
From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 3.2.45/, 2.6.32/, 3.9.4/
Date: Thu, 30 May 2013 11:43:56
Message-Id: 1369914216.98f0944d5d4dcb71e3c77924f54f81cd836c04b4.blueness@gentoo
1 commit: 98f0944d5d4dcb71e3c77924f54f81cd836c04b4
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Thu May 30 11:43:36 2013 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Thu May 30 11:43:36 2013 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=98f0944d
7
8 Grsec/PaX: 2.9.1-{2.6.32.60,3.2.45,3.9.4}-201305292151
9
10 ---
11 2.6.32/0000_README | 2 +-
12 ..._grsecurity-2.9.1-2.6.32.60-201305292148.patch} | 141 +++-
13 3.2.45/0000_README | 2 +-
14 ...420_grsecurity-2.9.1-3.2.45-201305292150.patch} | 426 +++++++++---
15 3.9.4/0000_README | 2 +-
16 ...4420_grsecurity-2.9.1-3.9.4-201305292151.patch} | 751 +++++++++++++++++++--
17 6 files changed, 1141 insertions(+), 183 deletions(-)
18
19 diff --git a/2.6.32/0000_README b/2.6.32/0000_README
20 index 5ca0857..378709b 100644
21 --- a/2.6.32/0000_README
22 +++ b/2.6.32/0000_README
23 @@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch
24 From: http://www.kernel.org
25 Desc: Linux 2.6.32.59
26
27 -Patch: 4420_grsecurity-2.9.1-2.6.32.60-201305251007.patch
28 +Patch: 4420_grsecurity-2.9.1-2.6.32.60-201305292148.patch
29 From: http://www.grsecurity.net
30 Desc: hardened-sources base patch from upstream grsecurity
31
32
33 diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305251007.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305292148.patch
34 similarity index 99%
35 rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305251007.patch
36 rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305292148.patch
37 index f7ef7a8..a6ebcd3 100644
38 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305251007.patch
39 +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305292148.patch
40 @@ -43345,7 +43345,7 @@ index 62f282e..e45c45c 100644
41 cdev_init(&ptmx_cdev, &ptmx_fops);
42 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
43 diff --git a/drivers/char/random.c b/drivers/char/random.c
44 -index 446b20a..710568a 100644
45 +index 446b20a..1193fa7 100644
46 --- a/drivers/char/random.c
47 +++ b/drivers/char/random.c
48 @@ -269,8 +269,13 @@
49 @@ -43399,36 +43399,94 @@ index 446b20a..710568a 100644
50 smp_wmb();
51
52 if (out)
53 -@@ -942,6 +955,10 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
54 +@@ -840,6 +853,7 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min,
55 + int reserved)
56 + {
57 + unsigned long flags;
58 ++ int wakeup_write = 0;
59 +
60 + /* Hold lock while accounting */
61 + spin_lock_irqsave(&r->lock, flags);
62 +@@ -852,19 +866,25 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min,
63 + if (r->entropy_count / 8 < min + reserved) {
64 + nbytes = 0;
65 + } else {
66 ++ int entropy_count, orig;
67 ++retry:
68 ++ entropy_count = orig = ACCESS_ONCE(r->entropy_count);
69 + /* If limited, never pull more than available */
70 +- if (r->limit && nbytes + reserved >= r->entropy_count / 8)
71 +- nbytes = r->entropy_count/8 - reserved;
72 ++ if (r->limit && nbytes + reserved >= entropy_count / 8)
73 ++ nbytes = entropy_count/8 - reserved;
74 +
75 +- if (r->entropy_count / 8 >= nbytes + reserved)
76 +- r->entropy_count -= nbytes*8;
77 +- else
78 +- r->entropy_count = reserved;
79 +-
80 +- if (r->entropy_count < random_write_wakeup_thresh) {
81 +- wake_up_interruptible(&random_write_wait);
82 +- kill_fasync(&fasync, SIGIO, POLL_OUT);
83 ++ if (entropy_count / 8 >= nbytes + reserved) {
84 ++ entropy_count -= nbytes*8;
85 ++ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
86 ++ goto retry;
87 ++ } else {
88 ++ entropy_count = reserved;
89 ++ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
90 ++ goto retry;
91 + }
92 ++
93 ++ if (entropy_count < random_write_wakeup_thresh)
94 ++ wakeup_write = 1;
95 + }
96 +
97 + DEBUG_ENT("debiting %d entropy credits from %s%s\n",
98 +@@ -872,6 +892,11 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min,
99 +
100 + spin_unlock_irqrestore(&r->lock, flags);
101 +
102 ++ if (wakeup_write) {
103 ++ wake_up_interruptible(&random_write_wait);
104 ++ kill_fasync(&fasync, SIGIO, POLL_OUT);
105 ++ }
106 ++
107 + return nbytes;
108 + }
109 +
110 +@@ -941,6 +966,21 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
111 + {
112 ssize_t ret = 0, i;
113 __u8 tmp[EXTRACT_SIZE];
114 -
115 -+ /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */
116 -+ if (fips_enabled && !r->last_data_init)
117 -+ nbytes += EXTRACT_SIZE;
118 ++ unsigned long flags;
119 +
120 ++ /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */
121 ++ if (fips_enabled) {
122 ++ spin_lock_irqsave(&r->lock, flags);
123 ++ if (!r->last_data_init) {
124 ++ r->last_data_init = true;
125 ++ spin_unlock_irqrestore(&r->lock, flags);
126 ++ xfer_secondary_pool(r, EXTRACT_SIZE);
127 ++ extract_buf(r, tmp);
128 ++ spin_lock_irqsave(&r->lock, flags);
129 ++ memcpy(r->last_data, tmp, EXTRACT_SIZE);
130 ++ }
131 ++ spin_unlock_irqrestore(&r->lock, flags);
132 ++ }
133 +
134 xfer_secondary_pool(r, nbytes);
135 nbytes = account(r, nbytes, min, reserved);
136 +@@ -949,8 +989,6 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
137 + extract_buf(r, tmp);
138
139 -@@ -951,6 +968,17 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
140 if (fips_enabled) {
141 - unsigned long flags;
142 -
143 -+
144 -+ /* prime last_data value if need be, per fips 140-2 */
145 -+ if (!r->last_data_init) {
146 -+ spin_lock_irqsave(&r->lock, flags);
147 -+ memcpy(r->last_data, tmp, EXTRACT_SIZE);
148 -+ r->last_data_init = true;
149 -+ nbytes -= EXTRACT_SIZE;
150 -+ spin_unlock_irqrestore(&r->lock, flags);
151 -+ extract_buf(r, tmp);
152 -+ }
153 -+
154 +- unsigned long flags;
155 +-
156 spin_lock_irqsave(&r->lock, flags);
157 if (!memcmp(tmp, r->last_data, EXTRACT_SIZE))
158 panic("Hardware RNG duplicated output!\n");
159 -@@ -1015,7 +1043,21 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
160 +@@ -1015,7 +1053,21 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
161 */
162 void get_random_bytes(void *buf, int nbytes)
163 {
164 @@ -43451,7 +43509,7 @@ index 446b20a..710568a 100644
165 }
166 EXPORT_SYMBOL(get_random_bytes);
167
168 -@@ -1068,6 +1110,7 @@ static void init_std_data(struct entropy_store *r)
169 +@@ -1068,6 +1120,7 @@ static void init_std_data(struct entropy_store *r)
170
171 r->entropy_count = 0;
172 r->entropy_total = 0;
173 @@ -43459,7 +43517,7 @@ index 446b20a..710568a 100644
174 mix_pool_bytes(r, &now, sizeof(now), NULL);
175 for (i = r->poolinfo->POOLBYTES; i > 0; i -= sizeof(rv)) {
176 if (!arch_get_random_long(&rv))
177 -@@ -1322,7 +1365,7 @@ EXPORT_SYMBOL(generate_random_uuid);
178 +@@ -1322,7 +1375,7 @@ EXPORT_SYMBOL(generate_random_uuid);
179 #include <linux/sysctl.h>
180
181 static int min_read_thresh = 8, min_write_thresh;
182 @@ -43468,7 +43526,7 @@ index 446b20a..710568a 100644
183 static int max_write_thresh = INPUT_POOL_WORDS * 32;
184 static char sysctl_bootid[16];
185
186 -@@ -1397,6 +1440,7 @@ static int uuid_strategy(ctl_table *table,
187 +@@ -1397,6 +1450,7 @@ static int uuid_strategy(ctl_table *table,
188 }
189
190 static int sysctl_poolsize = INPUT_POOL_WORDS * 32;
191 @@ -43476,7 +43534,7 @@ index 446b20a..710568a 100644
192 ctl_table random_table[] = {
193 {
194 .ctl_name = RANDOM_POOLSIZE,
195 -@@ -1472,7 +1516,7 @@ late_initcall(random_int_secret_init);
196 +@@ -1472,7 +1526,7 @@ late_initcall(random_int_secret_init);
197 * value is not cryptographically secure but for several uses the cost of
198 * depleting entropy is too high
199 */
200 @@ -71823,7 +71881,7 @@ index 913b4a4..4de325a9 100644
201 crtc.h_tot_disp = aty_ld_le32(CRTC_H_TOTAL_DISP, par);
202 crtc.h_sync_strt_wid = aty_ld_le32(CRTC_H_SYNC_STRT_WID, par);
203 diff --git a/drivers/video/aty/radeon_backlight.c b/drivers/video/aty/radeon_backlight.c
204 -index 1a056ad..221bd6a 100644
205 +index 1a056ad..221bd6ae 100644
206 --- a/drivers/video/aty/radeon_backlight.c
207 +++ b/drivers/video/aty/radeon_backlight.c
208 @@ -127,7 +127,7 @@ static int radeon_bl_get_brightness(struct backlight_device *bd)
209 @@ -79170,7 +79228,7 @@ index f1e7077..edd86b2 100644
210 .store = ext4_attr_store,
211 };
212 diff --git a/fs/fat/inode.c b/fs/fat/inode.c
213 -index 76b7961..c187e92 100644
214 +index 76b7961..ca5f1c9 100644
215 --- a/fs/fat/inode.c
216 +++ b/fs/fat/inode.c
217 @@ -558,7 +558,7 @@ static int fat_statfs(struct dentry *dentry, struct kstatfs *buf)
218 @@ -79182,6 +79240,35 @@ index 76b7961..c187e92 100644
219
220 return 0;
221 }
222 +@@ -1206,6 +1206,19 @@ static int fat_read_root(struct inode *inode)
223 + return 0;
224 + }
225 +
226 ++static unsigned long calc_fat_clusters(struct super_block *sb)
227 ++{
228 ++ struct msdos_sb_info *sbi = MSDOS_SB(sb);
229 ++
230 ++ /* Divide first to avoid overflow */
231 ++ if (sbi->fat_bits != 12) {
232 ++ unsigned long ent_per_sec = sb->s_blocksize * 8 / sbi->fat_bits;
233 ++ return ent_per_sec * sbi->fat_length;
234 ++ }
235 ++
236 ++ return sbi->fat_length * sb->s_blocksize * 8 / sbi->fat_bits;
237 ++}
238 ++
239 + /*
240 + * Read the super block of an MS-DOS FS.
241 + */
242 +@@ -1400,7 +1413,7 @@ int fat_fill_super(struct super_block *sb, void *data, int silent,
243 + sbi->fat_bits = (total_clusters > MAX_FAT12) ? 16 : 12;
244 +
245 + /* check that FAT table does not overflow */
246 +- fat_clusters = sbi->fat_length * sb->s_blocksize * 8 / sbi->fat_bits;
247 ++ fat_clusters = calc_fat_clusters(sb);
248 + total_clusters = min(total_clusters, fat_clusters - FAT_START_ENT);
249 + if (total_clusters > MAX_FAT(sb)) {
250 + if (!silent)
251 diff --git a/fs/fat/namei_vfat.c b/fs/fat/namei_vfat.c
252 index 72646e2..4251f35 100644
253 --- a/fs/fat/namei_vfat.c
254
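Review bot: In the rewritten FIPS priming block of extract_entropy (the `+@@ -941,6 +966,21 @@` hunk of the 2.6.32 patch), `r->last_data_init = true` is stored and the lock is released before the priming `extract_buf(r, tmp)` and the `memcpy(r->last_data, tmp, EXTRACT_SIZE)` that fill `r->last_data`, so a concurrent caller that takes the lock in that window sees the flag already set and runs its `memcmp(tmp, r->last_data, EXTRACT_SIZE)` continuous test against a still-unprimed buffer. This appears to track an upstream backport, so it is probably acceptable, but a comment on the flag store such as `/* flag is set before priming completes; a concurrent extract in this window compares against unprimed last_data */` would record the trade-off. The priming `xfer_secondary_pool`/`extract_buf` pair also no longer passes through `account()` (the removed lines handled this via `nbytes += EXTRACT_SIZE`), so the pool's entropy estimate is not debited for those EXTRACT_SIZE bytes; if that is intended it deserves a one-line comment as well. The same hunk recurs in the 3.2.45 patch (`+@@ -978,6 +1003,21 @@`), and both extract_entropy and account start and end outside the hunk.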
255 diff --git a/3.2.45/0000_README b/3.2.45/0000_README
256 index ba3ec05..577c9db 100644
257 --- a/3.2.45/0000_README
258 +++ b/3.2.45/0000_README
259 @@ -98,7 +98,7 @@ Patch: 1044_linux-3.2.45.patch
260 From: http://www.kernel.org
261 Desc: Linux 3.2.45
262
263 -Patch: 4420_grsecurity-2.9.1-3.2.45-201305251007.patch
264 +Patch: 4420_grsecurity-2.9.1-3.2.45-201305292150.patch
265 From: http://www.grsecurity.net
266 Desc: hardened-sources base patch from upstream grsecurity
267
268
269 diff --git a/3.2.45/4420_grsecurity-2.9.1-3.2.45-201305251007.patch b/3.2.45/4420_grsecurity-2.9.1-3.2.45-201305292150.patch
270 similarity index 99%
271 rename from 3.2.45/4420_grsecurity-2.9.1-3.2.45-201305251007.patch
272 rename to 3.2.45/4420_grsecurity-2.9.1-3.2.45-201305292150.patch
273 index bc81306..52e473e 100644
274 --- a/3.2.45/4420_grsecurity-2.9.1-3.2.45-201305251007.patch
275 +++ b/3.2.45/4420_grsecurity-2.9.1-3.2.45-201305292150.patch
276 @@ -1858,6 +1858,28 @@ index 7ac5dfd..0ce09c2 100644
277 if (ret != NOTIFY_STOP)
278 do_exit(SIGSEGV);
279 }
280 +diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S
281 +index 20b3041..da44b1f 100644
282 +--- a/arch/arm/kernel/vmlinux.lds.S
283 ++++ b/arch/arm/kernel/vmlinux.lds.S
284 +@@ -103,6 +103,8 @@ SECTIONS
285 + ARM_CPU_KEEP(PROC_INFO)
286 + }
287 +
288 ++ _etext = .; /* End of text section */
289 ++
290 + RO_DATA(PAGE_SIZE)
291 +
292 + #ifdef CONFIG_ARM_UNWIND
293 +@@ -122,8 +124,6 @@ SECTIONS
294 + }
295 + #endif
296 +
297 +- _etext = .; /* End of text and rodata section */
298 +-
299 + #ifndef CONFIG_XIP_KERNEL
300 + . = ALIGN(PAGE_SIZE);
301 + __init_begin = .;
302 diff --git a/arch/arm/lib/copy_from_user.S b/arch/arm/lib/copy_from_user.S
303 index 66a477a..bee61d3 100644
304 --- a/arch/arm/lib/copy_from_user.S
305 @@ -2210,7 +2232,7 @@ index c3a58a1..78fbf54 100644
306 /*
307 * Memory returned by kmalloc() may be used for DMA, so we must make
308 diff --git a/arch/avr32/include/asm/elf.h b/arch/avr32/include/asm/elf.h
309 -index 3b3159b..425ea94 100644
310 +index 3b3159b..425ea94d 100644
311 --- a/arch/avr32/include/asm/elf.h
312 +++ b/arch/avr32/include/asm/elf.h
313 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpregset_t;
314 @@ -28041,7 +28063,7 @@ index 6687022..ceabcfa 100644
315 + pax_force_retaddr
316 ret
317 diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
318 -index 5a5b6e4..2265c0f 100644
319 +index 5a5b6e4..37ccbe3 100644
320 --- a/arch/x86/net/bpf_jit_comp.c
321 +++ b/arch/x86/net/bpf_jit_comp.c
322 @@ -11,6 +11,7 @@
323 @@ -28052,7 +28074,7 @@ index 5a5b6e4..2265c0f 100644
324
325 /*
326 * Conventions :
327 -@@ -45,13 +46,87 @@ static inline u8 *emit_code(u8 *ptr, u32 bytes, unsigned int len)
328 +@@ -45,13 +46,84 @@ static inline u8 *emit_code(u8 *ptr, u32 bytes, unsigned int len)
329 return ptr + len;
330 }
331
332 @@ -28104,6 +28126,10 @@ index 5a5b6e4..2265c0f 100644
333 + /* mov esi, ecx */ \
334 + EMIT2(0x89, 0xce); \
335 + break; \
336 ++ case 0xe8: /* call rel imm32, always to known funcs */ \
337 ++ EMIT1(b1); \
338 ++ EMIT(_off, 4); \
339 ++ break; \
340 + case 0xe9: /* jmp rel imm32 */ \
341 + EMIT1(b1); \
342 + EMIT(_off, 4); \
343 @@ -28112,25 +28138,18 @@ index 5a5b6e4..2265c0f 100644
344 + EMIT(0xcccccccc, 4); \
345 + break; \
346 + default: \
347 -+ EMIT1(b1); \
348 -+ EMIT(_off, 4); \
349 ++ BUILD_BUG_ON(1); \
350 + } \
351 +} while (0)
352 +
353 +#define EMIT2_off32(b1, b2, _off) \
354 +do { \
355 -+ if ((b1) == 0x8d && (b2) == 0xb3) { /* lea esi, [rbx+imm32] */ \
356 -+ EMIT2(0x8d, 0xb3); /* lea esi, [rbx+randkey] */ \
357 -+ EMIT(randkey, 4); \
358 -+ EMIT2(0x8d, 0xb6); /* lea esi, [esi+off-randkey] */ \
359 -+ EMIT((_off) - randkey, 4); \
360 -+ } else if ((b1) == 0x69 && (b2) == 0xc0) { /* imul eax, imm32 */\
361 ++ if ((b1) == 0x69 && (b2) == 0xc0) { /* imul eax, imm32 */ \
362 + DILUTE_CONST_SEQUENCE(_off, randkey); \
363 + /* imul eax, ecx */ \
364 + EMIT3(0x0f, 0xaf, 0xc1); \
365 + } else { \
366 -+ EMIT2(b1, b2); \
367 -+ EMIT(_off, 4); \
368 ++ BUILD_BUG_ON(1); \
369 + } \
370 +} while (0)
371 +#else
372 @@ -28140,7 +28159,7 @@ index 5a5b6e4..2265c0f 100644
373
374 #define CLEAR_A() EMIT2(0x31, 0xc0) /* xor %eax,%eax */
375 #define CLEAR_X() EMIT2(0x31, 0xdb) /* xor %ebx,%ebx */
376 -@@ -86,6 +161,24 @@ do { \
377 +@@ -86,6 +158,24 @@ do { \
378 #define X86_JBE 0x76
379 #define X86_JA 0x77
380
381 @@ -28165,7 +28184,7 @@ index 5a5b6e4..2265c0f 100644
382 #define EMIT_COND_JMP(op, offset) \
383 do { \
384 if (is_near(offset)) \
385 -@@ -93,6 +186,7 @@ do { \
386 +@@ -93,6 +183,7 @@ do { \
387 else { \
388 EMIT2(0x0f, op + 0x10); \
389 EMIT(offset, 4); /* jxx .+off32 */ \
390 @@ -28173,7 +28192,7 @@ index 5a5b6e4..2265c0f 100644
391 } \
392 } while (0)
393
394 -@@ -117,10 +211,14 @@ static inline void bpf_flush_icache(void *start, void *end)
395 +@@ -117,10 +208,14 @@ static inline void bpf_flush_icache(void *start, void *end)
396 set_fs(old_fs);
397 }
398
399 @@ -28189,7 +28208,7 @@ index 5a5b6e4..2265c0f 100644
400 u8 *prog;
401 unsigned int proglen, oldproglen = 0;
402 int ilen, i;
403 -@@ -133,6 +231,9 @@ void bpf_jit_compile(struct sk_filter *fp)
404 +@@ -133,6 +228,9 @@ void bpf_jit_compile(struct sk_filter *fp)
405 unsigned int *addrs;
406 const struct sock_filter *filter = fp->insns;
407 int flen = fp->len;
408 @@ -28199,7 +28218,7 @@ index 5a5b6e4..2265c0f 100644
409
410 if (!bpf_jit_enable)
411 return;
412 -@@ -141,11 +242,19 @@ void bpf_jit_compile(struct sk_filter *fp)
413 +@@ -141,11 +239,19 @@ void bpf_jit_compile(struct sk_filter *fp)
414 if (addrs == NULL)
415 return;
416
417 @@ -28221,7 +28240,7 @@ index 5a5b6e4..2265c0f 100644
418 addrs[i] = proglen;
419 }
420 cleanup_addr = proglen; /* epilogue address */
421 -@@ -253,10 +362,8 @@ void bpf_jit_compile(struct sk_filter *fp)
422 +@@ -253,10 +359,8 @@ void bpf_jit_compile(struct sk_filter *fp)
423 case BPF_S_ALU_MUL_K: /* A *= K */
424 if (is_imm8(K))
425 EMIT3(0x6b, 0xc0, K); /* imul imm8,%eax,%eax */
426 @@ -28234,7 +28253,7 @@ index 5a5b6e4..2265c0f 100644
427 break;
428 case BPF_S_ALU_DIV_X: /* A /= X; */
429 seen |= SEEN_XREG;
430 -@@ -276,8 +383,14 @@ void bpf_jit_compile(struct sk_filter *fp)
431 +@@ -276,8 +380,14 @@ void bpf_jit_compile(struct sk_filter *fp)
432 EMIT4(0x31, 0xd2, 0xf7, 0xf3); /* xor %edx,%edx; div %ebx */
433 break;
434 case BPF_S_ALU_DIV_K: /* A = reciprocal_divide(A, K); */
435 @@ -28249,7 +28268,7 @@ index 5a5b6e4..2265c0f 100644
436 EMIT4(0x48, 0xc1, 0xe8, 0x20); /* shr $0x20,%rax */
437 break;
438 case BPF_S_ALU_AND_X:
439 -@@ -477,7 +590,7 @@ void bpf_jit_compile(struct sk_filter *fp)
440 +@@ -477,7 +587,7 @@ void bpf_jit_compile(struct sk_filter *fp)
441 common_load: seen |= SEEN_DATAREF;
442 if ((int)K < 0) {
443 /* Abort the JIT because __load_pointer() is needed. */
444 @@ -28258,7 +28277,7 @@ index 5a5b6e4..2265c0f 100644
445 }
446 t_offset = func - (image + addrs[i]);
447 EMIT1_off32(0xbe, K); /* mov imm32,%esi */
448 -@@ -492,7 +605,7 @@ common_load: seen |= SEEN_DATAREF;
449 +@@ -492,7 +602,7 @@ common_load: seen |= SEEN_DATAREF;
450 case BPF_S_LDX_B_MSH:
451 if ((int)K < 0) {
452 /* Abort the JIT because __load_pointer() is needed. */
453 @@ -28267,7 +28286,7 @@ index 5a5b6e4..2265c0f 100644
454 }
455 seen |= SEEN_DATAREF | SEEN_XREG;
456 t_offset = sk_load_byte_msh - (image + addrs[i]);
457 -@@ -582,17 +695,18 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
458 +@@ -582,17 +692,18 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
459 break;
460 default:
461 /* hmm, too complex filter, give up with jit compiler */
462 @@ -28290,7 +28309,7 @@ index 5a5b6e4..2265c0f 100644
463 }
464 proglen += ilen;
465 addrs[i] = proglen;
466 -@@ -613,11 +727,9 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
467 +@@ -613,11 +724,9 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
468 break;
469 }
470 if (proglen == oldproglen) {
471 @@ -28304,7 +28323,7 @@ index 5a5b6e4..2265c0f 100644
472 }
473 oldproglen = proglen;
474 }
475 -@@ -633,7 +745,10 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
476 +@@ -633,7 +742,10 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
477 bpf_flush_icache(image, image + proglen);
478
479 fp->bpf_func = (void *)image;
480 @@ -28316,7 +28335,7 @@ index 5a5b6e4..2265c0f 100644
481 out:
482 kfree(addrs);
483 return;
484 -@@ -641,18 +756,20 @@ out:
485 +@@ -641,18 +753,20 @@ out:
486
487 static void jit_free_defer(struct work_struct *arg)
488 {
489 @@ -32413,7 +32432,7 @@ index da3cfee..a5a6606 100644
490
491 *ppos = i;
492 diff --git a/drivers/char/random.c b/drivers/char/random.c
493 -index 8ae9235..ea94cf2 100644
494 +index 8ae9235..788c4ba 100644
495 --- a/drivers/char/random.c
496 +++ b/drivers/char/random.c
497 @@ -269,8 +269,13 @@
498 @@ -32467,36 +32486,94 @@ index 8ae9235..ea94cf2 100644
499 smp_wmb();
500
501 if (out)
502 -@@ -979,6 +992,10 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
503 +@@ -877,6 +890,7 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min,
504 + int reserved)
505 + {
506 + unsigned long flags;
507 ++ int wakeup_write = 0;
508 +
509 + /* Hold lock while accounting */
510 + spin_lock_irqsave(&r->lock, flags);
511 +@@ -889,19 +903,25 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min,
512 + if (r->entropy_count / 8 < min + reserved) {
513 + nbytes = 0;
514 + } else {
515 ++ int entropy_count, orig;
516 ++retry:
517 ++ entropy_count = orig = ACCESS_ONCE(r->entropy_count);
518 + /* If limited, never pull more than available */
519 +- if (r->limit && nbytes + reserved >= r->entropy_count / 8)
520 +- nbytes = r->entropy_count/8 - reserved;
521 ++ if (r->limit && nbytes + reserved >= entropy_count / 8)
522 ++ nbytes = entropy_count/8 - reserved;
523 +
524 +- if (r->entropy_count / 8 >= nbytes + reserved)
525 +- r->entropy_count -= nbytes*8;
526 +- else
527 +- r->entropy_count = reserved;
528 +-
529 +- if (r->entropy_count < random_write_wakeup_thresh) {
530 +- wake_up_interruptible(&random_write_wait);
531 +- kill_fasync(&fasync, SIGIO, POLL_OUT);
532 ++ if (entropy_count / 8 >= nbytes + reserved) {
533 ++ entropy_count -= nbytes*8;
534 ++ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
535 ++ goto retry;
536 ++ } else {
537 ++ entropy_count = reserved;
538 ++ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
539 ++ goto retry;
540 + }
541 ++
542 ++ if (entropy_count < random_write_wakeup_thresh)
543 ++ wakeup_write = 1;
544 + }
545 +
546 + DEBUG_ENT("debiting %d entropy credits from %s%s\n",
547 +@@ -909,6 +929,11 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min,
548 +
549 + spin_unlock_irqrestore(&r->lock, flags);
550 +
551 ++ if (wakeup_write) {
552 ++ wake_up_interruptible(&random_write_wait);
553 ++ kill_fasync(&fasync, SIGIO, POLL_OUT);
554 ++ }
555 ++
556 + return nbytes;
557 + }
558 +
559 +@@ -978,6 +1003,21 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
560 + {
561 ssize_t ret = 0, i;
562 __u8 tmp[EXTRACT_SIZE];
563 -
564 -+ /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */
565 -+ if (fips_enabled && !r->last_data_init)
566 -+ nbytes += EXTRACT_SIZE;
567 ++ unsigned long flags;
568 +
569 ++ /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */
570 ++ if (fips_enabled) {
571 ++ spin_lock_irqsave(&r->lock, flags);
572 ++ if (!r->last_data_init) {
573 ++ r->last_data_init = true;
574 ++ spin_unlock_irqrestore(&r->lock, flags);
575 ++ xfer_secondary_pool(r, EXTRACT_SIZE);
576 ++ extract_buf(r, tmp);
577 ++ spin_lock_irqsave(&r->lock, flags);
578 ++ memcpy(r->last_data, tmp, EXTRACT_SIZE);
579 ++ }
580 ++ spin_unlock_irqrestore(&r->lock, flags);
581 ++ }
582 +
583 xfer_secondary_pool(r, nbytes);
584 nbytes = account(r, nbytes, min, reserved);
585 +@@ -986,8 +1026,6 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
586 + extract_buf(r, tmp);
587
588 -@@ -988,6 +1005,17 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
589 if (fips_enabled) {
590 - unsigned long flags;
591 -
592 -+
593 -+ /* prime last_data value if need be, per fips 140-2 */
594 -+ if (!r->last_data_init) {
595 -+ spin_lock_irqsave(&r->lock, flags);
596 -+ memcpy(r->last_data, tmp, EXTRACT_SIZE);
597 -+ r->last_data_init = true;
598 -+ nbytes -= EXTRACT_SIZE;
599 -+ spin_unlock_irqrestore(&r->lock, flags);
600 -+ extract_buf(r, tmp);
601 -+ }
602 -+
603 +- unsigned long flags;
604 +-
605 spin_lock_irqsave(&r->lock, flags);
606 if (!memcmp(tmp, r->last_data, EXTRACT_SIZE))
607 panic("Hardware RNG duplicated output!\n");
608 -@@ -1028,7 +1056,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
609 +@@ -1028,7 +1066,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
610
611 extract_buf(r, tmp);
612 i = min_t(int, nbytes, EXTRACT_SIZE);
613 @@ -32505,7 +32582,7 @@ index 8ae9235..ea94cf2 100644
614 ret = -EFAULT;
615 break;
616 }
617 -@@ -1105,6 +1133,7 @@ static void init_std_data(struct entropy_store *r)
618 +@@ -1105,6 +1143,7 @@ static void init_std_data(struct entropy_store *r)
619
620 r->entropy_count = 0;
621 r->entropy_total = 0;
622 @@ -32513,7 +32590,7 @@ index 8ae9235..ea94cf2 100644
623 mix_pool_bytes(r, &now, sizeof(now), NULL);
624 for (i = r->poolinfo->POOLBYTES; i > 0; i -= sizeof(rv)) {
625 if (!arch_get_random_long(&rv))
626 -@@ -1379,7 +1408,7 @@ EXPORT_SYMBOL(generate_random_uuid);
627 +@@ -1379,7 +1418,7 @@ EXPORT_SYMBOL(generate_random_uuid);
628 #include <linux/sysctl.h>
629
630 static int min_read_thresh = 8, min_write_thresh;
631 @@ -32522,7 +32599,7 @@ index 8ae9235..ea94cf2 100644
632 static int max_write_thresh = INPUT_POOL_WORDS * 32;
633 static char sysctl_bootid[16];
634
635 -@@ -1395,7 +1424,7 @@ static char sysctl_bootid[16];
636 +@@ -1395,7 +1434,7 @@ static char sysctl_bootid[16];
637 static int proc_do_uuid(ctl_table *table, int write,
638 void __user *buffer, size_t *lenp, loff_t *ppos)
639 {
640 @@ -49494,10 +49571,10 @@ index 451b9b8..12e5a03 100644
641
642 out_free_fd:
643 diff --git a/fs/exec.c b/fs/exec.c
644 -index 312e297..437233e 100644
645 +index 312e297..4c133f2 100644
646 --- a/fs/exec.c
647 +++ b/fs/exec.c
648 -@@ -55,12 +55,34 @@
649 +@@ -55,12 +55,35 @@
650 #include <linux/pipe_fs_i.h>
651 #include <linux/oom.h>
652 #include <linux/compat.h>
653 @@ -49513,6 +49590,7 @@ index 312e297..437233e 100644
654 +#include <trace/events/fs.h>
655
656 #include <asm/uaccess.h>
657 ++#include <asm/sections.h>
658 #include <asm/mmu_context.h>
659 #include <asm/tlb.h>
660 #include "internal.h"
661 @@ -49532,7 +49610,7 @@ index 312e297..437233e 100644
662 int core_uses_pid;
663 char core_pattern[CORENAME_MAX_SIZE] = "core";
664 unsigned int core_pipe_limit;
665 -@@ -70,7 +92,7 @@ struct core_name {
666 +@@ -70,7 +93,7 @@ struct core_name {
667 char *corename;
668 int used, size;
669 };
670 @@ -49541,7 +49619,7 @@ index 312e297..437233e 100644
671
672 /* The maximal length of core_pattern is also specified in sysctl.c */
673
674 -@@ -82,8 +104,8 @@ int __register_binfmt(struct linux_binfmt * fmt, int insert)
675 +@@ -82,8 +105,8 @@ int __register_binfmt(struct linux_binfmt * fmt, int insert)
676 if (!fmt)
677 return -EINVAL;
678 write_lock(&binfmt_lock);
679 @@ -49552,7 +49630,7 @@ index 312e297..437233e 100644
680 write_unlock(&binfmt_lock);
681 return 0;
682 }
683 -@@ -93,7 +115,7 @@ EXPORT_SYMBOL(__register_binfmt);
684 +@@ -93,7 +116,7 @@ EXPORT_SYMBOL(__register_binfmt);
685 void unregister_binfmt(struct linux_binfmt * fmt)
686 {
687 write_lock(&binfmt_lock);
688 @@ -49561,7 +49639,7 @@ index 312e297..437233e 100644
689 write_unlock(&binfmt_lock);
690 }
691
692 -@@ -188,18 +210,10 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
693 +@@ -188,18 +211,10 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
694 int write)
695 {
696 struct page *page;
697 @@ -49583,7 +49661,7 @@ index 312e297..437233e 100644
698 return NULL;
699
700 if (write) {
701 -@@ -215,6 +229,17 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
702 +@@ -215,6 +230,17 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
703 if (size <= ARG_MAX)
704 return page;
705
706 @@ -49601,7 +49679,7 @@ index 312e297..437233e 100644
707 /*
708 * Limit to 1/4-th the stack size for the argv+env strings.
709 * This ensures that:
710 -@@ -274,6 +299,11 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
711 +@@ -274,6 +300,11 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
712 vma->vm_end = STACK_TOP_MAX;
713 vma->vm_start = vma->vm_end - PAGE_SIZE;
714 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
715 @@ -49613,7 +49691,7 @@ index 312e297..437233e 100644
716 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
717 INIT_LIST_HEAD(&vma->anon_vma_chain);
718
719 -@@ -288,6 +318,12 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
720 +@@ -288,6 +319,12 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
721 mm->stack_vm = mm->total_vm = 1;
722 up_write(&mm->mmap_sem);
723 bprm->p = vma->vm_end - sizeof(void *);
724 @@ -49626,7 +49704,7 @@ index 312e297..437233e 100644
725 return 0;
726 err:
727 up_write(&mm->mmap_sem);
728 -@@ -403,12 +439,12 @@ struct user_arg_ptr {
729 +@@ -403,12 +440,12 @@ struct user_arg_ptr {
730 union {
731 const char __user *const __user *native;
732 #ifdef CONFIG_COMPAT
733 @@ -49641,7 +49719,7 @@ index 312e297..437233e 100644
734 {
735 const char __user *native;
736
737 -@@ -417,14 +453,14 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
738 +@@ -417,14 +454,14 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
739 compat_uptr_t compat;
740
741 if (get_user(compat, argv.ptr.compat + nr))
742 @@ -49658,7 +49736,7 @@ index 312e297..437233e 100644
743
744 return native;
745 }
746 -@@ -443,11 +479,12 @@ static int count(struct user_arg_ptr argv, int max)
747 +@@ -443,11 +480,12 @@ static int count(struct user_arg_ptr argv, int max)
748 if (!p)
749 break;
750
751 @@ -49673,7 +49751,7 @@ index 312e297..437233e 100644
752
753 if (fatal_signal_pending(current))
754 return -ERESTARTNOHAND;
755 -@@ -477,7 +514,7 @@ static int copy_strings(int argc, struct user_arg_ptr argv,
756 +@@ -477,7 +515,7 @@ static int copy_strings(int argc, struct user_arg_ptr argv,
757
758 ret = -EFAULT;
759 str = get_user_arg_ptr(argv, argc);
760 @@ -49682,7 +49760,7 @@ index 312e297..437233e 100644
761 goto out;
762
763 len = strnlen_user(str, MAX_ARG_STRLEN);
764 -@@ -559,7 +596,7 @@ int copy_strings_kernel(int argc, const char *const *__argv,
765 +@@ -559,7 +597,7 @@ int copy_strings_kernel(int argc, const char *const *__argv,
766 int r;
767 mm_segment_t oldfs = get_fs();
768 struct user_arg_ptr argv = {
769 @@ -49691,7 +49769,7 @@ index 312e297..437233e 100644
770 };
771
772 set_fs(KERNEL_DS);
773 -@@ -594,7 +631,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
774 +@@ -594,7 +632,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
775 unsigned long new_end = old_end - shift;
776 struct mmu_gather tlb;
777
778 @@ -49701,7 +49779,7 @@ index 312e297..437233e 100644
779
780 /*
781 * ensure there are no vmas between where we want to go
782 -@@ -603,6 +641,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
783 +@@ -603,6 +642,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
784 if (vma != find_vma(mm, new_start))
785 return -EFAULT;
786
787 @@ -49712,7 +49790,7 @@ index 312e297..437233e 100644
788 /*
789 * cover the whole range: [new_start, old_end)
790 */
791 -@@ -683,10 +725,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
792 +@@ -683,10 +726,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
793 stack_top = arch_align_stack(stack_top);
794 stack_top = PAGE_ALIGN(stack_top);
795
796 @@ -49723,7 +49801,7 @@ index 312e297..437233e 100644
797 stack_shift = vma->vm_end - stack_top;
798
799 bprm->p -= stack_shift;
800 -@@ -698,8 +736,28 @@ int setup_arg_pages(struct linux_binprm *bprm,
801 +@@ -698,8 +737,28 @@ int setup_arg_pages(struct linux_binprm *bprm,
802 bprm->exec -= stack_shift;
803
804 down_write(&mm->mmap_sem);
805 @@ -49752,7 +49830,7 @@ index 312e297..437233e 100644
806 /*
807 * Adjust stack execute permissions; explicitly enable for
808 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
809 -@@ -718,13 +776,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
810 +@@ -718,13 +777,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
811 goto out_unlock;
812 BUG_ON(prev != vma);
813
814 @@ -49766,7 +49844,7 @@ index 312e297..437233e 100644
815 /* mprotect_fixup is overkill to remove the temporary stack flags */
816 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
817
818 -@@ -748,6 +799,27 @@ int setup_arg_pages(struct linux_binprm *bprm,
819 +@@ -748,6 +800,27 @@ int setup_arg_pages(struct linux_binprm *bprm,
820 #endif
821 current->mm->start_stack = bprm->p;
822 ret = expand_stack(vma, stack_base);
823 @@ -49794,7 +49872,7 @@ index 312e297..437233e 100644
824 if (ret)
825 ret = -EFAULT;
826
827 -@@ -782,6 +854,8 @@ struct file *open_exec(const char *name)
828 +@@ -782,6 +855,8 @@ struct file *open_exec(const char *name)
829
830 fsnotify_open(file);
831
832 @@ -49803,7 +49881,7 @@ index 312e297..437233e 100644
833 err = deny_write_access(file);
834 if (err)
835 goto exit;
836 -@@ -805,7 +879,7 @@ int kernel_read(struct file *file, loff_t offset,
837 +@@ -805,7 +880,7 @@ int kernel_read(struct file *file, loff_t offset,
838 old_fs = get_fs();
839 set_fs(get_ds());
840 /* The cast to a user pointer is valid due to the set_fs() */
841 @@ -49812,7 +49890,7 @@ index 312e297..437233e 100644
842 set_fs(old_fs);
843 return result;
844 }
845 -@@ -1070,6 +1144,21 @@ void set_task_comm(struct task_struct *tsk, char *buf)
846 +@@ -1070,6 +1145,21 @@ void set_task_comm(struct task_struct *tsk, char *buf)
847 perf_event_comm(tsk);
848 }
849
850 @@ -49834,7 +49912,7 @@ index 312e297..437233e 100644
851 int flush_old_exec(struct linux_binprm * bprm)
852 {
853 int retval;
854 -@@ -1084,6 +1173,7 @@ int flush_old_exec(struct linux_binprm * bprm)
855 +@@ -1084,6 +1174,7 @@ int flush_old_exec(struct linux_binprm * bprm)
856
857 set_mm_exe_file(bprm->mm, bprm->file);
858
859 @@ -49842,7 +49920,7 @@ index 312e297..437233e 100644
860 /*
861 * Release all of the old mmap stuff
862 */
863 -@@ -1116,10 +1206,6 @@ EXPORT_SYMBOL(would_dump);
864 +@@ -1116,10 +1207,6 @@ EXPORT_SYMBOL(would_dump);
865
866 void setup_new_exec(struct linux_binprm * bprm)
867 {
868 @@ -49853,7 +49931,7 @@ index 312e297..437233e 100644
869 arch_pick_mmap_layout(current->mm);
870
871 /* This is the point of no return */
872 -@@ -1130,18 +1216,7 @@ void setup_new_exec(struct linux_binprm * bprm)
873 +@@ -1130,18 +1217,7 @@ void setup_new_exec(struct linux_binprm * bprm)
874 else
875 set_dumpable(current->mm, suid_dumpable);
876
877 @@ -49873,7 +49951,7 @@ index 312e297..437233e 100644
878
879 /* Set the new mm task size. We have to do that late because it may
880 * depend on TIF_32BIT which is only updated in flush_thread() on
881 -@@ -1266,7 +1341,7 @@ int check_unsafe_exec(struct linux_binprm *bprm)
882 +@@ -1266,7 +1342,7 @@ int check_unsafe_exec(struct linux_binprm *bprm)
883 }
884 rcu_read_unlock();
885
886 @@ -49882,7 +49960,7 @@ index 312e297..437233e 100644
887 bprm->unsafe |= LSM_UNSAFE_SHARE;
888 } else {
889 res = -EAGAIN;
890 -@@ -1461,6 +1536,31 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
891 +@@ -1461,6 +1537,31 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
892
893 EXPORT_SYMBOL(search_binary_handler);
894
895 @@ -49914,7 +49992,7 @@ index 312e297..437233e 100644
896 /*
897 * sys_execve() executes a new program.
898 */
899 -@@ -1469,6 +1569,11 @@ static int do_execve_common(const char *filename,
900 +@@ -1469,6 +1570,11 @@ static int do_execve_common(const char *filename,
901 struct user_arg_ptr envp,
902 struct pt_regs *regs)
903 {
904 @@ -49926,7 +50004,7 @@ index 312e297..437233e 100644
905 struct linux_binprm *bprm;
906 struct file *file;
907 struct files_struct *displaced;
908 -@@ -1476,6 +1581,8 @@ static int do_execve_common(const char *filename,
909 +@@ -1476,6 +1582,8 @@ static int do_execve_common(const char *filename,
910 int retval;
911 const struct cred *cred = current_cred();
912
913 @@ -49935,7 +50013,7 @@ index 312e297..437233e 100644
914 /*
915 * We move the actual failure in case of RLIMIT_NPROC excess from
916 * set*uid() to execve() because too many poorly written programs
917 -@@ -1516,12 +1623,27 @@ static int do_execve_common(const char *filename,
918 +@@ -1516,12 +1624,27 @@ static int do_execve_common(const char *filename,
919 if (IS_ERR(file))
920 goto out_unmark;
921
922 @@ -49963,7 +50041,7 @@ index 312e297..437233e 100644
923 retval = bprm_mm_init(bprm);
924 if (retval)
925 goto out_file;
926 -@@ -1538,24 +1660,65 @@ static int do_execve_common(const char *filename,
927 +@@ -1538,24 +1661,65 @@ static int do_execve_common(const char *filename,
928 if (retval < 0)
929 goto out;
930
931 @@ -50033,7 +50111,7 @@ index 312e297..437233e 100644
932 current->fs->in_exec = 0;
933 current->in_execve = 0;
934 acct_update_integrals(current);
935 -@@ -1564,6 +1727,14 @@ static int do_execve_common(const char *filename,
936 +@@ -1564,6 +1728,14 @@ static int do_execve_common(const char *filename,
937 put_files_struct(displaced);
938 return retval;
939
940 @@ -50048,7 +50126,7 @@ index 312e297..437233e 100644
941 out:
942 if (bprm->mm) {
943 acct_arg_size(bprm, 0);
944 -@@ -1637,7 +1808,7 @@ static int expand_corename(struct core_name *cn)
945 +@@ -1637,7 +1809,7 @@ static int expand_corename(struct core_name *cn)
946 {
947 char *old_corename = cn->corename;
948
949 @@ -50057,7 +50135,7 @@ index 312e297..437233e 100644
950 cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
951
952 if (!cn->corename) {
953 -@@ -1734,7 +1905,7 @@ static int format_corename(struct core_name *cn, long signr)
954 +@@ -1734,7 +1906,7 @@ static int format_corename(struct core_name *cn, long signr)
955 int pid_in_pattern = 0;
956 int err = 0;
957
958 @@ -50066,7 +50144,7 @@ index 312e297..437233e 100644
959 cn->corename = kmalloc(cn->size, GFP_KERNEL);
960 cn->used = 0;
961
962 -@@ -1831,6 +2002,250 @@ out:
963 +@@ -1831,6 +2003,280 @@ out:
964 return ispipe;
965 }
966
967 @@ -50271,7 +50349,30 @@ index 312e297..437233e 100644
968 +}
969 +#endif
970 +
971 -+void __check_object_size(const void *ptr, unsigned long n, bool to)
972 ++#ifdef CONFIG_PAX_USERCOPY
973 ++static inline bool check_kernel_text_object(unsigned long low, unsigned long high)
974 ++{
975 ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
976 ++ unsigned long textlow = ktla_ktva((unsigned long)_stext);
977 ++#ifdef CONFIG_MODULES
978 ++ unsigned long texthigh = (unsigned long)MODULES_EXEC_VADDR;
979 ++#else
980 ++ unsigned long texthigh = ktla_ktva((unsigned long)_etext);
981 ++#endif
982 ++
983 ++#else
984 ++ unsigned long textlow = _stext;
985 ++ unsigned long texthigh = _etext;
986 ++#endif
987 ++
988 ++ if (high <= textlow || low > texthigh)
989 ++ return false;
990 ++ else
991 ++ return true;
992 ++}
993 ++#endif
994 ++
995 ++void __check_object_size(const void *ptr, unsigned long n, bool to_user)
996 +{
997 +
998 +#ifdef CONFIG_PAX_USERCOPY
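Review bot: In the non-KERNEXEC branch of check_kernel_text_object, `unsigned long textlow = _stext;` and `unsigned long texthigh = _etext;` convert the section symbols to integers with no cast; if those are the usual `char []` linker symbols, GCC warns (integer from pointer without a cast) and a -Werror build fails, so they should read `unsigned long textlow = (unsigned long)_stext;` and `unsigned long texthigh = (unsigned long)_etext;`, matching the KERNEXEC branch just above. The overlap test also looks one off at the top bound: `high` is the exclusive end of the object (its caller in the next hunk passes `(unsigned long)ptr + n`), and if `_etext` likewise marks one past the end of text, an object that starts exactly at `_etext` is reported as `<kernel text>`; `low >= texthigh` would be the matching comparison. Both changes stay inside this hunk; `__check_object_size`, which calls the new helper, continues in the following hunk.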
999 @@ -50282,12 +50383,19 @@ index 312e297..437233e 100644
1000 +
1001 + type = check_heap_object(ptr, n);
1002 + if (!type) {
1003 -+ if (check_stack_object(ptr, n) != -1)
1004 ++ int ret = check_stack_object(ptr, n);
1005 ++ if (ret == 1 || ret == 2)
1006 + return;
1007 -+ type = "<process stack>";
1008 ++ if (ret == 0) {
1009 ++ if (check_kernel_text_object((unsigned long)ptr, (unsigned long)ptr + n))
1010 ++ type = "<kernel text>";
1011 ++ else
1012 ++ return;
1013 ++ } else
1014 ++ type = "<process stack>";
1015 + }
1016 +
1017 -+ pax_report_usercopy(ptr, n, to, type);
1018 ++ pax_report_usercopy(ptr, n, to_user, type);
1019 +#endif
1020 +
1021 +}
1022 @@ -50317,7 +50425,7 @@ index 312e297..437233e 100644
1023 static int zap_process(struct task_struct *start, int exit_code)
1024 {
1025 struct task_struct *t;
1026 -@@ -2004,17 +2419,17 @@ static void coredump_finish(struct mm_struct *mm)
1027 +@@ -2004,17 +2450,17 @@ static void coredump_finish(struct mm_struct *mm)
1028 void set_dumpable(struct mm_struct *mm, int value)
1029 {
1030 switch (value) {
1031 @@ -50338,7 +50446,7 @@ index 312e297..437233e 100644
1032 set_bit(MMF_DUMP_SECURELY, &mm->flags);
1033 smp_wmb();
1034 set_bit(MMF_DUMPABLE, &mm->flags);
1035 -@@ -2027,7 +2442,7 @@ static int __get_dumpable(unsigned long mm_flags)
1036 +@@ -2027,7 +2473,7 @@ static int __get_dumpable(unsigned long mm_flags)
1037 int ret;
1038
1039 ret = mm_flags & MMF_DUMPABLE_MASK;
1040 @@ -50347,7 +50455,7 @@ index 312e297..437233e 100644
1041 }
1042
1043 int get_dumpable(struct mm_struct *mm)
1044 -@@ -2042,17 +2457,17 @@ static void wait_for_dump_helpers(struct file *file)
1045 +@@ -2042,17 +2488,17 @@ static void wait_for_dump_helpers(struct file *file)
1046 pipe = file->f_path.dentry->d_inode->i_pipe;
1047
1048 pipe_lock(pipe);
1049 @@ -50370,7 +50478,7 @@ index 312e297..437233e 100644
1050 pipe_unlock(pipe);
1051
1052 }
1053 -@@ -2113,7 +2528,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
1054 +@@ -2113,7 +2559,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
1055 int retval = 0;
1056 int flag = 0;
1057 int ispipe;
1058 @@ -50380,7 +50488,7 @@ index 312e297..437233e 100644
1059 struct coredump_params cprm = {
1060 .signr = signr,
1061 .regs = regs,
1062 -@@ -2128,6 +2544,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
1063 +@@ -2128,6 +2575,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
1064
1065 audit_core_dumps(signr);
1066
1067 @@ -50390,7 +50498,7 @@ index 312e297..437233e 100644
1068 binfmt = mm->binfmt;
1069 if (!binfmt || !binfmt->core_dump)
1070 goto fail;
1071 -@@ -2138,14 +2557,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
1072 +@@ -2138,14 +2588,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
1073 if (!cred)
1074 goto fail;
1075 /*
1076 @@ -50411,7 +50519,7 @@ index 312e297..437233e 100644
1077 }
1078
1079 retval = coredump_wait(exit_code, &core_state);
1080 -@@ -2195,7 +2616,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
1081 +@@ -2195,7 +2647,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
1082 }
1083 cprm.limit = RLIM_INFINITY;
1084
1085 @@ -50420,7 +50528,7 @@ index 312e297..437233e 100644
1086 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
1087 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
1088 task_tgid_vnr(current), current->comm);
1089 -@@ -2222,9 +2643,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
1090 +@@ -2222,9 +2674,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
1091 } else {
1092 struct inode *inode;
1093
1094 @@ -50440,7 +50548,7 @@ index 312e297..437233e 100644
1095 cprm.file = filp_open(cn.corename,
1096 O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag,
1097 0600);
1098 -@@ -2265,7 +2696,7 @@ close_fail:
1099 +@@ -2265,7 +2727,7 @@ close_fail:
1100 filp_close(cprm.file, NULL);
1101 fail_dropcount:
1102 if (ispipe)
1103 @@ -50449,7 +50557,7 @@ index 312e297..437233e 100644
1104 fail_unlock:
1105 kfree(cn.corename);
1106 fail_corename:
1107 -@@ -2284,7 +2715,7 @@ fail:
1108 +@@ -2284,7 +2746,7 @@ fail:
1109 */
1110 int dump_write(struct file *file, const void *addr, int nr)
1111 {
1112 @@ -50753,6 +50861,39 @@ index cc386b2..22725d2 100644
1113
1114 static int __init ext4_init_feat_adverts(void)
1115 {
1116 +diff --git a/fs/fat/inode.c b/fs/fat/inode.c
1117 +index 808cac7..fc33ca1 100644
1118 +--- a/fs/fat/inode.c
1119 ++++ b/fs/fat/inode.c
1120 +@@ -1238,6 +1238,19 @@ static int fat_read_root(struct inode *inode)
1121 + return 0;
1122 + }
1123 +
1124 ++static unsigned long calc_fat_clusters(struct super_block *sb)
1125 ++{
1126 ++ struct msdos_sb_info *sbi = MSDOS_SB(sb);
1127 ++
1128 ++ /* Divide first to avoid overflow */
1129 ++ if (sbi->fat_bits != 12) {
1130 ++ unsigned long ent_per_sec = sb->s_blocksize * 8 / sbi->fat_bits;
1131 ++ return ent_per_sec * sbi->fat_length;
1132 ++ }
1133 ++
1134 ++ return sbi->fat_length * sb->s_blocksize * 8 / sbi->fat_bits;
1135 ++}
1136 ++
1137 + /*
1138 + * Read the super block of an MS-DOS FS.
1139 + */
1140 +@@ -1434,7 +1447,7 @@ int fat_fill_super(struct super_block *sb, void *data, int silent, int isvfat,
1141 + sbi->fat_bits = (total_clusters > MAX_FAT12) ? 16 : 12;
1142 +
1143 + /* check that FAT table does not overflow */
1144 +- fat_clusters = sbi->fat_length * sb->s_blocksize * 8 / sbi->fat_bits;
1145 ++ fat_clusters = calc_fat_clusters(sb);
1146 + total_clusters = min(total_clusters, fat_clusters - FAT_START_ENT);
1147 + if (total_clusters > MAX_FAT(sb)) {
1148 + if (!silent)
1149 diff --git a/fs/fat/namei_msdos.c b/fs/fat/namei_msdos.c
1150 index 216b419..350a088 100644
1151 --- a/fs/fat/namei_msdos.c
1152 @@ -67711,7 +67852,7 @@ index dfadc96..23c5182 100644
1153
1154 #if __GNUC_MINOR__ > 0
1155 diff --git a/include/linux/compiler.h b/include/linux/compiler.h
1156 -index 320d6c9..df26a76 100644
1157 +index 320d6c9..2d1df6b 100644
1158 --- a/include/linux/compiler.h
1159 +++ b/include/linux/compiler.h
1160 @@ -5,31 +5,51 @@
1161 @@ -67824,22 +67965,26 @@ index 320d6c9..df26a76 100644
1162 /* Simple shorthand for a section definition */
1163 #ifndef __section
1164 # define __section(S) __attribute__ ((__section__(#S)))
1165 -@@ -294,6 +348,14 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
1166 - # define __compiletime_error(message)
1167 +@@ -292,6 +346,18 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
1168 #endif
1169 -
1170 + #ifndef __compiletime_error
1171 + # define __compiletime_error(message)
1172 ++# define __compiletime_error_fallback(condition) \
1173 ++ do { ((void)sizeof(char[1 - 2*!!(condition)])); } while (0)
1174 ++#else
1175 ++# define __compiletime_error_fallback(condition) do { } while (0)
1176 ++#endif
1177 ++
1178 +#ifndef __size_overflow
1179 +# define __size_overflow(...)
1180 +#endif
1181 +
1182 +#ifndef __intentional_overflow
1183 +# define __intentional_overflow(...)
1184 -+#endif
1185 -+
1186 + #endif
1187 +
1188 /*
1189 - * Prevent the compiler from merging or refetching accesses. The compiler
1190 - * is also forbidden from reordering successive instances of ACCESS_ONCE(),
1191 -@@ -306,6 +368,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
1192 +@@ -306,6 +372,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
1193 * use is to mediate communication between process-level code and irq/NMI
1194 * handlers, all running on the same CPU.
1195 */
1196 @@ -69802,6 +69947,53 @@ index 3875719..4cd454c 100644
1197
1198 /* This macro allows us to keep printk typechecking */
1199 static __printf(1, 2)
1200 +diff --git a/include/linux/kernel.h b/include/linux/kernel.h
1201 +index a70783d..77f7750 100644
1202 +--- a/include/linux/kernel.h
1203 ++++ b/include/linux/kernel.h
1204 +@@ -696,24 +696,30 @@ static inline void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) { }
1205 + * @condition: the condition which the compiler should know is false.
1206 + *
1207 + * If you have some code which relies on certain constants being equal, or
1208 +- * other compile-time-evaluated condition, you should use BUILD_BUG_ON to
1209 ++ * some other compile-time-evaluated condition, you should use BUILD_BUG_ON to
1210 + * detect if someone changes it.
1211 + *
1212 +- * The implementation uses gcc's reluctance to create a negative array, but
1213 +- * gcc (as of 4.4) only emits that error for obvious cases (eg. not arguments
1214 +- * to inline functions). So as a fallback we use the optimizer; if it can't
1215 +- * prove the condition is false, it will cause a link error on the undefined
1216 +- * "__build_bug_on_failed". This error message can be harder to track down
1217 +- * though, hence the two different methods.
1218 ++ * The implementation uses gcc's reluctance to create a negative array, but gcc
1219 ++ * (as of 4.4) only emits that error for obvious cases (e.g. not arguments to
1220 ++ * inline functions). Luckily, in 4.3 they added the "error" function
1221 ++ * attribute just for this type of case. Thus, we use a negative sized array
1222 ++ * (should always create an error on gcc versions older than 4.4) and then call
1223 ++ * an undefined function with the error attribute (should always create an
1224 ++ * error on gcc 4.3 and later). If for some reason, neither creates a
1225 ++ * compile-time error, we'll still have a link-time error, which is harder to
1226 ++ * track down.
1227 + */
1228 + #ifndef __OPTIMIZE__
1229 + #define BUILD_BUG_ON(condition) ((void)sizeof(char[1 - 2*!!(condition)]))
1230 + #else
1231 +-extern int __build_bug_on_failed;
1232 +-#define BUILD_BUG_ON(condition) \
1233 +- do { \
1234 +- ((void)sizeof(char[1 - 2*!!(condition)])); \
1235 +- if (condition) __build_bug_on_failed = 1; \
1236 ++#define BUILD_BUG_ON(condition) \
1237 ++ do { \
1238 ++ bool __cond = !!(condition); \
1239 ++ extern void __build_bug_on_failed(void) \
1240 ++ __compiletime_error("BUILD_BUG_ON failed"); \
1241 ++ if (__cond) \
1242 ++ __build_bug_on_failed(); \
1243 ++ __compiletime_error_fallback(__cond); \
1244 + } while(0)
1245 + #endif
1246 + #endif /* __CHECKER__ */
1247 diff --git a/include/linux/key-type.h b/include/linux/key-type.h
1248 index 9efd081..19f989c 100644
1249 --- a/include/linux/key-type.h
1250 @@ -80550,7 +80742,7 @@ index 2a07f97..2cdc054 100644
1251 set_page_address(page, (void *)vaddr);
1252
1253 diff --git a/mm/huge_memory.c b/mm/huge_memory.c
1254 -index 470cbb4..8d01b5a 100644
1255 +index 470cbb4..9fd73bc 100644
1256 --- a/mm/huge_memory.c
1257 +++ b/mm/huge_memory.c
1258 @@ -704,7 +704,7 @@ out:
1259 @@ -80562,6 +80754,20 @@ index 470cbb4..8d01b5a 100644
1260 return VM_FAULT_OOM;
1261 /* if an huge pmd materialized from under us just retry later */
1262 if (unlikely(pmd_trans_huge(*pmd)))
1263 +@@ -1937,7 +1937,12 @@ static void collapse_huge_page(struct mm_struct *mm,
1264 + pte_unmap(pte);
1265 + spin_lock(&mm->page_table_lock);
1266 + BUG_ON(!pmd_none(*pmd));
1267 +- set_pmd_at(mm, address, pmd, _pmd);
1268 ++ /*
1269 ++ * We can only use set_pmd_at when establishing
1270 ++ * hugepmds and never for establishing regular pmds that
1271 ++ * points to regular pagetables. Use pmd_populate for that
1272 ++ */
1273 ++ pmd_populate(mm, pmd, pmd_pgtable(_pmd));
1274 + spin_unlock(&mm->page_table_lock);
1275 + anon_vma_unlock(vma->anon_vma);
1276 + goto out;
1277 diff --git a/mm/hugetlb.c b/mm/hugetlb.c
1278 index 70b4733..ab692a7 100644
1279 --- a/mm/hugetlb.c
1280
1281 diff --git a/3.9.4/0000_README b/3.9.4/0000_README
1282 index 5540390..66c5468 100644
1283 --- a/3.9.4/0000_README
1284 +++ b/3.9.4/0000_README
1285 @@ -2,7 +2,7 @@ README
1286 -----------------------------------------------------------------------------
1287 Individual Patch Descriptions:
1288 -----------------------------------------------------------------------------
1289 -Patch: 4420_grsecurity-2.9.1-3.9.4-201305251009.patch
1290 +Patch: 4420_grsecurity-2.9.1-3.9.4-201305292151.patch
1291 From: http://www.grsecurity.net
1292 Desc: hardened-sources base patch from upstream grsecurity
1293
1294
1295 diff --git a/3.9.4/4420_grsecurity-2.9.1-3.9.4-201305251009.patch b/3.9.4/4420_grsecurity-2.9.1-3.9.4-201305292151.patch
1296 similarity index 99%
1297 rename from 3.9.4/4420_grsecurity-2.9.1-3.9.4-201305251009.patch
1298 rename to 3.9.4/4420_grsecurity-2.9.1-3.9.4-201305292151.patch
1299 index 6715b49..8cdedca 100644
1300 --- a/3.9.4/4420_grsecurity-2.9.1-3.9.4-201305251009.patch
1301 +++ b/3.9.4/4420_grsecurity-2.9.1-3.9.4-201305292151.patch
1302 @@ -17725,6 +17725,19 @@ index 74467fe..18793d5 100644
1303 crash_fixup_ss_esp(&fixed_regs, regs);
1304 regs = &fixed_regs;
1305 }
1306 +diff --git a/arch/x86/kernel/crash_dump_64.c b/arch/x86/kernel/crash_dump_64.c
1307 +index afa64ad..dce67dd 100644
1308 +--- a/arch/x86/kernel/crash_dump_64.c
1309 ++++ b/arch/x86/kernel/crash_dump_64.c
1310 +@@ -36,7 +36,7 @@ ssize_t copy_oldmem_page(unsigned long pfn, char *buf,
1311 + return -ENOMEM;
1312 +
1313 + if (userbuf) {
1314 +- if (copy_to_user(buf, vaddr + offset, csize)) {
1315 ++ if (copy_to_user((char __force_user *)buf, vaddr + offset, csize)) {
1316 + iounmap(vaddr);
1317 + return -EFAULT;
1318 + }
1319 diff --git a/arch/x86/kernel/doublefault_32.c b/arch/x86/kernel/doublefault_32.c
1320 index 37250fe..bf2ec74 100644
1321 --- a/arch/x86/kernel/doublefault_32.c
1322 @@ -29551,7 +29564,7 @@ index 877b9a1..a8ecf42 100644
1323 + pax_force_retaddr
1324 ret
1325 diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
1326 -index 3cbe4538..fd756dc 100644
1327 +index 3cbe4538..003d011 100644
1328 --- a/arch/x86/net/bpf_jit_comp.c
1329 +++ b/arch/x86/net/bpf_jit_comp.c
1330 @@ -12,6 +12,7 @@
1331 @@ -29562,7 +29575,7 @@ index 3cbe4538..fd756dc 100644
1332
1333 /*
1334 * Conventions :
1335 -@@ -49,13 +50,87 @@ static inline u8 *emit_code(u8 *ptr, u32 bytes, unsigned int len)
1336 +@@ -49,13 +50,90 @@ static inline u8 *emit_code(u8 *ptr, u32 bytes, unsigned int len)
1337 return ptr + len;
1338 }
1339
1340 @@ -29599,6 +29612,7 @@ index 3cbe4538..fd756dc 100644
1341 + case 0x25: /* and eax, imm32 */ \
1342 + case 0x0d: /* or eax, imm32 */ \
1343 + case 0xb8: /* mov eax, imm32 */ \
1344 ++ case 0x35: /* xor eax, imm32 */ \
1345 + case 0x3d: /* cmp eax, imm32 */ \
1346 + case 0xa9: /* test eax, imm32 */ \
1347 + DILUTE_CONST_SEQUENCE(_off, randkey); \
1348 @@ -29614,6 +29628,10 @@ index 3cbe4538..fd756dc 100644
1349 + /* mov esi, ecx */ \
1350 + EMIT2(0x89, 0xce); \
1351 + break; \
1352 ++ case 0xe8: /* call rel imm32, always to known funcs */ \
1353 ++ EMIT1(b1); \
1354 ++ EMIT(_off, 4); \
1355 ++ break; \
1356 + case 0xe9: /* jmp rel imm32 */ \
1357 + EMIT1(b1); \
1358 + EMIT(_off, 4); \
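Review bot: The new `case 0xe8` body is identical to the `case 0xe9` body directly below it (`EMIT1(b1); EMIT(_off, 4);`), so the call case can simply fall through instead of duplicating it: `case 0xe8: /* call rel imm32, always to known funcs */` immediately followed by `case 0xe9: /* jmp rel imm32 */`. The comment should also say why these two opcodes are exempt from the constant dilution applied to the immediate-operand cases above, e.g. `/* displacement is computed by the JIT from the image layout, never taken from the filter's K, so it is not attacker-controlled */` — that holds for the callers visible here, but I cannot see every user of this macro. The enclosing emit macro starts and ends outside this hunk.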
1359 @@ -29622,8 +29640,7 @@ index 3cbe4538..fd756dc 100644
1360 + EMIT(0xcccccccc, 4); \
1361 + break; \
1362 + default: \
1363 -+ EMIT1(b1); \
1364 -+ EMIT(_off, 4); \
1365 ++ BUILD_BUG(); \
1366 + } \
1367 +} while (0)
1368 +
1369 @@ -29639,8 +29656,7 @@ index 3cbe4538..fd756dc 100644
1370 + /* imul eax, ecx */ \
1371 + EMIT3(0x0f, 0xaf, 0xc1); \
1372 + } else { \
1373 -+ EMIT2(b1, b2); \
1374 -+ EMIT(_off, 4); \
1375 ++ BUILD_BUG(); \
1376 + } \
1377 +} while (0)
1378 +#else
1379 @@ -29650,7 +29666,7 @@ index 3cbe4538..fd756dc 100644
1380
1381 #define CLEAR_A() EMIT2(0x31, 0xc0) /* xor %eax,%eax */
1382 #define CLEAR_X() EMIT2(0x31, 0xdb) /* xor %ebx,%ebx */
1383 -@@ -90,6 +165,24 @@ do { \
1384 +@@ -90,6 +168,24 @@ do { \
1385 #define X86_JBE 0x76
1386 #define X86_JA 0x77
1387
1388 @@ -29675,7 +29691,7 @@ index 3cbe4538..fd756dc 100644
1389 #define EMIT_COND_JMP(op, offset) \
1390 do { \
1391 if (is_near(offset)) \
1392 -@@ -97,6 +190,7 @@ do { \
1393 +@@ -97,6 +193,7 @@ do { \
1394 else { \
1395 EMIT2(0x0f, op + 0x10); \
1396 EMIT(offset, 4); /* jxx .+off32 */ \
1397 @@ -29683,7 +29699,7 @@ index 3cbe4538..fd756dc 100644
1398 } \
1399 } while (0)
1400
1401 -@@ -121,6 +215,11 @@ static inline void bpf_flush_icache(void *start, void *end)
1402 +@@ -121,6 +218,11 @@ static inline void bpf_flush_icache(void *start, void *end)
1403 set_fs(old_fs);
1404 }
1405
1406 @@ -29695,7 +29711,7 @@ index 3cbe4538..fd756dc 100644
1407 #define CHOOSE_LOAD_FUNC(K, func) \
1408 ((int)K < 0 ? ((int)K >= SKF_LL_OFF ? func##_negative_offset : func) : func##_positive_offset)
1409
1410 -@@ -146,7 +245,7 @@ static int pkt_type_offset(void)
1411 +@@ -146,7 +248,7 @@ static int pkt_type_offset(void)
1412
1413 void bpf_jit_compile(struct sk_filter *fp)
1414 {
1415 @@ -29704,7 +29720,7 @@ index 3cbe4538..fd756dc 100644
1416 u8 *prog;
1417 unsigned int proglen, oldproglen = 0;
1418 int ilen, i;
1419 -@@ -159,6 +258,9 @@ void bpf_jit_compile(struct sk_filter *fp)
1420 +@@ -159,6 +261,9 @@ void bpf_jit_compile(struct sk_filter *fp)
1421 unsigned int *addrs;
1422 const struct sock_filter *filter = fp->insns;
1423 int flen = fp->len;
1424 @@ -29714,7 +29730,7 @@ index 3cbe4538..fd756dc 100644
1425
1426 if (!bpf_jit_enable)
1427 return;
1428 -@@ -167,11 +269,19 @@ void bpf_jit_compile(struct sk_filter *fp)
1429 +@@ -167,11 +272,19 @@ void bpf_jit_compile(struct sk_filter *fp)
1430 if (addrs == NULL)
1431 return;
1432
1433 @@ -29736,7 +29752,7 @@ index 3cbe4538..fd756dc 100644
1434 addrs[i] = proglen;
1435 }
1436 cleanup_addr = proglen; /* epilogue address */
1437 -@@ -282,10 +392,8 @@ void bpf_jit_compile(struct sk_filter *fp)
1438 +@@ -282,10 +395,8 @@ void bpf_jit_compile(struct sk_filter *fp)
1439 case BPF_S_ALU_MUL_K: /* A *= K */
1440 if (is_imm8(K))
1441 EMIT3(0x6b, 0xc0, K); /* imul imm8,%eax,%eax */
1442 @@ -29749,7 +29765,7 @@ index 3cbe4538..fd756dc 100644
1443 break;
1444 case BPF_S_ALU_DIV_X: /* A /= X; */
1445 seen |= SEEN_XREG;
1446 -@@ -325,13 +433,23 @@ void bpf_jit_compile(struct sk_filter *fp)
1447 +@@ -325,13 +436,23 @@ void bpf_jit_compile(struct sk_filter *fp)
1448 break;
1449 case BPF_S_ALU_MOD_K: /* A %= K; */
1450 EMIT2(0x31, 0xd2); /* xor %edx,%edx */
1451 @@ -29773,7 +29789,7 @@ index 3cbe4538..fd756dc 100644
1452 EMIT4(0x48, 0xc1, 0xe8, 0x20); /* shr $0x20,%rax */
1453 break;
1454 case BPF_S_ALU_AND_X:
1455 -@@ -602,8 +720,7 @@ common_load_ind: seen |= SEEN_DATAREF | SEEN_XREG;
1456 +@@ -602,8 +723,7 @@ common_load_ind: seen |= SEEN_DATAREF | SEEN_XREG;
1457 if (is_imm8(K)) {
1458 EMIT3(0x8d, 0x73, K); /* lea imm8(%rbx), %esi */
1459 } else {
1460 @@ -29783,7 +29799,7 @@ index 3cbe4538..fd756dc 100644
1461 }
1462 } else {
1463 EMIT2(0x89,0xde); /* mov %ebx,%esi */
1464 -@@ -686,17 +803,18 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
1465 +@@ -686,17 +806,18 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
1466 break;
1467 default:
1468 /* hmm, too complex filter, give up with jit compiler */
1469 @@ -29806,7 +29822,7 @@ index 3cbe4538..fd756dc 100644
1470 }
1471 proglen += ilen;
1472 addrs[i] = proglen;
1473 -@@ -717,11 +835,9 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
1474 +@@ -717,11 +838,9 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
1475 break;
1476 }
1477 if (proglen == oldproglen) {
1478 @@ -29820,7 +29836,7 @@ index 3cbe4538..fd756dc 100644
1479 }
1480 oldproglen = proglen;
1481 }
1482 -@@ -737,7 +853,10 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
1483 +@@ -737,7 +856,10 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
1484 bpf_flush_icache(image, image + proglen);
1485
1486 fp->bpf_func = (void *)image;
1487 @@ -29832,7 +29848,7 @@ index 3cbe4538..fd756dc 100644
1488 out:
1489 kfree(addrs);
1490 return;
1491 -@@ -745,18 +864,20 @@ out:
1492 +@@ -745,18 +867,20 @@ out:
1493
1494 static void jit_free_defer(struct work_struct *arg)
1495 {
1496 @@ -32940,7 +32956,7 @@ index 519865b..e540db3 100644
1497 subsys_dev_iter_init(&iter, subsys, NULL, NULL);
1498 while ((dev = subsys_dev_iter_next(&iter)))
1499 diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c
1500 -index 01fc5b0..d0ed716 100644
1501 +index 01fc5b0..917801f 100644
1502 --- a/drivers/base/devtmpfs.c
1503 +++ b/drivers/base/devtmpfs.c
1504 @@ -348,7 +348,7 @@ int devtmpfs_mount(const char *mntdir)
1505 @@ -32952,6 +32968,21 @@ index 01fc5b0..d0ed716 100644
1506 if (err)
1507 printk(KERN_INFO "devtmpfs: error mounting %i\n", err);
1508 else
1509 +@@ -373,11 +373,11 @@ static int devtmpfsd(void *p)
1510 + *err = sys_unshare(CLONE_NEWNS);
1511 + if (*err)
1512 + goto out;
1513 +- *err = sys_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, options);
1514 ++ *err = sys_mount((char __force_user *)"devtmpfs", (char __force_user *)"/", (char __force_user *)"devtmpfs", MS_SILENT, (char __force_user *)options);
1515 + if (*err)
1516 + goto out;
1517 +- sys_chdir("/.."); /* will traverse into overmounted root */
1518 +- sys_chroot(".");
1519 ++ sys_chdir((char __force_user *)"/.."); /* will traverse into overmounted root */
1520 ++ sys_chroot((char __force_user *)".");
1521 + complete(&setup_done);
1522 + while (1) {
1523 + spin_lock(&req_lock);
1524 diff --git a/drivers/base/node.c b/drivers/base/node.c
1525 index fac124a..66bd4ab 100644
1526 --- a/drivers/base/node.c
1527 @@ -33578,8 +33609,21 @@ index 3bb6fa3..34013fb 100644
1528 default y
1529
1530 source "drivers/s390/char/Kconfig"
1531 +diff --git a/drivers/char/agp/compat_ioctl.c b/drivers/char/agp/compat_ioctl.c
1532 +index a48e05b..6bac831 100644
1533 +--- a/drivers/char/agp/compat_ioctl.c
1534 ++++ b/drivers/char/agp/compat_ioctl.c
1535 +@@ -108,7 +108,7 @@ static int compat_agpioc_reserve_wrap(struct agp_file_private *priv, void __user
1536 + return -ENOMEM;
1537 + }
1538 +
1539 +- if (copy_from_user(usegment, (void __user *) ureserve.seg_list,
1540 ++ if (copy_from_user(usegment, (void __force_user *) ureserve.seg_list,
1541 + sizeof(*usegment) * ureserve.seg_count)) {
1542 + kfree(usegment);
1543 + kfree(ksegment);
1544 diff --git a/drivers/char/agp/frontend.c b/drivers/char/agp/frontend.c
1545 -index 2e04433..22afc64 100644
1546 +index 2e04433..771f2cc 100644
1547 --- a/drivers/char/agp/frontend.c
1548 +++ b/drivers/char/agp/frontend.c
1549 @@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
1550 @@ -33591,6 +33635,15 @@ index 2e04433..22afc64 100644
1551 return -EFAULT;
1552
1553 client = agp_find_client_by_pid(reserve.pid);
1554 +@@ -847,7 +847,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
1555 + if (segment == NULL)
1556 + return -ENOMEM;
1557 +
1558 +- if (copy_from_user(segment, (void __user *) reserve.seg_list,
1559 ++ if (copy_from_user(segment, (void __force_user *) reserve.seg_list,
1560 + sizeof(struct agp_segment) * reserve.seg_count)) {
1561 + kfree(segment);
1562 + return -EFAULT;
1563 diff --git a/drivers/char/genrtc.c b/drivers/char/genrtc.c
1564 index 21cb980..f15107c 100644
1565 --- a/drivers/char/genrtc.c
1566 @@ -33685,7 +33738,7 @@ index 0ac9b45..6179fb5 100644
1567 new_smi->interrupt_disabled = 1;
1568 atomic_set(&new_smi->stop_operation, 0);
1569 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
1570 -index 2c644af..b867b3e 100644
1571 +index 2c644af..d4d7f17 100644
1572 --- a/drivers/char/mem.c
1573 +++ b/drivers/char/mem.c
1574 @@ -18,6 +18,7 @@
1575 @@ -33766,6 +33819,15 @@ index 2c644af..b867b3e 100644
1576 unxlate_dev_mem_ptr(p, ptr);
1577 if (remaining)
1578 return -EFAULT;
1579 +@@ -378,7 +409,7 @@ static ssize_t read_oldmem(struct file *file, char __user *buf,
1580 + else
1581 + csize = count;
1582 +
1583 +- rc = copy_oldmem_page(pfn, buf, csize, offset, 1);
1584 ++ rc = copy_oldmem_page(pfn, (char __force_kernel *)buf, csize, offset, 1);
1585 + if (rc < 0)
1586 + return rc;
1587 + buf += csize;
1588 @@ -398,9 +429,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
1589 size_t count, loff_t *ppos)
1590 {
1591 @@ -33909,7 +33971,7 @@ index 5c5cc00..ac9edb7 100644
1592
1593 if (cmd != SIOCWANDEV)
1594 diff --git a/drivers/char/random.c b/drivers/char/random.c
1595 -index 32a6c57..e7f0f7b 100644
1596 +index 32a6c57..98038d5 100644
1597 --- a/drivers/char/random.c
1598 +++ b/drivers/char/random.c
1599 @@ -272,8 +272,13 @@
1600 @@ -33955,7 +34017,85 @@ index 32a6c57..e7f0f7b 100644
1601 smp_wmb();
1602
1603 if (out)
1604 -@@ -1024,7 +1036,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
1605 +@@ -865,16 +877,24 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min,
1606 + if (r->entropy_count / 8 < min + reserved) {
1607 + nbytes = 0;
1608 + } else {
1609 ++ int entropy_count, orig;
1610 ++retry:
1611 ++ entropy_count = orig = ACCESS_ONCE(r->entropy_count);
1612 + /* If limited, never pull more than available */
1613 +- if (r->limit && nbytes + reserved >= r->entropy_count / 8)
1614 +- nbytes = r->entropy_count/8 - reserved;
1615 ++ if (r->limit && nbytes + reserved >= entropy_count / 8)
1616 ++ nbytes = entropy_count/8 - reserved;
1617 +
1618 +- if (r->entropy_count / 8 >= nbytes + reserved)
1619 +- r->entropy_count -= nbytes*8;
1620 +- else
1621 +- r->entropy_count = reserved;
1622 ++ if (entropy_count / 8 >= nbytes + reserved) {
1623 ++ entropy_count -= nbytes*8;
1624 ++ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
1625 ++ goto retry;
1626 ++ } else {
1627 ++ entropy_count = reserved;
1628 ++ if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
1629 ++ goto retry;
1630 ++ }
1631 +
1632 +- if (r->entropy_count < random_write_wakeup_thresh)
1633 ++ if (entropy_count < random_write_wakeup_thresh)
1634 + wakeup_write = 1;
1635 + }
1636 +
1637 +@@ -957,10 +977,23 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
1638 + {
1639 + ssize_t ret = 0, i;
1640 + __u8 tmp[EXTRACT_SIZE];
1641 ++ unsigned long flags;
1642 +
1643 + /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */
1644 +- if (fips_enabled && !r->last_data_init)
1645 +- nbytes += EXTRACT_SIZE;
1646 ++ if (fips_enabled) {
1647 ++ spin_lock_irqsave(&r->lock, flags);
1648 ++ if (!r->last_data_init) {
1649 ++ r->last_data_init = true;
1650 ++ spin_unlock_irqrestore(&r->lock, flags);
1651 ++ trace_extract_entropy(r->name, EXTRACT_SIZE,
1652 ++ r->entropy_count, _RET_IP_);
1653 ++ xfer_secondary_pool(r, EXTRACT_SIZE);
1654 ++ extract_buf(r, tmp);
1655 ++ spin_lock_irqsave(&r->lock, flags);
1656 ++ memcpy(r->last_data, tmp, EXTRACT_SIZE);
1657 ++ }
1658 ++ spin_unlock_irqrestore(&r->lock, flags);
1659 ++ }
1660 +
1661 + trace_extract_entropy(r->name, nbytes, r->entropy_count, _RET_IP_);
1662 + xfer_secondary_pool(r, nbytes);
1663 +@@ -970,19 +1003,6 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
1664 + extract_buf(r, tmp);
1665 +
1666 + if (fips_enabled) {
1667 +- unsigned long flags;
1668 +-
1669 +-
1670 +- /* prime last_data value if need be, per fips 140-2 */
1671 +- if (!r->last_data_init) {
1672 +- spin_lock_irqsave(&r->lock, flags);
1673 +- memcpy(r->last_data, tmp, EXTRACT_SIZE);
1674 +- r->last_data_init = true;
1675 +- nbytes -= EXTRACT_SIZE;
1676 +- spin_unlock_irqrestore(&r->lock, flags);
1677 +- extract_buf(r, tmp);
1678 +- }
1679 +-
1680 + spin_lock_irqsave(&r->lock, flags);
1681 + if (!memcmp(tmp, r->last_data, EXTRACT_SIZE))
1682 + panic("Hardware RNG duplicated output!\n");
1683 +@@ -1024,7 +1044,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
1684
1685 extract_buf(r, tmp);
1686 i = min_t(int, nbytes, EXTRACT_SIZE);
1687 @@ -33964,7 +34104,7 @@ index 32a6c57..e7f0f7b 100644
1688 ret = -EFAULT;
1689 break;
1690 }
1691 -@@ -1360,7 +1372,7 @@ EXPORT_SYMBOL(generate_random_uuid);
1692 +@@ -1360,7 +1380,7 @@ EXPORT_SYMBOL(generate_random_uuid);
1693 #include <linux/sysctl.h>
1694
1695 static int min_read_thresh = 8, min_write_thresh;
1696 @@ -33973,7 +34113,7 @@ index 32a6c57..e7f0f7b 100644
1697 static int max_write_thresh = INPUT_POOL_WORDS * 32;
1698 static char sysctl_bootid[16];
1699
1700 -@@ -1376,7 +1388,7 @@ static char sysctl_bootid[16];
1701 +@@ -1376,7 +1396,7 @@ static char sysctl_bootid[16];
1702 static int proc_do_uuid(ctl_table *table, int write,
1703 void __user *buffer, size_t *lenp, loff_t *ppos)
1704 {
1705 @@ -35984,6 +36124,28 @@ index 3eb1486..0a47ee9 100644
1706 } while (*seqno == 0);
1707
1708 if (!(fifo_state->capabilities & SVGA_FIFO_CAP_FENCE)) {
1709 +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
1710 +index c509d40..3b640c3 100644
1711 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
1712 ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
1713 +@@ -138,7 +138,7 @@ int vmw_present_ioctl(struct drm_device *dev, void *data,
1714 + int ret;
1715 +
1716 + num_clips = arg->num_clips;
1717 +- clips_ptr = (struct drm_vmw_rect *)(unsigned long)arg->clips_ptr;
1718 ++ clips_ptr = (struct drm_vmw_rect __user *)(unsigned long)arg->clips_ptr;
1719 +
1720 + if (unlikely(num_clips == 0))
1721 + return 0;
1722 +@@ -222,7 +222,7 @@ int vmw_present_readback_ioctl(struct drm_device *dev, void *data,
1723 + int ret;
1724 +
1725 + num_clips = arg->num_clips;
1726 +- clips_ptr = (struct drm_vmw_rect *)(unsigned long)arg->clips_ptr;
1727 ++ clips_ptr = (struct drm_vmw_rect __user *)(unsigned long)arg->clips_ptr;
1728 +
1729 + if (unlikely(num_clips == 0))
1730 + return 0;
1731 diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c b/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
1732 index 4640adb..e1384ed 100644
1733 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
1734 @@ -36341,6 +36503,19 @@ index 29015eb..af2d8e9 100644
1735
1736 /* Wrapper access functions for multiplexed SMBus */
1737 static DEFINE_MUTEX(nforce2_lock);
1738 +diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
1739 +index c3ccdea..5b3dc1a 100644
1740 +--- a/drivers/i2c/i2c-dev.c
1741 ++++ b/drivers/i2c/i2c-dev.c
1742 +@@ -271,7 +271,7 @@ static noinline int i2cdev_ioctl_rdrw(struct i2c_client *client,
1743 + break;
1744 + }
1745 +
1746 +- data_ptrs[i] = (u8 __user *)rdwr_pa[i].buf;
1747 ++ data_ptrs[i] = (u8 __force_user *)rdwr_pa[i].buf;
1748 + rdwr_pa[i].buf = memdup_user(data_ptrs[i], rdwr_pa[i].len);
1749 + if (IS_ERR(rdwr_pa[i].buf)) {
1750 + res = PTR_ERR(rdwr_pa[i].buf);
1751 diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c
1752 index 8126824..55a2798 100644
1753 --- a/drivers/ide/ide-cd.c
1754 @@ -38425,11 +38600,72 @@ index 9578a67..31aa652 100644
1755
1756 /* debug */
1757 static int dvb_usb_dw2102_debug;
1758 +diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
1759 +index 7157af3..139e91a 100644
1760 +--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
1761 ++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
1762 +@@ -326,7 +326,7 @@ struct v4l2_buffer32 {
1763 + __u32 reserved;
1764 + };
1765 +
1766 +-static int get_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32,
1767 ++static int get_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32,
1768 + enum v4l2_memory memory)
1769 + {
1770 + void __user *up_pln;
1771 +@@ -355,7 +355,7 @@ static int get_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32,
1772 + return 0;
1773 + }
1774 +
1775 +-static int put_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32,
1776 ++static int put_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32,
1777 + enum v4l2_memory memory)
1778 + {
1779 + if (copy_in_user(up32, up, 2 * sizeof(__u32)) ||
1780 +@@ -772,7 +772,7 @@ static int put_v4l2_subdev_edid32(struct v4l2_subdev_edid *kp, struct v4l2_subde
1781 + put_user(kp->start_block, &up->start_block) ||
1782 + put_user(kp->blocks, &up->blocks) ||
1783 + put_user(tmp, &up->edid) ||
1784 +- copy_to_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
1785 ++ copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved)))
1786 + return -EFAULT;
1787 + return 0;
1788 + }
1789 diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
1790 -index aa6e7c7..4cd8061 100644
1791 +index aa6e7c7..cb5de87 100644
1792 --- a/drivers/media/v4l2-core/v4l2-ioctl.c
1793 +++ b/drivers/media/v4l2-core/v4l2-ioctl.c
1794 -@@ -1923,7 +1923,8 @@ struct v4l2_ioctl_info {
1795 +@@ -236,7 +236,7 @@ static void v4l_print_format(const void *arg, bool write_only)
1796 + const struct v4l2_vbi_format *vbi;
1797 + const struct v4l2_sliced_vbi_format *sliced;
1798 + const struct v4l2_window *win;
1799 +- const struct v4l2_clip *clip;
1800 ++ const struct v4l2_clip __user *pclip;
1801 + unsigned i;
1802 +
1803 + pr_cont("type=%s", prt_names(p->type, v4l2_type_names));
1804 +@@ -284,12 +284,16 @@ static void v4l_print_format(const void *arg, bool write_only)
1805 + win->w.left, win->w.top,
1806 + prt_names(win->field, v4l2_field_names),
1807 + win->chromakey, win->bitmap, win->global_alpha);
1808 +- clip = win->clips;
1809 ++ pclip = win->clips;
1810 + for (i = 0; i < win->clipcount; i++) {
1811 ++ struct v4l2_clip clip;
1812 ++
1813 ++ if (copy_from_user(&clip, pclip, sizeof clip))
1814 ++ break;
1815 + printk(KERN_DEBUG "clip %u: wxh=%dx%d, x,y=%d,%d\n",
1816 +- i, clip->c.width, clip->c.height,
1817 +- clip->c.left, clip->c.top);
1818 +- clip = clip->next;
1819 ++ i, clip.c.width, clip.c.height,
1820 ++ clip.c.left, clip.c.top);
1821 ++ pclip = clip.next;
1822 + }
1823 + break;
1824 + case V4L2_BUF_TYPE_VBI_CAPTURE:
1825 +@@ -1923,7 +1927,8 @@ struct v4l2_ioctl_info {
1826 struct file *file, void *fh, void *p);
1827 } u;
1828 void (*debug)(const void *arg, bool write_only);
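Review bot: The swapped `copy_to_user` arguments in `put_v4l2_subdev_edid32` are the substantive fix here: the old order `copy_to_user(kp->reserved, up->reserved, ...)` used a kernel buffer as the destination of a user-copy primitive, which depending on the architecture's access checks either failed every call with -EFAULT or wrote through an unchecked pointer; the new order matches the surrounding `put_user(..., &up->...)` calls. In `v4l_print_format`, the rewritten clip loop correctly copies each `struct v4l2_clip` with `copy_from_user` instead of dereferencing `win->clips` in kernel context, but a faulting copy just `break`s and leaves the debug listing silently truncated; a line such as `printk(KERN_DEBUG "clip %u: unreadable\n", i);` before the `break` would make that visible. The loop still trusts the user-supplied `win->clipcount` as its bound, which is acceptable for a debug printer but worth a one-line comment saying so. `v4l_print_format` starts and ends outside this hunk.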
1829 @@ -38439,7 +38675,7 @@ index aa6e7c7..4cd8061 100644
1830
1831 /* This control needs a priority check */
1832 #define INFO_FL_PRIO (1 << 0)
1833 -@@ -2108,7 +2109,7 @@ static long __video_do_ioctl(struct file *file,
1834 +@@ -2108,7 +2113,7 @@ static long __video_do_ioctl(struct file *file,
1835 struct video_device *vfd = video_devdata(file);
1836 const struct v4l2_ioctl_ops *ops = vfd->ioctl_ops;
1837 bool write_only = false;
1838 @@ -38448,6 +38684,33 @@ index aa6e7c7..4cd8061 100644
1839 const struct v4l2_ioctl_info *info;
1840 void *fh = file->private_data;
1841 struct v4l2_fh *vfh = NULL;
1842 +@@ -2193,7 +2198,7 @@ done:
1843 + }
1844 +
1845 + static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
1846 +- void * __user *user_ptr, void ***kernel_ptr)
1847 ++ void __user **user_ptr, void ***kernel_ptr)
1848 + {
1849 + int ret = 0;
1850 +
1851 +@@ -2209,7 +2214,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
1852 + ret = -EINVAL;
1853 + break;
1854 + }
1855 +- *user_ptr = (void __user *)buf->m.planes;
1856 ++ *user_ptr = (void __force_user *)buf->m.planes;
1857 + *kernel_ptr = (void *)&buf->m.planes;
1858 + *array_size = sizeof(struct v4l2_plane) * buf->length;
1859 + ret = 1;
1860 +@@ -2244,7 +2249,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
1861 + ret = -EINVAL;
1862 + break;
1863 + }
1864 +- *user_ptr = (void __user *)ctrls->controls;
1865 ++ *user_ptr = (void __force_user *)ctrls->controls;
1866 + *kernel_ptr = (void *)&ctrls->controls;
1867 + *array_size = sizeof(struct v4l2_ext_control)
1868 + * ctrls->count;
1869 diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c
1870 index fb69baa..3aeea2e 100644
1871 --- a/drivers/message/fusion/mptbase.c
1872 @@ -47532,6 +47795,19 @@ index fef20db..d28b1ab 100644
1873 if (!file->private_data)
1874 return -ENOMEM;
1875 return 0;
1876 +diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c
1877 +index 0ad61c6..f198bd7 100644
1878 +--- a/fs/9p/vfs_addr.c
1879 ++++ b/fs/9p/vfs_addr.c
1880 +@@ -185,7 +185,7 @@ static int v9fs_vfs_writepage_locked(struct page *page)
1881 +
1882 + retval = v9fs_file_write_internal(inode,
1883 + v9inode->writeback_fid,
1884 +- (__force const char __user *)buffer,
1885 ++ (const char __force_user *)buffer,
1886 + len, &offset, 0);
1887 + if (retval > 0)
1888 + retval = 0;
1889 diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
1890 index d86edc8..40ff2fb 100644
1891 --- a/fs/9p/vfs_inode.c
1892 @@ -47769,7 +48045,7 @@ index bbc8f88..7c7ac97 100644
1893 fd_offset + ex.a_text);
1894 if (error != N_DATADDR(ex)) {
1895 diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
1896 -index 86af964..8a1da7e 100644
1897 +index 86af964..5d53bf6 100644
1898 --- a/fs/binfmt_elf.c
1899 +++ b/fs/binfmt_elf.c
1900 @@ -34,6 +34,7 @@
1901 @@ -48004,7 +48280,7 @@ index 86af964..8a1da7e 100644
1902 +#endif
1903 +
1904 +#ifdef CONFIG_PAX_EMUTRAMP
1905 -+ if (pax_flags_softmode & MF_PAX_EMUTRAMP)
1906 ++ if ((pax_flags_softmode & MF_PAX_EMUTRAMP) && (pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)))
1907 + pax_flags |= MF_PAX_EMUTRAMP;
1908 +#endif
1909 +
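Review bot: The new condition `if ((pax_flags_softmode & MF_PAX_EMUTRAMP) && (pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)))` makes the EMUTRAMP soft-mode flag depend on `pax_flags` already carrying the PAGEEXEC/SEGMEXEC bits, presumably set by the corresponding blocks earlier in the same function, which lie outside the hunk; nothing in the code records that ordering dependency. A comment would keep a later reorder from silently disabling EMUTRAMP: `/* EMUTRAMP requires an active non-exec policy; evaluate after PAGEEXEC/SEGMEXEC */`. The enclosing function starts and ends outside this hunk.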
1910 @@ -48465,6 +48741,15 @@ index 86af964..8a1da7e 100644
1911 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
1912 }
1913
1914 +@@ -1394,7 +1841,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
1915 + {
1916 + mm_segment_t old_fs = get_fs();
1917 + set_fs(KERNEL_DS);
1918 +- copy_siginfo_to_user((user_siginfo_t __user *) csigdata, siginfo);
1919 ++ copy_siginfo_to_user((user_siginfo_t __force_user *) csigdata, siginfo);
1920 + set_fs(old_fs);
1921 + fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata);
1922 + }
1923 @@ -2015,14 +2462,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
1924 }
1925
1926 @@ -49580,7 +49865,7 @@ index a81147e..20bf2b5 100644
1927
1928 /*
1929 diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
1930 -index 3ced75f..1eeca06 100644
1931 +index 3ced75f..b28d192 100644
1932 --- a/fs/compat_ioctl.c
1933 +++ b/fs/compat_ioctl.c
1934 @@ -623,7 +623,7 @@ static int serial_struct_ioctl(unsigned fd, unsigned cmd,
1935 @@ -49592,6 +49877,17 @@ index 3ced75f..1eeca06 100644
1936 if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) ||
1937 __get_user(ss.port_high, &ss32->port_high))
1938 return -EFAULT;
1939 +@@ -704,8 +704,8 @@ static int do_i2c_rdwr_ioctl(unsigned int fd, unsigned int cmd,
1940 + for (i = 0; i < nmsgs; i++) {
1941 + if (copy_in_user(&tmsgs[i].addr, &umsgs[i].addr, 3*sizeof(u16)))
1942 + return -EFAULT;
1943 +- if (get_user(datap, &umsgs[i].buf) ||
1944 +- put_user(compat_ptr(datap), &tmsgs[i].buf))
1945 ++ if (get_user(datap, (u8 __user * __user *)&umsgs[i].buf) ||
1946 ++ put_user(compat_ptr(datap), (u8 __user * __user *)&tmsgs[i].buf))
1947 + return -EFAULT;
1948 + }
1949 + return sys_ioctl(fd, cmd, (unsigned long)tdata);
1950 @@ -798,7 +798,7 @@ static int compat_ioctl_preallocate(struct file *file,
1951 copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) ||
1952 copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) ||
1953 @@ -49839,7 +50135,7 @@ index 6a16053..2155147 100644
1954 return rc;
1955 }
1956 diff --git a/fs/exec.c b/fs/exec.c
1957 -index 6d56ff2..fe44505 100644
1958 +index 6d56ff2..3bc6638 100644
1959 --- a/fs/exec.c
1960 +++ b/fs/exec.c
1961 @@ -55,8 +55,20 @@
1962 @@ -50016,7 +50312,7 @@ index 6d56ff2..fe44505 100644
1963 mm_segment_t oldfs = get_fs();
1964 struct user_arg_ptr argv = {
1965 - .ptr.native = (const char __user *const __user *)__argv,
1966 -+ .ptr.native = (const char __force_user *const __force_user *)__argv,
1967 ++ .ptr.native = (const char __force_user * const __force_user *)__argv,
1968 };
1969
1970 set_fs(KERNEL_DS);
1971 @@ -50540,8 +50836,8 @@ index 6d56ff2..fe44505 100644
1972 +#endif
1973 +
1974 +#else
1975 -+ unsigned long textlow = _stext;
1976 -+ unsigned long texthigh = _etext;
1977 ++ unsigned long textlow = (unsigned long)_stext;
1978 ++ unsigned long texthigh = (unsigned long)_etext;
1979 +#endif
1980 +
1981 + if (high <= textlow || low > texthigh)
1982 @@ -50813,6 +51109,39 @@ index febbe0e..782c4fd 100644
1983
1984 static int parse_strtoul(const char *buf,
1985 unsigned long max, unsigned long *value)
1986 +diff --git a/fs/fat/inode.c b/fs/fat/inode.c
1987 +index acf6e47..e7a7fde 100644
1988 +--- a/fs/fat/inode.c
1989 ++++ b/fs/fat/inode.c
1990 +@@ -1223,6 +1223,19 @@ static int fat_read_root(struct inode *inode)
1991 + return 0;
1992 + }
1993 +
1994 ++static unsigned long calc_fat_clusters(struct super_block *sb)
1995 ++{
1996 ++ struct msdos_sb_info *sbi = MSDOS_SB(sb);
1997 ++
1998 ++ /* Divide first to avoid overflow */
1999 ++ if (sbi->fat_bits != 12) {
2000 ++ unsigned long ent_per_sec = sb->s_blocksize * 8 / sbi->fat_bits;
2001 ++ return ent_per_sec * sbi->fat_length;
2002 ++ }
2003 ++
2004 ++ return sbi->fat_length * sb->s_blocksize * 8 / sbi->fat_bits;
2005 ++}
2006 ++
2007 + /*
2008 + * Read the super block of an MS-DOS FS.
2009 + */
2010 +@@ -1427,7 +1440,7 @@ int fat_fill_super(struct super_block *sb, void *data, int silent, int isvfat,
2011 + sbi->dirty = b->fat16.state & FAT_STATE_DIRTY;
2012 +
2013 + /* check that FAT table does not overflow */
2014 +- fat_clusters = sbi->fat_length * sb->s_blocksize * 8 / sbi->fat_bits;
2015 ++ fat_clusters = calc_fat_clusters(sb);
2016 + total_clusters = min(total_clusters, fat_clusters - FAT_START_ENT);
2017 + if (total_clusters > MAX_FAT(sb)) {
2018 + if (!silent)
2019 diff --git a/fs/fcntl.c b/fs/fcntl.c
2020 index 6599222..e7bf0de 100644
2021 --- a/fs/fcntl.c
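Review bot: `calc_fat_clusters()` keeps the multiply-first expression `sbi->fat_length * sb->s_blocksize * 8 / sbi->fat_bits` for the FAT12 case, so the overflow the helper is meant to avoid is still possible there on 32-bit when `fat_length` comes from an untrusted image; the later `total_clusters > MAX_FAT(sb)` check only sees the already-wrapped value. If the fields are `unsigned long` as I expect, the FAT12 branch can be computed in 64 bits, e.g. `return div_u64((u64)sbi->fat_length * sb->s_blocksize * 8, sbi->fat_bits);`, which also keeps the exact result that dividing first would lose for 12-bit entries. The `/* Divide first to avoid overflow */` comment should say why FAT12 is excluded (8/12 is not an integer). `fat_fill_super` starts and ends outside this hunk.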
2022 @@ -53240,7 +53569,7 @@ index 85e40d1..b66744e 100644
2023 out:
2024 return len;
2025 diff --git a/fs/namespace.c b/fs/namespace.c
2026 -index e945b81..1dd8104 100644
2027 +index e945b81..fc018e2 100644
2028 --- a/fs/namespace.c
2029 +++ b/fs/namespace.c
2030 @@ -1219,6 +1219,9 @@ static int do_umount(struct mount *mnt, int flags)
2031 @@ -53263,6 +53592,24 @@ index e945b81..1dd8104 100644
2032 return retval;
2033 }
2034
2035 +@@ -1257,7 +1263,7 @@ static inline bool may_mount(void)
2036 + * unixes. Our API is identical to OSF/1 to avoid making a mess of AMD
2037 + */
2038 +
2039 +-SYSCALL_DEFINE2(umount, char __user *, name, int, flags)
2040 ++SYSCALL_DEFINE2(umount, const char __user *, name, int, flags)
2041 + {
2042 + struct path path;
2043 + struct mount *mnt;
2044 +@@ -1297,7 +1303,7 @@ out:
2045 + /*
2046 + * The 2.0 compatible umount. No flags.
2047 + */
2048 +-SYSCALL_DEFINE1(oldumount, char __user *, name)
2049 ++SYSCALL_DEFINE1(oldumount, const char __user *, name)
2050 + {
2051 + return sys_umount(name, 0);
2052 + }
2053 @@ -2267,6 +2273,16 @@ long do_mount(const char *dev_name, const char *dir_name,
2054 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
2055 MS_STRICTATIME);
2056 @@ -53290,6 +53637,17 @@ index e945b81..1dd8104 100644
2057 return retval;
2058 }
2059
2060 +@@ -2454,8 +2473,8 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
2061 + }
2062 + EXPORT_SYMBOL(mount_subtree);
2063 +
2064 +-SYSCALL_DEFINE5(mount, char __user *, dev_name, char __user *, dir_name,
2065 +- char __user *, type, unsigned long, flags, void __user *, data)
2066 ++SYSCALL_DEFINE5(mount, const char __user *, dev_name, const char __user *, dir_name,
2067 ++ const char __user *, type, unsigned long, flags, void __user *, data)
2068 + {
2069 + int ret;
2070 + char *kernel_type;
2071 @@ -2567,6 +2586,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
2072 if (error)
2073 goto out2;
2074 @@ -55257,6 +55615,36 @@ index 56123a6..5a2f6ec 100644
2075 } else if (mm) {
2076 pid_t tid = vm_is_stack(priv->task, vma, is_pid);
2077
2078 +diff --git a/fs/proc/vmcore.c b/fs/proc/vmcore.c
2079 +index b870f74..e9048df 100644
2080 +--- a/fs/proc/vmcore.c
2081 ++++ b/fs/proc/vmcore.c
2082 +@@ -98,9 +98,13 @@ static ssize_t read_from_oldmem(char *buf, size_t count,
2083 + nr_bytes = count;
2084 +
2085 + /* If pfn is not ram, return zeros for sparse dump files */
2086 +- if (pfn_is_ram(pfn) == 0)
2087 +- memset(buf, 0, nr_bytes);
2088 +- else {
2089 ++ if (pfn_is_ram(pfn) == 0) {
2090 ++ if (userbuf) {
2091 ++ if (clear_user((char __force_user *)buf, nr_bytes))
2092 ++ return -EFAULT;
2093 ++ } else
2094 ++ memset(buf, 0, nr_bytes);
2095 ++ } else {
2096 + tmp = copy_oldmem_page(pfn, buf, nr_bytes,
2097 + offset, userbuf);
2098 + if (tmp < 0)
2099 +@@ -185,7 +189,7 @@ static ssize_t read_vmcore(struct file *file, char __user *buffer,
2100 + if (tsz > nr_bytes)
2101 + tsz = nr_bytes;
2102 +
2103 +- tmp = read_from_oldmem(buffer, tsz, &start, 1);
2104 ++ tmp = read_from_oldmem((char __force_kernel *)buffer, tsz, &start, 1);
2105 + if (tmp < 0)
2106 + return tmp;
2107 + buflen -= tsz;
2108 diff --git a/fs/qnx6/qnx6.h b/fs/qnx6/qnx6.h
2109 index b00fcc9..e0c6381 100644
2110 --- a/fs/qnx6/qnx6.h
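Review bot: The `} else` preceding `memset(buf, 0, nr_bytes);` drops its braces while the matching `if (userbuf) {` arm keeps them; kernel style braces both arms once one needs them, so it should read `} else {` … `}`. Behaviourally the change is right: the old `memset` wrote straight through a user address when `userbuf` was set, which is exactly what `clear_user` exists for and what the `copy_oldmem_page(..., userbuf)` path below already honours. The `(char __force_kernel *)buffer` cast in `read_vmcore` keeps sparse quiet, but the interface — a plain `char *buf` plus an `int userbuf` flag — is what forced it; a short comment on `read_from_oldmem` stating that `buf` is a user pointer whenever `userbuf` is non-zero would help the next reader. `read_from_oldmem` starts outside this hunk.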
2111 @@ -55301,6 +55689,19 @@ index 16e8abb..2dcf914 100644
2112 &quota_genl_family, 0, QUOTA_NL_C_WARNING);
2113 if (!msg_head) {
2114 printk(KERN_ERR
2115 +diff --git a/fs/read_write.c b/fs/read_write.c
2116 +index e6ddc8d..9155227 100644
2117 +--- a/fs/read_write.c
2118 ++++ b/fs/read_write.c
2119 +@@ -429,7 +429,7 @@ ssize_t __kernel_write(struct file *file, const char *buf, size_t count, loff_t
2120 +
2121 + old_fs = get_fs();
2122 + set_fs(get_ds());
2123 +- p = (__force const char __user *)buf;
2124 ++ p = (const char __force_user *)buf;
2125 + if (count > MAX_RW_COUNT)
2126 + count = MAX_RW_COUNT;
2127 + if (file->f_op->write)
2128 diff --git a/fs/readdir.c b/fs/readdir.c
2129 index fee38e0..12fdf47 100644
2130 --- a/fs/readdir.c
2131 @@ -71166,9 +71567,25 @@ index a5ffd32..0935dea 100644
2132 extern dma_addr_t swiotlb_map_page(struct device *dev, struct page *page,
2133 unsigned long offset, size_t size,
2134 diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
2135 -index 313a8e0..1da8fc6 100644
2136 +index 313a8e0..6b273a9 100644
2137 --- a/include/linux/syscalls.h
2138 +++ b/include/linux/syscalls.h
2139 +@@ -418,11 +418,11 @@ asmlinkage long sys_sync(void);
2140 + asmlinkage long sys_fsync(unsigned int fd);
2141 + asmlinkage long sys_fdatasync(unsigned int fd);
2142 + asmlinkage long sys_bdflush(int func, long data);
2143 +-asmlinkage long sys_mount(char __user *dev_name, char __user *dir_name,
2144 +- char __user *type, unsigned long flags,
2145 ++asmlinkage long sys_mount(const char __user *dev_name, const char __user *dir_name,
2146 ++ const char __user *type, unsigned long flags,
2147 + void __user *data);
2148 +-asmlinkage long sys_umount(char __user *name, int flags);
2149 +-asmlinkage long sys_oldumount(char __user *name);
2150 ++asmlinkage long sys_umount(const char __user *name, int flags);
2151 ++asmlinkage long sys_oldumount(const char __user *name);
2152 + asmlinkage long sys_truncate(const char __user *path, long length);
2153 + asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length);
2154 + asmlinkage long sys_stat(const char __user *filename,
2155 @@ -634,7 +634,7 @@ asmlinkage long sys_getsockname(int, struct sockaddr __user *, int __user *);
2156 asmlinkage long sys_getpeername(int, struct sockaddr __user *, int __user *);
2157 asmlinkage long sys_send(int, void __user *, size_t, unsigned);
2158 @@ -72924,9 +73341,27 @@ index f5b978a..69dbfe8 100644
2159 if (!S_ISBLK(stat.st_mode))
2160 return 0;
2161 diff --git a/init/do_mounts_initrd.c b/init/do_mounts_initrd.c
2162 -index a32ec1c..ac08811 100644
2163 +index a32ec1c..60a6659 100644
2164 --- a/init/do_mounts_initrd.c
2165 +++ b/init/do_mounts_initrd.c
2166 +@@ -37,13 +37,13 @@ static int init_linuxrc(struct subprocess_info *info, struct cred *new)
2167 + {
2168 + sys_unshare(CLONE_FS | CLONE_FILES);
2169 + /* stdin/stdout/stderr for /linuxrc */
2170 +- sys_open("/dev/console", O_RDWR, 0);
2171 ++ sys_open((const char __force_user *)"/dev/console", O_RDWR, 0);
2172 + sys_dup(0);
2173 + sys_dup(0);
2174 + /* move initrd over / and chdir/chroot in initrd root */
2175 +- sys_chdir("/root");
2176 +- sys_mount(".", "/", NULL, MS_MOVE, NULL);
2177 +- sys_chroot(".");
2178 ++ sys_chdir((const char __force_user *)"/root");
2179 ++ sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
2180 ++ sys_chroot((const char __force_user *)".");
2181 + sys_setsid();
2182 + return 0;
2183 + }
2184 @@ -58,8 +58,8 @@ static void __init handle_initrd(void)
2185 create_dev("/dev/root.old", Root_RAM0);
2186 /* mount initrd on rootfs' /root */
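Review bot: The two `sys_mount` casts `(char __force_user *)"."` and `(char __force_user *)"/"` drop `const` even though the operands are string literals and the sibling `sys_chdir`/`sys_chroot` calls in the same function use `(const char __force_user *)`; this patch's own `include/linux/syscalls.h` hunk changes `sys_mount` to take `const char __user *` for `dev_name` and `dir_name`, so the casts should be `(const char __force_user *)` for consistency. As written they compile but discard a qualifier the prototype no longer needs discarded.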
2187 @@ -73149,7 +73584,7 @@ index a67ef9d..3d88592 100644
2188 next_state = Reset;
2189 return 0;
2190 diff --git a/init/main.c b/init/main.c
2191 -index 63534a1..8abcaf1 100644
2192 +index 63534a1..85feae2 100644
2193 --- a/init/main.c
2194 +++ b/init/main.c
2195 @@ -98,6 +98,8 @@ static inline void mark_rodata_ro(void) { }
2196 @@ -73286,6 +73721,17 @@ index 63534a1..8abcaf1 100644
2197 }
2198
2199 /*
2200 +@@ -811,8 +884,8 @@ static int run_init_process(const char *init_filename)
2201 + {
2202 + argv_init[0] = init_filename;
2203 + return do_execve(init_filename,
2204 +- (const char __user *const __user *)argv_init,
2205 +- (const char __user *const __user *)envp_init);
2206 ++ (const char __user *const __force_user *)argv_init,
2207 ++ (const char __user *const __force_user *)envp_init);
2208 + }
2209 +
2210 + static noinline void __init kernel_init_freeable(void);
2211 @@ -890,7 +963,7 @@ static noinline void __init kernel_init_freeable(void)
2212 do_basic_setup();
2213
2214 @@ -74134,7 +74580,7 @@ index 00eb8f7..d7e3244 100644
2215 #ifdef CONFIG_MODULE_UNLOAD
2216 {
2217 diff --git a/kernel/events/core.c b/kernel/events/core.c
2218 -index 9fcb094..5c06aeb 100644
2219 +index 9fcb094..fd68c54 100644
2220 --- a/kernel/events/core.c
2221 +++ b/kernel/events/core.c
2222 @@ -155,7 +155,11 @@ static struct srcu_struct pmus_srcu;
2223 @@ -74193,6 +74639,15 @@ index 9fcb094..5c06aeb 100644
2224
2225 arch_perf_update_userpage(userpg, now);
2226
2227 +@@ -3886,7 +3890,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size,
2228 +
2229 + /* Data. */
2230 + sp = perf_user_stack_pointer(regs);
2231 +- rem = __output_copy_user(handle, (void *) sp, dump_size);
2232 ++ rem = __output_copy_user(handle, (void __user *) sp, dump_size);
2233 + dyn_size = dump_size - rem;
2234 +
2235 + perf_output_skip(handle, rem);
2236 @@ -3974,11 +3978,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
2237 values[n++] = perf_event_count(event);
2238 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
2239 @@ -74245,6 +74700,44 @@ index 9fcb094..5c06aeb 100644
2240 &parent_event->child_total_time_running);
2241
2242 /*
2243 +diff --git a/kernel/events/internal.h b/kernel/events/internal.h
2244 +index eb675c4..54912ff 100644
2245 +--- a/kernel/events/internal.h
2246 ++++ b/kernel/events/internal.h
2247 +@@ -77,10 +77,10 @@ static inline unsigned long perf_data_size(struct ring_buffer *rb)
2248 + return rb->nr_pages << (PAGE_SHIFT + page_order(rb));
2249 + }
2250 +
2251 +-#define DEFINE_OUTPUT_COPY(func_name, memcpy_func) \
2252 ++#define DEFINE_OUTPUT_COPY(func_name, memcpy_func, user) \
2253 + static inline unsigned int \
2254 + func_name(struct perf_output_handle *handle, \
2255 +- const void *buf, unsigned int len) \
2256 ++ const void user *buf, unsigned int len) \
2257 + { \
2258 + unsigned long size, written; \
2259 + \
2260 +@@ -112,17 +112,17 @@ static inline int memcpy_common(void *dst, const void *src, size_t n)
2261 + return n;
2262 + }
2263 +
2264 +-DEFINE_OUTPUT_COPY(__output_copy, memcpy_common)
2265 ++DEFINE_OUTPUT_COPY(__output_copy, memcpy_common, )
2266 +
2267 + #define MEMCPY_SKIP(dst, src, n) (n)
2268 +
2269 +-DEFINE_OUTPUT_COPY(__output_skip, MEMCPY_SKIP)
2270 ++DEFINE_OUTPUT_COPY(__output_skip, MEMCPY_SKIP, )
2271 +
2272 + #ifndef arch_perf_out_copy_user
2273 + #define arch_perf_out_copy_user __copy_from_user_inatomic
2274 + #endif
2275 +
2276 +-DEFINE_OUTPUT_COPY(__output_copy_user, arch_perf_out_copy_user)
2277 ++DEFINE_OUTPUT_COPY(__output_copy_user, arch_perf_out_copy_user, __user)
2278 +
2279 + /* Callchain handling */
2280 + extern struct perf_callchain_entry *
2281 diff --git a/kernel/exit.c b/kernel/exit.c
2282 index 60bc027..ca6d727 100644
2283 --- a/kernel/exit.c
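Review bot: The new `user` parameter of `DEFINE_OUTPUT_COPY` is passed as an empty argument in `DEFINE_OUTPUT_COPY(__output_copy, memcpy_common, )` and `DEFINE_OUTPUT_COPY(__output_skip, MEMCPY_SKIP, )`; an empty macro argument is valid C99 but easy to misread as a typo. Writing the kernel-space instantiations as `DEFINE_OUTPUT_COPY(__output_copy, memcpy_common, /* kernel */)` keeps the expansion identical (comments are replaced before macro substitution) and documents the intent, and a one-line comment above the macro — `/* user: address-space annotation for buf, empty for kernel buffers */` — would explain the parameter.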
2284 @@ -79822,6 +80315,24 @@ index b32b70c..e512eb0 100644
2285 pkmap_count[last_pkmap_nr] = 1;
2286 set_page_address(page, (void *)vaddr);
2287
2288 +diff --git a/mm/huge_memory.c b/mm/huge_memory.c
2289 +index e2f7f5aa..a4510d4 100644
2290 +--- a/mm/huge_memory.c
2291 ++++ b/mm/huge_memory.c
2292 +@@ -2318,7 +2318,12 @@ static void collapse_huge_page(struct mm_struct *mm,
2293 + pte_unmap(pte);
2294 + spin_lock(&mm->page_table_lock);
2295 + BUG_ON(!pmd_none(*pmd));
2296 +- set_pmd_at(mm, address, pmd, _pmd);
2297 ++ /*
2298 ++ * We can only use set_pmd_at when establishing
2299 ++ * hugepmds and never for establishing regular pmds that
2300 ++ * points to regular pagetables. Use pmd_populate for that
2301 ++ */
2302 ++ pmd_populate(mm, pmd, pmd_pgtable(_pmd));
2303 + spin_unlock(&mm->page_table_lock);
2304 + anon_vma_unlock_write(vma->anon_vma);
2305 + goto out;
2306 diff --git a/mm/hugetlb.c b/mm/hugetlb.c
2307 index 1a12f5b..a85b8fc 100644
2308 --- a/mm/hugetlb.c
2309 @@ -82287,6 +82798,133 @@ index 0dceed8..671951c 100644
2310 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
2311 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
2312
2313 +diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c
2314 +index be04122..6725ff1 100644
2315 +--- a/mm/mmu_notifier.c
2316 ++++ b/mm/mmu_notifier.c
2317 +@@ -40,48 +40,44 @@ void __mmu_notifier_release(struct mm_struct *mm)
2318 + int id;
2319 +
2320 + /*
2321 +- * srcu_read_lock() here will block synchronize_srcu() in
2322 +- * mmu_notifier_unregister() until all registered
2323 +- * ->release() callouts this function makes have
2324 +- * returned.
2325 ++ * SRCU here will block mmu_notifier_unregister until
2326 ++ * ->release returns.
2327 + */
2328 + id = srcu_read_lock(&srcu);
2329 ++ hlist_for_each_entry_rcu(mn, &mm->mmu_notifier_mm->list, hlist)
2330 ++ /*
2331 ++ * If ->release runs before mmu_notifier_unregister it must be
2332 ++ * handled, as it's the only way for the driver to flush all
2333 ++ * existing sptes and stop the driver from establishing any more
2334 ++ * sptes before all the pages in the mm are freed.
2335 ++ */
2336 ++ if (mn->ops->release)
2337 ++ mn->ops->release(mn, mm);
2338 ++ srcu_read_unlock(&srcu, id);
2339 ++
2340 + spin_lock(&mm->mmu_notifier_mm->lock);
2341 + while (unlikely(!hlist_empty(&mm->mmu_notifier_mm->list))) {
2342 + mn = hlist_entry(mm->mmu_notifier_mm->list.first,
2343 + struct mmu_notifier,
2344 + hlist);
2345 +-
2346 + /*
2347 +- * Unlink. This will prevent mmu_notifier_unregister()
2348 +- * from also making the ->release() callout.
2349 ++ * We arrived before mmu_notifier_unregister so
2350 ++ * mmu_notifier_unregister will do nothing other than to wait
2351 ++ * for ->release to finish and for mmu_notifier_unregister to
2352 ++ * return.
2353 + */
2354 + hlist_del_init_rcu(&mn->hlist);
2355 +- spin_unlock(&mm->mmu_notifier_mm->lock);
2356 +-
2357 +- /*
2358 +- * Clear sptes. (see 'release' description in mmu_notifier.h)
2359 +- */
2360 +- if (mn->ops->release)
2361 +- mn->ops->release(mn, mm);
2362 +-
2363 +- spin_lock(&mm->mmu_notifier_mm->lock);
2364 + }
2365 + spin_unlock(&mm->mmu_notifier_mm->lock);
2366 +
2367 + /*
2368 +- * All callouts to ->release() which we have done are complete.
2369 +- * Allow synchronize_srcu() in mmu_notifier_unregister() to complete
2370 +- */
2371 +- srcu_read_unlock(&srcu, id);
2372 +-
2373 +- /*
2374 +- * mmu_notifier_unregister() may have unlinked a notifier and may
2375 +- * still be calling out to it. Additionally, other notifiers
2376 +- * may have been active via vmtruncate() et. al. Block here
2377 +- * to ensure that all notifier callouts for this mm have been
2378 +- * completed and the sptes are really cleaned up before returning
2379 +- * to exit_mmap().
2380 ++ * synchronize_srcu here prevents mmu_notifier_release from returning to
2381 ++ * exit_mmap (which would proceed with freeing all pages in the mm)
2382 ++ * until the ->release method returns, if it was invoked by
2383 ++ * mmu_notifier_unregister.
2384 ++ *
2385 ++ * The mmu_notifier_mm can't go away from under us because one mm_count
2386 ++ * is held by exit_mmap.
2387 + */
2388 + synchronize_srcu(&srcu);
2389 + }
2390 +@@ -292,31 +288,34 @@ void mmu_notifier_unregister(struct mmu_notifier *mn, struct mm_struct *mm)
2391 + {
2392 + BUG_ON(atomic_read(&mm->mm_count) <= 0);
2393 +
2394 +- spin_lock(&mm->mmu_notifier_mm->lock);
2395 + if (!hlist_unhashed(&mn->hlist)) {
2396 ++ /*
2397 ++ * SRCU here will force exit_mmap to wait for ->release to
2398 ++ * finish before freeing the pages.
2399 ++ */
2400 + int id;
2401 +
2402 +- /*
2403 +- * Ensure we synchronize up with __mmu_notifier_release().
2404 +- */
2405 + id = srcu_read_lock(&srcu);
2406 +-
2407 +- hlist_del_rcu(&mn->hlist);
2408 +- spin_unlock(&mm->mmu_notifier_mm->lock);
2409 +-
2410 +- if (mn->ops->release)
2411 +- mn->ops->release(mn, mm);
2412 +-
2413 + /*
2414 +- * Allow __mmu_notifier_release() to complete.
2415 ++ * exit_mmap will block in mmu_notifier_release to guarantee
2416 ++ * that ->release is called before freeing the pages.
2417 + */
2418 ++ if (mn->ops->release)
2419 ++ mn->ops->release(mn, mm);
2420 + srcu_read_unlock(&srcu, id);
2421 +- } else
2422 ++
2423 ++ spin_lock(&mm->mmu_notifier_mm->lock);
2424 ++ /*
2425 ++ * Can not use list_del_rcu() since __mmu_notifier_release
2426 ++ * can delete it before we hold the lock.
2427 ++ */
2428 ++ hlist_del_init_rcu(&mn->hlist);
2429 + spin_unlock(&mm->mmu_notifier_mm->lock);
2430 ++ }
2431 +
2432 + /*
2433 +- * Wait for any running method to finish, including ->release() if it
2434 +- * was run by __mmu_notifier_release() instead of us.
2435 ++ * Wait for any running method to finish, of course including
2436 ++ * ->release if it was run by mmu_notifier_relase instead of us.
2437 + */
2438 + synchronize_srcu(&srcu);
2439 +
2440 diff --git a/mm/mprotect.c b/mm/mprotect.c
2441 index 94722a4..07d9926 100644
2442 --- a/mm/mprotect.c
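Review bot: With the `spin_lock(&mm->mmu_notifier_mm->lock)` before `if (!hlist_unhashed(&mn->hlist))` removed in `mmu_notifier_unregister`, that test now runs lockless and can race with `hlist_del_init_rcu` in `__mmu_notifier_release`, so both functions may invoke `mn->ops->release` for the same notifier; the new comments describe the SRCU ordering but never state that `->release` must tolerate a second call, which callback authors need to know — presumably this is the intended contract, and it should be written down at the `if (mn->ops->release)` site in `mmu_notifier_unregister`. The new comment `->release if it was run by mmu_notifier_relase instead of us` misspells `mmu_notifier_release`. `__mmu_notifier_release` starts outside this hunk.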
2443 @@ -82811,6 +83449,19 @@ index 8fcced7..ebcd481 100644
2444
2445 if (order && (gfp_flags & __GFP_COMP))
2446 prep_compound_page(page, order);
2447 +diff --git a/mm/page_io.c b/mm/page_io.c
2448 +index 6182870..4bba6a2 100644
2449 +--- a/mm/page_io.c
2450 ++++ b/mm/page_io.c
2451 +@@ -205,7 +205,7 @@ int swap_writepage(struct page *page, struct writeback_control *wbc)
2452 + struct file *swap_file = sis->swap_file;
2453 + struct address_space *mapping = swap_file->f_mapping;
2454 + struct iovec iov = {
2455 +- .iov_base = kmap(page),
2456 ++ .iov_base = (void __force_user *)kmap(page),
2457 + .iov_len = PAGE_SIZE,
2458 + };
2459 +
2460 diff --git a/mm/percpu.c b/mm/percpu.c
2461 index 8c8e08f..73a5cda 100644
2462 --- a/mm/percpu.c
2463 @@ -91446,6 +92097,19 @@ index d65fa7f..cbfe366 100644
2464 err:
2465 if (iov != iovstack)
2466 kfree(iov);
2467 +diff --git a/security/keys/internal.h b/security/keys/internal.h
2468 +index 8bbefc3..299d03f 100644
2469 +--- a/security/keys/internal.h
2470 ++++ b/security/keys/internal.h
2471 +@@ -240,7 +240,7 @@ extern long keyctl_instantiate_key_iov(key_serial_t,
2472 + extern long keyctl_invalidate_key(key_serial_t);
2473 +
2474 + extern long keyctl_instantiate_key_common(key_serial_t,
2475 +- const struct iovec *,
2476 ++ const struct iovec __user *,
2477 + unsigned, size_t, key_serial_t);
2478 +
2479 + /*
2480 diff --git a/security/keys/key.c b/security/keys/key.c
2481 index 8fb7c7b..ba3610d 100644
2482 --- a/security/keys/key.c
2483 @@ -92335,10 +92999,10 @@ index 0000000..144dbee
2484 +targets += size_overflow_hash.h
2485 diff --git a/tools/gcc/checker_plugin.c b/tools/gcc/checker_plugin.c
2486 new file mode 100644
2487 -index 0000000..d41b5af
2488 +index 0000000..22f03c0
2489 --- /dev/null
2490 +++ b/tools/gcc/checker_plugin.c
2491 -@@ -0,0 +1,171 @@
2492 +@@ -0,0 +1,172 @@
2493 +/*
2494 + * Copyright 2011 by the PaX Team <pageexec@××××××××.hu>
2495 + * Licensed under the GPL v2
2496 @@ -92392,6 +93056,7 @@ index 0000000..d41b5af
2497 +
2498 +static struct plugin_info checker_plugin_info = {
2499 + .version = "201111150100",
2500 ++ .help = NULL,
2501 +};
2502 +
2503 +#define ADDR_SPACE_KERNEL 0