
From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 3.2.66/, 3.18.3/, 3.14.29/, 3.14.30/, 3.18.4/
Date: Thu, 29 Jan 2015 11:42:28
Message-Id: 1422531711.cf65d04c20ef96fe10613b77e58f65f11f612701.blueness@gentoo
1 commit: cf65d04c20ef96fe10613b77e58f65f11f612701
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Thu Jan 29 11:41:51 2015 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Thu Jan 29 11:41:51 2015 +0000
6 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=cf65d04c
7
8 Grsec/PaX: 3.0-{3.2.66,3.14.30,3.18.4}-201501272307
9
10 ---
11 {3.14.29 => 3.14.30}/0000_README | 2 +-
12 .../4420_grsecurity-3.0-3.14.30-201501272307.patch | 661 ++++++++++++------
13 {3.18.3 => 3.14.30}/4425_grsec_remove_EI_PAX.patch | 0
14 .../4427_force_XATTR_PAX_tmpfs.patch | 0
15 .../4430_grsec-remove-localversion-grsec.patch | 0
16 .../4435_grsec-mute-warnings.patch | 0
17 .../4440_grsec-remove-protected-paths.patch | 0
18 .../4450_grsec-kconfig-default-gids.patch | 0
19 .../4465_selinux-avc_audit-log-curr_ip.patch | 0
20 .../4470_disable-compat_vdso.patch | 0
21 {3.18.3 => 3.14.30}/4475_emutramp_default_on.patch | 0
22 {3.18.3 => 3.18.4}/0000_README | 4 +-
23 .../4420_grsecurity-3.0-3.18.4-201501272307.patch | 743 ++++++++++++++++-----
24 {3.14.29 => 3.18.4}/4425_grsec_remove_EI_PAX.patch | 0
25 .../4427_force_XATTR_PAX_tmpfs.patch | 0
26 .../4430_grsec-remove-localversion-grsec.patch | 0
27 {3.18.3 => 3.18.4}/4435_grsec-mute-warnings.patch | 0
28 .../4440_grsec-remove-protected-paths.patch | 0
29 .../4450_grsec-kconfig-default-gids.patch | 12 +-
30 .../4465_selinux-avc_audit-log-curr_ip.patch | 2 +-
31 {3.18.3 => 3.18.4}/4470_disable-compat_vdso.patch | 0
32 {3.14.29 => 3.18.4}/4475_emutramp_default_on.patch | 0
33 3.2.66/0000_README | 2 +-
34 ... 4420_grsecurity-3.0-3.2.66-201501272306.patch} | 227 ++++++-
35 24 files changed, 1208 insertions(+), 445 deletions(-)
36
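diff --git a/3.14.29/0000_README b/3.14.30/0000_README
similarity index 96%
rename from 3.14.29/0000_README
rename to 3.14.30/0000_README
index 77bdae3..e7390a1 100644
--- a/3.14.29/0000_README
+++ b/3.14.30/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.14.29-201501211943.patch
+Patch: 4420_grsecurity-3.0-3.14.30-201501272307.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
 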
54 diff --git a/3.14.29/4420_grsecurity-3.0-3.14.29-201501211943.patch b/3.14.30/4420_grsecurity-3.0-3.14.30-201501272307.patch
55 similarity index 99%
56 rename from 3.14.29/4420_grsecurity-3.0-3.14.29-201501211943.patch
57 rename to 3.14.30/4420_grsecurity-3.0-3.14.30-201501272307.patch
58 index 5df869a..fa3669a 100644
59 --- a/3.14.29/4420_grsecurity-3.0-3.14.29-201501211943.patch
60 +++ b/3.14.30/4420_grsecurity-3.0-3.14.30-201501272307.patch
61 @@ -235,7 +235,7 @@ index b89a739..e289b9b 100644
62 +zconf.lex.c
63 zoffset.h
64 diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
65 -index 7116fda..2f71588 100644
66 +index 5d91ba1..935a4e7 100644
67 --- a/Documentation/kernel-parameters.txt
68 +++ b/Documentation/kernel-parameters.txt
69 @@ -1084,6 +1084,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
70 @@ -249,7 +249,7 @@ index 7116fda..2f71588 100644
71 hashdist= [KNL,NUMA] Large hashes allocated during boot
72 are distributed across NUMA nodes. Defaults on
73 for 64-bit NUMA, off otherwise.
74 -@@ -2080,6 +2084,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
75 +@@ -2081,6 +2085,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
76 noexec=on: enable non-executable mappings (default)
77 noexec=off: disable non-executable mappings
78
79 @@ -260,7 +260,7 @@ index 7116fda..2f71588 100644
80 nosmap [X86]
81 Disable SMAP (Supervisor Mode Access Prevention)
82 even if it is supported by processor.
83 -@@ -2347,6 +2355,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
84 +@@ -2348,6 +2356,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
85 the specified number of seconds. This is to be used if
86 your oopses keep scrolling off the screen.
87
88 @@ -292,7 +292,7 @@ index 7116fda..2f71588 100644
89
90 pcd. [PARIDE]
91 diff --git a/Makefile b/Makefile
92 -index 7aff64e..32dc1aa 100644
93 +index 5b94752..8acf114 100644
94 --- a/Makefile
95 +++ b/Makefile
96 @@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
97 @@ -16387,7 +16387,7 @@ index 1717156..14e260a 100644
98 "6:\n"
99 ".previous\n"
100 diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h
101 -index 50d033a..37deb26 100644
102 +index 50d033a..59ecefa 100644
103 --- a/arch/x86/include/asm/desc.h
104 +++ b/arch/x86/include/asm/desc.h
105 @@ -4,6 +4,7 @@
106 @@ -16485,7 +16485,7 @@ index 50d033a..37deb26 100644
107 }
108
109 static inline void native_load_gdt(const struct desc_ptr *dtr)
110 -@@ -247,8 +258,10 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu)
111 +@@ -247,11 +258,14 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu)
112 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
113 unsigned int i;
114
115 @@ -16495,8 +16495,37 @@ index 50d033a..37deb26 100644
116 + pax_close_kernel();
117 }
118
119 - #define _LDT_empty(info) \
120 -@@ -287,7 +300,7 @@ static inline void load_LDT(mm_context_t *pc)
121 +-#define _LDT_empty(info) \
122 ++/* This intentionally ignores lm, since 32-bit apps don't have that field. */
123 ++#define LDT_empty(info) \
124 + ((info)->base_addr == 0 && \
125 + (info)->limit == 0 && \
126 + (info)->contents == 0 && \
127 +@@ -261,11 +275,18 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu)
128 + (info)->seg_not_present == 1 && \
129 + (info)->useable == 0)
130 +
131 +-#ifdef CONFIG_X86_64
132 +-#define LDT_empty(info) (_LDT_empty(info) && ((info)->lm == 0))
133 +-#else
134 +-#define LDT_empty(info) (_LDT_empty(info))
135 +-#endif
136 ++/* Lots of programs expect an all-zero user_desc to mean "no segment at all". */
137 ++static inline bool LDT_zero(const struct user_desc *info)
138 ++{
139 ++ return (info->base_addr == 0 &&
140 ++ info->limit == 0 &&
141 ++ info->contents == 0 &&
142 ++ info->read_exec_only == 0 &&
143 ++ info->seg_32bit == 0 &&
144 ++ info->limit_in_pages == 0 &&
145 ++ info->seg_not_present == 0 &&
146 ++ info->useable == 0);
147 ++}
148 +
149 + static inline void clear_LDT(void)
150 + {
151 +@@ -287,7 +308,7 @@ static inline void load_LDT(mm_context_t *pc)
152 preempt_enable();
153 }
154
155 @@ -16505,7 +16534,7 @@ index 50d033a..37deb26 100644
156 {
157 return (unsigned)(desc->base0 | ((desc->base1) << 16) | ((desc->base2) << 24));
158 }
159 -@@ -311,7 +324,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit)
160 +@@ -311,7 +332,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit)
161 }
162
163 #ifdef CONFIG_X86_64
164 @@ -16514,7 +16543,7 @@ index 50d033a..37deb26 100644
165 {
166 gate_desc s;
167
168 -@@ -321,14 +334,14 @@ static inline void set_nmi_gate(int gate, void *addr)
169 +@@ -321,14 +342,14 @@ static inline void set_nmi_gate(int gate, void *addr)
170 #endif
171
172 #ifdef CONFIG_TRACING
173 @@ -16532,7 +16561,7 @@ index 50d033a..37deb26 100644
174 unsigned dpl, unsigned ist, unsigned seg)
175 {
176 gate_desc s;
177 -@@ -348,7 +361,7 @@ static inline void write_trace_idt_entry(int entry, const gate_desc *gate)
178 +@@ -348,7 +369,7 @@ static inline void write_trace_idt_entry(int entry, const gate_desc *gate)
179 #define _trace_set_gate(gate, type, addr, dpl, ist, seg)
180 #endif
181
182 @@ -16541,7 +16570,7 @@ index 50d033a..37deb26 100644
183 unsigned dpl, unsigned ist, unsigned seg)
184 {
185 gate_desc s;
186 -@@ -371,9 +384,9 @@ static inline void _set_gate(int gate, unsigned type, void *addr,
187 +@@ -371,9 +392,9 @@ static inline void _set_gate(int gate, unsigned type, void *addr,
188 #define set_intr_gate(n, addr) \
189 do { \
190 BUG_ON((unsigned)n > 0xFF); \
191 @@ -16553,7 +16582,7 @@ index 50d033a..37deb26 100644
192 0, 0, __KERNEL_CS); \
193 } while (0)
194
195 -@@ -401,19 +414,19 @@ static inline void alloc_system_vector(int vector)
196 +@@ -401,19 +422,19 @@ static inline void alloc_system_vector(int vector)
197 /*
198 * This routine sets up an interrupt gate at directory privilege level 3.
199 */
200 @@ -16576,7 +16605,7 @@ index 50d033a..37deb26 100644
201 {
202 BUG_ON((unsigned)n > 0xFF);
203 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
204 -@@ -422,16 +435,16 @@ static inline void set_trap_gate(unsigned int n, void *addr)
205 +@@ -422,16 +443,16 @@ static inline void set_trap_gate(unsigned int n, void *addr)
206 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
207 {
208 BUG_ON((unsigned)n > 0xFF);
209 @@ -16596,7 +16625,7 @@ index 50d033a..37deb26 100644
210 {
211 BUG_ON((unsigned)n > 0xFF);
212 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
213 -@@ -503,4 +516,17 @@ static inline void load_current_idt(void)
214 +@@ -503,4 +524,17 @@ static inline void load_current_idt(void)
215 else
216 load_idt((const struct desc_ptr *)&idt_descr);
217 }
218 @@ -22264,10 +22293,10 @@ index 01d1c18..8073693 100644
219 #include <asm/processor.h>
220 #include <asm/fcntl.h>
221 diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
222 -index c5a9cb9..228d280 100644
223 +index c5a9cb9..b6a5426 100644
224 --- a/arch/x86/kernel/entry_32.S
225 +++ b/arch/x86/kernel/entry_32.S
226 -@@ -177,13 +177,153 @@
227 +@@ -177,13 +177,154 @@
228 /*CFI_REL_OFFSET gs, PT_GS*/
229 .endm
230 .macro SET_KERNEL_GS reg
231 @@ -22396,6 +22425,7 @@ index c5a9cb9..228d280 100644
232 + jne 1b
233 +
234 +2: cld
235 ++ or $2*4, %edi
236 + mov %esp, %ecx
237 + sub %edi, %ecx
238 +
239 @@ -22422,7 +22452,7 @@ index c5a9cb9..228d280 100644
240 cld
241 PUSH_GS
242 pushl_cfi %fs
243 -@@ -206,7 +346,7 @@
244 +@@ -206,7 +347,7 @@
245 CFI_REL_OFFSET ecx, 0
246 pushl_cfi %ebx
247 CFI_REL_OFFSET ebx, 0
248 @@ -22431,7 +22461,7 @@ index c5a9cb9..228d280 100644
249 movl %edx, %ds
250 movl %edx, %es
251 movl $(__KERNEL_PERCPU), %edx
252 -@@ -214,6 +354,15 @@
253 +@@ -214,6 +355,15 @@
254 SET_KERNEL_GS %edx
255 .endm
256
257 @@ -22447,7 +22477,7 @@ index c5a9cb9..228d280 100644
258 .macro RESTORE_INT_REGS
259 popl_cfi %ebx
260 CFI_RESTORE ebx
261 -@@ -297,7 +446,7 @@ ENTRY(ret_from_fork)
262 +@@ -297,7 +447,7 @@ ENTRY(ret_from_fork)
263 popfl_cfi
264 jmp syscall_exit
265 CFI_ENDPROC
266 @@ -22456,7 +22486,7 @@ index c5a9cb9..228d280 100644
267
268 ENTRY(ret_from_kernel_thread)
269 CFI_STARTPROC
270 -@@ -344,7 +493,15 @@ ret_from_intr:
271 +@@ -344,7 +494,15 @@ ret_from_intr:
272 andl $SEGMENT_RPL_MASK, %eax
273 #endif
274 cmpl $USER_RPL, %eax
275 @@ -22472,7 +22502,7 @@ index c5a9cb9..228d280 100644
276
277 ENTRY(resume_userspace)
278 LOCKDEP_SYS_EXIT
279 -@@ -356,8 +513,8 @@ ENTRY(resume_userspace)
280 +@@ -356,8 +514,8 @@ ENTRY(resume_userspace)
281 andl $_TIF_WORK_MASK, %ecx # is there any work to be done on
282 # int/exception return?
283 jne work_pending
284 @@ -22483,7 +22513,7 @@ index c5a9cb9..228d280 100644
285
286 #ifdef CONFIG_PREEMPT
287 ENTRY(resume_kernel)
288 -@@ -369,7 +526,7 @@ need_resched:
289 +@@ -369,7 +527,7 @@ need_resched:
290 jz restore_all
291 call preempt_schedule_irq
292 jmp need_resched
293 @@ -22492,7 +22522,7 @@ index c5a9cb9..228d280 100644
294 #endif
295 CFI_ENDPROC
296 /*
297 -@@ -403,30 +560,45 @@ sysenter_past_esp:
298 +@@ -403,30 +561,45 @@ sysenter_past_esp:
299 /*CFI_REL_OFFSET cs, 0*/
300 /*
301 * Push current_thread_info()->sysenter_return to the stack.
302 @@ -22541,7 +22571,7 @@ index c5a9cb9..228d280 100644
303 testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%ebp)
304 jnz sysenter_audit
305 sysenter_do_call:
306 -@@ -442,12 +614,24 @@ sysenter_after_call:
307 +@@ -442,12 +615,24 @@ sysenter_after_call:
308 testl $_TIF_ALLWORK_MASK, %ecx
309 jne sysexit_audit
310 sysenter_exit:
311 @@ -22566,7 +22596,7 @@ index c5a9cb9..228d280 100644
312 PTGS_TO_GS
313 ENABLE_INTERRUPTS_SYSEXIT
314
315 -@@ -464,6 +648,9 @@ sysenter_audit:
316 +@@ -464,6 +649,9 @@ sysenter_audit:
317 movl %eax,%edx /* 2nd arg: syscall number */
318 movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */
319 call __audit_syscall_entry
320 @@ -22576,7 +22606,7 @@ index c5a9cb9..228d280 100644
321 pushl_cfi %ebx
322 movl PT_EAX(%esp),%eax /* reload syscall number */
323 jmp sysenter_do_call
324 -@@ -489,10 +676,16 @@ sysexit_audit:
325 +@@ -489,10 +677,16 @@ sysexit_audit:
326
327 CFI_ENDPROC
328 .pushsection .fixup,"ax"
329 @@ -22595,7 +22625,7 @@ index c5a9cb9..228d280 100644
330 PTGS_TO_GS_EX
331 ENDPROC(ia32_sysenter_target)
332
333 -@@ -507,6 +700,11 @@ ENTRY(system_call)
334 +@@ -507,6 +701,11 @@ ENTRY(system_call)
335 pushl_cfi %eax # save orig_eax
336 SAVE_ALL
337 GET_THREAD_INFO(%ebp)
338 @@ -22607,7 +22637,7 @@ index c5a9cb9..228d280 100644
339 # system call tracing in operation / emulation
340 testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%ebp)
341 jnz syscall_trace_entry
342 -@@ -526,6 +724,15 @@ syscall_exit:
343 +@@ -526,6 +725,15 @@ syscall_exit:
344 testl $_TIF_ALLWORK_MASK, %ecx # current->work
345 jne syscall_exit_work
346
347 @@ -22623,7 +22653,7 @@ index c5a9cb9..228d280 100644
348 restore_all:
349 TRACE_IRQS_IRET
350 restore_all_notrace:
351 -@@ -580,14 +787,34 @@ ldt_ss:
352 +@@ -580,14 +788,34 @@ ldt_ss:
353 * compensating for the offset by changing to the ESPFIX segment with
354 * a base address that matches for the difference.
355 */
356 @@ -22661,7 +22691,7 @@ index c5a9cb9..228d280 100644
357 pushl_cfi $__ESPFIX_SS
358 pushl_cfi %eax /* new kernel esp */
359 /* Disable interrupts, but do not irqtrace this section: we
360 -@@ -617,20 +844,18 @@ work_resched:
361 +@@ -617,20 +845,18 @@ work_resched:
362 movl TI_flags(%ebp), %ecx
363 andl $_TIF_WORK_MASK, %ecx # is there any work to be done other
364 # than syscall tracing?
365 @@ -22684,7 +22714,7 @@ index c5a9cb9..228d280 100644
366 #endif
367 TRACE_IRQS_ON
368 ENABLE_INTERRUPTS(CLBR_NONE)
369 -@@ -651,7 +876,7 @@ work_notifysig_v86:
370 +@@ -651,7 +877,7 @@ work_notifysig_v86:
371 movl %eax, %esp
372 jmp 1b
373 #endif
374 @@ -22693,7 +22723,7 @@ index c5a9cb9..228d280 100644
375
376 # perform syscall exit tracing
377 ALIGN
378 -@@ -659,11 +884,14 @@ syscall_trace_entry:
379 +@@ -659,11 +885,14 @@ syscall_trace_entry:
380 movl $-ENOSYS,PT_EAX(%esp)
381 movl %esp, %eax
382 call syscall_trace_enter
383 @@ -22709,7 +22739,7 @@ index c5a9cb9..228d280 100644
384
385 # perform syscall exit tracing
386 ALIGN
387 -@@ -676,26 +904,30 @@ syscall_exit_work:
388 +@@ -676,26 +905,30 @@ syscall_exit_work:
389 movl %esp, %eax
390 call syscall_trace_leave
391 jmp resume_userspace
392 @@ -22744,7 +22774,7 @@ index c5a9cb9..228d280 100644
393 CFI_ENDPROC
394 /*
395 * End of kprobes section
396 -@@ -712,8 +944,15 @@ END(syscall_badsys)
397 +@@ -712,8 +945,15 @@ END(syscall_badsys)
398 */
399 #ifdef CONFIG_X86_ESPFIX32
400 /* fixup the stack */
401 @@ -22762,7 +22792,7 @@ index c5a9cb9..228d280 100644
402 shl $16, %eax
403 addl %esp, %eax /* the adjusted stack pointer */
404 pushl_cfi $__KERNEL_DS
405 -@@ -769,7 +1008,7 @@ vector=vector+1
406 +@@ -769,7 +1009,7 @@ vector=vector+1
407 .endr
408 2: jmp common_interrupt
409 .endr
410 @@ -22771,7 +22801,7 @@ index c5a9cb9..228d280 100644
411
412 .previous
413 END(interrupt)
414 -@@ -830,7 +1069,7 @@ ENTRY(coprocessor_error)
415 +@@ -830,7 +1070,7 @@ ENTRY(coprocessor_error)
416 pushl_cfi $do_coprocessor_error
417 jmp error_code
418 CFI_ENDPROC
419 @@ -22780,7 +22810,7 @@ index c5a9cb9..228d280 100644
420
421 ENTRY(simd_coprocessor_error)
422 RING0_INT_FRAME
423 -@@ -843,7 +1082,7 @@ ENTRY(simd_coprocessor_error)
424 +@@ -843,7 +1083,7 @@ ENTRY(simd_coprocessor_error)
425 .section .altinstructions,"a"
426 altinstruction_entry 661b, 663f, X86_FEATURE_XMM, 662b-661b, 664f-663f
427 .previous
428 @@ -22789,7 +22819,7 @@ index c5a9cb9..228d280 100644
429 663: pushl $do_simd_coprocessor_error
430 664:
431 .previous
432 -@@ -852,7 +1091,7 @@ ENTRY(simd_coprocessor_error)
433 +@@ -852,7 +1092,7 @@ ENTRY(simd_coprocessor_error)
434 #endif
435 jmp error_code
436 CFI_ENDPROC
437 @@ -22798,7 +22828,7 @@ index c5a9cb9..228d280 100644
438
439 ENTRY(device_not_available)
440 RING0_INT_FRAME
441 -@@ -861,18 +1100,18 @@ ENTRY(device_not_available)
442 +@@ -861,18 +1101,18 @@ ENTRY(device_not_available)
443 pushl_cfi $do_device_not_available
444 jmp error_code
445 CFI_ENDPROC
446 @@ -22820,7 +22850,7 @@ index c5a9cb9..228d280 100644
447 #endif
448
449 ENTRY(overflow)
450 -@@ -882,7 +1121,7 @@ ENTRY(overflow)
451 +@@ -882,7 +1122,7 @@ ENTRY(overflow)
452 pushl_cfi $do_overflow
453 jmp error_code
454 CFI_ENDPROC
455 @@ -22829,7 +22859,7 @@ index c5a9cb9..228d280 100644
456
457 ENTRY(bounds)
458 RING0_INT_FRAME
459 -@@ -891,7 +1130,7 @@ ENTRY(bounds)
460 +@@ -891,7 +1131,7 @@ ENTRY(bounds)
461 pushl_cfi $do_bounds
462 jmp error_code
463 CFI_ENDPROC
464 @@ -22838,7 +22868,7 @@ index c5a9cb9..228d280 100644
465
466 ENTRY(invalid_op)
467 RING0_INT_FRAME
468 -@@ -900,7 +1139,7 @@ ENTRY(invalid_op)
469 +@@ -900,7 +1140,7 @@ ENTRY(invalid_op)
470 pushl_cfi $do_invalid_op
471 jmp error_code
472 CFI_ENDPROC
473 @@ -22847,7 +22877,7 @@ index c5a9cb9..228d280 100644
474
475 ENTRY(coprocessor_segment_overrun)
476 RING0_INT_FRAME
477 -@@ -909,7 +1148,7 @@ ENTRY(coprocessor_segment_overrun)
478 +@@ -909,7 +1149,7 @@ ENTRY(coprocessor_segment_overrun)
479 pushl_cfi $do_coprocessor_segment_overrun
480 jmp error_code
481 CFI_ENDPROC
482 @@ -22856,7 +22886,7 @@ index c5a9cb9..228d280 100644
483
484 ENTRY(invalid_TSS)
485 RING0_EC_FRAME
486 -@@ -917,7 +1156,7 @@ ENTRY(invalid_TSS)
487 +@@ -917,7 +1157,7 @@ ENTRY(invalid_TSS)
488 pushl_cfi $do_invalid_TSS
489 jmp error_code
490 CFI_ENDPROC
491 @@ -22865,7 +22895,7 @@ index c5a9cb9..228d280 100644
492
493 ENTRY(segment_not_present)
494 RING0_EC_FRAME
495 -@@ -925,7 +1164,7 @@ ENTRY(segment_not_present)
496 +@@ -925,7 +1165,7 @@ ENTRY(segment_not_present)
497 pushl_cfi $do_segment_not_present
498 jmp error_code
499 CFI_ENDPROC
500 @@ -22874,7 +22904,7 @@ index c5a9cb9..228d280 100644
501
502 ENTRY(stack_segment)
503 RING0_EC_FRAME
504 -@@ -933,7 +1172,7 @@ ENTRY(stack_segment)
505 +@@ -933,7 +1173,7 @@ ENTRY(stack_segment)
506 pushl_cfi $do_stack_segment
507 jmp error_code
508 CFI_ENDPROC
509 @@ -22883,7 +22913,7 @@ index c5a9cb9..228d280 100644
510
511 ENTRY(alignment_check)
512 RING0_EC_FRAME
513 -@@ -941,7 +1180,7 @@ ENTRY(alignment_check)
514 +@@ -941,7 +1181,7 @@ ENTRY(alignment_check)
515 pushl_cfi $do_alignment_check
516 jmp error_code
517 CFI_ENDPROC
518 @@ -22892,7 +22922,7 @@ index c5a9cb9..228d280 100644
519
520 ENTRY(divide_error)
521 RING0_INT_FRAME
522 -@@ -950,7 +1189,7 @@ ENTRY(divide_error)
523 +@@ -950,7 +1190,7 @@ ENTRY(divide_error)
524 pushl_cfi $do_divide_error
525 jmp error_code
526 CFI_ENDPROC
527 @@ -22901,7 +22931,7 @@ index c5a9cb9..228d280 100644
528
529 #ifdef CONFIG_X86_MCE
530 ENTRY(machine_check)
531 -@@ -960,7 +1199,7 @@ ENTRY(machine_check)
532 +@@ -960,7 +1200,7 @@ ENTRY(machine_check)
533 pushl_cfi machine_check_vector
534 jmp error_code
535 CFI_ENDPROC
536 @@ -22910,7 +22940,7 @@ index c5a9cb9..228d280 100644
537 #endif
538
539 ENTRY(spurious_interrupt_bug)
540 -@@ -970,7 +1209,7 @@ ENTRY(spurious_interrupt_bug)
541 +@@ -970,7 +1210,7 @@ ENTRY(spurious_interrupt_bug)
542 pushl_cfi $do_spurious_interrupt_bug
543 jmp error_code
544 CFI_ENDPROC
545 @@ -22919,7 +22949,7 @@ index c5a9cb9..228d280 100644
546 /*
547 * End of kprobes section
548 */
549 -@@ -1080,7 +1319,7 @@ BUILD_INTERRUPT3(hyperv_callback_vector, HYPERVISOR_CALLBACK_VECTOR,
550 +@@ -1080,7 +1320,7 @@ BUILD_INTERRUPT3(hyperv_callback_vector, HYPERVISOR_CALLBACK_VECTOR,
551
552 ENTRY(mcount)
553 ret
554 @@ -22928,7 +22958,7 @@ index c5a9cb9..228d280 100644
555
556 ENTRY(ftrace_caller)
557 cmpl $0, function_trace_stop
558 -@@ -1113,7 +1352,7 @@ ftrace_graph_call:
559 +@@ -1113,7 +1353,7 @@ ftrace_graph_call:
560 .globl ftrace_stub
561 ftrace_stub:
562 ret
563 @@ -22937,7 +22967,7 @@ index c5a9cb9..228d280 100644
564
565 ENTRY(ftrace_regs_caller)
566 pushf /* push flags before compare (in cs location) */
567 -@@ -1217,7 +1456,7 @@ trace:
568 +@@ -1217,7 +1457,7 @@ trace:
569 popl %ecx
570 popl %eax
571 jmp ftrace_stub
572 @@ -22946,7 +22976,7 @@ index c5a9cb9..228d280 100644
573 #endif /* CONFIG_DYNAMIC_FTRACE */
574 #endif /* CONFIG_FUNCTION_TRACER */
575
576 -@@ -1235,7 +1474,7 @@ ENTRY(ftrace_graph_caller)
577 +@@ -1235,7 +1475,7 @@ ENTRY(ftrace_graph_caller)
578 popl %ecx
579 popl %eax
580 ret
581 @@ -22955,7 +22985,7 @@ index c5a9cb9..228d280 100644
582
583 .globl return_to_handler
584 return_to_handler:
585 -@@ -1301,15 +1540,18 @@ error_code:
586 +@@ -1301,15 +1541,18 @@ error_code:
587 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
588 REG_TO_PTGS %ecx
589 SET_KERNEL_GS %ecx
590 @@ -22976,7 +23006,7 @@ index c5a9cb9..228d280 100644
591
592 /*
593 * Debug traps and NMI can happen at the one SYSENTER instruction
594 -@@ -1352,7 +1594,7 @@ debug_stack_correct:
595 +@@ -1352,7 +1595,7 @@ debug_stack_correct:
596 call do_debug
597 jmp ret_from_exception
598 CFI_ENDPROC
599 @@ -22985,7 +23015,7 @@ index c5a9cb9..228d280 100644
600
601 /*
602 * NMI is doubly nasty. It can happen _while_ we're handling
603 -@@ -1392,6 +1634,9 @@ nmi_stack_correct:
604 +@@ -1392,6 +1635,9 @@ nmi_stack_correct:
605 xorl %edx,%edx # zero error code
606 movl %esp,%eax # pt_regs pointer
607 call do_nmi
608 @@ -22995,7 +23025,7 @@ index c5a9cb9..228d280 100644
609 jmp restore_all_notrace
610 CFI_ENDPROC
611
612 -@@ -1429,13 +1674,16 @@ nmi_espfix_stack:
613 +@@ -1429,13 +1675,16 @@ nmi_espfix_stack:
614 FIXUP_ESPFIX_STACK # %eax == %esp
615 xorl %edx,%edx # zero error code
616 call do_nmi
617 @@ -23013,7 +23043,7 @@ index c5a9cb9..228d280 100644
618
619 ENTRY(int3)
620 RING0_INT_FRAME
621 -@@ -1448,14 +1696,14 @@ ENTRY(int3)
622 +@@ -1448,14 +1697,14 @@ ENTRY(int3)
623 call do_int3
624 jmp ret_from_exception
625 CFI_ENDPROC
626 @@ -23030,7 +23060,7 @@ index c5a9cb9..228d280 100644
627
628 #ifdef CONFIG_KVM_GUEST
629 ENTRY(async_page_fault)
630 -@@ -1464,7 +1712,7 @@ ENTRY(async_page_fault)
631 +@@ -1464,7 +1713,7 @@ ENTRY(async_page_fault)
632 pushl_cfi $do_async_page_fault
633 jmp error_code
634 CFI_ENDPROC
635 @@ -23040,7 +23070,7 @@ index c5a9cb9..228d280 100644
636
637 /*
638 diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
639 -index 02553d6..d1fcecb 100644
640 +index 02553d6..81f4dc7 100644
641 --- a/arch/x86/kernel/entry_64.S
642 +++ b/arch/x86/kernel/entry_64.S
643 @@ -60,6 +60,8 @@
644 @@ -23127,7 +23157,7 @@ index 02553d6..d1fcecb 100644
645 #endif
646
647
648 -@@ -285,6 +294,430 @@ ENTRY(native_usergs_sysret64)
649 +@@ -285,6 +294,431 @@ ENTRY(native_usergs_sysret64)
650 ENDPROC(native_usergs_sysret64)
651 #endif /* CONFIG_PARAVIRT */
652
653 @@ -23532,6 +23562,7 @@ index 02553d6..d1fcecb 100644
654 + jne 1b
655 +
656 +2: cld
657 ++ or $2*8, %rdi
658 + mov %esp, %ecx
659 + sub %edi, %ecx
660 +
661 @@ -23558,7 +23589,7 @@ index 02553d6..d1fcecb 100644
662
663 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
664 #ifdef CONFIG_TRACE_IRQFLAGS
665 -@@ -321,7 +754,7 @@ ENDPROC(native_usergs_sysret64)
666 +@@ -321,7 +755,7 @@ ENDPROC(native_usergs_sysret64)
667 .endm
668
669 .macro TRACE_IRQS_IRETQ_DEBUG offset=ARGOFFSET
670 @@ -23567,7 +23598,7 @@ index 02553d6..d1fcecb 100644
671 jnc 1f
672 TRACE_IRQS_ON_DEBUG
673 1:
674 -@@ -359,27 +792,6 @@ ENDPROC(native_usergs_sysret64)
675 +@@ -359,27 +793,6 @@ ENDPROC(native_usergs_sysret64)
676 movq \tmp,R11+\offset(%rsp)
677 .endm
678
679 @@ -23595,7 +23626,7 @@ index 02553d6..d1fcecb 100644
680 /*
681 * initial frame state for interrupts (and exceptions without error code)
682 */
683 -@@ -446,25 +858,26 @@ ENDPROC(native_usergs_sysret64)
684 +@@ -446,25 +859,26 @@ ENDPROC(native_usergs_sysret64)
685 /* save partial stack frame */
686 .macro SAVE_ARGS_IRQ
687 cld
688 @@ -23635,7 +23666,7 @@ index 02553d6..d1fcecb 100644
689 je 1f
690 SWAPGS
691 /*
692 -@@ -484,6 +897,18 @@ ENDPROC(native_usergs_sysret64)
693 +@@ -484,6 +898,18 @@ ENDPROC(native_usergs_sysret64)
694 0x06 /* DW_OP_deref */, \
695 0x08 /* DW_OP_const1u */, SS+8-RBP, \
696 0x22 /* DW_OP_plus */
697 @@ -23654,7 +23685,7 @@ index 02553d6..d1fcecb 100644
698 /* We entered an interrupt context - irqs are off: */
699 TRACE_IRQS_OFF
700 .endm
701 -@@ -515,9 +940,52 @@ ENTRY(save_paranoid)
702 +@@ -515,9 +941,52 @@ ENTRY(save_paranoid)
703 js 1f /* negative -> in kernel */
704 SWAPGS
705 xorl %ebx,%ebx
706 @@ -23709,7 +23740,7 @@ index 02553d6..d1fcecb 100644
707 .popsection
708
709 /*
710 -@@ -539,7 +1007,7 @@ ENTRY(ret_from_fork)
711 +@@ -539,7 +1008,7 @@ ENTRY(ret_from_fork)
712
713 RESTORE_REST
714
715 @@ -23718,7 +23749,7 @@ index 02553d6..d1fcecb 100644
716 jz 1f
717
718 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
719 -@@ -549,15 +1017,13 @@ ENTRY(ret_from_fork)
720 +@@ -549,15 +1018,13 @@ ENTRY(ret_from_fork)
721 jmp ret_from_sys_call # go to the SYSRET fastpath
722
723 1:
724 @@ -23735,7 +23766,7 @@ index 02553d6..d1fcecb 100644
725
726 /*
727 * System call entry. Up to 6 arguments in registers are supported.
728 -@@ -594,7 +1060,7 @@ END(ret_from_fork)
729 +@@ -594,7 +1061,7 @@ END(ret_from_fork)
730 ENTRY(system_call)
731 CFI_STARTPROC simple
732 CFI_SIGNAL_FRAME
733 @@ -23744,7 +23775,7 @@ index 02553d6..d1fcecb 100644
734 CFI_REGISTER rip,rcx
735 /*CFI_REGISTER rflags,r11*/
736 SWAPGS_UNSAFE_STACK
737 -@@ -607,16 +1073,23 @@ GLOBAL(system_call_after_swapgs)
738 +@@ -607,16 +1074,23 @@ GLOBAL(system_call_after_swapgs)
739
740 movq %rsp,PER_CPU_VAR(old_rsp)
741 movq PER_CPU_VAR(kernel_stack),%rsp
742 @@ -23770,7 +23801,7 @@ index 02553d6..d1fcecb 100644
743 jnz tracesys
744 system_call_fastpath:
745 #if __SYSCALL_MASK == ~0
746 -@@ -640,10 +1113,13 @@ sysret_check:
747 +@@ -640,10 +1114,13 @@ sysret_check:
748 LOCKDEP_SYS_EXIT
749 DISABLE_INTERRUPTS(CLBR_NONE)
750 TRACE_IRQS_OFF
751 @@ -23785,7 +23816,7 @@ index 02553d6..d1fcecb 100644
752 /*
753 * sysretq will re-enable interrupts:
754 */
755 -@@ -702,6 +1178,9 @@ auditsys:
756 +@@ -702,6 +1179,9 @@ auditsys:
757 movq %rax,%rsi /* 2nd arg: syscall number */
758 movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */
759 call __audit_syscall_entry
760 @@ -23795,7 +23826,7 @@ index 02553d6..d1fcecb 100644
761 LOAD_ARGS 0 /* reload call-clobbered registers */
762 jmp system_call_fastpath
763
764 -@@ -723,7 +1202,7 @@ sysret_audit:
765 +@@ -723,7 +1203,7 @@ sysret_audit:
766 /* Do syscall tracing */
767 tracesys:
768 #ifdef CONFIG_AUDITSYSCALL
769 @@ -23804,7 +23835,7 @@ index 02553d6..d1fcecb 100644
770 jz auditsys
771 #endif
772 SAVE_REST
773 -@@ -731,12 +1210,15 @@ tracesys:
774 +@@ -731,12 +1211,15 @@ tracesys:
775 FIXUP_TOP_OF_STACK %rdi
776 movq %rsp,%rdi
777 call syscall_trace_enter
778 @@ -23821,7 +23852,7 @@ index 02553d6..d1fcecb 100644
779 RESTORE_REST
780 #if __SYSCALL_MASK == ~0
781 cmpq $__NR_syscall_max,%rax
782 -@@ -766,7 +1248,9 @@ GLOBAL(int_with_check)
783 +@@ -766,7 +1249,9 @@ GLOBAL(int_with_check)
784 andl %edi,%edx
785 jnz int_careful
786 andl $~TS_COMPAT,TI_status(%rcx)
787 @@ -23832,7 +23863,7 @@ index 02553d6..d1fcecb 100644
788
789 /* Either reschedule or signal or syscall exit tracking needed. */
790 /* First do a reschedule test. */
791 -@@ -812,7 +1296,7 @@ int_restore_rest:
792 +@@ -812,7 +1297,7 @@ int_restore_rest:
793 TRACE_IRQS_OFF
794 jmp int_with_check
795 CFI_ENDPROC
796 @@ -23841,7 +23872,7 @@ index 02553d6..d1fcecb 100644
797
798 .macro FORK_LIKE func
799 ENTRY(stub_\func)
800 -@@ -825,9 +1309,10 @@ ENTRY(stub_\func)
801 +@@ -825,9 +1310,10 @@ ENTRY(stub_\func)
802 DEFAULT_FRAME 0 8 /* offset 8: return address */
803 call sys_\func
804 RESTORE_TOP_OF_STACK %r11, 8
805 @@ -23854,7 +23885,7 @@ index 02553d6..d1fcecb 100644
806 .endm
807
808 .macro FIXED_FRAME label,func
809 -@@ -837,9 +1322,10 @@ ENTRY(\label)
810 +@@ -837,9 +1323,10 @@ ENTRY(\label)
811 FIXUP_TOP_OF_STACK %r11, 8-ARGOFFSET
812 call \func
813 RESTORE_TOP_OF_STACK %r11, 8-ARGOFFSET
814 @@ -23866,7 +23897,7 @@ index 02553d6..d1fcecb 100644
815 .endm
816
817 FORK_LIKE clone
818 -@@ -847,19 +1333,6 @@ END(\label)
819 +@@ -847,19 +1334,6 @@ END(\label)
820 FORK_LIKE vfork
821 FIXED_FRAME stub_iopl, sys_iopl
822
823 @@ -23886,7 +23917,7 @@ index 02553d6..d1fcecb 100644
824 ENTRY(stub_execve)
825 CFI_STARTPROC
826 addq $8, %rsp
827 -@@ -871,7 +1344,7 @@ ENTRY(stub_execve)
828 +@@ -871,7 +1345,7 @@ ENTRY(stub_execve)
829 RESTORE_REST
830 jmp int_ret_from_sys_call
831 CFI_ENDPROC
832 @@ -23895,7 +23926,7 @@ index 02553d6..d1fcecb 100644
833
834 /*
835 * sigreturn is special because it needs to restore all registers on return.
836 -@@ -888,7 +1361,7 @@ ENTRY(stub_rt_sigreturn)
837 +@@ -888,7 +1362,7 @@ ENTRY(stub_rt_sigreturn)
838 RESTORE_REST
839 jmp int_ret_from_sys_call
840 CFI_ENDPROC
841 @@ -23904,7 +23935,7 @@ index 02553d6..d1fcecb 100644
842
843 #ifdef CONFIG_X86_X32_ABI
844 ENTRY(stub_x32_rt_sigreturn)
845 -@@ -902,7 +1375,7 @@ ENTRY(stub_x32_rt_sigreturn)
846 +@@ -902,7 +1376,7 @@ ENTRY(stub_x32_rt_sigreturn)
847 RESTORE_REST
848 jmp int_ret_from_sys_call
849 CFI_ENDPROC
850 @@ -23913,7 +23944,7 @@ index 02553d6..d1fcecb 100644
851
852 ENTRY(stub_x32_execve)
853 CFI_STARTPROC
854 -@@ -916,7 +1389,7 @@ ENTRY(stub_x32_execve)
855 +@@ -916,7 +1390,7 @@ ENTRY(stub_x32_execve)
856 RESTORE_REST
857 jmp int_ret_from_sys_call
858 CFI_ENDPROC
859 @@ -23922,7 +23953,7 @@ index 02553d6..d1fcecb 100644
860
861 #endif
862
863 -@@ -953,7 +1426,7 @@ vector=vector+1
864 +@@ -953,7 +1427,7 @@ vector=vector+1
865 2: jmp common_interrupt
866 .endr
867 CFI_ENDPROC
868 @@ -23931,7 +23962,7 @@ index 02553d6..d1fcecb 100644
869
870 .previous
871 END(interrupt)
872 -@@ -970,8 +1443,8 @@ END(interrupt)
873 +@@ -970,8 +1444,8 @@ END(interrupt)
874 /* 0(%rsp): ~(interrupt number) */
875 .macro interrupt func
876 /* reserve pt_regs for scratch regs and rbp */
877 @@ -23942,7 +23973,7 @@ index 02553d6..d1fcecb 100644
878 SAVE_ARGS_IRQ
879 call \func
880 .endm
881 -@@ -998,14 +1471,14 @@ ret_from_intr:
882 +@@ -998,14 +1472,14 @@ ret_from_intr:
883
884 /* Restore saved previous stack */
885 popq %rsi
886 @@ -23961,7 +23992,7 @@ index 02553d6..d1fcecb 100644
887 je retint_kernel
888
889 /* Interrupt came from user space */
890 -@@ -1027,12 +1500,35 @@ retint_swapgs: /* return to user-space */
891 +@@ -1027,12 +1501,35 @@ retint_swapgs: /* return to user-space */
892 * The iretq could re-enable interrupts:
893 */
894 DISABLE_INTERRUPTS(CLBR_ANY)
895 @@ -23997,7 +24028,7 @@ index 02553d6..d1fcecb 100644
896 /*
897 * The iretq could re-enable interrupts:
898 */
899 -@@ -1070,15 +1566,15 @@ native_irq_return_ldt:
900 +@@ -1070,15 +1567,15 @@ native_irq_return_ldt:
901 SWAPGS
902 movq PER_CPU_VAR(espfix_waddr),%rdi
903 movq %rax,(0*8)(%rdi) /* RAX */
904 @@ -24018,7 +24049,7 @@ index 02553d6..d1fcecb 100644
905 movq %rax,(4*8)(%rdi)
906 andl $0xffff0000,%eax
907 popq_cfi %rdi
908 -@@ -1132,7 +1628,7 @@ ENTRY(retint_kernel)
909 +@@ -1132,7 +1629,7 @@ ENTRY(retint_kernel)
910 jmp exit_intr
911 #endif
912 CFI_ENDPROC
913 @@ -24027,7 +24058,7 @@ index 02553d6..d1fcecb 100644
914
915 /*
916 * End of kprobes section
917 -@@ -1151,7 +1647,7 @@ ENTRY(\sym)
918 +@@ -1151,7 +1648,7 @@ ENTRY(\sym)
919 interrupt \do_sym
920 jmp ret_from_intr
921 CFI_ENDPROC
922 @@ -24036,7 +24067,7 @@ index 02553d6..d1fcecb 100644
923 .endm
924
925 #ifdef CONFIG_TRACING
926 -@@ -1239,7 +1735,7 @@ ENTRY(\sym)
927 +@@ -1239,7 +1736,7 @@ ENTRY(\sym)
928 call \do_sym
929 jmp error_exit /* %ebx: no swapgs flag */
930 CFI_ENDPROC
931 @@ -24045,7 +24076,7 @@ index 02553d6..d1fcecb 100644
932 .endm
933
934 .macro paranoidzeroentry sym do_sym
935 -@@ -1257,10 +1753,10 @@ ENTRY(\sym)
936 +@@ -1257,10 +1754,10 @@ ENTRY(\sym)
937 call \do_sym
938 jmp paranoid_exit /* %ebx: no swapgs flag */
939 CFI_ENDPROC
940 @@ -24058,7 +24089,7 @@ index 02553d6..d1fcecb 100644
941 .macro paranoidzeroentry_ist sym do_sym ist
942 ENTRY(\sym)
943 INTR_FRAME
944 -@@ -1273,12 +1769,18 @@ ENTRY(\sym)
945 +@@ -1273,12 +1770,18 @@ ENTRY(\sym)
946 TRACE_IRQS_OFF_DEBUG
947 movq %rsp,%rdi /* pt_regs pointer */
948 xorl %esi,%esi /* no error code */
949 @@ -24078,7 +24109,7 @@ index 02553d6..d1fcecb 100644
950 .endm
951
952 .macro errorentry sym do_sym
953 -@@ -1296,7 +1798,7 @@ ENTRY(\sym)
954 +@@ -1296,7 +1799,7 @@ ENTRY(\sym)
955 call \do_sym
956 jmp error_exit /* %ebx: no swapgs flag */
957 CFI_ENDPROC
958 @@ -24087,7 +24118,7 @@ index 02553d6..d1fcecb 100644
959 .endm
960
961 #ifdef CONFIG_TRACING
962 -@@ -1327,7 +1829,7 @@ ENTRY(\sym)
963 +@@ -1327,7 +1830,7 @@ ENTRY(\sym)
964 call \do_sym
965 jmp paranoid_exit /* %ebx: no swapgs flag */
966 CFI_ENDPROC
967 @@ -24096,7 +24127,7 @@ index 02553d6..d1fcecb 100644
968 .endm
969
970 zeroentry divide_error do_divide_error
971 -@@ -1357,9 +1859,10 @@ gs_change:
972 +@@ -1357,9 +1860,10 @@ gs_change:
973 2: mfence /* workaround */
974 SWAPGS
975 popfq_cfi
976 @@ -24108,7 +24139,7 @@ index 02553d6..d1fcecb 100644
977
978 _ASM_EXTABLE(gs_change,bad_gs)
979 .section .fixup,"ax"
980 -@@ -1387,9 +1890,10 @@ ENTRY(do_softirq_own_stack)
981 +@@ -1387,9 +1891,10 @@ ENTRY(do_softirq_own_stack)
982 CFI_DEF_CFA_REGISTER rsp
983 CFI_ADJUST_CFA_OFFSET -8
984 decl PER_CPU_VAR(irq_count)
985 @@ -24120,7 +24151,7 @@ index 02553d6..d1fcecb 100644
986
987 #ifdef CONFIG_XEN
988 zeroentry xen_hypervisor_callback xen_do_hypervisor_callback
989 -@@ -1427,7 +1931,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs)
990 +@@ -1427,7 +1932,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs)
991 decl PER_CPU_VAR(irq_count)
992 jmp error_exit
993 CFI_ENDPROC
994 @@ -24129,7 +24160,7 @@ index 02553d6..d1fcecb 100644
995
996 /*
997 * Hypervisor uses this for application faults while it executes.
998 -@@ -1486,7 +1990,7 @@ ENTRY(xen_failsafe_callback)
999 +@@ -1486,7 +1991,7 @@ ENTRY(xen_failsafe_callback)
1000 SAVE_ALL
1001 jmp error_exit
1002 CFI_ENDPROC
1003 @@ -24138,7 +24169,7 @@ index 02553d6..d1fcecb 100644
1004
1005 apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \
1006 xen_hvm_callback_vector xen_evtchn_do_upcall
1007 -@@ -1538,18 +2042,33 @@ ENTRY(paranoid_exit)
1008 +@@ -1538,18 +2043,33 @@ ENTRY(paranoid_exit)
1009 DEFAULT_FRAME
1010 DISABLE_INTERRUPTS(CLBR_NONE)
1011 TRACE_IRQS_OFF_DEBUG
1012 @@ -24174,7 +24205,7 @@ index 02553d6..d1fcecb 100644
1013 jmp irq_return
1014 paranoid_userspace:
1015 GET_THREAD_INFO(%rcx)
1016 -@@ -1578,7 +2097,7 @@ paranoid_schedule:
1017 +@@ -1578,7 +2098,7 @@ paranoid_schedule:
1018 TRACE_IRQS_OFF
1019 jmp paranoid_userspace
1020 CFI_ENDPROC
1021 @@ -24183,7 +24214,7 @@ index 02553d6..d1fcecb 100644
1022
1023 /*
1024 * Exception entry point. This expects an error code/orig_rax on the stack.
1025 -@@ -1605,12 +2124,23 @@ ENTRY(error_entry)
1026 +@@ -1605,12 +2125,23 @@ ENTRY(error_entry)
1027 movq_cfi r14, R14+8
1028 movq_cfi r15, R15+8
1029 xorl %ebx,%ebx
1030 @@ -24208,7 +24239,7 @@ index 02553d6..d1fcecb 100644
1031 ret
1032
1033 /*
1034 -@@ -1644,7 +2174,7 @@ error_bad_iret:
1035 +@@ -1644,7 +2175,7 @@ error_bad_iret:
1036 decl %ebx /* Return to usergs */
1037 jmp error_sti
1038 CFI_ENDPROC
1039 @@ -24217,7 +24248,7 @@ index 02553d6..d1fcecb 100644
1040
1041
1042 /* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */
1043 -@@ -1655,7 +2185,7 @@ ENTRY(error_exit)
1044 +@@ -1655,7 +2186,7 @@ ENTRY(error_exit)
1045 DISABLE_INTERRUPTS(CLBR_NONE)
1046 TRACE_IRQS_OFF
1047 GET_THREAD_INFO(%rcx)
1048 @@ -24226,7 +24257,7 @@ index 02553d6..d1fcecb 100644
1049 jne retint_kernel
1050 LOCKDEP_SYS_EXIT_IRQ
1051 movl TI_flags(%rcx),%edx
1052 -@@ -1664,7 +2194,7 @@ ENTRY(error_exit)
1053 +@@ -1664,7 +2195,7 @@ ENTRY(error_exit)
1054 jnz retint_careful
1055 jmp retint_swapgs
1056 CFI_ENDPROC
1057 @@ -24235,7 +24266,7 @@ index 02553d6..d1fcecb 100644
1058
1059 /*
1060 * Test if a given stack is an NMI stack or not.
1061 -@@ -1722,9 +2252,11 @@ ENTRY(nmi)
1062 +@@ -1722,9 +2253,11 @@ ENTRY(nmi)
1063 * If %cs was not the kernel segment, then the NMI triggered in user
1064 * space, which means it is definitely not nested.
1065 */
1066 @@ -24248,7 +24279,7 @@ index 02553d6..d1fcecb 100644
1067 /*
1068 * Check the special variable on the stack to see if NMIs are
1069 * executing.
1070 -@@ -1758,8 +2290,7 @@ nested_nmi:
1071 +@@ -1758,8 +2291,7 @@ nested_nmi:
1072
1073 1:
1074 /* Set up the interrupted NMIs stack to jump to repeat_nmi */
1075 @@ -24258,7 +24289,7 @@ index 02553d6..d1fcecb 100644
1076 CFI_ADJUST_CFA_OFFSET 1*8
1077 leaq -10*8(%rsp), %rdx
1078 pushq_cfi $__KERNEL_DS
1079 -@@ -1777,6 +2308,7 @@ nested_nmi_out:
1080 +@@ -1777,6 +2309,7 @@ nested_nmi_out:
1081 CFI_RESTORE rdx
1082
1083 /* No need to check faults here */
1084 @@ -24266,7 +24297,7 @@ index 02553d6..d1fcecb 100644
1085 INTERRUPT_RETURN
1086
1087 CFI_RESTORE_STATE
1088 -@@ -1873,13 +2405,13 @@ end_repeat_nmi:
1089 +@@ -1873,13 +2406,13 @@ end_repeat_nmi:
1090 subq $ORIG_RAX-R15, %rsp
1091 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
1092 /*
1093 @@ -24282,7 +24313,7 @@ index 02553d6..d1fcecb 100644
1094 DEFAULT_FRAME 0
1095
1096 /*
1097 -@@ -1889,9 +2421,9 @@ end_repeat_nmi:
1098 +@@ -1889,9 +2422,9 @@ end_repeat_nmi:
1099 * NMI itself takes a page fault, the page fault that was preempted
1100 * will read the information from the NMI page fault and not the
1101 * origin fault. Save it off and restore it if it changes.
1102 @@ -24294,7 +24325,7 @@ index 02553d6..d1fcecb 100644
1103
1104 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
1105 movq %rsp,%rdi
1106 -@@ -1900,31 +2432,36 @@ end_repeat_nmi:
1107 +@@ -1900,31 +2433,36 @@ end_repeat_nmi:
1108
1109 /* Did the NMI take a page fault? Restore cr2 if it did */
1110 movq %cr2, %rcx
1111 @@ -25668,7 +25699,7 @@ index 7ec1d5f..5a7d130 100644
1112 }
1113
1114 diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
1115 -index 79a3f96..6ba030a 100644
1116 +index a1f5b18..9d9e077 100644
1117 --- a/arch/x86/kernel/kprobes/core.c
1118 +++ b/arch/x86/kernel/kprobes/core.c
1119 @@ -119,9 +119,12 @@ static void __kprobes __synthesize_relative_insn(void *from, void *to, u8 op)
1120 @@ -26573,7 +26604,7 @@ index 3fb8d95..254dc51 100644
1121 +}
1122 +#endif
1123 diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c
1124 -index 0de43e9..056b840 100644
1125 +index 0de43e9..b0211fe 100644
1126 --- a/arch/x86/kernel/process_32.c
1127 +++ b/arch/x86/kernel/process_32.c
1128 @@ -64,6 +64,7 @@ asmlinkage void ret_from_kernel_thread(void) __asm__("ret_from_kernel_thread");
1129 @@ -26618,7 +26649,7 @@ index 0de43e9..056b840 100644
1130
1131 p->thread.sp = (unsigned long) childregs;
1132 p->thread.sp0 = (unsigned long) (childregs+1);
1133 -+ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
1134 ++ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p) + 2 * sizeof(unsigned long);
1135
1136 if (unlikely(p->flags & PF_KTHREAD)) {
1137 /* kernel thread */
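Review bot: The new initial value `task_stack_page(p) + 2 * sizeof(unsigned long)` for `p->tinfo.lowest_stack` is an unexplained offset that must agree with two other sites in this commit: the identical line for process_64.c (hunk at `@@ -26690`) and the lower bound `sp >= task_stack_page(current) + 2 * sizeof(unsigned long)` in the fs/exec.c stack-tracking check (hunk at `@@ -61552`). Three hand-written copies of the same magic offset drift easily, and the check in fs/exec.c silently stops tracking if the bound ever disagrees with the initial value; one named constant used at all three sites would make the invariant auditable. Nothing in the hunk says why two words at the bottom of the stack page are reserved, so the constant (or this line) deserves a short comment stating what occupies them. copy_thread continues outside the hunk.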
1138 @@ -26678,7 +26709,7 @@ index 0de43e9..056b840 100644
1139 }
1140 -
1141 diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
1142 -index e2d26ce..10f7ec2 100644
1143 +index e2d26ce..d49eb67 100644
1144 --- a/arch/x86/kernel/process_64.c
1145 +++ b/arch/x86/kernel/process_64.c
1146 @@ -158,10 +158,11 @@ int copy_thread(unsigned long clone_flags, unsigned long sp,
1147 @@ -26690,7 +26721,7 @@ index e2d26ce..10f7ec2 100644
1148 childregs = task_pt_regs(p);
1149 p->thread.sp = (unsigned long) childregs;
1150 p->thread.usersp = me->thread.usersp;
1151 -+ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
1152 ++ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p) + 2 * sizeof(unsigned long);
1153 set_tsk_thread_flag(p, TIF_FORK);
1154 p->thread.fpu_counter = 0;
1155 p->thread.io_bitmap_ptr = NULL;
1156 @@ -27835,10 +27866,49 @@ index 24d3c91..d06b473 100644
1157 return pc;
1158 }
1159 diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
1160 -index 4e942f3..d0f623f 100644
1161 +index 4e942f3..c6e445a 100644
1162 --- a/arch/x86/kernel/tls.c
1163 +++ b/arch/x86/kernel/tls.c
1164 -@@ -118,6 +118,11 @@ int do_set_thread_area(struct task_struct *p, int idx,
1165 +@@ -29,7 +29,28 @@ static int get_free_idx(void)
1166 +
1167 + static bool tls_desc_okay(const struct user_desc *info)
1168 + {
1169 +- if (LDT_empty(info))
1170 ++ /*
1171 ++ * For historical reasons (i.e. no one ever documented how any
1172 ++ * of the segmentation APIs work), user programs can and do
1173 ++ * assume that a struct user_desc that's all zeros except for
1174 ++ * entry_number means "no segment at all". This never actually
1175 ++ * worked. In fact, up to Linux 3.19, a struct user_desc like
1176 ++ * this would create a 16-bit read-write segment with base and
1177 ++ * limit both equal to zero.
1178 ++ *
1179 ++ * That was close enough to "no segment at all" until we
1180 ++ * hardened this function to disallow 16-bit TLS segments. Fix
1181 ++ * it up by interpreting these zeroed segments the way that they
1182 ++ * were almost certainly intended to be interpreted.
1183 ++ *
1184 ++ * The correct way to ask for "no segment at all" is to specify
1185 ++ * a user_desc that satisfies LDT_empty. To keep everything
1186 ++ * working, we accept both.
1187 ++ *
1188 ++ * Note that there's a similar kludge in modify_ldt -- look at
1189 ++ * the distinction between modes 1 and 0x11.
1190 ++ */
1191 ++ if (LDT_empty(info) || LDT_zero(info))
1192 + return true;
1193 +
1194 + /*
1195 +@@ -71,7 +92,7 @@ static void set_tls_desc(struct task_struct *p, int idx,
1196 + cpu = get_cpu();
1197 +
1198 + while (n-- > 0) {
1199 +- if (LDT_empty(info))
1200 ++ if (LDT_empty(info) || LDT_zero(info))
1201 + desc->a = desc->b = 0;
1202 + else
1203 + fill_ldt(desc, info);
1204 +@@ -118,6 +139,11 @@ int do_set_thread_area(struct task_struct *p, int idx,
1205 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
1206 return -EINVAL;
1207
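Review bot: The `LDT_empty(info) || LDT_zero(info)` test is now written twice, once in tls_desc_okay (which decides whether a descriptor is accepted) and again in set_tls_desc (which decides whether it is installed as an empty entry or handed to fill_ldt), and the two must stay identical. If they diverge, an all-zero descriptor could pass validation as "no segment" yet be filled by fill_ldt, which is precisely the 16-bit-segment case the comment says the earlier hardening closed off. A one-line helper used at both sites would tie them together: `static inline bool tls_desc_is_empty(const struct user_desc *info) { return LDT_empty(info) || LDT_zero(info); }`. `LDT_zero` is not defined anywhere in this chunk; presumably the 3.14.30 base tree's desc.h provides it, which is worth confirming against the rebase target. tls_desc_okay continues outside the hunk.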
1208 @@ -27850,7 +27920,7 @@ index 4e942f3..d0f623f 100644
1209 set_tls_desc(p, idx, &info, 1);
1210
1211 return 0;
1212 -@@ -235,7 +240,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
1213 +@@ -235,7 +261,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
1214
1215 if (kbuf)
1216 info = kbuf;
1217 @@ -28654,10 +28724,63 @@ index c697625..a032162 100644
1218
1219 out:
1220 diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
1221 -index 38d3751..1702329 100644
1222 +index 38d3751..497a96f 100644
1223 --- a/arch/x86/kvm/emulate.c
1224 +++ b/arch/x86/kvm/emulate.c
1225 -@@ -3401,7 +3401,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
1226 +@@ -2258,7 +2258,7 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
1227 + * Not recognized on AMD in compat mode (but is recognized in legacy
1228 + * mode).
1229 + */
1230 +- if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA)
1231 ++ if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA)
1232 + && !vendor_intel(ctxt))
1233 + return emulate_ud(ctxt);
1234 +
1235 +@@ -2271,25 +2271,13 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
1236 + setup_syscalls_segments(ctxt, &cs, &ss);
1237 +
1238 + ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
1239 +- switch (ctxt->mode) {
1240 +- case X86EMUL_MODE_PROT32:
1241 +- if ((msr_data & 0xfffc) == 0x0)
1242 +- return emulate_gp(ctxt, 0);
1243 +- break;
1244 +- case X86EMUL_MODE_PROT64:
1245 +- if (msr_data == 0x0)
1246 +- return emulate_gp(ctxt, 0);
1247 +- break;
1248 +- default:
1249 +- break;
1250 +- }
1251 ++ if ((msr_data & 0xfffc) == 0x0)
1252 ++ return emulate_gp(ctxt, 0);
1253 +
1254 + ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1255 +- cs_sel = (u16)msr_data;
1256 +- cs_sel &= ~SELECTOR_RPL_MASK;
1257 ++ cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK;
1258 + ss_sel = cs_sel + 8;
1259 +- ss_sel &= ~SELECTOR_RPL_MASK;
1260 +- if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
1261 ++ if (efer & EFER_LMA) {
1262 + cs.d = 0;
1263 + cs.l = 1;
1264 + }
1265 +@@ -2298,10 +2286,11 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
1266 + ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
1267 +
1268 + ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
1269 +- ctxt->_eip = msr_data;
1270 ++ ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
1271 +
1272 + ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
1273 +- *reg_write(ctxt, VCPU_REGS_RSP) = msr_data;
1274 ++ *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data :
1275 ++ (u32)msr_data;
1276 +
1277 + return X86EMUL_CONTINUE;
1278 + }
1279 +@@ -3401,7 +3390,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
1280 int cr = ctxt->modrm_reg;
1281 u64 efer = 0;
1282
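Review bot: The two `(efer & EFER_LMA) ? msr_data : (u32)msr_data` truncations for `_eip` and RSP, and the single `(msr_data & 0xfffc) == 0x0` check that replaces the per-mode switch (the 64-bit branch previously tested the full `msr_data == 0x0`), are behaviour decisions that carry no comment in the hunk. Suggest `/* SYSENTER_CS: the low two (RPL) bits are ignored in every mode */` above the check and `/* outside long mode only the low 32 bits of SYSENTER_EIP/ESP are used */` above the loads, both presumably reflecting the vendor manuals since the hunk cites no reference. The `!= X86EMUL_MODE_PROT64` condition appears to extend the AMD #UD from 32-bit compat mode to any non-64-bit mode with LMA set, which fits the existing "compat mode" comment but would be clearer if that comment said so. em_sysenter's head and the declaration of `msr_data` are outside the hunk.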
1283 @@ -28666,7 +28789,7 @@ index 38d3751..1702329 100644
1284 0xffffffff00000000ULL,
1285 0, 0, 0, /* CR3 checked later */
1286 CR4_RESERVED_BITS,
1287 -@@ -3436,7 +3436,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
1288 +@@ -3436,7 +3425,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
1289
1290 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
1291 if (efer & EFER_LMA)
1292 @@ -28675,6 +28798,17 @@ index 38d3751..1702329 100644
1293 else if (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_PAE)
1294 rsvd = CR3_PAE_RESERVED_BITS;
1295 else if (ctxt->ops->get_cr(ctxt, 0) & X86_CR0_PG)
1296 +@@ -3668,8 +3657,8 @@ static const struct opcode group5[] = {
1297 + };
1298 +
1299 + static const struct opcode group6[] = {
1300 +- DI(Prot, sldt),
1301 +- DI(Prot, str),
1302 ++ DI(Prot | DstMem, sldt),
1303 ++ DI(Prot | DstMem, str),
1304 + II(Prot | Priv | SrcMem16, em_lldt, lldt),
1305 + II(Prot | Priv | SrcMem16, em_ltr, ltr),
1306 + N, N, N, N,
1307 diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
1308 index 453e5fb..214168f 100644
1309 --- a/arch/x86/kvm/lapic.c
1310 @@ -28729,7 +28863,7 @@ index 9643eda6..c9cb765 100644
1311
1312 local_irq_disable();
1313 diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
1314 -index 0c90f4b..9fca4d7 100644
1315 +index de42688..6e3ace5 100644
1316 --- a/arch/x86/kvm/vmx.c
1317 +++ b/arch/x86/kvm/vmx.c
1318 @@ -441,6 +441,7 @@ struct vcpu_vmx {
1319 @@ -41997,7 +42131,7 @@ index 956ab7f..fbd36d8 100644
1320 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
1321
1322 diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c
1323 -index 040a2a1..eae4e54 100644
1324 +index 45a9a03..3cadf87 100644
1325 --- a/drivers/gpu/drm/radeon/radeon_ttm.c
1326 +++ b/drivers/gpu/drm/radeon/radeon_ttm.c
1327 @@ -790,7 +790,7 @@ void radeon_ttm_set_active_vram_size(struct radeon_device *rdev, u64 size)
1328 @@ -42102,7 +42236,7 @@ index dbc2def..0a9f710 100644
1329 kobject_put(&zone->kobj);
1330 return ret;
1331 diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
1332 -index cf4bad2..3d50d64 100644
1333 +index 76329d2..9c422dd 100644
1334 --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
1335 +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
1336 @@ -54,7 +54,7 @@
1337 @@ -42114,14 +42248,15 @@ index cf4bad2..3d50d64 100644
1338 /* times are in msecs */
1339 #define PAGE_FREE_INTERVAL 1000
1340
1341 -@@ -299,14 +299,13 @@ static void ttm_pool_update_free_locked(struct ttm_page_pool *pool,
1342 +@@ -299,15 +299,14 @@ static void ttm_pool_update_free_locked(struct ttm_page_pool *pool,
1343 * @free_all: If set to true will free all pages in pool
1344 - * @gfp: GFP flags.
1345 + * @use_static: Safe to use static buffer
1346 **/
1347 -static int ttm_page_pool_free(struct ttm_page_pool *pool, unsigned nr_free,
1348 +static unsigned long ttm_page_pool_free(struct ttm_page_pool *pool, unsigned long nr_free,
1349 - gfp_t gfp)
1350 + bool use_static)
1351 {
1352 + static struct page *static_buf[NUM_PAGES_TO_ALLOC];
1353 unsigned long irq_flags;
1354 struct page *p;
1355 struct page **pages_to_free;
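Review bot: `static_buf` at the top of ttm_page_pool_free is a function-scope static shared by every caller that passes `use_static`, so correctness depends on those callers being serialized, yet the hunk documents the parameter only as "Safe to use static buffer". The shrinker in the DMA counterpart (hunk at `@@ -42245`) passes `true` after the `mutex_trylock(&lock)` seen earlier, which looks like the intended guard, but the contract belongs at the parameter: `* @use_static: use the function-scope static buffer instead of allocating; caller must hold the shrinker lock so no two use_static callers overlap`. The same wording is needed for ttm_dma_page_pool_free in the hunk at `@@ -42190`. The body of ttm_page_pool_free continues outside the hunk.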
1356 @@ -42131,7 +42266,7 @@ index cf4bad2..3d50d64 100644
1357
1358 if (NUM_PAGES_TO_ALLOC < nr_free)
1359 npages_to_free = NUM_PAGES_TO_ALLOC;
1360 -@@ -366,7 +365,8 @@ restart:
1361 +@@ -371,7 +370,8 @@ restart:
1362 __list_del(&p->lru, &pool->list);
1363
1364 ttm_pool_update_free_locked(pool, freed_pages);
1365 @@ -42141,7 +42276,7 @@ index cf4bad2..3d50d64 100644
1366 }
1367
1368 spin_unlock_irqrestore(&pool->lock, irq_flags);
1369 -@@ -395,7 +395,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
1370 +@@ -399,7 +399,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
1371 unsigned i;
1372 unsigned pool_offset;
1373 struct ttm_page_pool *pool;
1374 @@ -42150,7 +42285,7 @@ index cf4bad2..3d50d64 100644
1375 unsigned long freed = 0;
1376
1377 if (!mutex_trylock(&lock))
1378 -@@ -403,7 +403,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
1379 +@@ -407,7 +407,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
1380 pool_offset = ++start_pool % NUM_POOLS;
1381 /* select start pool in round robin fashion */
1382 for (i = 0; i < NUM_POOLS; ++i) {
1383 @@ -42159,7 +42294,7 @@ index cf4bad2..3d50d64 100644
1384 if (shrink_pages == 0)
1385 break;
1386 pool = &_manager->pools[(i + pool_offset)%NUM_POOLS];
1387 -@@ -669,7 +669,7 @@ out:
1388 +@@ -673,7 +673,7 @@ out:
1389 }
1390
1391 /* Put all pages in pages list to correct pool to wait for reuse */
1392 @@ -42168,7 +42303,7 @@ index cf4bad2..3d50d64 100644
1393 enum ttm_caching_state cstate)
1394 {
1395 unsigned long irq_flags;
1396 -@@ -724,7 +724,7 @@ static int ttm_get_pages(struct page **pages, unsigned npages, int flags,
1397 +@@ -728,7 +728,7 @@ static int ttm_get_pages(struct page **pages, unsigned npages, int flags,
1398 struct list_head plist;
1399 struct page *p = NULL;
1400 gfp_t gfp_flags = GFP_USER;
1401 @@ -42178,7 +42313,7 @@ index cf4bad2..3d50d64 100644
1402
1403 /* set zero flag for page allocation if required */
1404 diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
1405 -index ca65df1..4f0024b 100644
1406 +index 3dfa97d..44bfcb7 100644
1407 --- a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
1408 +++ b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
1409 @@ -56,7 +56,7 @@
1410 @@ -42190,15 +42325,16 @@ index ca65df1..4f0024b 100644
1411 /* times are in msecs */
1412 #define IS_UNDEFINED (0)
1413 #define IS_WC (1<<1)
1414 -@@ -413,15 +413,14 @@ static void ttm_dma_page_put(struct dma_pool *pool, struct dma_page *d_page)
1415 +@@ -413,7 +413,7 @@ static void ttm_dma_page_put(struct dma_pool *pool, struct dma_page *d_page)
1416 * @nr_free: If set to true will free all pages in pool
1417 - * @gfp: GFP flags.
1418 + * @use_static: Safe to use static buffer
1419 **/
1420 -static unsigned ttm_dma_page_pool_free(struct dma_pool *pool, unsigned nr_free,
1421 +static unsigned long ttm_dma_page_pool_free(struct dma_pool *pool, unsigned long nr_free,
1422 - gfp_t gfp)
1423 + bool use_static)
1424 {
1425 - unsigned long irq_flags;
1426 + static struct page *static_buf[NUM_PAGES_TO_ALLOC];
1427 +@@ -421,8 +421,7 @@ static unsigned ttm_dma_page_pool_free(struct dma_pool *pool, unsigned nr_free,
1428 struct dma_page *dma_p, *tmp;
1429 struct page **pages_to_free;
1430 struct list_head d_pages;
1431 @@ -42208,7 +42344,7 @@ index ca65df1..4f0024b 100644
1432
1433 if (NUM_PAGES_TO_ALLOC < nr_free)
1434 npages_to_free = NUM_PAGES_TO_ALLOC;
1435 -@@ -494,7 +493,8 @@ restart:
1436 +@@ -499,7 +498,8 @@ restart:
1437 /* remove range of pages from the pool */
1438 if (freed_pages) {
1439 ttm_pool_update_free_locked(pool, freed_pages);
1440 @@ -42218,7 +42354,7 @@ index ca65df1..4f0024b 100644
1441 }
1442
1443 spin_unlock_irqrestore(&pool->lock, irq_flags);
1444 -@@ -928,7 +928,7 @@ void ttm_dma_unpopulate(struct ttm_dma_tt *ttm_dma, struct device *dev)
1445 +@@ -935,7 +935,7 @@ void ttm_dma_unpopulate(struct ttm_dma_tt *ttm_dma, struct device *dev)
1446 struct dma_page *d_page, *next;
1447 enum pool_type type;
1448 bool is_cached = false;
1449 @@ -42227,7 +42363,7 @@ index ca65df1..4f0024b 100644
1450 unsigned long irq_flags;
1451
1452 type = ttm_to_type(ttm->page_flags, ttm->caching_state);
1453 -@@ -1005,7 +1005,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
1454 +@@ -1010,7 +1010,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
1455 static unsigned start_pool;
1456 unsigned idx = 0;
1457 unsigned pool_offset;
1458 @@ -42236,7 +42372,7 @@ index ca65df1..4f0024b 100644
1459 struct device_pools *p;
1460 unsigned long freed = 0;
1461
1462 -@@ -1018,7 +1018,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
1463 +@@ -1023,7 +1023,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
1464 goto out;
1465 pool_offset = ++start_pool % _manager->npools;
1466 list_for_each_entry(p, &_manager->pools, pools) {
1467 @@ -42245,8 +42381,8 @@ index ca65df1..4f0024b 100644
1468
1469 if (!p->dev)
1470 continue;
1471 -@@ -1032,7 +1032,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
1472 - sc->gfp_mask);
1473 +@@ -1037,7 +1037,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
1474 + shrink_pages = ttm_dma_page_pool_free(p->pool, nr_free, true);
1475 freed += nr_free - shrink_pages;
1476
1477 - pr_debug("%s: (%s:%d) Asked to shrink %d, have %d more to go\n",
1478 @@ -48334,10 +48470,10 @@ index 1252d9c..80e660b 100644
1479
1480 /* We've got a compressed packet; read the change byte */
1481 diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
1482 -index 979fe43..3f92d61 100644
1483 +index 32efe83..cef96b8 100644
1484 --- a/drivers/net/team/team.c
1485 +++ b/drivers/net/team/team.c
1486 -@@ -2086,7 +2086,7 @@ static unsigned int team_get_num_rx_queues(void)
1487 +@@ -2098,7 +2098,7 @@ static unsigned int team_get_num_rx_queues(void)
1488 return TEAM_DEFAULT_NUM_RX_QUEUES;
1489 }
1490
1491 @@ -48346,7 +48482,7 @@ index 979fe43..3f92d61 100644
1492 .kind = DRV_NAME,
1493 .priv_size = sizeof(struct team),
1494 .setup = team_setup,
1495 -@@ -2874,7 +2874,7 @@ static int team_device_event(struct notifier_block *unused,
1496 +@@ -2886,7 +2886,7 @@ static int team_device_event(struct notifier_block *unused,
1497 return NOTIFY_DONE;
1498 }
1499
1500 @@ -54494,10 +54630,10 @@ index ba6a5d6..f88f7f3 100644
1501 props.type = BACKLIGHT_RAW;
1502 props.max_brightness = 0xff;
1503 diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c
1504 -index 8d7fc48..01c4986 100644
1505 +index 29fa1c3..a57b08e 100644
1506 --- a/drivers/usb/serial/console.c
1507 +++ b/drivers/usb/serial/console.c
1508 -@@ -123,7 +123,7 @@ static int usb_console_setup(struct console *co, char *options)
1509 +@@ -125,7 +125,7 @@ static int usb_console_setup(struct console *co, char *options)
1510
1511 info->port = port;
1512
1513 @@ -54506,7 +54642,7 @@ index 8d7fc48..01c4986 100644
1514 if (!test_bit(ASYNCB_INITIALIZED, &port->port.flags)) {
1515 if (serial->type->set_termios) {
1516 /*
1517 -@@ -167,7 +167,7 @@ static int usb_console_setup(struct console *co, char *options)
1518 +@@ -173,7 +173,7 @@ static int usb_console_setup(struct console *co, char *options)
1519 }
1520 /* Now that any required fake tty operations are completed restore
1521 * the tty port count */
1522 @@ -54515,16 +54651,16 @@ index 8d7fc48..01c4986 100644
1523 /* The console is special in terms of closing the device so
1524 * indicate this port is now acting as a system console. */
1525 port->port.console = 1;
1526 -@@ -180,7 +180,7 @@ static int usb_console_setup(struct console *co, char *options)
1527 - free_tty:
1528 - kfree(tty);
1529 +@@ -186,7 +186,7 @@ static int usb_console_setup(struct console *co, char *options)
1530 + put_tty:
1531 + tty_kref_put(tty);
1532 reset_open_count:
1533 - port->port.count = 0;
1534 + atomic_set(&port->port.count, 0);
1535 usb_autopm_put_interface(serial->interface);
1536 error_get_interface:
1537 usb_serial_put(serial);
1538 -@@ -191,7 +191,7 @@ static int usb_console_setup(struct console *co, char *options)
1539 +@@ -197,7 +197,7 @@ static int usb_console_setup(struct console *co, char *options)
1540 static void usb_console_write(struct console *co,
1541 const char *buf, unsigned count)
1542 {
1543 @@ -60765,7 +60901,7 @@ index e4141f2..d8263e8 100644
1544 i += packet_length_size;
1545 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
1546 diff --git a/fs/exec.c b/fs/exec.c
1547 -index ea4449d..cb8ebd8 100644
1548 +index ea4449d..cbad96a 100644
1549 --- a/fs/exec.c
1550 +++ b/fs/exec.c
1551 @@ -56,8 +56,20 @@
1552 @@ -61552,7 +61688,7 @@ index ea4449d..cb8ebd8 100644
1553 +{
1554 + unsigned long sp = (unsigned long)&sp;
1555 + if (sp < current_thread_info()->lowest_stack &&
1556 -+ sp > (unsigned long)task_stack_page(current))
1557 ++ sp >= (unsigned long)task_stack_page(current) + 2 * sizeof(unsigned long))
1558 + current_thread_info()->lowest_stack = sp;
1559 + if (unlikely((sp & ~(THREAD_SIZE - 1)) < (THREAD_SIZE/16)))
1560 + BUG();
1561 @@ -66941,7 +67077,7 @@ index 87dbcbe..55e1b4d 100644
1562 }
1563
1564 diff --git a/fs/proc/stat.c b/fs/proc/stat.c
1565 -index 6f599c6..bd00271 100644
1566 +index dbd0272..3cd5915 100644
1567 --- a/fs/proc/stat.c
1568 +++ b/fs/proc/stat.c
1569 @@ -11,6 +11,7 @@
1570 @@ -67036,8 +67172,8 @@ index 6f599c6..bd00271 100644
1571
1572 /* sum again ? it could be updated? */
1573 for_each_irq_nr(j)
1574 -- seq_put_decimal_ull(p, ' ', kstat_irqs(j));
1575 -+ seq_put_decimal_ull(p, ' ', unrestricted ? kstat_irqs(j) : 0ULL);
1576 +- seq_put_decimal_ull(p, ' ', kstat_irqs_usr(j));
1577 ++ seq_put_decimal_ull(p, ' ', unrestricted ? kstat_irqs_usr(j) : 0ULL);
1578
1579 seq_printf(p,
1580 "\nctxt %llu\n"
1581 @@ -70239,10 +70375,10 @@ index 0000000..30ababb
1582 +endif
1583 diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
1584 new file mode 100644
1585 -index 0000000..e56396f
1586 +index 0000000..c83525f
1587 --- /dev/null
1588 +++ b/grsecurity/gracl.c
1589 -@@ -0,0 +1,2679 @@
1590 +@@ -0,0 +1,2697 @@
1591 +#include <linux/kernel.h>
1592 +#include <linux/module.h>
1593 +#include <linux/sched.h>
1594 @@ -71416,9 +71552,10 @@ index 0000000..e56396f
1595 + rcu_read_lock();
1596 + read_lock(&tasklist_lock);
1597 + read_lock(&grsec_exec_file_lock);
1598 ++ except in the case of gr_set_role_label() (for __gr_get_subject_for_task)
1599 +*/
1600 +
1601 -+struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename)
1602 ++struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback)
1603 +{
1604 + char *tmpname;
1605 + struct acl_subject_label *tmpsubj;
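Review bot: The new `fallback` parameter of __gr_get_subject_for_task is not described at the definition; its meaning is only visible further down in the hunk at `@@ -71460`, where `fallback` gates the `chk_subj_label` lookup by the binary's ino/dev when no inherited subject matched. A caller passing 0 (gr_set_role_label in the hunk at `@@ -71974`) therefore gets NULL instead of a subject, which is a contract worth stating next to the signature, e.g. `/* @fallback: if non-zero and no inherited subject matches, fall back to the subject for the binary's ino/dev; if zero, return NULL instead */`. The function body continues past the hunk.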
1606 @@ -71460,15 +71597,15 @@ index 0000000..e56396f
1607 + /* this also works for the reload case -- if we don't match a potentially inherited subject
1608 + then we fall back to a normal lookup based on the binary's ino/dev
1609 + */
1610 -+ if (tmpsubj == NULL)
1611 ++ if (tmpsubj == NULL && fallback)
1612 + tmpsubj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, task->role);
1613 +
1614 + return tmpsubj;
1615 +}
1616 +
1617 -+static struct acl_subject_label *gr_get_subject_for_task(struct task_struct *task, const char *filename)
1618 ++static struct acl_subject_label *gr_get_subject_for_task(struct task_struct *task, const char *filename, int fallback)
1619 +{
1620 -+ return __gr_get_subject_for_task(&running_polstate, task, filename);
1621 ++ return __gr_get_subject_for_task(&running_polstate, task, filename, fallback);
1622 +}
1623 +
1624 +void __gr_apply_subject_to_task(const struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj)
1625 @@ -71532,7 +71669,7 @@ index 0000000..e56396f
1626 + task->role = current->role;
1627 + rcu_read_lock();
1628 + read_lock(&grsec_exec_file_lock);
1629 -+ subj = gr_get_subject_for_task(task, NULL);
1630 ++ subj = gr_get_subject_for_task(task, NULL, 1);
1631 + gr_apply_subject_to_task(task, subj);
1632 + read_unlock(&grsec_exec_file_lock);
1633 + rcu_read_unlock();
1634 @@ -71942,6 +72079,7 @@ index 0000000..e56396f
1635 +gr_set_role_label(struct task_struct *task, const kuid_t kuid, const kgid_t kgid)
1636 +{
1637 + struct acl_role_label *role = task->role;
1638 ++ struct acl_role_label *origrole = role;
1639 + struct acl_subject_label *subj = NULL;
1640 + struct acl_object_label *obj;
1641 + struct file *filp;
1642 @@ -71974,10 +72112,28 @@ index 0000000..e56396f
1643 + ((role->roletype & GR_ROLE_GROUP) && !gr_acl_is_capable(CAP_SETGID))))
1644 + return;
1645 +
1646 -+ /* perform subject lookup in possibly new role
1647 -+ we can use this result below in the case where role == task->role
1648 -+ */
1649 -+ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
1650 ++ task->role = role;
1651 ++
1652 ++ if (task->inherited) {
1653 ++ /* if we reached our subject through inheritance, then first see
1654 ++ if there's a subject of the same name in the new role that has
1655 ++ an object that would result in the same inherited subject
1656 ++ */
1657 ++ subj = gr_get_subject_for_task(task, task->acl->filename, 0);
1658 ++ if (subj) {
1659 ++ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, subj);
1660 ++ if (!(obj->mode & GR_INHERIT))
1661 ++ subj = NULL;
1662 ++ }
1663 ++
1664 ++ }
1665 ++ if (subj == NULL) {
1666 ++ /* otherwise:
1667 ++ perform subject lookup in possibly new role
1668 ++ we can use this result below in the case where role == task->role
1669 ++ */
1670 ++ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
1671 ++ }
1672 +
1673 + /* if we changed uid/gid, but result in the same role
1674 + and are using inheritance, don't lose the inherited subject
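Review bot: `obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, subj); if (!(obj->mode & GR_INHERIT))` dereferences the result without a NULL check; if chk_obj_label can return NULL (not visible in this chunk) this is a NULL dereference on a setuid/setgid path, and if it cannot, a comment saying so would save the next reader the question. `task->role = role;` is now assigned before the subject lookups rather than after (the old assignment is deleted in the hunk at `@@ -71985`), so the `fallback = 0` lookup deliberately runs with the new role while `task->acl` is still the old subject; a comment such as `/* set the role first: gr_get_subject_for_task looks up in task->role */` would make that ordering dependency explicit. The `origrole` copy introduced in the hunk at `@@ -71942` is what the later `role != origrole` comparison must use now that task->role is overwritten early, and the hunk does that correctly. gr_set_role_label continues outside the hunk.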
1675 @@ -71985,14 +72141,12 @@ index 0000000..e56396f
1676 + would result in, we arrived via inheritance, don't
1677 + lose subject
1678 + */
1679 -+ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
1680 ++ if (role != origrole || (!(task->acl->mode & GR_INHERITLEARN) &&
1681 + (subj == task->acl)))
1682 + task->acl = subj;
1683 +
1684 + /* leave task->inherited unaffected */
1685 +
1686 -+ task->role = role;
1687 -+
1688 + task->is_writable = 0;
1689 +
1690 + /* ignore additional mmap checks for processes that are writable
1691 @@ -74494,7 +74648,7 @@ index 0000000..25f54ef
1692 +};
1693 diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c
1694 new file mode 100644
1695 -index 0000000..3f8ade0
1696 +index 0000000..7949dcd
1697 --- /dev/null
1698 +++ b/grsecurity/gracl_policy.c
1699 @@ -0,0 +1,1782 @@
1700 @@ -74568,7 +74722,7 @@ index 0000000..3f8ade0
1701 +extern void gr_remove_uid(uid_t uid);
1702 +extern int gr_find_uid(uid_t uid);
1703 +
1704 -+extern struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename);
1705 ++extern struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback);
1706 +extern void __gr_apply_subject_to_task(struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj);
1707 +extern int gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb);
1708 +extern void __insert_inodev_entry(const struct gr_policy_state *state, struct inodev_entry *entry);
1709 @@ -75673,8 +75827,8 @@ index 0000000..3f8ade0
1710 + }
1711 + /* this handles non-nested inherited subjects, nested subjects will still
1712 + be dropped currently */
1713 -+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename);
1714 -+ task->tmpacl = __gr_get_subject_for_task(polstate, task, NULL);
1715 ++ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1);
1716 ++ task->tmpacl = __gr_get_subject_for_task(polstate, task, NULL, 1);
1717 + /* change the role back so that we've made no modifications to the policy */
1718 + task->role = rtmp;
1719 +
1720 @@ -75706,7 +75860,7 @@ index 0000000..3f8ade0
1721 + /* this handles non-nested inherited subjects, nested subjects will still
1722 + be dropped currently */
1723 + if (!reload_state->oldmode && task->inherited)
1724 -+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename);
1725 ++ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1);
1726 + else {
1727 + /* looked up and tagged to the task previously */
1728 + subj = task->tmpacl;
1729 @@ -76255,7 +76409,7 @@ index 0000000..3f8ade0
1730 + if (task->exec_file) {
1731 + cred = __task_cred(task);
1732 + task->role = __lookup_acl_role_label(polstate, task, GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid));
1733 -+ subj = __gr_get_subject_for_task(polstate, task, NULL);
1734 ++ subj = __gr_get_subject_for_task(polstate, task, NULL, 1);
1735 + if (subj == NULL) {
1736 + ret = -EINVAL;
1737 + read_unlock(&grsec_exec_file_lock);
1738 @@ -101345,18 +101499,9 @@ index d074d06..ad3cfcf 100644
1739 if (ogm_packet->flags & BATADV_DIRECTLINK)
1740 has_directlink_flag = true;
1741 diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
1742 -index c46387a..3b6c10e 100644
1743 +index e5c5f57..1f25f1c 100644
1744 --- a/net/batman-adv/fragmentation.c
1745 +++ b/net/batman-adv/fragmentation.c
1746 -@@ -251,7 +251,7 @@ batadv_frag_merge_packets(struct hlist_head *chain, struct sk_buff *skb)
1747 - kfree(entry);
1748 -
1749 - /* Make room for the rest of the fragments. */
1750 -- if (pskb_expand_head(skb_out, 0, size - skb->len, GFP_ATOMIC) < 0) {
1751 -+ if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) {
1752 - kfree_skb(skb_out);
1753 - skb_out = NULL;
1754 - goto free;
1755 @@ -450,7 +450,7 @@ bool batadv_frag_send_packet(struct sk_buff *skb,
1756 frag_header.packet_type = BATADV_UNICAST_FRAG;
1757 frag_header.version = BATADV_COMPAT_VERSION;
1758 @@ -101956,7 +102101,7 @@ index a16ed7b..eb44d17 100644
1759
1760 return err;
1761 diff --git a/net/core/dev.c b/net/core/dev.c
1762 -index 3ed11a5..c177c8f 100644
1763 +index 86bb9cc..8814d50 100644
1764 --- a/net/core/dev.c
1765 +++ b/net/core/dev.c
1766 @@ -1695,14 +1695,14 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
1767 @@ -101976,7 +102121,7 @@ index 3ed11a5..c177c8f 100644
1768 kfree_skb(skb);
1769 return NET_RX_DROP;
1770 }
1771 -@@ -2460,7 +2460,7 @@ static int illegal_highdma(const struct net_device *dev, struct sk_buff *skb)
1772 +@@ -2461,7 +2461,7 @@ static int illegal_highdma(const struct net_device *dev, struct sk_buff *skb)
1773
1774 struct dev_gso_cb {
1775 void (*destructor)(struct sk_buff *skb);
1776 @@ -101985,7 +102130,7 @@ index 3ed11a5..c177c8f 100644
1777
1778 #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb)
1779
1780 -@@ -3234,7 +3234,7 @@ enqueue:
1781 +@@ -3238,7 +3238,7 @@ enqueue:
1782
1783 local_irq_restore(flags);
1784
1785 @@ -101994,7 +102139,7 @@ index 3ed11a5..c177c8f 100644
1786 kfree_skb(skb);
1787 return NET_RX_DROP;
1788 }
1789 -@@ -3315,7 +3315,7 @@ int netif_rx_ni(struct sk_buff *skb)
1790 +@@ -3319,7 +3319,7 @@ int netif_rx_ni(struct sk_buff *skb)
1791 }
1792 EXPORT_SYMBOL(netif_rx_ni);
1793
1794 @@ -102003,7 +102148,7 @@ index 3ed11a5..c177c8f 100644
1795 {
1796 struct softnet_data *sd = &__get_cpu_var(softnet_data);
1797
1798 -@@ -3652,7 +3652,7 @@ ncls:
1799 +@@ -3656,7 +3656,7 @@ ncls:
1800 ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
1801 } else {
1802 drop:
1803 @@ -102012,7 +102157,7 @@ index 3ed11a5..c177c8f 100644
1804 kfree_skb(skb);
1805 /* Jamal, now you will not able to escape explaining
1806 * me how you were going to use this. :-)
1807 -@@ -4342,7 +4342,7 @@ void netif_napi_del(struct napi_struct *napi)
1808 +@@ -4346,7 +4346,7 @@ void netif_napi_del(struct napi_struct *napi)
1809 }
1810 EXPORT_SYMBOL(netif_napi_del);
1811
1812 @@ -102021,7 +102166,7 @@ index 3ed11a5..c177c8f 100644
1813 {
1814 struct softnet_data *sd = &__get_cpu_var(softnet_data);
1815 unsigned long time_limit = jiffies + 2;
1816 -@@ -6311,7 +6311,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
1817 +@@ -6376,7 +6376,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
1818 } else {
1819 netdev_stats_to_stats64(storage, &dev->stats);
1820 }
1821 @@ -102444,7 +102589,7 @@ index b442e7e..6f5b5a2 100644
1822 {
1823 struct socket *sock;
1824 diff --git a/net/core/skbuff.c b/net/core/skbuff.c
1825 -index baf6fc4..783639a 100644
1826 +index e2b1bba..71bd8fe 100644
1827 --- a/net/core/skbuff.c
1828 +++ b/net/core/skbuff.c
1829 @@ -360,18 +360,29 @@ refill:
1830 @@ -103128,7 +103273,7 @@ index c10a3ce..dd71f84 100644
1831 return -ENOMEM;
1832 }
1833 diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
1834 -index 94213c8..8bdb342 100644
1835 +index b40b90d..9e7ce17 100644
1836 --- a/net/ipv4/ip_gre.c
1837 +++ b/net/ipv4/ip_gre.c
1838 @@ -115,7 +115,7 @@ static bool log_ecn_error = true;
1839 @@ -103140,7 +103285,7 @@ index 94213c8..8bdb342 100644
1840 static int ipgre_tunnel_init(struct net_device *dev);
1841
1842 static int ipgre_net_id __read_mostly;
1843 -@@ -732,7 +732,7 @@ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = {
1844 +@@ -733,7 +733,7 @@ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = {
1845 [IFLA_GRE_PMTUDISC] = { .type = NLA_U8 },
1846 };
1847
1848 @@ -103149,7 +103294,7 @@ index 94213c8..8bdb342 100644
1849 .kind = "gre",
1850 .maxtype = IFLA_GRE_MAX,
1851 .policy = ipgre_policy,
1852 -@@ -746,7 +746,7 @@ static struct rtnl_link_ops ipgre_link_ops __read_mostly = {
1853 +@@ -747,7 +747,7 @@ static struct rtnl_link_ops ipgre_link_ops __read_mostly = {
1854 .fill_info = ipgre_fill_info,
1855 };
1856
1857 @@ -103412,7 +103557,7 @@ index 2510c02..cfb34fa 100644
1858 pr_err("Unable to proc dir entry\n");
1859 return -ENOMEM;
1860 diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
1861 -index 0d33f94..fcd69aa 100644
1862 +index 0d33f94..d0a62e6 100644
1863 --- a/net/ipv4/ping.c
1864 +++ b/net/ipv4/ping.c
1865 @@ -59,7 +59,7 @@ struct ping_table {
1866 @@ -103473,7 +103618,20 @@ index 0d33f94..fcd69aa 100644
1867 else if (skb->protocol == htons(ETH_P_IP) && isk->cmsg_flags)
1868 ip_cmsg_recv(msg, skb);
1869 #endif
1870 -@@ -1113,7 +1113,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f,
1871 +@@ -973,8 +973,11 @@ void ping_rcv(struct sk_buff *skb)
1872 +
1873 + sk = ping_lookup(net, skb, ntohs(icmph->un.echo.id));
1874 + if (sk != NULL) {
1875 ++ struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
1876 ++
1877 + pr_debug("rcv on socket %p\n", sk);
1878 +- ping_queue_rcv_skb(sk, skb_get(skb));
1879 ++ if (skb2)
1880 ++ ping_queue_rcv_skb(sk, skb2);
1881 + sock_put(sk);
1882 + return;
1883 + }
1884 +@@ -1113,7 +1116,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f,
1885 from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)),
1886 0, sock_i_ino(sp),
1887 atomic_read(&sp->sk_refcnt), sp,
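Review bot: The switch from `skb_get(skb)` to `skb_clone(skb, GFP_ATOMIC)` at L1882 has no why-comment, yet it turns a refcount bump into an allocation that can fail under memory pressure, in which case the `if (skb2)` guard at L1886 drops the packet silently. Suggest `/* clone rather than share: the queued skb may be altered while the caller still owns skb */` above the `skb_clone` call, adjusted to the actual rationale, which is not on the page. A dropped clone leaves no trace for operators; consider whether the drop should be counted. The enclosing function continues outside the hunk.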
1888 @@ -104893,10 +105051,10 @@ index 20b63d2..31a777d 100644
1889
1890 kfree_skb(skb);
1891 diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
1892 -index 5f8e128..9e02f78 100644
1893 +index 5f8e128..776fc30 100644
1894 --- a/net/ipv6/xfrm6_policy.c
1895 +++ b/net/ipv6/xfrm6_policy.c
1896 -@@ -130,8 +130,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
1897 +@@ -130,12 +130,18 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
1898 {
1899 struct flowi6 *fl6 = &fl->u.ip6;
1900 int onlyproto = 0;
1901 @@ -104905,8 +105063,19 @@ index 5f8e128..9e02f78 100644
1902 + u16 offset = sizeof(*hdr);
1903 struct ipv6_opt_hdr *exthdr;
1904 const unsigned char *nh = skb_network_header(skb);
1905 - u8 nexthdr = nh[IP6CB(skb)->nhoff];
1906 -@@ -170,8 +170,10 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
1907 +- u8 nexthdr = nh[IP6CB(skb)->nhoff];
1908 ++ u16 nhoff = IP6CB(skb)->nhoff;
1909 + int oif = 0;
1910 ++ u8 nexthdr;
1911 ++
1912 ++ if (!nhoff)
1913 ++ nhoff = offsetof(struct ipv6hdr, nexthdr);
1914 ++
1915 ++ nexthdr = nh[nhoff];
1916 +
1917 + if (skb_dst(skb))
1918 + oif = skb_dst(skb)->dev->ifindex;
1919 +@@ -170,8 +176,10 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
1920 case IPPROTO_DCCP:
1921 if (!onlyproto && (nh + offset + 4 < skb->data ||
1922 pskb_may_pull(skb, nh + offset + 4 - skb->data))) {
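Review bot: The fallback at L1919–L1920 (`if (!nhoff) nhoff = offsetof(struct ipv6hdr, nexthdr);`) treats a zero `IP6CB(skb)->nhoff` as "not recorded", but nothing in the hunk says when that happens, so the next reader may take 0 for a valid offset. Suggest a comment above the check such as `/* nhoff is 0 when no extension-header walk recorded it (presumably skbs that did not pass through the input path); fall back to the fixed header */`, hedged until confirmed against the callers. The enclosing function continues outside the hunk.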
1923 @@ -104918,7 +105087,7 @@ index 5f8e128..9e02f78 100644
1924 fl6->fl6_sport = ports[!!reverse];
1925 fl6->fl6_dport = ports[!reverse];
1926 }
1927 -@@ -180,8 +182,10 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
1928 +@@ -180,8 +188,10 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
1929
1930 case IPPROTO_ICMPV6:
1931 if (!onlyproto && pskb_may_pull(skb, nh + offset + 2 - skb->data)) {
1932 @@ -104930,7 +105099,7 @@ index 5f8e128..9e02f78 100644
1933 fl6->fl6_icmp_type = icmp[0];
1934 fl6->fl6_icmp_code = icmp[1];
1935 }
1936 -@@ -192,8 +196,9 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
1937 +@@ -192,8 +202,9 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
1938 case IPPROTO_MH:
1939 if (!onlyproto && pskb_may_pull(skb, nh + offset + 3 - skb->data)) {
1940 struct ip6_mh *mh;
1941 @@ -104941,7 +105110,7 @@ index 5f8e128..9e02f78 100644
1942 fl6->fl6_mh_type = mh->ip6mh_type;
1943 }
1944 fl6->flowi6_proto = nexthdr;
1945 -@@ -212,11 +217,11 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
1946 +@@ -212,11 +223,11 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
1947 }
1948 }
1949
1950 @@ -104955,7 +105124,7 @@ index 5f8e128..9e02f78 100644
1951 return dst_entries_get_fast(ops) > ops->gc_thresh * 2;
1952 }
1953
1954 -@@ -329,19 +334,19 @@ static struct ctl_table xfrm6_policy_table[] = {
1955 +@@ -329,19 +340,19 @@ static struct ctl_table xfrm6_policy_table[] = {
1956
1957 static int __net_init xfrm6_net_init(struct net *net)
1958 {
1959 @@ -104980,7 +105149,7 @@ index 5f8e128..9e02f78 100644
1960 if (!hdr)
1961 goto err_reg;
1962
1963 -@@ -349,8 +354,7 @@ static int __net_init xfrm6_net_init(struct net *net)
1964 +@@ -349,8 +360,7 @@ static int __net_init xfrm6_net_init(struct net *net)
1965 return 0;
1966
1967 err_reg:
1968 @@ -105407,10 +105576,10 @@ index bffdad7..f9317d1 100644
1969 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
1970 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
1971 diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
1972 -index cf99377..c09b5b7 100644
1973 +index 53ea164..c518529 100644
1974 --- a/net/netfilter/ipset/ip_set_core.c
1975 +++ b/net/netfilter/ipset/ip_set_core.c
1976 -@@ -1922,7 +1922,7 @@ done:
1977 +@@ -1928,7 +1928,7 @@ done:
1978 return ret;
1979 }
1980
1981 @@ -105969,7 +106138,7 @@ index 11de55e..f25e448 100644
1982 return 0;
1983 }
1984 diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
1985 -index 7c177bc..d4abd23 100644
1986 +index 1d52506..b772b22 100644
1987 --- a/net/netlink/af_netlink.c
1988 +++ b/net/netlink/af_netlink.c
1989 @@ -257,7 +257,7 @@ static void netlink_overrun(struct sock *sk)
1990 @@ -105981,7 +106150,7 @@ index 7c177bc..d4abd23 100644
1991 }
1992
1993 static void netlink_rcv_wake(struct sock *sk)
1994 -@@ -3003,7 +3003,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v)
1995 +@@ -2983,7 +2983,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v)
1996 sk_wmem_alloc_get(s),
1997 nlk->cb_running,
1998 atomic_read(&s->sk_refcnt),
1999 @@ -106598,6 +106767,58 @@ index f226709..0e735a8 100644
2000 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
2001
2002 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
2003 +diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
2004 +index 8e3cf49..4a8e322 100644
2005 +--- a/net/sched/cls_bpf.c
2006 ++++ b/net/sched/cls_bpf.c
2007 +@@ -182,6 +182,11 @@ static int cls_bpf_modify_existing(struct net *net, struct tcf_proto *tp,
2008 + }
2009 +
2010 + bpf_size = bpf_len * sizeof(*bpf_ops);
2011 ++ if (bpf_size != nla_len(tb[TCA_BPF_OPS])) {
2012 ++ ret = -EINVAL;
2013 ++ goto errout;
2014 ++ }
2015 ++
2016 + bpf_ops = kzalloc(bpf_size, GFP_KERNEL);
2017 + if (bpf_ops == NULL) {
2018 + ret = -ENOMEM;
2019 +@@ -228,15 +233,21 @@ static u32 cls_bpf_grab_new_handle(struct tcf_proto *tp,
2020 + struct cls_bpf_head *head)
2021 + {
2022 + unsigned int i = 0x80000000;
2023 ++ u32 handle;
2024 +
2025 + do {
2026 + if (++head->hgen == 0x7FFFFFFF)
2027 + head->hgen = 1;
2028 + } while (--i > 0 && cls_bpf_get(tp, head->hgen));
2029 +- if (i == 0)
2030 ++
2031 ++ if (unlikely(i == 0)) {
2032 + pr_err("Insufficient number of handles\n");
2033 ++ handle = 0;
2034 ++ } else {
2035 ++ handle = head->hgen;
2036 ++ }
2037 +
2038 +- return i;
2039 ++ return handle;
2040 + }
2041 +
2042 + static int cls_bpf_change(struct net *net, struct sk_buff *in_skb,
2043 +diff --git a/net/sctp/associola.c b/net/sctp/associola.c
2044 +index d477d47..abc0922 100644
2045 +--- a/net/sctp/associola.c
2046 ++++ b/net/sctp/associola.c
2047 +@@ -1235,7 +1235,6 @@ void sctp_assoc_update(struct sctp_association *asoc,
2048 + asoc->peer.peer_hmacs = new->peer.peer_hmacs;
2049 + new->peer.peer_hmacs = NULL;
2050 +
2051 +- sctp_auth_key_put(asoc->asoc_shared_key);
2052 + sctp_auth_asoc_init_active_key(asoc, GFP_ATOMIC);
2053 + }
2054 +
2055 diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
2056 index 2b1738e..a9d0fc9 100644
2057 --- a/net/sctp/ipv6.c
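Review bot: The removal of `sctp_auth_key_put(asoc->asoc_shared_key)` at L2058 carries no explanation of why the explicit release is no longer needed; presumably `sctp_auth_asoc_init_active_key()` drops the previous key itself, which would have made the old call a double release. A comment such as `/* sctp_auth_asoc_init_active_key() releases the old shared key itself */` above L2059 would keep a future merge from reintroducing it. In the cls_bpf change, the new length check at L2018–L2021 runs before the allocation, which is the right order, but the hunk does not show how `bpf_len` is bounded; verify it is checked before the multiplication at L2017 so `bpf_size` cannot wrap.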
2058 @@ -118621,10 +118842,10 @@ index 0000000..4378111
2059 +}
2060 diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
2061 new file mode 100644
2062 -index 0000000..dfb7516
2063 +index 0000000..7ab73a3
2064 --- /dev/null
2065 +++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
2066 -@@ -0,0 +1,6038 @@
2067 +@@ -0,0 +1,6040 @@
2068 +intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL
2069 +ocfs2_get_refcount_tree_3 ocfs2_get_refcount_tree 0 3 NULL
2070 +storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL
2071 @@ -119594,6 +119815,7 @@ index 0000000..dfb7516
2072 +rd_build_prot_space_10761 rd_build_prot_space 2-3 10761 NULL
2073 +kvm_read_guest_atomic_10765 kvm_read_guest_atomic 4 10765 NULL
2074 +__qp_memcpy_to_queue_10779 __qp_memcpy_to_queue 2-4 10779 NULL
2075 ++ttm_dma_page_pool_free_10796 ttm_dma_page_pool_free 2-0 10796 NULL
2076 +diva_set_trace_filter_10820 diva_set_trace_filter 0-1 10820 NULL
2077 +lbs_sleepparams_read_10840 lbs_sleepparams_read 3 10840 NULL
2078 +ida_get_new_above_10853 ida_get_new_above 0 10853 NULL
2079 @@ -120901,6 +121123,7 @@ index 0000000..dfb7516
2080 +evdev_do_ioctl_24459 evdev_do_ioctl 2 24459 NULL
2081 +lbs_highsnr_write_24460 lbs_highsnr_write 3 24460 NULL
2082 +skb_copy_and_csum_datagram_iovec_24466 skb_copy_and_csum_datagram_iovec 2 24466 NULL
2083 ++ttm_page_pool_free_24486 ttm_page_pool_free 2-0 24486 NULL
2084 +dut_mode_read_24489 dut_mode_read 3 24489 NULL
2085 +read_file_spec_scan_ctl_24491 read_file_spec_scan_ctl 3 24491 NULL
2086 +pd_video_read_24510 pd_video_read 3 24510 NULL
2087
2088 diff --git a/3.18.3/4425_grsec_remove_EI_PAX.patch b/3.14.30/4425_grsec_remove_EI_PAX.patch
2089 similarity index 100%
2090 rename from 3.18.3/4425_grsec_remove_EI_PAX.patch
2091 rename to 3.14.30/4425_grsec_remove_EI_PAX.patch
2092
2093 diff --git a/3.14.29/4427_force_XATTR_PAX_tmpfs.patch b/3.14.30/4427_force_XATTR_PAX_tmpfs.patch
2094 similarity index 100%
2095 rename from 3.14.29/4427_force_XATTR_PAX_tmpfs.patch
2096 rename to 3.14.30/4427_force_XATTR_PAX_tmpfs.patch
2097
2098 diff --git a/3.18.3/4430_grsec-remove-localversion-grsec.patch b/3.14.30/4430_grsec-remove-localversion-grsec.patch
2099 similarity index 100%
2100 rename from 3.18.3/4430_grsec-remove-localversion-grsec.patch
2101 rename to 3.14.30/4430_grsec-remove-localversion-grsec.patch
2102
2103 diff --git a/3.14.29/4435_grsec-mute-warnings.patch b/3.14.30/4435_grsec-mute-warnings.patch
2104 similarity index 100%
2105 rename from 3.14.29/4435_grsec-mute-warnings.patch
2106 rename to 3.14.30/4435_grsec-mute-warnings.patch
2107
2108 diff --git a/3.18.3/4440_grsec-remove-protected-paths.patch b/3.14.30/4440_grsec-remove-protected-paths.patch
2109 similarity index 100%
2110 rename from 3.18.3/4440_grsec-remove-protected-paths.patch
2111 rename to 3.14.30/4440_grsec-remove-protected-paths.patch
2112
2113 diff --git a/3.14.29/4450_grsec-kconfig-default-gids.patch b/3.14.30/4450_grsec-kconfig-default-gids.patch
2114 similarity index 100%
2115 rename from 3.14.29/4450_grsec-kconfig-default-gids.patch
2116 rename to 3.14.30/4450_grsec-kconfig-default-gids.patch
2117
2118 diff --git a/3.14.29/4465_selinux-avc_audit-log-curr_ip.patch b/3.14.30/4465_selinux-avc_audit-log-curr_ip.patch
2119 similarity index 100%
2120 rename from 3.14.29/4465_selinux-avc_audit-log-curr_ip.patch
2121 rename to 3.14.30/4465_selinux-avc_audit-log-curr_ip.patch
2122
2123 diff --git a/3.14.29/4470_disable-compat_vdso.patch b/3.14.30/4470_disable-compat_vdso.patch
2124 similarity index 100%
2125 rename from 3.14.29/4470_disable-compat_vdso.patch
2126 rename to 3.14.30/4470_disable-compat_vdso.patch
2127
2128 diff --git a/3.18.3/4475_emutramp_default_on.patch b/3.14.30/4475_emutramp_default_on.patch
2129 similarity index 100%
2130 rename from 3.18.3/4475_emutramp_default_on.patch
2131 rename to 3.14.30/4475_emutramp_default_on.patch
2132
2133 diff --git a/3.18.3/0000_README b/3.18.4/0000_README
2134 similarity index 91%
2135 rename from 3.18.3/0000_README
2136 rename to 3.18.4/0000_README
2137 index 910054e..d079d57 100644
2138 --- a/3.18.3/0000_README
2139 +++ b/3.18.4/0000_README
2140 @@ -2,7 +2,7 @@ README
2141 -----------------------------------------------------------------------------
2142 Individual Patch Descriptions:
2143 -----------------------------------------------------------------------------
2144 -Patch: 4420_grsecurity-3.0-3.18.3-201501211944.patch
2145 +Patch: 4420_grsecurity-3.0-3.18.4-201501272307.patch
2146 From: http://www.grsecurity.net
2147 Desc: hardened-sources base patch from upstream grsecurity
2148
2149 @@ -41,4 +41,4 @@ Desc: Disables VDSO_COMPAT operation completely
2150
2151 Patch: 4475_emutramp_default_on.patch
2152 From: Anthony G. Basile <blueness@g.o>
2153 -Desc: Set PAX_EMUTRAMP default on for libffi, bugs #329499 and #457194
2154 +Dnux-3.18.4.patchesc: Set PAX_EMUTRAMP default on for libffi, bugs #329499 and #457194
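Review bot: The new Desc: line at L2161 is corrupted: `Dnux-3.18.4.patchesc: Set PAX_EMUTRAMP ...` looks like a stray paste of a `linux-3.18.4.patches` fragment into the `Desc:` keyword. It should read `Desc: Set PAX_EMUTRAMP default on for libffi, bugs #329499 and #457194`, as in the removed line; any tooling that keys on the `Desc:` prefix would otherwise miss this entry.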
2155
2156 diff --git a/3.18.3/4420_grsecurity-3.0-3.18.3-201501211944.patch b/3.18.4/4420_grsecurity-3.0-3.18.4-201501272307.patch
2157 similarity index 99%
2158 rename from 3.18.3/4420_grsecurity-3.0-3.18.3-201501211944.patch
2159 rename to 3.18.4/4420_grsecurity-3.0-3.18.4-201501272307.patch
2160 index 93912cb..4163835 100644
2161 --- a/3.18.3/4420_grsecurity-3.0-3.18.3-201501211944.patch
2162 +++ b/3.18.4/4420_grsecurity-3.0-3.18.4-201501272307.patch
2163 @@ -313,7 +313,7 @@ index a311db8..415b28c 100644
2164 A typical pattern in a Kbuild file looks like this:
2165
2166 diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
2167 -index 479f332..2475ac2 100644
2168 +index f4c71d4..66811b1 100644
2169 --- a/Documentation/kernel-parameters.txt
2170 +++ b/Documentation/kernel-parameters.txt
2171 @@ -1182,6 +1182,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
2172 @@ -327,7 +327,7 @@ index 479f332..2475ac2 100644
2173 hashdist= [KNL,NUMA] Large hashes allocated during boot
2174 are distributed across NUMA nodes. Defaults on
2175 for 64-bit NUMA, off otherwise.
2176 -@@ -2259,6 +2263,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
2177 +@@ -2260,6 +2264,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
2178 noexec=on: enable non-executable mappings (default)
2179 noexec=off: disable non-executable mappings
2180
2181 @@ -338,7 +338,7 @@ index 479f332..2475ac2 100644
2182 nosmap [X86]
2183 Disable SMAP (Supervisor Mode Access Prevention)
2184 even if it is supported by processor.
2185 -@@ -2551,6 +2559,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
2186 +@@ -2552,6 +2560,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
2187 the specified number of seconds. This is to be used if
2188 your oopses keep scrolling off the screen.
2189
2190 @@ -370,7 +370,7 @@ index 479f332..2475ac2 100644
2191
2192 pcd. [PARIDE]
2193 diff --git a/Makefile b/Makefile
2194 -index 91cfe8d..ccf7329 100644
2195 +index 4e93284..ba06195 100644
2196 --- a/Makefile
2197 +++ b/Makefile
2198 @@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
2199 @@ -12721,10 +12721,10 @@ index 920e616..ac3d4df 100644
2200 +*** Please upgrade your binutils to 2.18 or newer
2201 +endef
2202 diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile
2203 -index 5b016e2..04ef69c 100644
2204 +index 3db07f3..9d81d0f 100644
2205 --- a/arch/x86/boot/Makefile
2206 +++ b/arch/x86/boot/Makefile
2207 -@@ -55,6 +55,9 @@ endif
2208 +@@ -56,6 +56,9 @@ clean-files += cpustr.h
2209 # ---------------------------------------------------------------------------
2210
2211 KBUILD_CFLAGS := $(USERINCLUDE) $(REALMODE_CFLAGS) -D_SETUP
2212 @@ -16544,7 +16544,7 @@ index 0bb1335..8f1aec7 100644
2213 "6:\n"
2214 ".previous\n"
2215 diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h
2216 -index 50d033a..37deb26 100644
2217 +index 50d033a..59ecefa 100644
2218 --- a/arch/x86/include/asm/desc.h
2219 +++ b/arch/x86/include/asm/desc.h
2220 @@ -4,6 +4,7 @@
2221 @@ -16642,7 +16642,7 @@ index 50d033a..37deb26 100644
2222 }
2223
2224 static inline void native_load_gdt(const struct desc_ptr *dtr)
2225 -@@ -247,8 +258,10 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu)
2226 +@@ -247,11 +258,14 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu)
2227 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
2228 unsigned int i;
2229
2230 @@ -16652,8 +16652,37 @@ index 50d033a..37deb26 100644
2231 + pax_close_kernel();
2232 }
2233
2234 - #define _LDT_empty(info) \
2235 -@@ -287,7 +300,7 @@ static inline void load_LDT(mm_context_t *pc)
2236 +-#define _LDT_empty(info) \
2237 ++/* This intentionally ignores lm, since 32-bit apps don't have that field. */
2238 ++#define LDT_empty(info) \
2239 + ((info)->base_addr == 0 && \
2240 + (info)->limit == 0 && \
2241 + (info)->contents == 0 && \
2242 +@@ -261,11 +275,18 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu)
2243 + (info)->seg_not_present == 1 && \
2244 + (info)->useable == 0)
2245 +
2246 +-#ifdef CONFIG_X86_64
2247 +-#define LDT_empty(info) (_LDT_empty(info) && ((info)->lm == 0))
2248 +-#else
2249 +-#define LDT_empty(info) (_LDT_empty(info))
2250 +-#endif
2251 ++/* Lots of programs expect an all-zero user_desc to mean "no segment at all". */
2252 ++static inline bool LDT_zero(const struct user_desc *info)
2253 ++{
2254 ++ return (info->base_addr == 0 &&
2255 ++ info->limit == 0 &&
2256 ++ info->contents == 0 &&
2257 ++ info->read_exec_only == 0 &&
2258 ++ info->seg_32bit == 0 &&
2259 ++ info->limit_in_pages == 0 &&
2260 ++ info->seg_not_present == 0 &&
2261 ++ info->useable == 0);
2262 ++}
2263 +
2264 + static inline void clear_LDT(void)
2265 + {
2266 +@@ -287,7 +308,7 @@ static inline void load_LDT(mm_context_t *pc)
2267 preempt_enable();
2268 }
2269
2270 @@ -16662,7 +16691,7 @@ index 50d033a..37deb26 100644
2271 {
2272 return (unsigned)(desc->base0 | ((desc->base1) << 16) | ((desc->base2) << 24));
2273 }
2274 -@@ -311,7 +324,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit)
2275 +@@ -311,7 +332,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit)
2276 }
2277
2278 #ifdef CONFIG_X86_64
2279 @@ -16671,7 +16700,7 @@ index 50d033a..37deb26 100644
2280 {
2281 gate_desc s;
2282
2283 -@@ -321,14 +334,14 @@ static inline void set_nmi_gate(int gate, void *addr)
2284 +@@ -321,14 +342,14 @@ static inline void set_nmi_gate(int gate, void *addr)
2285 #endif
2286
2287 #ifdef CONFIG_TRACING
2288 @@ -16689,7 +16718,7 @@ index 50d033a..37deb26 100644
2289 unsigned dpl, unsigned ist, unsigned seg)
2290 {
2291 gate_desc s;
2292 -@@ -348,7 +361,7 @@ static inline void write_trace_idt_entry(int entry, const gate_desc *gate)
2293 +@@ -348,7 +369,7 @@ static inline void write_trace_idt_entry(int entry, const gate_desc *gate)
2294 #define _trace_set_gate(gate, type, addr, dpl, ist, seg)
2295 #endif
2296
2297 @@ -16698,7 +16727,7 @@ index 50d033a..37deb26 100644
2298 unsigned dpl, unsigned ist, unsigned seg)
2299 {
2300 gate_desc s;
2301 -@@ -371,9 +384,9 @@ static inline void _set_gate(int gate, unsigned type, void *addr,
2302 +@@ -371,9 +392,9 @@ static inline void _set_gate(int gate, unsigned type, void *addr,
2303 #define set_intr_gate(n, addr) \
2304 do { \
2305 BUG_ON((unsigned)n > 0xFF); \
2306 @@ -16710,7 +16739,7 @@ index 50d033a..37deb26 100644
2307 0, 0, __KERNEL_CS); \
2308 } while (0)
2309
2310 -@@ -401,19 +414,19 @@ static inline void alloc_system_vector(int vector)
2311 +@@ -401,19 +422,19 @@ static inline void alloc_system_vector(int vector)
2312 /*
2313 * This routine sets up an interrupt gate at directory privilege level 3.
2314 */
2315 @@ -16733,7 +16762,7 @@ index 50d033a..37deb26 100644
2316 {
2317 BUG_ON((unsigned)n > 0xFF);
2318 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
2319 -@@ -422,16 +435,16 @@ static inline void set_trap_gate(unsigned int n, void *addr)
2320 +@@ -422,16 +443,16 @@ static inline void set_trap_gate(unsigned int n, void *addr)
2321 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
2322 {
2323 BUG_ON((unsigned)n > 0xFF);
2324 @@ -16753,7 +16782,7 @@ index 50d033a..37deb26 100644
2325 {
2326 BUG_ON((unsigned)n > 0xFF);
2327 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
2328 -@@ -503,4 +516,17 @@ static inline void load_current_idt(void)
2329 +@@ -503,4 +524,17 @@ static inline void load_current_idt(void)
2330 else
2331 load_idt((const struct desc_ptr *)&idt_descr);
2332 }
2333 @@ -21115,7 +21144,7 @@ index e7c798b..2b2019b 100644
2334 BLANK();
2335
2336 diff --git a/arch/x86/kernel/cpu/Makefile b/arch/x86/kernel/cpu/Makefile
2337 -index e27b49d..85b106c 100644
2338 +index 80091ae..0c5184f 100644
2339 --- a/arch/x86/kernel/cpu/Makefile
2340 +++ b/arch/x86/kernel/cpu/Makefile
2341 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
2342 @@ -25536,7 +25565,7 @@ index 7ec1d5f..5a7d130 100644
2343 }
2344
2345 diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
2346 -index 67e6d19..731ed28 100644
2347 +index 93d2c04..36d0e94 100644
2348 --- a/arch/x86/kernel/kprobes/core.c
2349 +++ b/arch/x86/kernel/kprobes/core.c
2350 @@ -120,9 +120,12 @@ __synthesize_relative_insn(void *from, void *to, u8 op)
2351 @@ -27816,10 +27845,49 @@ index 0fa2960..91eabbe 100644
2352 return pc;
2353 }
2354 diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
2355 -index 4e942f3..d0f623f 100644
2356 +index 4e942f3..c6e445a 100644
2357 --- a/arch/x86/kernel/tls.c
2358 +++ b/arch/x86/kernel/tls.c
2359 -@@ -118,6 +118,11 @@ int do_set_thread_area(struct task_struct *p, int idx,
2360 +@@ -29,7 +29,28 @@ static int get_free_idx(void)
2361 +
2362 + static bool tls_desc_okay(const struct user_desc *info)
2363 + {
2364 +- if (LDT_empty(info))
2365 ++ /*
2366 ++ * For historical reasons (i.e. no one ever documented how any
2367 ++ * of the segmentation APIs work), user programs can and do
2368 ++ * assume that a struct user_desc that's all zeros except for
2369 ++ * entry_number means "no segment at all". This never actually
2370 ++ * worked. In fact, up to Linux 3.19, a struct user_desc like
2371 ++ * this would create a 16-bit read-write segment with base and
2372 ++ * limit both equal to zero.
2373 ++ *
2374 ++ * That was close enough to "no segment at all" until we
2375 ++ * hardened this function to disallow 16-bit TLS segments. Fix
2376 ++ * it up by interpreting these zeroed segments the way that they
2377 ++ * were almost certainly intended to be interpreted.
2378 ++ *
2379 ++ * The correct way to ask for "no segment at all" is to specify
2380 ++ * a user_desc that satisfies LDT_empty. To keep everything
2381 ++ * working, we accept both.
2382 ++ *
2383 ++ * Note that there's a similar kludge in modify_ldt -- look at
2384 ++ * the distinction between modes 1 and 0x11.
2385 ++ */
2386 ++ if (LDT_empty(info) || LDT_zero(info))
2387 + return true;
2388 +
2389 + /*
2390 +@@ -71,7 +92,7 @@ static void set_tls_desc(struct task_struct *p, int idx,
2391 + cpu = get_cpu();
2392 +
2393 + while (n-- > 0) {
2394 +- if (LDT_empty(info))
2395 ++ if (LDT_empty(info) || LDT_zero(info))
2396 + desc->a = desc->b = 0;
2397 + else
2398 + fill_ldt(desc, info);
2399 +@@ -118,6 +139,11 @@ int do_set_thread_area(struct task_struct *p, int idx,
2400 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
2401 return -EINVAL;
2402
2403 @@ -27831,7 +27899,7 @@ index 4e942f3..d0f623f 100644
2404 set_tls_desc(p, idx, &info, 1);
2405
2406 return 0;
2407 -@@ -235,7 +240,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
2408 +@@ -235,7 +261,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
2409
2410 if (kbuf)
2411 info = kbuf;
2412 @@ -28626,10 +28694,63 @@ index 88f9201..0e7f1a3 100644
2413
2414 out:
2415 diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
2416 -index 22e7ed9..e03a378 100644
2417 +index 22e7ed9..c3e2419 100644
2418 --- a/arch/x86/kvm/emulate.c
2419 +++ b/arch/x86/kvm/emulate.c
2420 -@@ -3519,7 +3519,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
2421 +@@ -2345,7 +2345,7 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
2422 + * Not recognized on AMD in compat mode (but is recognized in legacy
2423 + * mode).
2424 + */
2425 +- if ((ctxt->mode == X86EMUL_MODE_PROT32) && (efer & EFER_LMA)
2426 ++ if ((ctxt->mode != X86EMUL_MODE_PROT64) && (efer & EFER_LMA)
2427 + && !vendor_intel(ctxt))
2428 + return emulate_ud(ctxt);
2429 +
2430 +@@ -2358,25 +2358,13 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
2431 + setup_syscalls_segments(ctxt, &cs, &ss);
2432 +
2433 + ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
2434 +- switch (ctxt->mode) {
2435 +- case X86EMUL_MODE_PROT32:
2436 +- if ((msr_data & 0xfffc) == 0x0)
2437 +- return emulate_gp(ctxt, 0);
2438 +- break;
2439 +- case X86EMUL_MODE_PROT64:
2440 +- if (msr_data == 0x0)
2441 +- return emulate_gp(ctxt, 0);
2442 +- break;
2443 +- default:
2444 +- break;
2445 +- }
2446 ++ if ((msr_data & 0xfffc) == 0x0)
2447 ++ return emulate_gp(ctxt, 0);
2448 +
2449 + ctxt->eflags &= ~(EFLG_VM | EFLG_IF);
2450 +- cs_sel = (u16)msr_data;
2451 +- cs_sel &= ~SELECTOR_RPL_MASK;
2452 ++ cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK;
2453 + ss_sel = cs_sel + 8;
2454 +- ss_sel &= ~SELECTOR_RPL_MASK;
2455 +- if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
2456 ++ if (efer & EFER_LMA) {
2457 + cs.d = 0;
2458 + cs.l = 1;
2459 + }
2460 +@@ -2385,10 +2373,11 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
2461 + ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
2462 +
2463 + ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
2464 +- ctxt->_eip = msr_data;
2465 ++ ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
2466 +
2467 + ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
2468 +- *reg_write(ctxt, VCPU_REGS_RSP) = msr_data;
2469 ++ *reg_write(ctxt, VCPU_REGS_RSP) = (efer & EFER_LMA) ? msr_data :
2470 ++ (u32)msr_data;
2471 +
2472 + return X86EMUL_CONTINUE;
2473 + }
2474 +@@ -3519,7 +3508,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
2475 int cr = ctxt->modrm_reg;
2476 u64 efer = 0;
2477
2478 @@ -28638,7 +28759,7 @@ index 22e7ed9..e03a378 100644
2479 0xffffffff00000000ULL,
2480 0, 0, 0, /* CR3 checked later */
2481 CR4_RESERVED_BITS,
2482 -@@ -3554,7 +3554,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
2483 +@@ -3554,7 +3543,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
2484
2485 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
2486 if (efer & EFER_LMA)
2487 @@ -28647,6 +28768,17 @@ index 22e7ed9..e03a378 100644
2488
2489 if (new_val & rsvd)
2490 return emulate_gp(ctxt, 0);
2491 +@@ -3788,8 +3777,8 @@ static const struct opcode group5[] = {
2492 + };
2493 +
2494 + static const struct opcode group6[] = {
2495 +- DI(Prot, sldt),
2496 +- DI(Prot, str),
2497 ++ DI(Prot | DstMem, sldt),
2498 ++ DI(Prot | DstMem, str),
2499 + II(Prot | Priv | SrcMem16, em_lldt, lldt),
2500 + II(Prot | Priv | SrcMem16, em_ltr, ltr),
2501 + N, N, N, N,
2502 diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
2503 index b8345dd..f225d71 100644
2504 --- a/arch/x86/kvm/lapic.c
2505 @@ -28701,7 +28833,7 @@ index 7527cef..c63a838e 100644
2506
2507 local_irq_disable();
2508 diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
2509 -index 3e556c6..08bbf7f 100644
2510 +index ed70394..c629a68 100644
2511 --- a/arch/x86/kvm/vmx.c
2512 +++ b/arch/x86/kvm/vmx.c
2513 @@ -1366,12 +1366,12 @@ static void vmcs_write64(unsigned long field, u64 value)
2514 @@ -40155,10 +40287,10 @@ index dbf28fa..04dad4e 100644
2515 return -EINVAL;
2516 }
2517 diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
2518 -index e8e98ca..10f416e 100644
2519 +index c81bda0..a8ccd9f 100644
2520 --- a/drivers/gpio/gpiolib.c
2521 +++ b/drivers/gpio/gpiolib.c
2522 -@@ -537,8 +537,10 @@ static void gpiochip_irqchip_remove(struct gpio_chip *gpiochip)
2523 +@@ -539,8 +539,10 @@ static void gpiochip_irqchip_remove(struct gpio_chip *gpiochip)
2524 }
2525
2526 if (gpiochip->irqchip) {
2527 @@ -40171,7 +40303,7 @@ index e8e98ca..10f416e 100644
2528 gpiochip->irqchip = NULL;
2529 }
2530 }
2531 -@@ -604,8 +606,11 @@ int gpiochip_irqchip_add(struct gpio_chip *gpiochip,
2532 +@@ -606,8 +608,11 @@ int gpiochip_irqchip_add(struct gpio_chip *gpiochip,
2533 gpiochip->irqchip = NULL;
2534 return -EINVAL;
2535 }
2536 @@ -40212,10 +40344,10 @@ index bc3da32..7289357 100644
2537 }
2538 mutex_unlock(&drm_global_mutex);
2539 diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
2540 -index 0c0c39b..70dd2f4 100644
2541 +index ef757f7..98f720c 100644
2542 --- a/drivers/gpu/drm/drm_fb_helper.c
2543 +++ b/drivers/gpu/drm/drm_fb_helper.c
2544 -@@ -732,7 +732,9 @@ int drm_fb_helper_setcmap(struct fb_cmap *cmap, struct fb_info *info)
2545 +@@ -741,7 +741,9 @@ int drm_fb_helper_setcmap(struct fb_cmap *cmap, struct fb_info *info)
2546 int i, j, rc = 0;
2547 int start;
2548
2549 @@ -40226,7 +40358,7 @@ index 0c0c39b..70dd2f4 100644
2550 if (!drm_fb_helper_is_bound(fb_helper)) {
2551 drm_modeset_unlock_all(dev);
2552 return -EBUSY;
2553 -@@ -910,7 +912,9 @@ int drm_fb_helper_pan_display(struct fb_var_screeninfo *var,
2554 +@@ -915,7 +917,9 @@ int drm_fb_helper_pan_display(struct fb_var_screeninfo *var,
2555 int ret = 0;
2556 int i;
2557
2558 @@ -40530,7 +40662,7 @@ index 2e0613e..a8b94d9 100644
2559
2560 return ret;
2561 diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
2562 -index 9cb5c95..9228666 100644
2563 +index cadc3bc..1bfccfe 100644
2564 --- a/drivers/gpu/drm/i915/intel_display.c
2565 +++ b/drivers/gpu/drm/i915/intel_display.c
2566 @@ -12811,13 +12811,13 @@ struct intel_quirk {
2567 @@ -41243,7 +41375,7 @@ index 535403e..5dd655b 100644
2568 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
2569
2570 diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c
2571 -index 8624979..65e5243 100644
2572 +index d2510cf..63bd4ed 100644
2573 --- a/drivers/gpu/drm/radeon/radeon_ttm.c
2574 +++ b/drivers/gpu/drm/radeon/radeon_ttm.c
2575 @@ -936,7 +936,7 @@ void radeon_ttm_set_active_vram_size(struct radeon_device *rdev, u64 size)
2576 @@ -41348,7 +41480,7 @@ index a1803fb..c53f6b0 100644
2577 kobject_put(&zone->kobj);
2578 return ret;
2579 diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
2580 -index 09874d6..d6da1de 100644
2581 +index 025c429..314062f 100644
2582 --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
2583 +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
2584 @@ -54,7 +54,7 @@
2585 @@ -41360,14 +41492,15 @@ index 09874d6..d6da1de 100644
2586 /* times are in msecs */
2587 #define PAGE_FREE_INTERVAL 1000
2588
2589 -@@ -299,14 +299,13 @@ static void ttm_pool_update_free_locked(struct ttm_page_pool *pool,
2590 +@@ -299,15 +299,14 @@ static void ttm_pool_update_free_locked(struct ttm_page_pool *pool,
2591 * @free_all: If set to true will free all pages in pool
2592 - * @gfp: GFP flags.
2593 + * @use_static: Safe to use static buffer
2594 **/
2595 -static int ttm_page_pool_free(struct ttm_page_pool *pool, unsigned nr_free,
2596 +static unsigned long ttm_page_pool_free(struct ttm_page_pool *pool, unsigned long nr_free,
2597 - gfp_t gfp)
2598 + bool use_static)
2599 {
2600 + static struct page *static_buf[NUM_PAGES_TO_ALLOC];
2601 unsigned long irq_flags;
2602 struct page *p;
2603 struct page **pages_to_free;
2604 @@ -41377,7 +41510,7 @@ index 09874d6..d6da1de 100644
2605
2606 if (NUM_PAGES_TO_ALLOC < nr_free)
2607 npages_to_free = NUM_PAGES_TO_ALLOC;
2608 -@@ -366,7 +365,8 @@ restart:
2609 +@@ -371,7 +370,8 @@ restart:
2610 __list_del(&p->lru, &pool->list);
2611
2612 ttm_pool_update_free_locked(pool, freed_pages);
2613 @@ -41387,7 +41520,7 @@ index 09874d6..d6da1de 100644
2614 }
2615
2616 spin_unlock_irqrestore(&pool->lock, irq_flags);
2617 -@@ -395,7 +395,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
2618 +@@ -399,7 +399,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
2619 unsigned i;
2620 unsigned pool_offset;
2621 struct ttm_page_pool *pool;
2622 @@ -41396,7 +41529,7 @@ index 09874d6..d6da1de 100644
2623 unsigned long freed = 0;
2624
2625 if (!mutex_trylock(&lock))
2626 -@@ -403,7 +403,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
2627 +@@ -407,7 +407,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
2628 pool_offset = ++start_pool % NUM_POOLS;
2629 /* select start pool in round robin fashion */
2630 for (i = 0; i < NUM_POOLS; ++i) {
2631 @@ -41405,7 +41538,7 @@ index 09874d6..d6da1de 100644
2632 if (shrink_pages == 0)
2633 break;
2634 pool = &_manager->pools[(i + pool_offset)%NUM_POOLS];
2635 -@@ -669,7 +669,7 @@ out:
2636 +@@ -673,7 +673,7 @@ out:
2637 }
2638
2639 /* Put all pages in pages list to correct pool to wait for reuse */
2640 @@ -41414,7 +41547,7 @@ index 09874d6..d6da1de 100644
2641 enum ttm_caching_state cstate)
2642 {
2643 unsigned long irq_flags;
2644 -@@ -724,7 +724,7 @@ static int ttm_get_pages(struct page **pages, unsigned npages, int flags,
2645 +@@ -728,7 +728,7 @@ static int ttm_get_pages(struct page **pages, unsigned npages, int flags,
2646 struct list_head plist;
2647 struct page *p = NULL;
2648 gfp_t gfp_flags = GFP_USER;
2649 @@ -41424,7 +41557,7 @@ index 09874d6..d6da1de 100644
2650
2651 /* set zero flag for page allocation if required */
2652 diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
2653 -index c96db43..c367557 100644
2654 +index 01e1d27..aaa018a 100644
2655 --- a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
2656 +++ b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
2657 @@ -56,7 +56,7 @@
2658 @@ -41436,15 +41569,16 @@ index c96db43..c367557 100644
2659 /* times are in msecs */
2660 #define IS_UNDEFINED (0)
2661 #define IS_WC (1<<1)
2662 -@@ -413,15 +413,14 @@ static void ttm_dma_page_put(struct dma_pool *pool, struct dma_page *d_page)
2663 +@@ -413,7 +413,7 @@ static void ttm_dma_page_put(struct dma_pool *pool, struct dma_page *d_page)
2664 * @nr_free: If set to true will free all pages in pool
2665 - * @gfp: GFP flags.
2666 + * @use_static: Safe to use static buffer
2667 **/
2668 -static unsigned ttm_dma_page_pool_free(struct dma_pool *pool, unsigned nr_free,
2669 +static unsigned long ttm_dma_page_pool_free(struct dma_pool *pool, unsigned long nr_free,
2670 - gfp_t gfp)
2671 + bool use_static)
2672 {
2673 - unsigned long irq_flags;
2674 + static struct page *static_buf[NUM_PAGES_TO_ALLOC];
2675 +@@ -421,8 +421,7 @@ static unsigned ttm_dma_page_pool_free(struct dma_pool *pool, unsigned nr_free,
2676 struct dma_page *dma_p, *tmp;
2677 struct page **pages_to_free;
2678 struct list_head d_pages;
2679 @@ -41454,7 +41588,7 @@ index c96db43..c367557 100644
2680
2681 if (NUM_PAGES_TO_ALLOC < nr_free)
2682 npages_to_free = NUM_PAGES_TO_ALLOC;
2683 -@@ -494,7 +493,8 @@ restart:
2684 +@@ -499,7 +498,8 @@ restart:
2685 /* remove range of pages from the pool */
2686 if (freed_pages) {
2687 ttm_pool_update_free_locked(pool, freed_pages);
2688 @@ -41464,7 +41598,7 @@ index c96db43..c367557 100644
2689 }
2690
2691 spin_unlock_irqrestore(&pool->lock, irq_flags);
2692 -@@ -929,7 +929,7 @@ void ttm_dma_unpopulate(struct ttm_dma_tt *ttm_dma, struct device *dev)
2693 +@@ -936,7 +936,7 @@ void ttm_dma_unpopulate(struct ttm_dma_tt *ttm_dma, struct device *dev)
2694 struct dma_page *d_page, *next;
2695 enum pool_type type;
2696 bool is_cached = false;
2697 @@ -41473,7 +41607,7 @@ index c96db43..c367557 100644
2698 unsigned long irq_flags;
2699
2700 type = ttm_to_type(ttm->page_flags, ttm->caching_state);
2701 -@@ -1007,7 +1007,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
2702 +@@ -1012,7 +1012,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
2703 static unsigned start_pool;
2704 unsigned idx = 0;
2705 unsigned pool_offset;
2706 @@ -41482,7 +41616,7 @@ index c96db43..c367557 100644
2707 struct device_pools *p;
2708 unsigned long freed = 0;
2709
2710 -@@ -1020,7 +1020,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
2711 +@@ -1025,7 +1025,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
2712 goto out;
2713 pool_offset = ++start_pool % _manager->npools;
2714 list_for_each_entry(p, &_manager->pools, pools) {
2715 @@ -41491,8 +41625,8 @@ index c96db43..c367557 100644
2716
2717 if (!p->dev)
2718 continue;
2719 -@@ -1034,7 +1034,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
2720 - sc->gfp_mask);
2721 +@@ -1039,7 +1039,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
2722 + shrink_pages = ttm_dma_page_pool_free(p->pool, nr_free, true);
2723 freed += nr_free - shrink_pages;
2724
2725 - pr_debug("%s: (%s:%d) Asked to shrink %d, have %d more to go\n",
2726 @@ -44554,7 +44688,7 @@ index e9d33ad..dae9880d 100644
2727 pmd->bl_info.value_type.inc = data_block_inc;
2728 pmd->bl_info.value_type.dec = data_block_dec;
2729 diff --git a/drivers/md/dm.c b/drivers/md/dm.c
2730 -index 58f3927..bfbad3e 100644
2731 +index 62c5136..aede7f1 100644
2732 --- a/drivers/md/dm.c
2733 +++ b/drivers/md/dm.c
2734 @@ -183,9 +183,9 @@ struct mapped_device {
2735 @@ -48053,7 +48187,7 @@ index cf8b6ff..274271e 100644
2736 break;
2737 }
2738 diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
2739 -index 597c463..5cc1a7f 100644
2740 +index d2975fa..8aaec07 100644
2741 --- a/drivers/net/ethernet/emulex/benet/be_main.c
2742 +++ b/drivers/net/ethernet/emulex/benet/be_main.c
2743 @@ -537,7 +537,7 @@ static void accumulate_16bit_val(u32 *acc, u16 val)
2744 @@ -48118,7 +48252,7 @@ index 5fd4b52..87aa34b 100644
2745
2746 /* need lock to prevent incorrect read while modifying cyclecounter */
2747 diff --git a/drivers/net/ethernet/mellanox/mlx4/en_tx.c b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
2748 -index 454d9fe..59f0f0b 100644
2749 +index 11ff28b..375d659 100644
2750 --- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c
2751 +++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
2752 @@ -458,8 +458,8 @@ static bool mlx4_en_process_tx_cq(struct net_device *dev,
2753 @@ -48497,10 +48631,10 @@ index 079f7ad..b2a2bfa7 100644
2754
2755 /* We've got a compressed packet; read the change byte */
2756 diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
2757 -index 2368395..bf6fe96 100644
2758 +index 9c505c4..5d0c879 100644
2759 --- a/drivers/net/team/team.c
2760 +++ b/drivers/net/team/team.c
2761 -@@ -2090,7 +2090,7 @@ static unsigned int team_get_num_rx_queues(void)
2762 +@@ -2102,7 +2102,7 @@ static unsigned int team_get_num_rx_queues(void)
2763 return TEAM_DEFAULT_NUM_RX_QUEUES;
2764 }
2765
2766 @@ -48509,7 +48643,7 @@ index 2368395..bf6fe96 100644
2767 .kind = DRV_NAME,
2768 .priv_size = sizeof(struct team),
2769 .setup = team_setup,
2770 -@@ -2880,7 +2880,7 @@ static int team_device_event(struct notifier_block *unused,
2771 +@@ -2892,7 +2892,7 @@ static int team_device_event(struct notifier_block *unused,
2772 return NOTIFY_DONE;
2773 }
2774
2775 @@ -51752,7 +51886,7 @@ index 79c77b4..ef6ec0b 100644
2776 /* check if the device is still usable */
2777 if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
2778 diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
2779 -index 50a6e1a..de5252e 100644
2780 +index 17fb051..937fbbd 100644
2781 --- a/drivers/scsi/scsi_lib.c
2782 +++ b/drivers/scsi/scsi_lib.c
2783 @@ -1583,7 +1583,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q)
2784 @@ -52470,7 +52604,7 @@ index e7e9372..161f530 100644
2785 login->tgt_agt = sbp_target_agent_register(login);
2786 if (IS_ERR(login->tgt_agt)) {
2787 diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
2788 -index c45f9e9..00e85f0 100644
2789 +index 24fa5d1..fae56f1 100644
2790 --- a/drivers/target/target_core_device.c
2791 +++ b/drivers/target/target_core_device.c
2792 @@ -1532,7 +1532,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name)
2793 @@ -53278,7 +53412,7 @@ index 587d63b..48423a6 100644
2794
2795 if (cfg->uart_flags & UPF_CONS_FLOW) {
2796 diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
2797 -index eaeb9a0..01a238c 100644
2798 +index a28dee9..168ba47 100644
2799 --- a/drivers/tty/serial/serial_core.c
2800 +++ b/drivers/tty/serial/serial_core.c
2801 @@ -1339,7 +1339,7 @@ static void uart_close(struct tty_struct *tty, struct file *filp)
2802 @@ -54471,10 +54605,10 @@ index b3d245e..99549ed 100644
2803 props.type = BACKLIGHT_RAW;
2804 props.max_brightness = 0xff;
2805 diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c
2806 -index 8d7fc48..01c4986 100644
2807 +index 29fa1c3..a57b08e 100644
2808 --- a/drivers/usb/serial/console.c
2809 +++ b/drivers/usb/serial/console.c
2810 -@@ -123,7 +123,7 @@ static int usb_console_setup(struct console *co, char *options)
2811 +@@ -125,7 +125,7 @@ static int usb_console_setup(struct console *co, char *options)
2812
2813 info->port = port;
2814
2815 @@ -54483,7 +54617,7 @@ index 8d7fc48..01c4986 100644
2816 if (!test_bit(ASYNCB_INITIALIZED, &port->port.flags)) {
2817 if (serial->type->set_termios) {
2818 /*
2819 -@@ -167,7 +167,7 @@ static int usb_console_setup(struct console *co, char *options)
2820 +@@ -173,7 +173,7 @@ static int usb_console_setup(struct console *co, char *options)
2821 }
2822 /* Now that any required fake tty operations are completed restore
2823 * the tty port count */
2824 @@ -54492,16 +54626,16 @@ index 8d7fc48..01c4986 100644
2825 /* The console is special in terms of closing the device so
2826 * indicate this port is now acting as a system console. */
2827 port->port.console = 1;
2828 -@@ -180,7 +180,7 @@ static int usb_console_setup(struct console *co, char *options)
2829 - free_tty:
2830 - kfree(tty);
2831 +@@ -186,7 +186,7 @@ static int usb_console_setup(struct console *co, char *options)
2832 + put_tty:
2833 + tty_kref_put(tty);
2834 reset_open_count:
2835 - port->port.count = 0;
2836 + atomic_set(&port->port.count, 0);
2837 usb_autopm_put_interface(serial->interface);
2838 error_get_interface:
2839 usb_serial_put(serial);
2840 -@@ -191,7 +191,7 @@ static int usb_console_setup(struct console *co, char *options)
2841 +@@ -197,7 +197,7 @@ static int usb_console_setup(struct console *co, char *options)
2842 static void usb_console_write(struct console *co,
2843 const char *buf, unsigned count)
2844 {
2845 @@ -54782,10 +54916,10 @@ index 2fa0317..4983f2a 100644
2846 return 0;
2847 }
2848 diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c
2849 -index 900aa4e..6d49418 100644
2850 +index d6cab1f..112f680 100644
2851 --- a/drivers/video/fbdev/core/fb_defio.c
2852 +++ b/drivers/video/fbdev/core/fb_defio.c
2853 -@@ -206,7 +206,9 @@ void fb_deferred_io_init(struct fb_info *info)
2854 +@@ -207,7 +207,9 @@ void fb_deferred_io_init(struct fb_info *info)
2855
2856 BUG_ON(!fbdefio);
2857 mutex_init(&fbdefio->lock);
2858 @@ -54796,7 +54930,7 @@ index 900aa4e..6d49418 100644
2859 INIT_DELAYED_WORK(&info->deferred_work, fb_deferred_io_work);
2860 INIT_LIST_HEAD(&fbdefio->pagelist);
2861 if (fbdefio->delay == 0) /* set a default of 1 s */
2862 -@@ -237,7 +239,7 @@ void fb_deferred_io_cleanup(struct fb_info *info)
2863 +@@ -238,7 +240,7 @@ void fb_deferred_io_cleanup(struct fb_info *info)
2864 page->mapping = NULL;
2865 }
2866
2867 @@ -60523,7 +60657,7 @@ index b5c86ff..0dac262 100644
2868 return 0;
2869 while (nr) {
2870 diff --git a/fs/dcache.c b/fs/dcache.c
2871 -index 03dca3c..f66c622 100644
2872 +index 03dca3c..15f326d 100644
2873 --- a/fs/dcache.c
2874 +++ b/fs/dcache.c
2875 @@ -508,7 +508,7 @@ static void __dentry_kill(struct dentry *dentry)
2876 @@ -60659,7 +60793,17 @@ index 03dca3c..f66c622 100644
2877 dentry->d_flags = 0;
2878 spin_lock_init(&dentry->d_lock);
2879 seqcount_init(&dentry->d_seq);
2880 -@@ -2183,7 +2183,7 @@ struct dentry *__d_lookup(const struct dentry *parent, const struct qstr *name)
2881 +@@ -1452,6 +1452,9 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
2882 + dentry->d_sb = sb;
2883 + dentry->d_op = NULL;
2884 + dentry->d_fsdata = NULL;
2885 ++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
2886 ++ atomic_set(&dentry->chroot_refcnt, 0);
2887 ++#endif
2888 + INIT_HLIST_BL_NODE(&dentry->d_hash);
2889 + INIT_LIST_HEAD(&dentry->d_lru);
2890 + INIT_LIST_HEAD(&dentry->d_subdirs);
2891 +@@ -2183,7 +2186,7 @@ struct dentry *__d_lookup(const struct dentry *parent, const struct qstr *name)
2892 goto next;
2893 }
2894
2895 @@ -60668,7 +60812,7 @@ index 03dca3c..f66c622 100644
2896 found = dentry;
2897 spin_unlock(&dentry->d_lock);
2898 break;
2899 -@@ -2282,7 +2282,7 @@ again:
2900 +@@ -2282,7 +2285,7 @@ again:
2901 spin_lock(&dentry->d_lock);
2902 inode = dentry->d_inode;
2903 isdir = S_ISDIR(inode->i_mode);
2904 @@ -60677,7 +60821,7 @@ index 03dca3c..f66c622 100644
2905 if (!spin_trylock(&inode->i_lock)) {
2906 spin_unlock(&dentry->d_lock);
2907 cpu_relax();
2908 -@@ -3308,7 +3308,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry)
2909 +@@ -3308,7 +3311,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry)
2910
2911 if (!(dentry->d_flags & DCACHE_GENOCIDE)) {
2912 dentry->d_flags |= DCACHE_GENOCIDE;
2913 @@ -60686,7 +60830,7 @@ index 03dca3c..f66c622 100644
2914 }
2915 }
2916 return D_WALK_CONTINUE;
2917 -@@ -3424,7 +3424,8 @@ void __init vfs_caches_init(unsigned long mempages)
2918 +@@ -3424,7 +3427,8 @@ void __init vfs_caches_init(unsigned long mempages)
2919 mempages -= reserve;
2920
2921 names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
2922 @@ -62024,7 +62168,7 @@ index 5797d45..7d7d79a 100644
2923
2924 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
2925 diff --git a/fs/fs_struct.c b/fs/fs_struct.c
2926 -index 7dca743..543d620 100644
2927 +index 7dca743..f5e007d 100644
2928 --- a/fs/fs_struct.c
2929 +++ b/fs/fs_struct.c
2930 @@ -4,6 +4,7 @@
2931 @@ -62035,15 +62179,27 @@ index 7dca743..543d620 100644
2932 #include "internal.h"
2933
2934 /*
2935 -@@ -19,6 +20,7 @@ void set_fs_root(struct fs_struct *fs, const struct path *path)
2936 +@@ -15,14 +16,18 @@ void set_fs_root(struct fs_struct *fs, const struct path *path)
2937 + struct path old_root;
2938 +
2939 + path_get(path);
2940 ++ gr_inc_chroot_refcnts(path->dentry, path->mnt);
2941 + spin_lock(&fs->lock);
2942 write_seqcount_begin(&fs->seq);
2943 old_root = fs->root;
2944 fs->root = *path;
2945 + gr_set_chroot_entries(current, path);
2946 write_seqcount_end(&fs->seq);
2947 spin_unlock(&fs->lock);
2948 - if (old_root.dentry)
2949 -@@ -67,6 +69,10 @@ void chroot_fs_refs(const struct path *old_root, const struct path *new_root)
2950 +- if (old_root.dentry)
2951 ++ if (old_root.dentry) {
2952 ++ gr_inc_chroot_refcnts(old_root.dentry, old_root.mnt);
2953 + path_put(&old_root);
2954 ++ }
2955 + }
2956 +
2957 + /*
2958 +@@ -67,6 +72,10 @@ void chroot_fs_refs(const struct path *old_root, const struct path *new_root)
2959 int hits = 0;
2960 spin_lock(&fs->lock);
2961 write_seqcount_begin(&fs->seq);
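Review bot: The replaced root's chroot counter is raised rather than lowered: the new `if (old_root.dentry) {` block calls `gr_inc_chroot_refcnts(old_root.dentry, old_root.mnt);` right before `path_put(&old_root);`, whereas free_fs_struct in the next hunk pairs its `path_put(&fs->root)` with `gr_dec_chroot_refcnts`. If the helper names mean what they say, a root swapped out by set_fs_root is incremented twice (once when installed, once on replacement) and decremented only once on free, so it would stay marked as a chroot root for the life of the dentry and keep the new rename restriction attached to it permanently. Presumably the intent is `gr_dec_chroot_refcnts(old_root.dentry, old_root.mnt);` here, mirroring free_fs_struct; worth confirming against the helper's definition, which is not on this page.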
2962 @@ -62054,7 +62210,15 @@ index 7dca743..543d620 100644
2963 hits += replace_path(&fs->root, old_root, new_root);
2964 hits += replace_path(&fs->pwd, old_root, new_root);
2965 write_seqcount_end(&fs->seq);
2966 -@@ -99,7 +105,8 @@ void exit_fs(struct task_struct *tsk)
2967 +@@ -85,6 +94,7 @@ void chroot_fs_refs(const struct path *old_root, const struct path *new_root)
2968 +
2969 + void free_fs_struct(struct fs_struct *fs)
2970 + {
2971 ++ gr_dec_chroot_refcnts(fs->root.dentry, fs->root.mnt);
2972 + path_put(&fs->root);
2973 + path_put(&fs->pwd);
2974 + kmem_cache_free(fs_cachep, fs);
2975 +@@ -99,7 +109,8 @@ void exit_fs(struct task_struct *tsk)
2976 task_lock(tsk);
2977 spin_lock(&fs->lock);
2978 tsk->fs = NULL;
2979 @@ -62064,7 +62228,7 @@ index 7dca743..543d620 100644
2980 spin_unlock(&fs->lock);
2981 task_unlock(tsk);
2982 if (kill)
2983 -@@ -112,7 +119,7 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old)
2984 +@@ -112,7 +123,7 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old)
2985 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
2986 /* We don't need to lock fs - think why ;-) */
2987 if (fs) {
2988 @@ -62073,7 +62237,7 @@ index 7dca743..543d620 100644
2989 fs->in_exec = 0;
2990 spin_lock_init(&fs->lock);
2991 seqcount_init(&fs->seq);
2992 -@@ -121,6 +128,9 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old)
2993 +@@ -121,6 +132,9 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old)
2994 spin_lock(&old->lock);
2995 fs->root = old->root;
2996 path_get(&fs->root);
2997 @@ -62083,7 +62247,7 @@ index 7dca743..543d620 100644
2998 fs->pwd = old->pwd;
2999 path_get(&fs->pwd);
3000 spin_unlock(&old->lock);
3001 -@@ -139,8 +149,9 @@ int unshare_fs_struct(void)
3002 +@@ -139,8 +153,9 @@ int unshare_fs_struct(void)
3003
3004 task_lock(current);
3005 spin_lock(&fs->lock);
3006 @@ -62094,7 +62258,7 @@ index 7dca743..543d620 100644
3007 spin_unlock(&fs->lock);
3008 task_unlock(current);
3009
3010 -@@ -153,13 +164,13 @@ EXPORT_SYMBOL_GPL(unshare_fs_struct);
3011 +@@ -153,13 +168,13 @@ EXPORT_SYMBOL_GPL(unshare_fs_struct);
3012
3013 int current_umask(void)
3014 {
3015 @@ -63844,7 +64008,7 @@ index acd3947..1f896e2 100644
3016 memcpy(c->data, &cookie, 4);
3017 c->len=4;
3018 diff --git a/fs/locks.c b/fs/locks.c
3019 -index 735b8d3..dfc44a2 100644
3020 +index 59e2f90..bd69071 100644
3021 --- a/fs/locks.c
3022 +++ b/fs/locks.c
3023 @@ -2374,7 +2374,7 @@ void locks_remove_file(struct file *filp)
3024 @@ -63892,7 +64056,7 @@ index f82c628..9492b99 100644
3025 #define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */
3026
3027 diff --git a/fs/namei.c b/fs/namei.c
3028 -index db5fe86..d3dcc14 100644
3029 +index db5fe86..ac769e4 100644
3030 --- a/fs/namei.c
3031 +++ b/fs/namei.c
3032 @@ -331,17 +331,32 @@ int generic_permission(struct inode *inode, int mask)
3033 @@ -64396,10 +64560,18 @@ index db5fe86..d3dcc14 100644
3034 done_path_create(&new_path, new_dentry);
3035 if (delegated_inode) {
3036 error = break_deleg_wait(&delegated_inode);
3037 -@@ -4304,6 +4486,12 @@ retry_deleg:
3038 +@@ -4304,6 +4486,20 @@ retry_deleg:
3039 if (new_dentry == trap)
3040 goto exit5;
3041
3042 ++ if (gr_bad_chroot_rename(old_dentry, oldnd.path.mnt, new_dentry, newnd.path.mnt)) {
3043 ++ /* use EXDEV error to cause 'mv' to switch to an alternative
3044 ++ * method for usability
3045 ++ */
3046 ++ error = -EXDEV;
3047 ++ goto exit5;
3048 ++ }
3049 ++
3050 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
3051 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
3052 + to, flags);
3053 @@ -64409,7 +64581,7 @@ index db5fe86..d3dcc14 100644
3054 error = security_path_rename(&oldnd.path, old_dentry,
3055 &newnd.path, new_dentry, flags);
3056 if (error)
3057 -@@ -4311,6 +4499,9 @@ retry_deleg:
3058 +@@ -4311,6 +4507,9 @@ retry_deleg:
3059 error = vfs_rename(old_dir->d_inode, old_dentry,
3060 new_dir->d_inode, new_dentry,
3061 &delegated_inode, flags);
3062 @@ -64419,7 +64591,7 @@ index db5fe86..d3dcc14 100644
3063 exit5:
3064 dput(new_dentry);
3065 exit4:
3066 -@@ -4367,14 +4558,24 @@ EXPORT_SYMBOL(vfs_whiteout);
3067 +@@ -4367,14 +4566,24 @@ EXPORT_SYMBOL(vfs_whiteout);
3068
3069 int readlink_copy(char __user *buffer, int buflen, const char *link)
3070 {
3071 @@ -66719,7 +66891,7 @@ index 094e44d..085a877 100644
3072 }
3073
3074 diff --git a/fs/proc/stat.c b/fs/proc/stat.c
3075 -index bf2d03f..f058f9c 100644
3076 +index 510413eb..34d9a8c 100644
3077 --- a/fs/proc/stat.c
3078 +++ b/fs/proc/stat.c
3079 @@ -11,6 +11,7 @@
3080 @@ -66814,8 +66986,8 @@ index bf2d03f..f058f9c 100644
3081
3082 /* sum again ? it could be updated? */
3083 for_each_irq_nr(j)
3084 -- seq_put_decimal_ull(p, ' ', kstat_irqs(j));
3085 -+ seq_put_decimal_ull(p, ' ', unrestricted ? kstat_irqs(j) : 0ULL);
3086 +- seq_put_decimal_ull(p, ' ', kstat_irqs_usr(j));
3087 ++ seq_put_decimal_ull(p, ' ', unrestricted ? kstat_irqs_usr(j) : 0ULL);
3088
3089 seq_printf(p,
3090 "\nctxt %llu\n"
3091 @@ -68011,10 +68183,10 @@ index 6a51619..9592e1b 100644
3092
3093 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
3094 new file mode 100644
3095 -index 0000000..f27264e
3096 +index 0000000..31f8fe4
3097 --- /dev/null
3098 +++ b/grsecurity/Kconfig
3099 -@@ -0,0 +1,1166 @@
3100 +@@ -0,0 +1,1182 @@
3101 +#
3102 +# grecurity configuration
3103 +#
3104 @@ -68655,6 +68827,22 @@ index 0000000..f27264e
3105 + sysctl option is enabled, a sysctl option with name
3106 + "chroot_deny_sysctl" is created.
3107 +
3108 ++config GRKERNSEC_CHROOT_RENAME
3109 ++ bool "Deny bad renames"
3110 ++ default y if GRKERNSEC_CONFIG_AUTO
3111 ++ depends on GRKERNSEC_CHROOT
3112 ++ help
3113 ++ If you say Y here, an attacker in a chroot will not be able to
3114 ++ abuse the ability to create double chroots to break out of the
3115 ++ chroot by exploiting a race condition between a rename of a directory
3116 ++ within a chroot against an open of a symlink with relative path
3117 ++ components. This feature will likewise prevent an accomplice outside
3118 ++ a chroot from enabling a user inside the chroot to break out and make
3119 ++ use of their credentials on the global filesystem. Enabling this
3120 ++ feature is essential to prevent root users from breaking out of a
3121 ++ chroot. If the sysctl option is enabled, a sysctl option with name
3122 ++ "chroot_deny_bad_rename" is created.
3123 ++
3124 +config GRKERNSEC_CHROOT_CAPS
3125 + bool "Capability restrictions"
3126 + default y if GRKERNSEC_CONFIG_AUTO
3127 @@ -69243,10 +69431,10 @@ index 0000000..30ababb
3128 +endif
3129 diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
3130 new file mode 100644
3131 -index 0000000..6ae3aa0
3132 +index 0000000..9c2d930
3133 --- /dev/null
3134 +++ b/grsecurity/gracl.c
3135 -@@ -0,0 +1,2703 @@
3136 +@@ -0,0 +1,2721 @@
3137 +#include <linux/kernel.h>
3138 +#include <linux/module.h>
3139 +#include <linux/sched.h>
3140 @@ -70420,9 +70608,10 @@ index 0000000..6ae3aa0
3141 + rcu_read_lock();
3142 + read_lock(&tasklist_lock);
3143 + read_lock(&grsec_exec_file_lock);
3144 ++ except in the case of gr_set_role_label() (for __gr_get_subject_for_task)
3145 +*/
3146 +
3147 -+struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename)
3148 ++struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback)
3149 +{
3150 + char *tmpname;
3151 + struct acl_subject_label *tmpsubj;
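Review bot: The new `fallback` parameter of `__gr_get_subject_for_task` is declared `int` but only ever acts as a flag — the body tests it in `if (tmpsubj == NULL && fallback)` and the callers in this file pass literal `1` and `0` — so `bool fallback` would state the contract more precisely, with the extern prototype in gracl_policy.c later in this patch changed to match. The parameter is also undocumented: the comment line added above the function only names gr_set_role_label() as an exception to the locking rule and says nothing about what fallback controls. Suggest a line above the definition such as `/* fallback: when set and no inherited subject matches, fall back to the ino/dev lookup via chk_subj_label(); gr_set_role_label() passes 0 to probe the new role without that fallback */`.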
3152 @@ -70464,15 +70653,15 @@ index 0000000..6ae3aa0
3153 + /* this also works for the reload case -- if we don't match a potentially inherited subject
3154 + then we fall back to a normal lookup based on the binary's ino/dev
3155 + */
3156 -+ if (tmpsubj == NULL)
3157 ++ if (tmpsubj == NULL && fallback)
3158 + tmpsubj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, task->role);
3159 +
3160 + return tmpsubj;
3161 +}
3162 +
3163 -+static struct acl_subject_label *gr_get_subject_for_task(struct task_struct *task, const char *filename)
3164 ++static struct acl_subject_label *gr_get_subject_for_task(struct task_struct *task, const char *filename, int fallback)
3165 +{
3166 -+ return __gr_get_subject_for_task(&running_polstate, task, filename);
3167 ++ return __gr_get_subject_for_task(&running_polstate, task, filename, fallback);
3168 +}
3169 +
3170 +void __gr_apply_subject_to_task(const struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj)
3171 @@ -70536,7 +70725,7 @@ index 0000000..6ae3aa0
3172 + task->role = current->role;
3173 + rcu_read_lock();
3174 + read_lock(&grsec_exec_file_lock);
3175 -+ subj = gr_get_subject_for_task(task, NULL);
3176 ++ subj = gr_get_subject_for_task(task, NULL, 1);
3177 + gr_apply_subject_to_task(task, subj);
3178 + read_unlock(&grsec_exec_file_lock);
3179 + rcu_read_unlock();
3180 @@ -70946,6 +71135,7 @@ index 0000000..6ae3aa0
3181 +gr_set_role_label(struct task_struct *task, const kuid_t kuid, const kgid_t kgid)
3182 +{
3183 + struct acl_role_label *role = task->role;
3184 ++ struct acl_role_label *origrole = role;
3185 + struct acl_subject_label *subj = NULL;
3186 + struct acl_object_label *obj;
3187 + struct file *filp;
3188 @@ -70978,10 +71168,28 @@ index 0000000..6ae3aa0
3189 + ((role->roletype & GR_ROLE_GROUP) && !gr_acl_is_capable(CAP_SETGID))))
3190 + return;
3191 +
3192 -+ /* perform subject lookup in possibly new role
3193 -+ we can use this result below in the case where role == task->role
3194 -+ */
3195 -+ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
3196 ++ task->role = role;
3197 ++
3198 ++ if (task->inherited) {
3199 ++ /* if we reached our subject through inheritance, then first see
3200 ++ if there's a subject of the same name in the new role that has
3201 ++ an object that would result in the same inherited subject
3202 ++ */
3203 ++ subj = gr_get_subject_for_task(task, task->acl->filename, 0);
3204 ++ if (subj) {
3205 ++ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, subj);
3206 ++ if (!(obj->mode & GR_INHERIT))
3207 ++ subj = NULL;
3208 ++ }
3209 ++
3210 ++ }
3211 ++ if (subj == NULL) {
3212 ++ /* otherwise:
3213 ++ perform subject lookup in possibly new role
3214 ++ we can use this result below in the case where role == task->role
3215 ++ */
3216 ++ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
3217 ++ }
3218 +
3219 + /* if we changed uid/gid, but result in the same role
3220 + and are using inheritance, don't lose the inherited subject
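Review bot: The comment kept on the fallback lookup, `we can use this result below in the case where role == task->role`, is stale: `task->role = role;` is now assigned before the lookup, so that comparison is always true and the decision in the next hunk is made against `origrole`; reword it to `we can use this result below in the case where role == origrole`. The inherited branch reads `obj->mode` straight from `chk_obj_label()`; if that helper can return NULL for a path with no matching object, a NULL test is needed before the `GR_INHERIT` check — confirm against its definition, which is not in this chunk. gr_set_role_label begins and ends outside this hunk.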
3221 @@ -70989,14 +71197,12 @@ index 0000000..6ae3aa0
3222 + would result in, we arrived via inheritance, don't
3223 + lose subject
3224 + */
3225 -+ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
3226 ++ if (role != origrole || (!(task->acl->mode & GR_INHERITLEARN) &&
3227 + (subj == task->acl)))
3228 + task->acl = subj;
3229 +
3230 + /* leave task->inherited unaffected */
3231 +
3232 -+ task->role = role;
3233 -+
3234 + task->is_writable = 0;
3235 +
3236 + /* ignore additional mmap checks for processes that are writable
3237 @@ -73530,7 +73736,7 @@ index 0000000..25f54ef
3238 +};
3239 diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c
3240 new file mode 100644
3241 -index 0000000..3f8ade0
3242 +index 0000000..7949dcd
3243 --- /dev/null
3244 +++ b/grsecurity/gracl_policy.c
3245 @@ -0,0 +1,1782 @@
3246 @@ -73604,7 +73810,7 @@ index 0000000..3f8ade0
3247 +extern void gr_remove_uid(uid_t uid);
3248 +extern int gr_find_uid(uid_t uid);
3249 +
3250 -+extern struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename);
3251 ++extern struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback);
3252 +extern void __gr_apply_subject_to_task(struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj);
3253 +extern int gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb);
3254 +extern void __insert_inodev_entry(const struct gr_policy_state *state, struct inodev_entry *entry);
3255 @@ -74709,8 +74915,8 @@ index 0000000..3f8ade0
3256 + }
3257 + /* this handles non-nested inherited subjects, nested subjects will still
3258 + be dropped currently */
3259 -+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename);
3260 -+ task->tmpacl = __gr_get_subject_for_task(polstate, task, NULL);
3261 ++ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1);
3262 ++ task->tmpacl = __gr_get_subject_for_task(polstate, task, NULL, 1);
3263 + /* change the role back so that we've made no modifications to the policy */
3264 + task->role = rtmp;
3265 +
3266 @@ -74742,7 +74948,7 @@ index 0000000..3f8ade0
3267 + /* this handles non-nested inherited subjects, nested subjects will still
3268 + be dropped currently */
3269 + if (!reload_state->oldmode && task->inherited)
3270 -+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename);
3271 ++ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1);
3272 + else {
3273 + /* looked up and tagged to the task previously */
3274 + subj = task->tmpacl;
3275 @@ -75291,7 +75497,7 @@ index 0000000..3f8ade0
3276 + if (task->exec_file) {
3277 + cred = __task_cred(task);
3278 + task->role = __lookup_acl_role_label(polstate, task, GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid));
3279 -+ subj = __gr_get_subject_for_task(polstate, task, NULL);
3280 ++ subj = __gr_get_subject_for_task(polstate, task, NULL, 1);
3281 + if (subj == NULL) {
3282 + ret = -EINVAL;
3283 + read_unlock(&grsec_exec_file_lock);
3284 @@ -75782,10 +75988,10 @@ index 0000000..bc0be01
3285 +}
3286 diff --git a/grsecurity/grsec_chroot.c b/grsecurity/grsec_chroot.c
3287 new file mode 100644
3288 -index 0000000..6d99cec
3289 +index 0000000..114ea4f
3290 --- /dev/null
3291 +++ b/grsecurity/grsec_chroot.c
3292 -@@ -0,0 +1,385 @@
3293 +@@ -0,0 +1,467 @@
3294 +#include <linux/kernel.h>
3295 +#include <linux/module.h>
3296 +#include <linux/sched.h>
3297 @@ -75801,6 +76007,88 @@ index 0000000..6d99cec
3298 +int gr_init_ran;
3299 +#endif
3300 +
3301 ++void gr_inc_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt)
3302 ++{
3303 ++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
3304 ++ struct dentry *tmpd = dentry;
3305 ++
3306 ++ read_seqlock_excl(&mount_lock);
3307 ++ write_seqlock(&rename_lock);
3308 ++
3309 ++ while (tmpd != mnt->mnt_root) {
3310 ++ atomic_inc(&tmpd->chroot_refcnt);
3311 ++ tmpd = tmpd->d_parent;
3312 ++ }
3313 ++ atomic_inc(&tmpd->chroot_refcnt);
3314 ++
3315 ++ write_sequnlock(&rename_lock);
3316 ++ read_sequnlock_excl(&mount_lock);
3317 ++#endif
3318 ++}
3319 ++
3320 ++void gr_dec_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt)
3321 ++{
3322 ++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
3323 ++ struct dentry *tmpd = dentry;
3324 ++
3325 ++ read_seqlock_excl(&mount_lock);
3326 ++ write_seqlock(&rename_lock);
3327 ++
3328 ++ while (tmpd != mnt->mnt_root) {
3329 ++ atomic_dec(&tmpd->chroot_refcnt);
3330 ++ tmpd = tmpd->d_parent;
3331 ++ }
3332 ++ atomic_dec(&tmpd->chroot_refcnt);
3333 ++
3334 ++ write_sequnlock(&rename_lock);
3335 ++ read_sequnlock_excl(&mount_lock);
3336 ++#endif
3337 ++}
3338 ++
3339 ++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
3340 ++static struct dentry *get_closest_chroot(struct dentry *dentry)
3341 ++{
3342 ++ write_seqlock(&rename_lock);
3343 ++ do {
3344 ++ if (atomic_read(&dentry->chroot_refcnt)) {
3345 ++ write_sequnlock(&rename_lock);
3346 ++ return dentry;
3347 ++ }
3348 ++ dentry = dentry->d_parent;
3349 ++ } while (!IS_ROOT(dentry));
3350 ++ write_sequnlock(&rename_lock);
3351 ++ return NULL;
3352 ++}
3353 ++#endif
3354 ++
3355 ++int gr_bad_chroot_rename(struct dentry *olddentry, struct vfsmount *oldmnt,
3356 ++ struct dentry *newdentry, struct vfsmount *newmnt)
3357 ++{
3358 ++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
3359 ++ struct dentry *chroot;
3360 ++
3361 ++ if (unlikely(!grsec_enable_chroot_rename))
3362 ++ return 0;
3363 ++
3364 ++ if (likely(!proc_is_chrooted(current) && gr_is_global_root(current_uid())))
3365 ++ return 0;
3366 ++
3367 ++ chroot = get_closest_chroot(olddentry);
3368 ++
3369 ++ if (chroot == NULL)
3370 ++ return 0;
3371 ++
3372 ++ if (is_subdir(newdentry, chroot))
3373 ++ return 0;
3374 ++
3375 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_RENAME_MSG, olddentry, oldmnt);
3376 ++
3377 ++ return 1;
3378 ++#else
3379 ++ return 0;
3380 ++#endif
3381 ++}
3382 ++
3383 +void gr_set_chroot_entries(struct task_struct *task, const struct path *path)
3384 +{
3385 +#ifdef CONFIG_GRKERNSEC
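Review bot: The walks in `gr_inc_chroot_refcnts` and `gr_dec_chroot_refcnts` terminate only on `tmpd != mnt->mnt_root`; if a caller can hand in a dentry that is not beneath `mnt->mnt_root`, or a disconnected one, `d_parent` eventually points at itself and the loop spins forever while holding `mount_lock` and `rename_lock`. Bounding both loops with `while (tmpd != mnt->mnt_root && !IS_ROOT(tmpd))` keeps the increments and decrements paired because both walks use the same stop condition. `get_closest_chroot` already stops on `IS_ROOT`, but it takes the write side of `rename_lock` for a read-only walk; if excluding concurrent renames is the intent, a one-line comment saying so would stop a later reader from swapping in the seqcount read side. `newmnt` in `gr_bad_chroot_rename` is never read.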
3386 @@ -76872,10 +77160,10 @@ index 0000000..8ca18bf
3387 +}
3388 diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c
3389 new file mode 100644
3390 -index 0000000..b7cb191
3391 +index 0000000..4ed9e7d
3392 --- /dev/null
3393 +++ b/grsecurity/grsec_init.c
3394 -@@ -0,0 +1,286 @@
3395 +@@ -0,0 +1,290 @@
3396 +#include <linux/kernel.h>
3397 +#include <linux/sched.h>
3398 +#include <linux/mm.h>
3399 @@ -76918,6 +77206,7 @@ index 0000000..b7cb191
3400 +int grsec_enable_chroot_nice;
3401 +int grsec_enable_chroot_execlog;
3402 +int grsec_enable_chroot_caps;
3403 ++int grsec_enable_chroot_rename;
3404 +int grsec_enable_chroot_sysctl;
3405 +int grsec_enable_chroot_unix;
3406 +int grsec_enable_tpe;
3407 @@ -77129,6 +77418,9 @@ index 0000000..b7cb191
3408 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
3409 + grsec_enable_chroot_caps = 1;
3410 +#endif
3411 ++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
3412 ++ grsec_enable_chroot_rename = 1;
3413 ++#endif
3414 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
3415 + grsec_enable_chroot_sysctl = 1;
3416 +#endif
3417 @@ -78359,10 +78651,10 @@ index 0000000..e3650b6
3418 +}
3419 diff --git a/grsecurity/grsec_sysctl.c b/grsecurity/grsec_sysctl.c
3420 new file mode 100644
3421 -index 0000000..8159888
3422 +index 0000000..cce889e
3423 --- /dev/null
3424 +++ b/grsecurity/grsec_sysctl.c
3425 -@@ -0,0 +1,479 @@
3426 +@@ -0,0 +1,488 @@
3427 +#include <linux/kernel.h>
3428 +#include <linux/sched.h>
3429 +#include <linux/sysctl.h>
3430 @@ -78632,6 +78924,15 @@ index 0000000..8159888
3431 + .proc_handler = &proc_dointvec,
3432 + },
3433 +#endif
3434 ++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
3435 ++ {
3436 ++ .procname = "chroot_deny_bad_rename",
3437 ++ .data = &grsec_enable_chroot_rename,
3438 ++ .maxlen = sizeof(int),
3439 ++ .mode = 0600,
3440 ++ .proc_handler = &proc_dointvec,
3441 ++ },
3442 ++#endif
3443 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
3444 + {
3445 + .procname = "chroot_deny_sysctl",
3446 @@ -80516,10 +80817,20 @@ index 653589e..4ef254a 100644
3447 return c | 0x20;
3448 }
3449 diff --git a/include/linux/dcache.h b/include/linux/dcache.h
3450 -index 1c2f1b8..c67151e 100644
3451 +index 1c2f1b8..7b9f50c 100644
3452 --- a/include/linux/dcache.h
3453 +++ b/include/linux/dcache.h
3454 -@@ -133,7 +133,7 @@ struct dentry {
3455 +@@ -123,6 +123,9 @@ struct dentry {
3456 + unsigned long d_time; /* used by d_revalidate */
3457 + void *d_fsdata; /* fs-specific data */
3458 +
3459 ++#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
3460 ++ atomic_t chroot_refcnt; /* tracks use of directory in chroot */
3461 ++#endif
3462 + struct list_head d_lru; /* LRU list */
3463 + struct list_head d_child; /* child of parent list */
3464 + struct list_head d_subdirs; /* our children */
3465 +@@ -133,7 +136,7 @@ struct dentry {
3466 struct hlist_node d_alias; /* inode alias list */
3467 struct rcu_head d_rcu;
3468 } d_u;
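Review bot: `chroot_refcnt` is added to `struct dentry` but nothing in this chunk initialises it; `__d_alloc` in fs/dcache.c sets dentry fields one by one rather than zeroing the object, so unless another part of this patch adds `atomic_set(&dentry->chroot_refcnt, 0);` there (not visible here), the counter that `get_closest_chroot` tests starts with whatever the slab held. The field comment could also state the invariant the walkers rely on, e.g. `/* chroots whose root lies at or below this dentry (bumped on every ancestor up to the mount root) */` — wording to be confirmed against the increment path.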
3469 @@ -81643,10 +81954,10 @@ index 0000000..be66033
3470 +#endif
3471 diff --git a/include/linux/grinternal.h b/include/linux/grinternal.h
3472 new file mode 100644
3473 -index 0000000..d25522e
3474 +index 0000000..fb1de5d
3475 --- /dev/null
3476 +++ b/include/linux/grinternal.h
3477 -@@ -0,0 +1,229 @@
3478 +@@ -0,0 +1,230 @@
3479 +#ifndef __GRINTERNAL_H
3480 +#define __GRINTERNAL_H
3481 +
3482 @@ -81706,6 +82017,7 @@ index 0000000..d25522e
3483 +extern int grsec_enable_chroot_nice;
3484 +extern int grsec_enable_chroot_execlog;
3485 +extern int grsec_enable_chroot_caps;
3486 ++extern int grsec_enable_chroot_rename;
3487 +extern int grsec_enable_chroot_sysctl;
3488 +extern int grsec_enable_chroot_unix;
3489 +extern int grsec_enable_symlinkown;
3490 @@ -81878,10 +82190,10 @@ index 0000000..d25522e
3491 +#endif
3492 diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
3493 new file mode 100644
3494 -index 0000000..b02ba9d
3495 +index 0000000..26ef560
3496 --- /dev/null
3497 +++ b/include/linux/grmsg.h
3498 -@@ -0,0 +1,117 @@
3499 +@@ -0,0 +1,118 @@
3500 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
3501 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
3502 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
3503 @@ -81925,6 +82237,7 @@ index 0000000..b02ba9d
3504 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
3505 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
3506 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
3507 ++#define GR_CHROOT_RENAME_MSG "denied bad rename of %.950s out of a chroot by "
3508 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
3509 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
3510 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
3511 @@ -82001,10 +82314,10 @@ index 0000000..b02ba9d
3512 +#define GR_MSRWRITE_MSG "denied write to CPU MSR by "
3513 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
3514 new file mode 100644
3515 -index 0000000..c3b0738
3516 +index 0000000..6c76fcb
3517 --- /dev/null
3518 +++ b/include/linux/grsecurity.h
3519 -@@ -0,0 +1,244 @@
3520 +@@ -0,0 +1,249 @@
3521 +#ifndef GR_SECURITY_H
3522 +#define GR_SECURITY_H
3523 +#include <linux/fs.h>
3524 @@ -82216,6 +82529,11 @@ index 0000000..c3b0738
3525 +
3526 +int gr_ptrace_readexec(struct file *file, int unsafe_flags);
3527 +
3528 ++void gr_inc_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt);
3529 ++void gr_dec_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt);
3530 ++int gr_bad_chroot_rename(struct dentry *olddentry, struct vfsmount *oldmnt,
3531 ++ struct dentry *newdentry, struct vfsmount *newmnt);
3532 ++
3533 +#ifdef CONFIG_GRKERNSEC_RESLOG
3534 +extern void gr_log_resource(const struct task_struct *task, const int res,
3535 + const unsigned long wanted, const int gt);
3536 @@ -83550,18 +83868,18 @@ index 17d8339..81656c0 100644
3537 struct iovec;
3538 struct kvec;
3539 diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
3540 -index 74fd5d3..86a1e4f 100644
3541 +index 22339b4..4b4d5b3 100644
3542 --- a/include/linux/netdevice.h
3543 +++ b/include/linux/netdevice.h
3544 -@@ -1156,6 +1156,7 @@ struct net_device_ops {
3545 - bool (*ndo_gso_check) (struct sk_buff *skb,
3546 - struct net_device *dev);
3547 +@@ -1160,6 +1160,7 @@ struct net_device_ops {
3548 + struct net_device *dev,
3549 + netdev_features_t features);
3550 };
3551 +typedef struct net_device_ops __no_const net_device_ops_no_const;
3552
3553 /**
3554 * enum net_device_priv_flags - &struct net_device priv_flags
3555 -@@ -1498,10 +1499,10 @@ struct net_device {
3556 +@@ -1502,10 +1503,10 @@ struct net_device {
3557
3558 struct net_device_stats stats;
3559
3560 @@ -93512,7 +93830,7 @@ index c1bd4ad..4b861dc 100644
3561
3562 ret = -EIO;
3563 diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
3564 -index 31c90fe..051ce98 100644
3565 +index 124e2c7..762ca29 100644
3566 --- a/kernel/trace/ftrace.c
3567 +++ b/kernel/trace/ftrace.c
3568 @@ -2183,12 +2183,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec)
3569 @@ -93535,7 +93853,7 @@ index 31c90fe..051ce98 100644
3570 }
3571
3572 /*
3573 -@@ -4492,8 +4497,10 @@ static int ftrace_process_locs(struct module *mod,
3574 +@@ -4529,8 +4534,10 @@ static int ftrace_process_locs(struct module *mod,
3575 if (!count)
3576 return 0;
3577
3578 @@ -93546,7 +93864,7 @@ index 31c90fe..051ce98 100644
3579
3580 start_pg = ftrace_allocate_pages(count);
3581 if (!start_pg)
3582 -@@ -5340,7 +5347,7 @@ static int alloc_retstack_tasklist(struct ftrace_ret_stack **ret_stack_list)
3583 +@@ -5377,7 +5384,7 @@ static int alloc_retstack_tasklist(struct ftrace_ret_stack **ret_stack_list)
3584
3585 if (t->ret_stack == NULL) {
3586 atomic_set(&t->tracing_graph_pause, 0);
3587 @@ -93555,7 +93873,7 @@ index 31c90fe..051ce98 100644
3588 t->curr_ret_stack = -1;
3589 /* Make sure the tasks see the -1 first: */
3590 smp_wmb();
3591 -@@ -5553,7 +5560,7 @@ static void
3592 +@@ -5590,7 +5597,7 @@ static void
3593 graph_init_task(struct task_struct *t, struct ftrace_ret_stack *ret_stack)
3594 {
3595 atomic_set(&t->tracing_graph_pause, 0);
3596 @@ -100385,18 +100703,9 @@ index 1e80539..676c37a 100644
3597 if (ogm_packet->flags & BATADV_DIRECTLINK)
3598 has_directlink_flag = true;
3599 diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
3600 -index fc1835c..42f2c2f 100644
3601 +index 00f9e14..e1c7203 100644
3602 --- a/net/batman-adv/fragmentation.c
3603 +++ b/net/batman-adv/fragmentation.c
3604 -@@ -251,7 +251,7 @@ batadv_frag_merge_packets(struct hlist_head *chain, struct sk_buff *skb)
3605 - kfree(entry);
3606 -
3607 - /* Make room for the rest of the fragments. */
3608 -- if (pskb_expand_head(skb_out, 0, size - skb->len, GFP_ATOMIC) < 0) {
3609 -+ if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) {
3610 - kfree_skb(skb_out);
3611 - skb_out = NULL;
3612 - goto free;
3613 @@ -450,7 +450,7 @@ bool batadv_frag_send_packet(struct sk_buff *skb,
3614 frag_header.packet_type = BATADV_UNICAST_FRAG;
3615 frag_header.version = BATADV_COMPAT_VERSION;
3616 @@ -101008,7 +101317,7 @@ index fdbc9a8..cd6972c 100644
3617
3618 return err;
3619 diff --git a/net/core/dev.c b/net/core/dev.c
3620 -index 945bbd0..8b1a370 100644
3621 +index 8440968..d1d6bea 100644
3622 --- a/net/core/dev.c
3623 +++ b/net/core/dev.c
3624 @@ -1683,14 +1683,14 @@ int __dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
3625 @@ -101028,7 +101337,7 @@ index 945bbd0..8b1a370 100644
3626 kfree_skb(skb);
3627 return NET_RX_DROP;
3628 }
3629 -@@ -2985,7 +2985,7 @@ recursion_alert:
3630 +@@ -2994,7 +2994,7 @@ recursion_alert:
3631 drop:
3632 rcu_read_unlock_bh();
3633
3634 @@ -101037,7 +101346,7 @@ index 945bbd0..8b1a370 100644
3635 kfree_skb_list(skb);
3636 return rc;
3637 out:
3638 -@@ -3328,7 +3328,7 @@ enqueue:
3639 +@@ -3337,7 +3337,7 @@ enqueue:
3640
3641 local_irq_restore(flags);
3642
3643 @@ -101046,7 +101355,7 @@ index 945bbd0..8b1a370 100644
3644 kfree_skb(skb);
3645 return NET_RX_DROP;
3646 }
3647 -@@ -3405,7 +3405,7 @@ int netif_rx_ni(struct sk_buff *skb)
3648 +@@ -3414,7 +3414,7 @@ int netif_rx_ni(struct sk_buff *skb)
3649 }
3650 EXPORT_SYMBOL(netif_rx_ni);
3651
3652 @@ -101055,7 +101364,7 @@ index 945bbd0..8b1a370 100644
3653 {
3654 struct softnet_data *sd = this_cpu_ptr(&softnet_data);
3655
3656 -@@ -3738,7 +3738,7 @@ ncls:
3657 +@@ -3747,7 +3747,7 @@ ncls:
3658 ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
3659 } else {
3660 drop:
3661 @@ -101064,7 +101373,7 @@ index 945bbd0..8b1a370 100644
3662 kfree_skb(skb);
3663 /* Jamal, now you will not able to escape explaining
3664 * me how you were going to use this. :-)
3665 -@@ -4502,7 +4502,7 @@ void netif_napi_del(struct napi_struct *napi)
3666 +@@ -4511,7 +4511,7 @@ void netif_napi_del(struct napi_struct *napi)
3667 }
3668 EXPORT_SYMBOL(netif_napi_del);
3669
3670 @@ -101073,7 +101382,7 @@ index 945bbd0..8b1a370 100644
3671 {
3672 struct softnet_data *sd = this_cpu_ptr(&softnet_data);
3673 unsigned long time_limit = jiffies + 2;
3674 -@@ -6548,8 +6548,8 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
3675 +@@ -6557,8 +6557,8 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
3676 } else {
3677 netdev_stats_to_stats64(storage, &dev->stats);
3678 }
3679 @@ -101441,7 +101750,7 @@ index b442e7e..6f5b5a2 100644
3680 {
3681 struct socket *sock;
3682 diff --git a/net/core/skbuff.c b/net/core/skbuff.c
3683 -index 32e31c2..e981248 100644
3684 +index d7543d0..ff96aec 100644
3685 --- a/net/core/skbuff.c
3686 +++ b/net/core/skbuff.c
3687 @@ -2025,7 +2025,7 @@ EXPORT_SYMBOL(__skb_checksum);
3688 @@ -102082,7 +102391,7 @@ index 2811cc1..ad5a534 100644
3689 return -ENOMEM;
3690 }
3691 diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
3692 -index 12055fd..df852c4 100644
3693 +index 69aaf0a..8298c029 100644
3694 --- a/net/ipv4/ip_gre.c
3695 +++ b/net/ipv4/ip_gre.c
3696 @@ -115,7 +115,7 @@ static bool log_ecn_error = true;
3697 @@ -102094,7 +102403,7 @@ index 12055fd..df852c4 100644
3698 static int ipgre_tunnel_init(struct net_device *dev);
3699
3700 static int ipgre_net_id __read_mostly;
3701 -@@ -815,7 +815,7 @@ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = {
3702 +@@ -816,7 +816,7 @@ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = {
3703 [IFLA_GRE_ENCAP_DPORT] = { .type = NLA_U16 },
3704 };
3705
3706 @@ -102103,7 +102412,7 @@ index 12055fd..df852c4 100644
3707 .kind = "gre",
3708 .maxtype = IFLA_GRE_MAX,
3709 .policy = ipgre_policy,
3710 -@@ -829,7 +829,7 @@ static struct rtnl_link_ops ipgre_link_ops __read_mostly = {
3711 +@@ -830,7 +830,7 @@ static struct rtnl_link_ops ipgre_link_ops __read_mostly = {
3712 .fill_info = ipgre_fill_info,
3713 };
3714
3715 @@ -102366,7 +102675,7 @@ index e90f83a..3e6acca 100644
3716 pr_err("Unable to proc dir entry\n");
3717 return -ENOMEM;
3718 diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
3719 -index 5d740cc..b2842b9 100644
3720 +index 5d740cc..22c8e65 100644
3721 --- a/net/ipv4/ping.c
3722 +++ b/net/ipv4/ping.c
3723 @@ -59,7 +59,7 @@ struct ping_table {
3724 @@ -102418,7 +102727,20 @@ index 5d740cc..b2842b9 100644
3725 else if (skb->protocol == htons(ETH_P_IP) && isk->cmsg_flags)
3726 ip_cmsg_recv(msg, skb);
3727 #endif
3728 -@@ -1105,7 +1105,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f,
3729 +@@ -965,8 +965,11 @@ void ping_rcv(struct sk_buff *skb)
3730 +
3731 + sk = ping_lookup(net, skb, ntohs(icmph->un.echo.id));
3732 + if (sk != NULL) {
3733 ++ struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
3734 ++
3735 + pr_debug("rcv on socket %p\n", sk);
3736 +- ping_queue_rcv_skb(sk, skb_get(skb));
3737 ++ if (skb2)
3738 ++ ping_queue_rcv_skb(sk, skb2);
3739 + sock_put(sk);
3740 + return;
3741 + }
3742 +@@ -1105,7 +1108,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f,
3743 from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)),
3744 0, sock_i_ino(sp),
3745 atomic_read(&sp->sk_refcnt), sp,
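Review bot: When `skb_clone()` fails the reply is now dropped without any accounting: `if (skb2)` skips the queueing and the function still returns, where the `skb_get()` it replaces could not fail. A comment on the `if (skb2)` line such as `/* clone failure: drop the reply; the original skb is released by the caller */` would record that the silence is deliberate — whether the caller does free the original on this path is outside the hunk, so confirm before wording it that way. ping_rcv begins and ends outside this hunk.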
3746 @@ -103661,7 +103983,7 @@ index c5c10fa..2577d51 100644
3747 struct ctl_table *ipv6_icmp_table;
3748 int err;
3749 diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
3750 -index c277951..c7ee5bf 100644
3751 +index c113602..0cccb46 100644
3752 --- a/net/ipv6/tcp_ipv6.c
3753 +++ b/net/ipv6/tcp_ipv6.c
3754 @@ -104,6 +104,10 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
3755 @@ -103685,10 +104007,10 @@ index c277951..c7ee5bf 100644
3756 tcp_v6_send_reset(sk, skb);
3757 discard:
3758 if (opt_skb)
3759 -@@ -1434,12 +1441,20 @@ static int tcp_v6_rcv(struct sk_buff *skb)
3760 +@@ -1441,12 +1448,20 @@ static int tcp_v6_rcv(struct sk_buff *skb)
3761
3762 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest,
3763 - tcp_v6_iif(skb));
3764 + inet6_iif(skb));
3765 - if (!sk)
3766 + if (!sk) {
3767 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
3768 @@ -103708,7 +104030,7 @@ index c277951..c7ee5bf 100644
3769
3770 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
3771 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
3772 -@@ -1486,6 +1501,10 @@ csum_error:
3773 +@@ -1497,6 +1512,10 @@ csum_error:
3774 bad_packet:
3775 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
3776 } else {
3777 @@ -103772,10 +104094,10 @@ index f6ba535..b41033f 100644
3778
3779 kfree_skb(skb);
3780 diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
3781 -index 5f98364..5ca982a 100644
3782 +index 5f98364..691985a 100644
3783 --- a/net/ipv6/xfrm6_policy.c
3784 +++ b/net/ipv6/xfrm6_policy.c
3785 -@@ -130,8 +130,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
3786 +@@ -130,12 +130,18 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
3787 {
3788 struct flowi6 *fl6 = &fl->u.ip6;
3789 int onlyproto = 0;
3790 @@ -103784,8 +104106,19 @@ index 5f98364..5ca982a 100644
3791 + u16 offset = sizeof(*hdr);
3792 struct ipv6_opt_hdr *exthdr;
3793 const unsigned char *nh = skb_network_header(skb);
3794 - u8 nexthdr = nh[IP6CB(skb)->nhoff];
3795 -@@ -217,11 +217,11 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
3796 +- u8 nexthdr = nh[IP6CB(skb)->nhoff];
3797 ++ u16 nhoff = IP6CB(skb)->nhoff;
3798 + int oif = 0;
3799 ++ u8 nexthdr;
3800 ++
3801 ++ if (!nhoff)
3802 ++ nhoff = offsetof(struct ipv6hdr, nexthdr);
3803 ++
3804 ++ nexthdr = nh[nhoff];
3805 +
3806 + if (skb_dst(skb))
3807 + oif = skb_dst(skb)->dev->ifindex;
3808 +@@ -217,11 +223,11 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
3809 }
3810 }
3811
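Review bot: The `if (!nhoff)` test treats a zero `IP6CB(skb)->nhoff` as "not yet computed" and substitutes the base header's nexthdr offset, but nothing says why zero can only mean that. A comment such as `/* nhoff is 0 when the IPv6 input path has not filled the CB; fall back to the base header's nexthdr */` would make the sentinel explicit; the path that leaves it zero is not visible in this chunk, so confirm the wording. _decode_session6 begins and ends outside this hunk.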
3812 @@ -103799,7 +104132,7 @@ index 5f98364..5ca982a 100644
3813 return dst_entries_get_fast(ops) > ops->gc_thresh * 2;
3814 }
3815
3816 -@@ -334,19 +334,19 @@ static struct ctl_table xfrm6_policy_table[] = {
3817 +@@ -334,19 +340,19 @@ static struct ctl_table xfrm6_policy_table[] = {
3818
3819 static int __net_init xfrm6_net_init(struct net *net)
3820 {
3821 @@ -103824,7 +104157,7 @@ index 5f98364..5ca982a 100644
3822 if (!hdr)
3823 goto err_reg;
3824
3825 -@@ -354,8 +354,7 @@ static int __net_init xfrm6_net_init(struct net *net)
3826 +@@ -354,8 +360,7 @@ static int __net_init xfrm6_net_init(struct net *net)
3827 return 0;
3828
3829 err_reg:
3830 @@ -104829,7 +105162,7 @@ index 11de55e..f25e448 100644
3831 return 0;
3832 }
3833 diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
3834 -index b6bf8e8..7884ddf 100644
3835 +index 79c965a..ee2b76d 100644
3836 --- a/net/netlink/af_netlink.c
3837 +++ b/net/netlink/af_netlink.c
3838 @@ -273,7 +273,7 @@ static void netlink_overrun(struct sock *sk)
3839 @@ -104841,7 +105174,7 @@ index b6bf8e8..7884ddf 100644
3840 }
3841
3842 static void netlink_rcv_wake(struct sock *sk)
3843 -@@ -3010,7 +3010,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v)
3844 +@@ -2990,7 +2990,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v)
3845 sk_wmem_alloc_get(s),
3846 nlk->cb_running,
3847 atomic_read(&s->sk_refcnt),
3848 @@ -105462,6 +105795,46 @@ index f226709..0e735a8 100644
3849 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
3850
3851 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
3852 +diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
3853 +index eed49d1..ce22514 100644
3854 +--- a/net/sched/cls_bpf.c
3855 ++++ b/net/sched/cls_bpf.c
3856 +@@ -191,6 +191,11 @@ static int cls_bpf_modify_existing(struct net *net, struct tcf_proto *tp,
3857 + }
3858 +
3859 + bpf_size = bpf_len * sizeof(*bpf_ops);
3860 ++ if (bpf_size != nla_len(tb[TCA_BPF_OPS])) {
3861 ++ ret = -EINVAL;
3862 ++ goto errout;
3863 ++ }
3864 ++
3865 + bpf_ops = kzalloc(bpf_size, GFP_KERNEL);
3866 + if (bpf_ops == NULL) {
3867 + ret = -ENOMEM;
3868 +@@ -226,15 +231,21 @@ static u32 cls_bpf_grab_new_handle(struct tcf_proto *tp,
3869 + struct cls_bpf_head *head)
3870 + {
3871 + unsigned int i = 0x80000000;
3872 ++ u32 handle;
3873 +
3874 + do {
3875 + if (++head->hgen == 0x7FFFFFFF)
3876 + head->hgen = 1;
3877 + } while (--i > 0 && cls_bpf_get(tp, head->hgen));
3878 +- if (i == 0)
3879 ++
3880 ++ if (unlikely(i == 0)) {
3881 + pr_err("Insufficient number of handles\n");
3882 ++ handle = 0;
3883 ++ } else {
3884 ++ handle = head->hgen;
3885 ++ }
3886 +
3887 +- return i;
3888 ++ return handle;
3889 + }
3890 +
3891 + static int cls_bpf_change(struct net *net, struct sk_buff *in_skb,
3892 diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
3893 index 6efca30..1259f82 100644
3894 --- a/net/sched/sch_generic.c
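Review bot: The new `bpf_size != nla_len(tb[TCA_BPF_OPS])` check in cls_bpf_modify_existing has no comment explaining what it prevents, and the copy it protects is outside the hunk. Something like `/* the attribute payload must be exactly bpf_len instructions; anything else would be copied out of bounds below */` would tie the check to the consumer — confirm the copy size against the lines that follow. The `bpf_len` bounds that keep the multiplication from overflowing are also outside the hunk; both enclosing functions begin or end outside it.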
3895 @@ -105484,6 +105857,18 @@ index 6efca30..1259f82 100644
3896 linkwatch_fire_event(dev);
3897 }
3898 }
3899 +diff --git a/net/sctp/associola.c b/net/sctp/associola.c
3900 +index f791edd..26d06db 100644
3901 +--- a/net/sctp/associola.c
3902 ++++ b/net/sctp/associola.c
3903 +@@ -1182,7 +1182,6 @@ void sctp_assoc_update(struct sctp_association *asoc,
3904 + asoc->peer.peer_hmacs = new->peer.peer_hmacs;
3905 + new->peer.peer_hmacs = NULL;
3906 +
3907 +- sctp_auth_key_put(asoc->asoc_shared_key);
3908 + sctp_auth_asoc_init_active_key(asoc, GFP_ATOMIC);
3909 + }
3910 +
3911 diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
3912 index 0e4198e..f94193e 100644
3913 --- a/net/sctp/ipv6.c
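Review bot: Dropping `sctp_auth_key_put(asoc->asoc_shared_key)` only makes sense if `sctp_auth_asoc_init_active_key()` releases the previous key itself, and nothing at the call site now says so; a comment such as `/* init_active_key() drops the old asoc_shared_key itself; no put here */` would stop the extra release from being reintroduced. That the helper does release it is inferred from the change, not visible in this chunk — confirm against its definition. sctp_assoc_update begins outside this hunk.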
3914 @@ -106771,7 +107156,7 @@ index 649ce68..f6bc05c 100644
3915 endif
3916
3917 diff --git a/scripts/Makefile.clean b/scripts/Makefile.clean
3918 -index b1c668d..638055f 100644
3919 +index a609552..fde19cd 100644
3920 --- a/scripts/Makefile.clean
3921 +++ b/scripts/Makefile.clean
3922 @@ -41,7 +41,8 @@ subdir-ymn := $(addprefix $(obj)/,$(subdir-ymn))
3923 @@ -117463,10 +117848,10 @@ index 0000000..4378111
3924 +}
3925 diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
3926 new file mode 100644
3927 -index 0000000..f38f762
3928 +index 0000000..f2bd55d
3929 --- /dev/null
3930 +++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
3931 -@@ -0,0 +1,6029 @@
3932 +@@ -0,0 +1,6031 @@
3933 +intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL
3934 +storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL
3935 +compat_sock_setsockopt_23 compat_sock_setsockopt 5 23 NULL
3936 @@ -118442,6 +118827,7 @@ index 0000000..f38f762
3937 +rd_build_prot_space_10761 rd_build_prot_space 2-3 10761 NULL
3938 +kvm_read_guest_atomic_10765 kvm_read_guest_atomic 4 10765 NULL
3939 +__qp_memcpy_to_queue_10779 __qp_memcpy_to_queue 2-4 10779 NULL
3940 ++ttm_dma_page_pool_free_10796 ttm_dma_page_pool_free 2-0 10796 NULL
3941 +diva_set_trace_filter_10820 diva_set_trace_filter 0-1 10820 NULL
3942 +lbs_sleepparams_read_10840 lbs_sleepparams_read 3 10840 NULL
3943 +ext4_direct_IO_10843 ext4_direct_IO 4 10843 NULL
3944 @@ -119732,6 +120118,7 @@ index 0000000..f38f762
3945 +evdev_do_ioctl_24459 evdev_do_ioctl 2 24459 NULL
3946 +lbs_highsnr_write_24460 lbs_highsnr_write 3 24460 NULL
3947 +skb_copy_and_csum_datagram_iovec_24466 skb_copy_and_csum_datagram_iovec 2 24466 NULL
3948 ++ttm_page_pool_free_24486 ttm_page_pool_free 2-0 24486 NULL
3949 +dut_mode_read_24489 dut_mode_read 3 24489 NULL
3950 +read_file_spec_scan_ctl_24491 read_file_spec_scan_ctl 3 24491 NULL
3951 +pd_video_read_24510 pd_video_read 3 24510 NULL
3952
3953 diff --git a/3.14.29/4425_grsec_remove_EI_PAX.patch b/3.18.4/4425_grsec_remove_EI_PAX.patch
3954 similarity index 100%
3955 rename from 3.14.29/4425_grsec_remove_EI_PAX.patch
3956 rename to 3.18.4/4425_grsec_remove_EI_PAX.patch
3957
3958 diff --git a/3.18.3/4427_force_XATTR_PAX_tmpfs.patch b/3.18.4/4427_force_XATTR_PAX_tmpfs.patch
3959 similarity index 100%
3960 rename from 3.18.3/4427_force_XATTR_PAX_tmpfs.patch
3961 rename to 3.18.4/4427_force_XATTR_PAX_tmpfs.patch
3962
3963 diff --git a/3.14.29/4430_grsec-remove-localversion-grsec.patch b/3.18.4/4430_grsec-remove-localversion-grsec.patch
3964 similarity index 100%
3965 rename from 3.14.29/4430_grsec-remove-localversion-grsec.patch
3966 rename to 3.18.4/4430_grsec-remove-localversion-grsec.patch
3967
3968 diff --git a/3.18.3/4435_grsec-mute-warnings.patch b/3.18.4/4435_grsec-mute-warnings.patch
3969 similarity index 100%
3970 rename from 3.18.3/4435_grsec-mute-warnings.patch
3971 rename to 3.18.4/4435_grsec-mute-warnings.patch
3972
3973 diff --git a/3.14.29/4440_grsec-remove-protected-paths.patch b/3.18.4/4440_grsec-remove-protected-paths.patch
3974 similarity index 100%
3975 rename from 3.14.29/4440_grsec-remove-protected-paths.patch
3976 rename to 3.18.4/4440_grsec-remove-protected-paths.patch
3977
3978 diff --git a/3.18.3/4450_grsec-kconfig-default-gids.patch b/3.18.4/4450_grsec-kconfig-default-gids.patch
3979 similarity index 96%
3980 rename from 3.18.3/4450_grsec-kconfig-default-gids.patch
3981 rename to 3.18.4/4450_grsec-kconfig-default-gids.patch
3982 index 039bad1..5c025da 100644
3983 --- a/3.18.3/4450_grsec-kconfig-default-gids.patch
3984 +++ b/3.18.4/4450_grsec-kconfig-default-gids.patch
3985 @@ -16,7 +16,7 @@ from shooting themselves in the foot.
3986 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
3987 --- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400
3988 +++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400
3989 -@@ -678,7 +678,7 @@
3990 +@@ -694,7 +694,7 @@
3991 config GRKERNSEC_AUDIT_GID
3992 int "GID for auditing"
3993 depends on GRKERNSEC_AUDIT_GROUP
3994 @@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
3995
3996 config GRKERNSEC_EXECLOG
3997 bool "Exec logging"
3998 -@@ -909,7 +909,7 @@
3999 +@@ -925,7 +925,7 @@
4000 config GRKERNSEC_TPE_UNTRUSTED_GID
4001 int "GID for TPE-untrusted users"
4002 depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
4003 @@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
4004 help
4005 Setting this GID determines what group TPE restrictions will be
4006 *enabled* for. If the sysctl option is enabled, a sysctl option
4007 -@@ -918,7 +918,7 @@
4008 +@@ -934,7 +934,7 @@
4009 config GRKERNSEC_TPE_TRUSTED_GID
4010 int "GID for TPE-trusted users"
4011 depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
4012 @@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
4013 help
4014 Setting this GID determines what group TPE restrictions will be
4015 *disabled* for. If the sysctl option is enabled, a sysctl option
4016 -@@ -1003,7 +1003,7 @@
4017 +@@ -1019,7 +1019,7 @@
4018 config GRKERNSEC_SOCKET_ALL_GID
4019 int "GID to deny all sockets for"
4020 depends on GRKERNSEC_SOCKET_ALL
4021 @@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
4022 help
4023 Here you can choose the GID to disable socket access for. Remember to
4024 add the users you want socket access disabled for to the GID
4025 -@@ -1024,7 +1024,7 @@
4026 +@@ -1040,7 +1040,7 @@
4027 config GRKERNSEC_SOCKET_CLIENT_GID
4028 int "GID to deny client sockets for"
4029 depends on GRKERNSEC_SOCKET_CLIENT
4030 @@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
4031 help
4032 Here you can choose the GID to disable client socket access for.
4033 Remember to add the users you want client socket access disabled for to
4034 -@@ -1042,7 +1042,7 @@
4035 +@@ -1058,7 +1058,7 @@
4036 config GRKERNSEC_SOCKET_SERVER_GID
4037 int "GID to deny server sockets for"
4038 depends on GRKERNSEC_SOCKET_SERVER
4039
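diff --git a/3.18.3/4465_selinux-avc_audit-log-curr_ip.patch b/3.18.4/4465_selinux-avc_audit-log-curr_ip.patch
similarity index 99%
rename from 3.18.3/4465_selinux-avc_audit-log-curr_ip.patch
rename to 3.18.4/4465_selinux-avc_audit-log-curr_ip.patch
index 747ac53..ba89596 100644
--- a/3.18.3/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.18.4/4465_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org>
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
 +++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400
-@@ -1137,6 +1137,27 @@
+@@ -1153,6 +1153,27 @@
 menu "Logging Options"
 depends on GRKERNSEC
 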
4056
4057 diff --git a/3.18.3/4470_disable-compat_vdso.patch b/3.18.4/4470_disable-compat_vdso.patch
4058 similarity index 100%
4059 rename from 3.18.3/4470_disable-compat_vdso.patch
4060 rename to 3.18.4/4470_disable-compat_vdso.patch
4061
4062 diff --git a/3.14.29/4475_emutramp_default_on.patch b/3.18.4/4475_emutramp_default_on.patch
4063 similarity index 100%
4064 rename from 3.14.29/4475_emutramp_default_on.patch
4065 rename to 3.18.4/4475_emutramp_default_on.patch
4066
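diff --git a/3.2.66/0000_README b/3.2.66/0000_README
index f9825bd..2b43bf6 100644
--- a/3.2.66/0000_README
+++ b/3.2.66/0000_README
@@ -182,7 +182,7 @@ Patch: 1065_linux-3.2.66.patch
 From: http://www.kernel.org
 Desc: Linux 3.2.66
 
-Patch: 4420_grsecurity-3.0-3.2.66-201501211939.patch
+Patch: 4420_grsecurity-3.0-3.2.66-201501272306.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
 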
4080
4081 diff --git a/3.2.66/4420_grsecurity-3.0-3.2.66-201501211939.patch b/3.2.66/4420_grsecurity-3.0-3.2.66-201501272306.patch
4082 similarity index 99%
4083 rename from 3.2.66/4420_grsecurity-3.0-3.2.66-201501211939.patch
4084 rename to 3.2.66/4420_grsecurity-3.0-3.2.66-201501272306.patch
4085 index 89a8670..082c246 100644
4086 --- a/3.2.66/4420_grsecurity-3.0-3.2.66-201501211939.patch
4087 +++ b/3.2.66/4420_grsecurity-3.0-3.2.66-201501272306.patch
4088 @@ -13556,7 +13556,7 @@ index b8a5fe5..fbbe2c2 100644
4089 "4:\n"
4090 ".previous\n"
4091 diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h
4092 -index 41935fa..2be7ac3 100644
4093 +index 41935fa..e0fb1f6 100644
4094 --- a/arch/x86/include/asm/desc.h
4095 +++ b/arch/x86/include/asm/desc.h
4096 @@ -4,6 +4,7 @@
4097 @@ -13650,7 +13650,7 @@ index 41935fa..2be7ac3 100644
4098 }
4099
4100 static inline void native_load_gdt(const struct desc_ptr *dtr)
4101 -@@ -244,8 +255,10 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu)
4102 +@@ -244,11 +255,14 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu)
4103 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
4104 unsigned int i;
4105
4106 @@ -13660,8 +13660,37 @@ index 41935fa..2be7ac3 100644
4107 + pax_close_kernel();
4108 }
4109
4110 - #define _LDT_empty(info) \
4111 -@@ -284,7 +297,7 @@ static inline void load_LDT(mm_context_t *pc)
4112 +-#define _LDT_empty(info) \
4113 ++/* This intentionally ignores lm, since 32-bit apps don't have that field. */
4114 ++#define LDT_empty(info) \
4115 + ((info)->base_addr == 0 && \
4116 + (info)->limit == 0 && \
4117 + (info)->contents == 0 && \
4118 +@@ -258,11 +272,18 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu)
4119 + (info)->seg_not_present == 1 && \
4120 + (info)->useable == 0)
4121 +
4122 +-#ifdef CONFIG_X86_64
4123 +-#define LDT_empty(info) (_LDT_empty(info) && ((info)->lm == 0))
4124 +-#else
4125 +-#define LDT_empty(info) (_LDT_empty(info))
4126 +-#endif
4127 ++/* Lots of programs expect an all-zero user_desc to mean "no segment at all". */
4128 ++static inline bool LDT_zero(const struct user_desc *info)
4129 ++{
4130 ++ return (info->base_addr == 0 &&
4131 ++ info->limit == 0 &&
4132 ++ info->contents == 0 &&
4133 ++ info->read_exec_only == 0 &&
4134 ++ info->seg_32bit == 0 &&
4135 ++ info->limit_in_pages == 0 &&
4136 ++ info->seg_not_present == 0 &&
4137 ++ info->useable == 0);
4138 ++}
4139 +
4140 + static inline void clear_LDT(void)
4141 + {
4142 +@@ -284,7 +305,7 @@ static inline void load_LDT(mm_context_t *pc)
4143 preempt_enable();
4144 }
4145
4146 @@ -13670,7 +13699,7 @@ index 41935fa..2be7ac3 100644
4147 {
4148 return (unsigned)(desc->base0 | ((desc->base1) << 16) | ((desc->base2) << 24));
4149 }
4150 -@@ -307,7 +320,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit)
4151 +@@ -307,7 +328,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit)
4152 desc->limit = (limit >> 16) & 0xf;
4153 }
4154
4155 @@ -13679,7 +13708,7 @@ index 41935fa..2be7ac3 100644
4156 unsigned dpl, unsigned ist, unsigned seg)
4157 {
4158 gate_desc s;
4159 -@@ -326,7 +339,7 @@ static inline void _set_gate(int gate, unsigned type, void *addr,
4160 +@@ -326,7 +347,7 @@ static inline void _set_gate(int gate, unsigned type, void *addr,
4161 * Pentium F0 0F bugfix can have resulted in the mapped
4162 * IDT being write-protected.
4163 */
4164 @@ -13688,7 +13717,7 @@ index 41935fa..2be7ac3 100644
4165 {
4166 BUG_ON((unsigned)n > 0xFF);
4167 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
4168 -@@ -356,19 +369,19 @@ static inline void alloc_intr_gate(unsigned int n, void *addr)
4169 +@@ -356,19 +377,19 @@ static inline void alloc_intr_gate(unsigned int n, void *addr)
4170 /*
4171 * This routine sets up an interrupt gate at directory privilege level 3.
4172 */
4173 @@ -13711,7 +13740,7 @@ index 41935fa..2be7ac3 100644
4174 {
4175 BUG_ON((unsigned)n > 0xFF);
4176 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
4177 -@@ -377,19 +390,31 @@ static inline void set_trap_gate(unsigned int n, void *addr)
4178 +@@ -377,19 +398,31 @@ static inline void set_trap_gate(unsigned int n, void *addr)
4179 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
4180 {
4181 BUG_ON((unsigned)n > 0xFF);
4182 @@ -24361,10 +24390,40 @@ index dd5fbf4..b7f2232 100644
4183 return pc;
4184 }
4185 diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
4186 -index 7af7338..36ed955 100644
4187 +index 7af7338..79ea0e3 100644
4188 --- a/arch/x86/kernel/tls.c
4189 +++ b/arch/x86/kernel/tls.c
4190 -@@ -40,6 +40,22 @@ static bool tls_desc_okay(const struct user_desc *info)
4191 +@@ -30,7 +30,28 @@ static int get_free_idx(void)
4192 +
4193 + static bool tls_desc_okay(const struct user_desc *info)
4194 + {
4195 +- if (LDT_empty(info))
4196 ++ /*
4197 ++ * For historical reasons (i.e. no one ever documented how any
4198 ++ * of the segmentation APIs work), user programs can and do
4199 ++ * assume that a struct user_desc that's all zeros except for
4200 ++ * entry_number means "no segment at all". This never actually
4201 ++ * worked. In fact, up to Linux 3.19, a struct user_desc like
4202 ++ * this would create a 16-bit read-write segment with base and
4203 ++ * limit both equal to zero.
4204 ++ *
4205 ++ * That was close enough to "no segment at all" until we
4206 ++ * hardened this function to disallow 16-bit TLS segments. Fix
4207 ++ * it up by interpreting these zeroed segments the way that they
4208 ++ * were almost certainly intended to be interpreted.
4209 ++ *
4210 ++ * The correct way to ask for "no segment at all" is to specify
4211 ++ * a user_desc that satisfies LDT_empty. To keep everything
4212 ++ * working, we accept both.
4213 ++ *
4214 ++ * Note that there's a similar kludge in modify_ldt -- look at
4215 ++ * the distinction between modes 1 and 0x11.
4216 ++ */
4217 ++ if (LDT_empty(info) || LDT_zero(info))
4218 + return true;
4219 +
4220 + /*
4221 +@@ -40,6 +61,22 @@ static bool tls_desc_okay(const struct user_desc *info)
4222 if (!info->seg_32bit)
4223 return false;
4224
4225 @@ -24387,7 +24446,16 @@ index 7af7338..36ed955 100644
4226 return true;
4227 }
4228
4229 -@@ -103,6 +119,11 @@ int do_set_thread_area(struct task_struct *p, int idx,
4230 +@@ -56,7 +93,7 @@ static void set_tls_desc(struct task_struct *p, int idx,
4231 + cpu = get_cpu();
4232 +
4233 + while (n-- > 0) {
4234 +- if (LDT_empty(info))
4235 ++ if (LDT_empty(info) || LDT_zero(info))
4236 + desc->a = desc->b = 0;
4237 + else
4238 + fill_ldt(desc, info);
4239 +@@ -103,6 +140,11 @@ int do_set_thread_area(struct task_struct *p, int idx,
4240 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
4241 return -EINVAL;
4242
4243 @@ -24399,7 +24467,7 @@ index 7af7338..36ed955 100644
4244 set_tls_desc(p, idx, &info, 1);
4245
4246 return 0;
4247 -@@ -224,7 +245,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
4248 +@@ -224,7 +266,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
4249
4250 if (kbuf)
4251 info = kbuf;
4252 @@ -25116,7 +25184,7 @@ index 7110911..069da9c 100644
4253 /*
4254 * Encountered an error while doing the restore from the
4255 diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
4256 -index f0ac042..ea3fe9c 100644
4257 +index f0ac042..39c366e 100644
4258 --- a/arch/x86/kvm/emulate.c
4259 +++ b/arch/x86/kvm/emulate.c
4260 @@ -249,6 +249,7 @@ struct gprefix {
4261 @@ -25154,7 +25222,49 @@ index f0ac042..ea3fe9c 100644
4262 } while (0)
4263
4264 /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */
4265 -@@ -3003,7 +3000,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
4266 +@@ -2077,23 +2074,13 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
4267 + setup_syscalls_segments(ctxt, &cs, &ss);
4268 +
4269 + ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
4270 +- switch (ctxt->mode) {
4271 +- case X86EMUL_MODE_PROT32:
4272 +- if ((msr_data & 0xfffc) == 0x0)
4273 +- return emulate_gp(ctxt, 0);
4274 +- break;
4275 +- case X86EMUL_MODE_PROT64:
4276 +- if (msr_data == 0x0)
4277 +- return emulate_gp(ctxt, 0);
4278 +- break;
4279 +- }
4280 ++ if ((msr_data & 0xfffc) == 0x0)
4281 ++ return emulate_gp(ctxt, 0);
4282 +
4283 + ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
4284 +- cs_sel = (u16)msr_data;
4285 +- cs_sel &= ~SELECTOR_RPL_MASK;
4286 ++ cs_sel = (u16)msr_data & ~SELECTOR_RPL_MASK;
4287 + ss_sel = cs_sel + 8;
4288 +- ss_sel &= ~SELECTOR_RPL_MASK;
4289 +- if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
4290 ++ if (efer & EFER_LMA) {
4291 + cs.d = 0;
4292 + cs.l = 1;
4293 + }
4294 +@@ -2102,10 +2089,11 @@ static int em_sysenter(struct x86_emulate_ctxt *ctxt)
4295 + ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
4296 +
4297 + ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
4298 +- ctxt->_eip = msr_data;
4299 ++ ctxt->_eip = (efer & EFER_LMA) ? msr_data : (u32)msr_data;
4300 +
4301 + ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
4302 +- ctxt->regs[VCPU_REGS_RSP] = msr_data;
4303 ++ ctxt->regs[VCPU_REGS_RSP] = (efer & EFER_LMA) ? msr_data :
4304 ++ (u32)msr_data;
4305 +
4306 + return X86EMUL_CONTINUE;
4307 + }
4308 +@@ -3003,7 +2991,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
4309 int cr = ctxt->modrm_reg;
4310 u64 efer = 0;
4311
4312 @@ -25163,7 +25273,7 @@ index f0ac042..ea3fe9c 100644
4313 0xffffffff00000000ULL,
4314 0, 0, 0, /* CR3 checked later */
4315 CR4_RESERVED_BITS,
4316 -@@ -3038,7 +3035,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
4317 +@@ -3038,7 +3026,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
4318
4319 ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
4320 if (efer & EFER_LMA)
4321 @@ -68808,10 +68918,10 @@ index 0000000..30ababb
4322 +endif
4323 diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
4324 new file mode 100644
4325 -index 0000000..0069a59
4326 +index 0000000..99cbce0
4327 --- /dev/null
4328 +++ b/grsecurity/gracl.c
4329 -@@ -0,0 +1,2827 @@
4330 +@@ -0,0 +1,2845 @@
4331 +#include <linux/kernel.h>
4332 +#include <linux/module.h>
4333 +#include <linux/sched.h>
4334 @@ -69970,9 +70080,10 @@ index 0000000..0069a59
4335 + rcu_read_lock();
4336 + read_lock(&tasklist_lock);
4337 + read_lock(&grsec_exec_file_lock);
4338 ++ except in the case of gr_set_role_label() (for __gr_get_subject_for_task)
4339 +*/
4340 +
4341 -+struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename)
4342 ++struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback)
4343 +{
4344 + char *tmpname;
4345 + struct acl_subject_label *tmpsubj;
4346 @@ -70014,15 +70125,15 @@ index 0000000..0069a59
4347 + /* this also works for the reload case -- if we don't match a potentially inherited subject
4348 + then we fall back to a normal lookup based on the binary's ino/dev
4349 + */
4350 -+ if (tmpsubj == NULL)
4351 ++ if (tmpsubj == NULL && fallback)
4352 + tmpsubj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, task->role);
4353 +
4354 + return tmpsubj;
4355 +}
4356 +
4357 -+static struct acl_subject_label *gr_get_subject_for_task(struct task_struct *task, const char *filename)
4358 ++static struct acl_subject_label *gr_get_subject_for_task(struct task_struct *task, const char *filename, int fallback)
4359 +{
4360 -+ return __gr_get_subject_for_task(&running_polstate, task, filename);
4361 ++ return __gr_get_subject_for_task(&running_polstate, task, filename, fallback);
4362 +}
4363 +
4364 +void __gr_apply_subject_to_task(const struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj)
4365 @@ -70086,7 +70197,7 @@ index 0000000..0069a59
4366 + task->role = current->role;
4367 + rcu_read_lock();
4368 + read_lock(&grsec_exec_file_lock);
4369 -+ subj = gr_get_subject_for_task(task, NULL);
4370 ++ subj = gr_get_subject_for_task(task, NULL, 1);
4371 + gr_apply_subject_to_task(task, subj);
4372 + read_unlock(&grsec_exec_file_lock);
4373 + rcu_read_unlock();
4374 @@ -70466,6 +70577,7 @@ index 0000000..0069a59
4375 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
4376 +{
4377 + struct acl_role_label *role = task->role;
4378 ++ struct acl_role_label *origrole = role;
4379 + struct acl_subject_label *subj = NULL;
4380 + struct acl_object_label *obj;
4381 + struct file *filp;
4382 @@ -70493,10 +70605,28 @@ index 0000000..0069a59
4383 + ((role->roletype & GR_ROLE_GROUP) && !gr_acl_is_capable(CAP_SETGID))))
4384 + return;
4385 +
4386 -+ /* perform subject lookup in possibly new role
4387 -+ we can use this result below in the case where role == task->role
4388 -+ */
4389 -+ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
4390 ++ task->role = role;
4391 ++
4392 ++ if (task->inherited) {
4393 ++ /* if we reached our subject through inheritance, then first see
4394 ++ if there's a subject of the same name in the new role that has
4395 ++ an object that would result in the same inherited subject
4396 ++ */
4397 ++ subj = gr_get_subject_for_task(task, task->acl->filename, 0);
4398 ++ if (subj) {
4399 ++ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, subj);
4400 ++ if (!(obj->mode & GR_INHERIT))
4401 ++ subj = NULL;
4402 ++ }
4403 ++
4404 ++ }
4405 ++ if (subj == NULL) {
4406 ++ /* otherwise:
4407 ++ perform subject lookup in possibly new role
4408 ++ we can use this result below in the case where role == task->role
4409 ++ */
4410 ++ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
4411 ++ }
4412 +
4413 + /* if we changed uid/gid, but result in the same role
4414 + and are using inheritance, don't lose the inherited subject
4415 @@ -70504,14 +70634,12 @@ index 0000000..0069a59
4416 + would result in, we arrived via inheritance, don't
4417 + lose subject
4418 + */
4419 -+ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
4420 ++ if (role != origrole || (!(task->acl->mode & GR_INHERITLEARN) &&
4421 + (subj == task->acl)))
4422 + task->acl = subj;
4423 +
4424 + /* leave task->inherited unaffected */
4425 +
4426 -+ task->role = role;
4427 -+
4428 + task->is_writable = 0;
4429 +
4430 + /* ignore additional mmap checks for processes that are writable
4431 @@ -73202,7 +73330,7 @@ index 0000000..25f54ef
4432 +};
4433 diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c
4434 new file mode 100644
4435 -index 0000000..3768798
4436 +index 0000000..94ef7e60
4437 --- /dev/null
4438 +++ b/grsecurity/gracl_policy.c
4439 @@ -0,0 +1,1781 @@
4440 @@ -73275,7 +73403,7 @@ index 0000000..3768798
4441 +extern void gr_remove_uid(uid_t uid);
4442 +extern int gr_find_uid(uid_t uid);
4443 +
4444 -+extern struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename);
4445 ++extern struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback);
4446 +extern void __gr_apply_subject_to_task(struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj);
4447 +extern int gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb);
4448 +extern void __insert_inodev_entry(const struct gr_policy_state *state, struct inodev_entry *entry);
4449 @@ -74380,8 +74508,8 @@ index 0000000..3768798
4450 + }
4451 + /* this handles non-nested inherited subjects, nested subjects will still
4452 + be dropped currently */
4453 -+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename);
4454 -+ task->tmpacl = __gr_get_subject_for_task(polstate, task, NULL);
4455 ++ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1);
4456 ++ task->tmpacl = __gr_get_subject_for_task(polstate, task, NULL, 1);
4457 + /* change the role back so that we've made no modifications to the policy */
4458 + task->role = rtmp;
4459 +
4460 @@ -74413,7 +74541,7 @@ index 0000000..3768798
4461 + /* this handles non-nested inherited subjects, nested subjects will still
4462 + be dropped currently */
4463 + if (!reload_state->oldmode && task->inherited)
4464 -+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename);
4465 ++ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1);
4466 + else {
4467 + /* looked up and tagged to the task previously */
4468 + subj = task->tmpacl;
4469 @@ -74962,7 +75090,7 @@ index 0000000..3768798
4470 + if (task->exec_file) {
4471 + cred = __task_cred(task);
4472 + task->role = __lookup_acl_role_label(polstate, task, cred->uid, cred->gid);
4473 -+ subj = __gr_get_subject_for_task(polstate, task, NULL);
4474 ++ subj = __gr_get_subject_for_task(polstate, task, NULL, 1);
4475 + if (subj == NULL) {
4476 + ret = -EINVAL;
4477 + read_unlock(&grsec_exec_file_lock);
4478 @@ -104598,10 +104726,23 @@ index a639967..8f44480 100644
4479 pr_err("Unable to proc dir entry\n");
4480 ret = -ENOMEM;
4481 diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
4482 -index d495d4b..c95851f 100644
4483 +index d495d4b..db46e69 100644
4484 --- a/net/ipv4/ping.c
4485 +++ b/net/ipv4/ping.c
4486 -@@ -842,7 +842,7 @@ static void ping_format_sock(struct sock *sp, struct seq_file *f,
4487 +@@ -716,8 +716,11 @@ void ping_rcv(struct sk_buff *skb)
4488 + sk = ping_v4_lookup(net, saddr, daddr, ntohs(icmph->un.echo.id),
4489 + skb->dev->ifindex);
4490 + if (sk != NULL) {
4491 ++ struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
4492 ++
4493 + pr_debug("rcv on socket %p\n", sk);
4494 +- ping_queue_rcv_skb(sk, skb_get(skb));
4495 ++ if (skb2)
4496 ++ ping_queue_rcv_skb(sk, skb2);
4497 + sock_put(sk);
4498 + return;
4499 + }
4500 +@@ -842,7 +845,7 @@ static void ping_format_sock(struct sock *sp, struct seq_file *f,
4501 sk_rmem_alloc_get(sp),
4502 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
4503 atomic_read(&sp->sk_refcnt), sp,
4504 @@ -108256,6 +108397,18 @@ index 7635107..4670276 100644
4505 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
4506
4507 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
4508 +diff --git a/net/sctp/associola.c b/net/sctp/associola.c
4509 +index 5b2d8e6..d014b05 100644
4510 +--- a/net/sctp/associola.c
4511 ++++ b/net/sctp/associola.c
4512 +@@ -1272,7 +1272,6 @@ void sctp_assoc_update(struct sctp_association *asoc,
4513 + asoc->peer.peer_hmacs = new->peer.peer_hmacs;
4514 + new->peer.peer_hmacs = NULL;
4515 +
4516 +- sctp_auth_key_put(asoc->asoc_shared_key);
4517 + sctp_auth_asoc_init_active_key(asoc, GFP_ATOMIC);
4518 + }
4519 +
4520 diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
4521 index 0b6a391..febcef2 100644
4522 --- a/net/sctp/ipv6.c