1 |
commit: f073d69f9356c708891d8c939bce531b5cd82aa0 |
2 |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
3 |
AuthorDate: Sat Mar 2 15:30:31 2013 +0000 |
4 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
5 |
CommitDate: Sat Mar 2 15:30:31 2013 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=f073d69f |
7 |
|
8 |
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.39,3.8.1}-201303012253 |
9 |
|
10 |
--- |
11 |
..._grsecurity-2.9.1-2.6.32.60-201303012253.patch} | 196 +++++- |
12 |
3.2.39/0000_README | 2 +- |
13 |
...420_grsecurity-2.9.1-3.2.39-201303012254.patch} | 301 +++++++-- |
14 |
{3.8.0 => 3.8.1}/0000_README | 2 +- |
15 |
.../4420_grsecurity-2.9.1-3.8.1-201303012255.patch | 672 +++++++++----------- |
16 |
{3.8.0 => 3.8.1}/4425_grsec_remove_EI_PAX.patch | 0 |
17 |
.../4430_grsec-remove-localversion-grsec.patch | 0 |
18 |
{3.8.0 => 3.8.1}/4435_grsec-mute-warnings.patch | 0 |
19 |
.../4440_grsec-remove-protected-paths.patch | 0 |
20 |
.../4450_grsec-kconfig-default-gids.patch | 0 |
21 |
.../4465_selinux-avc_audit-log-curr_ip.patch | 0 |
22 |
{3.8.0 => 3.8.1}/4470_disable-compat_vdso.patch | 0 |
23 |
12 files changed, 701 insertions(+), 472 deletions(-) |
24 |
|
25 |
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201302271816.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303012253.patch |
26 |
similarity index 99% |
27 |
rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201302271816.patch |
28 |
rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303012253.patch |
29 |
index ee04841..ee59351 100644 |
30 |
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201302271816.patch |
31 |
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303012253.patch |
32 |
@@ -19276,6 +19276,91 @@ index 9dbb527..9fe4f21 100644 |
33 |
if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE)) |
34 |
return -EFAULT; |
35 |
|
36 |
+diff --git a/arch/x86/kernel/head.c b/arch/x86/kernel/head.c |
37 |
+index 3e66bd3..6d6adbe 100644 |
38 |
+--- a/arch/x86/kernel/head.c |
39 |
++++ b/arch/x86/kernel/head.c |
40 |
+@@ -4,8 +4,6 @@ |
41 |
+ #include <asm/setup.h> |
42 |
+ #include <asm/bios_ebda.h> |
43 |
+ |
44 |
+-#define BIOS_LOWMEM_KILOBYTES 0x413 |
45 |
+- |
46 |
+ /* |
47 |
+ * The BIOS places the EBDA/XBDA at the top of conventional |
48 |
+ * memory, and usually decreases the reported amount of |
49 |
+@@ -15,17 +13,30 @@ |
50 |
+ * chipset: reserve a page before VGA to prevent PCI prefetch |
51 |
+ * into it (errata #56). Usually the page is reserved anyways, |
52 |
+ * unless you have no PS/2 mouse plugged in. |
53 |
++ * |
54 |
++ * This functions is deliberately very conservative. Losing |
55 |
++ * memory in the bottom megabyte is rarely a problem, as long |
56 |
++ * as we have enough memory to install the trampoline. Using |
57 |
++ * memory that is in use by the BIOS or by some DMA device |
58 |
++ * the BIOS didn't shut down *is* a big problem. |
59 |
+ */ |
60 |
++ |
61 |
++#define BIOS_LOWMEM_KILOBYTES 0x413 |
62 |
++#define LOWMEM_CAP 0x9f000U /* Absolute maximum */ |
63 |
++#define INSANE_CUTOFF 0x20000U /* Less than this = insane */ |
64 |
++ |
65 |
+ void __init reserve_ebda_region(void) |
66 |
+ { |
67 |
+ unsigned int lowmem, ebda_addr; |
68 |
+ |
69 |
+- /* To determine the position of the EBDA and the */ |
70 |
+- /* end of conventional memory, we need to look at */ |
71 |
+- /* the BIOS data area. In a paravirtual environment */ |
72 |
+- /* that area is absent. We'll just have to assume */ |
73 |
+- /* that the paravirt case can handle memory setup */ |
74 |
+- /* correctly, without our help. */ |
75 |
++ /* |
76 |
++ * To determine the position of the EBDA and the |
77 |
++ * end of conventional memory, we need to look at |
78 |
++ * the BIOS data area. In a paravirtual environment |
79 |
++ * that area is absent. We'll just have to assume |
80 |
++ * that the paravirt case can handle memory setup |
81 |
++ * correctly, without our help. |
82 |
++ */ |
83 |
+ if (paravirt_enabled()) |
84 |
+ return; |
85 |
+ |
86 |
+@@ -36,19 +47,23 @@ void __init reserve_ebda_region(void) |
87 |
+ /* start of EBDA area */ |
88 |
+ ebda_addr = get_bios_ebda(); |
89 |
+ |
90 |
+- /* Fixup: bios puts an EBDA in the top 64K segment */ |
91 |
+- /* of conventional memory, but does not adjust lowmem. */ |
92 |
+- if ((lowmem - ebda_addr) <= 0x10000) |
93 |
+- lowmem = ebda_addr; |
94 |
++ /* |
95 |
++ * Note: some old Dells seem to need 4k EBDA without |
96 |
++ * reporting so, so just consider the memory above 0x9f000 |
97 |
++ * to be off limits (bugzilla 2990). |
98 |
++ */ |
99 |
+ |
100 |
+- /* Fixup: bios does not report an EBDA at all. */ |
101 |
+- /* Some old Dells seem to need 4k anyhow (bugzilla 2990) */ |
102 |
+- if ((ebda_addr == 0) && (lowmem >= 0x9f000)) |
103 |
+- lowmem = 0x9f000; |
104 |
++ /* If the EBDA address is below 128K, assume it is bogus */ |
105 |
++ if (ebda_addr < INSANE_CUTOFF) |
106 |
++ ebda_addr = LOWMEM_CAP; |
107 |
+ |
108 |
+- /* Paranoia: should never happen, but... */ |
109 |
+- if ((lowmem == 0) || (lowmem >= 0x100000)) |
110 |
+- lowmem = 0x9f000; |
111 |
++ /* If lowmem is less than 128K, assume it is bogus */ |
112 |
++ if (lowmem < INSANE_CUTOFF) |
113 |
++ lowmem = LOWMEM_CAP; |
114 |
++ |
115 |
++ /* Use the lower of the lowmem and EBDA markers as the cutoff */ |
116 |
++ lowmem = min(lowmem, ebda_addr); |
117 |
++ lowmem = min(lowmem, LOWMEM_CAP); /* Absolute cap */ |
118 |
+ |
119 |
+ /* reserve all memory between lowmem and the 1MB mark */ |
120 |
+ reserve_early_overlap_ok(lowmem, 0x100000, "BIOS reserved"); |
121 |
diff --git a/arch/x86/kernel/head32.c b/arch/x86/kernel/head32.c |
122 |
index 4f8e250..df24706 100644 |
123 |
--- a/arch/x86/kernel/head32.c |
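Review bot: The added comment `Note: some old Dells seem to need 4k EBDA without reporting so ... (bugzilla 2990)` in `reserve_ebda_region()` stands above a blank line with no statement under it, while the code that enforces it is the final clamp `lowmem = min(lowmem, LOWMEM_CAP); /* Absolute cap */` several statements later. Moving the note down to that clamp keeps the rationale next to the line that stops memory above 0x9f000 from being treated as usable, so the clamp is less likely to be dropped later as redundant with the `min(lowmem, ebda_addr)` before it. The new header text also has a typo: `This functions is deliberately very conservative` should read `This function is deliberately very conservative`. The 3.2.39 patch hunk for arch/x86/kernel/head.c later in this commit adds the same text and has the same two points. The statement that reads `lowmem` falls between the nested hunks and is not visible here.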
124 |
@@ -100702,10 +100787,18 @@ index 0000000..3891139 |
125 |
+ |
126 |
+#endif /* _LINUX_SYSLOG_H */ |
127 |
diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h |
128 |
-index 99adcdc..09207eb 100644 |
129 |
+index 99adcdc..377249a 100644 |
130 |
--- a/include/linux/sysrq.h |
131 |
+++ b/include/linux/sysrq.h |
132 |
-@@ -35,7 +35,7 @@ struct sysrq_key_op { |
133 |
+@@ -15,6 +15,7 @@ |
134 |
+ #define _LINUX_SYSRQ_H |
135 |
+ |
136 |
+ #include <linux/errno.h> |
137 |
++#include <linux/compiler.h> |
138 |
+ |
139 |
+ struct pt_regs; |
140 |
+ struct tty_struct; |
141 |
+@@ -35,7 +36,7 @@ struct sysrq_key_op { |
142 |
char *help_msg; |
143 |
char *action_msg; |
144 |
int enable_mask; |
145 |
@@ -110252,7 +110345,7 @@ index 2d846cf..8d5cdd8 100644 |
146 |
capable(CAP_IPC_LOCK)) |
147 |
ret = do_mlockall(flags); |
148 |
diff --git a/mm/mmap.c b/mm/mmap.c |
149 |
-index 4b80cbf..1415bd8 100644 |
150 |
+index 4b80cbf..89f7b42 100644 |
151 |
--- a/mm/mmap.c |
152 |
+++ b/mm/mmap.c |
153 |
@@ -29,6 +29,7 @@ |
154 |
@@ -111136,7 +111229,7 @@ index 4b80cbf..1415bd8 100644 |
155 |
size = vma->vm_end - address; |
156 |
grow = (vma->vm_start - address) >> PAGE_SHIFT; |
157 |
|
158 |
-@@ -1689,10 +1982,22 @@ static int expand_downwards(struct vm_area_struct *vma, |
159 |
+@@ -1689,21 +1982,60 @@ static int expand_downwards(struct vm_area_struct *vma, |
160 |
if (!error) { |
161 |
vma->vm_start = address; |
162 |
vma->vm_pgoff -= grow; |
163 |
@@ -111159,7 +111252,60 @@ index 4b80cbf..1415bd8 100644 |
164 |
return error; |
165 |
} |
166 |
|
167 |
-@@ -1768,6 +2073,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) |
168 |
+ int expand_stack_downwards(struct vm_area_struct *vma, unsigned long address) |
169 |
+ { |
170 |
++ struct vm_area_struct *prev; |
171 |
++ |
172 |
++ address &= PAGE_MASK; |
173 |
++ prev = vma->vm_prev; |
174 |
++ if (prev && prev->vm_end == address) { |
175 |
++ if (!(prev->vm_flags & VM_GROWSDOWN)) |
176 |
++ return -ENOMEM; |
177 |
++ } |
178 |
+ return expand_downwards(vma, address); |
179 |
+ } |
180 |
+ |
181 |
++/* |
182 |
++ * Note how expand_stack() refuses to expand the stack all the way to |
183 |
++ * abut the next virtual mapping, *unless* that mapping itself is also |
184 |
++ * a stack mapping. We want to leave room for a guard page, after all |
185 |
++ * (the guard page itself is not added here, that is done by the |
186 |
++ * actual page faulting logic) |
187 |
++ * |
188 |
++ * This matches the behavior of the guard page logic (see mm/memory.c: |
189 |
++ * check_stack_guard_page()), which only allows the guard page to be |
190 |
++ * removed under these circumstances. |
191 |
++ */ |
192 |
+ #ifdef CONFIG_STACK_GROWSUP |
193 |
+ int expand_stack(struct vm_area_struct *vma, unsigned long address) |
194 |
+ { |
195 |
++ struct vm_area_struct *next; |
196 |
++ |
197 |
++ address &= PAGE_MASK; |
198 |
++ next = vma->vm_next; |
199 |
++ if (next && next->vm_start == address + PAGE_SIZE) { |
200 |
++ if (!(next->vm_flags & VM_GROWSUP)) |
201 |
++ return -ENOMEM; |
202 |
++ } |
203 |
+ return expand_upwards(vma, address); |
204 |
+ } |
205 |
+ |
206 |
+@@ -1727,6 +2059,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr) |
207 |
+ #else |
208 |
+ int expand_stack(struct vm_area_struct *vma, unsigned long address) |
209 |
+ { |
210 |
++ struct vm_area_struct *prev; |
211 |
++ |
212 |
++ address &= PAGE_MASK; |
213 |
++ prev = vma->vm_prev; |
214 |
++ if (prev && prev->vm_end == address) { |
215 |
++ if (!(prev->vm_flags & VM_GROWSDOWN)) |
216 |
++ return -ENOMEM; |
217 |
++ } |
218 |
+ return expand_downwards(vma, address); |
219 |
+ } |
220 |
+ |
221 |
+@@ -1768,6 +2108,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) |
222 |
do { |
223 |
long nrpages = vma_pages(vma); |
224 |
|
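Review bot: `expand_stack_downwards()` and the `#else` (non-`CONFIG_STACK_GROWSUP`) `expand_stack()` receive the same added lines: mask `address`, read `vma->vm_prev`, and return `-ENOMEM` when `prev->vm_end == address` and `prev` lacks `VM_GROWSDOWN`. Any later change to this guard-page check therefore has to be made in two places. Since `expand_stack_downwards()` appears to be defined ahead of the `#ifdef`, the `#else` variant could be reduced to `return expand_stack_downwards(vma, address);`. The explanatory block comment is attached to `expand_stack()` only, so `expand_stack_downwards()` carries the check undocumented; a short comment there such as `/* do not grow flush against a non-stack mapping; leave room for the guard page */` would cover it. `expand_downwards()` and `expand_upwards()` lie outside this hunk.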
225 |
@@ -111173,7 +111319,7 @@ index 4b80cbf..1415bd8 100644 |
226 |
mm->total_vm -= nrpages; |
227 |
vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); |
228 |
vma = remove_vma(vma); |
229 |
-@@ -1813,6 +2125,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, |
230 |
+@@ -1813,6 +2160,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, |
231 |
insertion_point = (prev ? &prev->vm_next : &mm->mmap); |
232 |
vma->vm_prev = NULL; |
233 |
do { |
234 |
@@ -111190,7 +111336,7 @@ index 4b80cbf..1415bd8 100644 |
235 |
rb_erase(&vma->vm_rb, &mm->mm_rb); |
236 |
mm->map_count--; |
237 |
tail_vma = vma; |
238 |
-@@ -1840,10 +2162,25 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
239 |
+@@ -1840,10 +2197,25 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
240 |
struct mempolicy *pol; |
241 |
struct vm_area_struct *new; |
242 |
|
243 |
@@ -111216,7 +111362,7 @@ index 4b80cbf..1415bd8 100644 |
244 |
if (mm->map_count >= sysctl_max_map_count) |
245 |
return -ENOMEM; |
246 |
|
247 |
-@@ -1851,6 +2188,16 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
248 |
+@@ -1851,6 +2223,16 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
249 |
if (!new) |
250 |
return -ENOMEM; |
251 |
|
252 |
@@ -111233,7 +111379,7 @@ index 4b80cbf..1415bd8 100644 |
253 |
/* most fields are the same, copy all, and then fixup */ |
254 |
*new = *vma; |
255 |
|
256 |
-@@ -1861,8 +2208,29 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
257 |
+@@ -1861,8 +2243,29 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
258 |
new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); |
259 |
} |
260 |
|
261 |
@@ -111263,7 +111409,7 @@ index 4b80cbf..1415bd8 100644 |
262 |
kmem_cache_free(vm_area_cachep, new); |
263 |
return PTR_ERR(pol); |
264 |
} |
265 |
-@@ -1883,6 +2251,28 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
266 |
+@@ -1883,6 +2286,28 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
267 |
else |
268 |
vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); |
269 |
|
270 |
@@ -111292,7 +111438,7 @@ index 4b80cbf..1415bd8 100644 |
271 |
return 0; |
272 |
} |
273 |
|
274 |
-@@ -1891,11 +2281,30 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
275 |
+@@ -1891,11 +2316,30 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
276 |
* work. This now handles partial unmappings. |
277 |
* Jeremy Fitzhardinge <jeremy@××××.org> |
278 |
*/ |
279 |
@@ -111323,7 +111469,7 @@ index 4b80cbf..1415bd8 100644 |
280 |
if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) |
281 |
return -EINVAL; |
282 |
|
283 |
-@@ -1959,6 +2368,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) |
284 |
+@@ -1959,6 +2403,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) |
285 |
/* Fix up all other VM information */ |
286 |
remove_vma_list(mm, vma); |
287 |
|
288 |
@@ -111332,7 +111478,7 @@ index 4b80cbf..1415bd8 100644 |
289 |
return 0; |
290 |
} |
291 |
|
292 |
-@@ -1971,22 +2382,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) |
293 |
+@@ -1971,22 +2417,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) |
294 |
|
295 |
profile_munmap(addr); |
296 |
|
297 |
@@ -111361,7 +111507,7 @@ index 4b80cbf..1415bd8 100644 |
298 |
/* |
299 |
* this is really a simplified "do_mmap". it only handles |
300 |
* anonymous maps. eventually we may be able to do some |
301 |
-@@ -2000,6 +2407,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) |
302 |
+@@ -2000,6 +2442,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) |
303 |
struct rb_node ** rb_link, * rb_parent; |
304 |
pgoff_t pgoff = addr >> PAGE_SHIFT; |
305 |
int error; |
306 |
@@ -111369,7 +111515,7 @@ index 4b80cbf..1415bd8 100644 |
307 |
|
308 |
len = PAGE_ALIGN(len); |
309 |
if (!len) |
310 |
-@@ -2011,16 +2419,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len) |
311 |
+@@ -2011,16 +2454,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len) |
312 |
|
313 |
flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; |
314 |
|
315 |
@@ -111401,7 +111547,7 @@ index 4b80cbf..1415bd8 100644 |
316 |
locked += mm->locked_vm; |
317 |
lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur; |
318 |
lock_limit >>= PAGE_SHIFT; |
319 |
-@@ -2037,22 +2459,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len) |
320 |
+@@ -2037,22 +2494,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len) |
321 |
/* |
322 |
* Clear old maps. this also does some error checking for us |
323 |
*/ |
324 |
@@ -111428,7 +111574,7 @@ index 4b80cbf..1415bd8 100644 |
325 |
return -ENOMEM; |
326 |
|
327 |
/* Can we just expand an old private anonymous mapping? */ |
328 |
-@@ -2066,7 +2488,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) |
329 |
+@@ -2066,7 +2523,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) |
330 |
*/ |
331 |
vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); |
332 |
if (!vma) { |
333 |
@@ -111437,7 +111583,7 @@ index 4b80cbf..1415bd8 100644 |
334 |
return -ENOMEM; |
335 |
} |
336 |
|
337 |
-@@ -2078,11 +2500,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len) |
338 |
+@@ -2078,11 +2535,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len) |
339 |
vma->vm_page_prot = vm_get_page_prot(flags); |
340 |
vma_link(mm, vma, prev, rb_link, rb_parent); |
341 |
out: |
342 |
@@ -111452,7 +111598,7 @@ index 4b80cbf..1415bd8 100644 |
343 |
return addr; |
344 |
} |
345 |
|
346 |
-@@ -2129,8 +2552,10 @@ void exit_mmap(struct mm_struct *mm) |
347 |
+@@ -2129,8 +2587,10 @@ void exit_mmap(struct mm_struct *mm) |
348 |
* Walk the list again, actually closing and freeing it, |
349 |
* with preemption enabled, without holding any MM locks. |
350 |
*/ |
351 |
@@ -111464,7 +111610,7 @@ index 4b80cbf..1415bd8 100644 |
352 |
|
353 |
BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT); |
354 |
} |
355 |
-@@ -2144,6 +2569,10 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) |
356 |
+@@ -2144,6 +2604,10 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) |
357 |
struct vm_area_struct * __vma, * prev; |
358 |
struct rb_node ** rb_link, * rb_parent; |
359 |
|
360 |
@@ -111475,7 +111621,7 @@ index 4b80cbf..1415bd8 100644 |
361 |
/* |
362 |
* The vm_pgoff of a purely anonymous vma should be irrelevant |
363 |
* until its first write fault, when page's anon_vma and index |
364 |
-@@ -2166,7 +2595,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) |
365 |
+@@ -2166,7 +2630,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) |
366 |
if ((vma->vm_flags & VM_ACCOUNT) && |
367 |
security_vm_enough_memory_mm(mm, vma_pages(vma))) |
368 |
return -ENOMEM; |
369 |
@@ -111498,7 +111644,7 @@ index 4b80cbf..1415bd8 100644 |
370 |
return 0; |
371 |
} |
372 |
|
373 |
-@@ -2184,6 +2628,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, |
374 |
+@@ -2184,6 +2663,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, |
375 |
struct rb_node **rb_link, *rb_parent; |
376 |
struct mempolicy *pol; |
377 |
|
378 |
@@ -111507,7 +111653,7 @@ index 4b80cbf..1415bd8 100644 |
379 |
/* |
380 |
* If anonymous vma has not yet been faulted, update new pgoff |
381 |
* to match new location, to increase its chance of merging. |
382 |
-@@ -2227,6 +2673,35 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, |
383 |
+@@ -2227,6 +2708,35 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, |
384 |
return new_vma; |
385 |
} |
386 |
|
387 |
@@ -111543,7 +111689,7 @@ index 4b80cbf..1415bd8 100644 |
388 |
/* |
389 |
* Return true if the calling process may expand its vm space by the passed |
390 |
* number of pages |
391 |
-@@ -2238,6 +2713,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) |
392 |
+@@ -2238,6 +2748,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) |
393 |
|
394 |
lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT; |
395 |
|
396 |
@@ -111556,7 +111702,7 @@ index 4b80cbf..1415bd8 100644 |
397 |
if (cur + npages > lim) |
398 |
return 0; |
399 |
return 1; |
400 |
-@@ -2307,6 +2788,22 @@ int install_special_mapping(struct mm_struct *mm, |
401 |
+@@ -2307,6 +2823,22 @@ int install_special_mapping(struct mm_struct *mm, |
402 |
vma->vm_start = addr; |
403 |
vma->vm_end = addr + len; |
404 |
|
405 |
|
406 |
diff --git a/3.2.39/0000_README b/3.2.39/0000_README |
407 |
index b8fcdf1..2831c66 100644 |
408 |
--- a/3.2.39/0000_README |
409 |
+++ b/3.2.39/0000_README |
410 |
@@ -74,7 +74,7 @@ Patch: 1039_linux-3.2.39.patch |
411 |
From: http://www.kernel.org |
412 |
Desc: Linux 3.2.39 |
413 |
|
414 |
-Patch: 4420_grsecurity-2.9.1-3.2.39-201302271819.patch |
415 |
+Patch: 4420_grsecurity-2.9.1-3.2.39-201303012254.patch |
416 |
From: http://www.grsecurity.net |
417 |
Desc: hardened-sources base patch from upstream grsecurity |
418 |
|
419 |
|
420 |
diff --git a/3.2.39/4420_grsecurity-2.9.1-3.2.39-201302271819.patch b/3.2.39/4420_grsecurity-2.9.1-3.2.39-201303012254.patch |
421 |
similarity index 99% |
422 |
rename from 3.2.39/4420_grsecurity-2.9.1-3.2.39-201302271819.patch |
423 |
rename to 3.2.39/4420_grsecurity-2.9.1-3.2.39-201303012254.patch |
424 |
index b220f78..12bbb30 100644 |
425 |
--- a/3.2.39/4420_grsecurity-2.9.1-3.2.39-201302271819.patch |
426 |
+++ b/3.2.39/4420_grsecurity-2.9.1-3.2.39-201303012254.patch |
427 |
@@ -17637,6 +17637,91 @@ index c9a281f..3658fbe 100644 |
428 |
if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE)) |
429 |
return -EFAULT; |
430 |
|
431 |
+diff --git a/arch/x86/kernel/head.c b/arch/x86/kernel/head.c |
432 |
+index af0699b..f6c4674 100644 |
433 |
+--- a/arch/x86/kernel/head.c |
434 |
++++ b/arch/x86/kernel/head.c |
435 |
+@@ -5,8 +5,6 @@ |
436 |
+ #include <asm/setup.h> |
437 |
+ #include <asm/bios_ebda.h> |
438 |
+ |
439 |
+-#define BIOS_LOWMEM_KILOBYTES 0x413 |
440 |
+- |
441 |
+ /* |
442 |
+ * The BIOS places the EBDA/XBDA at the top of conventional |
443 |
+ * memory, and usually decreases the reported amount of |
444 |
+@@ -16,17 +14,30 @@ |
445 |
+ * chipset: reserve a page before VGA to prevent PCI prefetch |
446 |
+ * into it (errata #56). Usually the page is reserved anyways, |
447 |
+ * unless you have no PS/2 mouse plugged in. |
448 |
++ * |
449 |
++ * This functions is deliberately very conservative. Losing |
450 |
++ * memory in the bottom megabyte is rarely a problem, as long |
451 |
++ * as we have enough memory to install the trampoline. Using |
452 |
++ * memory that is in use by the BIOS or by some DMA device |
453 |
++ * the BIOS didn't shut down *is* a big problem. |
454 |
+ */ |
455 |
++ |
456 |
++#define BIOS_LOWMEM_KILOBYTES 0x413 |
457 |
++#define LOWMEM_CAP 0x9f000U /* Absolute maximum */ |
458 |
++#define INSANE_CUTOFF 0x20000U /* Less than this = insane */ |
459 |
++ |
460 |
+ void __init reserve_ebda_region(void) |
461 |
+ { |
462 |
+ unsigned int lowmem, ebda_addr; |
463 |
+ |
464 |
+- /* To determine the position of the EBDA and the */ |
465 |
+- /* end of conventional memory, we need to look at */ |
466 |
+- /* the BIOS data area. In a paravirtual environment */ |
467 |
+- /* that area is absent. We'll just have to assume */ |
468 |
+- /* that the paravirt case can handle memory setup */ |
469 |
+- /* correctly, without our help. */ |
470 |
++ /* |
471 |
++ * To determine the position of the EBDA and the |
472 |
++ * end of conventional memory, we need to look at |
473 |
++ * the BIOS data area. In a paravirtual environment |
474 |
++ * that area is absent. We'll just have to assume |
475 |
++ * that the paravirt case can handle memory setup |
476 |
++ * correctly, without our help. |
477 |
++ */ |
478 |
+ if (paravirt_enabled()) |
479 |
+ return; |
480 |
+ |
481 |
+@@ -37,19 +48,23 @@ void __init reserve_ebda_region(void) |
482 |
+ /* start of EBDA area */ |
483 |
+ ebda_addr = get_bios_ebda(); |
484 |
+ |
485 |
+- /* Fixup: bios puts an EBDA in the top 64K segment */ |
486 |
+- /* of conventional memory, but does not adjust lowmem. */ |
487 |
+- if ((lowmem - ebda_addr) <= 0x10000) |
488 |
+- lowmem = ebda_addr; |
489 |
++ /* |
490 |
++ * Note: some old Dells seem to need 4k EBDA without |
491 |
++ * reporting so, so just consider the memory above 0x9f000 |
492 |
++ * to be off limits (bugzilla 2990). |
493 |
++ */ |
494 |
+ |
495 |
+- /* Fixup: bios does not report an EBDA at all. */ |
496 |
+- /* Some old Dells seem to need 4k anyhow (bugzilla 2990) */ |
497 |
+- if ((ebda_addr == 0) && (lowmem >= 0x9f000)) |
498 |
+- lowmem = 0x9f000; |
499 |
++ /* If the EBDA address is below 128K, assume it is bogus */ |
500 |
++ if (ebda_addr < INSANE_CUTOFF) |
501 |
++ ebda_addr = LOWMEM_CAP; |
502 |
+ |
503 |
+- /* Paranoia: should never happen, but... */ |
504 |
+- if ((lowmem == 0) || (lowmem >= 0x100000)) |
505 |
+- lowmem = 0x9f000; |
506 |
++ /* If lowmem is less than 128K, assume it is bogus */ |
507 |
++ if (lowmem < INSANE_CUTOFF) |
508 |
++ lowmem = LOWMEM_CAP; |
509 |
++ |
510 |
++ /* Use the lower of the lowmem and EBDA markers as the cutoff */ |
511 |
++ lowmem = min(lowmem, ebda_addr); |
512 |
++ lowmem = min(lowmem, LOWMEM_CAP); /* Absolute cap */ |
513 |
+ |
514 |
+ /* reserve all memory between lowmem and the 1MB mark */ |
515 |
+ memblock_x86_reserve_range(lowmem, 0x100000, "* BIOS reserved"); |
516 |
diff --git a/arch/x86/kernel/head32.c b/arch/x86/kernel/head32.c |
517 |
index 3bb0850..55a56f4 100644 |
518 |
--- a/arch/x86/kernel/head32.c |
519 |
@@ -36501,6 +36586,27 @@ index a0895bf..b451f5b 100644 |
520 |
.owner = THIS_MODULE, |
521 |
.open = timblogiw_open, |
522 |
.release = timblogiw_close, |
523 |
+diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c |
524 |
+index 668f5c6..65df5f2 100644 |
525 |
+--- a/drivers/memstick/host/r592.c |
526 |
++++ b/drivers/memstick/host/r592.c |
527 |
+@@ -454,7 +454,7 @@ static int r592_transfer_fifo_pio(struct r592_device *dev) |
528 |
+ /* Executes one TPC (data is read/written from small or large fifo) */ |
529 |
+ static void r592_execute_tpc(struct r592_device *dev) |
530 |
+ { |
531 |
+- bool is_write = dev->req->tpc >= MS_TPC_SET_RW_REG_ADRS; |
532 |
++ bool is_write; |
533 |
+ int len, error; |
534 |
+ u32 status, reg; |
535 |
+ |
536 |
+@@ -463,6 +463,7 @@ static void r592_execute_tpc(struct r592_device *dev) |
537 |
+ return; |
538 |
+ } |
539 |
+ |
540 |
++ is_write = dev->req->tpc >= MS_TPC_SET_RW_REG_ADRS; |
541 |
+ len = dev->req->long_data ? |
542 |
+ dev->req->sg.length : dev->req->data_len; |
543 |
+ |
544 |
diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c |
545 |
index e9c6a60..daf6a33 100644 |
546 |
--- a/drivers/message/fusion/mptbase.c |
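Review bot: Nothing in the new `r592_execute_tpc()` body records why `is_write` is no longer initialised at its declaration, so the ordering this change relies on could be undone by a later tidy-up that folds the assignment back into the declaration. The assignment `is_write = dev->req->tpc >= MS_TPC_SET_RW_REG_ADRS;` now follows an early `return` whose condition is outside the hunk (presumably the check that `dev->req` is set). A one-line comment above it, for example `/* dev->req is only dereferenced after the check above */`, would make the dependency explicit. The function continues past the end of the hunk.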
547 |
@@ -50020,7 +50126,7 @@ index 8392cb8..80d6193 100644 |
548 |
memcpy(c->data, &cookie, 4); |
549 |
c->len=4; |
550 |
diff --git a/fs/locks.c b/fs/locks.c |
551 |
-index fcc50ab..c3dacf2 100644 |
552 |
+index fcc50ab..c3dacf26 100644 |
553 |
--- a/fs/locks.c |
554 |
+++ b/fs/locks.c |
555 |
@@ -2075,16 +2075,16 @@ void locks_remove_flock(struct file *filp) |
556 |
@@ -50045,7 +50151,7 @@ index fcc50ab..c3dacf2 100644 |
557 |
|
558 |
lock_flocks(); |
559 |
diff --git a/fs/namei.c b/fs/namei.c |
560 |
-index 9680cef..d098ba0 100644 |
561 |
+index 9680cef..d943724 100644 |
562 |
--- a/fs/namei.c |
563 |
+++ b/fs/namei.c |
564 |
@@ -279,16 +279,32 @@ int generic_permission(struct inode *inode, int mask) |
565 |
@@ -50138,21 +50244,19 @@ index 9680cef..d098ba0 100644 |
566 |
put_link(nd, &link, cookie); |
567 |
} |
568 |
} |
569 |
-@@ -1624,6 +1644,21 @@ static int path_lookupat(int dfd, const char *name, |
570 |
+@@ -1624,6 +1644,19 @@ static int path_lookupat(int dfd, const char *name, |
571 |
if (!err) |
572 |
err = complete_walk(nd); |
573 |
|
574 |
-+ if (!(nd->flags & LOOKUP_PARENT)) { |
575 |
++ if (!err && !(nd->flags & LOOKUP_PARENT)) { |
576 |
+#ifdef CONFIG_GRKERNSEC |
577 |
+ if (flags & LOOKUP_RCU) { |
578 |
-+ if (!err) |
579 |
-+ path_put(&nd->path); |
580 |
++ path_put(&nd->path); |
581 |
+ err = -ECHILD; |
582 |
+ } else |
583 |
+#endif |
584 |
+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) { |
585 |
-+ if (!err) |
586 |
-+ path_put(&nd->path); |
587 |
++ path_put(&nd->path); |
588 |
+ err = -ENOENT; |
589 |
+ } |
590 |
+ } |
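Review bot: In the block added to `path_lookupat()`, the `} else` closing the `LOOKUP_RCU` branch is followed by `#endif` and then an unbraced `if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))`, so the `else` only has a body because the next statement happens to be that `if`. It behaves correctly as written, but a statement inserted between `#endif` and the `if` would become the else-body and change when the hidden-file check runs. Now that the whole block is gated on `!err`, the two checks can be separated without changing behaviour: end the RCU branch with a plain `}` before `#endif` and write the second test as `if (!err && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {`. The function starts and ends outside this hunk.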
591 |
@@ -50160,7 +50264,7 @@ index 9680cef..d098ba0 100644 |
592 |
if (!err && nd->flags & LOOKUP_DIRECTORY) { |
593 |
if (!nd->inode->i_op->lookup) { |
594 |
path_put(&nd->path); |
595 |
-@@ -1651,6 +1686,15 @@ static int do_path_lookup(int dfd, const char *name, |
596 |
+@@ -1651,6 +1684,15 @@ static int do_path_lookup(int dfd, const char *name, |
597 |
retval = path_lookupat(dfd, name, flags | LOOKUP_REVAL, nd); |
598 |
|
599 |
if (likely(!retval)) { |
600 |
@@ -50176,7 +50280,7 @@ index 9680cef..d098ba0 100644 |
601 |
if (unlikely(!audit_dummy_context())) { |
602 |
if (nd->path.dentry && nd->inode) |
603 |
audit_inode(name, nd->path.dentry); |
604 |
-@@ -1784,7 +1828,13 @@ struct dentry *lookup_one_len(const char *name, struct dentry *base, int len) |
605 |
+@@ -1784,7 +1826,13 @@ struct dentry *lookup_one_len(const char *name, struct dentry *base, int len) |
606 |
if (!len) |
607 |
return ERR_PTR(-EACCES); |
608 |
|
609 |
@@ -50190,7 +50294,7 @@ index 9680cef..d098ba0 100644 |
610 |
while (len--) { |
611 |
c = *(const unsigned char *)name++; |
612 |
if (c == '/' || c == '\0') |
613 |
-@@ -2048,6 +2098,13 @@ static int may_open(struct path *path, int acc_mode, int flag) |
614 |
+@@ -2048,6 +2096,13 @@ static int may_open(struct path *path, int acc_mode, int flag) |
615 |
if (flag & O_NOATIME && !inode_owner_or_capable(inode)) |
616 |
return -EPERM; |
617 |
|
618 |
@@ -50204,7 +50308,7 @@ index 9680cef..d098ba0 100644 |
619 |
return 0; |
620 |
} |
621 |
|
622 |
-@@ -2083,7 +2140,7 @@ static inline int open_to_namei_flags(int flag) |
623 |
+@@ -2083,7 +2138,7 @@ static inline int open_to_namei_flags(int flag) |
624 |
/* |
625 |
* Handle the last step of open() |
626 |
*/ |
627 |
@@ -50213,7 +50317,7 @@ index 9680cef..d098ba0 100644 |
628 |
const struct open_flags *op, const char *pathname) |
629 |
{ |
630 |
struct dentry *dir = nd->path.dentry; |
631 |
-@@ -2109,16 +2166,44 @@ static struct file *do_last(struct nameidata *nd, struct path *path, |
632 |
+@@ -2109,16 +2164,44 @@ static struct file *do_last(struct nameidata *nd, struct path *path, |
633 |
error = complete_walk(nd); |
634 |
if (error) |
635 |
return ERR_PTR(error); |
636 |
@@ -50258,7 +50362,7 @@ index 9680cef..d098ba0 100644 |
637 |
audit_inode(pathname, dir); |
638 |
goto ok; |
639 |
} |
640 |
-@@ -2134,18 +2219,37 @@ static struct file *do_last(struct nameidata *nd, struct path *path, |
641 |
+@@ -2134,18 +2217,37 @@ static struct file *do_last(struct nameidata *nd, struct path *path, |
642 |
!symlink_ok); |
643 |
if (error < 0) |
644 |
return ERR_PTR(error); |
645 |
@@ -50297,7 +50401,7 @@ index 9680cef..d098ba0 100644 |
646 |
audit_inode(pathname, nd->path.dentry); |
647 |
goto ok; |
648 |
} |
649 |
-@@ -2180,6 +2284,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path, |
650 |
+@@ -2180,6 +2282,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path, |
651 |
/* Negative dentry, just create the file */ |
652 |
if (!dentry->d_inode) { |
653 |
int mode = op->mode; |
654 |
@@ -50315,7 +50419,7 @@ index 9680cef..d098ba0 100644 |
655 |
if (!IS_POSIXACL(dir->d_inode)) |
656 |
mode &= ~current_umask(); |
657 |
/* |
658 |
-@@ -2203,6 +2318,8 @@ static struct file *do_last(struct nameidata *nd, struct path *path, |
659 |
+@@ -2203,6 +2316,8 @@ static struct file *do_last(struct nameidata *nd, struct path *path, |
660 |
error = vfs_create(dir->d_inode, dentry, mode, nd); |
661 |
if (error) |
662 |
goto exit_mutex_unlock; |
663 |
@@ -50324,7 +50428,7 @@ index 9680cef..d098ba0 100644 |
664 |
mutex_unlock(&dir->d_inode->i_mutex); |
665 |
dput(nd->path.dentry); |
666 |
nd->path.dentry = dentry; |
667 |
-@@ -2212,6 +2329,19 @@ static struct file *do_last(struct nameidata *nd, struct path *path, |
668 |
+@@ -2212,6 +2327,19 @@ static struct file *do_last(struct nameidata *nd, struct path *path, |
669 |
/* |
670 |
* It already exists. |
671 |
*/ |
672 |
@@ -50344,7 +50448,7 @@ index 9680cef..d098ba0 100644 |
673 |
mutex_unlock(&dir->d_inode->i_mutex); |
674 |
audit_inode(pathname, path->dentry); |
675 |
|
676 |
-@@ -2230,11 +2360,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path, |
677 |
+@@ -2230,11 +2358,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path, |
678 |
if (!path->dentry->d_inode) |
679 |
goto exit_dput; |
680 |
|
681 |
@@ -50363,7 +50467,7 @@ index 9680cef..d098ba0 100644 |
682 |
/* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */ |
683 |
error = complete_walk(nd); |
684 |
if (error) |
685 |
-@@ -2242,6 +2378,12 @@ static struct file *do_last(struct nameidata *nd, struct path *path, |
686 |
+@@ -2242,6 +2376,12 @@ static struct file *do_last(struct nameidata *nd, struct path *path, |
687 |
error = -EISDIR; |
688 |
if (S_ISDIR(nd->inode->i_mode)) |
689 |
goto exit; |
690 |
@@ -50376,7 +50480,7 @@ index 9680cef..d098ba0 100644 |
691 |
ok: |
692 |
if (!S_ISREG(nd->inode->i_mode)) |
693 |
will_truncate = 0; |
694 |
-@@ -2314,7 +2456,7 @@ static struct file *path_openat(int dfd, const char *pathname, |
695 |
+@@ -2314,7 +2454,7 @@ static struct file *path_openat(int dfd, const char *pathname, |
696 |
if (unlikely(error)) |
697 |
goto out_filp; |
698 |
|
699 |
@@ -50385,7 +50489,7 @@ index 9680cef..d098ba0 100644 |
700 |
while (unlikely(!filp)) { /* trailing symlink */ |
701 |
struct path link = path; |
702 |
void *cookie; |
703 |
-@@ -2329,8 +2471,9 @@ static struct file *path_openat(int dfd, const char *pathname, |
704 |
+@@ -2329,8 +2469,9 @@ static struct file *path_openat(int dfd, const char *pathname, |
705 |
error = follow_link(&link, nd, &cookie); |
706 |
if (unlikely(error)) |
707 |
filp = ERR_PTR(error); |
708 |
@@ -50397,7 +50501,7 @@ index 9680cef..d098ba0 100644 |
709 |
put_link(nd, &link, cookie); |
710 |
} |
711 |
out: |
712 |
-@@ -2424,6 +2567,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path |
713 |
+@@ -2424,6 +2565,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path |
714 |
*path = nd.path; |
715 |
return dentry; |
716 |
eexist: |
717 |
@@ -50409,7 +50513,7 @@ index 9680cef..d098ba0 100644 |
718 |
dput(dentry); |
719 |
dentry = ERR_PTR(-EEXIST); |
720 |
fail: |
721 |
-@@ -2446,6 +2594,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat |
722 |
+@@ -2446,6 +2592,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat |
723 |
} |
724 |
EXPORT_SYMBOL(user_path_create); |
725 |
|
726 |
@@ -50430,7 +50534,7 @@ index 9680cef..d098ba0 100644 |
727 |
int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) |
728 |
{ |
729 |
int error = may_create(dir, dentry); |
730 |
-@@ -2513,6 +2675,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, |
731 |
+@@ -2513,6 +2673,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, |
732 |
error = mnt_want_write(path.mnt); |
733 |
if (error) |
734 |
goto out_dput; |
735 |
@@ -50448,7 +50552,7 @@ index 9680cef..d098ba0 100644 |
736 |
error = security_path_mknod(&path, dentry, mode, dev); |
737 |
if (error) |
738 |
goto out_drop_write; |
739 |
-@@ -2530,6 +2703,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, |
740 |
+@@ -2530,6 +2701,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, |
741 |
} |
742 |
out_drop_write: |
743 |
mnt_drop_write(path.mnt); |
744 |
@@ -50458,7 +50562,7 @@ index 9680cef..d098ba0 100644 |
745 |
out_dput: |
746 |
dput(dentry); |
747 |
mutex_unlock(&path.dentry->d_inode->i_mutex); |
748 |
-@@ -2579,12 +2755,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode) |
749 |
+@@ -2579,12 +2753,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode) |
750 |
error = mnt_want_write(path.mnt); |
751 |
if (error) |
752 |
goto out_dput; |
753 |
@@ -50480,7 +50584,7 @@ index 9680cef..d098ba0 100644 |
754 |
out_dput: |
755 |
dput(dentry); |
756 |
mutex_unlock(&path.dentry->d_inode->i_mutex); |
757 |
-@@ -2664,6 +2849,8 @@ static long do_rmdir(int dfd, const char __user *pathname) |
758 |
+@@ -2664,6 +2847,8 @@ static long do_rmdir(int dfd, const char __user *pathname) |
759 |
char * name; |
760 |
struct dentry *dentry; |
761 |
struct nameidata nd; |
762 |
@@ -50489,7 +50593,7 @@ index 9680cef..d098ba0 100644 |
763 |
|
764 |
error = user_path_parent(dfd, pathname, &nd, &name); |
765 |
if (error) |
766 |
-@@ -2692,6 +2879,15 @@ static long do_rmdir(int dfd, const char __user *pathname) |
767 |
+@@ -2692,6 +2877,15 @@ static long do_rmdir(int dfd, const char __user *pathname) |
768 |
error = -ENOENT; |
769 |
goto exit3; |
770 |
} |
771 |
@@ -50505,7 +50609,7 @@ index 9680cef..d098ba0 100644 |
772 |
error = mnt_want_write(nd.path.mnt); |
773 |
if (error) |
774 |
goto exit3; |
775 |
-@@ -2699,6 +2895,8 @@ static long do_rmdir(int dfd, const char __user *pathname) |
776 |
+@@ -2699,6 +2893,8 @@ static long do_rmdir(int dfd, const char __user *pathname) |
777 |
if (error) |
778 |
goto exit4; |
779 |
error = vfs_rmdir(nd.path.dentry->d_inode, dentry); |
780 |
@@ -50514,7 +50618,7 @@ index 9680cef..d098ba0 100644 |
781 |
exit4: |
782 |
mnt_drop_write(nd.path.mnt); |
783 |
exit3: |
784 |
-@@ -2761,6 +2959,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) |
785 |
+@@ -2761,6 +2957,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) |
786 |
struct dentry *dentry; |
787 |
struct nameidata nd; |
788 |
struct inode *inode = NULL; |
789 |
@@ -50523,7 +50627,7 @@ index 9680cef..d098ba0 100644 |
790 |
|
791 |
error = user_path_parent(dfd, pathname, &nd, &name); |
792 |
if (error) |
793 |
-@@ -2783,6 +2983,16 @@ static long do_unlinkat(int dfd, const char __user *pathname) |
794 |
+@@ -2783,6 +2981,16 @@ static long do_unlinkat(int dfd, const char __user *pathname) |
795 |
if (!inode) |
796 |
goto slashes; |
797 |
ihold(inode); |
798 |
@@ -50540,7 +50644,7 @@ index 9680cef..d098ba0 100644 |
799 |
error = mnt_want_write(nd.path.mnt); |
800 |
if (error) |
801 |
goto exit2; |
802 |
-@@ -2790,6 +3000,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) |
803 |
+@@ -2790,6 +2998,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) |
804 |
if (error) |
805 |
goto exit3; |
806 |
error = vfs_unlink(nd.path.dentry->d_inode, dentry); |
807 |
@@ -50549,7 +50653,7 @@ index 9680cef..d098ba0 100644 |
808 |
exit3: |
809 |
mnt_drop_write(nd.path.mnt); |
810 |
exit2: |
811 |
-@@ -2865,10 +3077,18 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, |
812 |
+@@ -2865,10 +3075,18 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, |
813 |
error = mnt_want_write(path.mnt); |
814 |
if (error) |
815 |
goto out_dput; |
816 |
@@ -50568,7 +50672,7 @@ index 9680cef..d098ba0 100644 |
817 |
out_drop_write: |
818 |
mnt_drop_write(path.mnt); |
819 |
out_dput: |
820 |
-@@ -2940,6 +3160,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, |
821 |
+@@ -2940,6 +3158,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, |
822 |
{ |
823 |
struct dentry *new_dentry; |
824 |
struct path old_path, new_path; |
825 |
@@ -50576,7 +50680,7 @@ index 9680cef..d098ba0 100644 |
826 |
int how = 0; |
827 |
int error; |
828 |
|
829 |
-@@ -2963,7 +3184,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, |
830 |
+@@ -2963,7 +3182,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, |
831 |
if (error) |
832 |
return error; |
833 |
|
834 |
@@ -50585,7 +50689,7 @@ index 9680cef..d098ba0 100644 |
835 |
error = PTR_ERR(new_dentry); |
836 |
if (IS_ERR(new_dentry)) |
837 |
goto out; |
838 |
-@@ -2974,13 +3195,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, |
839 |
+@@ -2974,13 +3193,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, |
840 |
error = mnt_want_write(new_path.mnt); |
841 |
if (error) |
842 |
goto out_dput; |
843 |
@@ -50616,7 +50720,7 @@ index 9680cef..d098ba0 100644 |
844 |
dput(new_dentry); |
845 |
mutex_unlock(&new_path.dentry->d_inode->i_mutex); |
846 |
path_put(&new_path); |
847 |
-@@ -3208,6 +3446,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, |
848 |
+@@ -3208,6 +3444,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, |
849 |
if (new_dentry == trap) |
850 |
goto exit5; |
851 |
|
852 |
@@ -50629,7 +50733,7 @@ index 9680cef..d098ba0 100644 |
853 |
error = mnt_want_write(oldnd.path.mnt); |
854 |
if (error) |
855 |
goto exit5; |
856 |
-@@ -3217,6 +3461,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, |
857 |
+@@ -3217,6 +3459,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, |
858 |
goto exit6; |
859 |
error = vfs_rename(old_dir->d_inode, old_dentry, |
860 |
new_dir->d_inode, new_dentry); |
861 |
@@ -50639,7 +50743,7 @@ index 9680cef..d098ba0 100644 |
862 |
exit6: |
863 |
mnt_drop_write(oldnd.path.mnt); |
864 |
exit5: |
865 |
-@@ -3242,6 +3489,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna |
866 |
+@@ -3242,6 +3487,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna |
867 |
|
868 |
int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link) |
869 |
{ |
870 |
@@ -50648,7 +50752,7 @@ index 9680cef..d098ba0 100644 |
871 |
int len; |
872 |
|
873 |
len = PTR_ERR(link); |
874 |
-@@ -3251,7 +3500,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c |
875 |
+@@ -3251,7 +3498,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c |
876 |
len = strlen(link); |
877 |
if (len > (unsigned) buflen) |
878 |
len = buflen; |
879 |
@@ -68145,10 +68249,18 @@ index 703cfa33..0b8ca72ac 100644 |
880 |
void __user *, size_t *, loff_t *); |
881 |
extern int proc_dointvec_minmax(struct ctl_table *, int, |
882 |
diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h |
883 |
-index 7faf933..eb6f5e3 100644 |
884 |
+index 7faf933..c1ad32c 100644 |
885 |
--- a/include/linux/sysrq.h |
886 |
+++ b/include/linux/sysrq.h |
887 |
-@@ -36,7 +36,7 @@ struct sysrq_key_op { |
888 |
+@@ -15,6 +15,7 @@ |
889 |
+ #define _LINUX_SYSRQ_H |
890 |
+ |
891 |
+ #include <linux/errno.h> |
892 |
++#include <linux/compiler.h> |
893 |
+ #include <linux/types.h> |
894 |
+ |
895 |
+ /* Enable/disable SYSRQ support by default (0==no, 1==yes). */ |
896 |
+@@ -36,7 +37,7 @@ struct sysrq_key_op { |
897 |
char *help_msg; |
898 |
char *action_msg; |
899 |
int enable_mask; |
900 |
@@ -74209,7 +74321,7 @@ index ea7ec7f..23d4094 100644 |
901 |
EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax); |
902 |
EXPORT_SYMBOL(register_sysctl_table); |
903 |
diff --git a/kernel/sysctl_binary.c b/kernel/sysctl_binary.c |
904 |
-index a650694..aaeeb20 100644 |
905 |
+index a650694..d0c4f42 100644 |
906 |
--- a/kernel/sysctl_binary.c |
907 |
+++ b/kernel/sysctl_binary.c |
908 |
@@ -989,7 +989,7 @@ static ssize_t bin_intvec(struct file *file, |
909 |
@@ -74266,7 +74378,19 @@ index a650694..aaeeb20 100644 |
910 |
set_fs(old_fs); |
911 |
if (result < 0) |
912 |
goto out; |
913 |
-@@ -1233,7 +1233,7 @@ static ssize_t bin_dn_node_address(struct file *file, |
914 |
+@@ -1194,9 +1194,10 @@ static ssize_t bin_dn_node_address(struct file *file, |
915 |
+ |
916 |
+ /* Convert the decnet address to binary */ |
917 |
+ result = -EIO; |
918 |
+- nodep = strchr(buf, '.') + 1; |
919 |
++ nodep = strchr(buf, '.'); |
920 |
+ if (!nodep) |
921 |
+ goto out; |
922 |
++ ++nodep; |
923 |
+ |
924 |
+ area = simple_strtoul(buf, NULL, 10); |
925 |
+ node = simple_strtoul(nodep, NULL, 10); |
926 |
+@@ -1233,7 +1234,7 @@ static ssize_t bin_dn_node_address(struct file *file, |
927 |
le16_to_cpu(dnaddr) & 0x3ff); |
928 |
|
929 |
set_fs(KERNEL_DS); |
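Review bot: The separate `++nodep;` after the `if (!nodep)` test in bin_dn_node_address is what makes the NULL check effective, and nothing in the code records that. The removed form `strchr(buf, '.') + 1` could never compare equal to NULL, so input without a '.' fell through to `simple_strtoul(nodep, NULL, 10)` with a pointer derived from NULL. A later cleanup that folds the `+ 1` back in would silently restore that, so I would add a comment above the test such as `/* test strchr() itself: NULL + 1 is never NULL */`. Both `simple_strtoul` calls pass a NULL end pointer, so trailing non-digits are not detected at this point. Whether `area` and `node` are range-checked afterwards cannot be seen, because the function continues outside the hunk.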
930 |
@@ -76968,7 +77092,7 @@ index 4f4f53b..de8e432 100644 |
931 |
capable(CAP_IPC_LOCK)) |
932 |
ret = do_mlockall(flags); |
933 |
diff --git a/mm/mmap.c b/mm/mmap.c |
934 |
-index eae90af..09d8f77 100644 |
935 |
+index eae90af..0704837 100644 |
936 |
--- a/mm/mmap.c |
937 |
+++ b/mm/mmap.c |
938 |
@@ -30,6 +30,7 @@ |
939 |
@@ -77851,7 +77975,7 @@ index eae90af..09d8f77 100644 |
940 |
size = vma->vm_end - address; |
941 |
grow = (vma->vm_start - address) >> PAGE_SHIFT; |
942 |
|
943 |
-@@ -1786,11 +2080,22 @@ int expand_downwards(struct vm_area_struct *vma, |
944 |
+@@ -1786,18 +2080,48 @@ int expand_downwards(struct vm_area_struct *vma, |
945 |
if (!error) { |
946 |
vma->vm_start = address; |
947 |
vma->vm_pgoff -= grow; |
948 |
@@ -77874,7 +77998,48 @@ index eae90af..09d8f77 100644 |
949 |
khugepaged_enter_vma_merge(vma); |
950 |
return error; |
951 |
} |
952 |
-@@ -1860,6 +2165,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) |
953 |
+ |
954 |
++/* |
955 |
++ * Note how expand_stack() refuses to expand the stack all the way to |
956 |
++ * abut the next virtual mapping, *unless* that mapping itself is also |
957 |
++ * a stack mapping. We want to leave room for a guard page, after all |
958 |
++ * (the guard page itself is not added here, that is done by the |
959 |
++ * actual page faulting logic) |
960 |
++ * |
961 |
++ * This matches the behavior of the guard page logic (see mm/memory.c: |
962 |
++ * check_stack_guard_page()), which only allows the guard page to be |
963 |
++ * removed under these circumstances. |
964 |
++ */ |
965 |
+ #ifdef CONFIG_STACK_GROWSUP |
966 |
+ int expand_stack(struct vm_area_struct *vma, unsigned long address) |
967 |
+ { |
968 |
++ struct vm_area_struct *next; |
969 |
++ |
970 |
++ address &= PAGE_MASK; |
971 |
++ next = vma->vm_next; |
972 |
++ if (next && next->vm_start == address + PAGE_SIZE) { |
973 |
++ if (!(next->vm_flags & VM_GROWSUP)) |
974 |
++ return -ENOMEM; |
975 |
++ } |
976 |
+ return expand_upwards(vma, address); |
977 |
+ } |
978 |
+ |
979 |
+@@ -1820,6 +2144,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr) |
980 |
+ #else |
981 |
+ int expand_stack(struct vm_area_struct *vma, unsigned long address) |
982 |
+ { |
983 |
++ struct vm_area_struct *prev; |
984 |
++ |
985 |
++ address &= PAGE_MASK; |
986 |
++ prev = vma->vm_prev; |
987 |
++ if (prev && prev->vm_end == address) { |
988 |
++ if (!(prev->vm_flags & VM_GROWSDOWN)) |
989 |
++ return -ENOMEM; |
990 |
++ } |
991 |
+ return expand_downwards(vma, address); |
992 |
+ } |
993 |
+ |
994 |
+@@ -1860,6 +2192,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) |
995 |
do { |
996 |
long nrpages = vma_pages(vma); |
997 |
|
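Review bot: Both new `expand_stack()` variants test the neighbouring mapping with an exact equality (`next->vm_start == address + PAGE_SIZE` and `prev->vm_end == address`), so they refuse only an expansion that would end directly against a non-stack mapping. As far as these lines show, that guarantees a gap of a single page and nothing larger. The added block comment should state this limit explicitly, for example `/* enforces a one-page gap only; wider separation is not checked here */`, so nobody reads it as a general stack/heap separation guarantee. In the CONFIG_STACK_GROWSUP variant, `address + PAGE_SIZE` is computed without a wrap check; it is probably harmless for valid user addresses, but worth a one-line remark. `expand_upwards()` and `expand_downwards()` are outside the hunk, so any further range validation they do is not visible.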
998 |
@@ -77888,7 +78053,7 @@ index eae90af..09d8f77 100644 |
999 |
mm->total_vm -= nrpages; |
1000 |
vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); |
1001 |
vma = remove_vma(vma); |
1002 |
-@@ -1905,6 +2217,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, |
1003 |
+@@ -1905,6 +2244,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, |
1004 |
insertion_point = (prev ? &prev->vm_next : &mm->mmap); |
1005 |
vma->vm_prev = NULL; |
1006 |
do { |
1007 |
@@ -77905,7 +78070,7 @@ index eae90af..09d8f77 100644 |
1008 |
rb_erase(&vma->vm_rb, &mm->mm_rb); |
1009 |
mm->map_count--; |
1010 |
tail_vma = vma; |
1011 |
-@@ -1933,14 +2255,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
1012 |
+@@ -1933,14 +2282,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
1013 |
struct vm_area_struct *new; |
1014 |
int err = -ENOMEM; |
1015 |
|
1016 |
@@ -77939,7 +78104,7 @@ index eae90af..09d8f77 100644 |
1017 |
/* most fields are the same, copy all, and then fixup */ |
1018 |
*new = *vma; |
1019 |
|
1020 |
-@@ -1953,6 +2294,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
1021 |
+@@ -1953,6 +2321,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
1022 |
new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); |
1023 |
} |
1024 |
|
1025 |
@@ -77962,7 +78127,7 @@ index eae90af..09d8f77 100644 |
1026 |
pol = mpol_dup(vma_policy(vma)); |
1027 |
if (IS_ERR(pol)) { |
1028 |
err = PTR_ERR(pol); |
1029 |
-@@ -1978,6 +2335,42 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
1030 |
+@@ -1978,6 +2362,42 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
1031 |
else |
1032 |
err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); |
1033 |
|
1034 |
@@ -78005,7 +78170,7 @@ index eae90af..09d8f77 100644 |
1035 |
/* Success. */ |
1036 |
if (!err) |
1037 |
return 0; |
1038 |
-@@ -1990,10 +2383,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
1039 |
+@@ -1990,10 +2410,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
1040 |
removed_exe_file_vma(mm); |
1041 |
fput(new->vm_file); |
1042 |
} |
1043 |
@@ -78025,7 +78190,7 @@ index eae90af..09d8f77 100644 |
1044 |
kmem_cache_free(vm_area_cachep, new); |
1045 |
out_err: |
1046 |
return err; |
1047 |
-@@ -2006,6 +2407,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
1048 |
+@@ -2006,6 +2434,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
1049 |
int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, |
1050 |
unsigned long addr, int new_below) |
1051 |
{ |
1052 |
@@ -78041,7 +78206,7 @@ index eae90af..09d8f77 100644 |
1053 |
if (mm->map_count >= sysctl_max_map_count) |
1054 |
return -ENOMEM; |
1055 |
|
1056 |
-@@ -2017,11 +2427,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, |
1057 |
+@@ -2017,11 +2454,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, |
1058 |
* work. This now handles partial unmappings. |
1059 |
* Jeremy Fitzhardinge <jeremy@××××.org> |
1060 |
*/ |
1061 |
@@ -78072,7 +78237,7 @@ index eae90af..09d8f77 100644 |
1062 |
if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) |
1063 |
return -EINVAL; |
1064 |
|
1065 |
-@@ -2096,6 +2525,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) |
1066 |
+@@ -2096,6 +2552,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) |
1067 |
/* Fix up all other VM information */ |
1068 |
remove_vma_list(mm, vma); |
1069 |
|
1070 |
@@ -78081,7 +78246,7 @@ index eae90af..09d8f77 100644 |
1071 |
return 0; |
1072 |
} |
1073 |
|
1074 |
-@@ -2108,22 +2539,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) |
1075 |
+@@ -2108,22 +2566,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) |
1076 |
|
1077 |
profile_munmap(addr); |
1078 |
|
1079 |
@@ -78110,7 +78275,7 @@ index eae90af..09d8f77 100644 |
1080 |
/* |
1081 |
* this is really a simplified "do_mmap". it only handles |
1082 |
* anonymous maps. eventually we may be able to do some |
1083 |
-@@ -2137,6 +2564,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) |
1084 |
+@@ -2137,6 +2591,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) |
1085 |
struct rb_node ** rb_link, * rb_parent; |
1086 |
pgoff_t pgoff = addr >> PAGE_SHIFT; |
1087 |
int error; |
1088 |
@@ -78118,7 +78283,7 @@ index eae90af..09d8f77 100644 |
1089 |
|
1090 |
len = PAGE_ALIGN(len); |
1091 |
if (!len) |
1092 |
-@@ -2148,16 +2576,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len) |
1093 |
+@@ -2148,16 +2603,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len) |
1094 |
|
1095 |
flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; |
1096 |
|
1097 |
@@ -78150,7 +78315,7 @@ index eae90af..09d8f77 100644 |
1098 |
locked += mm->locked_vm; |
1099 |
lock_limit = rlimit(RLIMIT_MEMLOCK); |
1100 |
lock_limit >>= PAGE_SHIFT; |
1101 |
-@@ -2174,22 +2616,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len) |
1102 |
+@@ -2174,22 +2643,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len) |
1103 |
/* |
1104 |
* Clear old maps. this also does some error checking for us |
1105 |
*/ |
1106 |
@@ -78177,7 +78342,7 @@ index eae90af..09d8f77 100644 |
1107 |
return -ENOMEM; |
1108 |
|
1109 |
/* Can we just expand an old private anonymous mapping? */ |
1110 |
-@@ -2203,7 +2645,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) |
1111 |
+@@ -2203,7 +2672,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len) |
1112 |
*/ |
1113 |
vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); |
1114 |
if (!vma) { |
1115 |
@@ -78186,7 +78351,7 @@ index eae90af..09d8f77 100644 |
1116 |
return -ENOMEM; |
1117 |
} |
1118 |
|
1119 |
-@@ -2217,11 +2659,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len) |
1120 |
+@@ -2217,11 +2686,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len) |
1121 |
vma_link(mm, vma, prev, rb_link, rb_parent); |
1122 |
out: |
1123 |
perf_event_mmap(vma); |
1124 |
@@ -78201,7 +78366,7 @@ index eae90af..09d8f77 100644 |
1125 |
return addr; |
1126 |
} |
1127 |
|
1128 |
-@@ -2268,8 +2711,10 @@ void exit_mmap(struct mm_struct *mm) |
1129 |
+@@ -2268,8 +2738,10 @@ void exit_mmap(struct mm_struct *mm) |
1130 |
* Walk the list again, actually closing and freeing it, |
1131 |
* with preemption enabled, without holding any MM locks. |
1132 |
*/ |
1133 |
@@ -78213,7 +78378,7 @@ index eae90af..09d8f77 100644 |
1134 |
|
1135 |
BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT); |
1136 |
} |
1137 |
-@@ -2283,6 +2728,13 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) |
1138 |
+@@ -2283,6 +2755,13 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) |
1139 |
struct vm_area_struct * __vma, * prev; |
1140 |
struct rb_node ** rb_link, * rb_parent; |
1141 |
|
1142 |
@@ -78227,7 +78392,7 @@ index eae90af..09d8f77 100644 |
1143 |
/* |
1144 |
* The vm_pgoff of a purely anonymous vma should be irrelevant |
1145 |
* until its first write fault, when page's anon_vma and index |
1146 |
-@@ -2305,7 +2757,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) |
1147 |
+@@ -2305,7 +2784,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) |
1148 |
if ((vma->vm_flags & VM_ACCOUNT) && |
1149 |
security_vm_enough_memory_mm(mm, vma_pages(vma))) |
1150 |
return -ENOMEM; |
1151 |
@@ -78250,7 +78415,7 @@ index eae90af..09d8f77 100644 |
1152 |
return 0; |
1153 |
} |
1154 |
|
1155 |
-@@ -2323,6 +2790,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, |
1156 |
+@@ -2323,6 +2817,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, |
1157 |
struct rb_node **rb_link, *rb_parent; |
1158 |
struct mempolicy *pol; |
1159 |
|
1160 |
@@ -78259,7 +78424,7 @@ index eae90af..09d8f77 100644 |
1161 |
/* |
1162 |
* If anonymous vma has not yet been faulted, update new pgoff |
1163 |
* to match new location, to increase its chance of merging. |
1164 |
-@@ -2373,6 +2842,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, |
1165 |
+@@ -2373,6 +2869,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, |
1166 |
return NULL; |
1167 |
} |
1168 |
|
1169 |
@@ -78299,7 +78464,7 @@ index eae90af..09d8f77 100644 |
1170 |
/* |
1171 |
* Return true if the calling process may expand its vm space by the passed |
1172 |
* number of pages |
1173 |
-@@ -2384,6 +2886,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) |
1174 |
+@@ -2384,6 +2913,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) |
1175 |
|
1176 |
lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT; |
1177 |
|
1178 |
@@ -78312,7 +78477,7 @@ index eae90af..09d8f77 100644 |
1179 |
if (cur + npages > lim) |
1180 |
return 0; |
1181 |
return 1; |
1182 |
-@@ -2454,6 +2962,22 @@ int install_special_mapping(struct mm_struct *mm, |
1183 |
+@@ -2454,6 +2989,22 @@ int install_special_mapping(struct mm_struct *mm, |
1184 |
vma->vm_start = addr; |
1185 |
vma->vm_end = addr + len; |
1186 |
|
1187 |
|
1188 |
diff --git a/3.8.0/0000_README b/3.8.1/0000_README |
1189 |
similarity index 96% |
1190 |
rename from 3.8.0/0000_README |
1191 |
rename to 3.8.1/0000_README |
1192 |
index a9cab40..517c0e6 100644 |
1193 |
--- a/3.8.0/0000_README |
1194 |
+++ b/3.8.1/0000_README |
1195 |
@@ -2,7 +2,7 @@ README |
1196 |
----------------------------------------------------------------------------- |
1197 |
Individual Patch Descriptions: |
1198 |
----------------------------------------------------------------------------- |
1199 |
-Patch: 4420_grsecurity-2.9.1-3.8.0-201302271810.patch |
1200 |
+Patch: 4420_grsecurity-2.9.1-3.8.1-201303012255.patch |
1201 |
From: http://www.grsecurity.net |
1202 |
Desc: hardened-sources base patch from upstream grsecurity |
1203 |
|
1204 |
|
1205 |
diff --git a/3.8.0/4420_grsecurity-2.9.1-3.8.0-201302271810.patch b/3.8.1/4420_grsecurity-2.9.1-3.8.1-201303012255.patch |
1206 |
similarity index 99% |
1207 |
rename from 3.8.0/4420_grsecurity-2.9.1-3.8.0-201302271810.patch |
1208 |
rename to 3.8.1/4420_grsecurity-2.9.1-3.8.1-201303012255.patch |
1209 |
index 24c501f..b69296b 100644 |
1210 |
--- a/3.8.0/4420_grsecurity-2.9.1-3.8.0-201302271810.patch |
1211 |
+++ b/3.8.1/4420_grsecurity-2.9.1-3.8.1-201303012255.patch |
1212 |
@@ -252,7 +252,7 @@ index 6c72381..2fe9ae4 100644 |
1213 |
|
1214 |
pcd. [PARIDE] |
1215 |
diff --git a/Makefile b/Makefile |
1216 |
-index d69266c..e4f6593 100644 |
1217 |
+index 746c856..c014cfa 100644 |
1218 |
--- a/Makefile |
1219 |
+++ b/Makefile |
1220 |
@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ |
1221 |
@@ -5494,10 +5494,10 @@ index fc987a1..6e068ef 100644 |
1222 |
#endif |
1223 |
|
1224 |
diff --git a/arch/parisc/include/asm/pgtable.h b/arch/parisc/include/asm/pgtable.h |
1225 |
-index ee99f23..802b0a1 100644 |
1226 |
+index 7df49fa..38b62bf 100644 |
1227 |
--- a/arch/parisc/include/asm/pgtable.h |
1228 |
+++ b/arch/parisc/include/asm/pgtable.h |
1229 |
-@@ -212,6 +212,17 @@ struct vm_area_struct; |
1230 |
+@@ -218,6 +218,17 @@ extern void purge_tlb_entries(struct mm_struct *, unsigned long); |
1231 |
#define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED) |
1232 |
#define PAGE_COPY PAGE_EXECREAD |
1233 |
#define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED) |
1234 |
@@ -9071,7 +9071,7 @@ index e98bfda..ea8d221 100644 |
1235 |
if (!(vma->vm_flags & (VM_READ | VM_EXEC))) |
1236 |
goto bad_area; |
1237 |
diff --git a/arch/sparc/mm/fault_64.c b/arch/sparc/mm/fault_64.c |
1238 |
-index 097aee7..5ca6697 100644 |
1239 |
+index 5062ff3..e0b75f3 100644 |
1240 |
--- a/arch/sparc/mm/fault_64.c |
1241 |
+++ b/arch/sparc/mm/fault_64.c |
1242 |
@@ -21,6 +21,9 @@ |
1243 |
@@ -9827,7 +9827,7 @@ index ad8f795..2c7eec6 100644 |
1244 |
/* |
1245 |
* Memory returned by kmalloc() may be used for DMA, so we must make |
1246 |
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig |
1247 |
-index 225543b..f12405b 100644 |
1248 |
+index 0694d09..b58b3aa 100644 |
1249 |
--- a/arch/x86/Kconfig |
1250 |
+++ b/arch/x86/Kconfig |
1251 |
@@ -238,7 +238,7 @@ config X86_HT |
1252 |
@@ -9874,7 +9874,7 @@ index 225543b..f12405b 100644 |
1253 |
default 0x40000000 if VMSPLIT_1G |
1254 |
default 0xC0000000 |
1255 |
depends on X86_32 |
1256 |
-@@ -1546,6 +1547,7 @@ config SECCOMP |
1257 |
+@@ -1542,6 +1543,7 @@ config SECCOMP |
1258 |
|
1259 |
config CC_STACKPROTECTOR |
1260 |
bool "Enable -fstack-protector buffer overflow detection" |
1261 |
@@ -9882,7 +9882,7 @@ index 225543b..f12405b 100644 |
1262 |
---help--- |
1263 |
This option turns on the -fstack-protector GCC feature. This |
1264 |
feature puts, at the beginning of functions, a canary value on |
1265 |
-@@ -1603,6 +1605,7 @@ config KEXEC_JUMP |
1266 |
+@@ -1599,6 +1601,7 @@ config KEXEC_JUMP |
1267 |
config PHYSICAL_START |
1268 |
hex "Physical address where the kernel is loaded" if (EXPERT || CRASH_DUMP) |
1269 |
default "0x1000000" |
1270 |
@@ -9890,7 +9890,7 @@ index 225543b..f12405b 100644 |
1271 |
---help--- |
1272 |
This gives the physical address where the kernel is loaded. |
1273 |
|
1274 |
-@@ -1666,6 +1669,7 @@ config X86_NEED_RELOCS |
1275 |
+@@ -1662,6 +1665,7 @@ config X86_NEED_RELOCS |
1276 |
config PHYSICAL_ALIGN |
1277 |
hex "Alignment value to which kernel should be aligned" if X86_32 |
1278 |
default "0x1000000" |
1279 |
@@ -9898,7 +9898,7 @@ index 225543b..f12405b 100644 |
1280 |
range 0x2000 0x1000000 |
1281 |
---help--- |
1282 |
This value puts the alignment restrictions on physical address |
1283 |
-@@ -1741,9 +1745,10 @@ config DEBUG_HOTPLUG_CPU0 |
1284 |
+@@ -1737,9 +1741,10 @@ config DEBUG_HOTPLUG_CPU0 |
1285 |
If unsure, say N. |
1286 |
|
1287 |
config COMPAT_VDSO |
1288 |
@@ -19375,6 +19375,91 @@ index 1d41402..af9a46a 100644 |
1289 |
if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE)) |
1290 |
return -EFAULT; |
1291 |
|
1292 |
+diff --git a/arch/x86/kernel/head.c b/arch/x86/kernel/head.c |
1293 |
+index 48d9d4e..992f442 100644 |
1294 |
+--- a/arch/x86/kernel/head.c |
1295 |
++++ b/arch/x86/kernel/head.c |
1296 |
+@@ -5,8 +5,6 @@ |
1297 |
+ #include <asm/setup.h> |
1298 |
+ #include <asm/bios_ebda.h> |
1299 |
+ |
1300 |
+-#define BIOS_LOWMEM_KILOBYTES 0x413 |
1301 |
+- |
1302 |
+ /* |
1303 |
+ * The BIOS places the EBDA/XBDA at the top of conventional |
1304 |
+ * memory, and usually decreases the reported amount of |
1305 |
+@@ -16,17 +14,30 @@ |
1306 |
+ * chipset: reserve a page before VGA to prevent PCI prefetch |
1307 |
+ * into it (errata #56). Usually the page is reserved anyways, |
1308 |
+ * unless you have no PS/2 mouse plugged in. |
1309 |
++ * |
1310 |
++ * This functions is deliberately very conservative. Losing |
1311 |
++ * memory in the bottom megabyte is rarely a problem, as long |
1312 |
++ * as we have enough memory to install the trampoline. Using |
1313 |
++ * memory that is in use by the BIOS or by some DMA device |
1314 |
++ * the BIOS didn't shut down *is* a big problem. |
1315 |
+ */ |
1316 |
++ |
1317 |
++#define BIOS_LOWMEM_KILOBYTES 0x413 |
1318 |
++#define LOWMEM_CAP 0x9f000U /* Absolute maximum */ |
1319 |
++#define INSANE_CUTOFF 0x20000U /* Less than this = insane */ |
1320 |
++ |
1321 |
+ void __init reserve_ebda_region(void) |
1322 |
+ { |
1323 |
+ unsigned int lowmem, ebda_addr; |
1324 |
+ |
1325 |
+- /* To determine the position of the EBDA and the */ |
1326 |
+- /* end of conventional memory, we need to look at */ |
1327 |
+- /* the BIOS data area. In a paravirtual environment */ |
1328 |
+- /* that area is absent. We'll just have to assume */ |
1329 |
+- /* that the paravirt case can handle memory setup */ |
1330 |
+- /* correctly, without our help. */ |
1331 |
++ /* |
1332 |
++ * To determine the position of the EBDA and the |
1333 |
++ * end of conventional memory, we need to look at |
1334 |
++ * the BIOS data area. In a paravirtual environment |
1335 |
++ * that area is absent. We'll just have to assume |
1336 |
++ * that the paravirt case can handle memory setup |
1337 |
++ * correctly, without our help. |
1338 |
++ */ |
1339 |
+ if (paravirt_enabled()) |
1340 |
+ return; |
1341 |
+ |
1342 |
+@@ -37,19 +48,23 @@ void __init reserve_ebda_region(void) |
1343 |
+ /* start of EBDA area */ |
1344 |
+ ebda_addr = get_bios_ebda(); |
1345 |
+ |
1346 |
+- /* Fixup: bios puts an EBDA in the top 64K segment */ |
1347 |
+- /* of conventional memory, but does not adjust lowmem. */ |
1348 |
+- if ((lowmem - ebda_addr) <= 0x10000) |
1349 |
+- lowmem = ebda_addr; |
1350 |
++ /* |
1351 |
++ * Note: some old Dells seem to need 4k EBDA without |
1352 |
++ * reporting so, so just consider the memory above 0x9f000 |
1353 |
++ * to be off limits (bugzilla 2990). |
1354 |
++ */ |
1355 |
+ |
1356 |
+- /* Fixup: bios does not report an EBDA at all. */ |
1357 |
+- /* Some old Dells seem to need 4k anyhow (bugzilla 2990) */ |
1358 |
+- if ((ebda_addr == 0) && (lowmem >= 0x9f000)) |
1359 |
+- lowmem = 0x9f000; |
1360 |
++ /* If the EBDA address is below 128K, assume it is bogus */ |
1361 |
++ if (ebda_addr < INSANE_CUTOFF) |
1362 |
++ ebda_addr = LOWMEM_CAP; |
1363 |
+ |
1364 |
+- /* Paranoia: should never happen, but... */ |
1365 |
+- if ((lowmem == 0) || (lowmem >= 0x100000)) |
1366 |
+- lowmem = 0x9f000; |
1367 |
++ /* If lowmem is less than 128K, assume it is bogus */ |
1368 |
++ if (lowmem < INSANE_CUTOFF) |
1369 |
++ lowmem = LOWMEM_CAP; |
1370 |
++ |
1371 |
++ /* Use the lower of the lowmem and EBDA markers as the cutoff */ |
1372 |
++ lowmem = min(lowmem, ebda_addr); |
1373 |
++ lowmem = min(lowmem, LOWMEM_CAP); /* Absolute cap */ |
1374 |
+ |
1375 |
+ /* reserve all memory between lowmem and the 1MB mark */ |
1376 |
+ memblock_reserve(lowmem, 0x100000 - lowmem); |
1377 |
diff --git a/arch/x86/kernel/head32.c b/arch/x86/kernel/head32.c |
1378 |
index c18f59d..9c0c9f6 100644 |
1379 |
--- a/arch/x86/kernel/head32.c |
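Review bot: In the rewritten `reserve_ebda_region()` the comment about old Dells needing a 4k EBDA now stands alone with no statement under it. The behaviour it describes appears to be implemented by the final `lowmem = min(lowmem, LOWMEM_CAP);`, so the note belongs directly above that line. The new header comment also has a typo: `This functions is deliberately very conservative` should read `This function is ...`. On the visible lines both markers are raised to at least `INSANE_CUTOFF` and the result is capped at `LOWMEM_CAP`, so `0x100000 - lowmem` in the `memblock_reserve()` call cannot wrap; a short comment saying so would help, and the 1MB literal could get a name next to the two new defines. The lines where `lowmem` is first read fall between the inner hunks and are not shown.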
1380 |
@@ -33144,7 +33229,7 @@ index 9d7732b..0b1a793 100644 |
1381 |
.priority = 1, |
1382 |
}; |
1383 |
diff --git a/drivers/dma/sh/shdma.c b/drivers/dma/sh/shdma.c |
1384 |
-index 3315e4b..fc38316 100644 |
1385 |
+index b70709b..1d8d02a 100644 |
1386 |
--- a/drivers/dma/sh/shdma.c |
1387 |
+++ b/drivers/dma/sh/shdma.c |
1388 |
@@ -476,7 +476,7 @@ static int sh_dmae_nmi_handler(struct notifier_block *self, |
1389 |
@@ -33683,7 +33768,7 @@ index 6e0acad..93c8289 100644 |
1390 |
int front_offset; |
1391 |
} drm_i810_private_t; |
1392 |
diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c |
1393 |
-index 9d4a2c2..32a119f 100644 |
1394 |
+index 8a7c48b..72effc2 100644 |
1395 |
--- a/drivers/gpu/drm/i915/i915_debugfs.c |
1396 |
+++ b/drivers/gpu/drm/i915/i915_debugfs.c |
1397 |
@@ -496,7 +496,7 @@ static int i915_interrupt_info(struct seq_file *m, void *data) |
1398 |
@@ -33709,7 +33794,7 @@ index 99daa89..84ebd44 100644 |
1399 |
return can_switch; |
1400 |
} |
1401 |
diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h |
1402 |
-index 12ab3bd..b3bed3b 100644 |
1403 |
+index 7339a4b..445aaba 100644 |
1404 |
--- a/drivers/gpu/drm/i915/i915_drv.h |
1405 |
+++ b/drivers/gpu/drm/i915/i915_drv.h |
1406 |
@@ -656,7 +656,7 @@ typedef struct drm_i915_private { |
1407 |
@@ -33868,10 +33953,10 @@ index fe84338..a863190 100644 |
1408 |
iir = I915_READ(IIR); |
1409 |
|
1410 |
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c |
1411 |
-index da1ad9c..10d368b 100644 |
1412 |
+index 80aa1fc..1ede041 100644 |
1413 |
--- a/drivers/gpu/drm/i915/intel_display.c |
1414 |
+++ b/drivers/gpu/drm/i915/intel_display.c |
1415 |
-@@ -2244,7 +2244,7 @@ intel_finish_fb(struct drm_framebuffer *old_fb) |
1416 |
+@@ -2255,7 +2255,7 @@ intel_finish_fb(struct drm_framebuffer *old_fb) |
1417 |
|
1418 |
wait_event(dev_priv->pending_flip_queue, |
1419 |
atomic_read(&dev_priv->mm.wedged) || |
1420 |
@@ -33880,7 +33965,7 @@ index da1ad9c..10d368b 100644 |
1421 |
|
1422 |
/* Big Hammer, we also need to ensure that any pending |
1423 |
* MI_WAIT_FOR_EVENT inside a user batch buffer on the |
1424 |
-@@ -7109,8 +7109,7 @@ static void do_intel_finish_page_flip(struct drm_device *dev, |
1425 |
+@@ -7122,8 +7122,7 @@ static void do_intel_finish_page_flip(struct drm_device *dev, |
1426 |
|
1427 |
obj = work->old_fb_obj; |
1428 |
|
1429 |
@@ -33890,7 +33975,7 @@ index da1ad9c..10d368b 100644 |
1430 |
wake_up(&dev_priv->pending_flip_queue); |
1431 |
|
1432 |
queue_work(dev_priv->wq, &work->work); |
1433 |
-@@ -7477,7 +7476,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc, |
1434 |
+@@ -7490,7 +7489,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc, |
1435 |
/* Block clients from rendering to the new back buffer until |
1436 |
* the flip occurs and the object is no longer visible. |
1437 |
*/ |
1438 |
@@ -33899,7 +33984,7 @@ index da1ad9c..10d368b 100644 |
1439 |
atomic_inc(&intel_crtc->unpin_work_count); |
1440 |
|
1441 |
ret = dev_priv->display.queue_flip(dev, crtc, fb, obj); |
1442 |
-@@ -7494,7 +7493,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc, |
1443 |
+@@ -7507,7 +7506,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc, |
1444 |
|
1445 |
cleanup_pending: |
1446 |
atomic_dec(&intel_crtc->unpin_work_count); |
1447 |
@@ -36566,6 +36651,27 @@ index 9382895..ac8093c 100644 |
1448 |
|
1449 |
/* debug */ |
1450 |
static int dvb_usb_dw2102_debug; |
1451 |
+diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c |
1452 |
+index 29b2172..a7c5b31 100644 |
1453 |
+--- a/drivers/memstick/host/r592.c |
1454 |
++++ b/drivers/memstick/host/r592.c |
1455 |
+@@ -454,7 +454,7 @@ static int r592_transfer_fifo_pio(struct r592_device *dev) |
1456 |
+ /* Executes one TPC (data is read/written from small or large fifo) */ |
1457 |
+ static void r592_execute_tpc(struct r592_device *dev) |
1458 |
+ { |
1459 |
+- bool is_write = dev->req->tpc >= MS_TPC_SET_RW_REG_ADRS; |
1460 |
++ bool is_write; |
1461 |
+ int len, error; |
1462 |
+ u32 status, reg; |
1463 |
+ |
1464 |
+@@ -463,6 +463,7 @@ static void r592_execute_tpc(struct r592_device *dev) |
1465 |
+ return; |
1466 |
+ } |
1467 |
+ |
1468 |
++ is_write = dev->req->tpc >= MS_TPC_SET_RW_REG_ADRS; |
1469 |
+ len = dev->req->long_data ? |
1470 |
+ dev->req->sg.length : dev->req->data_len; |
1471 |
+ |
1472 |
diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c |
1473 |
index fb69baa..cf7ad22 100644 |
1474 |
--- a/drivers/message/fusion/mptbase.c |
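Review bot: The relocated `is_write = dev->req->tpc >= MS_TPC_SET_RW_REG_ADRS;` in r592_execute_tpc has no comment tying it to the early-return block above it, so a later cleanup could fold it back into the declaration. The guard itself lies outside the hunk (only its `return;` and closing brace are visible), but it presumably tests `dev->req`, which the old initializer dereferenced before the test. I would add `/* dev->req is only dereferenced after the check above */` on the line before the assignment.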
1475 |
@@ -37609,7 +37715,7 @@ index daec9b0..6428fcb 100644 |
1476 |
} |
1477 |
EXPORT_SYMBOL(free_mdio_bitbang); |
1478 |
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c |
1479 |
-index 0b2706a..ba1430d 100644 |
1480 |
+index 508570e..f706dc7 100644 |
1481 |
--- a/drivers/net/ppp/ppp_generic.c |
1482 |
+++ b/drivers/net/ppp/ppp_generic.c |
1483 |
@@ -999,7 +999,6 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) |
1484 |
@@ -40670,7 +40776,7 @@ index f9d2850..b006f04 100644 |
1485 |
tty_port_tty_set(&ch->port, tty); |
1486 |
mutex_lock(&ch->port.mutex); |
1487 |
diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c |
1488 |
-index dcc0430..040bef9 100644 |
1489 |
+index bfd6771..e0d93c4 100644 |
1490 |
--- a/drivers/tty/n_gsm.c |
1491 |
+++ b/drivers/tty/n_gsm.c |
1492 |
@@ -1636,7 +1636,7 @@ static struct gsm_dlci *gsm_dlci_alloc(struct gsm_mux *gsm, int addr) |
1493 |
@@ -40682,7 +40788,7 @@ index dcc0430..040bef9 100644 |
1494 |
kfree(dlci); |
1495 |
return NULL; |
1496 |
} |
1497 |
-@@ -2924,7 +2924,7 @@ static int gsmtty_open(struct tty_struct *tty, struct file *filp) |
1498 |
+@@ -2936,7 +2936,7 @@ static int gsmtty_open(struct tty_struct *tty, struct file *filp) |
1499 |
struct gsm_dlci *dlci = tty->driver_data; |
1500 |
struct tty_port *port = &dlci->port; |
1501 |
|
1502 |
@@ -41521,19 +41627,6 @@ index 681765b..d3ccdf2 100644 |
1503 |
if (!perm) { |
1504 |
ret = -EPERM; |
1505 |
goto reterr; |
1506 |
-diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c |
1507 |
-index 8fd8968..3614c9c 100644 |
1508 |
---- a/drivers/tty/vt/vt.c |
1509 |
-+++ b/drivers/tty/vt/vt.c |
1510 |
-@@ -539,7 +539,7 @@ static void insert_char(struct vc_data *vc, unsigned int nr) |
1511 |
- { |
1512 |
- unsigned short *p = (unsigned short *) vc->vc_pos; |
1513 |
- |
1514 |
-- scr_memmovew(p + nr, p, (vc->vc_cols - vc->vc_x) * 2); |
1515 |
-+ scr_memmovew(p + nr, p, (vc->vc_cols - vc->vc_x - nr) * 2); |
1516 |
- scr_memsetw(p, vc->vc_video_erase_char, nr * 2); |
1517 |
- vc->vc_need_wrap = 0; |
1518 |
- if (DO_UPDATE(vc)) |
1519 |
diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c |
1520 |
index 5110f36..8dc0a74 100644 |
1521 |
--- a/drivers/uio/uio.c |
1522 |
@@ -42024,7 +42117,7 @@ index 5c3960d..15cf8fc 100644 |
1523 |
goto out1; |
1524 |
} |
1525 |
diff --git a/drivers/video/fbmem.c b/drivers/video/fbmem.c |
1526 |
-index 3ff0105..7589d98 100644 |
1527 |
+index dc61c12..e29796e 100644 |
1528 |
--- a/drivers/video/fbmem.c |
1529 |
+++ b/drivers/video/fbmem.c |
1530 |
@@ -428,7 +428,7 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image, |
1531 |
@@ -46262,7 +46355,7 @@ index b96fc6c..431d628 100644 |
1532 |
__bio_for_each_segment(bvec, bio, i, 0) { |
1533 |
char *addr = page_address(bvec->bv_page); |
1534 |
diff --git a/fs/block_dev.c b/fs/block_dev.c |
1535 |
-index 172f849..6efbf24 100644 |
1536 |
+index 78333a3..23dcb4d 100644 |
1537 |
--- a/fs/block_dev.c |
1538 |
+++ b/fs/block_dev.c |
1539 |
@@ -651,7 +651,7 @@ static bool bd_may_claim(struct block_device *bdev, struct block_device *whole, |
1540 |
@@ -50192,7 +50285,7 @@ index 916da8c..1588998 100644 |
1541 |
next->d_inode->i_ino, |
1542 |
dt_type(next->d_inode)) < 0) |
1543 |
diff --git a/fs/lockd/clntproc.c b/fs/lockd/clntproc.c |
1544 |
-index 54f9e6c..9ed908c 100644 |
1545 |
+index 52e5120..808936e 100644 |
1546 |
--- a/fs/lockd/clntproc.c |
1547 |
+++ b/fs/lockd/clntproc.c |
1548 |
@@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt_cancel_ops; |
1549 |
@@ -50235,7 +50328,7 @@ index a94e331..060bce3 100644 |
1550 |
|
1551 |
lock_flocks(); |
1552 |
diff --git a/fs/namei.c b/fs/namei.c |
1553 |
-index 43a97ee..117e7e4 100644 |
1554 |
+index 43a97ee..4e585fd 100644 |
1555 |
--- a/fs/namei.c |
1556 |
+++ b/fs/namei.c |
1557 |
@@ -319,16 +319,32 @@ int generic_permission(struct inode *inode, int mask) |
1558 |
@@ -50338,21 +50431,19 @@ index 43a97ee..117e7e4 100644 |
1559 |
put_link(nd, &link, cookie); |
1560 |
} |
1561 |
} |
1562 |
-@@ -1986,6 +2004,21 @@ static int path_lookupat(int dfd, const char *name, |
1563 |
+@@ -1986,6 +2004,19 @@ static int path_lookupat(int dfd, const char *name, |
1564 |
if (!err) |
1565 |
err = complete_walk(nd); |
1566 |
|
1567 |
-+ if (!(nd->flags & LOOKUP_PARENT)) { |
1568 |
++ if (!err && !(nd->flags & LOOKUP_PARENT)) { |
1569 |
+#ifdef CONFIG_GRKERNSEC |
1570 |
+ if (flags & LOOKUP_RCU) { |
1571 |
-+ if (!err) |
1572 |
-+ path_put(&nd->path); |
1573 |
++ path_put(&nd->path); |
1574 |
+ err = -ECHILD; |
1575 |
+ } else |
1576 |
+#endif |
1577 |
+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) { |
1578 |
-+ if (!err) |
1579 |
-+ path_put(&nd->path); |
1580 |
++ path_put(&nd->path); |
1581 |
+ err = -ENOENT; |
1582 |
+ } |
1583 |
+ } |
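Review bot: In path_lookupat the `} else` that ends the `CONFIG_GRKERNSEC` block binds to the `if (!gr_acl_handle_hidden_file(...))` after the `#endif`, so the shape of the conditional changes with the config option and nothing in the code says so. The RCU arm also turns every successful RCU-walk lookup into `-ECHILD` without stating why; presumably the hidden-file check cannot run in RCU-walk mode and the caller is expected to retry in ref-walk, but that is not visible here. A comment above the `#ifdef` such as `/* ACL check needs ref-walk: bounce RCU lookups with -ECHILD so the caller retries */` would record the intent, and bracing the `else` arm would make the pairing explicit. The function starts and ends outside the hunk.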
1584 |
@@ -50360,7 +50451,7 @@ index 43a97ee..117e7e4 100644 |
1585 |
if (!err && nd->flags & LOOKUP_DIRECTORY) { |
1586 |
if (!nd->inode->i_op->lookup) { |
1587 |
path_put(&nd->path); |
1588 |
-@@ -2013,8 +2046,17 @@ static int filename_lookup(int dfd, struct filename *name, |
1589 |
+@@ -2013,8 +2044,17 @@ static int filename_lookup(int dfd, struct filename *name, |
1590 |
retval = path_lookupat(dfd, name->name, |
1591 |
flags | LOOKUP_REVAL, nd); |
1592 |
|
1593 |
@@ -50379,7 +50470,7 @@ index 43a97ee..117e7e4 100644 |
1594 |
return retval; |
1595 |
} |
1596 |
|
1597 |
-@@ -2392,6 +2434,13 @@ static int may_open(struct path *path, int acc_mode, int flag) |
1598 |
+@@ -2392,6 +2432,13 @@ static int may_open(struct path *path, int acc_mode, int flag) |
1599 |
if (flag & O_NOATIME && !inode_owner_or_capable(inode)) |
1600 |
return -EPERM; |
1601 |
|
1602 |
@@ -50393,7 +50484,7 @@ index 43a97ee..117e7e4 100644 |
1603 |
return 0; |
1604 |
} |
1605 |
|
1606 |
-@@ -2613,7 +2662,7 @@ looked_up: |
1607 |
+@@ -2613,7 +2660,7 @@ looked_up: |
1608 |
* cleared otherwise prior to returning. |
1609 |
*/ |
1610 |
static int lookup_open(struct nameidata *nd, struct path *path, |
1611 |
@@ -50402,7 +50493,7 @@ index 43a97ee..117e7e4 100644 |
1612 |
const struct open_flags *op, |
1613 |
bool got_write, int *opened) |
1614 |
{ |
1615 |
-@@ -2648,6 +2697,17 @@ static int lookup_open(struct nameidata *nd, struct path *path, |
1616 |
+@@ -2648,6 +2695,17 @@ static int lookup_open(struct nameidata *nd, struct path *path, |
1617 |
/* Negative dentry, just create the file */ |
1618 |
if (!dentry->d_inode && (op->open_flag & O_CREAT)) { |
1619 |
umode_t mode = op->mode; |
1620 |
@@ -50420,7 +50511,7 @@ index 43a97ee..117e7e4 100644 |
1621 |
if (!IS_POSIXACL(dir->d_inode)) |
1622 |
mode &= ~current_umask(); |
1623 |
/* |
1624 |
-@@ -2669,6 +2729,8 @@ static int lookup_open(struct nameidata *nd, struct path *path, |
1625 |
+@@ -2669,6 +2727,8 @@ static int lookup_open(struct nameidata *nd, struct path *path, |
1626 |
nd->flags & LOOKUP_EXCL); |
1627 |
if (error) |
1628 |
goto out_dput; |
1629 |
@@ -50429,7 +50520,7 @@ index 43a97ee..117e7e4 100644 |
1630 |
} |
1631 |
out_no_open: |
1632 |
path->dentry = dentry; |
1633 |
-@@ -2683,7 +2745,7 @@ out_dput: |
1634 |
+@@ -2683,7 +2743,7 @@ out_dput: |
1635 |
/* |
1636 |
* Handle the last step of open() |
1637 |
*/ |
1638 |
@@ -50438,7 +50529,7 @@ index 43a97ee..117e7e4 100644 |
1639 |
struct file *file, const struct open_flags *op, |
1640 |
int *opened, struct filename *name) |
1641 |
{ |
1642 |
-@@ -2712,16 +2774,44 @@ static int do_last(struct nameidata *nd, struct path *path, |
1643 |
+@@ -2712,16 +2772,44 @@ static int do_last(struct nameidata *nd, struct path *path, |
1644 |
error = complete_walk(nd); |
1645 |
if (error) |
1646 |
return error; |
1647 |
@@ -50483,7 +50574,7 @@ index 43a97ee..117e7e4 100644 |
1648 |
audit_inode(name, dir, 0); |
1649 |
goto finish_open; |
1650 |
} |
1651 |
-@@ -2770,7 +2860,7 @@ retry_lookup: |
1652 |
+@@ -2770,7 +2858,7 @@ retry_lookup: |
1653 |
*/ |
1654 |
} |
1655 |
mutex_lock(&dir->d_inode->i_mutex); |
1656 |
@@ -50492,7 +50583,7 @@ index 43a97ee..117e7e4 100644 |
1657 |
mutex_unlock(&dir->d_inode->i_mutex); |
1658 |
|
1659 |
if (error <= 0) { |
1660 |
-@@ -2794,11 +2884,28 @@ retry_lookup: |
1661 |
+@@ -2794,11 +2882,28 @@ retry_lookup: |
1662 |
goto finish_open_created; |
1663 |
} |
1664 |
|
1665 |
@@ -50522,7 +50613,7 @@ index 43a97ee..117e7e4 100644 |
1666 |
|
1667 |
/* |
1668 |
* If atomic_open() acquired write access it is dropped now due to |
1669 |
-@@ -2839,6 +2946,11 @@ finish_lookup: |
1670 |
+@@ -2839,6 +2944,11 @@ finish_lookup: |
1671 |
} |
1672 |
} |
1673 |
BUG_ON(inode != path->dentry->d_inode); |
1674 |
@@ -50534,7 +50625,7 @@ index 43a97ee..117e7e4 100644 |
1675 |
return 1; |
1676 |
} |
1677 |
|
1678 |
-@@ -2848,7 +2960,6 @@ finish_lookup: |
1679 |
+@@ -2848,7 +2958,6 @@ finish_lookup: |
1680 |
save_parent.dentry = nd->path.dentry; |
1681 |
save_parent.mnt = mntget(path->mnt); |
1682 |
nd->path.dentry = path->dentry; |
1683 |
@@ -50542,7 +50633,7 @@ index 43a97ee..117e7e4 100644 |
1684 |
} |
1685 |
nd->inode = inode; |
1686 |
/* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */ |
1687 |
-@@ -2857,6 +2968,22 @@ finish_lookup: |
1688 |
+@@ -2857,6 +2966,22 @@ finish_lookup: |
1689 |
path_put(&save_parent); |
1690 |
return error; |
1691 |
} |
1692 |
@@ -50565,7 +50656,7 @@ index 43a97ee..117e7e4 100644 |
1693 |
error = -EISDIR; |
1694 |
if ((open_flag & O_CREAT) && S_ISDIR(nd->inode->i_mode)) |
1695 |
goto out; |
1696 |
-@@ -2955,7 +3082,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, |
1697 |
+@@ -2955,7 +3080,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, |
1698 |
if (unlikely(error)) |
1699 |
goto out; |
1700 |
|
1701 |
@@ -50574,7 +50665,7 @@ index 43a97ee..117e7e4 100644 |
1702 |
while (unlikely(error > 0)) { /* trailing symlink */ |
1703 |
struct path link = path; |
1704 |
void *cookie; |
1705 |
-@@ -2973,7 +3100,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, |
1706 |
+@@ -2973,7 +3098,7 @@ static struct file *path_openat(int dfd, struct filename *pathname, |
1707 |
error = follow_link(&link, nd, &cookie); |
1708 |
if (unlikely(error)) |
1709 |
break; |
1710 |
@@ -50583,7 +50674,7 @@ index 43a97ee..117e7e4 100644 |
1711 |
put_link(nd, &link, cookie); |
1712 |
} |
1713 |
out: |
1714 |
-@@ -3073,8 +3200,12 @@ struct dentry *kern_path_create(int dfd, const char *pathname, |
1715 |
+@@ -3073,8 +3198,12 @@ struct dentry *kern_path_create(int dfd, const char *pathname, |
1716 |
goto unlock; |
1717 |
|
1718 |
error = -EEXIST; |
1719 |
@@ -50597,7 +50688,7 @@ index 43a97ee..117e7e4 100644 |
1720 |
/* |
1721 |
* Special case - lookup gave negative, but... we had foo/bar/ |
1722 |
* From the vfs_mknod() POV we just have a negative dentry - |
1723 |
-@@ -3126,6 +3257,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, |
1724 |
+@@ -3126,6 +3255,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, |
1725 |
} |
1726 |
EXPORT_SYMBOL(user_path_create); |
1727 |
|
1728 |
@@ -50618,7 +50709,7 @@ index 43a97ee..117e7e4 100644 |
1729 |
int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) |
1730 |
{ |
1731 |
int error = may_create(dir, dentry); |
1732 |
-@@ -3188,6 +3333,17 @@ retry: |
1733 |
+@@ -3188,6 +3331,17 @@ retry: |
1734 |
|
1735 |
if (!IS_POSIXACL(path.dentry->d_inode)) |
1736 |
mode &= ~current_umask(); |
1737 |
@@ -50636,7 +50727,7 @@ index 43a97ee..117e7e4 100644 |
1738 |
error = security_path_mknod(&path, dentry, mode, dev); |
1739 |
if (error) |
1740 |
goto out; |
1741 |
-@@ -3204,6 +3360,8 @@ retry: |
1742 |
+@@ -3204,6 +3358,8 @@ retry: |
1743 |
break; |
1744 |
} |
1745 |
out: |
1746 |
@@ -50645,7 +50736,7 @@ index 43a97ee..117e7e4 100644 |
1747 |
done_path_create(&path, dentry); |
1748 |
if (retry_estale(error, lookup_flags)) { |
1749 |
lookup_flags |= LOOKUP_REVAL; |
1750 |
-@@ -3256,9 +3414,16 @@ retry: |
1751 |
+@@ -3256,9 +3412,16 @@ retry: |
1752 |
|
1753 |
if (!IS_POSIXACL(path.dentry->d_inode)) |
1754 |
mode &= ~current_umask(); |
1755 |
@@ -50662,7 +50753,7 @@ index 43a97ee..117e7e4 100644 |
1756 |
done_path_create(&path, dentry); |
1757 |
if (retry_estale(error, lookup_flags)) { |
1758 |
lookup_flags |= LOOKUP_REVAL; |
1759 |
-@@ -3339,6 +3504,8 @@ static long do_rmdir(int dfd, const char __user *pathname) |
1760 |
+@@ -3339,6 +3502,8 @@ static long do_rmdir(int dfd, const char __user *pathname) |
1761 |
struct filename *name; |
1762 |
struct dentry *dentry; |
1763 |
struct nameidata nd; |
1764 |
@@ -50671,7 +50762,7 @@ index 43a97ee..117e7e4 100644 |
1765 |
unsigned int lookup_flags = 0; |
1766 |
retry: |
1767 |
name = user_path_parent(dfd, pathname, &nd, lookup_flags); |
1768 |
-@@ -3371,10 +3538,21 @@ retry: |
1769 |
+@@ -3371,10 +3536,21 @@ retry: |
1770 |
error = -ENOENT; |
1771 |
goto exit3; |
1772 |
} |
1773 |
@@ -50693,7 +50784,7 @@ index 43a97ee..117e7e4 100644 |
1774 |
exit3: |
1775 |
dput(dentry); |
1776 |
exit2: |
1777 |
-@@ -3440,6 +3618,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) |
1778 |
+@@ -3440,6 +3616,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) |
1779 |
struct dentry *dentry; |
1780 |
struct nameidata nd; |
1781 |
struct inode *inode = NULL; |
1782 |
@@ -50702,7 +50793,7 @@ index 43a97ee..117e7e4 100644 |
1783 |
unsigned int lookup_flags = 0; |
1784 |
retry: |
1785 |
name = user_path_parent(dfd, pathname, &nd, lookup_flags); |
1786 |
-@@ -3466,10 +3646,22 @@ retry: |
1787 |
+@@ -3466,10 +3644,22 @@ retry: |
1788 |
if (!inode) |
1789 |
goto slashes; |
1790 |
ihold(inode); |
1791 |
@@ -50725,7 +50816,7 @@ index 43a97ee..117e7e4 100644 |
1792 |
exit2: |
1793 |
dput(dentry); |
1794 |
} |
1795 |
-@@ -3547,9 +3739,17 @@ retry: |
1796 |
+@@ -3547,9 +3737,17 @@ retry: |
1797 |
if (IS_ERR(dentry)) |
1798 |
goto out_putname; |
1799 |
|
1800 |
@@ -50743,7 +50834,7 @@ index 43a97ee..117e7e4 100644 |
1801 |
done_path_create(&path, dentry); |
1802 |
if (retry_estale(error, lookup_flags)) { |
1803 |
lookup_flags |= LOOKUP_REVAL; |
1804 |
-@@ -3623,6 +3823,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, |
1805 |
+@@ -3623,6 +3821,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, |
1806 |
{ |
1807 |
struct dentry *new_dentry; |
1808 |
struct path old_path, new_path; |
1809 |
@@ -50751,7 +50842,7 @@ index 43a97ee..117e7e4 100644 |
1810 |
int how = 0; |
1811 |
int error; |
1812 |
|
1813 |
-@@ -3646,7 +3847,7 @@ retry: |
1814 |
+@@ -3646,7 +3845,7 @@ retry: |
1815 |
if (error) |
1816 |
return error; |
1817 |
|
1818 |
@@ -50760,7 +50851,7 @@ index 43a97ee..117e7e4 100644 |
1819 |
(how & LOOKUP_REVAL)); |
1820 |
error = PTR_ERR(new_dentry); |
1821 |
if (IS_ERR(new_dentry)) |
1822 |
-@@ -3658,11 +3859,28 @@ retry: |
1823 |
+@@ -3658,11 +3857,28 @@ retry: |
1824 |
error = may_linkat(&old_path); |
1825 |
if (unlikely(error)) |
1826 |
goto out_dput; |
1827 |
@@ -50789,7 +50880,7 @@ index 43a97ee..117e7e4 100644 |
1828 |
done_path_create(&new_path, new_dentry); |
1829 |
if (retry_estale(error, how)) { |
1830 |
how |= LOOKUP_REVAL; |
1831 |
-@@ -3908,12 +4126,21 @@ retry: |
1832 |
+@@ -3908,12 +4124,21 @@ retry: |
1833 |
if (new_dentry == trap) |
1834 |
goto exit5; |
1835 |
|
1836 |
@@ -50811,7 +50902,7 @@ index 43a97ee..117e7e4 100644 |
1837 |
exit5: |
1838 |
dput(new_dentry); |
1839 |
exit4: |
1840 |
-@@ -3945,6 +4172,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna |
1841 |
+@@ -3945,6 +4170,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna |
1842 |
|
1843 |
int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link) |
1844 |
{ |
1845 |
@@ -50820,7 +50911,7 @@ index 43a97ee..117e7e4 100644 |
1846 |
int len; |
1847 |
|
1848 |
len = PTR_ERR(link); |
1849 |
-@@ -3954,7 +4183,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c |
1850 |
+@@ -3954,7 +4181,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c |
1851 |
len = strlen(link); |
1852 |
if (len > (unsigned) buflen) |
1853 |
len = buflen; |
1854 |
@@ -50837,7 +50928,7 @@ index 43a97ee..117e7e4 100644 |
1855 |
out: |
1856 |
return len; |
1857 |
diff --git a/fs/namespace.c b/fs/namespace.c |
1858 |
-index 55605c5..f2908c8 100644 |
1859 |
+index a51054f..f9b53e5 100644 |
1860 |
--- a/fs/namespace.c |
1861 |
+++ b/fs/namespace.c |
1862 |
@@ -1215,6 +1215,9 @@ static int do_umount(struct mount *mnt, int flags) |
1863 |
@@ -50850,7 +50941,7 @@ index 55605c5..f2908c8 100644 |
1864 |
return retval; |
1865 |
} |
1866 |
|
1867 |
-@@ -1234,9 +1237,20 @@ static int do_umount(struct mount *mnt, int flags) |
1868 |
+@@ -1234,6 +1237,9 @@ static int do_umount(struct mount *mnt, int flags) |
1869 |
br_write_unlock(&vfsmount_lock); |
1870 |
up_write(&namespace_sem); |
1871 |
release_mounts(&umount_list); |
1872 |
@@ -50860,85 +50951,7 @@ index 55605c5..f2908c8 100644 |
1873 |
return retval; |
1874 |
} |
1875 |
|
1876 |
-+/* |
1877 |
-+ * Is the caller allowed to modify his namespace? |
1878 |
-+ */ |
1879 |
-+static inline bool may_mount(void) |
1880 |
-+{ |
1881 |
-+ return ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_ADMIN); |
1882 |
-+} |
1883 |
-+ |
1884 |
- /* |
1885 |
- * Now umount can handle mount points as well as block devices. |
1886 |
- * This is important for filesystems which use unnamed block devices. |
1887 |
-@@ -1255,6 +1269,9 @@ SYSCALL_DEFINE2(umount, char __user *, name, int, flags) |
1888 |
- if (flags & ~(MNT_FORCE | MNT_DETACH | MNT_EXPIRE | UMOUNT_NOFOLLOW)) |
1889 |
- return -EINVAL; |
1890 |
- |
1891 |
-+ if (!may_mount()) |
1892 |
-+ return -EPERM; |
1893 |
-+ |
1894 |
- if (!(flags & UMOUNT_NOFOLLOW)) |
1895 |
- lookup_flags |= LOOKUP_FOLLOW; |
1896 |
- |
1897 |
-@@ -1268,10 +1285,6 @@ SYSCALL_DEFINE2(umount, char __user *, name, int, flags) |
1898 |
- if (!check_mnt(mnt)) |
1899 |
- goto dput_and_out; |
1900 |
- |
1901 |
-- retval = -EPERM; |
1902 |
-- if (!ns_capable(mnt->mnt_ns->user_ns, CAP_SYS_ADMIN)) |
1903 |
-- goto dput_and_out; |
1904 |
-- |
1905 |
- retval = do_umount(mnt, flags); |
1906 |
- dput_and_out: |
1907 |
- /* we mustn't call path_put() as that would clear mnt_expiry_mark */ |
1908 |
-@@ -1295,7 +1308,7 @@ SYSCALL_DEFINE1(oldumount, char __user *, name) |
1909 |
- |
1910 |
- static int mount_is_safe(struct path *path) |
1911 |
- { |
1912 |
-- if (ns_capable(real_mount(path->mnt)->mnt_ns->user_ns, CAP_SYS_ADMIN)) |
1913 |
-+ if (may_mount()) |
1914 |
- return 0; |
1915 |
- return -EPERM; |
1916 |
- #ifdef notyet |
1917 |
-@@ -1633,7 +1646,7 @@ static int do_change_type(struct path *path, int flag) |
1918 |
- int type; |
1919 |
- int err = 0; |
1920 |
- |
1921 |
-- if (!ns_capable(mnt->mnt_ns->user_ns, CAP_SYS_ADMIN)) |
1922 |
-+ if (!may_mount()) |
1923 |
- return -EPERM; |
1924 |
- |
1925 |
- if (path->dentry != path->mnt->mnt_root) |
1926 |
-@@ -1797,7 +1810,7 @@ static int do_move_mount(struct path *path, const char *old_name) |
1927 |
- struct mount *p; |
1928 |
- struct mount *old; |
1929 |
- int err = 0; |
1930 |
-- if (!ns_capable(real_mount(path->mnt)->mnt_ns->user_ns, CAP_SYS_ADMIN)) |
1931 |
-+ if (!may_mount()) |
1932 |
- return -EPERM; |
1933 |
- if (!old_name || !*old_name) |
1934 |
- return -EINVAL; |
1935 |
-@@ -1933,16 +1946,14 @@ static int do_new_mount(struct path *path, const char *fstype, int flags, |
1936 |
- int mnt_flags, const char *name, void *data) |
1937 |
- { |
1938 |
- struct file_system_type *type; |
1939 |
-- struct user_namespace *user_ns; |
1940 |
-+ struct user_namespace *user_ns = current->nsproxy->mnt_ns->user_ns; |
1941 |
- struct vfsmount *mnt; |
1942 |
- int err; |
1943 |
- |
1944 |
- if (!fstype) |
1945 |
- return -EINVAL; |
1946 |
- |
1947 |
-- /* we need capabilities... */ |
1948 |
-- user_ns = real_mount(path->mnt)->mnt_ns->user_ns; |
1949 |
-- if (!ns_capable(user_ns, CAP_SYS_ADMIN)) |
1950 |
-+ if (!may_mount()) |
1951 |
- return -EPERM; |
1952 |
- |
1953 |
- type = get_fs_type(fstype); |
1954 |
-@@ -2282,6 +2293,16 @@ long do_mount(const char *dev_name, const char *dir_name, |
1955 |
+@@ -2287,6 +2293,16 @@ long do_mount(const char *dev_name, const char *dir_name, |
1956 |
MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT | |
1957 |
MS_STRICTATIME); |
1958 |
|
1959 |
@@ -50955,7 +50968,7 @@ index 55605c5..f2908c8 100644 |
1960 |
if (flags & MS_REMOUNT) |
1961 |
retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags, |
1962 |
data_page); |
1963 |
-@@ -2296,6 +2317,9 @@ long do_mount(const char *dev_name, const char *dir_name, |
1964 |
+@@ -2301,6 +2317,9 @@ long do_mount(const char *dev_name, const char *dir_name, |
1965 |
dev_name, data_page); |
1966 |
dput_out: |
1967 |
path_put(&path); |
1968 |
@@ -50965,16 +50978,7 @@ index 55605c5..f2908c8 100644 |
1969 |
return retval; |
1970 |
} |
1971 |
|
1972 |
-@@ -2567,7 +2591,7 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, |
1973 |
- struct mount *new_mnt, *root_mnt; |
1974 |
- int error; |
1975 |
- |
1976 |
-- if (!ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_ADMIN)) |
1977 |
-+ if (!may_mount()) |
1978 |
- return -EPERM; |
1979 |
- |
1980 |
- error = user_path_dir(new_root, &new); |
1981 |
-@@ -2582,6 +2606,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, |
1982 |
+@@ -2587,6 +2606,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, |
1983 |
if (error) |
1984 |
goto out2; |
1985 |
|
1986 |
@@ -50986,7 +50990,7 @@ index 55605c5..f2908c8 100644 |
1987 |
get_fs_root(current->fs, &root); |
1988 |
error = lock_mount(&old); |
1989 |
if (error) |
1990 |
-@@ -2785,7 +2814,7 @@ static int mntns_install(struct nsproxy *nsproxy, void *ns) |
1991 |
+@@ -2790,7 +2814,7 @@ static int mntns_install(struct nsproxy *nsproxy, void *ns) |
1992 |
!nsown_capable(CAP_SYS_ADMIN)) |
1993 |
return -EPERM; |
1994 |
|
1995 |
@@ -67510,10 +67514,18 @@ index 14a8ff2..21fe4c7 100644 |
1996 |
void __user *, size_t *, loff_t *); |
1997 |
extern int proc_dointvec_minmax(struct ctl_table *, int, |
1998 |
diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h |
1999 |
-index 7faf933..eb6f5e3 100644 |
2000 |
+index 7faf933..c1ad32c 100644 |
2001 |
--- a/include/linux/sysrq.h |
2002 |
+++ b/include/linux/sysrq.h |
2003 |
-@@ -36,7 +36,7 @@ struct sysrq_key_op { |
2004 |
+@@ -15,6 +15,7 @@ |
2005 |
+ #define _LINUX_SYSRQ_H |
2006 |
+ |
2007 |
+ #include <linux/errno.h> |
2008 |
++#include <linux/compiler.h> |
2009 |
+ #include <linux/types.h> |
2010 |
+ |
2011 |
+ /* Enable/disable SYSRQ support by default (0==no, 1==yes). */ |
2012 |
+@@ -36,7 +37,7 @@ struct sysrq_key_op { |
2013 |
char *help_msg; |
2014 |
char *action_msg; |
2015 |
int enable_mask; |
2016 |
@@ -68218,7 +68230,7 @@ index fdeb85a..0c554d5 100644 |
2017 |
|
2018 |
/* Structure to track chunk fragments that have been acked, but peer |
2019 |
diff --git a/include/net/sock.h b/include/net/sock.h |
2020 |
-index 182ca99..b7dc290 100644 |
2021 |
+index 25afaa0..8bb0070 100644 |
2022 |
--- a/include/net/sock.h |
2023 |
+++ b/include/net/sock.h |
2024 |
@@ -322,7 +322,7 @@ struct sock { |
2025 |
@@ -70501,7 +70513,7 @@ index c535f33..1d768f9 100644 |
2026 |
else |
2027 |
new_fs = fs; |
2028 |
diff --git a/kernel/futex.c b/kernel/futex.c |
2029 |
-index 19eb089..b8c65ea 100644 |
2030 |
+index 8879430..31696f1 100644 |
2031 |
--- a/kernel/futex.c |
2032 |
+++ b/kernel/futex.c |
2033 |
@@ -54,6 +54,7 @@ |
2034 |
@@ -70524,7 +70536,7 @@ index 19eb089..b8c65ea 100644 |
2035 |
/* |
2036 |
* The futex address must be "naturally" aligned. |
2037 |
*/ |
2038 |
-@@ -2733,6 +2739,7 @@ static int __init futex_init(void) |
2039 |
+@@ -2731,6 +2737,7 @@ static int __init futex_init(void) |
2040 |
{ |
2041 |
u32 curval; |
2042 |
int i; |
2043 |
@@ -70532,7 +70544,7 @@ index 19eb089..b8c65ea 100644 |
2044 |
|
2045 |
/* |
2046 |
* This will fail and we want it. Some arch implementations do |
2047 |
-@@ -2744,8 +2751,11 @@ static int __init futex_init(void) |
2048 |
+@@ -2742,8 +2749,11 @@ static int __init futex_init(void) |
2049 |
* implementation, the non-functional ones will return |
2050 |
* -ENOSYS. |
2051 |
*/ |
2052 |
@@ -70570,7 +70582,7 @@ index 9b22d03..6295b62 100644 |
2053 |
prev->next = info->next; |
2054 |
else |
2055 |
diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c |
2056 |
-index 6db7a5e..0d600bd 100644 |
2057 |
+index cdd5607..c3fc919 100644 |
2058 |
--- a/kernel/hrtimer.c |
2059 |
+++ b/kernel/hrtimer.c |
2060 |
@@ -1407,7 +1407,7 @@ void hrtimer_peek_ahead_timers(void) |
2061 |
@@ -72054,10 +72066,10 @@ index f2c6a68..4922d97 100644 |
2062 |
{ |
2063 |
struct pid *pid; |
2064 |
diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c |
2065 |
-index a278cad..bff5bd3 100644 |
2066 |
+index 942ca27..111e609 100644 |
2067 |
--- a/kernel/posix-cpu-timers.c |
2068 |
+++ b/kernel/posix-cpu-timers.c |
2069 |
-@@ -1557,14 +1557,14 @@ struct k_clock clock_posix_cpu = { |
2070 |
+@@ -1576,14 +1576,14 @@ struct k_clock clock_posix_cpu = { |
2071 |
|
2072 |
static __init int init_posix_cpu_timers(void) |
2073 |
{ |
2074 |
@@ -73884,7 +73896,7 @@ index c88878d..99d321b 100644 |
2075 |
EXPORT_SYMBOL(proc_doulongvec_minmax); |
2076 |
EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax); |
2077 |
diff --git a/kernel/sysctl_binary.c b/kernel/sysctl_binary.c |
2078 |
-index 5a63844..25dfc5c 100644 |
2079 |
+index 5a63844..a199f50 100644 |
2080 |
--- a/kernel/sysctl_binary.c |
2081 |
+++ b/kernel/sysctl_binary.c |
2082 |
@@ -989,7 +989,7 @@ static ssize_t bin_intvec(struct file *file, |
2083 |
@@ -73941,7 +73953,19 @@ index 5a63844..25dfc5c 100644 |
2084 |
set_fs(old_fs); |
2085 |
if (result < 0) |
2086 |
goto out; |
2087 |
-@@ -1233,7 +1233,7 @@ static ssize_t bin_dn_node_address(struct file *file, |
2088 |
+@@ -1194,9 +1194,10 @@ static ssize_t bin_dn_node_address(struct file *file, |
2089 |
+ |
2090 |
+ /* Convert the decnet address to binary */ |
2091 |
+ result = -EIO; |
2092 |
+- nodep = strchr(buf, '.') + 1; |
2093 |
++ nodep = strchr(buf, '.'); |
2094 |
+ if (!nodep) |
2095 |
+ goto out; |
2096 |
++ ++nodep; |
2097 |
+ |
2098 |
+ area = simple_strtoul(buf, NULL, 10); |
2099 |
+ node = simple_strtoul(nodep, NULL, 10); |
2100 |
+@@ -1233,7 +1234,7 @@ static ssize_t bin_dn_node_address(struct file *file, |
2101 |
le16_to_cpu(dnaddr) & 0x3ff); |
2102 |
|
2103 |
set_fs(KERNEL_DS); |
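Review bot: With the NULL test on `nodep` now effective in bin_dn_node_address, the two `simple_strtoul(..., NULL, 10)` calls that follow still accept text with no digits, so `"."` or `"x.y"` parses as area 0, node 0 instead of failing with `-EIO`. Passing an end pointer would close that: `area = simple_strtoul(buf, &end, 10);` followed by `if (end == buf || end != nodep - 1) goto out;`, with the same digit check for `node`. Any range check on `area` and `node` lies outside the hunk, so this may be partly covered there.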
2104 |
@@ -74931,6 +74955,26 @@ index 5e396ac..58d5de1 100644 |
2105 |
err_printk(dev, NULL, "DMA-API: device driver maps memory from" |
2106 |
"stack [addr=%p]\n", addr); |
2107 |
} |
2108 |
+diff --git a/lib/idr.c b/lib/idr.c |
2109 |
+index 6482390..ca5aa00 100644 |
2110 |
+--- a/lib/idr.c |
2111 |
++++ b/lib/idr.c |
2112 |
+@@ -625,7 +625,14 @@ void *idr_get_next(struct idr *idp, int *nextidp) |
2113 |
+ return p; |
2114 |
+ } |
2115 |
+ |
2116 |
+- id += 1 << n; |
2117 |
++ /* |
2118 |
++ * Proceed to the next layer at the current level. Unlike |
2119 |
++ * idr_for_each(), @id isn't guaranteed to be aligned to |
2120 |
++ * layer boundary at this point and adding 1 << n may |
2121 |
++ * incorrectly skip IDs. Make sure we jump to the |
2122 |
++ * beginning of the next layer using round_up(). |
2123 |
++ */ |
2124 |
++ id = round_up(id + 1, 1 << n); |
2125 |
+ while (n < fls(id)) { |
2126 |
+ n += IDR_BITS; |
2127 |
+ p = *--paa; |
2128 |
diff --git a/lib/inflate.c b/lib/inflate.c |
2129 |
index 013a761..c28f3fc 100644 |
2130 |
--- a/lib/inflate.c |
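Review bot: `id = round_up(id + 1, 1 << n);` in idr_get_next can exceed the range of `id` when the walk is already in the last layer, if `id` is the plain `int` suggested by the `int *nextidp` parameter (its declaration is outside the hunk). The wrapped value would then feed `fls(id)` and the `while` loop that climbs back through `paa`. A guard before the rounding, for example `if (id > INT_MAX - (1 << n)) return NULL;`, would end the iteration at the top of the ID space instead. The bound on `n` that keeps `1 << n` itself defined is also not visible here.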
2131 |
@@ -76511,7 +76555,7 @@ index c9bd528..da8d069 100644 |
2132 |
capable(CAP_IPC_LOCK)) |
2133 |
ret = do_mlockall(flags); |
2134 |
diff --git a/mm/mmap.c b/mm/mmap.c |
2135 |
-index d1e4124..32a6988 100644 |
2136 |
+index d1e4124..7d36e4f 100644 |
2137 |
--- a/mm/mmap.c |
2138 |
+++ b/mm/mmap.c |
2139 |
@@ -32,6 +32,7 @@ |
2140 |
@@ -77257,7 +77301,51 @@ index d1e4124..32a6988 100644 |
2141 |
spin_unlock(&vma->vm_mm->page_table_lock); |
2142 |
|
2143 |
perf_event_mmap(vma); |
2144 |
-@@ -2236,6 +2544,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) |
2145 |
+@@ -2169,9 +2477,28 @@ int expand_downwards(struct vm_area_struct *vma, |
2146 |
+ return error; |
2147 |
+ } |
2148 |
+ |
2149 |
++/* |
2150 |
++ * Note how expand_stack() refuses to expand the stack all the way to |
2151 |
++ * abut the next virtual mapping, *unless* that mapping itself is also |
2152 |
++ * a stack mapping. We want to leave room for a guard page, after all |
2153 |
++ * (the guard page itself is not added here, that is done by the |
2154 |
++ * actual page faulting logic) |
2155 |
++ * |
2156 |
++ * This matches the behavior of the guard page logic (see mm/memory.c: |
2157 |
++ * check_stack_guard_page()), which only allows the guard page to be |
2158 |
++ * removed under these circumstances. |
2159 |
++ */ |
2160 |
+ #ifdef CONFIG_STACK_GROWSUP |
2161 |
+ int expand_stack(struct vm_area_struct *vma, unsigned long address) |
2162 |
+ { |
2163 |
++ struct vm_area_struct *next; |
2164 |
++ |
2165 |
++ address &= PAGE_MASK; |
2166 |
++ next = vma->vm_next; |
2167 |
++ if (next && next->vm_start == address + PAGE_SIZE) { |
2168 |
++ if (!(next->vm_flags & VM_GROWSUP)) |
2169 |
++ return -ENOMEM; |
2170 |
++ } |
2171 |
+ return expand_upwards(vma, address); |
2172 |
+ } |
2173 |
+ |
2174 |
+@@ -2194,6 +2521,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr) |
2175 |
+ #else |
2176 |
+ int expand_stack(struct vm_area_struct *vma, unsigned long address) |
2177 |
+ { |
2178 |
++ struct vm_area_struct *prev; |
2179 |
++ |
2180 |
++ address &= PAGE_MASK; |
2181 |
++ prev = vma->vm_prev; |
2182 |
++ if (prev && prev->vm_end == address) { |
2183 |
++ if (!(prev->vm_flags & VM_GROWSDOWN)) |
2184 |
++ return -ENOMEM; |
2185 |
++ } |
2186 |
+ return expand_downwards(vma, address); |
2187 |
+ } |
2188 |
+ |
2189 |
+@@ -2236,6 +2571,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) |
2190 |
do { |
2191 |
long nrpages = vma_pages(vma); |
2192 |
|
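Review bot: The two added expand_stack() checks compare different quantities, `next->vm_start == address + PAGE_SIZE` in the CONFIG_STACK_GROWSUP body and `prev->vm_end == address` in the other, and nothing in the code says why they differ. The block comment explains the policy but not the arithmetic; a line in each body would help, for example `/* upward growth ends at address + PAGE_SIZE, so that is the edge that must not touch next */` (to be confirmed against expand_upwards(), which is outside the hunk). The comment should also state that the gap enforced here is exactly one page, so it stops a sequential overrun into a neighbouring mapping but not a stack frame that steps over more than a page at once. That case still needs compiler stack probing or a wider gap policy elsewhere.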
2193 |
@@ -77271,7 +77359,7 @@ index d1e4124..32a6988 100644 |
2194 |
if (vma->vm_flags & VM_ACCOUNT) |
2195 |
nr_accounted += nrpages; |
2196 |
vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); |
2197 |
-@@ -2281,6 +2596,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, |
2198 |
+@@ -2281,6 +2623,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, |
2199 |
insertion_point = (prev ? &prev->vm_next : &mm->mmap); |
2200 |
vma->vm_prev = NULL; |
2201 |
do { |
2202 |
@@ -77288,7 +77376,7 @@ index d1e4124..32a6988 100644 |
2203 |
vma_rb_erase(vma, &mm->mm_rb); |
2204 |
mm->map_count--; |
2205 |
tail_vma = vma; |
2206 |
-@@ -2312,14 +2637,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
2207 |
+@@ -2312,14 +2664,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
2208 |
struct vm_area_struct *new; |
2209 |
int err = -ENOMEM; |
2210 |
|
2211 |
@@ -77322,7 +77410,7 @@ index d1e4124..32a6988 100644 |
2212 |
/* most fields are the same, copy all, and then fixup */ |
2213 |
*new = *vma; |
2214 |
|
2215 |
-@@ -2332,6 +2676,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
2216 |
+@@ -2332,6 +2703,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
2217 |
new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); |
2218 |
} |
2219 |
|
2220 |
@@ -77345,7 +77433,7 @@ index d1e4124..32a6988 100644 |
2221 |
pol = mpol_dup(vma_policy(vma)); |
2222 |
if (IS_ERR(pol)) { |
2223 |
err = PTR_ERR(pol); |
2224 |
-@@ -2354,6 +2714,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
2225 |
+@@ -2354,6 +2741,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
2226 |
else |
2227 |
err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); |
2228 |
|
2229 |
@@ -77382,7 +77470,7 @@ index d1e4124..32a6988 100644 |
2230 |
/* Success. */ |
2231 |
if (!err) |
2232 |
return 0; |
2233 |
-@@ -2363,10 +2753,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
2234 |
+@@ -2363,10 +2780,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
2235 |
new->vm_ops->close(new); |
2236 |
if (new->vm_file) |
2237 |
fput(new->vm_file); |
2238 |
@@ -77402,7 +77490,7 @@ index d1e4124..32a6988 100644 |
2239 |
kmem_cache_free(vm_area_cachep, new); |
2240 |
out_err: |
2241 |
return err; |
2242 |
-@@ -2379,6 +2777,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
2243 |
+@@ -2379,6 +2804,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, |
2244 |
int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, |
2245 |
unsigned long addr, int new_below) |
2246 |
{ |
2247 |
@@ -77418,7 +77506,7 @@ index d1e4124..32a6988 100644 |
2248 |
if (mm->map_count >= sysctl_max_map_count) |
2249 |
return -ENOMEM; |
2250 |
|
2251 |
-@@ -2390,11 +2797,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, |
2252 |
+@@ -2390,11 +2824,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, |
2253 |
* work. This now handles partial unmappings. |
2254 |
* Jeremy Fitzhardinge <jeremy@××××.org> |
2255 |
*/ |
2256 |
@@ -77449,7 +77537,7 @@ index d1e4124..32a6988 100644 |
2257 |
if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) |
2258 |
return -EINVAL; |
2259 |
|
2260 |
-@@ -2469,6 +2895,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) |
2261 |
+@@ -2469,6 +2922,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) |
2262 |
/* Fix up all other VM information */ |
2263 |
remove_vma_list(mm, vma); |
2264 |
|
2265 |
@@ -77458,7 +77546,7 @@ index d1e4124..32a6988 100644 |
2266 |
return 0; |
2267 |
} |
2268 |
|
2269 |
-@@ -2477,6 +2905,13 @@ int vm_munmap(unsigned long start, size_t len) |
2270 |
+@@ -2477,6 +2932,13 @@ int vm_munmap(unsigned long start, size_t len) |
2271 |
int ret; |
2272 |
struct mm_struct *mm = current->mm; |
2273 |
|
2274 |
@@ -77472,7 +77560,7 @@ index d1e4124..32a6988 100644 |
2275 |
down_write(&mm->mmap_sem); |
2276 |
ret = do_munmap(mm, start, len); |
2277 |
up_write(&mm->mmap_sem); |
2278 |
-@@ -2490,16 +2925,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) |
2279 |
+@@ -2490,16 +2952,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) |
2280 |
return vm_munmap(addr, len); |
2281 |
} |
2282 |
|
2283 |
@@ -77489,7 +77577,7 @@ index d1e4124..32a6988 100644 |
2284 |
/* |
2285 |
* this is really a simplified "do_mmap". it only handles |
2286 |
* anonymous maps. eventually we may be able to do some |
2287 |
-@@ -2513,6 +2938,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) |
2288 |
+@@ -2513,6 +2965,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) |
2289 |
struct rb_node ** rb_link, * rb_parent; |
2290 |
pgoff_t pgoff = addr >> PAGE_SHIFT; |
2291 |
int error; |
2292 |
@@ -77497,7 +77585,7 @@ index d1e4124..32a6988 100644 |
2293 |
|
2294 |
len = PAGE_ALIGN(len); |
2295 |
if (!len) |
2296 |
-@@ -2520,16 +2946,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) |
2297 |
+@@ -2520,16 +2973,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) |
2298 |
|
2299 |
flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; |
2300 |
|
2301 |
@@ -77529,7 +77617,7 @@ index d1e4124..32a6988 100644 |
2302 |
locked += mm->locked_vm; |
2303 |
lock_limit = rlimit(RLIMIT_MEMLOCK); |
2304 |
lock_limit >>= PAGE_SHIFT; |
2305 |
-@@ -2546,21 +2986,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) |
2306 |
+@@ -2546,21 +3013,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) |
2307 |
/* |
2308 |
* Clear old maps. this also does some error checking for us |
2309 |
*/ |
2310 |
@@ -77554,7 +77642,7 @@ index d1e4124..32a6988 100644 |
2311 |
return -ENOMEM; |
2312 |
|
2313 |
/* Can we just expand an old private anonymous mapping? */ |
2314 |
-@@ -2574,7 +3013,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) |
2315 |
+@@ -2574,7 +3040,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) |
2316 |
*/ |
2317 |
vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); |
2318 |
if (!vma) { |
2319 |
@@ -77563,7 +77651,7 @@ index d1e4124..32a6988 100644 |
2320 |
return -ENOMEM; |
2321 |
} |
2322 |
|
2323 |
-@@ -2588,11 +3027,12 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) |
2324 |
+@@ -2588,11 +3054,12 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) |
2325 |
vma_link(mm, vma, prev, rb_link, rb_parent); |
2326 |
out: |
2327 |
perf_event_mmap(vma); |
2328 |
@@ -77578,7 +77666,7 @@ index d1e4124..32a6988 100644 |
2329 |
return addr; |
2330 |
} |
2331 |
|
2332 |
-@@ -2650,6 +3090,7 @@ void exit_mmap(struct mm_struct *mm) |
2333 |
+@@ -2650,6 +3117,7 @@ void exit_mmap(struct mm_struct *mm) |
2334 |
while (vma) { |
2335 |
if (vma->vm_flags & VM_ACCOUNT) |
2336 |
nr_accounted += vma_pages(vma); |
2337 |
@@ -77586,7 +77674,7 @@ index d1e4124..32a6988 100644 |
2338 |
vma = remove_vma(vma); |
2339 |
} |
2340 |
vm_unacct_memory(nr_accounted); |
2341 |
-@@ -2666,6 +3107,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) |
2342 |
+@@ -2666,6 +3134,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) |
2343 |
struct vm_area_struct *prev; |
2344 |
struct rb_node **rb_link, *rb_parent; |
2345 |
|
2346 |
@@ -77600,7 +77688,7 @@ index d1e4124..32a6988 100644 |
2347 |
/* |
2348 |
* The vm_pgoff of a purely anonymous vma should be irrelevant |
2349 |
* until its first write fault, when page's anon_vma and index |
2350 |
-@@ -2689,7 +3137,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) |
2351 |
+@@ -2689,7 +3164,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) |
2352 |
security_vm_enough_memory_mm(mm, vma_pages(vma))) |
2353 |
return -ENOMEM; |
2354 |
|
2355 |
@@ -77622,7 +77710,7 @@ index d1e4124..32a6988 100644 |
2356 |
return 0; |
2357 |
} |
2358 |
|
2359 |
-@@ -2709,6 +3171,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, |
2360 |
+@@ -2709,6 +3198,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, |
2361 |
struct mempolicy *pol; |
2362 |
bool faulted_in_anon_vma = true; |
2363 |
|
2364 |
@@ -77631,7 +77719,7 @@ index d1e4124..32a6988 100644 |
2365 |
/* |
2366 |
* If anonymous vma has not yet been faulted, update new pgoff |
2367 |
* to match new location, to increase its chance of merging. |
2368 |
-@@ -2775,6 +3239,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, |
2369 |
+@@ -2775,6 +3266,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, |
2370 |
return NULL; |
2371 |
} |
2372 |
|
2373 |
@@ -77671,7 +77759,7 @@ index d1e4124..32a6988 100644 |
2374 |
/* |
2375 |
* Return true if the calling process may expand its vm space by the passed |
2376 |
* number of pages |
2377 |
-@@ -2786,6 +3283,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) |
2378 |
+@@ -2786,6 +3310,12 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) |
2379 |
|
2380 |
lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT; |
2381 |
|
2382 |
@@ -77684,7 +77772,7 @@ index d1e4124..32a6988 100644 |
2383 |
if (cur + npages > lim) |
2384 |
return 0; |
2385 |
return 1; |
2386 |
-@@ -2856,6 +3359,22 @@ int install_special_mapping(struct mm_struct *mm, |
2387 |
+@@ -2856,6 +3386,22 @@ int install_special_mapping(struct mm_struct *mm, |
2388 |
vma->vm_start = addr; |
2389 |
vma->vm_end = addr + len; |
2390 |
|
2391 |
@@ -77707,136 +77795,6 @@ index d1e4124..32a6988 100644 |
2392 |
vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND; |
2393 |
vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); |
2394 |
|
2395 |
-diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c |
2396 |
-index 8a5ac8c..f5c3d96 100644 |
2397 |
---- a/mm/mmu_notifier.c |
2398 |
-+++ b/mm/mmu_notifier.c |
2399 |
-@@ -37,49 +37,51 @@ static struct srcu_struct srcu; |
2400 |
- void __mmu_notifier_release(struct mm_struct *mm) |
2401 |
- { |
2402 |
- struct mmu_notifier *mn; |
2403 |
-- struct hlist_node *n; |
2404 |
- int id; |
2405 |
- |
2406 |
- /* |
2407 |
-- * SRCU here will block mmu_notifier_unregister until |
2408 |
-- * ->release returns. |
2409 |
-+ * srcu_read_lock() here will block synchronize_srcu() in |
2410 |
-+ * mmu_notifier_unregister() until all registered |
2411 |
-+ * ->release() callouts this function makes have |
2412 |
-+ * returned. |
2413 |
- */ |
2414 |
- id = srcu_read_lock(&srcu); |
2415 |
-- hlist_for_each_entry_rcu(mn, n, &mm->mmu_notifier_mm->list, hlist) |
2416 |
-- /* |
2417 |
-- * if ->release runs before mmu_notifier_unregister it |
2418 |
-- * must be handled as it's the only way for the driver |
2419 |
-- * to flush all existing sptes and stop the driver |
2420 |
-- * from establishing any more sptes before all the |
2421 |
-- * pages in the mm are freed. |
2422 |
-- */ |
2423 |
-- if (mn->ops->release) |
2424 |
-- mn->ops->release(mn, mm); |
2425 |
-- srcu_read_unlock(&srcu, id); |
2426 |
-- |
2427 |
- spin_lock(&mm->mmu_notifier_mm->lock); |
2428 |
- while (unlikely(!hlist_empty(&mm->mmu_notifier_mm->list))) { |
2429 |
- mn = hlist_entry(mm->mmu_notifier_mm->list.first, |
2430 |
- struct mmu_notifier, |
2431 |
- hlist); |
2432 |
-+ |
2433 |
- /* |
2434 |
-- * We arrived before mmu_notifier_unregister so |
2435 |
-- * mmu_notifier_unregister will do nothing other than |
2436 |
-- * to wait ->release to finish and |
2437 |
-- * mmu_notifier_unregister to return. |
2438 |
-+ * Unlink. This will prevent mmu_notifier_unregister() |
2439 |
-+ * from also making the ->release() callout. |
2440 |
- */ |
2441 |
- hlist_del_init_rcu(&mn->hlist); |
2442 |
-+ spin_unlock(&mm->mmu_notifier_mm->lock); |
2443 |
-+ |
2444 |
-+ /* |
2445 |
-+ * Clear sptes. (see 'release' description in mmu_notifier.h) |
2446 |
-+ */ |
2447 |
-+ if (mn->ops->release) |
2448 |
-+ mn->ops->release(mn, mm); |
2449 |
-+ |
2450 |
-+ spin_lock(&mm->mmu_notifier_mm->lock); |
2451 |
- } |
2452 |
- spin_unlock(&mm->mmu_notifier_mm->lock); |
2453 |
- |
2454 |
- /* |
2455 |
-- * synchronize_srcu here prevents mmu_notifier_release to |
2456 |
-- * return to exit_mmap (which would proceed freeing all pages |
2457 |
-- * in the mm) until the ->release method returns, if it was |
2458 |
-- * invoked by mmu_notifier_unregister. |
2459 |
-- * |
2460 |
-- * The mmu_notifier_mm can't go away from under us because one |
2461 |
-- * mm_count is hold by exit_mmap. |
2462 |
-+ * All callouts to ->release() which we have done are complete. |
2463 |
-+ * Allow synchronize_srcu() in mmu_notifier_unregister() to complete |
2464 |
-+ */ |
2465 |
-+ srcu_read_unlock(&srcu, id); |
2466 |
-+ |
2467 |
-+ /* |
2468 |
-+ * mmu_notifier_unregister() may have unlinked a notifier and may |
2469 |
-+ * still be calling out to it. Additionally, other notifiers |
2470 |
-+ * may have been active via vmtruncate() et. al. Block here |
2471 |
-+ * to ensure that all notifier callouts for this mm have been |
2472 |
-+ * completed and the sptes are really cleaned up before returning |
2473 |
-+ * to exit_mmap(). |
2474 |
- */ |
2475 |
- synchronize_srcu(&srcu); |
2476 |
- } |
2477 |
-@@ -294,31 +296,31 @@ void mmu_notifier_unregister(struct mmu_notifier *mn, struct mm_struct *mm) |
2478 |
- { |
2479 |
- BUG_ON(atomic_read(&mm->mm_count) <= 0); |
2480 |
- |
2481 |
-+ spin_lock(&mm->mmu_notifier_mm->lock); |
2482 |
- if (!hlist_unhashed(&mn->hlist)) { |
2483 |
-- /* |
2484 |
-- * SRCU here will force exit_mmap to wait ->release to finish |
2485 |
-- * before freeing the pages. |
2486 |
-- */ |
2487 |
- int id; |
2488 |
- |
2489 |
-+ /* |
2490 |
-+ * Ensure we synchronize up with __mmu_notifier_release(). |
2491 |
-+ */ |
2492 |
- id = srcu_read_lock(&srcu); |
2493 |
-- /* |
2494 |
-- * exit_mmap will block in mmu_notifier_release to |
2495 |
-- * guarantee ->release is called before freeing the |
2496 |
-- * pages. |
2497 |
-- */ |
2498 |
-- if (mn->ops->release) |
2499 |
-- mn->ops->release(mn, mm); |
2500 |
-- srcu_read_unlock(&srcu, id); |
2501 |
- |
2502 |
-- spin_lock(&mm->mmu_notifier_mm->lock); |
2503 |
- hlist_del_rcu(&mn->hlist); |
2504 |
- spin_unlock(&mm->mmu_notifier_mm->lock); |
2505 |
-- } |
2506 |
-+ |
2507 |
-+ if (mn->ops->release) |
2508 |
-+ mn->ops->release(mn, mm); |
2509 |
-+ |
2510 |
-+ /* |
2511 |
-+ * Allow __mmu_notifier_release() to complete. |
2512 |
-+ */ |
2513 |
-+ srcu_read_unlock(&srcu, id); |
2514 |
-+ } else |
2515 |
-+ spin_unlock(&mm->mmu_notifier_mm->lock); |
2516 |
- |
2517 |
- /* |
2518 |
-- * Wait any running method to finish, of course including |
2519 |
-- * ->release if it was run by mmu_notifier_relase instead of us. |
2520 |
-+ * Wait for any running method to finish, including ->release() if it |
2521 |
-+ * was run by __mmu_notifier_release() instead of us. |
2522 |
- */ |
2523 |
- synchronize_srcu(&srcu); |
2524 |
- |
2525 |
diff --git a/mm/mprotect.c b/mm/mprotect.c |
2526 |
index 94722a4..9837984 100644 |
2527 |
--- a/mm/mprotect.c |
2528 |
@@ -78441,7 +78399,7 @@ index 2c78f8c..9e9c624 100644 |
2529 |
struct anon_vma_chain *avc; |
2530 |
struct anon_vma *anon_vma; |
2531 |
diff --git a/mm/shmem.c b/mm/shmem.c |
2532 |
-index 5dd56f6..994b702 100644 |
2533 |
+index efd0b3a..994b702 100644 |
2534 |
--- a/mm/shmem.c |
2535 |
+++ b/mm/shmem.c |
2536 |
@@ -31,7 +31,7 @@ |
2537 |
@@ -78490,31 +78448,7 @@ index 5dd56f6..994b702 100644 |
2538 |
return simple_xattr_set(&info->xattrs, name, value, size, flags); |
2539 |
} |
2540 |
|
2541 |
-@@ -2487,6 +2501,7 @@ static int shmem_remount_fs(struct super_block *sb, int *flags, char *data) |
2542 |
- unsigned long inodes; |
2543 |
- int error = -EINVAL; |
2544 |
- |
2545 |
-+ config.mpol = NULL; |
2546 |
- if (shmem_parse_options(data, &config, true)) |
2547 |
- return error; |
2548 |
- |
2549 |
-@@ -2511,8 +2526,13 @@ static int shmem_remount_fs(struct super_block *sb, int *flags, char *data) |
2550 |
- sbinfo->max_inodes = config.max_inodes; |
2551 |
- sbinfo->free_inodes = config.max_inodes - inodes; |
2552 |
- |
2553 |
-- mpol_put(sbinfo->mpol); |
2554 |
-- sbinfo->mpol = config.mpol; /* transfers initial ref */ |
2555 |
-+ /* |
2556 |
-+ * Preserve previous mempolicy unless mpol remount option was specified. |
2557 |
-+ */ |
2558 |
-+ if (config.mpol) { |
2559 |
-+ mpol_put(sbinfo->mpol); |
2560 |
-+ sbinfo->mpol = config.mpol; /* transfers initial ref */ |
2561 |
-+ } |
2562 |
- out: |
2563 |
- spin_unlock(&sbinfo->stat_lock); |
2564 |
- return error; |
2565 |
-@@ -2556,8 +2576,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent) |
2566 |
+@@ -2562,8 +2576,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent) |
2567 |
int err = -ENOMEM; |
2568 |
|
2569 |
/* Round up to L1_CACHE_BYTES to resist false sharing */ |
2570 |
@@ -80788,7 +80722,7 @@ index bc131d4..029e378 100644 |
2571 |
EXPORT_SYMBOL(sock_init_data); |
2572 |
|
2573 |
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c |
2574 |
-index 602cd63..0a699b1 100644 |
2575 |
+index 750f44f..0a699b1 100644 |
2576 |
--- a/net/core/sock_diag.c |
2577 |
+++ b/net/core/sock_diag.c |
2578 |
@@ -15,20 +15,27 @@ static DEFINE_MUTEX(sock_diag_table_mutex); |
2579 |
@@ -80841,14 +80775,11 @@ index 602cd63..0a699b1 100644 |
2580 |
static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) |
2581 |
{ |
2582 |
int err; |
2583 |
-@@ -121,12 +113,20 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) |
2584 |
- if (nlmsg_len(nlh) < sizeof(*req)) |
2585 |
+@@ -124,12 +116,17 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) |
2586 |
+ if (req->sdiag_family >= AF_MAX) |
2587 |
return -EINVAL; |
2588 |
|
2589 |
- hndl = sock_diag_lock_handler(req->sdiag_family); |
2590 |
-+ if (req->sdiag_family >= AF_MAX) |
2591 |
-+ return -EINVAL; |
2592 |
-+ |
2593 |
+ if (sock_diag_handlers[req->sdiag_family] == NULL) |
2594 |
+ request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK, |
2595 |
+ NETLINK_SOCK_DIAG, req->sdiag_family); |
2596 |
@@ -81176,7 +81107,7 @@ index 17c5e06..1b91206 100644 |
2597 |
|
2598 |
case IPT_SO_GET_ENTRIES: |
2599 |
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c |
2600 |
-index 6f9c072..38ea6c6 100644 |
2601 |
+index dc454cc..5bb917f 100644 |
2602 |
--- a/net/ipv4/ping.c |
2603 |
+++ b/net/ipv4/ping.c |
2604 |
@@ -844,7 +844,7 @@ static void ping_format_sock(struct sock *sp, struct seq_file *f, |
2605 |
@@ -85360,19 +85291,6 @@ index 6ece7f2..ecdb55c 100644 |
2606 |
goto error; |
2607 |
|
2608 |
buflen -= tmp; |
2609 |
-diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c |
2610 |
-index 20e4bf5..58dfe08 100644 |
2611 |
---- a/security/keys/process_keys.c |
2612 |
-+++ b/security/keys/process_keys.c |
2613 |
-@@ -367,6 +367,8 @@ key_ref_t search_my_process_keyrings(struct key_type *type, |
2614 |
- |
2615 |
- switch (PTR_ERR(key_ref)) { |
2616 |
- case -EAGAIN: /* no key */ |
2617 |
-+ if (ret) |
2618 |
-+ break; |
2619 |
- case -ENOKEY: /* negative key */ |
2620 |
- ret = key_ref; |
2621 |
- break; |
2622 |
diff --git a/security/min_addr.c b/security/min_addr.c |
2623 |
index f728728..6457a0c 100644 |
2624 |
--- a/security/min_addr.c |
2625 |
|
2626 |
diff --git a/3.8.0/4425_grsec_remove_EI_PAX.patch b/3.8.1/4425_grsec_remove_EI_PAX.patch |
2627 |
similarity index 100% |
2628 |
rename from 3.8.0/4425_grsec_remove_EI_PAX.patch |
2629 |
rename to 3.8.1/4425_grsec_remove_EI_PAX.patch |
2630 |
|
2631 |
diff --git a/3.8.0/4430_grsec-remove-localversion-grsec.patch b/3.8.1/4430_grsec-remove-localversion-grsec.patch |
2632 |
similarity index 100% |
2633 |
rename from 3.8.0/4430_grsec-remove-localversion-grsec.patch |
2634 |
rename to 3.8.1/4430_grsec-remove-localversion-grsec.patch |
2635 |
|
2636 |
diff --git a/3.8.0/4435_grsec-mute-warnings.patch b/3.8.1/4435_grsec-mute-warnings.patch |
2637 |
similarity index 100% |
2638 |
rename from 3.8.0/4435_grsec-mute-warnings.patch |
2639 |
rename to 3.8.1/4435_grsec-mute-warnings.patch |
2640 |
|
2641 |
diff --git a/3.8.0/4440_grsec-remove-protected-paths.patch b/3.8.1/4440_grsec-remove-protected-paths.patch |
2642 |
similarity index 100% |
2643 |
rename from 3.8.0/4440_grsec-remove-protected-paths.patch |
2644 |
rename to 3.8.1/4440_grsec-remove-protected-paths.patch |
2645 |
|
2646 |
diff --git a/3.8.0/4450_grsec-kconfig-default-gids.patch b/3.8.1/4450_grsec-kconfig-default-gids.patch |
2647 |
similarity index 100% |
2648 |
rename from 3.8.0/4450_grsec-kconfig-default-gids.patch |
2649 |
rename to 3.8.1/4450_grsec-kconfig-default-gids.patch |
2650 |
|
2651 |
diff --git a/3.8.0/4465_selinux-avc_audit-log-curr_ip.patch b/3.8.1/4465_selinux-avc_audit-log-curr_ip.patch |
2652 |
similarity index 100% |
2653 |
rename from 3.8.0/4465_selinux-avc_audit-log-curr_ip.patch |
2654 |
rename to 3.8.1/4465_selinux-avc_audit-log-curr_ip.patch |
2655 |
|
2656 |
diff --git a/3.8.0/4470_disable-compat_vdso.patch b/3.8.1/4470_disable-compat_vdso.patch |
2657 |
similarity index 100% |
2658 |
rename from 3.8.0/4470_disable-compat_vdso.patch |
2659 |
rename to 3.8.1/4470_disable-compat_vdso.patch |