
From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 3.8.1/, 2.6.32/, 3.8.0/, 3.2.39/
Date: Sat, 02 Mar 2013 15:31:50
Message-Id: 1362238231.f073d69f9356c708891d8c939bce531b5cd82aa0.blueness@gentoo
1 commit: f073d69f9356c708891d8c939bce531b5cd82aa0
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Sat Mar 2 15:30:31 2013 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Sat Mar 2 15:30:31 2013 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=f073d69f
7
8 Grsec/PaX: 2.9.1-{2.6.32.60,3.2.39,3.8.1}-201303012253
9
10 ---
11 ..._grsecurity-2.9.1-2.6.32.60-201303012253.patch} | 196 +++++-
12 3.2.39/0000_README | 2 +-
13 ...420_grsecurity-2.9.1-3.2.39-201303012254.patch} | 301 +++++++--
14 {3.8.0 => 3.8.1}/0000_README | 2 +-
15 .../4420_grsecurity-2.9.1-3.8.1-201303012255.patch | 672 +++++++++-----------
16 {3.8.0 => 3.8.1}/4425_grsec_remove_EI_PAX.patch | 0
17 .../4430_grsec-remove-localversion-grsec.patch | 0
18 {3.8.0 => 3.8.1}/4435_grsec-mute-warnings.patch | 0
19 .../4440_grsec-remove-protected-paths.patch | 0
20 .../4450_grsec-kconfig-default-gids.patch | 0
21 .../4465_selinux-avc_audit-log-curr_ip.patch | 0
22 {3.8.0 => 3.8.1}/4470_disable-compat_vdso.patch | 0
23 12 files changed, 701 insertions(+), 472 deletions(-)
24
25 diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201302271816.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303012253.patch
26 similarity index 99%
27 rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201302271816.patch
28 rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303012253.patch
29 index ee04841..ee59351 100644
30 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201302271816.patch
31 +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303012253.patch
32 @@ -19276,6 +19276,91 @@ index 9dbb527..9fe4f21 100644
33 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
34 return -EFAULT;
35
36 +diff --git a/arch/x86/kernel/head.c b/arch/x86/kernel/head.c
37 +index 3e66bd3..6d6adbe 100644
38 +--- a/arch/x86/kernel/head.c
39 ++++ b/arch/x86/kernel/head.c
40 +@@ -4,8 +4,6 @@
41 + #include <asm/setup.h>
42 + #include <asm/bios_ebda.h>
43 +
44 +-#define BIOS_LOWMEM_KILOBYTES 0x413
45 +-
46 + /*
47 + * The BIOS places the EBDA/XBDA at the top of conventional
48 + * memory, and usually decreases the reported amount of
49 +@@ -15,17 +13,30 @@
50 + * chipset: reserve a page before VGA to prevent PCI prefetch
51 + * into it (errata #56). Usually the page is reserved anyways,
52 + * unless you have no PS/2 mouse plugged in.
53 ++ *
54 ++ * This functions is deliberately very conservative. Losing
55 ++ * memory in the bottom megabyte is rarely a problem, as long
56 ++ * as we have enough memory to install the trampoline. Using
57 ++ * memory that is in use by the BIOS or by some DMA device
58 ++ * the BIOS didn't shut down *is* a big problem.
59 + */
60 ++
61 ++#define BIOS_LOWMEM_KILOBYTES 0x413
62 ++#define LOWMEM_CAP 0x9f000U /* Absolute maximum */
63 ++#define INSANE_CUTOFF 0x20000U /* Less than this = insane */
64 ++
65 + void __init reserve_ebda_region(void)
66 + {
67 + unsigned int lowmem, ebda_addr;
68 +
69 +- /* To determine the position of the EBDA and the */
70 +- /* end of conventional memory, we need to look at */
71 +- /* the BIOS data area. In a paravirtual environment */
72 +- /* that area is absent. We'll just have to assume */
73 +- /* that the paravirt case can handle memory setup */
74 +- /* correctly, without our help. */
75 ++ /*
76 ++ * To determine the position of the EBDA and the
77 ++ * end of conventional memory, we need to look at
78 ++ * the BIOS data area. In a paravirtual environment
79 ++ * that area is absent. We'll just have to assume
80 ++ * that the paravirt case can handle memory setup
81 ++ * correctly, without our help.
82 ++ */
83 + if (paravirt_enabled())
84 + return;
85 +
86 +@@ -36,19 +47,23 @@ void __init reserve_ebda_region(void)
87 + /* start of EBDA area */
88 + ebda_addr = get_bios_ebda();
89 +
90 +- /* Fixup: bios puts an EBDA in the top 64K segment */
91 +- /* of conventional memory, but does not adjust lowmem. */
92 +- if ((lowmem - ebda_addr) <= 0x10000)
93 +- lowmem = ebda_addr;
94 ++ /*
95 ++ * Note: some old Dells seem to need 4k EBDA without
96 ++ * reporting so, so just consider the memory above 0x9f000
97 ++ * to be off limits (bugzilla 2990).
98 ++ */
99 +
100 +- /* Fixup: bios does not report an EBDA at all. */
101 +- /* Some old Dells seem to need 4k anyhow (bugzilla 2990) */
102 +- if ((ebda_addr == 0) && (lowmem >= 0x9f000))
103 +- lowmem = 0x9f000;
104 ++ /* If the EBDA address is below 128K, assume it is bogus */
105 ++ if (ebda_addr < INSANE_CUTOFF)
106 ++ ebda_addr = LOWMEM_CAP;
107 +
108 +- /* Paranoia: should never happen, but... */
109 +- if ((lowmem == 0) || (lowmem >= 0x100000))
110 +- lowmem = 0x9f000;
111 ++ /* If lowmem is less than 128K, assume it is bogus */
112 ++ if (lowmem < INSANE_CUTOFF)
113 ++ lowmem = LOWMEM_CAP;
114 ++
115 ++ /* Use the lower of the lowmem and EBDA markers as the cutoff */
116 ++ lowmem = min(lowmem, ebda_addr);
117 ++ lowmem = min(lowmem, LOWMEM_CAP); /* Absolute cap */
118 +
119 + /* reserve all memory between lowmem and the 1MB mark */
120 + reserve_early_overlap_ok(lowmem, 0x100000, "BIOS reserved");
121 diff --git a/arch/x86/kernel/head32.c b/arch/x86/kernel/head32.c
122 index 4f8e250..df24706 100644
123 --- a/arch/x86/kernel/head32.c
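Review bot: The note about old Dells needing a 4k EBDA now floats between the `get_bios_ebda()` call and the EBDA sanity check, followed by a blank line, although what it explains is the `LOWMEM_CAP` clamp several lines further down; it would read better directly above `lowmem = min(lowmem, LOWMEM_CAP);` or beside `#define LOWMEM_CAP`. The new header comment has a typo: `This functions is deliberately very conservative` should read `This function is deliberately very conservative`. The reserve call still passes a bare `0x100000`, where a named constant next to `LOWMEM_CAP` and `INSANE_CUTOFF` would keep all three bounds in one place. The same text is added in the 3.2.39 copy of this head.c change later in the commit. Only part of reserve_ebda_region() is visible in these inner hunks.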
124 @@ -100702,10 +100787,18 @@ index 0000000..3891139
125 +
126 +#endif /* _LINUX_SYSLOG_H */
127 diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
128 -index 99adcdc..09207eb 100644
129 +index 99adcdc..377249a 100644
130 --- a/include/linux/sysrq.h
131 +++ b/include/linux/sysrq.h
132 -@@ -35,7 +35,7 @@ struct sysrq_key_op {
133 +@@ -15,6 +15,7 @@
134 + #define _LINUX_SYSRQ_H
135 +
136 + #include <linux/errno.h>
137 ++#include <linux/compiler.h>
138 +
139 + struct pt_regs;
140 + struct tty_struct;
141 +@@ -35,7 +36,7 @@ struct sysrq_key_op {
142 char *help_msg;
143 char *action_msg;
144 int enable_mask;
145 @@ -110252,7 +110345,7 @@ index 2d846cf..8d5cdd8 100644
146 capable(CAP_IPC_LOCK))
147 ret = do_mlockall(flags);
148 diff --git a/mm/mmap.c b/mm/mmap.c
149 -index 4b80cbf..1415bd8 100644
150 +index 4b80cbf..89f7b42 100644
151 --- a/mm/mmap.c
152 +++ b/mm/mmap.c
153 @@ -29,6 +29,7 @@
154 @@ -111136,7 +111229,7 @@ index 4b80cbf..1415bd8 100644
155 size = vma->vm_end - address;
156 grow = (vma->vm_start - address) >> PAGE_SHIFT;
157
158 -@@ -1689,10 +1982,22 @@ static int expand_downwards(struct vm_area_struct *vma,
159 +@@ -1689,21 +1982,60 @@ static int expand_downwards(struct vm_area_struct *vma,
160 if (!error) {
161 vma->vm_start = address;
162 vma->vm_pgoff -= grow;
163 @@ -111159,7 +111252,60 @@ index 4b80cbf..1415bd8 100644
164 return error;
165 }
166
167 -@@ -1768,6 +2073,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
168 + int expand_stack_downwards(struct vm_area_struct *vma, unsigned long address)
169 + {
170 ++ struct vm_area_struct *prev;
171 ++
172 ++ address &= PAGE_MASK;
173 ++ prev = vma->vm_prev;
174 ++ if (prev && prev->vm_end == address) {
175 ++ if (!(prev->vm_flags & VM_GROWSDOWN))
176 ++ return -ENOMEM;
177 ++ }
178 + return expand_downwards(vma, address);
179 + }
180 +
181 ++/*
182 ++ * Note how expand_stack() refuses to expand the stack all the way to
183 ++ * abut the next virtual mapping, *unless* that mapping itself is also
184 ++ * a stack mapping. We want to leave room for a guard page, after all
185 ++ * (the guard page itself is not added here, that is done by the
186 ++ * actual page faulting logic)
187 ++ *
188 ++ * This matches the behavior of the guard page logic (see mm/memory.c:
189 ++ * check_stack_guard_page()), which only allows the guard page to be
190 ++ * removed under these circumstances.
191 ++ */
192 + #ifdef CONFIG_STACK_GROWSUP
193 + int expand_stack(struct vm_area_struct *vma, unsigned long address)
194 + {
195 ++ struct vm_area_struct *next;
196 ++
197 ++ address &= PAGE_MASK;
198 ++ next = vma->vm_next;
199 ++ if (next && next->vm_start == address + PAGE_SIZE) {
200 ++ if (!(next->vm_flags & VM_GROWSUP))
201 ++ return -ENOMEM;
202 ++ }
203 + return expand_upwards(vma, address);
204 + }
205 +
206 +@@ -1727,6 +2059,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr)
207 + #else
208 + int expand_stack(struct vm_area_struct *vma, unsigned long address)
209 + {
210 ++ struct vm_area_struct *prev;
211 ++
212 ++ address &= PAGE_MASK;
213 ++ prev = vma->vm_prev;
214 ++ if (prev && prev->vm_end == address) {
215 ++ if (!(prev->vm_flags & VM_GROWSDOWN))
216 ++ return -ENOMEM;
217 ++ }
218 + return expand_downwards(vma, address);
219 + }
220 +
221 +@@ -1768,6 +2108,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
222 do {
223 long nrpages = vma_pages(vma);
224
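Review bot: The abutment test added to `expand_stack_downwards()` and to both `expand_stack()` variants refuses growth only when the page-aligned address lands exactly on `prev->vm_end` (or `next->vm_start == address + PAGE_SIZE`), so what it keeps is a single page of separation. The block comment should say this, so the check is not read as a general barrier between the stack and a neighbouring mapping; presumably it relies on the stack being touched page by page. That comment also sits above `#ifdef CONFIG_STACK_GROWSUP`, after `expand_stack_downwards()`, which leaves the first copy of the check undocumented; I would add `/* Do not grow onto a neighbouring mapping unless it is itself a stack; see expand_stack() */` above it. The downward check is repeated line for line in the `#else` `expand_stack()`, so a small static helper shared by the two would stop them drifting apart. Reading `vma->vm_prev` and `vma->vm_next` presumably requires the caller to hold mmap_sem, which these lines do not show and which is worth stating in the comment.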
225 @@ -111173,7 +111319,7 @@ index 4b80cbf..1415bd8 100644
226 mm->total_vm -= nrpages;
227 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
228 vma = remove_vma(vma);
229 -@@ -1813,6 +2125,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
230 +@@ -1813,6 +2160,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
231 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
232 vma->vm_prev = NULL;
233 do {
234 @@ -111190,7 +111336,7 @@ index 4b80cbf..1415bd8 100644
235 rb_erase(&vma->vm_rb, &mm->mm_rb);
236 mm->map_count--;
237 tail_vma = vma;
238 -@@ -1840,10 +2162,25 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
239 +@@ -1840,10 +2197,25 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
240 struct mempolicy *pol;
241 struct vm_area_struct *new;
242
243 @@ -111216,7 +111362,7 @@ index 4b80cbf..1415bd8 100644
244 if (mm->map_count >= sysctl_max_map_count)
245 return -ENOMEM;
246
247 -@@ -1851,6 +2188,16 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
248 +@@ -1851,6 +2223,16 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
249 if (!new)
250 return -ENOMEM;
251
252 @@ -111233,7 +111379,7 @@ index 4b80cbf..1415bd8 100644
253 /* most fields are the same, copy all, and then fixup */
254 *new = *vma;
255
256 -@@ -1861,8 +2208,29 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
257 +@@ -1861,8 +2243,29 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
258 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
259 }
260
261 @@ -111263,7 +111409,7 @@ index 4b80cbf..1415bd8 100644
262 kmem_cache_free(vm_area_cachep, new);
263 return PTR_ERR(pol);
264 }
265 -@@ -1883,6 +2251,28 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
266 +@@ -1883,6 +2286,28 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
267 else
268 vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
269
270 @@ -111292,7 +111438,7 @@ index 4b80cbf..1415bd8 100644
271 return 0;
272 }
273
274 -@@ -1891,11 +2281,30 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
275 +@@ -1891,11 +2316,30 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
276 * work. This now handles partial unmappings.
277 * Jeremy Fitzhardinge <jeremy@××××.org>
278 */
279 @@ -111323,7 +111469,7 @@ index 4b80cbf..1415bd8 100644
280 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
281 return -EINVAL;
282
283 -@@ -1959,6 +2368,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
284 +@@ -1959,6 +2403,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
285 /* Fix up all other VM information */
286 remove_vma_list(mm, vma);
287
288 @@ -111332,7 +111478,7 @@ index 4b80cbf..1415bd8 100644
289 return 0;
290 }
291
292 -@@ -1971,22 +2382,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
293 +@@ -1971,22 +2417,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
294
295 profile_munmap(addr);
296
297 @@ -111361,7 +111507,7 @@ index 4b80cbf..1415bd8 100644
298 /*
299 * this is really a simplified "do_mmap". it only handles
300 * anonymous maps. eventually we may be able to do some
301 -@@ -2000,6 +2407,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
302 +@@ -2000,6 +2442,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
303 struct rb_node ** rb_link, * rb_parent;
304 pgoff_t pgoff = addr >> PAGE_SHIFT;
305 int error;
306 @@ -111369,7 +111515,7 @@ index 4b80cbf..1415bd8 100644
307
308 len = PAGE_ALIGN(len);
309 if (!len)
310 -@@ -2011,16 +2419,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
311 +@@ -2011,16 +2454,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
312
313 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
314
315 @@ -111401,7 +111547,7 @@ index 4b80cbf..1415bd8 100644
316 locked += mm->locked_vm;
317 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
318 lock_limit >>= PAGE_SHIFT;
319 -@@ -2037,22 +2459,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
320 +@@ -2037,22 +2494,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
321 /*
322 * Clear old maps. this also does some error checking for us
323 */
324 @@ -111428,7 +111574,7 @@ index 4b80cbf..1415bd8 100644
325 return -ENOMEM;
326
327 /* Can we just expand an old private anonymous mapping? */
328 -@@ -2066,7 +2488,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
329 +@@ -2066,7 +2523,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
330 */
331 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
332 if (!vma) {
333 @@ -111437,7 +111583,7 @@ index 4b80cbf..1415bd8 100644
334 return -ENOMEM;
335 }
336
337 -@@ -2078,11 +2500,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
338 +@@ -2078,11 +2535,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
339 vma->vm_page_prot = vm_get_page_prot(flags);
340 vma_link(mm, vma, prev, rb_link, rb_parent);
341 out:
342 @@ -111452,7 +111598,7 @@ index 4b80cbf..1415bd8 100644
343 return addr;
344 }
345
346 -@@ -2129,8 +2552,10 @@ void exit_mmap(struct mm_struct *mm)
347 +@@ -2129,8 +2587,10 @@ void exit_mmap(struct mm_struct *mm)
348 * Walk the list again, actually closing and freeing it,
349 * with preemption enabled, without holding any MM locks.
350 */
351 @@ -111464,7 +111610,7 @@ index 4b80cbf..1415bd8 100644
352
353 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
354 }
355 -@@ -2144,6 +2569,10 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
356 +@@ -2144,6 +2604,10 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
357 struct vm_area_struct * __vma, * prev;
358 struct rb_node ** rb_link, * rb_parent;
359
360 @@ -111475,7 +111621,7 @@ index 4b80cbf..1415bd8 100644
361 /*
362 * The vm_pgoff of a purely anonymous vma should be irrelevant
363 * until its first write fault, when page's anon_vma and index
364 -@@ -2166,7 +2595,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
365 +@@ -2166,7 +2630,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
366 if ((vma->vm_flags & VM_ACCOUNT) &&
367 security_vm_enough_memory_mm(mm, vma_pages(vma)))
368 return -ENOMEM;
369 @@ -111498,7 +111644,7 @@ index 4b80cbf..1415bd8 100644
370 return 0;
371 }
372
373 -@@ -2184,6 +2628,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
374 +@@ -2184,6 +2663,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
375 struct rb_node **rb_link, *rb_parent;
376 struct mempolicy *pol;
377
378 @@ -111507,7 +111653,7 @@ index 4b80cbf..1415bd8 100644
379 /*
380 * If anonymous vma has not yet been faulted, update new pgoff
381 * to match new location, to increase its chance of merging.
382 -@@ -2227,6 +2673,35 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
383 +@@ -2227,6 +2708,35 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
384 return new_vma;
385 }
386
387 @@ -111543,7 +111689,7 @@ index 4b80cbf..1415bd8 100644
388 /*
389 * Return true if the calling process may expand its vm space by the passed
390 * number of pages
391 -@@ -2238,6 +2713,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
392 +@@ -2238,6 +2748,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
393
394 lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
395
396 @@ -111556,7 +111702,7 @@ index 4b80cbf..1415bd8 100644
397 if (cur + npages > lim)
398 return 0;
399 return 1;
400 -@@ -2307,6 +2788,22 @@ int install_special_mapping(struct mm_struct *mm,
401 +@@ -2307,6 +2823,22 @@ int install_special_mapping(struct mm_struct *mm,
402 vma->vm_start = addr;
403 vma->vm_end = addr + len;
404
405
406 diff --git a/3.2.39/0000_README b/3.2.39/0000_README
407 index b8fcdf1..2831c66 100644
408 --- a/3.2.39/0000_README
409 +++ b/3.2.39/0000_README
410 @@ -74,7 +74,7 @@ Patch: 1039_linux-3.2.39.patch
411 From: http://www.kernel.org
412 Desc: Linux 3.2.39
413
414 -Patch: 4420_grsecurity-2.9.1-3.2.39-201302271819.patch
415 +Patch: 4420_grsecurity-2.9.1-3.2.39-201303012254.patch
416 From: http://www.grsecurity.net
417 Desc: hardened-sources base patch from upstream grsecurity
418
419
420 diff --git a/3.2.39/4420_grsecurity-2.9.1-3.2.39-201302271819.patch b/3.2.39/4420_grsecurity-2.9.1-3.2.39-201303012254.patch
421 similarity index 99%
422 rename from 3.2.39/4420_grsecurity-2.9.1-3.2.39-201302271819.patch
423 rename to 3.2.39/4420_grsecurity-2.9.1-3.2.39-201303012254.patch
424 index b220f78..12bbb30 100644
425 --- a/3.2.39/4420_grsecurity-2.9.1-3.2.39-201302271819.patch
426 +++ b/3.2.39/4420_grsecurity-2.9.1-3.2.39-201303012254.patch
427 @@ -17637,6 +17637,91 @@ index c9a281f..3658fbe 100644
428 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
429 return -EFAULT;
430
431 +diff --git a/arch/x86/kernel/head.c b/arch/x86/kernel/head.c
432 +index af0699b..f6c4674 100644
433 +--- a/arch/x86/kernel/head.c
434 ++++ b/arch/x86/kernel/head.c
435 +@@ -5,8 +5,6 @@
436 + #include <asm/setup.h>
437 + #include <asm/bios_ebda.h>
438 +
439 +-#define BIOS_LOWMEM_KILOBYTES 0x413
440 +-
441 + /*
442 + * The BIOS places the EBDA/XBDA at the top of conventional
443 + * memory, and usually decreases the reported amount of
444 +@@ -16,17 +14,30 @@
445 + * chipset: reserve a page before VGA to prevent PCI prefetch
446 + * into it (errata #56). Usually the page is reserved anyways,
447 + * unless you have no PS/2 mouse plugged in.
448 ++ *
449 ++ * This functions is deliberately very conservative. Losing
450 ++ * memory in the bottom megabyte is rarely a problem, as long
451 ++ * as we have enough memory to install the trampoline. Using
452 ++ * memory that is in use by the BIOS or by some DMA device
453 ++ * the BIOS didn't shut down *is* a big problem.
454 + */
455 ++
456 ++#define BIOS_LOWMEM_KILOBYTES 0x413
457 ++#define LOWMEM_CAP 0x9f000U /* Absolute maximum */
458 ++#define INSANE_CUTOFF 0x20000U /* Less than this = insane */
459 ++
460 + void __init reserve_ebda_region(void)
461 + {
462 + unsigned int lowmem, ebda_addr;
463 +
464 +- /* To determine the position of the EBDA and the */
465 +- /* end of conventional memory, we need to look at */
466 +- /* the BIOS data area. In a paravirtual environment */
467 +- /* that area is absent. We'll just have to assume */
468 +- /* that the paravirt case can handle memory setup */
469 +- /* correctly, without our help. */
470 ++ /*
471 ++ * To determine the position of the EBDA and the
472 ++ * end of conventional memory, we need to look at
473 ++ * the BIOS data area. In a paravirtual environment
474 ++ * that area is absent. We'll just have to assume
475 ++ * that the paravirt case can handle memory setup
476 ++ * correctly, without our help.
477 ++ */
478 + if (paravirt_enabled())
479 + return;
480 +
481 +@@ -37,19 +48,23 @@ void __init reserve_ebda_region(void)
482 + /* start of EBDA area */
483 + ebda_addr = get_bios_ebda();
484 +
485 +- /* Fixup: bios puts an EBDA in the top 64K segment */
486 +- /* of conventional memory, but does not adjust lowmem. */
487 +- if ((lowmem - ebda_addr) <= 0x10000)
488 +- lowmem = ebda_addr;
489 ++ /*
490 ++ * Note: some old Dells seem to need 4k EBDA without
491 ++ * reporting so, so just consider the memory above 0x9f000
492 ++ * to be off limits (bugzilla 2990).
493 ++ */
494 +
495 +- /* Fixup: bios does not report an EBDA at all. */
496 +- /* Some old Dells seem to need 4k anyhow (bugzilla 2990) */
497 +- if ((ebda_addr == 0) && (lowmem >= 0x9f000))
498 +- lowmem = 0x9f000;
499 ++ /* If the EBDA address is below 128K, assume it is bogus */
500 ++ if (ebda_addr < INSANE_CUTOFF)
501 ++ ebda_addr = LOWMEM_CAP;
502 +
503 +- /* Paranoia: should never happen, but... */
504 +- if ((lowmem == 0) || (lowmem >= 0x100000))
505 +- lowmem = 0x9f000;
506 ++ /* If lowmem is less than 128K, assume it is bogus */
507 ++ if (lowmem < INSANE_CUTOFF)
508 ++ lowmem = LOWMEM_CAP;
509 ++
510 ++ /* Use the lower of the lowmem and EBDA markers as the cutoff */
511 ++ lowmem = min(lowmem, ebda_addr);
512 ++ lowmem = min(lowmem, LOWMEM_CAP); /* Absolute cap */
513 +
514 + /* reserve all memory between lowmem and the 1MB mark */
515 + memblock_x86_reserve_range(lowmem, 0x100000, "* BIOS reserved");
516 diff --git a/arch/x86/kernel/head32.c b/arch/x86/kernel/head32.c
517 index 3bb0850..55a56f4 100644
518 --- a/arch/x86/kernel/head32.c
519 @@ -36501,6 +36586,27 @@ index a0895bf..b451f5b 100644
520 .owner = THIS_MODULE,
521 .open = timblogiw_open,
522 .release = timblogiw_close,
523 +diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c
524 +index 668f5c6..65df5f2 100644
525 +--- a/drivers/memstick/host/r592.c
526 ++++ b/drivers/memstick/host/r592.c
527 +@@ -454,7 +454,7 @@ static int r592_transfer_fifo_pio(struct r592_device *dev)
528 + /* Executes one TPC (data is read/written from small or large fifo) */
529 + static void r592_execute_tpc(struct r592_device *dev)
530 + {
531 +- bool is_write = dev->req->tpc >= MS_TPC_SET_RW_REG_ADRS;
532 ++ bool is_write;
533 + int len, error;
534 + u32 status, reg;
535 +
536 +@@ -463,6 +463,7 @@ static void r592_execute_tpc(struct r592_device *dev)
537 + return;
538 + }
539 +
540 ++ is_write = dev->req->tpc >= MS_TPC_SET_RW_REG_ADRS;
541 + len = dev->req->long_data ?
542 + dev->req->sg.length : dev->req->data_len;
543 +
544 diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c
545 index e9c6a60..daf6a33 100644
546 --- a/drivers/message/fusion/mptbase.c
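Review bot: Nothing at the new bare `bool is_write;` declaration in r592_execute_tpc() says why the initialiser was moved below the early-return check. A later tidy-up could fold `dev->req->tpc >= MS_TPC_SET_RW_REG_ADRS` back into the declaration and so dereference `dev->req` before that check runs. I would add one line above the moved assignment, e.g. `/* dev->req may only be dereferenced after the check above */`. The condition of that check falls between the two inner hunks and is not visible here, so this assumes it tests `dev->req`.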
547 @@ -50020,7 +50126,7 @@ index 8392cb8..80d6193 100644
548 memcpy(c->data, &cookie, 4);
549 c->len=4;
550 diff --git a/fs/locks.c b/fs/locks.c
551 -index fcc50ab..c3dacf2 100644
552 +index fcc50ab..c3dacf26 100644
553 --- a/fs/locks.c
554 +++ b/fs/locks.c
555 @@ -2075,16 +2075,16 @@ void locks_remove_flock(struct file *filp)
556 @@ -50045,7 +50151,7 @@ index fcc50ab..c3dacf2 100644
557
558 lock_flocks();
559 diff --git a/fs/namei.c b/fs/namei.c
560 -index 9680cef..d098ba0 100644
561 +index 9680cef..d943724 100644
562 --- a/fs/namei.c
563 +++ b/fs/namei.c
564 @@ -279,16 +279,32 @@ int generic_permission(struct inode *inode, int mask)
565 @@ -50138,21 +50244,19 @@ index 9680cef..d098ba0 100644
566 put_link(nd, &link, cookie);
567 }
568 }
569 -@@ -1624,6 +1644,21 @@ static int path_lookupat(int dfd, const char *name,
570 +@@ -1624,6 +1644,19 @@ static int path_lookupat(int dfd, const char *name,
571 if (!err)
572 err = complete_walk(nd);
573
574 -+ if (!(nd->flags & LOOKUP_PARENT)) {
575 ++ if (!err && !(nd->flags & LOOKUP_PARENT)) {
576 +#ifdef CONFIG_GRKERNSEC
577 + if (flags & LOOKUP_RCU) {
578 -+ if (!err)
579 -+ path_put(&nd->path);
580 ++ path_put(&nd->path);
581 + err = -ECHILD;
582 + } else
583 +#endif
584 + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
585 -+ if (!err)
586 -+ path_put(&nd->path);
587 ++ path_put(&nd->path);
588 + err = -ENOENT;
589 + }
590 + }
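Review bot: The `} else` / `#endif` / `if (!gr_acl_handle_hidden_file(...))` sequence in path_lookupat() leaves an unbraced else arm hanging across a preprocessor boundary, so which statement the hidden-file test belongs to depends on CONFIG_GRKERNSEC and is easy to misread or break on the next edit. I would brace both arms and add a comment on the RCU arm, e.g. `/* hidden-file check is not done on an RCU walk: drop the path and return -ECHILD */`, presumably so the caller retries in ref-walk mode. It is also worth noting there that under CONFIG_GRKERNSEC every successful non-parent lookup with `LOOKUP_RCU` set in `flags` now ends in `-ECHILD`, since that is a behavioural cost and not just a security check. The rest of path_lookupat() lies outside this hunk.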
591 @@ -50160,7 +50264,7 @@ index 9680cef..d098ba0 100644
592 if (!err && nd->flags & LOOKUP_DIRECTORY) {
593 if (!nd->inode->i_op->lookup) {
594 path_put(&nd->path);
595 -@@ -1651,6 +1686,15 @@ static int do_path_lookup(int dfd, const char *name,
596 +@@ -1651,6 +1684,15 @@ static int do_path_lookup(int dfd, const char *name,
597 retval = path_lookupat(dfd, name, flags | LOOKUP_REVAL, nd);
598
599 if (likely(!retval)) {
600 @@ -50176,7 +50280,7 @@ index 9680cef..d098ba0 100644
601 if (unlikely(!audit_dummy_context())) {
602 if (nd->path.dentry && nd->inode)
603 audit_inode(name, nd->path.dentry);
604 -@@ -1784,7 +1828,13 @@ struct dentry *lookup_one_len(const char *name, struct dentry *base, int len)
605 +@@ -1784,7 +1826,13 @@ struct dentry *lookup_one_len(const char *name, struct dentry *base, int len)
606 if (!len)
607 return ERR_PTR(-EACCES);
608
609 @@ -50190,7 +50294,7 @@ index 9680cef..d098ba0 100644
610 while (len--) {
611 c = *(const unsigned char *)name++;
612 if (c == '/' || c == '\0')
613 -@@ -2048,6 +2098,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
614 +@@ -2048,6 +2096,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
615 if (flag & O_NOATIME && !inode_owner_or_capable(inode))
616 return -EPERM;
617
618 @@ -50204,7 +50308,7 @@ index 9680cef..d098ba0 100644
619 return 0;
620 }
621
622 -@@ -2083,7 +2140,7 @@ static inline int open_to_namei_flags(int flag)
623 +@@ -2083,7 +2138,7 @@ static inline int open_to_namei_flags(int flag)
624 /*
625 * Handle the last step of open()
626 */
627 @@ -50213,7 +50317,7 @@ index 9680cef..d098ba0 100644
628 const struct open_flags *op, const char *pathname)
629 {
630 struct dentry *dir = nd->path.dentry;
631 -@@ -2109,16 +2166,44 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
632 +@@ -2109,16 +2164,44 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
633 error = complete_walk(nd);
634 if (error)
635 return ERR_PTR(error);
636 @@ -50258,7 +50362,7 @@ index 9680cef..d098ba0 100644
637 audit_inode(pathname, dir);
638 goto ok;
639 }
640 -@@ -2134,18 +2219,37 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
641 +@@ -2134,18 +2217,37 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
642 !symlink_ok);
643 if (error < 0)
644 return ERR_PTR(error);
645 @@ -50297,7 +50401,7 @@ index 9680cef..d098ba0 100644
646 audit_inode(pathname, nd->path.dentry);
647 goto ok;
648 }
649 -@@ -2180,6 +2284,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
650 +@@ -2180,6 +2282,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
651 /* Negative dentry, just create the file */
652 if (!dentry->d_inode) {
653 int mode = op->mode;
654 @@ -50315,7 +50419,7 @@ index 9680cef..d098ba0 100644
655 if (!IS_POSIXACL(dir->d_inode))
656 mode &= ~current_umask();
657 /*
658 -@@ -2203,6 +2318,8 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
659 +@@ -2203,6 +2316,8 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
660 error = vfs_create(dir->d_inode, dentry, mode, nd);
661 if (error)
662 goto exit_mutex_unlock;
663 @@ -50324,7 +50428,7 @@ index 9680cef..d098ba0 100644
664 mutex_unlock(&dir->d_inode->i_mutex);
665 dput(nd->path.dentry);
666 nd->path.dentry = dentry;
667 -@@ -2212,6 +2329,19 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
668 +@@ -2212,6 +2327,19 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
669 /*
670 * It already exists.
671 */
672 @@ -50344,7 +50448,7 @@ index 9680cef..d098ba0 100644
673 mutex_unlock(&dir->d_inode->i_mutex);
674 audit_inode(pathname, path->dentry);
675
676 -@@ -2230,11 +2360,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
677 +@@ -2230,11 +2358,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
678 if (!path->dentry->d_inode)
679 goto exit_dput;
680
681 @@ -50363,7 +50467,7 @@ index 9680cef..d098ba0 100644
682 /* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */
683 error = complete_walk(nd);
684 if (error)
685 -@@ -2242,6 +2378,12 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
686 +@@ -2242,6 +2376,12 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
687 error = -EISDIR;
688 if (S_ISDIR(nd->inode->i_mode))
689 goto exit;
690 @@ -50376,7 +50480,7 @@ index 9680cef..d098ba0 100644
691 ok:
692 if (!S_ISREG(nd->inode->i_mode))
693 will_truncate = 0;
694 -@@ -2314,7 +2456,7 @@ static struct file *path_openat(int dfd, const char *pathname,
695 +@@ -2314,7 +2454,7 @@ static struct file *path_openat(int dfd, const char *pathname,
696 if (unlikely(error))
697 goto out_filp;
698
699 @@ -50385,7 +50489,7 @@ index 9680cef..d098ba0 100644
700 while (unlikely(!filp)) { /* trailing symlink */
701 struct path link = path;
702 void *cookie;
703 -@@ -2329,8 +2471,9 @@ static struct file *path_openat(int dfd, const char *pathname,
704 +@@ -2329,8 +2469,9 @@ static struct file *path_openat(int dfd, const char *pathname,
705 error = follow_link(&link, nd, &cookie);
706 if (unlikely(error))
707 filp = ERR_PTR(error);
708 @@ -50397,7 +50501,7 @@ index 9680cef..d098ba0 100644
709 put_link(nd, &link, cookie);
710 }
711 out:
712 -@@ -2424,6 +2567,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path
713 +@@ -2424,6 +2565,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path
714 *path = nd.path;
715 return dentry;
716 eexist:
717 @@ -50409,7 +50513,7 @@ index 9680cef..d098ba0 100644
718 dput(dentry);
719 dentry = ERR_PTR(-EEXIST);
720 fail:
721 -@@ -2446,6 +2594,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat
722 +@@ -2446,6 +2592,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat
723 }
724 EXPORT_SYMBOL(user_path_create);
725
726 @@ -50430,7 +50534,7 @@ index 9680cef..d098ba0 100644
727 int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
728 {
729 int error = may_create(dir, dentry);
730 -@@ -2513,6 +2675,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
731 +@@ -2513,6 +2673,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
732 error = mnt_want_write(path.mnt);
733 if (error)
734 goto out_dput;
735 @@ -50448,7 +50552,7 @@ index 9680cef..d098ba0 100644
736 error = security_path_mknod(&path, dentry, mode, dev);
737 if (error)
738 goto out_drop_write;
739 -@@ -2530,6 +2703,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
740 +@@ -2530,6 +2701,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode,
741 }
742 out_drop_write:
743 mnt_drop_write(path.mnt);
744 @@ -50458,7 +50562,7 @@ index 9680cef..d098ba0 100644
745 out_dput:
746 dput(dentry);
747 mutex_unlock(&path.dentry->d_inode->i_mutex);
748 -@@ -2579,12 +2755,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode)
749 +@@ -2579,12 +2753,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode)
750 error = mnt_want_write(path.mnt);
751 if (error)
752 goto out_dput;
753 @@ -50480,7 +50584,7 @@ index 9680cef..d098ba0 100644
754 out_dput:
755 dput(dentry);
756 mutex_unlock(&path.dentry->d_inode->i_mutex);
757 -@@ -2664,6 +2849,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
758 +@@ -2664,6 +2847,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
759 char * name;
760 struct dentry *dentry;
761 struct nameidata nd;
762 @@ -50489,7 +50593,7 @@ index 9680cef..d098ba0 100644
763
764 error = user_path_parent(dfd, pathname, &nd, &name);
765 if (error)
766 -@@ -2692,6 +2879,15 @@ static long do_rmdir(int dfd, const char __user *pathname)
767 +@@ -2692,6 +2877,15 @@ static long do_rmdir(int dfd, const char __user *pathname)
768 error = -ENOENT;
769 goto exit3;
770 }
771 @@ -50505,7 +50609,7 @@ index 9680cef..d098ba0 100644
772 error = mnt_want_write(nd.path.mnt);
773 if (error)
774 goto exit3;
775 -@@ -2699,6 +2895,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
776 +@@ -2699,6 +2893,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
777 if (error)
778 goto exit4;
779 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
780 @@ -50514,7 +50618,7 @@ index 9680cef..d098ba0 100644
781 exit4:
782 mnt_drop_write(nd.path.mnt);
783 exit3:
784 -@@ -2761,6 +2959,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
785 +@@ -2761,6 +2957,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
786 struct dentry *dentry;
787 struct nameidata nd;
788 struct inode *inode = NULL;
789 @@ -50523,7 +50627,7 @@ index 9680cef..d098ba0 100644
790
791 error = user_path_parent(dfd, pathname, &nd, &name);
792 if (error)
793 -@@ -2783,6 +2983,16 @@ static long do_unlinkat(int dfd, const char __user *pathname)
794 +@@ -2783,6 +2981,16 @@ static long do_unlinkat(int dfd, const char __user *pathname)
795 if (!inode)
796 goto slashes;
797 ihold(inode);
798 @@ -50540,7 +50644,7 @@ index 9680cef..d098ba0 100644
799 error = mnt_want_write(nd.path.mnt);
800 if (error)
801 goto exit2;
802 -@@ -2790,6 +3000,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
803 +@@ -2790,6 +2998,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
804 if (error)
805 goto exit3;
806 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
807 @@ -50549,7 +50653,7 @@ index 9680cef..d098ba0 100644
808 exit3:
809 mnt_drop_write(nd.path.mnt);
810 exit2:
811 -@@ -2865,10 +3077,18 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
812 +@@ -2865,10 +3075,18 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
813 error = mnt_want_write(path.mnt);
814 if (error)
815 goto out_dput;
816 @@ -50568,7 +50672,7 @@ index 9680cef..d098ba0 100644
817 out_drop_write:
818 mnt_drop_write(path.mnt);
819 out_dput:
820 -@@ -2940,6 +3160,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
821 +@@ -2940,6 +3158,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
822 {
823 struct dentry *new_dentry;
824 struct path old_path, new_path;
825 @@ -50576,7 +50680,7 @@ index 9680cef..d098ba0 100644
826 int how = 0;
827 int error;
828
829 -@@ -2963,7 +3184,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
830 +@@ -2963,7 +3182,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
831 if (error)
832 return error;
833
834 @@ -50585,7 +50689,7 @@ index 9680cef..d098ba0 100644
835 error = PTR_ERR(new_dentry);
836 if (IS_ERR(new_dentry))
837 goto out;
838 -@@ -2974,13 +3195,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
839 +@@ -2974,13 +3193,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
840 error = mnt_want_write(new_path.mnt);
841 if (error)
842 goto out_dput;
843 @@ -50616,7 +50720,7 @@ index 9680cef..d098ba0 100644
844 dput(new_dentry);
845 mutex_unlock(&new_path.dentry->d_inode->i_mutex);
846 path_put(&new_path);
847 -@@ -3208,6 +3446,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
848 +@@ -3208,6 +3444,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
849 if (new_dentry == trap)
850 goto exit5;
851
852 @@ -50629,7 +50733,7 @@ index 9680cef..d098ba0 100644
853 error = mnt_want_write(oldnd.path.mnt);
854 if (error)
855 goto exit5;
856 -@@ -3217,6 +3461,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
857 +@@ -3217,6 +3459,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
858 goto exit6;
859 error = vfs_rename(old_dir->d_inode, old_dentry,
860 new_dir->d_inode, new_dentry);
861 @@ -50639,7 +50743,7 @@ index 9680cef..d098ba0 100644
862 exit6:
863 mnt_drop_write(oldnd.path.mnt);
864 exit5:
865 -@@ -3242,6 +3489,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
866 +@@ -3242,6 +3487,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
867
868 int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
869 {
870 @@ -50648,7 +50752,7 @@ index 9680cef..d098ba0 100644
871 int len;
872
873 len = PTR_ERR(link);
874 -@@ -3251,7 +3500,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
875 +@@ -3251,7 +3498,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
876 len = strlen(link);
877 if (len > (unsigned) buflen)
878 len = buflen;
879 @@ -68145,10 +68249,18 @@ index 703cfa33..0b8ca72ac 100644
880 void __user *, size_t *, loff_t *);
881 extern int proc_dointvec_minmax(struct ctl_table *, int,
882 diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
883 -index 7faf933..eb6f5e3 100644
884 +index 7faf933..c1ad32c 100644
885 --- a/include/linux/sysrq.h
886 +++ b/include/linux/sysrq.h
887 -@@ -36,7 +36,7 @@ struct sysrq_key_op {
888 +@@ -15,6 +15,7 @@
889 + #define _LINUX_SYSRQ_H
890 +
891 + #include <linux/errno.h>
892 ++#include <linux/compiler.h>
893 + #include <linux/types.h>
894 +
895 + /* Enable/disable SYSRQ support by default (0==no, 1==yes). */
896 +@@ -36,7 +37,7 @@ struct sysrq_key_op {
897 char *help_msg;
898 char *action_msg;
899 int enable_mask;
900 @@ -74209,7 +74321,7 @@ index ea7ec7f..23d4094 100644
901 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
902 EXPORT_SYMBOL(register_sysctl_table);
903 diff --git a/kernel/sysctl_binary.c b/kernel/sysctl_binary.c
904 -index a650694..aaeeb20 100644
905 +index a650694..d0c4f42 100644
906 --- a/kernel/sysctl_binary.c
907 +++ b/kernel/sysctl_binary.c
908 @@ -989,7 +989,7 @@ static ssize_t bin_intvec(struct file *file,
909 @@ -74266,7 +74378,19 @@ index a650694..aaeeb20 100644
910 set_fs(old_fs);
911 if (result < 0)
912 goto out;
913 -@@ -1233,7 +1233,7 @@ static ssize_t bin_dn_node_address(struct file *file,
914 +@@ -1194,9 +1194,10 @@ static ssize_t bin_dn_node_address(struct file *file,
915 +
916 + /* Convert the decnet address to binary */
917 + result = -EIO;
918 +- nodep = strchr(buf, '.') + 1;
919 ++ nodep = strchr(buf, '.');
920 + if (!nodep)
921 + goto out;
922 ++ ++nodep;
923 +
924 + area = simple_strtoul(buf, NULL, 10);
925 + node = simple_strtoul(nodep, NULL, 10);
926 +@@ -1233,7 +1234,7 @@ static ssize_t bin_dn_node_address(struct file *file,
927 le16_to_cpu(dnaddr) & 0x3ff);
928
929 set_fs(KERNEL_DS);
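Review bot: The two `simple_strtoul(..., NULL, 10)` calls that follow the new NULL check in bin_dn_node_address still discard the end pointer, so an empty or non-numeric area or node part (for example nothing after the '.') parses as 0 instead of being rejected. Passing an end pointer and checking it would close that gap, e.g. `area = simple_strtoul(buf, &end, 10);` followed by `if (end == buf || end != nodep - 1) goto out;`, with the equivalent test for `node`. Any range check on `area` and `node`, and the NUL-termination of `buf`, lie outside the hunk, so confirm this against the full function.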
930 @@ -76968,7 +77092,7 @@ index 4f4f53b..de8e432 100644
931 capable(CAP_IPC_LOCK))
932 ret = do_mlockall(flags);
933 diff --git a/mm/mmap.c b/mm/mmap.c
934 -index eae90af..09d8f77 100644
935 +index eae90af..0704837 100644
936 --- a/mm/mmap.c
937 +++ b/mm/mmap.c
938 @@ -30,6 +30,7 @@
939 @@ -77851,7 +77975,7 @@ index eae90af..09d8f77 100644
940 size = vma->vm_end - address;
941 grow = (vma->vm_start - address) >> PAGE_SHIFT;
942
943 -@@ -1786,11 +2080,22 @@ int expand_downwards(struct vm_area_struct *vma,
944 +@@ -1786,18 +2080,48 @@ int expand_downwards(struct vm_area_struct *vma,
945 if (!error) {
946 vma->vm_start = address;
947 vma->vm_pgoff -= grow;
948 @@ -77874,7 +77998,48 @@ index eae90af..09d8f77 100644
949 khugepaged_enter_vma_merge(vma);
950 return error;
951 }
952 -@@ -1860,6 +2165,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
953 +
954 ++/*
955 ++ * Note how expand_stack() refuses to expand the stack all the way to
956 ++ * abut the next virtual mapping, *unless* that mapping itself is also
957 ++ * a stack mapping. We want to leave room for a guard page, after all
958 ++ * (the guard page itself is not added here, that is done by the
959 ++ * actual page faulting logic)
960 ++ *
961 ++ * This matches the behavior of the guard page logic (see mm/memory.c:
962 ++ * check_stack_guard_page()), which only allows the guard page to be
963 ++ * removed under these circumstances.
964 ++ */
965 + #ifdef CONFIG_STACK_GROWSUP
966 + int expand_stack(struct vm_area_struct *vma, unsigned long address)
967 + {
968 ++ struct vm_area_struct *next;
969 ++
970 ++ address &= PAGE_MASK;
971 ++ next = vma->vm_next;
972 ++ if (next && next->vm_start == address + PAGE_SIZE) {
973 ++ if (!(next->vm_flags & VM_GROWSUP))
974 ++ return -ENOMEM;
975 ++ }
976 + return expand_upwards(vma, address);
977 + }
978 +
979 +@@ -1820,6 +2144,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr)
980 + #else
981 + int expand_stack(struct vm_area_struct *vma, unsigned long address)
982 + {
983 ++ struct vm_area_struct *prev;
984 ++
985 ++ address &= PAGE_MASK;
986 ++ prev = vma->vm_prev;
987 ++ if (prev && prev->vm_end == address) {
988 ++ if (!(prev->vm_flags & VM_GROWSDOWN))
989 ++ return -ENOMEM;
990 ++ }
991 + return expand_downwards(vma, address);
992 + }
993 +
994 +@@ -1860,6 +2192,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
995 do {
996 long nrpages = vma_pages(vma);
997
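Review bot: Both new expand_stack() variants refuse growth only on exact adjacency (`next->vm_start == address + PAGE_SIZE` and `prev->vm_end == address`), so the separation they preserve is a single page. The block comment should say so explicitly, for instance `* Only one page of separation is enforced here; any larger gap must come from another check.` In the CONFIG_STACK_GROWSUP variant, `address + PAGE_SIZE` is computed without a wrap guard. That is presumably unreachable for valid user addresses, but a one-line comment stating the assumption would make it reviewable.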
998 @@ -77888,7 +78053,7 @@ index eae90af..09d8f77 100644
999 mm->total_vm -= nrpages;
1000 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
1001 vma = remove_vma(vma);
1002 -@@ -1905,6 +2217,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
1003 +@@ -1905,6 +2244,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
1004 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
1005 vma->vm_prev = NULL;
1006 do {
1007 @@ -77905,7 +78070,7 @@ index eae90af..09d8f77 100644
1008 rb_erase(&vma->vm_rb, &mm->mm_rb);
1009 mm->map_count--;
1010 tail_vma = vma;
1011 -@@ -1933,14 +2255,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
1012 +@@ -1933,14 +2282,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
1013 struct vm_area_struct *new;
1014 int err = -ENOMEM;
1015
1016 @@ -77939,7 +78104,7 @@ index eae90af..09d8f77 100644
1017 /* most fields are the same, copy all, and then fixup */
1018 *new = *vma;
1019
1020 -@@ -1953,6 +2294,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
1021 +@@ -1953,6 +2321,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
1022 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
1023 }
1024
1025 @@ -77962,7 +78127,7 @@ index eae90af..09d8f77 100644
1026 pol = mpol_dup(vma_policy(vma));
1027 if (IS_ERR(pol)) {
1028 err = PTR_ERR(pol);
1029 -@@ -1978,6 +2335,42 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
1030 +@@ -1978,6 +2362,42 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
1031 else
1032 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
1033
1034 @@ -78005,7 +78170,7 @@ index eae90af..09d8f77 100644
1035 /* Success. */
1036 if (!err)
1037 return 0;
1038 -@@ -1990,10 +2383,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
1039 +@@ -1990,10 +2410,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
1040 removed_exe_file_vma(mm);
1041 fput(new->vm_file);
1042 }
1043 @@ -78025,7 +78190,7 @@ index eae90af..09d8f77 100644
1044 kmem_cache_free(vm_area_cachep, new);
1045 out_err:
1046 return err;
1047 -@@ -2006,6 +2407,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
1048 +@@ -2006,6 +2434,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
1049 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
1050 unsigned long addr, int new_below)
1051 {
1052 @@ -78041,7 +78206,7 @@ index eae90af..09d8f77 100644
1053 if (mm->map_count >= sysctl_max_map_count)
1054 return -ENOMEM;
1055
1056 -@@ -2017,11 +2427,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
1057 +@@ -2017,11 +2454,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
1058 * work. This now handles partial unmappings.
1059 * Jeremy Fitzhardinge <jeremy@××××.org>
1060 */
1061 @@ -78072,7 +78237,7 @@ index eae90af..09d8f77 100644
1062 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
1063 return -EINVAL;
1064
1065 -@@ -2096,6 +2525,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
1066 +@@ -2096,6 +2552,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
1067 /* Fix up all other VM information */
1068 remove_vma_list(mm, vma);
1069
1070 @@ -78081,7 +78246,7 @@ index eae90af..09d8f77 100644
1071 return 0;
1072 }
1073
1074 -@@ -2108,22 +2539,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
1075 +@@ -2108,22 +2566,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
1076
1077 profile_munmap(addr);
1078
1079 @@ -78110,7 +78275,7 @@ index eae90af..09d8f77 100644
1080 /*
1081 * this is really a simplified "do_mmap". it only handles
1082 * anonymous maps. eventually we may be able to do some
1083 -@@ -2137,6 +2564,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
1084 +@@ -2137,6 +2591,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
1085 struct rb_node ** rb_link, * rb_parent;
1086 pgoff_t pgoff = addr >> PAGE_SHIFT;
1087 int error;
1088 @@ -78118,7 +78283,7 @@ index eae90af..09d8f77 100644
1089
1090 len = PAGE_ALIGN(len);
1091 if (!len)
1092 -@@ -2148,16 +2576,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
1093 +@@ -2148,16 +2603,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
1094
1095 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
1096
1097 @@ -78150,7 +78315,7 @@ index eae90af..09d8f77 100644
1098 locked += mm->locked_vm;
1099 lock_limit = rlimit(RLIMIT_MEMLOCK);
1100 lock_limit >>= PAGE_SHIFT;
1101 -@@ -2174,22 +2616,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
1102 +@@ -2174,22 +2643,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
1103 /*
1104 * Clear old maps. this also does some error checking for us
1105 */
1106 @@ -78177,7 +78342,7 @@ index eae90af..09d8f77 100644
1107 return -ENOMEM;
1108
1109 /* Can we just expand an old private anonymous mapping? */
1110 -@@ -2203,7 +2645,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
1111 +@@ -2203,7 +2672,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
1112 */
1113 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
1114 if (!vma) {
1115 @@ -78186,7 +78351,7 @@ index eae90af..09d8f77 100644
1116 return -ENOMEM;
1117 }
1118
1119 -@@ -2217,11 +2659,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
1120 +@@ -2217,11 +2686,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
1121 vma_link(mm, vma, prev, rb_link, rb_parent);
1122 out:
1123 perf_event_mmap(vma);
1124 @@ -78201,7 +78366,7 @@ index eae90af..09d8f77 100644
1125 return addr;
1126 }
1127
1128 -@@ -2268,8 +2711,10 @@ void exit_mmap(struct mm_struct *mm)
1129 +@@ -2268,8 +2738,10 @@ void exit_mmap(struct mm_struct *mm)
1130 * Walk the list again, actually closing and freeing it,
1131 * with preemption enabled, without holding any MM locks.
1132 */
1133 @@ -78213,7 +78378,7 @@ index eae90af..09d8f77 100644
1134
1135 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
1136 }
1137 -@@ -2283,6 +2728,13 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
1138 +@@ -2283,6 +2755,13 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
1139 struct vm_area_struct * __vma, * prev;
1140 struct rb_node ** rb_link, * rb_parent;
1141
1142 @@ -78227,7 +78392,7 @@ index eae90af..09d8f77 100644
1143 /*
1144 * The vm_pgoff of a purely anonymous vma should be irrelevant
1145 * until its first write fault, when page's anon_vma and index
1146 -@@ -2305,7 +2757,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
1147 +@@ -2305,7 +2784,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
1148 if ((vma->vm_flags & VM_ACCOUNT) &&
1149 security_vm_enough_memory_mm(mm, vma_pages(vma)))
1150 return -ENOMEM;
1151 @@ -78250,7 +78415,7 @@ index eae90af..09d8f77 100644
1152 return 0;
1153 }
1154
1155 -@@ -2323,6 +2790,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
1156 +@@ -2323,6 +2817,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
1157 struct rb_node **rb_link, *rb_parent;
1158 struct mempolicy *pol;
1159
1160 @@ -78259,7 +78424,7 @@ index eae90af..09d8f77 100644
1161 /*
1162 * If anonymous vma has not yet been faulted, update new pgoff
1163 * to match new location, to increase its chance of merging.
1164 -@@ -2373,6 +2842,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
1165 +@@ -2373,6 +2869,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
1166 return NULL;
1167 }
1168
1169 @@ -78299,7 +78464,7 @@ index eae90af..09d8f77 100644
1170 /*
1171 * Return true if the calling process may expand its vm space by the passed
1172 * number of pages
1173 -@@ -2384,6 +2886,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
1174 +@@ -2384,6 +2913,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
1175
1176 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
1177
1178 @@ -78312,7 +78477,7 @@ index eae90af..09d8f77 100644
1179 if (cur + npages > lim)
1180 return 0;
1181 return 1;
1182 -@@ -2454,6 +2962,22 @@ int install_special_mapping(struct mm_struct *mm,
1183 +@@ -2454,6 +2989,22 @@ int install_special_mapping(struct mm_struct *mm,
1184 vma->vm_start = addr;
1185 vma->vm_end = addr + len;
1186
1187
1188 diff --git a/3.8.0/0000_README b/3.8.1/0000_README
1189 similarity index 96%
1190 rename from 3.8.0/0000_README
1191 rename to 3.8.1/0000_README
1192 index a9cab40..517c0e6 100644
1193 --- a/3.8.0/0000_README
1194 +++ b/3.8.1/0000_README
1195 @@ -2,7 +2,7 @@ README
1196 -----------------------------------------------------------------------------
1197 Individual Patch Descriptions:
1198 -----------------------------------------------------------------------------
1199 -Patch: 4420_grsecurity-2.9.1-3.8.0-201302271810.patch
1200 +Patch: 4420_grsecurity-2.9.1-3.8.1-201303012255.patch
1201 From: http://www.grsecurity.net
1202 Desc: hardened-sources base patch from upstream grsecurity
1203
1204
1205 diff --git a/3.8.0/4420_grsecurity-2.9.1-3.8.0-201302271810.patch b/3.8.1/4420_grsecurity-2.9.1-3.8.1-201303012255.patch
1206 similarity index 99%
1207 rename from 3.8.0/4420_grsecurity-2.9.1-3.8.0-201302271810.patch
1208 rename to 3.8.1/4420_grsecurity-2.9.1-3.8.1-201303012255.patch
1209 index 24c501f..b69296b 100644
1210 --- a/3.8.0/4420_grsecurity-2.9.1-3.8.0-201302271810.patch
1211 +++ b/3.8.1/4420_grsecurity-2.9.1-3.8.1-201303012255.patch
1212 @@ -252,7 +252,7 @@ index 6c72381..2fe9ae4 100644
1213
1214 pcd. [PARIDE]
1215 diff --git a/Makefile b/Makefile
1216 -index d69266c..e4f6593 100644
1217 +index 746c856..c014cfa 100644
1218 --- a/Makefile
1219 +++ b/Makefile
1220 @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
1221 @@ -5494,10 +5494,10 @@ index fc987a1..6e068ef 100644
1222 #endif
1223
1224 diff --git a/arch/parisc/include/asm/pgtable.h b/arch/parisc/include/asm/pgtable.h
1225 -index ee99f23..802b0a1 100644
1226 +index 7df49fa..38b62bf 100644
1227 --- a/arch/parisc/include/asm/pgtable.h
1228 +++ b/arch/parisc/include/asm/pgtable.h
1229 -@@ -212,6 +212,17 @@ struct vm_area_struct;
1230 +@@ -218,6 +218,17 @@ extern void purge_tlb_entries(struct mm_struct *, unsigned long);
1231 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1232 #define PAGE_COPY PAGE_EXECREAD
1233 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1234 @@ -9071,7 +9071,7 @@ index e98bfda..ea8d221 100644
1235 if (!(vma->vm_flags & (VM_READ | VM_EXEC)))
1236 goto bad_area;
1237 diff --git a/arch/sparc/mm/fault_64.c b/arch/sparc/mm/fault_64.c
1238 -index 097aee7..5ca6697 100644
1239 +index 5062ff3..e0b75f3 100644
1240 --- a/arch/sparc/mm/fault_64.c
1241 +++ b/arch/sparc/mm/fault_64.c
1242 @@ -21,6 +21,9 @@
1243 @@ -9827,7 +9827,7 @@ index ad8f795..2c7eec6 100644
1244 /*
1245 * Memory returned by kmalloc() may be used for DMA, so we must make
1246 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
1247 -index 225543b..f12405b 100644
1248 +index 0694d09..b58b3aa 100644
1249 --- a/arch/x86/Kconfig
1250 +++ b/arch/x86/Kconfig
1251 @@ -238,7 +238,7 @@ config X86_HT
1252 @@ -9874,7 +9874,7 @@ index 225543b..f12405b 100644
1253 default 0x40000000 if VMSPLIT_1G
1254 default 0xC0000000
1255 depends on X86_32
1256 -@@ -1546,6 +1547,7 @@ config SECCOMP
1257 +@@ -1542,6 +1543,7 @@ config SECCOMP
1258
1259 config CC_STACKPROTECTOR
1260 bool "Enable -fstack-protector buffer overflow detection"
1261 @@ -9882,7 +9882,7 @@ index 225543b..f12405b 100644
1262 ---help---
1263 This option turns on the -fstack-protector GCC feature. This
1264 feature puts, at the beginning of functions, a canary value on
1265 -@@ -1603,6 +1605,7 @@ config KEXEC_JUMP
1266 +@@ -1599,6 +1601,7 @@ config KEXEC_JUMP
1267 config PHYSICAL_START
1268 hex "Physical address where the kernel is loaded" if (EXPERT || CRASH_DUMP)
1269 default "0x1000000"
1270 @@ -9890,7 +9890,7 @@ index 225543b..f12405b 100644
1271 ---help---
1272 This gives the physical address where the kernel is loaded.
1273
1274 -@@ -1666,6 +1669,7 @@ config X86_NEED_RELOCS
1275 +@@ -1662,6 +1665,7 @@ config X86_NEED_RELOCS
1276 config PHYSICAL_ALIGN
1277 hex "Alignment value to which kernel should be aligned" if X86_32
1278 default "0x1000000"
1279 @@ -9898,7 +9898,7 @@ index 225543b..f12405b 100644
1280 range 0x2000 0x1000000
1281 ---help---
1282 This value puts the alignment restrictions on physical address
1283 -@@ -1741,9 +1745,10 @@ config DEBUG_HOTPLUG_CPU0
1284 +@@ -1737,9 +1741,10 @@ config DEBUG_HOTPLUG_CPU0
1285 If unsure, say N.
1286
1287 config COMPAT_VDSO
1288 @@ -19375,6 +19375,91 @@ index 1d41402..af9a46a 100644
1289 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
1290 return -EFAULT;
1291
1292 +diff --git a/arch/x86/kernel/head.c b/arch/x86/kernel/head.c
1293 +index 48d9d4e..992f442 100644
1294 +--- a/arch/x86/kernel/head.c
1295 ++++ b/arch/x86/kernel/head.c
1296 +@@ -5,8 +5,6 @@
1297 + #include <asm/setup.h>
1298 + #include <asm/bios_ebda.h>
1299 +
1300 +-#define BIOS_LOWMEM_KILOBYTES 0x413
1301 +-
1302 + /*
1303 + * The BIOS places the EBDA/XBDA at the top of conventional
1304 + * memory, and usually decreases the reported amount of
1305 +@@ -16,17 +14,30 @@
1306 + * chipset: reserve a page before VGA to prevent PCI prefetch
1307 + * into it (errata #56). Usually the page is reserved anyways,
1308 + * unless you have no PS/2 mouse plugged in.
1309 ++ *
1310 ++ * This functions is deliberately very conservative. Losing
1311 ++ * memory in the bottom megabyte is rarely a problem, as long
1312 ++ * as we have enough memory to install the trampoline. Using
1313 ++ * memory that is in use by the BIOS or by some DMA device
1314 ++ * the BIOS didn't shut down *is* a big problem.
1315 + */
1316 ++
1317 ++#define BIOS_LOWMEM_KILOBYTES 0x413
1318 ++#define LOWMEM_CAP 0x9f000U /* Absolute maximum */
1319 ++#define INSANE_CUTOFF 0x20000U /* Less than this = insane */
1320 ++
1321 + void __init reserve_ebda_region(void)
1322 + {
1323 + unsigned int lowmem, ebda_addr;
1324 +
1325 +- /* To determine the position of the EBDA and the */
1326 +- /* end of conventional memory, we need to look at */
1327 +- /* the BIOS data area. In a paravirtual environment */
1328 +- /* that area is absent. We'll just have to assume */
1329 +- /* that the paravirt case can handle memory setup */
1330 +- /* correctly, without our help. */
1331 ++ /*
1332 ++ * To determine the position of the EBDA and the
1333 ++ * end of conventional memory, we need to look at
1334 ++ * the BIOS data area. In a paravirtual environment
1335 ++ * that area is absent. We'll just have to assume
1336 ++ * that the paravirt case can handle memory setup
1337 ++ * correctly, without our help.
1338 ++ */
1339 + if (paravirt_enabled())
1340 + return;
1341 +
1342 +@@ -37,19 +48,23 @@ void __init reserve_ebda_region(void)
1343 + /* start of EBDA area */
1344 + ebda_addr = get_bios_ebda();
1345 +
1346 +- /* Fixup: bios puts an EBDA in the top 64K segment */
1347 +- /* of conventional memory, but does not adjust lowmem. */
1348 +- if ((lowmem - ebda_addr) <= 0x10000)
1349 +- lowmem = ebda_addr;
1350 ++ /*
1351 ++ * Note: some old Dells seem to need 4k EBDA without
1352 ++ * reporting so, so just consider the memory above 0x9f000
1353 ++ * to be off limits (bugzilla 2990).
1354 ++ */
1355 +
1356 +- /* Fixup: bios does not report an EBDA at all. */
1357 +- /* Some old Dells seem to need 4k anyhow (bugzilla 2990) */
1358 +- if ((ebda_addr == 0) && (lowmem >= 0x9f000))
1359 +- lowmem = 0x9f000;
1360 ++ /* If the EBDA address is below 128K, assume it is bogus */
1361 ++ if (ebda_addr < INSANE_CUTOFF)
1362 ++ ebda_addr = LOWMEM_CAP;
1363 +
1364 +- /* Paranoia: should never happen, but... */
1365 +- if ((lowmem == 0) || (lowmem >= 0x100000))
1366 +- lowmem = 0x9f000;
1367 ++ /* If lowmem is less than 128K, assume it is bogus */
1368 ++ if (lowmem < INSANE_CUTOFF)
1369 ++ lowmem = LOWMEM_CAP;
1370 ++
1371 ++ /* Use the lower of the lowmem and EBDA markers as the cutoff */
1372 ++ lowmem = min(lowmem, ebda_addr);
1373 ++ lowmem = min(lowmem, LOWMEM_CAP); /* Absolute cap */
1374 +
1375 + /* reserve all memory between lowmem and the 1MB mark */
1376 + memblock_reserve(lowmem, 0x100000 - lowmem);
1377 diff --git a/arch/x86/kernel/head32.c b/arch/x86/kernel/head32.c
1378 index c18f59d..9c0c9f6 100644
1379 --- a/arch/x86/kernel/head32.c
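Review bot: In reserve_ebda_region the "Note: some old Dells seem to need 4k EBDA" comment is now followed by a blank line and an unrelated check, while the cap it describes is applied much later at `lowmem = min(lowmem, LOWMEM_CAP);`. Moving the note next to that line would keep the rationale with the code that implements it. The new header paragraph also reads "This functions is deliberately very conservative", which should be "This function is". Finally, `memblock_reserve(lowmem, 0x100000 - lowmem)` keeps a bare 0x100000 beside the newly named LOWMEM_CAP and INSANE_CUTOFF, where a named constant for the 1MB mark would be consistent.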
1380 @@ -33144,7 +33229,7 @@ index 9d7732b..0b1a793 100644
1381 .priority = 1,
1382 };
1383 diff --git a/drivers/dma/sh/shdma.c b/drivers/dma/sh/shdma.c
1384 -index 3315e4b..fc38316 100644
1385 +index b70709b..1d8d02a 100644
1386 --- a/drivers/dma/sh/shdma.c
1387 +++ b/drivers/dma/sh/shdma.c
1388 @@ -476,7 +476,7 @@ static int sh_dmae_nmi_handler(struct notifier_block *self,
1389 @@ -33683,7 +33768,7 @@ index 6e0acad..93c8289 100644
1390 int front_offset;
1391 } drm_i810_private_t;
1392 diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c
1393 -index 9d4a2c2..32a119f 100644
1394 +index 8a7c48b..72effc2 100644
1395 --- a/drivers/gpu/drm/i915/i915_debugfs.c
1396 +++ b/drivers/gpu/drm/i915/i915_debugfs.c
1397 @@ -496,7 +496,7 @@ static int i915_interrupt_info(struct seq_file *m, void *data)
1398 @@ -33709,7 +33794,7 @@ index 99daa89..84ebd44 100644
1399 return can_switch;
1400 }
1401 diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h
1402 -index 12ab3bd..b3bed3b 100644
1403 +index 7339a4b..445aaba 100644
1404 --- a/drivers/gpu/drm/i915/i915_drv.h
1405 +++ b/drivers/gpu/drm/i915/i915_drv.h
1406 @@ -656,7 +656,7 @@ typedef struct drm_i915_private {
1407 @@ -33868,10 +33953,10 @@ index fe84338..a863190 100644
1408 iir = I915_READ(IIR);
1409
1410 diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
1411 -index da1ad9c..10d368b 100644
1412 +index 80aa1fc..1ede041 100644
1413 --- a/drivers/gpu/drm/i915/intel_display.c
1414 +++ b/drivers/gpu/drm/i915/intel_display.c
1415 -@@ -2244,7 +2244,7 @@ intel_finish_fb(struct drm_framebuffer *old_fb)
1416 +@@ -2255,7 +2255,7 @@ intel_finish_fb(struct drm_framebuffer *old_fb)
1417
1418 wait_event(dev_priv->pending_flip_queue,
1419 atomic_read(&dev_priv->mm.wedged) ||
1420 @@ -33880,7 +33965,7 @@ index da1ad9c..10d368b 100644
1421
1422 /* Big Hammer, we also need to ensure that any pending
1423 * MI_WAIT_FOR_EVENT inside a user batch buffer on the
1424 -@@ -7109,8 +7109,7 @@ static void do_intel_finish_page_flip(struct drm_device *dev,
1425 +@@ -7122,8 +7122,7 @@ static void do_intel_finish_page_flip(struct drm_device *dev,
1426
1427 obj = work->old_fb_obj;
1428
1429 @@ -33890,7 +33975,7 @@ index da1ad9c..10d368b 100644
1430 wake_up(&dev_priv->pending_flip_queue);
1431
1432 queue_work(dev_priv->wq, &work->work);
1433 -@@ -7477,7 +7476,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
1434 +@@ -7490,7 +7489,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
1435 /* Block clients from rendering to the new back buffer until
1436 * the flip occurs and the object is no longer visible.
1437 */
1438 @@ -33899,7 +33984,7 @@ index da1ad9c..10d368b 100644
1439 atomic_inc(&intel_crtc->unpin_work_count);
1440
1441 ret = dev_priv->display.queue_flip(dev, crtc, fb, obj);
1442 -@@ -7494,7 +7493,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
1443 +@@ -7507,7 +7506,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
1444
1445 cleanup_pending:
1446 atomic_dec(&intel_crtc->unpin_work_count);
1447 @@ -36566,6 +36651,27 @@ index 9382895..ac8093c 100644
1448
1449 /* debug */
1450 static int dvb_usb_dw2102_debug;
1451 +diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c
1452 +index 29b2172..a7c5b31 100644
1453 +--- a/drivers/memstick/host/r592.c
1454 ++++ b/drivers/memstick/host/r592.c
1455 +@@ -454,7 +454,7 @@ static int r592_transfer_fifo_pio(struct r592_device *dev)
1456 + /* Executes one TPC (data is read/written from small or large fifo) */
1457 + static void r592_execute_tpc(struct r592_device *dev)
1458 + {
1459 +- bool is_write = dev->req->tpc >= MS_TPC_SET_RW_REG_ADRS;
1460 ++ bool is_write;
1461 + int len, error;
1462 + u32 status, reg;
1463 +
1464 +@@ -463,6 +463,7 @@ static void r592_execute_tpc(struct r592_device *dev)
1465 + return;
1466 + }
1467 +
1468 ++ is_write = dev->req->tpc >= MS_TPC_SET_RW_REG_ADRS;
1469 + len = dev->req->long_data ?
1470 + dev->req->sg.length : dev->req->data_len;
1471 +
1472 diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c
1473 index fb69baa..cf7ad22 100644
1474 --- a/drivers/message/fusion/mptbase.c
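Review bot: In r592_execute_tpc, `is_write` is now declared without an initializer and assigned only after the early `return`, but nothing at the assignment says why it was moved. The guard itself sits outside the hunk, so this is inferred: a comment such as `/* dev->req must not be dereferenced before the check above */` on the new `is_write = dev->req->tpc >= MS_TPC_SET_RW_REG_ADRS;` line would stop a later cleanup from folding it back into the declaration. The rest of the function continues outside the hunk.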
1475 @@ -37609,7 +37715,7 @@ index daec9b0..6428fcb 100644
1476 }
1477 EXPORT_SYMBOL(free_mdio_bitbang);
1478 diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
1479 -index 0b2706a..ba1430d 100644
1480 +index 508570e..f706dc7 100644
1481 --- a/drivers/net/ppp/ppp_generic.c
1482 +++ b/drivers/net/ppp/ppp_generic.c
1483 @@ -999,7 +999,6 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
1484 @@ -40670,7 +40776,7 @@ index f9d2850..b006f04 100644
1485 tty_port_tty_set(&ch->port, tty);
1486 mutex_lock(&ch->port.mutex);
1487 diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
1488 -index dcc0430..040bef9 100644
1489 +index bfd6771..e0d93c4 100644
1490 --- a/drivers/tty/n_gsm.c
1491 +++ b/drivers/tty/n_gsm.c
1492 @@ -1636,7 +1636,7 @@ static struct gsm_dlci *gsm_dlci_alloc(struct gsm_mux *gsm, int addr)
1493 @@ -40682,7 +40788,7 @@ index dcc0430..040bef9 100644
1494 kfree(dlci);
1495 return NULL;
1496 }
1497 -@@ -2924,7 +2924,7 @@ static int gsmtty_open(struct tty_struct *tty, struct file *filp)
1498 +@@ -2936,7 +2936,7 @@ static int gsmtty_open(struct tty_struct *tty, struct file *filp)
1499 struct gsm_dlci *dlci = tty->driver_data;
1500 struct tty_port *port = &dlci->port;
1501
1502 @@ -41521,19 +41627,6 @@ index 681765b..d3ccdf2 100644
1503 if (!perm) {
1504 ret = -EPERM;
1505 goto reterr;
1506 -diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
1507 -index 8fd8968..3614c9c 100644
1508 ---- a/drivers/tty/vt/vt.c
1509 -+++ b/drivers/tty/vt/vt.c
1510 -@@ -539,7 +539,7 @@ static void insert_char(struct vc_data *vc, unsigned int nr)
1511 - {
1512 - unsigned short *p = (unsigned short *) vc->vc_pos;
1513 -
1514 -- scr_memmovew(p + nr, p, (vc->vc_cols - vc->vc_x) * 2);
1515 -+ scr_memmovew(p + nr, p, (vc->vc_cols - vc->vc_x - nr) * 2);
1516 - scr_memsetw(p, vc->vc_video_erase_char, nr * 2);
1517 - vc->vc_need_wrap = 0;
1518 - if (DO_UPDATE(vc))
1519 diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
1520 index 5110f36..8dc0a74 100644
1521 --- a/drivers/uio/uio.c
1522 @@ -42024,7 +42117,7 @@ index 5c3960d..15cf8fc 100644
1523 goto out1;
1524 }
1525 diff --git a/drivers/video/fbmem.c b/drivers/video/fbmem.c
1526 -index 3ff0105..7589d98 100644
1527 +index dc61c12..e29796e 100644
1528 --- a/drivers/video/fbmem.c
1529 +++ b/drivers/video/fbmem.c
1530 @@ -428,7 +428,7 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image,
1531 @@ -46262,7 +46355,7 @@ index b96fc6c..431d628 100644
1532 __bio_for_each_segment(bvec, bio, i, 0) {
1533 char *addr = page_address(bvec->bv_page);
1534 diff --git a/fs/block_dev.c b/fs/block_dev.c
1535 -index 172f849..6efbf24 100644
1536 +index 78333a3..23dcb4d 100644
1537 --- a/fs/block_dev.c
1538 +++ b/fs/block_dev.c
1539 @@ -651,7 +651,7 @@ static bool bd_may_claim(struct block_device *bdev, struct block_device *whole,
1540 @@ -50192,7 +50285,7 @@ index 916da8c..1588998 100644
1541 next->d_inode->i_ino,
1542 dt_type(next->d_inode)) < 0)
1543 diff --git a/fs/lockd/clntproc.c b/fs/lockd/clntproc.c
1544 -index 54f9e6c..9ed908c 100644
1545 +index 52e5120..808936e 100644
1546 --- a/fs/lockd/clntproc.c
1547 +++ b/fs/lockd/clntproc.c
1548 @@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt_cancel_ops;
1549 @@ -50235,7 +50328,7 @@ index a94e331..060bce3 100644
1550
1551 lock_flocks();
1552 diff --git a/fs/namei.c b/fs/namei.c
1553 -index 43a97ee..117e7e4 100644
1554 +index 43a97ee..4e585fd 100644
1555 --- a/fs/namei.c
1556 +++ b/fs/namei.c
1557 @@ -319,16 +319,32 @@ int generic_permission(struct inode *inode, int mask)
1558 @@ -50338,21 +50431,19 @@ index 43a97ee..117e7e4 100644
1559 put_link(nd, &link, cookie);
1560 }
1561 }
1562 -@@ -1986,6 +2004,21 @@ static int path_lookupat(int dfd, const char *name,
1563 +@@ -1986,6 +2004,19 @@ static int path_lookupat(int dfd, const char *name,
1564 if (!err)
1565 err = complete_walk(nd);
1566
1567 -+ if (!(nd->flags & LOOKUP_PARENT)) {
1568 ++ if (!err && !(nd->flags & LOOKUP_PARENT)) {
1569 +#ifdef CONFIG_GRKERNSEC
1570 + if (flags & LOOKUP_RCU) {
1571 -+ if (!err)
1572 -+ path_put(&nd->path);
1573 ++ path_put(&nd->path);
1574 + err = -ECHILD;
1575 + } else
1576 +#endif
1577 + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
1578 -+ if (!err)
1579 -+ path_put(&nd->path);
1580 ++ path_put(&nd->path);
1581 + err = -ENOENT;
1582 + }
1583 + }
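Review bot: The `} else` / `#endif` / `if (!gr_acl_handle_hidden_file(...))` sequence in the added path_lookupat block leaves an unbraced else that exists only when CONFIG_GRKERNSEC is set, so the hidden-file test is an else-branch in one configuration and a free-standing statement in the other; bracing both arms inside the `#ifdef` would make that explicit. The `LOOKUP_RCU` arm tests the `flags` argument rather than `nd->flags` and turns a successful walk into `-ECHILD`. Presumably this forces a retry in ref-walk mode so the ACL check runs with references held, and a comment such as `/* discard the RCU-walk result so the hidden-file check runs in ref-walk */` would record that intent. With `!err` moved into the outer condition, both `path_put(&nd->path)` calls now run only after complete_walk() succeeded; the rest of path_lookupat lies outside the hunk.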
1584 @@ -50360,7 +50451,7 @@ index 43a97ee..117e7e4 100644
1585 if (!err && nd->flags & LOOKUP_DIRECTORY) {
1586 if (!nd->inode->i_op->lookup) {
1587 path_put(&nd->path);
1588 -@@ -2013,8 +2046,17 @@ static int filename_lookup(int dfd, struct filename *name,
1589 +@@ -2013,8 +2044,17 @@ static int filename_lookup(int dfd, struct filename *name,
1590 retval = path_lookupat(dfd, name->name,
1591 flags | LOOKUP_REVAL, nd);
1592
1593 @@ -50379,7 +50470,7 @@ index 43a97ee..117e7e4 100644
1594 return retval;
1595 }
1596
1597 -@@ -2392,6 +2434,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
1598 +@@ -2392,6 +2432,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
1599 if (flag & O_NOATIME && !inode_owner_or_capable(inode))
1600 return -EPERM;
1601
1602 @@ -50393,7 +50484,7 @@ index 43a97ee..117e7e4 100644
1603 return 0;
1604 }
1605
1606 -@@ -2613,7 +2662,7 @@ looked_up:
1607 +@@ -2613,7 +2660,7 @@ looked_up:
1608 * cleared otherwise prior to returning.
1609 */
1610 static int lookup_open(struct nameidata *nd, struct path *path,
1611 @@ -50402,7 +50493,7 @@ index 43a97ee..117e7e4 100644
1612 const struct open_flags *op,
1613 bool got_write, int *opened)
1614 {
1615 -@@ -2648,6 +2697,17 @@ static int lookup_open(struct nameidata *nd, struct path *path,
1616 +@@ -2648,6 +2695,17 @@ static int lookup_open(struct nameidata *nd, struct path *path,
1617 /* Negative dentry, just create the file */
1618 if (!dentry->d_inode && (op->open_flag & O_CREAT)) {
1619 umode_t mode = op->mode;
1620 @@ -50420,7 +50511,7 @@ index 43a97ee..117e7e4 100644
1621 if (!IS_POSIXACL(dir->d_inode))
1622 mode &= ~current_umask();
1623 /*
1624 -@@ -2669,6 +2729,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
1625 +@@ -2669,6 +2727,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
1626 nd->flags & LOOKUP_EXCL);
1627 if (error)
1628 goto out_dput;
1629 @@ -50429,7 +50520,7 @@ index 43a97ee..117e7e4 100644
1630 }
1631 out_no_open:
1632 path->dentry = dentry;
1633 -@@ -2683,7 +2745,7 @@ out_dput:
1634 +@@ -2683,7 +2743,7 @@ out_dput:
1635 /*
1636 * Handle the last step of open()
1637 */
1638 @@ -50438,7 +50529,7 @@ index 43a97ee..117e7e4 100644
1639 struct file *file, const struct open_flags *op,
1640 int *opened, struct filename *name)
1641 {
1642 -@@ -2712,16 +2774,44 @@ static int do_last(struct nameidata *nd, struct path *path,
1643 +@@ -2712,16 +2772,44 @@ static int do_last(struct nameidata *nd, struct path *path,
1644 error = complete_walk(nd);
1645 if (error)
1646 return error;
1647 @@ -50483,7 +50574,7 @@ index 43a97ee..117e7e4 100644
1648 audit_inode(name, dir, 0);
1649 goto finish_open;
1650 }
1651 -@@ -2770,7 +2860,7 @@ retry_lookup:
1652 +@@ -2770,7 +2858,7 @@ retry_lookup:
1653 */
1654 }
1655 mutex_lock(&dir->d_inode->i_mutex);
1656 @@ -50492,7 +50583,7 @@ index 43a97ee..117e7e4 100644
1657 mutex_unlock(&dir->d_inode->i_mutex);
1658
1659 if (error <= 0) {
1660 -@@ -2794,11 +2884,28 @@ retry_lookup:
1661 +@@ -2794,11 +2882,28 @@ retry_lookup:
1662 goto finish_open_created;
1663 }
1664
1665 @@ -50522,7 +50613,7 @@ index 43a97ee..117e7e4 100644
1666
1667 /*
1668 * If atomic_open() acquired write access it is dropped now due to
1669 -@@ -2839,6 +2946,11 @@ finish_lookup:
1670 +@@ -2839,6 +2944,11 @@ finish_lookup:
1671 }
1672 }
1673 BUG_ON(inode != path->dentry->d_inode);
1674 @@ -50534,7 +50625,7 @@ index 43a97ee..117e7e4 100644
1675 return 1;
1676 }
1677
1678 -@@ -2848,7 +2960,6 @@ finish_lookup:
1679 +@@ -2848,7 +2958,6 @@ finish_lookup:
1680 save_parent.dentry = nd->path.dentry;
1681 save_parent.mnt = mntget(path->mnt);
1682 nd->path.dentry = path->dentry;
1683 @@ -50542,7 +50633,7 @@ index 43a97ee..117e7e4 100644
1684 }
1685 nd->inode = inode;
1686 /* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */
1687 -@@ -2857,6 +2968,22 @@ finish_lookup:
1688 +@@ -2857,6 +2966,22 @@ finish_lookup:
1689 path_put(&save_parent);
1690 return error;
1691 }
1692 @@ -50565,7 +50656,7 @@ index 43a97ee..117e7e4 100644
1693 error = -EISDIR;
1694 if ((open_flag & O_CREAT) && S_ISDIR(nd->inode->i_mode))
1695 goto out;
1696 -@@ -2955,7 +3082,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
1697 +@@ -2955,7 +3080,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
1698 if (unlikely(error))
1699 goto out;
1700
1701 @@ -50574,7 +50665,7 @@ index 43a97ee..117e7e4 100644
1702 while (unlikely(error > 0)) { /* trailing symlink */
1703 struct path link = path;
1704 void *cookie;
1705 -@@ -2973,7 +3100,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
1706 +@@ -2973,7 +3098,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
1707 error = follow_link(&link, nd, &cookie);
1708 if (unlikely(error))
1709 break;
1710 @@ -50583,7 +50674,7 @@ index 43a97ee..117e7e4 100644
1711 put_link(nd, &link, cookie);
1712 }
1713 out:
1714 -@@ -3073,8 +3200,12 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
1715 +@@ -3073,8 +3198,12 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
1716 goto unlock;
1717
1718 error = -EEXIST;
1719 @@ -50597,7 +50688,7 @@ index 43a97ee..117e7e4 100644
1720 /*
1721 * Special case - lookup gave negative, but... we had foo/bar/
1722 * From the vfs_mknod() POV we just have a negative dentry -
1723 -@@ -3126,6 +3257,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
1724 +@@ -3126,6 +3255,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
1725 }
1726 EXPORT_SYMBOL(user_path_create);
1727
1728 @@ -50618,7 +50709,7 @@ index 43a97ee..117e7e4 100644
1729 int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
1730 {
1731 int error = may_create(dir, dentry);
1732 -@@ -3188,6 +3333,17 @@ retry:
1733 +@@ -3188,6 +3331,17 @@ retry:
1734
1735 if (!IS_POSIXACL(path.dentry->d_inode))
1736 mode &= ~current_umask();
1737 @@ -50636,7 +50727,7 @@ index 43a97ee..117e7e4 100644
1738 error = security_path_mknod(&path, dentry, mode, dev);
1739 if (error)
1740 goto out;
1741 -@@ -3204,6 +3360,8 @@ retry:
1742 +@@ -3204,6 +3358,8 @@ retry:
1743 break;
1744 }
1745 out:
1746 @@ -50645,7 +50736,7 @@ index 43a97ee..117e7e4 100644
1747 done_path_create(&path, dentry);
1748 if (retry_estale(error, lookup_flags)) {
1749 lookup_flags |= LOOKUP_REVAL;
1750 -@@ -3256,9 +3414,16 @@ retry:
1751 +@@ -3256,9 +3412,16 @@ retry:
1752
1753 if (!IS_POSIXACL(path.dentry->d_inode))
1754 mode &= ~current_umask();
1755 @@ -50662,7 +50753,7 @@ index 43a97ee..117e7e4 100644
1756 done_path_create(&path, dentry);
1757 if (retry_estale(error, lookup_flags)) {
1758 lookup_flags |= LOOKUP_REVAL;
1759 -@@ -3339,6 +3504,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
1760 +@@ -3339,6 +3502,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
1761 struct filename *name;
1762 struct dentry *dentry;
1763 struct nameidata nd;
1764 @@ -50671,7 +50762,7 @@ index 43a97ee..117e7e4 100644
1765 unsigned int lookup_flags = 0;
1766 retry:
1767 name = user_path_parent(dfd, pathname, &nd, lookup_flags);
1768 -@@ -3371,10 +3538,21 @@ retry:
1769 +@@ -3371,10 +3536,21 @@ retry:
1770 error = -ENOENT;
1771 goto exit3;
1772 }
1773 @@ -50693,7 +50784,7 @@ index 43a97ee..117e7e4 100644
1774 exit3:
1775 dput(dentry);
1776 exit2:
1777 -@@ -3440,6 +3618,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
1778 +@@ -3440,6 +3616,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
1779 struct dentry *dentry;
1780 struct nameidata nd;
1781 struct inode *inode = NULL;
1782 @@ -50702,7 +50793,7 @@ index 43a97ee..117e7e4 100644
1783 unsigned int lookup_flags = 0;
1784 retry:
1785 name = user_path_parent(dfd, pathname, &nd, lookup_flags);
1786 -@@ -3466,10 +3646,22 @@ retry:
1787 +@@ -3466,10 +3644,22 @@ retry:
1788 if (!inode)
1789 goto slashes;
1790 ihold(inode);
1791 @@ -50725,7 +50816,7 @@ index 43a97ee..117e7e4 100644
1792 exit2:
1793 dput(dentry);
1794 }
1795 -@@ -3547,9 +3739,17 @@ retry:
1796 +@@ -3547,9 +3737,17 @@ retry:
1797 if (IS_ERR(dentry))
1798 goto out_putname;
1799
1800 @@ -50743,7 +50834,7 @@ index 43a97ee..117e7e4 100644
1801 done_path_create(&path, dentry);
1802 if (retry_estale(error, lookup_flags)) {
1803 lookup_flags |= LOOKUP_REVAL;
1804 -@@ -3623,6 +3823,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
1805 +@@ -3623,6 +3821,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
1806 {
1807 struct dentry *new_dentry;
1808 struct path old_path, new_path;
1809 @@ -50751,7 +50842,7 @@ index 43a97ee..117e7e4 100644
1810 int how = 0;
1811 int error;
1812
1813 -@@ -3646,7 +3847,7 @@ retry:
1814 +@@ -3646,7 +3845,7 @@ retry:
1815 if (error)
1816 return error;
1817
1818 @@ -50760,7 +50851,7 @@ index 43a97ee..117e7e4 100644
1819 (how & LOOKUP_REVAL));
1820 error = PTR_ERR(new_dentry);
1821 if (IS_ERR(new_dentry))
1822 -@@ -3658,11 +3859,28 @@ retry:
1823 +@@ -3658,11 +3857,28 @@ retry:
1824 error = may_linkat(&old_path);
1825 if (unlikely(error))
1826 goto out_dput;
1827 @@ -50789,7 +50880,7 @@ index 43a97ee..117e7e4 100644
1828 done_path_create(&new_path, new_dentry);
1829 if (retry_estale(error, how)) {
1830 how |= LOOKUP_REVAL;
1831 -@@ -3908,12 +4126,21 @@ retry:
1832 +@@ -3908,12 +4124,21 @@ retry:
1833 if (new_dentry == trap)
1834 goto exit5;
1835
1836 @@ -50811,7 +50902,7 @@ index 43a97ee..117e7e4 100644
1837 exit5:
1838 dput(new_dentry);
1839 exit4:
1840 -@@ -3945,6 +4172,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
1841 +@@ -3945,6 +4170,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
1842
1843 int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
1844 {
1845 @@ -50820,7 +50911,7 @@ index 43a97ee..117e7e4 100644
1846 int len;
1847
1848 len = PTR_ERR(link);
1849 -@@ -3954,7 +4183,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
1850 +@@ -3954,7 +4181,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
1851 len = strlen(link);
1852 if (len > (unsigned) buflen)
1853 len = buflen;
1854 @@ -50837,7 +50928,7 @@ index 43a97ee..117e7e4 100644
1855 out:
1856 return len;
1857 diff --git a/fs/namespace.c b/fs/namespace.c
1858 -index 55605c5..f2908c8 100644
1859 +index a51054f..f9b53e5 100644
1860 --- a/fs/namespace.c
1861 +++ b/fs/namespace.c
1862 @@ -1215,6 +1215,9 @@ static int do_umount(struct mount *mnt, int flags)
1863 @@ -50850,7 +50941,7 @@ index 55605c5..f2908c8 100644
1864 return retval;
1865 }
1866
1867 -@@ -1234,9 +1237,20 @@ static int do_umount(struct mount *mnt, int flags)
1868 +@@ -1234,6 +1237,9 @@ static int do_umount(struct mount *mnt, int flags)
1869 br_write_unlock(&vfsmount_lock);
1870 up_write(&namespace_sem);
1871 release_mounts(&umount_list);
1872 @@ -50860,85 +50951,7 @@ index 55605c5..f2908c8 100644
1873 return retval;
1874 }
1875
1876 -+/*
1877 -+ * Is the caller allowed to modify his namespace?
1878 -+ */
1879 -+static inline bool may_mount(void)
1880 -+{
1881 -+ return ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_ADMIN);
1882 -+}
1883 -+
1884 - /*
1885 - * Now umount can handle mount points as well as block devices.
1886 - * This is important for filesystems which use unnamed block devices.
1887 -@@ -1255,6 +1269,9 @@ SYSCALL_DEFINE2(umount, char __user *, name, int, flags)
1888 - if (flags & ~(MNT_FORCE | MNT_DETACH | MNT_EXPIRE | UMOUNT_NOFOLLOW))
1889 - return -EINVAL;
1890 -
1891 -+ if (!may_mount())
1892 -+ return -EPERM;
1893 -+
1894 - if (!(flags & UMOUNT_NOFOLLOW))
1895 - lookup_flags |= LOOKUP_FOLLOW;
1896 -
1897 -@@ -1268,10 +1285,6 @@ SYSCALL_DEFINE2(umount, char __user *, name, int, flags)
1898 - if (!check_mnt(mnt))
1899 - goto dput_and_out;
1900 -
1901 -- retval = -EPERM;
1902 -- if (!ns_capable(mnt->mnt_ns->user_ns, CAP_SYS_ADMIN))
1903 -- goto dput_and_out;
1904 --
1905 - retval = do_umount(mnt, flags);
1906 - dput_and_out:
1907 - /* we mustn't call path_put() as that would clear mnt_expiry_mark */
1908 -@@ -1295,7 +1308,7 @@ SYSCALL_DEFINE1(oldumount, char __user *, name)
1909 -
1910 - static int mount_is_safe(struct path *path)
1911 - {
1912 -- if (ns_capable(real_mount(path->mnt)->mnt_ns->user_ns, CAP_SYS_ADMIN))
1913 -+ if (may_mount())
1914 - return 0;
1915 - return -EPERM;
1916 - #ifdef notyet
1917 -@@ -1633,7 +1646,7 @@ static int do_change_type(struct path *path, int flag)
1918 - int type;
1919 - int err = 0;
1920 -
1921 -- if (!ns_capable(mnt->mnt_ns->user_ns, CAP_SYS_ADMIN))
1922 -+ if (!may_mount())
1923 - return -EPERM;
1924 -
1925 - if (path->dentry != path->mnt->mnt_root)
1926 -@@ -1797,7 +1810,7 @@ static int do_move_mount(struct path *path, const char *old_name)
1927 - struct mount *p;
1928 - struct mount *old;
1929 - int err = 0;
1930 -- if (!ns_capable(real_mount(path->mnt)->mnt_ns->user_ns, CAP_SYS_ADMIN))
1931 -+ if (!may_mount())
1932 - return -EPERM;
1933 - if (!old_name || !*old_name)
1934 - return -EINVAL;
1935 -@@ -1933,16 +1946,14 @@ static int do_new_mount(struct path *path, const char *fstype, int flags,
1936 - int mnt_flags, const char *name, void *data)
1937 - {
1938 - struct file_system_type *type;
1939 -- struct user_namespace *user_ns;
1940 -+ struct user_namespace *user_ns = current->nsproxy->mnt_ns->user_ns;
1941 - struct vfsmount *mnt;
1942 - int err;
1943 -
1944 - if (!fstype)
1945 - return -EINVAL;
1946 -
1947 -- /* we need capabilities... */
1948 -- user_ns = real_mount(path->mnt)->mnt_ns->user_ns;
1949 -- if (!ns_capable(user_ns, CAP_SYS_ADMIN))
1950 -+ if (!may_mount())
1951 - return -EPERM;
1952 -
1953 - type = get_fs_type(fstype);
1954 -@@ -2282,6 +2293,16 @@ long do_mount(const char *dev_name, const char *dir_name,
1955 +@@ -2287,6 +2293,16 @@ long do_mount(const char *dev_name, const char *dir_name,
1956 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
1957 MS_STRICTATIME);
1958
1959 @@ -50955,7 +50968,7 @@ index 55605c5..f2908c8 100644
1960 if (flags & MS_REMOUNT)
1961 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
1962 data_page);
1963 -@@ -2296,6 +2317,9 @@ long do_mount(const char *dev_name, const char *dir_name,
1964 +@@ -2301,6 +2317,9 @@ long do_mount(const char *dev_name, const char *dir_name,
1965 dev_name, data_page);
1966 dput_out:
1967 path_put(&path);
1968 @@ -50965,16 +50978,7 @@ index 55605c5..f2908c8 100644
1969 return retval;
1970 }
1971
1972 -@@ -2567,7 +2591,7 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
1973 - struct mount *new_mnt, *root_mnt;
1974 - int error;
1975 -
1976 -- if (!ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_ADMIN))
1977 -+ if (!may_mount())
1978 - return -EPERM;
1979 -
1980 - error = user_path_dir(new_root, &new);
1981 -@@ -2582,6 +2606,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
1982 +@@ -2587,6 +2606,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
1983 if (error)
1984 goto out2;
1985
1986 @@ -50986,7 +50990,7 @@ index 55605c5..f2908c8 100644
1987 get_fs_root(current->fs, &root);
1988 error = lock_mount(&old);
1989 if (error)
1990 -@@ -2785,7 +2814,7 @@ static int mntns_install(struct nsproxy *nsproxy, void *ns)
1991 +@@ -2790,7 +2814,7 @@ static int mntns_install(struct nsproxy *nsproxy, void *ns)
1992 !nsown_capable(CAP_SYS_ADMIN))
1993 return -EPERM;
1994
1995 @@ -67510,10 +67514,18 @@ index 14a8ff2..21fe4c7 100644
1996 void __user *, size_t *, loff_t *);
1997 extern int proc_dointvec_minmax(struct ctl_table *, int,
1998 diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
1999 -index 7faf933..eb6f5e3 100644
2000 +index 7faf933..c1ad32c 100644
2001 --- a/include/linux/sysrq.h
2002 +++ b/include/linux/sysrq.h
2003 -@@ -36,7 +36,7 @@ struct sysrq_key_op {
2004 +@@ -15,6 +15,7 @@
2005 + #define _LINUX_SYSRQ_H
2006 +
2007 + #include <linux/errno.h>
2008 ++#include <linux/compiler.h>
2009 + #include <linux/types.h>
2010 +
2011 + /* Enable/disable SYSRQ support by default (0==no, 1==yes). */
2012 +@@ -36,7 +37,7 @@ struct sysrq_key_op {
2013 char *help_msg;
2014 char *action_msg;
2015 int enable_mask;
2016 @@ -68218,7 +68230,7 @@ index fdeb85a..0c554d5 100644
2017
2018 /* Structure to track chunk fragments that have been acked, but peer
2019 diff --git a/include/net/sock.h b/include/net/sock.h
2020 -index 182ca99..b7dc290 100644
2021 +index 25afaa0..8bb0070 100644
2022 --- a/include/net/sock.h
2023 +++ b/include/net/sock.h
2024 @@ -322,7 +322,7 @@ struct sock {
2025 @@ -70501,7 +70513,7 @@ index c535f33..1d768f9 100644
2026 else
2027 new_fs = fs;
2028 diff --git a/kernel/futex.c b/kernel/futex.c
2029 -index 19eb089..b8c65ea 100644
2030 +index 8879430..31696f1 100644
2031 --- a/kernel/futex.c
2032 +++ b/kernel/futex.c
2033 @@ -54,6 +54,7 @@
2034 @@ -70524,7 +70536,7 @@ index 19eb089..b8c65ea 100644
2035 /*
2036 * The futex address must be "naturally" aligned.
2037 */
2038 -@@ -2733,6 +2739,7 @@ static int __init futex_init(void)
2039 +@@ -2731,6 +2737,7 @@ static int __init futex_init(void)
2040 {
2041 u32 curval;
2042 int i;
2043 @@ -70532,7 +70544,7 @@ index 19eb089..b8c65ea 100644
2044
2045 /*
2046 * This will fail and we want it. Some arch implementations do
2047 -@@ -2744,8 +2751,11 @@ static int __init futex_init(void)
2048 +@@ -2742,8 +2749,11 @@ static int __init futex_init(void)
2049 * implementation, the non-functional ones will return
2050 * -ENOSYS.
2051 */
2052 @@ -70570,7 +70582,7 @@ index 9b22d03..6295b62 100644
2053 prev->next = info->next;
2054 else
2055 diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c
2056 -index 6db7a5e..0d600bd 100644
2057 +index cdd5607..c3fc919 100644
2058 --- a/kernel/hrtimer.c
2059 +++ b/kernel/hrtimer.c
2060 @@ -1407,7 +1407,7 @@ void hrtimer_peek_ahead_timers(void)
2061 @@ -72054,10 +72066,10 @@ index f2c6a68..4922d97 100644
2062 {
2063 struct pid *pid;
2064 diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c
2065 -index a278cad..bff5bd3 100644
2066 +index 942ca27..111e609 100644
2067 --- a/kernel/posix-cpu-timers.c
2068 +++ b/kernel/posix-cpu-timers.c
2069 -@@ -1557,14 +1557,14 @@ struct k_clock clock_posix_cpu = {
2070 +@@ -1576,14 +1576,14 @@ struct k_clock clock_posix_cpu = {
2071
2072 static __init int init_posix_cpu_timers(void)
2073 {
2074 @@ -73884,7 +73896,7 @@ index c88878d..99d321b 100644
2075 EXPORT_SYMBOL(proc_doulongvec_minmax);
2076 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
2077 diff --git a/kernel/sysctl_binary.c b/kernel/sysctl_binary.c
2078 -index 5a63844..25dfc5c 100644
2079 +index 5a63844..a199f50 100644
2080 --- a/kernel/sysctl_binary.c
2081 +++ b/kernel/sysctl_binary.c
2082 @@ -989,7 +989,7 @@ static ssize_t bin_intvec(struct file *file,
2083 @@ -73941,7 +73953,19 @@ index 5a63844..25dfc5c 100644
2084 set_fs(old_fs);
2085 if (result < 0)
2086 goto out;
2087 -@@ -1233,7 +1233,7 @@ static ssize_t bin_dn_node_address(struct file *file,
2088 +@@ -1194,9 +1194,10 @@ static ssize_t bin_dn_node_address(struct file *file,
2089 +
2090 + /* Convert the decnet address to binary */
2091 + result = -EIO;
2092 +- nodep = strchr(buf, '.') + 1;
2093 ++ nodep = strchr(buf, '.');
2094 + if (!nodep)
2095 + goto out;
2096 ++ ++nodep;
2097 +
2098 + area = simple_strtoul(buf, NULL, 10);
2099 + node = simple_strtoul(nodep, NULL, 10);
2100 +@@ -1233,7 +1234,7 @@ static ssize_t bin_dn_node_address(struct file *file,
2101 le16_to_cpu(dnaddr) & 0x3ff);
2102
2103 set_fs(KERNEL_DS);
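Review bot: The reordered NULL test in bin_dn_node_address is easy to regress, because the old form `strchr(buf, '.') + 1` looks equivalent but can never be NULL, which left the `goto out` unreachable when the dot was missing. A one-line comment above the test would pin that, e.g. `/* test before advancing: strchr() + 1 is never NULL */`. The two `simple_strtoul(..., NULL, 10)` calls that follow pass no end pointer, so trailing characters after either number are accepted silently; whether area and node are range-checked afterwards is outside this hunk.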
2104 @@ -74931,6 +74955,26 @@ index 5e396ac..58d5de1 100644
2105 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
2106 "stack [addr=%p]\n", addr);
2107 }
2108 +diff --git a/lib/idr.c b/lib/idr.c
2109 +index 6482390..ca5aa00 100644
2110 +--- a/lib/idr.c
2111 ++++ b/lib/idr.c
2112 +@@ -625,7 +625,14 @@ void *idr_get_next(struct idr *idp, int *nextidp)
2113 + return p;
2114 + }
2115 +
2116 +- id += 1 << n;
2117 ++ /*
2118 ++ * Proceed to the next layer at the current level. Unlike
2119 ++ * idr_for_each(), @id isn't guaranteed to be aligned to
2120 ++ * layer boundary at this point and adding 1 << n may
2121 ++ * incorrectly skip IDs. Make sure we jump to the
2122 ++ * beginning of the next layer using round_up().
2123 ++ */
2124 ++ id = round_up(id + 1, 1 << n);
2125 + while (n < fls(id)) {
2126 + n += IDR_BITS;
2127 + p = *--paa;
2128 diff --git a/lib/inflate.c b/lib/inflate.c
2129 index 013a761..c28f3fc 100644
2130 --- a/lib/inflate.c
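Review bot: `round_up(id + 1, 1 << n)` in idr_get_next is evaluated in int (assuming `id` is an int, as the `int *nextidp` parameter suggests), so for an id near the top of the range the sum or the rounded result can pass INT_MAX, and `1 << n` is undefined once n reaches the width of int. Whether the loop bound outside this hunk keeps id and n below those limits is not visible here. If it does, the added comment should say so next to the explanation of the alignment fix, e.g. `/* relies on the loop bound: id + 1 and 1 << n must not overflow int */`; if it does not, the assignment needs a guard. The loop containing this line starts and ends outside the hunk.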
2131 @@ -76511,7 +76555,7 @@ index c9bd528..da8d069 100644
2132 capable(CAP_IPC_LOCK))
2133 ret = do_mlockall(flags);
2134 diff --git a/mm/mmap.c b/mm/mmap.c
2135 -index d1e4124..32a6988 100644
2136 +index d1e4124..7d36e4f 100644
2137 --- a/mm/mmap.c
2138 +++ b/mm/mmap.c
2139 @@ -32,6 +32,7 @@
2140 @@ -77257,7 +77301,51 @@ index d1e4124..32a6988 100644
2141 spin_unlock(&vma->vm_mm->page_table_lock);
2142
2143 perf_event_mmap(vma);
2144 -@@ -2236,6 +2544,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
2145 +@@ -2169,9 +2477,28 @@ int expand_downwards(struct vm_area_struct *vma,
2146 + return error;
2147 + }
2148 +
2149 ++/*
2150 ++ * Note how expand_stack() refuses to expand the stack all the way to
2151 ++ * abut the next virtual mapping, *unless* that mapping itself is also
2152 ++ * a stack mapping. We want to leave room for a guard page, after all
2153 ++ * (the guard page itself is not added here, that is done by the
2154 ++ * actual page faulting logic)
2155 ++ *
2156 ++ * This matches the behavior of the guard page logic (see mm/memory.c:
2157 ++ * check_stack_guard_page()), which only allows the guard page to be
2158 ++ * removed under these circumstances.
2159 ++ */
2160 + #ifdef CONFIG_STACK_GROWSUP
2161 + int expand_stack(struct vm_area_struct *vma, unsigned long address)
2162 + {
2163 ++ struct vm_area_struct *next;
2164 ++
2165 ++ address &= PAGE_MASK;
2166 ++ next = vma->vm_next;
2167 ++ if (next && next->vm_start == address + PAGE_SIZE) {
2168 ++ if (!(next->vm_flags & VM_GROWSUP))
2169 ++ return -ENOMEM;
2170 ++ }
2171 + return expand_upwards(vma, address);
2172 + }
2173 +
2174 +@@ -2194,6 +2521,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr)
2175 + #else
2176 + int expand_stack(struct vm_area_struct *vma, unsigned long address)
2177 + {
2178 ++ struct vm_area_struct *prev;
2179 ++
2180 ++ address &= PAGE_MASK;
2181 ++ prev = vma->vm_prev;
2182 ++ if (prev && prev->vm_end == address) {
2183 ++ if (!(prev->vm_flags & VM_GROWSDOWN))
2184 ++ return -ENOMEM;
2185 ++ }
2186 + return expand_downwards(vma, address);
2187 + }
2188 +
2189 +@@ -2236,6 +2571,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
2190 do {
2191 long nrpages = vma_pages(vma);
2192
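Review bot: Both expand_stack() variants refuse growth only on exact adjacency (`next->vm_start == address + PAGE_SIZE`, `prev->vm_end == address`), so the gap they preserve is a fixed single page. A stack adjustment that moves by more than one page is not covered by this test; whether expand_upwards()/expand_downwards() or the fault path catch that case is outside the hunk. The block comment sits above the CONFIG_STACK_GROWSUP variant and speaks only of "the next virtual mapping", while the `#else` variant checks `vma->vm_prev`; a line such as `/* grows-down case: the neighbour checked is vma->vm_prev */` above the second function would keep the two in step. Neither function states the locking it relies on when reading `vm_next`/`vm_prev`; presumably the caller holds mmap_sem, which is worth stating in the comment.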
2193 @@ -77271,7 +77359,7 @@ index d1e4124..32a6988 100644
2194 if (vma->vm_flags & VM_ACCOUNT)
2195 nr_accounted += nrpages;
2196 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
2197 -@@ -2281,6 +2596,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
2198 +@@ -2281,6 +2623,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
2199 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
2200 vma->vm_prev = NULL;
2201 do {
2202 @@ -77288,7 +77376,7 @@ index d1e4124..32a6988 100644
2203 vma_rb_erase(vma, &mm->mm_rb);
2204 mm->map_count--;
2205 tail_vma = vma;
2206 -@@ -2312,14 +2637,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
2207 +@@ -2312,14 +2664,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
2208 struct vm_area_struct *new;
2209 int err = -ENOMEM;
2210
2211 @@ -77322,7 +77410,7 @@ index d1e4124..32a6988 100644
2212 /* most fields are the same, copy all, and then fixup */
2213 *new = *vma;
2214
2215 -@@ -2332,6 +2676,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
2216 +@@ -2332,6 +2703,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
2217 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
2218 }
2219
2220 @@ -77345,7 +77433,7 @@ index d1e4124..32a6988 100644
2221 pol = mpol_dup(vma_policy(vma));
2222 if (IS_ERR(pol)) {
2223 err = PTR_ERR(pol);
2224 -@@ -2354,6 +2714,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
2225 +@@ -2354,6 +2741,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
2226 else
2227 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
2228
2229 @@ -77382,7 +77470,7 @@ index d1e4124..32a6988 100644
2230 /* Success. */
2231 if (!err)
2232 return 0;
2233 -@@ -2363,10 +2753,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
2234 +@@ -2363,10 +2780,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
2235 new->vm_ops->close(new);
2236 if (new->vm_file)
2237 fput(new->vm_file);
2238 @@ -77402,7 +77490,7 @@ index d1e4124..32a6988 100644
2239 kmem_cache_free(vm_area_cachep, new);
2240 out_err:
2241 return err;
2242 -@@ -2379,6 +2777,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
2243 +@@ -2379,6 +2804,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
2244 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
2245 unsigned long addr, int new_below)
2246 {
2247 @@ -77418,7 +77506,7 @@ index d1e4124..32a6988 100644
2248 if (mm->map_count >= sysctl_max_map_count)
2249 return -ENOMEM;
2250
2251 -@@ -2390,11 +2797,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
2252 +@@ -2390,11 +2824,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
2253 * work. This now handles partial unmappings.
2254 * Jeremy Fitzhardinge <jeremy@××××.org>
2255 */
2256 @@ -77449,7 +77537,7 @@ index d1e4124..32a6988 100644
2257 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
2258 return -EINVAL;
2259
2260 -@@ -2469,6 +2895,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
2261 +@@ -2469,6 +2922,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
2262 /* Fix up all other VM information */
2263 remove_vma_list(mm, vma);
2264
2265 @@ -77458,7 +77546,7 @@ index d1e4124..32a6988 100644
2266 return 0;
2267 }
2268
2269 -@@ -2477,6 +2905,13 @@ int vm_munmap(unsigned long start, size_t len)
2270 +@@ -2477,6 +2932,13 @@ int vm_munmap(unsigned long start, size_t len)
2271 int ret;
2272 struct mm_struct *mm = current->mm;
2273
2274 @@ -77472,7 +77560,7 @@ index d1e4124..32a6988 100644
2275 down_write(&mm->mmap_sem);
2276 ret = do_munmap(mm, start, len);
2277 up_write(&mm->mmap_sem);
2278 -@@ -2490,16 +2925,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
2279 +@@ -2490,16 +2952,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
2280 return vm_munmap(addr, len);
2281 }
2282
2283 @@ -77489,7 +77577,7 @@ index d1e4124..32a6988 100644
2284 /*
2285 * this is really a simplified "do_mmap". it only handles
2286 * anonymous maps. eventually we may be able to do some
2287 -@@ -2513,6 +2938,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
2288 +@@ -2513,6 +2965,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
2289 struct rb_node ** rb_link, * rb_parent;
2290 pgoff_t pgoff = addr >> PAGE_SHIFT;
2291 int error;
2292 @@ -77497,7 +77585,7 @@ index d1e4124..32a6988 100644
2293
2294 len = PAGE_ALIGN(len);
2295 if (!len)
2296 -@@ -2520,16 +2946,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
2297 +@@ -2520,16 +2973,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
2298
2299 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
2300
2301 @@ -77529,7 +77617,7 @@ index d1e4124..32a6988 100644
2302 locked += mm->locked_vm;
2303 lock_limit = rlimit(RLIMIT_MEMLOCK);
2304 lock_limit >>= PAGE_SHIFT;
2305 -@@ -2546,21 +2986,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
2306 +@@ -2546,21 +3013,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
2307 /*
2308 * Clear old maps. this also does some error checking for us
2309 */
2310 @@ -77554,7 +77642,7 @@ index d1e4124..32a6988 100644
2311 return -ENOMEM;
2312
2313 /* Can we just expand an old private anonymous mapping? */
2314 -@@ -2574,7 +3013,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
2315 +@@ -2574,7 +3040,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
2316 */
2317 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
2318 if (!vma) {
2319 @@ -77563,7 +77651,7 @@ index d1e4124..32a6988 100644
2320 return -ENOMEM;
2321 }
2322
2323 -@@ -2588,11 +3027,12 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
2324 +@@ -2588,11 +3054,12 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
2325 vma_link(mm, vma, prev, rb_link, rb_parent);
2326 out:
2327 perf_event_mmap(vma);
2328 @@ -77578,7 +77666,7 @@ index d1e4124..32a6988 100644
2329 return addr;
2330 }
2331
2332 -@@ -2650,6 +3090,7 @@ void exit_mmap(struct mm_struct *mm)
2333 +@@ -2650,6 +3117,7 @@ void exit_mmap(struct mm_struct *mm)
2334 while (vma) {
2335 if (vma->vm_flags & VM_ACCOUNT)
2336 nr_accounted += vma_pages(vma);
2337 @@ -77586,7 +77674,7 @@ index d1e4124..32a6988 100644
2338 vma = remove_vma(vma);
2339 }
2340 vm_unacct_memory(nr_accounted);
2341 -@@ -2666,6 +3107,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
2342 +@@ -2666,6 +3134,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
2343 struct vm_area_struct *prev;
2344 struct rb_node **rb_link, *rb_parent;
2345
2346 @@ -77600,7 +77688,7 @@ index d1e4124..32a6988 100644
2347 /*
2348 * The vm_pgoff of a purely anonymous vma should be irrelevant
2349 * until its first write fault, when page's anon_vma and index
2350 -@@ -2689,7 +3137,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
2351 +@@ -2689,7 +3164,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
2352 security_vm_enough_memory_mm(mm, vma_pages(vma)))
2353 return -ENOMEM;
2354
2355 @@ -77622,7 +77710,7 @@ index d1e4124..32a6988 100644
2356 return 0;
2357 }
2358
2359 -@@ -2709,6 +3171,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
2360 +@@ -2709,6 +3198,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
2361 struct mempolicy *pol;
2362 bool faulted_in_anon_vma = true;
2363
2364 @@ -77631,7 +77719,7 @@ index d1e4124..32a6988 100644
2365 /*
2366 * If anonymous vma has not yet been faulted, update new pgoff
2367 * to match new location, to increase its chance of merging.
2368 -@@ -2775,6 +3239,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
2369 +@@ -2775,6 +3266,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
2370 return NULL;
2371 }
2372
2373 @@ -77671,7 +77759,7 @@ index d1e4124..32a6988 100644
2374 /*
2375 * Return true if the calling process may expand its vm space by the passed
2376 * number of pages
2377 -@@ -2786,6 +3283,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
2378 +@@ -2786,6 +3310,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
2379
2380 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
2381
2382 @@ -77684,7 +77772,7 @@ index d1e4124..32a6988 100644
2383 if (cur + npages > lim)
2384 return 0;
2385 return 1;
2386 -@@ -2856,6 +3359,22 @@ int install_special_mapping(struct mm_struct *mm,
2387 +@@ -2856,6 +3386,22 @@ int install_special_mapping(struct mm_struct *mm,
2388 vma->vm_start = addr;
2389 vma->vm_end = addr + len;
2390
2391 @@ -77707,136 +77795,6 @@ index d1e4124..32a6988 100644
2392 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
2393 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
2394
2395 -diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c
2396 -index 8a5ac8c..f5c3d96 100644
2397 ---- a/mm/mmu_notifier.c
2398 -+++ b/mm/mmu_notifier.c
2399 -@@ -37,49 +37,51 @@ static struct srcu_struct srcu;
2400 - void __mmu_notifier_release(struct mm_struct *mm)
2401 - {
2402 - struct mmu_notifier *mn;
2403 -- struct hlist_node *n;
2404 - int id;
2405 -
2406 - /*
2407 -- * SRCU here will block mmu_notifier_unregister until
2408 -- * ->release returns.
2409 -+ * srcu_read_lock() here will block synchronize_srcu() in
2410 -+ * mmu_notifier_unregister() until all registered
2411 -+ * ->release() callouts this function makes have
2412 -+ * returned.
2413 - */
2414 - id = srcu_read_lock(&srcu);
2415 -- hlist_for_each_entry_rcu(mn, n, &mm->mmu_notifier_mm->list, hlist)
2416 -- /*
2417 -- * if ->release runs before mmu_notifier_unregister it
2418 -- * must be handled as it's the only way for the driver
2419 -- * to flush all existing sptes and stop the driver
2420 -- * from establishing any more sptes before all the
2421 -- * pages in the mm are freed.
2422 -- */
2423 -- if (mn->ops->release)
2424 -- mn->ops->release(mn, mm);
2425 -- srcu_read_unlock(&srcu, id);
2426 --
2427 - spin_lock(&mm->mmu_notifier_mm->lock);
2428 - while (unlikely(!hlist_empty(&mm->mmu_notifier_mm->list))) {
2429 - mn = hlist_entry(mm->mmu_notifier_mm->list.first,
2430 - struct mmu_notifier,
2431 - hlist);
2432 -+
2433 - /*
2434 -- * We arrived before mmu_notifier_unregister so
2435 -- * mmu_notifier_unregister will do nothing other than
2436 -- * to wait ->release to finish and
2437 -- * mmu_notifier_unregister to return.
2438 -+ * Unlink. This will prevent mmu_notifier_unregister()
2439 -+ * from also making the ->release() callout.
2440 - */
2441 - hlist_del_init_rcu(&mn->hlist);
2442 -+ spin_unlock(&mm->mmu_notifier_mm->lock);
2443 -+
2444 -+ /*
2445 -+ * Clear sptes. (see 'release' description in mmu_notifier.h)
2446 -+ */
2447 -+ if (mn->ops->release)
2448 -+ mn->ops->release(mn, mm);
2449 -+
2450 -+ spin_lock(&mm->mmu_notifier_mm->lock);
2451 - }
2452 - spin_unlock(&mm->mmu_notifier_mm->lock);
2453 -
2454 - /*
2455 -- * synchronize_srcu here prevents mmu_notifier_release to
2456 -- * return to exit_mmap (which would proceed freeing all pages
2457 -- * in the mm) until the ->release method returns, if it was
2458 -- * invoked by mmu_notifier_unregister.
2459 -- *
2460 -- * The mmu_notifier_mm can't go away from under us because one
2461 -- * mm_count is hold by exit_mmap.
2462 -+ * All callouts to ->release() which we have done are complete.
2463 -+ * Allow synchronize_srcu() in mmu_notifier_unregister() to complete
2464 -+ */
2465 -+ srcu_read_unlock(&srcu, id);
2466 -+
2467 -+ /*
2468 -+ * mmu_notifier_unregister() may have unlinked a notifier and may
2469 -+ * still be calling out to it. Additionally, other notifiers
2470 -+ * may have been active via vmtruncate() et. al. Block here
2471 -+ * to ensure that all notifier callouts for this mm have been
2472 -+ * completed and the sptes are really cleaned up before returning
2473 -+ * to exit_mmap().
2474 - */
2475 - synchronize_srcu(&srcu);
2476 - }
2477 -@@ -294,31 +296,31 @@ void mmu_notifier_unregister(struct mmu_notifier *mn, struct mm_struct *mm)
2478 - {
2479 - BUG_ON(atomic_read(&mm->mm_count) <= 0);
2480 -
2481 -+ spin_lock(&mm->mmu_notifier_mm->lock);
2482 - if (!hlist_unhashed(&mn->hlist)) {
2483 -- /*
2484 -- * SRCU here will force exit_mmap to wait ->release to finish
2485 -- * before freeing the pages.
2486 -- */
2487 - int id;
2488 -
2489 -+ /*
2490 -+ * Ensure we synchronize up with __mmu_notifier_release().
2491 -+ */
2492 - id = srcu_read_lock(&srcu);
2493 -- /*
2494 -- * exit_mmap will block in mmu_notifier_release to
2495 -- * guarantee ->release is called before freeing the
2496 -- * pages.
2497 -- */
2498 -- if (mn->ops->release)
2499 -- mn->ops->release(mn, mm);
2500 -- srcu_read_unlock(&srcu, id);
2501 -
2502 -- spin_lock(&mm->mmu_notifier_mm->lock);
2503 - hlist_del_rcu(&mn->hlist);
2504 - spin_unlock(&mm->mmu_notifier_mm->lock);
2505 -- }
2506 -+
2507 -+ if (mn->ops->release)
2508 -+ mn->ops->release(mn, mm);
2509 -+
2510 -+ /*
2511 -+ * Allow __mmu_notifier_release() to complete.
2512 -+ */
2513 -+ srcu_read_unlock(&srcu, id);
2514 -+ } else
2515 -+ spin_unlock(&mm->mmu_notifier_mm->lock);
2516 -
2517 - /*
2518 -- * Wait any running method to finish, of course including
2519 -- * ->release if it was run by mmu_notifier_relase instead of us.
2520 -+ * Wait for any running method to finish, including ->release() if it
2521 -+ * was run by __mmu_notifier_release() instead of us.
2522 - */
2523 - synchronize_srcu(&srcu);
2524 -
2525 diff --git a/mm/mprotect.c b/mm/mprotect.c
2526 index 94722a4..9837984 100644
2527 --- a/mm/mprotect.c
2528 @@ -78441,7 +78399,7 @@ index 2c78f8c..9e9c624 100644
2529 struct anon_vma_chain *avc;
2530 struct anon_vma *anon_vma;
2531 diff --git a/mm/shmem.c b/mm/shmem.c
2532 -index 5dd56f6..994b702 100644
2533 +index efd0b3a..994b702 100644
2534 --- a/mm/shmem.c
2535 +++ b/mm/shmem.c
2536 @@ -31,7 +31,7 @@
2537 @@ -78490,31 +78448,7 @@ index 5dd56f6..994b702 100644
2538 return simple_xattr_set(&info->xattrs, name, value, size, flags);
2539 }
2540
2541 -@@ -2487,6 +2501,7 @@ static int shmem_remount_fs(struct super_block *sb, int *flags, char *data)
2542 - unsigned long inodes;
2543 - int error = -EINVAL;
2544 -
2545 -+ config.mpol = NULL;
2546 - if (shmem_parse_options(data, &config, true))
2547 - return error;
2548 -
2549 -@@ -2511,8 +2526,13 @@ static int shmem_remount_fs(struct super_block *sb, int *flags, char *data)
2550 - sbinfo->max_inodes = config.max_inodes;
2551 - sbinfo->free_inodes = config.max_inodes - inodes;
2552 -
2553 -- mpol_put(sbinfo->mpol);
2554 -- sbinfo->mpol = config.mpol; /* transfers initial ref */
2555 -+ /*
2556 -+ * Preserve previous mempolicy unless mpol remount option was specified.
2557 -+ */
2558 -+ if (config.mpol) {
2559 -+ mpol_put(sbinfo->mpol);
2560 -+ sbinfo->mpol = config.mpol; /* transfers initial ref */
2561 -+ }
2562 - out:
2563 - spin_unlock(&sbinfo->stat_lock);
2564 - return error;
2565 -@@ -2556,8 +2576,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent)
2566 +@@ -2562,8 +2576,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent)
2567 int err = -ENOMEM;
2568
2569 /* Round up to L1_CACHE_BYTES to resist false sharing */
2570 @@ -80788,7 +80722,7 @@ index bc131d4..029e378 100644
2571 EXPORT_SYMBOL(sock_init_data);
2572
2573 diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
2574 -index 602cd63..0a699b1 100644
2575 +index 750f44f..0a699b1 100644
2576 --- a/net/core/sock_diag.c
2577 +++ b/net/core/sock_diag.c
2578 @@ -15,20 +15,27 @@ static DEFINE_MUTEX(sock_diag_table_mutex);
2579 @@ -80841,14 +80775,11 @@ index 602cd63..0a699b1 100644
2580 static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
2581 {
2582 int err;
2583 -@@ -121,12 +113,20 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
2584 - if (nlmsg_len(nlh) < sizeof(*req))
2585 +@@ -124,12 +116,17 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
2586 + if (req->sdiag_family >= AF_MAX)
2587 return -EINVAL;
2588
2589 - hndl = sock_diag_lock_handler(req->sdiag_family);
2590 -+ if (req->sdiag_family >= AF_MAX)
2591 -+ return -EINVAL;
2592 -+
2593 + if (sock_diag_handlers[req->sdiag_family] == NULL)
2594 + request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
2595 + NETLINK_SOCK_DIAG, req->sdiag_family);
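Review bot: In the rebased `__sock_diag_rcv_msg` hunk the `req->sdiag_family >= AF_MAX` check is no longer added by this patch but only matched as context, while the added line `if (sock_diag_handlers[req->sdiag_family] == NULL)` still indexes the table with a value taken from the netlink request. The lookup is in bounds only while the base tree carries that check directly above it, so I would record the dependency next to the lookup, e.g. `/* sdiag_family is bounded by the AF_MAX check above; keep that check ahead of this lookup */`. The added test also appears to read `sock_diag_handlers[]` before any locking visible here; presumably a stale NULL only costs a redundant `request_module()` call, but that should be confirmed against the rest of the function, which continues outside this hunk.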
2596 @@ -81176,7 +81107,7 @@ index 17c5e06..1b91206 100644
2597
2598 case IPT_SO_GET_ENTRIES:
2599 diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
2600 -index 6f9c072..38ea6c6 100644
2601 +index dc454cc..5bb917f 100644
2602 --- a/net/ipv4/ping.c
2603 +++ b/net/ipv4/ping.c
2604 @@ -844,7 +844,7 @@ static void ping_format_sock(struct sock *sp, struct seq_file *f,
2605 @@ -85360,19 +85291,6 @@ index 6ece7f2..ecdb55c 100644
2606 goto error;
2607
2608 buflen -= tmp;
2609 -diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
2610 -index 20e4bf5..58dfe08 100644
2611 ---- a/security/keys/process_keys.c
2612 -+++ b/security/keys/process_keys.c
2613 -@@ -367,6 +367,8 @@ key_ref_t search_my_process_keyrings(struct key_type *type,
2614 -
2615 - switch (PTR_ERR(key_ref)) {
2616 - case -EAGAIN: /* no key */
2617 -+ if (ret)
2618 -+ break;
2619 - case -ENOKEY: /* negative key */
2620 - ret = key_ref;
2621 - break;
2622 diff --git a/security/min_addr.c b/security/min_addr.c
2623 index f728728..6457a0c 100644
2624 --- a/security/min_addr.c
2625
2626 diff --git a/3.8.0/4425_grsec_remove_EI_PAX.patch b/3.8.1/4425_grsec_remove_EI_PAX.patch
2627 similarity index 100%
2628 rename from 3.8.0/4425_grsec_remove_EI_PAX.patch
2629 rename to 3.8.1/4425_grsec_remove_EI_PAX.patch
2630
2631 diff --git a/3.8.0/4430_grsec-remove-localversion-grsec.patch b/3.8.1/4430_grsec-remove-localversion-grsec.patch
2632 similarity index 100%
2633 rename from 3.8.0/4430_grsec-remove-localversion-grsec.patch
2634 rename to 3.8.1/4430_grsec-remove-localversion-grsec.patch
2635
2636 diff --git a/3.8.0/4435_grsec-mute-warnings.patch b/3.8.1/4435_grsec-mute-warnings.patch
2637 similarity index 100%
2638 rename from 3.8.0/4435_grsec-mute-warnings.patch
2639 rename to 3.8.1/4435_grsec-mute-warnings.patch
2640
2641 diff --git a/3.8.0/4440_grsec-remove-protected-paths.patch b/3.8.1/4440_grsec-remove-protected-paths.patch
2642 similarity index 100%
2643 rename from 3.8.0/4440_grsec-remove-protected-paths.patch
2644 rename to 3.8.1/4440_grsec-remove-protected-paths.patch
2645
2646 diff --git a/3.8.0/4450_grsec-kconfig-default-gids.patch b/3.8.1/4450_grsec-kconfig-default-gids.patch
2647 similarity index 100%
2648 rename from 3.8.0/4450_grsec-kconfig-default-gids.patch
2649 rename to 3.8.1/4450_grsec-kconfig-default-gids.patch
2650
2651 diff --git a/3.8.0/4465_selinux-avc_audit-log-curr_ip.patch b/3.8.1/4465_selinux-avc_audit-log-curr_ip.patch
2652 similarity index 100%
2653 rename from 3.8.0/4465_selinux-avc_audit-log-curr_ip.patch
2654 rename to 3.8.1/4465_selinux-avc_audit-log-curr_ip.patch
2655
2656 diff --git a/3.8.0/4470_disable-compat_vdso.patch b/3.8.1/4470_disable-compat_vdso.patch
2657 similarity index 100%
2658 rename from 3.8.0/4470_disable-compat_vdso.patch
2659 rename to 3.8.1/4470_disable-compat_vdso.patch