct sk_filter *fp) |
1447 |
+@@ -325,13 +436,23 @@ void bpf_jit_compile(struct sk_filter *fp) |
1448 |
break; |
1449 |
case BPF_S_ALU_MOD_K: /* A %= K; */ |
1450 |
EMIT2(0x31, 0xd2); /* xor %edx,%edx */ |
1451 |
@@ -29773,7 +29789,7 @@ index 3cbe4538..fd756dc 100644 |
1452 |
EMIT4(0x48, 0xc1, 0xe8, 0x20); /* shr $0x20,%rax */ |
1453 |
break; |
1454 |
case BPF_S_ALU_AND_X: |
1455 |
-@@ -602,8 +720,7 @@ common_load_ind: seen |= SEEN_DATAREF | SEEN_XREG; |
1456 |
+@@ -602,8 +723,7 @@ common_load_ind: seen |= SEEN_DATAREF | SEEN_XREG; |
1457 |
if (is_imm8(K)) { |
1458 |
EMIT3(0x8d, 0x73, K); /* lea imm8(%rbx), %esi */ |
1459 |
} else { |
1460 |
@@ -29783,7 +29799,7 @@ index 3cbe4538..fd756dc 100644 |
1461 |
} |
1462 |
} else { |
1463 |
EMIT2(0x89,0xde); /* mov %ebx,%esi */ |
1464 |
-@@ -686,17 +803,18 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; |
1465 |
+@@ -686,17 +806,18 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; |
1466 |
break; |
1467 |
default: |
1468 |
/* hmm, too complex filter, give up with jit compiler */ |
1469 |
@@ -29806,7 +29822,7 @@ index 3cbe4538..fd756dc 100644 |
1470 |
} |
1471 |
proglen += ilen; |
1472 |
addrs[i] = proglen; |
1473 |
-@@ -717,11 +835,9 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; |
1474 |
+@@ -717,11 +838,9 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; |
1475 |
break; |
1476 |
} |
1477 |
if (proglen == oldproglen) { |
1478 |
@@ -29820,7 +29836,7 @@ index 3cbe4538..fd756dc 100644 |
1479 |
} |
1480 |
oldproglen = proglen; |
1481 |
} |
1482 |
-@@ -737,7 +853,10 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; |
1483 |
+@@ -737,7 +856,10 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; |
1484 |
bpf_flush_icache(image, image + proglen); |
1485 |
|
1486 |
fp->bpf_func = (void *)image; |
1487 |
@@ -29832,7 +29848,7 @@ index 3cbe4538..fd756dc 100644 |
1488 |
out: |
1489 |
kfree(addrs); |
1490 |
return; |
1491 |
-@@ -745,18 +864,20 @@ out: |
1492 |
+@@ -745,18 +867,20 @@ out: |
1493 |
|
1494 |
static void jit_free_defer(struct work_struct *arg) |
1495 |
{ |
1496 |
@@ -32940,7 +32956,7 @@ index 519865b..e540db3 100644 |
1497 |
subsys_dev_iter_init(&iter, subsys, NULL, NULL); |
1498 |
while ((dev = subsys_dev_iter_next(&iter))) |
1499 |
diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c |
1500 |
-index 01fc5b0..d0ed716 100644 |
1501 |
+index 01fc5b0..917801f 100644 |
1502 |
--- a/drivers/base/devtmpfs.c |
1503 |
+++ b/drivers/base/devtmpfs.c |
1504 |
@@ -348,7 +348,7 @@ int devtmpfs_mount(const char *mntdir) |
1505 |
@@ -32952,6 +32968,21 @@ index 01fc5b0..d0ed716 100644 |
1506 |
if (err) |
1507 |
printk(KERN_INFO "devtmpfs: error mounting %i\n", err); |
1508 |
else |
1509 |
+@@ -373,11 +373,11 @@ static int devtmpfsd(void *p) |
1510 |
+ *err = sys_unshare(CLONE_NEWNS); |
1511 |
+ if (*err) |
1512 |
+ goto out; |
1513 |
+- *err = sys_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, options); |
1514 |
++ *err = sys_mount((char __force_user *)"devtmpfs", (char __force_user *)"/", (char __force_user *)"devtmpfs", MS_SILENT, (char __force_user *)options); |
1515 |
+ if (*err) |
1516 |
+ goto out; |
1517 |
+- sys_chdir("/.."); /* will traverse into overmounted root */ |
1518 |
+- sys_chroot("."); |
1519 |
++ sys_chdir((char __force_user *)"/.."); /* will traverse into overmounted root */ |
1520 |
++ sys_chroot((char __force_user *)"."); |
1521 |
+ complete(&setup_done); |
1522 |
+ while (1) { |
1523 |
+ spin_lock(&req_lock); |
1524 |
diff --git a/drivers/base/node.c b/drivers/base/node.c |
1525 |
index fac124a..66bd4ab 100644 |
1526 |
--- a/drivers/base/node.c |
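Review bot: The casts added around the string literals in devtmpfsd() drop const, as in `(char __force_user *)"devtmpfs"`, although the include/linux/syscalls.h hunk of this same patch changes sys_mount() to take `const char __user *` for dev_name, dir_name and type. Writing them as `(const char __force_user *)"devtmpfs"` (and likewise for `"/"`, `"/.."` and `"."`) keeps the literals const-qualified and matches the `sys_chdir((const char __force_user *)"/root")` form used in the init/do_mounts_initrd.c hunk, whose `sys_mount()` call carries the same non-const casts. The body of devtmpfsd() continues outside the hunk.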
1527 |
@@ -33578,8 +33609,21 @@ index 3bb6fa3..34013fb 100644 |
1528 |
default y |
1529 |
|
1530 |
source "drivers/s390/char/Kconfig" |
1531 |
+diff --git a/drivers/char/agp/compat_ioctl.c b/drivers/char/agp/compat_ioctl.c |
1532 |
+index a48e05b..6bac831 100644 |
1533 |
+--- a/drivers/char/agp/compat_ioctl.c |
1534 |
++++ b/drivers/char/agp/compat_ioctl.c |
1535 |
+@@ -108,7 +108,7 @@ static int compat_agpioc_reserve_wrap(struct agp_file_private *priv, void __user |
1536 |
+ return -ENOMEM; |
1537 |
+ } |
1538 |
+ |
1539 |
+- if (copy_from_user(usegment, (void __user *) ureserve.seg_list, |
1540 |
++ if (copy_from_user(usegment, (void __force_user *) ureserve.seg_list, |
1541 |
+ sizeof(*usegment) * ureserve.seg_count)) { |
1542 |
+ kfree(usegment); |
1543 |
+ kfree(ksegment); |
1544 |
diff --git a/drivers/char/agp/frontend.c b/drivers/char/agp/frontend.c |
1545 |
-index 2e04433..22afc64 100644 |
1546 |
+index 2e04433..771f2cc 100644 |
1547 |
--- a/drivers/char/agp/frontend.c |
1548 |
+++ b/drivers/char/agp/frontend.c |
1549 |
@@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg) |
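Review bot: The length passed to copy_from_user() in compat_agpioc_reserve_wrap(), `sizeof(*usegment) * ureserve.seg_count`, is a product with a count that appears to come from the user-supplied reserve structure, and no bound on `seg_count` is visible in this hunk. The function starts outside the hunk, so a limit may already be enforced before the allocation; if it is, a one-line comment at the copy such as `/* seg_count was range-checked above, the product cannot wrap */` would make that reviewable. The same applies to `sizeof(struct agp_segment) * reserve.seg_count` in agpioc_reserve_wrap() in the drivers/char/agp/frontend.c hunk that follows.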
1550 |
@@ -33591,6 +33635,15 @@ index 2e04433..22afc64 100644 |
1551 |
return -EFAULT; |
1552 |
|
1553 |
client = agp_find_client_by_pid(reserve.pid); |
1554 |
+@@ -847,7 +847,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg) |
1555 |
+ if (segment == NULL) |
1556 |
+ return -ENOMEM; |
1557 |
+ |
1558 |
+- if (copy_from_user(segment, (void __user *) reserve.seg_list, |
1559 |
++ if (copy_from_user(segment, (void __force_user *) reserve.seg_list, |
1560 |
+ sizeof(struct agp_segment) * reserve.seg_count)) { |
1561 |
+ kfree(segment); |
1562 |
+ return -EFAULT; |
1563 |
diff --git a/drivers/char/genrtc.c b/drivers/char/genrtc.c |
1564 |
index 21cb980..f15107c 100644 |
1565 |
--- a/drivers/char/genrtc.c |
1566 |
@@ -33685,7 +33738,7 @@ index 0ac9b45..6179fb5 100644 |
1567 |
new_smi->interrupt_disabled = 1; |
1568 |
atomic_set(&new_smi->stop_operation, 0); |
1569 |
diff --git a/drivers/char/mem.c b/drivers/char/mem.c |
1570 |
-index 2c644af..b867b3e 100644 |
1571 |
+index 2c644af..d4d7f17 100644 |
1572 |
--- a/drivers/char/mem.c |
1573 |
+++ b/drivers/char/mem.c |
1574 |
@@ -18,6 +18,7 @@ |
1575 |
@@ -33766,6 +33819,15 @@ index 2c644af..b867b3e 100644 |
1576 |
unxlate_dev_mem_ptr(p, ptr); |
1577 |
if (remaining) |
1578 |
return -EFAULT; |
1579 |
+@@ -378,7 +409,7 @@ static ssize_t read_oldmem(struct file *file, char __user *buf, |
1580 |
+ else |
1581 |
+ csize = count; |
1582 |
+ |
1583 |
+- rc = copy_oldmem_page(pfn, buf, csize, offset, 1); |
1584 |
++ rc = copy_oldmem_page(pfn, (char __force_kernel *)buf, csize, offset, 1); |
1585 |
+ if (rc < 0) |
1586 |
+ return rc; |
1587 |
+ buf += csize; |
1588 |
@@ -398,9 +429,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf, |
1589 |
size_t count, loff_t *ppos) |
1590 |
{ |
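Review bot: The `(char __force_kernel *)buf` cast in read_oldmem() relabels a `char __user *` as a kernel pointer only to fit the prototype of copy_oldmem_page(); the pointer is still a userspace address, and what keeps the copy safe is the trailing `1` argument, which appears to be the userbuf flag. A comment at the call, e.g. `/* buf is still a user pointer; userbuf=1 makes copy_oldmem_page() treat it as one */`, would stop a later reader from taking the cast at face value. The same pattern is in read_vmcore() in the fs/proc/vmcore.c hunk, where `buffer` is cast before being passed to read_from_oldmem() with the last argument set to 1. read_oldmem() starts and ends outside the hunk.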
1591 |
@@ -33909,7 +33971,7 @@ index 5c5cc00..ac9edb7 100644 |
1592 |
|
1593 |
if (cmd != SIOCWANDEV) |
1594 |
diff --git a/drivers/char/random.c b/drivers/char/random.c |
1595 |
-index 32a6c57..e7f0f7b 100644 |
1596 |
+index 32a6c57..98038d5 100644 |
1597 |
--- a/drivers/char/random.c |
1598 |
+++ b/drivers/char/random.c |
1599 |
@@ -272,8 +272,13 @@ |
1600 |
@@ -33955,7 +34017,85 @@ index 32a6c57..e7f0f7b 100644 |
1601 |
smp_wmb(); |
1602 |
|
1603 |
if (out) |
1604 |
-@@ -1024,7 +1036,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, |
1605 |
+@@ -865,16 +877,24 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min, |
1606 |
+ if (r->entropy_count / 8 < min + reserved) { |
1607 |
+ nbytes = 0; |
1608 |
+ } else { |
1609 |
++ int entropy_count, orig; |
1610 |
++retry: |
1611 |
++ entropy_count = orig = ACCESS_ONCE(r->entropy_count); |
1612 |
+ /* If limited, never pull more than available */ |
1613 |
+- if (r->limit && nbytes + reserved >= r->entropy_count / 8) |
1614 |
+- nbytes = r->entropy_count/8 - reserved; |
1615 |
++ if (r->limit && nbytes + reserved >= entropy_count / 8) |
1616 |
++ nbytes = entropy_count/8 - reserved; |
1617 |
+ |
1618 |
+- if (r->entropy_count / 8 >= nbytes + reserved) |
1619 |
+- r->entropy_count -= nbytes*8; |
1620 |
+- else |
1621 |
+- r->entropy_count = reserved; |
1622 |
++ if (entropy_count / 8 >= nbytes + reserved) { |
1623 |
++ entropy_count -= nbytes*8; |
1624 |
++ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) |
1625 |
++ goto retry; |
1626 |
++ } else { |
1627 |
++ entropy_count = reserved; |
1628 |
++ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig) |
1629 |
++ goto retry; |
1630 |
++ } |
1631 |
+ |
1632 |
+- if (r->entropy_count < random_write_wakeup_thresh) |
1633 |
++ if (entropy_count < random_write_wakeup_thresh) |
1634 |
+ wakeup_write = 1; |
1635 |
+ } |
1636 |
+ |
1637 |
+@@ -957,10 +977,23 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, |
1638 |
+ { |
1639 |
+ ssize_t ret = 0, i; |
1640 |
+ __u8 tmp[EXTRACT_SIZE]; |
1641 |
++ unsigned long flags; |
1642 |
+ |
1643 |
+ /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */ |
1644 |
+- if (fips_enabled && !r->last_data_init) |
1645 |
+- nbytes += EXTRACT_SIZE; |
1646 |
++ if (fips_enabled) { |
1647 |
++ spin_lock_irqsave(&r->lock, flags); |
1648 |
++ if (!r->last_data_init) { |
1649 |
++ r->last_data_init = true; |
1650 |
++ spin_unlock_irqrestore(&r->lock, flags); |
1651 |
++ trace_extract_entropy(r->name, EXTRACT_SIZE, |
1652 |
++ r->entropy_count, _RET_IP_); |
1653 |
++ xfer_secondary_pool(r, EXTRACT_SIZE); |
1654 |
++ extract_buf(r, tmp); |
1655 |
++ spin_lock_irqsave(&r->lock, flags); |
1656 |
++ memcpy(r->last_data, tmp, EXTRACT_SIZE); |
1657 |
++ } |
1658 |
++ spin_unlock_irqrestore(&r->lock, flags); |
1659 |
++ } |
1660 |
+ |
1661 |
+ trace_extract_entropy(r->name, nbytes, r->entropy_count, _RET_IP_); |
1662 |
+ xfer_secondary_pool(r, nbytes); |
1663 |
+@@ -970,19 +1003,6 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf, |
1664 |
+ extract_buf(r, tmp); |
1665 |
+ |
1666 |
+ if (fips_enabled) { |
1667 |
+- unsigned long flags; |
1668 |
+- |
1669 |
+- |
1670 |
+- /* prime last_data value if need be, per fips 140-2 */ |
1671 |
+- if (!r->last_data_init) { |
1672 |
+- spin_lock_irqsave(&r->lock, flags); |
1673 |
+- memcpy(r->last_data, tmp, EXTRACT_SIZE); |
1674 |
+- r->last_data_init = true; |
1675 |
+- nbytes -= EXTRACT_SIZE; |
1676 |
+- spin_unlock_irqrestore(&r->lock, flags); |
1677 |
+- extract_buf(r, tmp); |
1678 |
+- } |
1679 |
+- |
1680 |
+ spin_lock_irqsave(&r->lock, flags); |
1681 |
+ if (!memcmp(tmp, r->last_data, EXTRACT_SIZE)) |
1682 |
+ panic("Hardware RNG duplicated output!\n"); |
1683 |
+@@ -1024,7 +1044,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, |
1684 |
|
1685 |
extract_buf(r, tmp); |
1686 |
i = min_t(int, nbytes, EXTRACT_SIZE); |
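Review bot: In account(), the entry test `if (r->entropy_count / 8 < min + reserved)` still reads `r->entropy_count` directly, before the `retry:` label, so it is not covered by the ACCESS_ONCE() snapshot that the rest of the branch now uses. If the count falls between that test and the snapshot, or on a retry after a failed cmpxchg(), `nbytes = entropy_count/8 - reserved` is computed from a smaller value than the one that was tested, and since `nbytes` is a `size_t` a negative difference would wrap. Taking the snapshot first and testing it, `entropy_count = orig = ACCESS_ONCE(r->entropy_count);` followed by `if (entropy_count / 8 < min + reserved)`, keeps the check and the update on the same value. The function starts and ends outside the hunk.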
1687 |
@@ -33964,7 +34104,7 @@ index 32a6c57..e7f0f7b 100644 |
1688 |
ret = -EFAULT; |
1689 |
break; |
1690 |
} |
1691 |
-@@ -1360,7 +1372,7 @@ EXPORT_SYMBOL(generate_random_uuid); |
1692 |
+@@ -1360,7 +1380,7 @@ EXPORT_SYMBOL(generate_random_uuid); |
1693 |
#include <linux/sysctl.h> |
1694 |
|
1695 |
static int min_read_thresh = 8, min_write_thresh; |
1696 |
@@ -33973,7 +34113,7 @@ index 32a6c57..e7f0f7b 100644 |
1697 |
static int max_write_thresh = INPUT_POOL_WORDS * 32; |
1698 |
static char sysctl_bootid[16]; |
1699 |
|
1700 |
-@@ -1376,7 +1388,7 @@ static char sysctl_bootid[16]; |
1701 |
+@@ -1376,7 +1396,7 @@ static char sysctl_bootid[16]; |
1702 |
static int proc_do_uuid(ctl_table *table, int write, |
1703 |
void __user *buffer, size_t *lenp, loff_t *ppos) |
1704 |
{ |
1705 |
@@ -35984,6 +36124,28 @@ index 3eb1486..0a47ee9 100644 |
1706 |
} while (*seqno == 0); |
1707 |
|
1708 |
if (!(fifo_state->capabilities & SVGA_FIFO_CAP_FENCE)) { |
1709 |
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c |
1710 |
+index c509d40..3b640c3 100644 |
1711 |
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c |
1712 |
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c |
1713 |
+@@ -138,7 +138,7 @@ int vmw_present_ioctl(struct drm_device *dev, void *data, |
1714 |
+ int ret; |
1715 |
+ |
1716 |
+ num_clips = arg->num_clips; |
1717 |
+- clips_ptr = (struct drm_vmw_rect *)(unsigned long)arg->clips_ptr; |
1718 |
++ clips_ptr = (struct drm_vmw_rect __user *)(unsigned long)arg->clips_ptr; |
1719 |
+ |
1720 |
+ if (unlikely(num_clips == 0)) |
1721 |
+ return 0; |
1722 |
+@@ -222,7 +222,7 @@ int vmw_present_readback_ioctl(struct drm_device *dev, void *data, |
1723 |
+ int ret; |
1724 |
+ |
1725 |
+ num_clips = arg->num_clips; |
1726 |
+- clips_ptr = (struct drm_vmw_rect *)(unsigned long)arg->clips_ptr; |
1727 |
++ clips_ptr = (struct drm_vmw_rect __user *)(unsigned long)arg->clips_ptr; |
1728 |
+ |
1729 |
+ if (unlikely(num_clips == 0)) |
1730 |
+ return 0; |
1731 |
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c b/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c |
1732 |
index 4640adb..e1384ed 100644 |
1733 |
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c |
1734 |
@@ -36341,6 +36503,19 @@ index 29015eb..af2d8e9 100644 |
1735 |
|
1736 |
/* Wrapper access functions for multiplexed SMBus */ |
1737 |
static DEFINE_MUTEX(nforce2_lock); |
1738 |
+diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c |
1739 |
+index c3ccdea..5b3dc1a 100644 |
1740 |
+--- a/drivers/i2c/i2c-dev.c |
1741 |
++++ b/drivers/i2c/i2c-dev.c |
1742 |
+@@ -271,7 +271,7 @@ static noinline int i2cdev_ioctl_rdrw(struct i2c_client *client, |
1743 |
+ break; |
1744 |
+ } |
1745 |
+ |
1746 |
+- data_ptrs[i] = (u8 __user *)rdwr_pa[i].buf; |
1747 |
++ data_ptrs[i] = (u8 __force_user *)rdwr_pa[i].buf; |
1748 |
+ rdwr_pa[i].buf = memdup_user(data_ptrs[i], rdwr_pa[i].len); |
1749 |
+ if (IS_ERR(rdwr_pa[i].buf)) { |
1750 |
+ res = PTR_ERR(rdwr_pa[i].buf); |
1751 |
diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c |
1752 |
index 8126824..55a2798 100644 |
1753 |
--- a/drivers/ide/ide-cd.c |
1754 |
@@ -38425,11 +38600,72 @@ index 9578a67..31aa652 100644 |
1755 |
|
1756 |
/* debug */ |
1757 |
static int dvb_usb_dw2102_debug; |
1758 |
+diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c |
1759 |
+index 7157af3..139e91a 100644 |
1760 |
+--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c |
1761 |
++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c |
1762 |
+@@ -326,7 +326,7 @@ struct v4l2_buffer32 { |
1763 |
+ __u32 reserved; |
1764 |
+ }; |
1765 |
+ |
1766 |
+-static int get_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32, |
1767 |
++static int get_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32, |
1768 |
+ enum v4l2_memory memory) |
1769 |
+ { |
1770 |
+ void __user *up_pln; |
1771 |
+@@ -355,7 +355,7 @@ static int get_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32, |
1772 |
+ return 0; |
1773 |
+ } |
1774 |
+ |
1775 |
+-static int put_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32, |
1776 |
++static int put_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32, |
1777 |
+ enum v4l2_memory memory) |
1778 |
+ { |
1779 |
+ if (copy_in_user(up32, up, 2 * sizeof(__u32)) || |
1780 |
+@@ -772,7 +772,7 @@ static int put_v4l2_subdev_edid32(struct v4l2_subdev_edid *kp, struct v4l2_subde |
1781 |
+ put_user(kp->start_block, &up->start_block) || |
1782 |
+ put_user(kp->blocks, &up->blocks) || |
1783 |
+ put_user(tmp, &up->edid) || |
1784 |
+- copy_to_user(kp->reserved, up->reserved, sizeof(kp->reserved))) |
1785 |
++ copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved))) |
1786 |
+ return -EFAULT; |
1787 |
+ return 0; |
1788 |
+ } |
1789 |
diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c |
1790 |
-index aa6e7c7..4cd8061 100644 |
1791 |
+index aa6e7c7..cb5de87 100644 |
1792 |
--- a/drivers/media/v4l2-core/v4l2-ioctl.c |
1793 |
+++ b/drivers/media/v4l2-core/v4l2-ioctl.c |
1794 |
-@@ -1923,7 +1923,8 @@ struct v4l2_ioctl_info { |
1795 |
+@@ -236,7 +236,7 @@ static void v4l_print_format(const void *arg, bool write_only) |
1796 |
+ const struct v4l2_vbi_format *vbi; |
1797 |
+ const struct v4l2_sliced_vbi_format *sliced; |
1798 |
+ const struct v4l2_window *win; |
1799 |
+- const struct v4l2_clip *clip; |
1800 |
++ const struct v4l2_clip __user *pclip; |
1801 |
+ unsigned i; |
1802 |
+ |
1803 |
+ pr_cont("type=%s", prt_names(p->type, v4l2_type_names)); |
1804 |
+@@ -284,12 +284,16 @@ static void v4l_print_format(const void *arg, bool write_only) |
1805 |
+ win->w.left, win->w.top, |
1806 |
+ prt_names(win->field, v4l2_field_names), |
1807 |
+ win->chromakey, win->bitmap, win->global_alpha); |
1808 |
+- clip = win->clips; |
1809 |
++ pclip = win->clips; |
1810 |
+ for (i = 0; i < win->clipcount; i++) { |
1811 |
++ struct v4l2_clip clip; |
1812 |
++ |
1813 |
++ if (copy_from_user(&clip, pclip, sizeof clip)) |
1814 |
++ break; |
1815 |
+ printk(KERN_DEBUG "clip %u: wxh=%dx%d, x,y=%d,%d\n", |
1816 |
+- i, clip->c.width, clip->c.height, |
1817 |
+- clip->c.left, clip->c.top); |
1818 |
+- clip = clip->next; |
1819 |
++ i, clip.c.width, clip.c.height, |
1820 |
++ clip.c.left, clip.c.top); |
1821 |
++ pclip = clip.next; |
1822 |
+ } |
1823 |
+ break; |
1824 |
+ case V4L2_BUF_TYPE_VBI_CAPTURE: |
1825 |
+@@ -1923,7 +1927,8 @@ struct v4l2_ioctl_info { |
1826 |
struct file *file, void *fh, void *p); |
1827 |
} u; |
1828 |
void (*debug)(const void *arg, bool write_only); |
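Review bot: The clip walk added to v4l_print_format() is bounded only by `win->clipcount`, and each step follows `clip.next`, a pointer just copied in from userspace, so both the iteration count and the list being walked are chosen by the caller of the ioctl. Nothing in this hunk caps the count, so a large `clipcount` turns one debug print into a long run of copy_from_user() and printk(KERN_DEBUG) calls; a cap on the number of clips printed would bound that. A comment above the loop saying that `win->clips` is a user pointer here, e.g. `/* clips is a userspace list: copy each node in before printing */`, would also help. The function starts and ends outside the hunk.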
1829 |
@@ -38439,7 +38675,7 @@ index aa6e7c7..4cd8061 100644 |
1830 |
|
1831 |
/* This control needs a priority check */ |
1832 |
#define INFO_FL_PRIO (1 << 0) |
1833 |
-@@ -2108,7 +2109,7 @@ static long __video_do_ioctl(struct file *file, |
1834 |
+@@ -2108,7 +2113,7 @@ static long __video_do_ioctl(struct file *file, |
1835 |
struct video_device *vfd = video_devdata(file); |
1836 |
const struct v4l2_ioctl_ops *ops = vfd->ioctl_ops; |
1837 |
bool write_only = false; |
1838 |
@@ -38448,6 +38684,33 @@ index aa6e7c7..4cd8061 100644 |
1839 |
const struct v4l2_ioctl_info *info; |
1840 |
void *fh = file->private_data; |
1841 |
struct v4l2_fh *vfh = NULL; |
1842 |
+@@ -2193,7 +2198,7 @@ done: |
1843 |
+ } |
1844 |
+ |
1845 |
+ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size, |
1846 |
+- void * __user *user_ptr, void ***kernel_ptr) |
1847 |
++ void __user **user_ptr, void ***kernel_ptr) |
1848 |
+ { |
1849 |
+ int ret = 0; |
1850 |
+ |
1851 |
+@@ -2209,7 +2214,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size, |
1852 |
+ ret = -EINVAL; |
1853 |
+ break; |
1854 |
+ } |
1855 |
+- *user_ptr = (void __user *)buf->m.planes; |
1856 |
++ *user_ptr = (void __force_user *)buf->m.planes; |
1857 |
+ *kernel_ptr = (void *)&buf->m.planes; |
1858 |
+ *array_size = sizeof(struct v4l2_plane) * buf->length; |
1859 |
+ ret = 1; |
1860 |
+@@ -2244,7 +2249,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size, |
1861 |
+ ret = -EINVAL; |
1862 |
+ break; |
1863 |
+ } |
1864 |
+- *user_ptr = (void __user *)ctrls->controls; |
1865 |
++ *user_ptr = (void __force_user *)ctrls->controls; |
1866 |
+ *kernel_ptr = (void *)&ctrls->controls; |
1867 |
+ *array_size = sizeof(struct v4l2_ext_control) |
1868 |
+ * ctrls->count; |
1869 |
diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c |
1870 |
index fb69baa..3aeea2e 100644 |
1871 |
--- a/drivers/message/fusion/mptbase.c |
1872 |
@@ -47532,6 +47795,19 @@ index fef20db..d28b1ab 100644 |
1873 |
if (!file->private_data) |
1874 |
return -ENOMEM; |
1875 |
return 0; |
1876 |
+diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c |
1877 |
+index 0ad61c6..f198bd7 100644 |
1878 |
+--- a/fs/9p/vfs_addr.c |
1879 |
++++ b/fs/9p/vfs_addr.c |
1880 |
+@@ -185,7 +185,7 @@ static int v9fs_vfs_writepage_locked(struct page *page) |
1881 |
+ |
1882 |
+ retval = v9fs_file_write_internal(inode, |
1883 |
+ v9inode->writeback_fid, |
1884 |
+- (__force const char __user *)buffer, |
1885 |
++ (const char __force_user *)buffer, |
1886 |
+ len, &offset, 0); |
1887 |
+ if (retval > 0) |
1888 |
+ retval = 0; |
1889 |
diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c |
1890 |
index d86edc8..40ff2fb 100644 |
1891 |
--- a/fs/9p/vfs_inode.c |
1892 |
@@ -47769,7 +48045,7 @@ index bbc8f88..7c7ac97 100644 |
1893 |
fd_offset + ex.a_text); |
1894 |
if (error != N_DATADDR(ex)) { |
1895 |
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c |
1896 |
-index 86af964..8a1da7e 100644 |
1897 |
+index 86af964..5d53bf6 100644 |
1898 |
--- a/fs/binfmt_elf.c |
1899 |
+++ b/fs/binfmt_elf.c |
1900 |
@@ -34,6 +34,7 @@ |
1901 |
@@ -48004,7 +48280,7 @@ index 86af964..8a1da7e 100644 |
1902 |
+#endif |
1903 |
+ |
1904 |
+#ifdef CONFIG_PAX_EMUTRAMP |
1905 |
-+ if (pax_flags_softmode & MF_PAX_EMUTRAMP) |
1906 |
++ if ((pax_flags_softmode & MF_PAX_EMUTRAMP) && (pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))) |
1907 |
+ pax_flags |= MF_PAX_EMUTRAMP; |
1908 |
+#endif |
1909 |
+ |
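Review bot: The new EMUTRAMP condition depends on `pax_flags` already holding the final MF_PAX_PAGEEXEC / MF_PAX_SEGMEXEC bits when it is evaluated, but nothing at this spot says so. A comment above the test, e.g. `/* EMUTRAMP is only honoured when PAGEEXEC or SEGMEXEC is enabled; must follow the blocks that set them */`, would record the ordering requirement so that a later reshuffle of the `#ifdef` blocks does not silently disable it. The enclosing function is outside the hunk, so the order of the preceding blocks cannot be confirmed from here.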
1910 |
@@ -48465,6 +48741,15 @@ index 86af964..8a1da7e 100644 |
1911 |
fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv); |
1912 |
} |
1913 |
|
1914 |
+@@ -1394,7 +1841,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata, |
1915 |
+ { |
1916 |
+ mm_segment_t old_fs = get_fs(); |
1917 |
+ set_fs(KERNEL_DS); |
1918 |
+- copy_siginfo_to_user((user_siginfo_t __user *) csigdata, siginfo); |
1919 |
++ copy_siginfo_to_user((user_siginfo_t __force_user *) csigdata, siginfo); |
1920 |
+ set_fs(old_fs); |
1921 |
+ fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata); |
1922 |
+ } |
1923 |
@@ -2015,14 +2462,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, |
1924 |
} |
1925 |
|
1926 |
@@ -49580,7 +49865,7 @@ index a81147e..20bf2b5 100644 |
1927 |
|
1928 |
/* |
1929 |
diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c |
1930 |
-index 3ced75f..1eeca06 100644 |
1931 |
+index 3ced75f..b28d192 100644 |
1932 |
--- a/fs/compat_ioctl.c |
1933 |
+++ b/fs/compat_ioctl.c |
1934 |
@@ -623,7 +623,7 @@ static int serial_struct_ioctl(unsigned fd, unsigned cmd, |
1935 |
@@ -49592,6 +49877,17 @@ index 3ced75f..1eeca06 100644 |
1936 |
if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) || |
1937 |
__get_user(ss.port_high, &ss32->port_high)) |
1938 |
return -EFAULT; |
1939 |
+@@ -704,8 +704,8 @@ static int do_i2c_rdwr_ioctl(unsigned int fd, unsigned int cmd, |
1940 |
+ for (i = 0; i < nmsgs; i++) { |
1941 |
+ if (copy_in_user(&tmsgs[i].addr, &umsgs[i].addr, 3*sizeof(u16))) |
1942 |
+ return -EFAULT; |
1943 |
+- if (get_user(datap, &umsgs[i].buf) || |
1944 |
+- put_user(compat_ptr(datap), &tmsgs[i].buf)) |
1945 |
++ if (get_user(datap, (u8 __user * __user *)&umsgs[i].buf) || |
1946 |
++ put_user(compat_ptr(datap), (u8 __user * __user *)&tmsgs[i].buf)) |
1947 |
+ return -EFAULT; |
1948 |
+ } |
1949 |
+ return sys_ioctl(fd, cmd, (unsigned long)tdata); |
1950 |
@@ -798,7 +798,7 @@ static int compat_ioctl_preallocate(struct file *file, |
1951 |
copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) || |
1952 |
copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) || |
1953 |
@@ -49839,7 +50135,7 @@ index 6a16053..2155147 100644 |
1954 |
return rc; |
1955 |
} |
1956 |
diff --git a/fs/exec.c b/fs/exec.c |
1957 |
-index 6d56ff2..fe44505 100644 |
1958 |
+index 6d56ff2..3bc6638 100644 |
1959 |
--- a/fs/exec.c |
1960 |
+++ b/fs/exec.c |
1961 |
@@ -55,8 +55,20 @@ |
1962 |
@@ -50016,7 +50312,7 @@ index 6d56ff2..fe44505 100644 |
1963 |
mm_segment_t oldfs = get_fs(); |
1964 |
struct user_arg_ptr argv = { |
1965 |
- .ptr.native = (const char __user *const __user *)__argv, |
1966 |
-+ .ptr.native = (const char __force_user *const __force_user *)__argv, |
1967 |
++ .ptr.native = (const char __force_user * const __force_user *)__argv, |
1968 |
}; |
1969 |
|
1970 |
set_fs(KERNEL_DS); |
1971 |
@@ -50540,8 +50836,8 @@ index 6d56ff2..fe44505 100644 |
1972 |
+#endif |
1973 |
+ |
1974 |
+#else |
1975 |
-+ unsigned long textlow = _stext; |
1976 |
-+ unsigned long texthigh = _etext; |
1977 |
++ unsigned long textlow = (unsigned long)_stext; |
1978 |
++ unsigned long texthigh = (unsigned long)_etext; |
1979 |
+#endif |
1980 |
+ |
1981 |
+ if (high <= textlow || low > texthigh) |
1982 |
@@ -50813,6 +51109,39 @@ index febbe0e..782c4fd 100644 |
1983 |
|
1984 |
static int parse_strtoul(const char *buf, |
1985 |
unsigned long max, unsigned long *value) |
1986 |
+diff --git a/fs/fat/inode.c b/fs/fat/inode.c |
1987 |
+index acf6e47..e7a7fde 100644 |
1988 |
+--- a/fs/fat/inode.c |
1989 |
++++ b/fs/fat/inode.c |
1990 |
+@@ -1223,6 +1223,19 @@ static int fat_read_root(struct inode *inode) |
1991 |
+ return 0; |
1992 |
+ } |
1993 |
+ |
1994 |
++static unsigned long calc_fat_clusters(struct super_block *sb) |
1995 |
++{ |
1996 |
++ struct msdos_sb_info *sbi = MSDOS_SB(sb); |
1997 |
++ |
1998 |
++ /* Divide first to avoid overflow */ |
1999 |
++ if (sbi->fat_bits != 12) { |
2000 |
++ unsigned long ent_per_sec = sb->s_blocksize * 8 / sbi->fat_bits; |
2001 |
++ return ent_per_sec * sbi->fat_length; |
2002 |
++ } |
2003 |
++ |
2004 |
++ return sbi->fat_length * sb->s_blocksize * 8 / sbi->fat_bits; |
2005 |
++} |
2006 |
++ |
2007 |
+ /* |
2008 |
+ * Read the super block of an MS-DOS FS. |
2009 |
+ */ |
2010 |
+@@ -1427,7 +1440,7 @@ int fat_fill_super(struct super_block *sb, void *data, int silent, int isvfat, |
2011 |
+ sbi->dirty = b->fat16.state & FAT_STATE_DIRTY; |
2012 |
+ |
2013 |
+ /* check that FAT table does not overflow */ |
2014 |
+- fat_clusters = sbi->fat_length * sb->s_blocksize * 8 / sbi->fat_bits; |
2015 |
++ fat_clusters = calc_fat_clusters(sb); |
2016 |
+ total_clusters = min(total_clusters, fat_clusters - FAT_START_ENT); |
2017 |
+ if (total_clusters > MAX_FAT(sb)) { |
2018 |
+ if (!silent) |
2019 |
diff --git a/fs/fcntl.c b/fs/fcntl.c |
2020 |
index 6599222..e7bf0de 100644 |
2021 |
--- a/fs/fcntl.c |
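Review bot: The comment in calc_fat_clusters(), `/* Divide first to avoid overflow */`, describes only the `fat_bits != 12` branch; the FAT12 path still computes `sbi->fat_length * sb->s_blocksize * 8 / sbi->fat_bits` with the multiplication first. Presumably that is because 12 does not divide the bits per block evenly, so dividing first would undercount entries, but `fat_length` is presumably filled from the on-disk boot sector and the comment gives no reason why the product cannot wrap for FAT12. A sentence stating the bound that makes the multiply-first form safe, or an explicit range check on `fat_length` for FAT12, would close the gap.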
2022 |
@@ -53240,7 +53569,7 @@ index 85e40d1..b66744e 100644 |
2023 |
out: |
2024 |
return len; |
2025 |
diff --git a/fs/namespace.c b/fs/namespace.c |
2026 |
-index e945b81..1dd8104 100644 |
2027 |
+index e945b81..fc018e2 100644 |
2028 |
--- a/fs/namespace.c |
2029 |
+++ b/fs/namespace.c |
2030 |
@@ -1219,6 +1219,9 @@ static int do_umount(struct mount *mnt, int flags) |
2031 |
@@ -53263,6 +53592,24 @@ index e945b81..1dd8104 100644 |
2032 |
return retval; |
2033 |
} |
2034 |
|
2035 |
+@@ -1257,7 +1263,7 @@ static inline bool may_mount(void) |
2036 |
+ * unixes. Our API is identical to OSF/1 to avoid making a mess of AMD |
2037 |
+ */ |
2038 |
+ |
2039 |
+-SYSCALL_DEFINE2(umount, char __user *, name, int, flags) |
2040 |
++SYSCALL_DEFINE2(umount, const char __user *, name, int, flags) |
2041 |
+ { |
2042 |
+ struct path path; |
2043 |
+ struct mount *mnt; |
2044 |
+@@ -1297,7 +1303,7 @@ out: |
2045 |
+ /* |
2046 |
+ * The 2.0 compatible umount. No flags. |
2047 |
+ */ |
2048 |
+-SYSCALL_DEFINE1(oldumount, char __user *, name) |
2049 |
++SYSCALL_DEFINE1(oldumount, const char __user *, name) |
2050 |
+ { |
2051 |
+ return sys_umount(name, 0); |
2052 |
+ } |
2053 |
@@ -2267,6 +2273,16 @@ long do_mount(const char *dev_name, const char *dir_name, |
2054 |
MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT | |
2055 |
MS_STRICTATIME); |
2056 |
@@ -53290,6 +53637,17 @@ index e945b81..1dd8104 100644 |
2057 |
return retval; |
2058 |
} |
2059 |
|
2060 |
+@@ -2454,8 +2473,8 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name) |
2061 |
+ } |
2062 |
+ EXPORT_SYMBOL(mount_subtree); |
2063 |
+ |
2064 |
+-SYSCALL_DEFINE5(mount, char __user *, dev_name, char __user *, dir_name, |
2065 |
+- char __user *, type, unsigned long, flags, void __user *, data) |
2066 |
++SYSCALL_DEFINE5(mount, const char __user *, dev_name, const char __user *, dir_name, |
2067 |
++ const char __user *, type, unsigned long, flags, void __user *, data) |
2068 |
+ { |
2069 |
+ int ret; |
2070 |
+ char *kernel_type; |
2071 |
@@ -2567,6 +2586,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, |
2072 |
if (error) |
2073 |
goto out2; |
2074 |
@@ -55257,6 +55615,36 @@ index 56123a6..5a2f6ec 100644 |
2075 |
} else if (mm) { |
2076 |
pid_t tid = vm_is_stack(priv->task, vma, is_pid); |
2077 |
|
2078 |
+diff --git a/fs/proc/vmcore.c b/fs/proc/vmcore.c |
2079 |
+index b870f74..e9048df 100644 |
2080 |
+--- a/fs/proc/vmcore.c |
2081 |
++++ b/fs/proc/vmcore.c |
2082 |
+@@ -98,9 +98,13 @@ static ssize_t read_from_oldmem(char *buf, size_t count, |
2083 |
+ nr_bytes = count; |
2084 |
+ |
2085 |
+ /* If pfn is not ram, return zeros for sparse dump files */ |
2086 |
+- if (pfn_is_ram(pfn) == 0) |
2087 |
+- memset(buf, 0, nr_bytes); |
2088 |
+- else { |
2089 |
++ if (pfn_is_ram(pfn) == 0) { |
2090 |
++ if (userbuf) { |
2091 |
++ if (clear_user((char __force_user *)buf, nr_bytes)) |
2092 |
++ return -EFAULT; |
2093 |
++ } else |
2094 |
++ memset(buf, 0, nr_bytes); |
2095 |
++ } else { |
2096 |
+ tmp = copy_oldmem_page(pfn, buf, nr_bytes, |
2097 |
+ offset, userbuf); |
2098 |
+ if (tmp < 0) |
2099 |
+@@ -185,7 +189,7 @@ static ssize_t read_vmcore(struct file *file, char __user *buffer, |
2100 |
+ if (tsz > nr_bytes) |
2101 |
+ tsz = nr_bytes; |
2102 |
+ |
2103 |
+- tmp = read_from_oldmem(buffer, tsz, &start, 1); |
2104 |
++ tmp = read_from_oldmem((char __force_kernel *)buffer, tsz, &start, 1); |
2105 |
+ if (tmp < 0) |
2106 |
+ return tmp; |
2107 |
+ buflen -= tsz; |
2108 |
diff --git a/fs/qnx6/qnx6.h b/fs/qnx6/qnx6.h |
2109 |
index b00fcc9..e0c6381 100644 |
2110 |
--- a/fs/qnx6/qnx6.h |
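Review bot: In read_from_oldmem() the new zero-fill path pairs a braced `if (userbuf) { ... }` with an unbraced `else memset(buf, 0, nr_bytes);`, which kernel coding style asks to avoid; bracing the else branch as well reads more safely next to the early `return -EFAULT`. The parameter is still declared `char *buf` although it holds a user address whenever `userbuf` is set, so a comment on the function stating that contract would help. The function starts and ends outside the hunk.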
2111 |
@@ -55301,6 +55689,19 @@ index 16e8abb..2dcf914 100644 |
2112 |
"a_genl_family, 0, QUOTA_NL_C_WARNING); |
2113 |
if (!msg_head) { |
2114 |
printk(KERN_ERR |
2115 |
+diff --git a/fs/read_write.c b/fs/read_write.c |
2116 |
+index e6ddc8d..9155227 100644 |
2117 |
+--- a/fs/read_write.c |
2118 |
++++ b/fs/read_write.c |
2119 |
+@@ -429,7 +429,7 @@ ssize_t __kernel_write(struct file *file, const char *buf, size_t count, loff_t |
2120 |
+ |
2121 |
+ old_fs = get_fs(); |
2122 |
+ set_fs(get_ds()); |
2123 |
+- p = (__force const char __user *)buf; |
2124 |
++ p = (const char __force_user *)buf; |
2125 |
+ if (count > MAX_RW_COUNT) |
2126 |
+ count = MAX_RW_COUNT; |
2127 |
+ if (file->f_op->write) |
2128 |
diff --git a/fs/readdir.c b/fs/readdir.c |
2129 |
index fee38e0..12fdf47 100644 |
2130 |
--- a/fs/readdir.c |
2131 |
@@ -71166,9 +71567,25 @@ index a5ffd32..0935dea 100644 |
2132 |
extern dma_addr_t swiotlb_map_page(struct device *dev, struct page *page, |
2133 |
unsigned long offset, size_t size, |
2134 |
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h |
2135 |
-index 313a8e0..1da8fc6 100644 |
2136 |
+index 313a8e0..6b273a9 100644 |
2137 |
--- a/include/linux/syscalls.h |
2138 |
+++ b/include/linux/syscalls.h |
2139 |
+@@ -418,11 +418,11 @@ asmlinkage long sys_sync(void); |
2140 |
+ asmlinkage long sys_fsync(unsigned int fd); |
2141 |
+ asmlinkage long sys_fdatasync(unsigned int fd); |
2142 |
+ asmlinkage long sys_bdflush(int func, long data); |
2143 |
+-asmlinkage long sys_mount(char __user *dev_name, char __user *dir_name, |
2144 |
+- char __user *type, unsigned long flags, |
2145 |
++asmlinkage long sys_mount(const char __user *dev_name, const char __user *dir_name, |
2146 |
++ const char __user *type, unsigned long flags, |
2147 |
+ void __user *data); |
2148 |
+-asmlinkage long sys_umount(char __user *name, int flags); |
2149 |
+-asmlinkage long sys_oldumount(char __user *name); |
2150 |
++asmlinkage long sys_umount(const char __user *name, int flags); |
2151 |
++asmlinkage long sys_oldumount(const char __user *name); |
2152 |
+ asmlinkage long sys_truncate(const char __user *path, long length); |
2153 |
+ asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length); |
2154 |
+ asmlinkage long sys_stat(const char __user *filename, |
2155 |
@@ -634,7 +634,7 @@ asmlinkage long sys_getsockname(int, struct sockaddr __user *, int __user *); |
2156 |
asmlinkage long sys_getpeername(int, struct sockaddr __user *, int __user *); |
2157 |
asmlinkage long sys_send(int, void __user *, size_t, unsigned); |
2158 |
@@ -72924,9 +73341,27 @@ index f5b978a..69dbfe8 100644 |
2159 |
if (!S_ISBLK(stat.st_mode)) |
2160 |
return 0; |
2161 |
diff --git a/init/do_mounts_initrd.c b/init/do_mounts_initrd.c |
2162 |
-index a32ec1c..ac08811 100644 |
2163 |
+index a32ec1c..60a6659 100644 |
2164 |
--- a/init/do_mounts_initrd.c |
2165 |
+++ b/init/do_mounts_initrd.c |
2166 |
+@@ -37,13 +37,13 @@ static int init_linuxrc(struct subprocess_info *info, struct cred *new) |
2167 |
+ { |
2168 |
+ sys_unshare(CLONE_FS | CLONE_FILES); |
2169 |
+ /* stdin/stdout/stderr for /linuxrc */ |
2170 |
+- sys_open("/dev/console", O_RDWR, 0); |
2171 |
++ sys_open((const char __force_user *)"/dev/console", O_RDWR, 0); |
2172 |
+ sys_dup(0); |
2173 |
+ sys_dup(0); |
2174 |
+ /* move initrd over / and chdir/chroot in initrd root */ |
2175 |
+- sys_chdir("/root"); |
2176 |
+- sys_mount(".", "/", NULL, MS_MOVE, NULL); |
2177 |
+- sys_chroot("."); |
2178 |
++ sys_chdir((const char __force_user *)"/root"); |
2179 |
++ sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL); |
2180 |
++ sys_chroot((const char __force_user *)"."); |
2181 |
+ sys_setsid(); |
2182 |
+ return 0; |
2183 |
+ } |
2184 |
@@ -58,8 +58,8 @@ static void __init handle_initrd(void) |
2185 |
create_dev("/dev/root.old", Root_RAM0); |
2186 |
/* mount initrd on rootfs' /root */ |
2187 |
@@ -73149,7 +73584,7 @@ index a67ef9d..3d88592 100644 |
2188 |
next_state = Reset; |
2189 |
return 0; |
2190 |
diff --git a/init/main.c b/init/main.c |
2191 |
-index 63534a1..8abcaf1 100644 |
2192 |
+index 63534a1..85feae2 100644 |
2193 |
--- a/init/main.c |
2194 |
+++ b/init/main.c |
2195 |
@@ -98,6 +98,8 @@ static inline void mark_rodata_ro(void) { } |
2196 |
@@ -73286,6 +73721,17 @@ index 63534a1..8abcaf1 100644 |
2197 |
} |
2198 |
|
2199 |
/* |
2200 |
+@@ -811,8 +884,8 @@ static int run_init_process(const char *init_filename) |
2201 |
+ { |
2202 |
+ argv_init[0] = init_filename; |
2203 |
+ return do_execve(init_filename, |
2204 |
+- (const char __user *const __user *)argv_init, |
2205 |
+- (const char __user *const __user *)envp_init); |
2206 |
++ (const char __user *const __force_user *)argv_init, |
2207 |
++ (const char __user *const __force_user *)envp_init); |
2208 |
+ } |
2209 |
+ |
2210 |
+ static noinline void __init kernel_init_freeable(void); |
2211 |
@@ -890,7 +963,7 @@ static noinline void __init kernel_init_freeable(void) |
2212 |
do_basic_setup(); |
2213 |
|
2214 |
@@ -74134,7 +74580,7 @@ index 00eb8f7..d7e3244 100644 |
2215 |
#ifdef CONFIG_MODULE_UNLOAD |
2216 |
{ |
2217 |
diff --git a/kernel/events/core.c b/kernel/events/core.c |
2218 |
-index 9fcb094..5c06aeb 100644 |
2219 |
+index 9fcb094..fd68c54 100644 |
2220 |
--- a/kernel/events/core.c |
2221 |
+++ b/kernel/events/core.c |
2222 |
@@ -155,7 +155,11 @@ static struct srcu_struct pmus_srcu; |
2223 |
@@ -74193,6 +74639,15 @@ index 9fcb094..5c06aeb 100644 |
2224 |
|
2225 |
arch_perf_update_userpage(userpg, now); |
2226 |
|
2227 |
+@@ -3886,7 +3890,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size, |
2228 |
+ |
2229 |
+ /* Data. */ |
2230 |
+ sp = perf_user_stack_pointer(regs); |
2231 |
+- rem = __output_copy_user(handle, (void *) sp, dump_size); |
2232 |
++ rem = __output_copy_user(handle, (void __user *) sp, dump_size); |
2233 |
+ dyn_size = dump_size - rem; |
2234 |
+ |
2235 |
+ perf_output_skip(handle, rem); |
2236 |
@@ -3974,11 +3978,11 @@ static void perf_output_read_one(struct perf_output_handle *handle, |
2237 |
values[n++] = perf_event_count(event); |
2238 |
if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) { |
2239 |
@@ -74245,6 +74700,44 @@ index 9fcb094..5c06aeb 100644 |
2240 |
&parent_event->child_total_time_running); |
2241 |
|
2242 |
/* |
2243 |
+diff --git a/kernel/events/internal.h b/kernel/events/internal.h |
2244 |
+index eb675c4..54912ff 100644 |
2245 |
+--- a/kernel/events/internal.h |
2246 |
++++ b/kernel/events/internal.h |
2247 |
+@@ -77,10 +77,10 @@ static inline unsigned long perf_data_size(struct ring_buffer *rb) |
2248 |
+ return rb->nr_pages << (PAGE_SHIFT + page_order(rb)); |
2249 |
+ } |
2250 |
+ |
2251 |
+-#define DEFINE_OUTPUT_COPY(func_name, memcpy_func) \ |
2252 |
++#define DEFINE_OUTPUT_COPY(func_name, memcpy_func, user) \ |
2253 |
+ static inline unsigned int \ |
2254 |
+ func_name(struct perf_output_handle *handle, \ |
2255 |
+- const void *buf, unsigned int len) \ |
2256 |
++ const void user *buf, unsigned int len) \ |
2257 |
+ { \ |
2258 |
+ unsigned long size, written; \ |
2259 |
+ \ |
2260 |
+@@ -112,17 +112,17 @@ static inline int memcpy_common(void *dst, const void *src, size_t n) |
2261 |
+ return n; |
2262 |
+ } |
2263 |
+ |
2264 |
+-DEFINE_OUTPUT_COPY(__output_copy, memcpy_common) |
2265 |
++DEFINE_OUTPUT_COPY(__output_copy, memcpy_common, ) |
2266 |
+ |
2267 |
+ #define MEMCPY_SKIP(dst, src, n) (n) |
2268 |
+ |
2269 |
+-DEFINE_OUTPUT_COPY(__output_skip, MEMCPY_SKIP) |
2270 |
++DEFINE_OUTPUT_COPY(__output_skip, MEMCPY_SKIP, ) |
2271 |
+ |
2272 |
+ #ifndef arch_perf_out_copy_user |
2273 |
+ #define arch_perf_out_copy_user __copy_from_user_inatomic |
2274 |
+ #endif |
2275 |
+ |
2276 |
+-DEFINE_OUTPUT_COPY(__output_copy_user, arch_perf_out_copy_user) |
2277 |
++DEFINE_OUTPUT_COPY(__output_copy_user, arch_perf_out_copy_user, __user) |
2278 |
+ |
2279 |
+ /* Callchain handling */ |
2280 |
+ extern struct perf_callchain_entry * |
2281 |
diff --git a/kernel/exit.c b/kernel/exit.c |
2282 |
index 60bc027..ca6d727 100644 |
2283 |
--- a/kernel/exit.c |
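Review bot: The new third parameter of `DEFINE_OUTPUT_COPY` in kernel/events/internal.h is undocumented, and two of its three instantiations pass it empty (`DEFINE_OUTPUT_COPY(__output_copy, memcpy_common, )`), which reads like a typo to anyone who has not seen the macro body. A one-line comment above the macro would help, e.g. `/* user: address-space qualifier for buf (__user for the user-copy variant, empty for kernel buffers) */`. It would also record that `__output_copy_user` is the only variant meant to receive a userland pointer, which is presumably the property the annotation lets the checker enforce. The macro body continues outside the hunk.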
2284 |
@@ -79822,6 +80315,24 @@ index b32b70c..e512eb0 100644 |
2285 |
pkmap_count[last_pkmap_nr] = 1; |
2286 |
set_page_address(page, (void *)vaddr); |
2287 |
|
2288 |
+diff --git a/mm/huge_memory.c b/mm/huge_memory.c |
2289 |
+index e2f7f5aa..a4510d4 100644 |
2290 |
+--- a/mm/huge_memory.c |
2291 |
++++ b/mm/huge_memory.c |
2292 |
+@@ -2318,7 +2318,12 @@ static void collapse_huge_page(struct mm_struct *mm, |
2293 |
+ pte_unmap(pte); |
2294 |
+ spin_lock(&mm->page_table_lock); |
2295 |
+ BUG_ON(!pmd_none(*pmd)); |
2296 |
+- set_pmd_at(mm, address, pmd, _pmd); |
2297 |
++ /* |
2298 |
++ * We can only use set_pmd_at when establishing |
2299 |
++ * hugepmds and never for establishing regular pmds that |
2300 |
++ * points to regular pagetables. Use pmd_populate for that |
2301 |
++ */ |
2302 |
++ pmd_populate(mm, pmd, pmd_pgtable(_pmd)); |
2303 |
+ spin_unlock(&mm->page_table_lock); |
2304 |
+ anon_vma_unlock_write(vma->anon_vma); |
2305 |
+ goto out; |
2306 |
diff --git a/mm/hugetlb.c b/mm/hugetlb.c |
2307 |
index 1a12f5b..a85b8fc 100644 |
2308 |
--- a/mm/hugetlb.c |
2309 |
@@ -82287,6 +82798,133 @@ index 0dceed8..671951c 100644 |
2310 |
vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND; |
2311 |
vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); |
2312 |
|
2313 |
+diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c |
2314 |
+index be04122..6725ff1 100644 |
2315 |
+--- a/mm/mmu_notifier.c |
2316 |
++++ b/mm/mmu_notifier.c |
2317 |
+@@ -40,48 +40,44 @@ void __mmu_notifier_release(struct mm_struct *mm) |
2318 |
+ int id; |
2319 |
+ |
2320 |
+ /* |
2321 |
+- * srcu_read_lock() here will block synchronize_srcu() in |
2322 |
+- * mmu_notifier_unregister() until all registered |
2323 |
+- * ->release() callouts this function makes have |
2324 |
+- * returned. |
2325 |
++ * SRCU here will block mmu_notifier_unregister until |
2326 |
++ * ->release returns. |
2327 |
+ */ |
2328 |
+ id = srcu_read_lock(&srcu); |
2329 |
++ hlist_for_each_entry_rcu(mn, &mm->mmu_notifier_mm->list, hlist) |
2330 |
++ /* |
2331 |
++ * If ->release runs before mmu_notifier_unregister it must be |
2332 |
++ * handled, as it's the only way for the driver to flush all |
2333 |
++ * existing sptes and stop the driver from establishing any more |
2334 |
++ * sptes before all the pages in the mm are freed. |
2335 |
++ */ |
2336 |
++ if (mn->ops->release) |
2337 |
++ mn->ops->release(mn, mm); |
2338 |
++ srcu_read_unlock(&srcu, id); |
2339 |
++ |
2340 |
+ spin_lock(&mm->mmu_notifier_mm->lock); |
2341 |
+ while (unlikely(!hlist_empty(&mm->mmu_notifier_mm->list))) { |
2342 |
+ mn = hlist_entry(mm->mmu_notifier_mm->list.first, |
2343 |
+ struct mmu_notifier, |
2344 |
+ hlist); |
2345 |
+- |
2346 |
+ /* |
2347 |
+- * Unlink. This will prevent mmu_notifier_unregister() |
2348 |
+- * from also making the ->release() callout. |
2349 |
++ * We arrived before mmu_notifier_unregister so |
2350 |
++ * mmu_notifier_unregister will do nothing other than to wait |
2351 |
++ * for ->release to finish and for mmu_notifier_unregister to |
2352 |
++ * return. |
2353 |
+ */ |
2354 |
+ hlist_del_init_rcu(&mn->hlist); |
2355 |
+- spin_unlock(&mm->mmu_notifier_mm->lock); |
2356 |
+- |
2357 |
+- /* |
2358 |
+- * Clear sptes. (see 'release' description in mmu_notifier.h) |
2359 |
+- */ |
2360 |
+- if (mn->ops->release) |
2361 |
+- mn->ops->release(mn, mm); |
2362 |
+- |
2363 |
+- spin_lock(&mm->mmu_notifier_mm->lock); |
2364 |
+ } |
2365 |
+ spin_unlock(&mm->mmu_notifier_mm->lock); |
2366 |
+ |
2367 |
+ /* |
2368 |
+- * All callouts to ->release() which we have done are complete. |
2369 |
+- * Allow synchronize_srcu() in mmu_notifier_unregister() to complete |
2370 |
+- */ |
2371 |
+- srcu_read_unlock(&srcu, id); |
2372 |
+- |
2373 |
+- /* |
2374 |
+- * mmu_notifier_unregister() may have unlinked a notifier and may |
2375 |
+- * still be calling out to it. Additionally, other notifiers |
2376 |
+- * may have been active via vmtruncate() et. al. Block here |
2377 |
+- * to ensure that all notifier callouts for this mm have been |
2378 |
+- * completed and the sptes are really cleaned up before returning |
2379 |
+- * to exit_mmap(). |
2380 |
++ * synchronize_srcu here prevents mmu_notifier_release from returning to |
2381 |
++ * exit_mmap (which would proceed with freeing all pages in the mm) |
2382 |
++ * until the ->release method returns, if it was invoked by |
2383 |
++ * mmu_notifier_unregister. |
2384 |
++ * |
2385 |
++ * The mmu_notifier_mm can't go away from under us because one mm_count |
2386 |
++ * is held by exit_mmap. |
2387 |
+ */ |
2388 |
+ synchronize_srcu(&srcu); |
2389 |
+ } |
2390 |
+@@ -292,31 +288,34 @@ void mmu_notifier_unregister(struct mmu_notifier *mn, struct mm_struct *mm) |
2391 |
+ { |
2392 |
+ BUG_ON(atomic_read(&mm->mm_count) <= 0); |
2393 |
+ |
2394 |
+- spin_lock(&mm->mmu_notifier_mm->lock); |
2395 |
+ if (!hlist_unhashed(&mn->hlist)) { |
2396 |
++ /* |
2397 |
++ * SRCU here will force exit_mmap to wait for ->release to |
2398 |
++ * finish before freeing the pages. |
2399 |
++ */ |
2400 |
+ int id; |
2401 |
+ |
2402 |
+- /* |
2403 |
+- * Ensure we synchronize up with __mmu_notifier_release(). |
2404 |
+- */ |
2405 |
+ id = srcu_read_lock(&srcu); |
2406 |
+- |
2407 |
+- hlist_del_rcu(&mn->hlist); |
2408 |
+- spin_unlock(&mm->mmu_notifier_mm->lock); |
2409 |
+- |
2410 |
+- if (mn->ops->release) |
2411 |
+- mn->ops->release(mn, mm); |
2412 |
+- |
2413 |
+ /* |
2414 |
+- * Allow __mmu_notifier_release() to complete. |
2415 |
++ * exit_mmap will block in mmu_notifier_release to guarantee |
2416 |
++ * that ->release is called before freeing the pages. |
2417 |
+ */ |
2418 |
++ if (mn->ops->release) |
2419 |
++ mn->ops->release(mn, mm); |
2420 |
+ srcu_read_unlock(&srcu, id); |
2421 |
+- } else |
2422 |
++ |
2423 |
++ spin_lock(&mm->mmu_notifier_mm->lock); |
2424 |
++ /* |
2425 |
++ * Can not use list_del_rcu() since __mmu_notifier_release |
2426 |
++ * can delete it before we hold the lock. |
2427 |
++ */ |
2428 |
++ hlist_del_init_rcu(&mn->hlist); |
2429 |
+ spin_unlock(&mm->mmu_notifier_mm->lock); |
2430 |
++ } |
2431 |
+ |
2432 |
+ /* |
2433 |
+- * Wait for any running method to finish, including ->release() if it |
2434 |
+- * was run by __mmu_notifier_release() instead of us. |
2435 |
++ * Wait for any running method to finish, of course including |
2436 |
++ * ->release if it was run by mmu_notifier_relase instead of us. |
2437 |
+ */ |
2438 |
+ synchronize_srcu(&srcu); |
2439 |
+ |
2440 |
diff --git a/mm/mprotect.c b/mm/mprotect.c |
2441 |
index 94722a4..07d9926 100644 |
2442 |
--- a/mm/mprotect.c |
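Review bot: In the new `__mmu_notifier_release()` and `mmu_notifier_unregister()` bodies, `->release` is invoked before the notifier is unlinked and without `mmu_notifier_mm->lock` held, so both paths can call `mn->ops->release(mn, mm)` for the same notifier; the removed code unlinked first, and its comment said that was to prevent the second callout. Every `->release` implementation therefore has to tolerate being called twice, possibly concurrently, and the comment above the `hlist_for_each_entry_rcu` loop should say so, e.g. `* ->release may also be called by mmu_notifier_unregister for the same mn; it must be idempotent.` The `hlist_unhashed()` test in `mmu_notifier_unregister()` is now read outside the lock as well, which looks intentional given the later `hlist_del_init_rcu()` but deserves a word in the comment. Two slips in the added comments: `mmu_notifier_relase` should read `mmu_notifier_release`, and `list_del_rcu()` should read `hlist_del_rcu()`. `mmu_notifier_unregister()` continues past the end of the hunk.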
2443 |
@@ -82811,6 +83449,19 @@ index 8fcced7..ebcd481 100644 |
2444 |
|
2445 |
if (order && (gfp_flags & __GFP_COMP)) |
2446 |
prep_compound_page(page, order); |
2447 |
+diff --git a/mm/page_io.c b/mm/page_io.c |
2448 |
+index 6182870..4bba6a2 100644 |
2449 |
+--- a/mm/page_io.c |
2450 |
++++ b/mm/page_io.c |
2451 |
+@@ -205,7 +205,7 @@ int swap_writepage(struct page *page, struct writeback_control *wbc) |
2452 |
+ struct file *swap_file = sis->swap_file; |
2453 |
+ struct address_space *mapping = swap_file->f_mapping; |
2454 |
+ struct iovec iov = { |
2455 |
+- .iov_base = kmap(page), |
2456 |
++ .iov_base = (void __force_user *)kmap(page), |
2457 |
+ .iov_len = PAGE_SIZE, |
2458 |
+ }; |
2459 |
+ |
2460 |
diff --git a/mm/percpu.c b/mm/percpu.c |
2461 |
index 8c8e08f..73a5cda 100644 |
2462 |
--- a/mm/percpu.c |
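Review bot: The `__force_user` cast on `.iov_base = (void __force_user *)kmap(page)` silences the address-space checker at the one place in `swap_writepage()` where a kernel mapping is put into a field typed for user pointers, and nothing next to it says why that is safe. A short comment on the initializer would keep the next reader from copying the pattern where it is not safe, e.g. `/* kernel mapping of the swap page; the consumer must not treat it as a userland address */`. Whether the consumer of `iov` actually treats the base as kernel memory, and where the matching `kunmap()` happens, lies outside the hunk and should be confirmed there.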
2463 |
@@ -91446,6 +92097,19 @@ index d65fa7f..cbfe366 100644 |
2464 |
err: |
2465 |
if (iov != iovstack) |
2466 |
kfree(iov); |
2467 |
+diff --git a/security/keys/internal.h b/security/keys/internal.h |
2468 |
+index 8bbefc3..299d03f 100644 |
2469 |
+--- a/security/keys/internal.h |
2470 |
++++ b/security/keys/internal.h |
2471 |
+@@ -240,7 +240,7 @@ extern long keyctl_instantiate_key_iov(key_serial_t, |
2472 |
+ extern long keyctl_invalidate_key(key_serial_t); |
2473 |
+ |
2474 |
+ extern long keyctl_instantiate_key_common(key_serial_t, |
2475 |
+- const struct iovec *, |
2476 |
++ const struct iovec __user *, |
2477 |
+ unsigned, size_t, key_serial_t); |
2478 |
+ |
2479 |
+ /* |
2480 |
diff --git a/security/keys/key.c b/security/keys/key.c |
2481 |
index 8fb7c7b..ba3610d 100644 |
2482 |
--- a/security/keys/key.c |
2483 |
@@ -92335,10 +92999,10 @@ index 0000000..144dbee |
2484 |
+targets += size_overflow_hash.h |
2485 |
diff --git a/tools/gcc/checker_plugin.c b/tools/gcc/checker_plugin.c |
2486 |
new file mode 100644 |
2487 |
-index 0000000..d41b5af |
2488 |
+index 0000000..22f03c0 |
2489 |
--- /dev/null |
2490 |
+++ b/tools/gcc/checker_plugin.c |
2491 |
-@@ -0,0 +1,171 @@ |
2492 |
+@@ -0,0 +1,172 @@ |
2493 |
+/* |
2494 |
+ * Copyright 2011 by the PaX Team <pageexec@××××××××.hu> |
2495 |
+ * Licensed under the GPL v2 |
2496 |
@@ -92392,6 +93056,7 @@ index 0000000..d41b5af |
2497 |
+ |
2498 |
+static struct plugin_info checker_plugin_info = { |
2499 |
+ .version = "201111150100", |
2500 |
++ .help = NULL, |
2501 |
+}; |
2502 |
+ |
2503 |
+#define ADDR_SPACE_KERNEL 0 |