authorNatanael Copa <ncopa@alpinelinux.org>2013-08-18 09:41:29 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-09-03 06:21:26 +0000
commitfee8451964a1c84a82a05ac0192b2301bb28fd37 (patch)
treece1b9894497e645ba610bc19510e775a309fd805 /main/linux-grsec
parentf862fcee7f2eb3a39f40ea4d76c1d6b28f2e5298 (diff)
main/linux-grsec: upgrade to grsecurity-2.9.1-3.10.10-201309011630
Diffstat (limited to 'main/linux-grsec')
-rw-r--r--main/linux-grsec/APKBUILD32
-rw-r--r--main/linux-grsec/grsecurity-2.9.1-3.10.10-201309011630.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.10.5-201308052154.patch)7832
-rw-r--r--main/linux-grsec/kernelconfig.x867
-rw-r--r--main/linux-grsec/kernelconfig.x86_647
-rw-r--r--main/linux-grsec/net-ip_gre-fix-ipgre_header-to-return-correct-offset.patch45
5 files changed, 6951 insertions, 972 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 68ee9f23f5..b12155b577 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -2,7 +2,7 @@
_flavor=grsec
pkgname=linux-${_flavor}
-pkgver=3.10.5
+pkgver=3.10.10
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=${pkgver};;
@@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}}
install=
source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
- grsecurity-2.9.1-3.10.5-201308052154.patch
+ grsecurity-2.9.1-3.10.10-201309011630.patch
0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
@@ -25,7 +25,6 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch
0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
- net-ip_gre-fix-ipgre_header-to-return-correct-offset.patch
kernelconfig.x86
kernelconfig.x86_64
@@ -150,38 +149,35 @@ dev() {
}
md5sums="4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz
-6366a8d4b0429ab6836c296ba298fb0e patch-3.10.5.xz
-e214ec80b95e11df16f1b8d6a9e617fc grsecurity-2.9.1-3.10.5-201308052154.patch
+d010ef17d3e577fd1bdcb6887f2b9836 patch-3.10.10.xz
+93e8f4484f44dd0251ff5bb90bfa6505 grsecurity-2.9.1-3.10.10-201309011630.patch
a16f11b12381efb3bec79b9bfb329836 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
656ae7b10dd2f18dbfa1011041d08d60 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
2a12a3717052e878c0cd42aa935bfcf4 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch
6ce5fed63aad3f1a1ff1b9ba7b741822 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
1a5800a2122ba0cc0d06733cb3bb8b8f 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
-f0742f10b5e16078f9ea052a0b2665ad net-ip_gre-fix-ipgre_header-to-return-correct-offset.patch
-1a111abaeb381bf47d9e979a85fba2ee kernelconfig.x86
-1312267644d0c729bd7c7af979b29c8d kernelconfig.x86_64"
+866e6c4daed45d563829804f8ad50ed9 kernelconfig.x86
+272aaddd0a19a5052208bc25551995a3 kernelconfig.x86_64"
sha256sums="df27fa92d27a9c410bfe6c4a89f141638500d7eadcca5cce578954efc2ad3544 linux-3.10.tar.xz
-c96b69a10ef5ade798dcaa1867df156ccc9e173225d5aa427d00c6e89246e035 patch-3.10.5.xz
-0fce4515e69d73d580134e8e9ac19b80e0e603315ae259b1954a62f3f444883a grsecurity-2.9.1-3.10.5-201308052154.patch
+22cb9a7721bacd40d83c2d630f672e09495ce9d29f896e874ea8669bb577e193 patch-3.10.10.xz
+ced13b573f77e5c17449a54fdc6252d3516a8ce2e44579cb4853a134ba2e89fb grsecurity-2.9.1-3.10.10-201309011630.patch
6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
0985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
260fd1807838b68305a96992bf7d3302a2a8ef3a3b08fe079ba9a07e6422f736 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch
ae32bb72afa170e6c3788c564b342763aba5945afacc1e2ebfc096adf50d77a3 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
fc613ac466610b866b721c41836fd5bfb2d4b75bceb67972dc6369d7f62ff47e 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
-df20f03dcc0f129f8bff6dbeefe0c0b9b8edad4906af20f6cf2d83f2dc36a40f net-ip_gre-fix-ipgre_header-to-return-correct-offset.patch
-1ef74cf3703dd26201970a2d9f043fed7e03ad2540a20f810cec8add93f81ccd kernelconfig.x86
-1c4b4a74d982fdc8d3baddcdaa674ae4b4a3390daba024fca55e85604af74507 kernelconfig.x86_64"
+7fd28634998ef1fddafed5f2516e902924245d2464b9e86476bfaa55ccfc3bc3 kernelconfig.x86
+f2843ae4f9b3e3c27f3138ce4b740c2803bdab0c7a910c662d951843803b9554 kernelconfig.x86_64"
sha512sums="5fb109fcbd59bf3dffc911b853894f0a84afa75151368f783a1252c5ff60c7a1504de216c0012be446df983e2dea400ad8eeed3ce04f24dc61d0ef76c174dc35 linux-3.10.tar.xz
-583c1301ae362a2eee26253b477d78d472d7db1ff736491dcaf67a76a8badcfe103c0cfdde8cd2a0c2becb2017a11d522f417a4754f8838ed88d6f4a42dab738 patch-3.10.5.xz
-e56d207163b8c17bd63564ebbe916458ebcc892016216f98f395f3e208229d6533c2cfbe1463400526cde9eed3beb153725ac98ee6dfe27b46ef28679de0a24f grsecurity-2.9.1-3.10.5-201308052154.patch
+3e87e48d009f05bbaafad55b1f601dc84e6f095b14ec1ad3fe68b37d6722bf47f2482639a7e21b00e8a13f141f3f0e78bdb79e049661eef2aea1c9b93579734b patch-3.10.10.xz
+6ab1b72480b91d1a8916769191051fd76a19231ad253d81aa1ed866cbb06512eb7fbee53a0d9fb0b584c0de663f1156958ca4e1194e1446ffa860c129b00ff8b grsecurity-2.9.1-3.10.10-201309011630.patch
81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
51ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
57d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
d2f578ad1d6e1fe52b55863e5bf338ae8201b828a498ec3e42e549c55295d3d1c6c3adfa9e226d711e3486628ed56ab996484e219d79ac4b0c0ec684ebd380aa 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch
28a33e644bf2faf99c8dd6dbccfe14e140dfdd8824a8fb2d58aa7deb9e572f130d92b6b35ee181084050d82166bdf2e498a451a2a538a67b7ab84204405d2d87 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
249140374c19a5599876268ff5b3cda2e136681aee103b4a9fff5d7d346f8e3295a907fb43db0701b8a9fece64c299ad2abac0434259cce6631307ce84090205 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
-0ca9b0e140a9bdfa3c4e4958de4a6c53fff3d0d11b15cd9868baf49dfde1320e591f89c357b5a690cadb9e6ed48a1a506fea6a37b0b873f8a69f6899ba7967a8 net-ip_gre-fix-ipgre_header-to-return-correct-offset.patch
-5d2057cb27362175d85cbe1b79586a3daaa16c1b36baa0bf433b594a85284a02460b28e90ee9dc3f5a8c973a7e8316e0be83099a40a039913e6f1c7036570196 kernelconfig.x86
-89b5fe8a4930ef19deb00e18bb8a4ae4c87105bcf29b7e15c677f7e6a4d2618bb5c378da485aed573b5a2342e0cdff4d0ceae60f2b89cde603988de9f3c36929 kernelconfig.x86_64"
+1721542ff111c8ec550323dae6f6174131db180668cbf14f01dc4c76ffbbb479715919a80c35d8c8ac22a6479dd3b42700be6ddc5ef2a8b6a62de811c7ae86df kernelconfig.x86
+d49bf57bd0aae17d762d87d5bf983e48219d71ca44bc0c3120db94d357192c07146a8938cef9d435218e4bb748691ec426387545837be637d47e45cdc4482d71 kernelconfig.x86_64"
diff --git a/main/linux-grsec/grsecurity-2.9.1-3.10.5-201308052154.patch b/main/linux-grsec/grsecurity-2.9.1-3.10.10-201309011630.patch
index f2633c140b..54e508953f 100644
--- a/main/linux-grsec/grsecurity-2.9.1-3.10.5-201308052154.patch
+++ b/main/linux-grsec/grsecurity-2.9.1-3.10.10-201309011630.patch
@@ -229,7 +229,7 @@ index b89a739..79768fb 100644
+zconf.lex.c
zoffset.h
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
-index 2fe6e76..df58221 100644
+index 2fe6e76..889ee23 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -976,6 +976,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
@@ -243,7 +243,18 @@ index 2fe6e76..df58221 100644
hashdist= [KNL,NUMA] Large hashes allocated during boot
are distributed across NUMA nodes. Defaults on
for 64-bit NUMA, off otherwise.
-@@ -2195,6 +2199,22 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+@@ -1928,6 +1932,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+ noexec=on: enable non-executable mappings (default)
+ noexec=off: disable non-executable mappings
+
++ nopcid [X86-64]
++ Disable PCID (Process-Context IDentifier) even if it
++ is supported by the processor.
++
+ nosmap [X86]
+ Disable SMAP (Supervisor Mode Access Prevention)
+ even if it is supported by processor.
+@@ -2195,6 +2203,25 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
the specified number of seconds. This is to be used if
your oopses keep scrolling off the screen.
@@ -263,11 +274,14 @@ index 2fe6e76..df58221 100644
+ from the first 4GB of memory as the bootmem allocator
+ passes the memory pages to the buddy allocator.
+
++ pax_weakuderef [X86-64] enables the weaker but faster form of UDEREF
++ when the processor supports PCID.
++
pcbit= [HW,ISDN]
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index f8349d0..563a504 100644
+index b119684..13ac256 100644
--- a/Makefile
+++ b/Makefile
@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -815,7 +829,7 @@ index 0c4132d..88f0d53 100644
/* Allow reads even for write-only mappings */
if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
-index 136f263..f471277 100644
+index 18a9f5e..ca910b7 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -1766,7 +1766,7 @@ config ALIGNMENT_TRAP
@@ -1628,7 +1642,7 @@ index 6ddbe44..b5e38b1 100644
static inline void set_domain(unsigned val) { }
static inline void modify_domain(unsigned dom, unsigned type) { }
diff --git a/arch/arm/include/asm/elf.h b/arch/arm/include/asm/elf.h
-index 38050b1..9d90e8b 100644
+index 56211f2..17e8a25 100644
--- a/arch/arm/include/asm/elf.h
+++ b/arch/arm/include/asm/elf.h
@@ -116,7 +116,14 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs);
@@ -1647,7 +1661,7 @@ index 38050b1..9d90e8b 100644
/* When the program starts, a1 contains a pointer to a function to be
registered with atexit, as per the SVR4 ABI. A value of 0 means we
-@@ -126,8 +133,4 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs);
+@@ -126,10 +133,6 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs);
extern void elf_set_personality(const struct elf32_hdr *);
#define SET_PERSONALITY(ex) elf_set_personality(&(ex))
@@ -1655,7 +1669,9 @@ index 38050b1..9d90e8b 100644
-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
-#define arch_randomize_brk arch_randomize_brk
-
- #endif
+ #ifdef CONFIG_MMU
+ #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
+ struct linux_binprm;
diff --git a/arch/arm/include/asm/fncpy.h b/arch/arm/include/asm/fncpy.h
index de53547..52b9a28 100644
--- a/arch/arm/include/asm/fncpy.h
@@ -1788,7 +1804,7 @@ index 12f71a1..04e063c 100644
#ifdef CONFIG_OUTER_CACHE
diff --git a/arch/arm/include/asm/page.h b/arch/arm/include/asm/page.h
-index 812a494..71fc0b6 100644
+index cbdc7a2..32f44fe 100644
--- a/arch/arm/include/asm/page.h
+++ b/arch/arm/include/asm/page.h
@@ -114,7 +114,7 @@ struct cpu_user_fns {
@@ -1898,17 +1914,19 @@ index 5cfba15..f415e1a 100644
#define PTE_EXT_AP0 (_AT(pteval_t, 1) << 4)
#define PTE_EXT_AP1 (_AT(pteval_t, 2) << 4)
diff --git a/arch/arm/include/asm/pgtable-2level.h b/arch/arm/include/asm/pgtable-2level.h
-index f97ee02..07f1be5 100644
+index f97ee02..cc9fe9e 100644
--- a/arch/arm/include/asm/pgtable-2level.h
+++ b/arch/arm/include/asm/pgtable-2level.h
-@@ -125,6 +125,7 @@
- #define L_PTE_XN (_AT(pteval_t, 1) << 9)
+@@ -126,6 +126,9 @@
#define L_PTE_SHARED (_AT(pteval_t, 1) << 10) /* shared(v6), coherent(xsc3) */
#define L_PTE_NONE (_AT(pteval_t, 1) << 11)
-+#define L_PTE_PXN (_AT(pteval_t, 1) << 12) /* v7*/
++/* Two-level page tables only have PXN in the PGD, not in the PTE. */
++#define L_PTE_PXN (_AT(pteval_t, 0))
++
/*
* These are the memory types, defined to be compatible with
+ * pre-ARMv6 CPUs cacheable and bufferable bits: XXCB
diff --git a/arch/arm/include/asm/pgtable-3level-hwdef.h b/arch/arm/include/asm/pgtable-3level-hwdef.h
index 18f5cef..25b8f43 100644
--- a/arch/arm/include/asm/pgtable-3level-hwdef.h
@@ -1950,7 +1968,7 @@ index 86b8fe3..e25f975 100644
#define L_PTE_DIRTY_HIGH (1 << (55 - 32))
diff --git a/arch/arm/include/asm/pgtable.h b/arch/arm/include/asm/pgtable.h
-index 9bcd262..fba731c 100644
+index 9bcd262..1ff999b 100644
--- a/arch/arm/include/asm/pgtable.h
+++ b/arch/arm/include/asm/pgtable.h
@@ -30,6 +30,9 @@
@@ -1973,20 +1991,18 @@ index 9bcd262..fba731c 100644
extern void __pte_error(const char *file, int line, pte_t);
extern void __pmd_error(const char *file, int line, pmd_t);
extern void __pgd_error(const char *file, int line, pgd_t);
-@@ -53,6 +59,50 @@ extern void __pgd_error(const char *file, int line, pgd_t);
+@@ -53,6 +59,48 @@ extern void __pgd_error(const char *file, int line, pgd_t);
#define pmd_ERROR(pmd) __pmd_error(__FILE__, __LINE__, pmd)
#define pgd_ERROR(pgd) __pgd_error(__FILE__, __LINE__, pgd)
+#define __HAVE_ARCH_PAX_OPEN_KERNEL
+#define __HAVE_ARCH_PAX_CLOSE_KERNEL
+
-+#ifdef CONFIG_PAX_KERNEXEC
++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
+#include <asm/domain.h>
+#include <linux/thread_info.h>
+#include <linux/preempt.h>
-+#endif
+
-+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
+static inline int test_domain(int domain, int domaintype)
+{
+ return ((current_thread_info()->cpu_domain) & domain_val(domain, 3)) == domain_val(domain, domaintype);
@@ -2024,7 +2040,7 @@ index 9bcd262..fba731c 100644
/*
* This is the lowest virtual address we can permit any user space
* mapping to be mapped at. This is particularly important for
-@@ -72,8 +122,8 @@ extern void __pgd_error(const char *file, int line, pgd_t);
+@@ -72,8 +120,8 @@ extern void __pgd_error(const char *file, int line, pgd_t);
/*
* The pgprot_* and protection_map entries will be fixed up in runtime
* to include the cachable and bufferable bits based on memory policy,
@@ -2035,7 +2051,7 @@ index 9bcd262..fba731c 100644
*/
#define _L_PTE_DEFAULT L_PTE_PRESENT | L_PTE_YOUNG
-@@ -257,7 +307,7 @@ static inline pte_t pte_mkspecial(pte_t pte) { return pte; }
+@@ -257,7 +305,7 @@ static inline pte_t pte_mkspecial(pte_t pte) { return pte; }
static inline pte_t pte_modify(pte_t pte, pgprot_t newprot)
{
const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER |
@@ -2057,22 +2073,6 @@ index f3628fb..a0672dd 100644
#ifndef MULTI_CPU
extern void cpu_proc_init(void);
-diff --git a/arch/arm/include/asm/processor.h b/arch/arm/include/asm/processor.h
-index 06e7d50..8a8e251 100644
---- a/arch/arm/include/asm/processor.h
-+++ b/arch/arm/include/asm/processor.h
-@@ -65,9 +65,8 @@ struct thread_struct {
- regs->ARM_cpsr |= PSR_ENDSTATE; \
- regs->ARM_pc = pc & ~1; /* pc */ \
- regs->ARM_sp = sp; /* sp */ \
-- regs->ARM_r2 = stack[2]; /* r2 (envp) */ \
-- regs->ARM_r1 = stack[1]; /* r1 (argv) */ \
-- regs->ARM_r0 = stack[0]; /* r0 (argc) */ \
-+ /* r2 (envp), r1 (argv), r0 (argc) */ \
-+ (void)copy_from_user(&regs->ARM_r0, (const char __user *)stack, 3 * sizeof(unsigned long)); \
- nommu_start_thread(regs); \
- })
-
diff --git a/arch/arm/include/asm/psci.h b/arch/arm/include/asm/psci.h
index ce0dbe7..c085b6f 100644
--- a/arch/arm/include/asm/psci.h
@@ -2100,7 +2100,7 @@ index d3a22be..3a69ad5 100644
/*
* set platform specific SMP operations
diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h
-index 1995d1a..76693a2 100644
+index f00b569..aa5bb41 100644
--- a/arch/arm/include/asm/thread_info.h
+++ b/arch/arm/include/asm/thread_info.h
@@ -77,9 +77,9 @@ struct thread_info {
@@ -2129,7 +2129,7 @@ index 1995d1a..76693a2 100644
#define TIF_USING_IWMMXT 17
#define TIF_MEMDIE 18 /* is terminating due to OOM killer */
#define TIF_RESTORE_SIGMASK 20
-@@ -166,10 +170,11 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *,
+@@ -165,10 +169,11 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *,
#define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT)
#define _TIF_SECCOMP (1 << TIF_SECCOMP)
#define _TIF_USING_IWMMXT (1 << TIF_USING_IWMMXT)
@@ -2143,7 +2143,7 @@ index 1995d1a..76693a2 100644
/*
* Change these and you break ASM code in entry-common.S
diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
-index 7e1f760..d42d7f8 100644
+index 7e1f760..de33b13 100644
--- a/arch/arm/include/asm/uaccess.h
+++ b/arch/arm/include/asm/uaccess.h
@@ -18,6 +18,7 @@
@@ -2154,7 +2154,7 @@ index 7e1f760..d42d7f8 100644
#define VERIFY_READ 0
#define VERIFY_WRITE 1
-@@ -63,11 +64,35 @@ extern int __put_user_bad(void);
+@@ -63,11 +64,38 @@ extern int __put_user_bad(void);
static inline void set_fs(mm_segment_t fs)
{
current_thread_info()->addr_limit = fs;
@@ -2164,6 +2164,9 @@ index 7e1f760..d42d7f8 100644
#define segment_eq(a,b) ((a) == (b))
++#define __HAVE_ARCH_PAX_OPEN_USERLAND
++#define __HAVE_ARCH_PAX_CLOSE_USERLAND
++
+static inline void pax_open_userland(void)
+{
+
@@ -2191,7 +2194,7 @@ index 7e1f760..d42d7f8 100644
#define __addr_ok(addr) ({ \
unsigned long flag; \
__asm__("cmp %2, %0; movlo %0, #0" \
-@@ -143,8 +168,12 @@ extern int __get_user_4(void *);
+@@ -143,8 +171,12 @@ extern int __get_user_4(void *);
#define get_user(x,p) \
({ \
@@ -2205,7 +2208,7 @@ index 7e1f760..d42d7f8 100644
})
extern int __put_user_1(void *, unsigned int);
-@@ -188,8 +217,12 @@ extern int __put_user_8(void *, unsigned long long);
+@@ -188,8 +220,12 @@ extern int __put_user_8(void *, unsigned long long);
#define put_user(x,p) \
({ \
@@ -2219,7 +2222,7 @@ index 7e1f760..d42d7f8 100644
})
#else /* CONFIG_MMU */
-@@ -230,13 +263,17 @@ static inline void set_fs(mm_segment_t fs)
+@@ -230,13 +266,17 @@ static inline void set_fs(mm_segment_t fs)
#define __get_user(x,ptr) \
({ \
long __gu_err = 0; \
@@ -2237,7 +2240,7 @@ index 7e1f760..d42d7f8 100644
(void) 0; \
})
-@@ -312,13 +349,17 @@ do { \
+@@ -312,13 +352,17 @@ do { \
#define __put_user(x,ptr) \
({ \
long __pu_err = 0; \
@@ -2255,7 +2258,7 @@ index 7e1f760..d42d7f8 100644
(void) 0; \
})
-@@ -418,11 +459,44 @@ do { \
+@@ -418,11 +462,44 @@ do { \
#ifdef CONFIG_MMU
@@ -2303,7 +2306,7 @@ index 7e1f760..d42d7f8 100644
#else
#define __copy_from_user(to,from,n) (memcpy(to, (void __force *)from, n), 0)
#define __copy_to_user(to,from,n) (memcpy((void __force *)to, from, n), 0)
-@@ -431,6 +505,9 @@ extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned l
+@@ -431,6 +508,9 @@ extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned l
static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
{
@@ -2313,7 +2316,7 @@ index 7e1f760..d42d7f8 100644
if (access_ok(VERIFY_READ, from, n))
n = __copy_from_user(to, from, n);
else /* security hole - plug it */
-@@ -440,6 +517,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u
+@@ -440,6 +520,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u
static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
{
@@ -2363,7 +2366,7 @@ index 60d3b73..e5a0f22 100644
EXPORT_SYMBOL(__get_user_1);
EXPORT_SYMBOL(__get_user_2);
diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
-index 582b405..a78366b 100644
+index d43c7e5..257c050 100644
--- a/arch/arm/kernel/entry-armv.S
+++ b/arch/arm/kernel/entry-armv.S
@@ -47,6 +47,87 @@
@@ -2505,7 +2508,17 @@ index 582b405..a78366b 100644
sub sp, sp, #S_FRAME_SIZE
ARM( stmib sp, {r1 - r12} )
THUMB( stmia sp, {r0 - r12} )
-@@ -414,7 +511,9 @@ __und_usr:
+@@ -357,7 +454,8 @@ ENDPROC(__pabt_svc)
+ .endm
+
+ .macro kuser_cmpxchg_check
+-#if !defined(CONFIG_CPU_32v6K) && !defined(CONFIG_NEEDS_SYSCALL_FOR_CMPXCHG)
++#if !defined(CONFIG_CPU_32v6K) && defined(CONFIG_KUSER_HELPERS) && \
++ !defined(CONFIG_NEEDS_SYSCALL_FOR_CMPXCHG)
+ #ifndef CONFIG_MMU
+ #warning "NPTL on non MMU needs fixing"
+ #else
+@@ -414,7 +512,9 @@ __und_usr:
tst r3, #PSR_T_BIT @ Thumb mode?
bne __und_usr_thumb
sub r4, r2, #4 @ ARM instr at LR - 4
@@ -2515,7 +2528,7 @@ index 582b405..a78366b 100644
#ifdef CONFIG_CPU_ENDIAN_BE8
rev r0, r0 @ little endian instruction
#endif
-@@ -449,10 +548,14 @@ __und_usr_thumb:
+@@ -449,10 +549,14 @@ __und_usr_thumb:
*/
.arch armv6t2
#endif
@@ -2530,7 +2543,7 @@ index 582b405..a78366b 100644
add r2, r2, #2 @ r2 is PC + 2, make it PC + 4
str r2, [sp, #S_PC] @ it's a 2x16bit instr, update
orr r0, r0, r5, lsl #16
-@@ -481,7 +584,8 @@ ENDPROC(__und_usr)
+@@ -481,7 +585,8 @@ ENDPROC(__und_usr)
*/
.pushsection .fixup, "ax"
.align 2
@@ -2540,7 +2553,7 @@ index 582b405..a78366b 100644
.popsection
.pushsection __ex_table,"a"
.long 1b, 4b
-@@ -690,7 +794,7 @@ ENTRY(__switch_to)
+@@ -690,7 +795,7 @@ ENTRY(__switch_to)
THUMB( stmia ip!, {r4 - sl, fp} ) @ Store most regs on stack
THUMB( str sp, [ip], #4 )
THUMB( str lr, [ip], #4 )
@@ -2549,7 +2562,7 @@ index 582b405..a78366b 100644
ldr r6, [r2, #TI_CPU_DOMAIN]
#endif
set_tls r3, r4, r5
-@@ -699,7 +803,7 @@ ENTRY(__switch_to)
+@@ -699,7 +804,7 @@ ENTRY(__switch_to)
ldr r8, =__stack_chk_guard
ldr r7, [r7, #TSK_STACK_CANARY]
#endif
@@ -2719,19 +2732,32 @@ index 160f337..db67ee4 100644
ldrd r0, r1, [sp, #S_LR] @ calling lr and pc
clrex @ clear the exclusive monitor
diff --git a/arch/arm/kernel/fiq.c b/arch/arm/kernel/fiq.c
-index 2adda11..7fbe958 100644
+index 25442f4..d4948fc 100644
--- a/arch/arm/kernel/fiq.c
+++ b/arch/arm/kernel/fiq.c
-@@ -82,7 +82,9 @@ void set_fiq_handler(void *start, unsigned int length)
- #if defined(CONFIG_CPU_USE_DOMAINS)
- memcpy((void *)0xffff001c, start, length);
- #else
+@@ -84,17 +84,16 @@ int show_fiq_list(struct seq_file *p, int prec)
+
+ void set_fiq_handler(void *start, unsigned int length)
+ {
+-#if defined(CONFIG_CPU_USE_DOMAINS)
+- void *base = (void *)0xffff0000;
+-#else
+ void *base = vectors_page;
+-#endif
+ unsigned offset = FIQ_OFFSET;
+
+ pax_open_kernel();
- memcpy(vectors_page + 0x1c, start, length);
+ memcpy(base + offset, start, length);
+ pax_close_kernel();
- #endif
- flush_icache_range(0xffff001c, 0xffff001c + length);
- if (!vectors_high())
++
++ if (!cache_is_vipt_nonaliasing())
++ flush_icache_range(base + offset, offset + length);
+ flush_icache_range(0xffff0000 + offset, 0xffff0000 + offset + length);
+- if (!vectors_high())
+- flush_icache_range(offset, offset + length);
+ }
+
+ int claim_fiq(struct fiq_handler *f)
diff --git a/arch/arm/kernel/head.S b/arch/arm/kernel/head.S
index 8bac553..caee108 100644
--- a/arch/arm/kernel/head.S
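Review bot: In the rewritten `set_fiq_handler()` in arch/arm/kernel/fiq.c, the first call `flush_icache_range(base + offset, offset + length)` passes an end address that omits `base`, so the flushed range does not cover the bytes the preceding `memcpy(base + offset, start, length)` wrote. With `base = vectors_page` the end presumably lies below the start, which on a cache that needs this flush could leave stale instructions visible at the FIQ vector. The call should read `flush_icache_range((unsigned long)base + offset, (unsigned long)base + offset + length);`, which also passes integers as the second flush on the following line does. The line arrives with the imported grsecurity patch, so the correction would have to be carried as a local follow-up patch or reported upstream rather than edited here.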
@@ -2833,6 +2859,19 @@ index 07314af..c46655c 100644
flush_icache_range((uintptr_t)(addr),
(uintptr_t)(addr) + size);
+diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c
+index e19edc6..e186ee1 100644
+--- a/arch/arm/kernel/perf_event.c
++++ b/arch/arm/kernel/perf_event.c
+@@ -56,7 +56,7 @@ armpmu_map_hw_event(const unsigned (*event_map)[PERF_COUNT_HW_MAX], u64 config)
+ int mapping;
+
+ if (config >= PERF_COUNT_HW_MAX)
+- return -ENOENT;
++ return -EINVAL;
+
+ mapping = (*event_map)[config];
+ return mapping == HW_OP_UNSUPPORTED ? -ENOENT : mapping;
diff --git a/arch/arm/kernel/perf_event_cpu.c b/arch/arm/kernel/perf_event_cpu.c
index 1f2740e..b36e225 100644
--- a/arch/arm/kernel/perf_event_cpu.c
@@ -2847,18 +2886,10 @@ index 1f2740e..b36e225 100644
};
diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c
-index 6e8931c..82ec6a5 100644
+index 5bc2615..dcd439f 100644
--- a/arch/arm/kernel/process.c
+++ b/arch/arm/kernel/process.c
-@@ -28,7 +28,6 @@
- #include <linux/tick.h>
- #include <linux/utsname.h>
- #include <linux/uaccess.h>
--#include <linux/random.h>
- #include <linux/hw_breakpoint.h>
- #include <linux/cpuidle.h>
- #include <linux/leds.h>
-@@ -223,6 +222,7 @@ void machine_power_off(void)
+@@ -223,6 +223,7 @@ void machine_power_off(void)
if (pm_power_off)
pm_power_off();
@@ -2866,7 +2897,7 @@ index 6e8931c..82ec6a5 100644
}
/*
-@@ -236,7 +236,7 @@ void machine_power_off(void)
+@@ -236,7 +237,7 @@ void machine_power_off(void)
* executing pre-reset code, and using RAM that the primary CPU's code wishes
* to use. Implementing such co-ordination would be essentially impossible.
*/
@@ -2875,18 +2906,18 @@ index 6e8931c..82ec6a5 100644
{
smp_send_stop();
-@@ -258,8 +258,8 @@ void __show_regs(struct pt_regs *regs)
+@@ -258,8 +259,8 @@ void __show_regs(struct pt_regs *regs)
show_regs_print_info(KERN_DEFAULT);
- print_symbol("PC is at %s\n", instruction_pointer(regs));
- print_symbol("LR is at %s\n", regs->ARM_lr);
-+ printk("PC is at %pA\n", instruction_pointer(regs));
-+ printk("LR is at %pA\n", regs->ARM_lr);
++ printk("PC is at %pA\n", (void *)instruction_pointer(regs));
++ printk("LR is at %pA\n", (void *)regs->ARM_lr);
printk("pc : [<%08lx>] lr : [<%08lx>] psr: %08lx\n"
"sp : %08lx ip : %08lx fp : %08lx\n",
regs->ARM_pc, regs->ARM_lr, regs->ARM_cpsr,
-@@ -426,12 +426,6 @@ unsigned long get_wchan(struct task_struct *p)
+@@ -426,12 +427,6 @@ unsigned long get_wchan(struct task_struct *p)
return 0;
}
@@ -2897,23 +2928,70 @@ index 6e8931c..82ec6a5 100644
-}
-
#ifdef CONFIG_MMU
+ #ifdef CONFIG_KUSER_HELPERS
/*
- * The vectors page is always readable from user space for the
-@@ -441,12 +435,12 @@ unsigned long arch_randomize_brk(struct mm_struct *mm)
- static struct vm_area_struct gate_vma = {
- .vm_start = 0xffff0000,
- .vm_end = 0xffff0000 + PAGE_SIZE,
-- .vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC,
-+ .vm_flags = VM_NONE,
- };
+@@ -447,7 +442,7 @@ static struct vm_area_struct gate_vma = {
static int __init gate_vma_init(void)
{
- gate_vma.vm_page_prot = PAGE_READONLY_EXEC;
-+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
++ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
return 0;
}
arch_initcall(gate_vma_init);
+@@ -466,48 +461,23 @@ int in_gate_area_no_mm(unsigned long addr)
+ {
+ return in_gate_area(NULL, addr);
+ }
+-#define is_gate_vma(vma) ((vma) = &gate_vma)
++#define is_gate_vma(vma) ((vma) == &gate_vma)
+ #else
+ #define is_gate_vma(vma) 0
+ #endif
+
+ const char *arch_vma_name(struct vm_area_struct *vma)
+ {
+- return is_gate_vma(vma) ? "[vectors]" :
+- (vma->vm_mm && vma->vm_start == vma->vm_mm->context.sigpage) ?
+- "[sigpage]" : NULL;
++ return is_gate_vma(vma) ? "[vectors]" : NULL;
+ }
+
+-static struct page *signal_page;
+-extern struct page *get_signal_page(void);
+-
+ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
+ {
+ struct mm_struct *mm = current->mm;
+- unsigned long addr;
+- int ret;
+-
+- if (!signal_page)
+- signal_page = get_signal_page();
+- if (!signal_page)
+- return -ENOMEM;
+
+ down_write(&mm->mmap_sem);
+- addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
+- if (IS_ERR_VALUE(addr)) {
+- ret = addr;
+- goto up_fail;
+- }
+-
+- ret = install_special_mapping(mm, addr, PAGE_SIZE,
+- VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
+- &signal_page);
+-
+- if (ret == 0)
+- mm->context.sigpage = addr;
+-
+- up_fail:
++ mm->context.sigpage = (PAGE_OFFSET + (get_random_int() % 0x3FFEFFE0)) & 0xFFFFFFFC;
+ up_write(&mm->mmap_sem);
+- return ret;
++ return 0;
+ }
+ #endif
diff --git a/arch/arm/kernel/psci.c b/arch/arm/kernel/psci.c
index 3653164..d83e55d 100644
--- a/arch/arm/kernel/psci.c
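Review bot: The new body of `arch_setup_additional_pages()` in arch/arm/kernel/process.c assigns `mm->context.sigpage = (PAGE_OFFSET + (get_random_int() % 0x3FFEFFE0)) & 0xFFFFFFFC;` without a comment, and neither constant is explained anywhere in the hunk. The line shows that sigpage is no longer the address of an installed mapping but a random 4-byte-aligned value at or above PAGE_OFFSET, which `setup_return()` in signal.c then uses in `retcode`. Presumably a fault path recognises that address, but that code is outside this view. A comment such as `/* sigpage: per-mm random, word-aligned address in the kernel range, not a mapping; 0x3FFEFFE0 presumably keeps it below the vectors page with a 3G/1G split (TODO confirm) */` would let a maintainer check the bound when PAGE_OFFSET differs. The function now performs only that one store and always returns 0, so the comment should also say why `mmap_sem` is still taken for writing around it.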
@@ -3010,39 +3088,62 @@ index b4b1d39..efdc9be 100644
#ifdef MULTI_TLB
cpu_tlb = *list->tlb;
diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c
-index 296786b..a8d4dd5 100644
+index 5a42c12..a2bb7c6 100644
--- a/arch/arm/kernel/signal.c
+++ b/arch/arm/kernel/signal.c
-@@ -396,22 +396,14 @@ setup_return(struct pt_regs *regs, struct ksignal *ksig,
- __put_user(sigreturn_codes[idx+1], rc+1))
- return 1;
-
-- if (cpsr & MODE32_BIT) {
-- /*
-- * 32-bit code can use the new high-page
-- * signal return code support.
-- */
-- retcode = KERN_SIGRETURN_CODE + (idx << 2) + thumb;
-- } else {
-- /*
-- * Ensure that the instruction cache sees
-- * the return code written onto the stack.
-- */
-- flush_icache_range((unsigned long)rc,
-- (unsigned long)(rc + 2));
-+ /*
-+ * Ensure that the instruction cache sees
-+ * the return code written onto the stack.
-+ */
-+ flush_icache_range((unsigned long)rc,
-+ (unsigned long)(rc + 2));
-
-- retcode = ((unsigned long)rc) + thumb;
-- }
-+ retcode = ((unsigned long)rc) + thumb;
- }
+@@ -45,8 +45,6 @@ static const unsigned long sigreturn_codes[7] = {
+ MOV_R7_NR_RT_SIGRETURN, SWI_SYS_RT_SIGRETURN, SWI_THUMB_RT_SIGRETURN,
+ };
- regs->ARM_r0 = map_sig(ksig->sig);
+-static unsigned long signal_return_offset;
+-
+ #ifdef CONFIG_CRUNCH
+ static int preserve_crunch_context(struct crunch_sigframe __user *frame)
+ {
+@@ -406,8 +404,7 @@ setup_return(struct pt_regs *regs, struct ksignal *ksig,
+ * except when the MPU has protected the vectors
+ * page from PL0
+ */
+- retcode = mm->context.sigpage + signal_return_offset +
+- (idx << 2) + thumb;
++ retcode = mm->context.sigpage + (idx << 2) + thumb;
+ } else
+ #endif
+ {
+@@ -611,33 +608,3 @@ do_work_pending(struct pt_regs *regs, unsigned int thread_flags, int syscall)
+ } while (thread_flags & _TIF_WORK_MASK);
+ return 0;
+ }
+-
+-struct page *get_signal_page(void)
+-{
+- unsigned long ptr;
+- unsigned offset;
+- struct page *page;
+- void *addr;
+-
+- page = alloc_pages(GFP_KERNEL, 0);
+-
+- if (!page)
+- return NULL;
+-
+- addr = page_address(page);
+-
+- /* Give the signal return code some randomness */
+- offset = 0x200 + (get_random_int() & 0x7fc);
+- signal_return_offset = offset;
+-
+- /*
+- * Copy signal return handlers into the vector page, and
+- * set sigreturn to be a pointer to these.
+- */
+- memcpy(addr + offset, sigreturn_codes, sizeof(sigreturn_codes));
+-
+- ptr = (unsigned long)addr + offset;
+- flush_icache_range(ptr, ptr + sizeof(sigreturn_codes));
+-
+- return page;
+-}
diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
index 5919eb4..b5d6dfe 100644
--- a/arch/arm/kernel/smp.c
@@ -3057,10 +3158,10 @@ index 5919eb4..b5d6dfe 100644
void __init smp_set_ops(struct smp_operations *ops)
{
diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
-index 18b32e8..b0c8dca 100644
+index 6b9567e..b8af2d6 100644
--- a/arch/arm/kernel/traps.c
+++ b/arch/arm/kernel/traps.c
-@@ -57,7 +57,7 @@ static void dump_mem(const char *, const char *, unsigned long, unsigned long);
+@@ -55,7 +55,7 @@ static void dump_mem(const char *, const char *, unsigned long, unsigned long);
void dump_backtrace_entry(unsigned long where, unsigned long from, unsigned long frame)
{
#ifdef CONFIG_KALLSYMS
@@ -3069,7 +3170,7 @@ index 18b32e8..b0c8dca 100644
#else
printk("Function entered at [<%08lx>] from [<%08lx>]\n", where, from);
#endif
-@@ -259,6 +259,8 @@ static arch_spinlock_t die_lock = __ARCH_SPIN_LOCK_UNLOCKED;
+@@ -257,6 +257,8 @@ static arch_spinlock_t die_lock = __ARCH_SPIN_LOCK_UNLOCKED;
static int die_owner = -1;
static unsigned int die_nest_count;
@@ -3078,7 +3179,7 @@ index 18b32e8..b0c8dca 100644
static unsigned long oops_begin(void)
{
int cpu;
-@@ -301,6 +303,9 @@ static void oops_end(unsigned long flags, struct pt_regs *regs, int signr)
+@@ -299,6 +301,9 @@ static void oops_end(unsigned long flags, struct pt_regs *regs, int signr)
panic("Fatal exception in interrupt");
if (panic_on_oops)
panic("Fatal exception");
@@ -3088,7 +3189,7 @@ index 18b32e8..b0c8dca 100644
if (signr)
do_exit(signr);
}
-@@ -594,7 +599,9 @@ asmlinkage int arm_syscall(int no, struct pt_regs *regs)
+@@ -592,7 +597,9 @@ asmlinkage int arm_syscall(int no, struct pt_regs *regs)
* The user helper at 0xffff0fe0 must be used instead.
* (see entry-armv.S for details)
*/
@@ -3098,18 +3199,10 @@ index 18b32e8..b0c8dca 100644
}
return 0;
-@@ -834,13 +841,10 @@ void __init early_trap_init(void *vectors_base)
- */
- kuser_get_tls_init(vectors);
+@@ -848,5 +855,9 @@ void __init early_trap_init(void *vectors_base)
+ kuser_init(vectors_base);
-- /*
-- * Copy signal return handlers into the vector page, and
-- * set sigreturn to be a pointer to these.
-- */
-- memcpy((void *)(vectors + KERN_SIGRETURN_CODE - CONFIG_VECTORS_BASE),
-- sigreturn_codes, sizeof(sigreturn_codes));
--
- flush_icache_range(vectors, vectors + PAGE_SIZE);
+ flush_icache_range(vectors, vectors + PAGE_SIZE * 2);
- modify_domain(DOMAIN_USER, DOMAIN_CLIENT);
+
+#ifndef CONFIG_PAX_MEMORY_UDEREF
@@ -3118,7 +3211,7 @@ index 18b32e8..b0c8dca 100644
+
}
diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S
-index a871b8e..123b00a 100644
+index 33f2ea3..0b91824 100644
--- a/arch/arm/kernel/vmlinux.lds.S
+++ b/arch/arm/kernel/vmlinux.lds.S
@@ -8,7 +8,11 @@
@@ -3166,7 +3259,7 @@ index a871b8e..123b00a 100644
#ifndef CONFIG_XIP_KERNEL
. = ALIGN(PAGE_SIZE);
-@@ -207,6 +220,11 @@ SECTIONS
+@@ -224,6 +237,11 @@ SECTIONS
. = PAGE_OFFSET + TEXT_OFFSET;
#else
__init_end = .;
@@ -3178,6 +3271,46 @@ index a871b8e..123b00a 100644
. = ALIGN(THREAD_SIZE);
__data_loc = .;
#endif
+diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
+index ef1703b..46b77f3 100644
+--- a/arch/arm/kvm/arm.c
++++ b/arch/arm/kvm/arm.c
+@@ -56,7 +56,7 @@ static unsigned long hyp_default_vectors;
+ static DEFINE_PER_CPU(struct kvm_vcpu *, kvm_arm_running_vcpu);
+
+ /* The VMID used in the VTTBR */
+-static atomic64_t kvm_vmid_gen = ATOMIC64_INIT(1);
++static atomic64_unchecked_t kvm_vmid_gen = ATOMIC64_INIT(1);
+ static u8 kvm_next_vmid;
+ static DEFINE_SPINLOCK(kvm_vmid_lock);
+
+@@ -392,7 +392,7 @@ void force_vm_exit(const cpumask_t *mask)
+ */
+ static bool need_new_vmid_gen(struct kvm *kvm)
+ {
+- return unlikely(kvm->arch.vmid_gen != atomic64_read(&kvm_vmid_gen));
++ return unlikely(kvm->arch.vmid_gen != atomic64_read_unchecked(&kvm_vmid_gen));
+ }
+
+ /**
+@@ -425,7 +425,7 @@ static void update_vttbr(struct kvm *kvm)
+
+ /* First user of a new VMID generation? */
+ if (unlikely(kvm_next_vmid == 0)) {
+- atomic64_inc(&kvm_vmid_gen);
++ atomic64_inc_unchecked(&kvm_vmid_gen);
+ kvm_next_vmid = 1;
+
+ /*
+@@ -442,7 +442,7 @@ static void update_vttbr(struct kvm *kvm)
+ kvm_call_hyp(__kvm_flush_vm_context);
+ }
+
+- kvm->arch.vmid_gen = atomic64_read(&kvm_vmid_gen);
++ kvm->arch.vmid_gen = atomic64_read_unchecked(&kvm_vmid_gen);
+ kvm->arch.vmid = kvm_next_vmid;
+ kvm_next_vmid++;
+
diff --git a/arch/arm/lib/clear_user.S b/arch/arm/lib/clear_user.S
index 14a0d98..7771a7d 100644
--- a/arch/arm/lib/clear_user.S
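Review bot: Nothing on the new `static atomic64_unchecked_t kvm_vmid_gen` declaration in arch/arm/kvm/arm.c says why this counter moves to the `_unchecked` type, and the same holds for `asid_generation` in the arch/arm/mm/context.c hunk further down. Both look like generation counters rather than reference counts, so they are presumably exempted from the CONFIG_PAX_REFCOUNT overflow trap on purpose. Someone auditing which counters lost overflow protection cannot confirm that from the code alone. A one-line comment above each declaration would settle it, for example `/* generation counter, not a refcount: deliberately outside PAX_REFCOUNT overflow checking */`. The bodies of update_vttbr() and new_context() extend beyond the quoted context.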
@@ -3539,10 +3672,10 @@ index cad3ca86..1d79e0f 100644
extern void ux500_cpu_die(unsigned int cpu);
diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig
-index 35955b5..b475042 100644
+index 08c9fe9..191320c 100644
--- a/arch/arm/mm/Kconfig
+++ b/arch/arm/mm/Kconfig
-@@ -432,7 +432,7 @@ config CPU_32v5
+@@ -436,7 +436,7 @@ config CPU_32v5
config CPU_32v6
bool
@@ -3551,7 +3684,7 @@ index 35955b5..b475042 100644
select TLS_REG_EMUL if !CPU_32v6K && !MMU
config CPU_32v6K
-@@ -581,6 +581,7 @@ config CPU_CP15_MPU
+@@ -585,6 +585,7 @@ config CPU_CP15_MPU
config CPU_USE_DOMAINS
bool
@@ -3559,6 +3692,23 @@ index 35955b5..b475042 100644
help
This option enables or disables the use of domain switching
via the set_fs() function.
+@@ -780,6 +781,7 @@ config NEED_KUSER_HELPERS
+ config KUSER_HELPERS
+ bool "Enable kuser helpers in vector page" if !NEED_KUSER_HELPERS
+ default y
++ depends on !(CPU_V6 || CPU_V6K || CPU_V7)
+ help
+ Warning: disabling this option may break user programs.
+
+@@ -792,7 +794,7 @@ config KUSER_HELPERS
+ See Documentation/arm/kernel_user_helpers.txt for details.
+
+ However, the fixed address nature of these helpers can be used
+- by ROP (return orientated programming) authors when creating
++ by ROP (Return Oriented Programming) authors when creating
+ exploits.
+
+ If all of the binaries and libraries which run on your platform
diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c
index 6f4585b..7b6f52b 100644
--- a/arch/arm/mm/alignment.c
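Review bot: The added `depends on !(CPU_V6 || CPU_V6K || CPU_V7)` makes KUSER_HELPERS unselectable on those CPUs, but the help text still opens with "disabling this option may break user programs" and never says the choice is made for the user there. The `default y` and the prompt condition `if !NEED_KUSER_HELPERS` are untouched, so if NEED_KUSER_HELPERS can be set on a V6/V7 configuration the two symbols would disagree; that cannot be confirmed from this hunk. I would add a sentence to the help text such as `On ARMv6/ARMv7 this option is forced off, so binaries must not rely on the fixed-address helpers in the vector page.`, adjusted to whatever emulation the rest of the patch provides.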
@@ -3624,8 +3774,56 @@ index 6f4585b..7b6f52b 100644
if (err) \
goto fault; \
} while (0)
+diff --git a/arch/arm/mm/context.c b/arch/arm/mm/context.c
+index eeab06e..2638dc2 100644
+--- a/arch/arm/mm/context.c
++++ b/arch/arm/mm/context.c
+@@ -42,7 +42,7 @@
+ #define NUM_USER_ASIDS ASID_FIRST_VERSION
+
+ static DEFINE_RAW_SPINLOCK(cpu_asid_lock);
+-static atomic64_t asid_generation = ATOMIC64_INIT(ASID_FIRST_VERSION);
++static atomic64_unchecked_t asid_generation = ATOMIC64_INIT(ASID_FIRST_VERSION);
+ static DECLARE_BITMAP(asid_map, NUM_USER_ASIDS);
+
+ static DEFINE_PER_CPU(atomic64_t, active_asids);
+@@ -188,7 +188,7 @@ static int is_reserved_asid(u64 asid)
+ static u64 new_context(struct mm_struct *mm, unsigned int cpu)
+ {
+ u64 asid = atomic64_read(&mm->context.id);
+- u64 generation = atomic64_read(&asid_generation);
++ u64 generation = atomic64_read_unchecked(&asid_generation);
+
+ if (asid != 0 && is_reserved_asid(asid)) {
+ /*
+@@ -206,7 +206,7 @@ static u64 new_context(struct mm_struct *mm, unsigned int cpu)
+ */
+ asid = find_next_zero_bit(asid_map, NUM_USER_ASIDS, 1);
+ if (asid == NUM_USER_ASIDS) {
+- generation = atomic64_add_return(ASID_FIRST_VERSION,
++ generation = atomic64_add_return_unchecked(ASID_FIRST_VERSION,
+ &asid_generation);
+ flush_context(cpu);
+ asid = find_next_zero_bit(asid_map, NUM_USER_ASIDS, 1);
+@@ -235,14 +235,14 @@ void check_and_switch_context(struct mm_struct *mm, struct task_struct *tsk)
+ cpu_set_reserved_ttbr0();
+
+ asid = atomic64_read(&mm->context.id);
+- if (!((asid ^ atomic64_read(&asid_generation)) >> ASID_BITS)
++ if (!((asid ^ atomic64_read_unchecked(&asid_generation)) >> ASID_BITS)
+ && atomic64_xchg(&per_cpu(active_asids, cpu), asid))
+ goto switch_mm_fastpath;
+
+ raw_spin_lock_irqsave(&cpu_asid_lock, flags);
+ /* Check that our ASID belongs to the current generation. */
+ asid = atomic64_read(&mm->context.id);
+- if ((asid ^ atomic64_read(&asid_generation)) >> ASID_BITS) {
++ if ((asid ^ atomic64_read_unchecked(&asid_generation)) >> ASID_BITS) {
+ asid = new_context(mm, cpu);
+ atomic64_set(&mm->context.id, asid);
+ }
diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
-index 5dbf13f..1a60561 100644
+index 5dbf13f..a2d1876 100644
--- a/arch/arm/mm/fault.c
+++ b/arch/arm/mm/fault.c
@@ -25,6 +25,7 @@
@@ -3728,12 +3926,31 @@ index 5dbf13f..1a60561 100644
printk(KERN_ALERT "Unhandled fault: %s (0x%03x) at 0x%08lx\n",
inf->name, fsr, addr);
-@@ -575,9 +637,49 @@ do_PrefetchAbort(unsigned long addr, unsigned int ifsr, struct pt_regs *regs)
+@@ -569,15 +631,68 @@ hook_ifault_code(int nr, int (*fn)(unsigned long, unsigned int, struct pt_regs *
+ ifsr_info[nr].name = name;
+ }
+
++asmlinkage int sys_sigreturn(struct pt_regs *regs);
++asmlinkage int sys_rt_sigreturn(struct pt_regs *regs);
++
+ asmlinkage void __exception
+ do_PrefetchAbort(unsigned long addr, unsigned int ifsr, struct pt_regs *regs)
+ {
const struct fsr_info *inf = ifsr_info + fsr_fs(ifsr);
struct siginfo info;
-
++ unsigned long pc = instruction_pointer(regs);
++
+ if (user_mode(regs)) {
-+ if (addr == 0xffff0fe0UL) {
++ unsigned long sigpage = current->mm->context.sigpage;
++
++ if (sigpage <= pc && pc < sigpage + 7*4) {
++ if (pc < sigpage + 3*4)
++ sys_sigreturn(regs);
++ else
++ sys_rt_sigreturn(regs);
++ return;
++ }
++ if (pc == 0xffff0fe0UL) {
+ /*
+ * PaX: __kuser_get_tls emulation
+ */
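Review bot: The range check `sigpage <= pc && pc < sigpage + 7*4` and the split at `sigpage + 3*4` in do_PrefetchAbort() hard-code the size and layout of the signal-return stubs as bare numbers. If that stub table (defined outside this hunk) grows or is reordered, the handler would dispatch a fault to the wrong one of sys_sigreturn()/sys_rt_sigreturn() or stop recognising the page, and nothing at the definition points back here. Named constants kept next to the stub table would tie the two together. Failing that, a comment such as `/* 7 stub words; this code assumes the first 3 are the sigreturn stub, the rest rt_sigreturn */` would help. The function body continues past the end of this hunk.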
@@ -3748,11 +3965,11 @@ index 5dbf13f..1a60561 100644
+ if (current->signal->curr_ip)
+ printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", &current->signal->curr_ip, current->comm, task_pid_nr(current),
+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()),
-+ addr >= TASK_SIZE ? "non-executable kernel" : "userland", addr);
++ pc >= TASK_SIZE ? "non-executable kernel" : "userland", pc);
+ else
+ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", current->comm, task_pid_nr(current),
+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()),
-+ addr >= TASK_SIZE ? "non-executable kernel" : "userland", addr);
++ pc >= TASK_SIZE ? "non-executable kernel" : "userland", pc);
+ goto die;
+ }
+#endif
@@ -3761,7 +3978,7 @@ index 5dbf13f..1a60561 100644
+ if (fsr_fs(ifsr) == FAULT_CODE_DEBUG) {
+ unsigned int bkpt;
+
-+ if (!probe_kernel_address((unsigned int *)addr, bkpt) && bkpt == 0xe12f1073) {
++ if (!probe_kernel_address((unsigned int *)pc, bkpt) && cpu_to_le32(bkpt) == 0xe12f1073) {
+ current->thread.error_code = ifsr;
+ current->thread.trap_no = 0;
+ pax_report_refcount_overflow(regs);
@@ -3770,7 +3987,7 @@ index 5dbf13f..1a60561 100644
+ }
+ }
+#endif
-+
+
if (!inf->fn(addr, ifsr | FSR_LNX_PF, regs))
return;
@@ -3997,7 +4214,7 @@ index 10062ce..8695745 100644
mm->unmap_area = arch_unmap_area_topdown;
}
diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c
-index 4d409e6..f375351 100644
+index daf336f..4e6392c 100644
--- a/arch/arm/mm/mmu.c
+++ b/arch/arm/mm/mmu.c
@@ -36,6 +36,22 @@
@@ -4064,7 +4281,7 @@ index 4d409e6..f375351 100644
.domain = DOMAIN_KERNEL,
},
#endif
-@@ -277,36 +301,65 @@ static struct mem_type mem_types[] = {
+@@ -277,36 +301,54 @@ static struct mem_type mem_types[] = {
.prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
L_PTE_RDONLY,
.prot_l1 = PMD_TYPE_TABLE,
@@ -4072,21 +4289,8 @@ index 4d409e6..f375351 100644
+ .domain = DOMAIN_VECTORS,
},
[MT_HIGH_VECTORS] = {
-- .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
-- L_PTE_USER | L_PTE_RDONLY,
-+ /* we always want the vector page to be noaccess for userland on archs with
-+ XN where we can enforce some reasonable measure of security
-+ therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY
-+ which turns into supervisor rwx, userland rx, we instead omit that entirely,
-+ leaving it as supervisor rwx only
-+ */
-+#ifdef CONFIG_PAX_KERNEXEC
-+ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | L_PTE_RDONLY,
-+#elif __LINUX_ARM_ARCH__ >= 6
-+ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY,
-+#else
-+ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | L_PTE_USER | L_PTE_RDONLY,
-+#endif
+ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
+ L_PTE_USER | L_PTE_RDONLY,
.prot_l1 = PMD_TYPE_TABLE,
- .domain = DOMAIN_USER,
+ .domain = DOMAIN_VECTORS,
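Review bot: The MT_HIGH_VECTORS entry now keeps `L_PTE_USER | L_PTE_RDONLY` in `.prot_pte` and changes only `.domain` to `DOMAIN_VECTORS`, yet nothing in the new code says what is expected to keep userland from using the vector page. Access is presumably governed by the domain setting rather than by the PTE bits, but that is inferred and the domain handling is not visible in this hunk. A short comment above the entry would record the intent for the next reader, for example `/* PTE keeps L_PTE_USER; userland access to this page is controlled through DOMAIN_VECTORS */`, with the wording confirmed against the domain setup code.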
@@ -4140,7 +4344,7 @@ index 4d409e6..f375351 100644
.domain = DOMAIN_KERNEL,
},
[MT_MEMORY_ITCM] = {
-@@ -316,10 +369,10 @@ static struct mem_type mem_types[] = {
+@@ -316,10 +358,10 @@ static struct mem_type mem_types[] = {
},
[MT_MEMORY_SO] = {
.prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
@@ -4153,7 +4357,7 @@ index 4d409e6..f375351 100644
.domain = DOMAIN_KERNEL,
},
[MT_MEMORY_DMA_READY] = {
-@@ -405,9 +458,35 @@ static void __init build_mem_type_table(void)
+@@ -405,9 +447,35 @@ static void __init build_mem_type_table(void)
* to prevent speculative instruction fetches.
*/
mem_types[MT_DEVICE].prot_sect |= PMD_SECT_XN;
@@ -4189,7 +4393,7 @@ index 4d409e6..f375351 100644
}
if (cpu_arch >= CPU_ARCH_ARMv7 && (cr & CR_TRE)) {
/*
-@@ -468,6 +547,9 @@ static void __init build_mem_type_table(void)
+@@ -468,6 +536,9 @@ static void __init build_mem_type_table(void)
* from SVC mode and no access from userspace.
*/
mem_types[MT_ROM].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
@@ -4199,7 +4403,7 @@ index 4d409e6..f375351 100644
mem_types[MT_MINICLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
mem_types[MT_CACHECLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
#endif
-@@ -485,11 +567,17 @@ static void __init build_mem_type_table(void)
+@@ -485,11 +556,17 @@ static void __init build_mem_type_table(void)
mem_types[MT_DEVICE_WC].prot_pte |= L_PTE_SHARED;
mem_types[MT_DEVICE_CACHED].prot_sect |= PMD_SECT_S;
mem_types[MT_DEVICE_CACHED].prot_pte |= L_PTE_SHARED;
@@ -4221,7 +4425,7 @@ index 4d409e6..f375351 100644
}
}
-@@ -500,15 +588,20 @@ static void __init build_mem_type_table(void)
+@@ -500,15 +577,20 @@ static void __init build_mem_type_table(void)
if (cpu_arch >= CPU_ARCH_ARMv6) {
if (cpu_arch >= CPU_ARCH_ARMv7 && (cr & CR_TRE)) {
/* Non-cacheable Normal is XCB = 001 */
@@ -4245,7 +4449,7 @@ index 4d409e6..f375351 100644
}
#ifdef CONFIG_ARM_LPAE
-@@ -524,6 +617,8 @@ static void __init build_mem_type_table(void)
+@@ -524,6 +606,8 @@ static void __init build_mem_type_table(void)
vecs_pgprot |= PTE_EXT_AF;
#endif
@@ -4254,7 +4458,7 @@ index 4d409e6..f375351 100644
for (i = 0; i < 16; i++) {
pteval_t v = pgprot_val(protection_map[i]);
protection_map[i] = __pgprot(v | user_pgprot);
-@@ -541,10 +636,15 @@ static void __init build_mem_type_table(void)
+@@ -541,10 +625,15 @@ static void __init build_mem_type_table(void)
mem_types[MT_LOW_VECTORS].prot_l1 |= ecc_mask;
mem_types[MT_HIGH_VECTORS].prot_l1 |= ecc_mask;
@@ -4273,12 +4477,12 @@ index 4d409e6..f375351 100644
mem_types[MT_ROM].prot_sect |= cp->pmd;
switch (cp->pmd) {
-@@ -1166,18 +1266,15 @@ void __init arm_mm_memblock_reserve(void)
+@@ -1166,18 +1255,15 @@ void __init arm_mm_memblock_reserve(void)
* called function. This means you can't use any function or debugging
* method which may touch any device, otherwise the kernel _will_ crash.
*/
+
-+static char vectors[PAGE_SIZE] __read_only __aligned(PAGE_SIZE);
++static char vectors[PAGE_SIZE * 2] __read_only __aligned(PAGE_SIZE);
+
static void __init devicemaps_init(struct machine_desc *mdesc)
{
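Review bot: The new `static char vectors[PAGE_SIZE * 2] __read_only` buffer has no comment about when it may be written, although it is passed to early_trap_init() a few lines further on. That function presumably fills it during boot, but its body is outside this hunk. A note such as `/* filled once by early_trap_init() during early boot, before read-only data is enforced */` would record the ordering assumption that the `__read_only` placement depends on. The `PAGE_SIZE * 2` size is also repeated as a literal in `flush_icache_range(vectors, vectors + PAGE_SIZE * 2)` in the traps.c hunk, so a shared named constant would stop the two drifting apart.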
@@ -4289,14 +4493,14 @@ index 4d409e6..f375351 100644
- /*
- * Allocate the vector page early.
- */
-- vectors = early_alloc(PAGE_SIZE);
+- vectors = early_alloc(PAGE_SIZE * 2);
-
- early_trap_init(vectors);
+ early_trap_init(&vectors);
for (addr = VMALLOC_START; addr; addr += PMD_SIZE)
pmd_clear(pmd_off_k(addr));
-@@ -1217,7 +1314,7 @@ static void __init devicemaps_init(struct machine_desc *mdesc)
+@@ -1217,7 +1303,7 @@ static void __init devicemaps_init(struct machine_desc *mdesc)
* location (0xffff0000). If we aren't using high-vectors, also
* create a mapping at the low-vectors virtual address.
*/
@@ -4304,8 +4508,8 @@ index 4d409e6..f375351 100644
+ map.pfn = __phys_to_pfn(virt_to_phys(&vectors));
map.virtual = 0xffff0000;
map.length = PAGE_SIZE;
- map.type = MT_HIGH_VECTORS;
-@@ -1275,8 +1372,39 @@ static void __init map_lowmem(void)
+ #ifdef CONFIG_KUSER_HELPERS
+@@ -1287,8 +1373,39 @@ static void __init map_lowmem(void)
map.pfn = __phys_to_pfn(start);
map.virtual = __phys_to_virt(start);
map.length = end - start;
@@ -4346,20 +4550,6 @@ index 4d409e6..f375351 100644
create_mapping(&map);
}
}
-diff --git a/arch/arm/mm/proc-v7-2level.S b/arch/arm/mm/proc-v7-2level.S
-index 9704097..3e36dde 100644
---- a/arch/arm/mm/proc-v7-2level.S
-+++ b/arch/arm/mm/proc-v7-2level.S
-@@ -99,6 +99,9 @@ ENTRY(cpu_v7_set_pte_ext)
- tst r1, #L_PTE_XN
- orrne r3, r3, #PTE_EXT_XN
-
-+ tst r1, #L_PTE_PXN
-+ orrne r3, r3, #PTE_EXT_PXN
-+
- tst r1, #L_PTE_YOUNG
- tstne r1, #L_PTE_VALID
- #ifndef CONFIG_CPU_USE_DOMAINS
diff --git a/arch/arm/plat-omap/sram.c b/arch/arm/plat-omap/sram.c
index a5bc92d..0bb4730 100644
--- a/arch/arm/plat-omap/sram.c
@@ -5244,10 +5434,10 @@ index 4efe96a..60e8699 100644
#define SMP_CACHE_BYTES L1_CACHE_BYTES
diff --git a/arch/mips/include/asm/atomic.h b/arch/mips/include/asm/atomic.h
-index 08b6079..eb272cf 100644
+index 08b6079..8b554d2 100644
--- a/arch/mips/include/asm/atomic.h
+++ b/arch/mips/include/asm/atomic.h
-@@ -21,6 +21,10 @@
+@@ -21,15 +21,39 @@
#include <asm/cmpxchg.h>
#include <asm/war.h>
@@ -5257,24 +5447,899 @@ index 08b6079..eb272cf 100644
+
#define ATOMIC_INIT(i) { (i) }
++#ifdef CONFIG_64BIT
++#define _ASM_EXTABLE(from, to) \
++" .section __ex_table,\"a\"\n" \
++" .dword " #from ", " #to"\n" \
++" .previous\n"
++#else
++#define _ASM_EXTABLE(from, to) \
++" .section __ex_table,\"a\"\n" \
++" .word " #from ", " #to"\n" \
++" .previous\n"
++#endif
++
/*
-@@ -759,6 +763,16 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
+ * atomic_read - read atomic variable
+ * @v: pointer of type atomic_t
+ *
+ * Atomically reads the value of @v.
*/
- #define atomic64_add_negative(i, v) (atomic64_add_return(i, (v)) < 0)
+-#define atomic_read(v) (*(volatile int *)&(v)->counter)
++static inline int atomic_read(const atomic_t *v)
++{
++ return (*(volatile const int *) &v->counter);
++}
++
++static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
++{
++ return (*(volatile const int *) &v->counter);
++}
-+#define atomic64_read_unchecked(v) atomic64_read(v)
-+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
-+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
-+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
-+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
-+#define atomic64_inc_unchecked(v) atomic64_inc(v)
-+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
-+#define atomic64_dec_unchecked(v) atomic64_dec(v)
-+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
+ /*
+ * atomic_set - set atomic variable
+@@ -38,7 +62,15 @@
+ *
+ * Atomically sets the value of @v to @i.
+ */
+-#define atomic_set(v, i) ((v)->counter = (i))
++static inline void atomic_set(atomic_t *v, int i)
++{
++ v->counter = i;
++}
+
- #endif /* CONFIG_64BIT */
++static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
++{
++ v->counter = i;
++}
+
+ /*
+ * atomic_add - add integer to atomic variable
+@@ -47,7 +79,67 @@
+ *
+ * Atomically adds @i to @v.
+ */
+-static __inline__ void atomic_add(int i, atomic_t * v)
++static __inline__ void atomic_add(int i, atomic_t *v)
++{
++ int temp;
++
++ if (kernel_uses_llsc && R10000_LLSC_WAR) {
++ __asm__ __volatile__(
++ " .set mips3 \n"
++ "1: ll %0, %1 # atomic_add \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ /* Exception on overflow. */
++ "2: add %0, %2 \n"
++#else
++ " addu %0, %2 \n"
++#endif
++ " sc %0, %1 \n"
++ " beqzl %0, 1b \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "3: \n"
++ _ASM_EXTABLE(2b, 3b)
++#endif
++ " .set mips0 \n"
++ : "=&r" (temp), "+m" (v->counter)
++ : "Ir" (i));
++ } else if (kernel_uses_llsc) {
++ __asm__ __volatile__(
++ " .set mips3 \n"
++ "1: ll %0, %1 # atomic_add \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ /* Exception on overflow. */
++ "2: add %0, %2 \n"
++#else
++ " addu %0, %2 \n"
++#endif
++ " sc %0, %1 \n"
++ " beqz %0, 1b \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "3: \n"
++ _ASM_EXTABLE(2b, 3b)
++#endif
++ " .set mips0 \n"
++ : "=&r" (temp), "+m" (v->counter)
++ : "Ir" (i));
++ } else {
++ unsigned long flags;
++
++ raw_local_irq_save(flags);
++ __asm__ __volatile__(
++#ifdef CONFIG_PAX_REFCOUNT
++ /* Exception on overflow. */
++ "1: add %0, %1 \n"
++ "2: \n"
++ _ASM_EXTABLE(1b, 2b)
++#else
++ " addu %0, %1 \n"
++#endif
++ : "+r" (v->counter) : "Ir" (i));
++ raw_local_irq_restore(flags);
++ }
++}
++
++static __inline__ void atomic_add_unchecked(int i, atomic_unchecked_t *v)
+ {
+ if (kernel_uses_llsc && R10000_LLSC_WAR) {
+ int temp;
+@@ -90,7 +182,67 @@ static __inline__ void atomic_add(int i, atomic_t * v)
+ *
+ * Atomically subtracts @i from @v.
+ */
+-static __inline__ void atomic_sub(int i, atomic_t * v)
++static __inline__ void atomic_sub(int i, atomic_t *v)
++{
++ int temp;
++
++ if (kernel_uses_llsc && R10000_LLSC_WAR) {
++ __asm__ __volatile__(
++ " .set mips3 \n"
++ "1: ll %0, %1 # atomic64_sub \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ /* Exception on overflow. */
++ "2: sub %0, %2 \n"
++#else
++ " subu %0, %2 \n"
++#endif
++ " sc %0, %1 \n"
++ " beqzl %0, 1b \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "3: \n"
++ _ASM_EXTABLE(2b, 3b)
++#endif
++ " .set mips0 \n"
++ : "=&r" (temp), "+m" (v->counter)
++ : "Ir" (i));
++ } else if (kernel_uses_llsc) {
++ __asm__ __volatile__(
++ " .set mips3 \n"
++ "1: ll %0, %1 # atomic64_sub \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ /* Exception on overflow. */
++ "2: sub %0, %2 \n"
++#else
++ " subu %0, %2 \n"
++#endif
++ " sc %0, %1 \n"
++ " beqz %0, 1b \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "3: \n"
++ _ASM_EXTABLE(2b, 3b)
++#endif
++ " .set mips0 \n"
++ : "=&r" (temp), "+m" (v->counter)
++ : "Ir" (i));
++ } else {
++ unsigned long flags;
++
++ raw_local_irq_save(flags);
++ __asm__ __volatile__(
++#ifdef CONFIG_PAX_REFCOUNT
++ /* Exception on overflow. */
++ "1: sub %0, %1 \n"
++ "2: \n"
++ _ASM_EXTABLE(1b, 2b)
++#else
++ " subu %0, %1 \n"
++#endif
++ : "+r" (v->counter) : "Ir" (i));
++ raw_local_irq_restore(flags);
++ }
++}
++
++static __inline__ void atomic_sub_unchecked(long i, atomic_unchecked_t *v)
+ {
+ if (kernel_uses_llsc && R10000_LLSC_WAR) {
+ int temp;
+@@ -129,7 +281,93 @@ static __inline__ void atomic_sub(int i, atomic_t * v)
+ /*
+ * Same as above, but return the result value
+ */
+-static __inline__ int atomic_add_return(int i, atomic_t * v)
++static __inline__ int atomic_add_return(int i, atomic_t *v)
++{
++ int result;
++ int temp;
++
++ smp_mb__before_llsc();
++
++ if (kernel_uses_llsc && R10000_LLSC_WAR) {
++ __asm__ __volatile__(
++ " .set mips3 \n"
++ "1: ll %1, %2 # atomic_add_return \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "2: add %0, %1, %3 \n"
++#else
++ " addu %0, %1, %3 \n"
++#endif
++ " sc %0, %2 \n"
++ " beqzl %0, 1b \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ " b 4f \n"
++ " .set noreorder \n"
++ "3: b 5f \n"
++ " move %0, %1 \n"
++ " .set reorder \n"
++ _ASM_EXTABLE(2b, 3b)
++#endif
++ "4: addu %0, %1, %3 \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "5: \n"
++#endif
++ " .set mips0 \n"
++ : "=&r" (result), "=&r" (temp), "+m" (v->counter)
++ : "Ir" (i));
++ } else if (kernel_uses_llsc) {
++ __asm__ __volatile__(
++ " .set mips3 \n"
++ "1: ll %1, %2 # atomic_add_return \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "2: add %0, %1, %3 \n"
++#else
++ " addu %0, %1, %3 \n"
++#endif
++ " sc %0, %2 \n"
++ " bnez %0, 4f \n"
++ " b 1b \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ " .set noreorder \n"
++ "3: b 5f \n"
++ " move %0, %1 \n"
++ " .set reorder \n"
++ _ASM_EXTABLE(2b, 3b)
++#endif
++ "4: addu %0, %1, %3 \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "5: \n"
++#endif
++ " .set mips0 \n"
++ : "=&r" (result), "=&r" (temp), "+m" (v->counter)
++ : "Ir" (i));
++ } else {
++ unsigned long flags;
++
++ raw_local_irq_save(flags);
++ __asm__ __volatile__(
++ " lw %0, %1 \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ /* Exception on overflow. */
++ "1: add %0, %2 \n"
++#else
++ " addu %0, %2 \n"
++#endif
++ " sw %0, %1 \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ /* Note: Dest reg is not modified on overflow */
++ "2: \n"
++ _ASM_EXTABLE(1b, 2b)
++#endif
++ : "=&r" (result), "+m" (v->counter) : "Ir" (i));
++ raw_local_irq_restore(flags);
++ }
++
++ smp_llsc_mb();
++
++ return result;
++}
++
++static __inline__ int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
+ {
+ int result;
+
+@@ -178,7 +416,93 @@ static __inline__ int atomic_add_return(int i, atomic_t * v)
+ return result;
+ }
+
+-static __inline__ int atomic_sub_return(int i, atomic_t * v)
++static __inline__ int atomic_sub_return(int i, atomic_t *v)
++{
++ int result;
++ int temp;
++
++ smp_mb__before_llsc();
++
++ if (kernel_uses_llsc && R10000_LLSC_WAR) {
++ __asm__ __volatile__(
++ " .set mips3 \n"
++ "1: ll %1, %2 # atomic_sub_return \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "2: sub %0, %1, %3 \n"
++#else
++ " subu %0, %1, %3 \n"
++#endif
++ " sc %0, %2 \n"
++ " beqzl %0, 1b \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ " b 4f \n"
++ " .set noreorder \n"
++ "3: b 5f \n"
++ " move %0, %1 \n"
++ " .set reorder \n"
++ _ASM_EXTABLE(2b, 3b)
++#endif
++ "4: subu %0, %1, %3 \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "5: \n"
++#endif
++ " .set mips0 \n"
++ : "=&r" (result), "=&r" (temp), "=m" (v->counter)
++ : "Ir" (i), "m" (v->counter)
++ : "memory");
++ } else if (kernel_uses_llsc) {
++ __asm__ __volatile__(
++ " .set mips3 \n"
++ "1: ll %1, %2 # atomic_sub_return \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "2: sub %0, %1, %3 \n"
++#else
++ " subu %0, %1, %3 \n"
++#endif
++ " sc %0, %2 \n"
++ " bnez %0, 4f \n"
++ " b 1b \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ " .set noreorder \n"
++ "3: b 5f \n"
++ " move %0, %1 \n"
++ " .set reorder \n"
++ _ASM_EXTABLE(2b, 3b)
++#endif
++ "4: subu %0, %1, %3 \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "5: \n"
++#endif
++ " .set mips0 \n"
++ : "=&r" (result), "=&r" (temp), "+m" (v->counter)
++ : "Ir" (i));
++ } else {
++ unsigned long flags;
++
++ raw_local_irq_save(flags);
++ __asm__ __volatile__(
++ " lw %0, %1 \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ /* Exception on overflow. */
++ "1: sub %0, %2 \n"
++#else
++ " subu %0, %2 \n"
++#endif
++ " sw %0, %1 \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ /* Note: Dest reg is not modified on overflow */
++ "2: \n"
++ _ASM_EXTABLE(1b, 2b)
++#endif
++ : "=&r" (result), "+m" (v->counter) : "Ir" (i));
++ raw_local_irq_restore(flags);
++ }
++
++ smp_llsc_mb();
++
++ return result;
++}
++static __inline__ int atomic_sub_return_unchecked(int i, atomic_unchecked_t *v)
+ {
+ int result;
+
+@@ -238,7 +562,7 @@ static __inline__ int atomic_sub_return(int i, atomic_t * v)
+ * Atomically test @v and subtract @i if @v is greater or equal than @i.
+ * The function returns the old value of @v minus @i.
+ */
+-static __inline__ int atomic_sub_if_positive(int i, atomic_t * v)
++static __inline__ int atomic_sub_if_positive(int i, atomic_t *v)
+ {
+ int result;
+
+@@ -295,8 +619,26 @@ static __inline__ int atomic_sub_if_positive(int i, atomic_t * v)
+ return result;
+ }
+
+-#define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
+-#define atomic_xchg(v, new) (xchg(&((v)->counter), (new)))
++static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
++{
++ return cmpxchg(&v->counter, old, new);
++}
++
++static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old,
++ int new)
++{
++ return cmpxchg(&(v->counter), old, new);
++}
++
++static inline int atomic_xchg(atomic_t *v, int new)
++{
++ return xchg(&v->counter, new);
++}
++
++static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
++{
++ return xchg(&(v->counter), new);
++}
+
+ /**
+ * __atomic_add_unless - add unless the number is a given value
+@@ -324,6 +666,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
+
+ #define atomic_dec_return(v) atomic_sub_return(1, (v))
+ #define atomic_inc_return(v) atomic_add_return(1, (v))
++static __inline__ int atomic_inc_return_unchecked(atomic_unchecked_t *v)
++{
++ return atomic_add_return_unchecked(1, v);
++}
/*
+ * atomic_sub_and_test - subtract value from variable and test result
+@@ -345,6 +691,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
+ * other cases.
+ */
+ #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
++static __inline__ int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
++{
++ return atomic_add_return_unchecked(1, v) == 0;
++}
+
+ /*
+ * atomic_dec_and_test - decrement by 1 and test
+@@ -369,6 +719,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
+ * Atomically increments @v by 1.
+ */
+ #define atomic_inc(v) atomic_add(1, (v))
++static __inline__ void atomic_inc_unchecked(atomic_unchecked_t *v)
++{
++ atomic_add_unchecked(1, v);
++}
+
+ /*
+ * atomic_dec - decrement and test
+@@ -377,6 +731,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
+ * Atomically decrements @v by 1.
+ */
+ #define atomic_dec(v) atomic_sub(1, (v))
++static __inline__ void atomic_dec_unchecked(atomic_unchecked_t *v)
++{
++ atomic_sub_unchecked(1, v);
++}
+
+ /*
+ * atomic_add_negative - add and test if negative
+@@ -398,14 +756,30 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
+ * @v: pointer of type atomic64_t
+ *
+ */
+-#define atomic64_read(v) (*(volatile long *)&(v)->counter)
++static inline long atomic64_read(const atomic64_t *v)
++{
++ return (*(volatile const long *) &v->counter);
++}
++
++static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
++{
++ return (*(volatile const long *) &v->counter);
++}
+
+ /*
+ * atomic64_set - set atomic variable
+ * @v: pointer of type atomic64_t
+ * @i: required value
+ */
+-#define atomic64_set(v, i) ((v)->counter = (i))
++static inline void atomic64_set(atomic64_t *v, long i)
++{
++ v->counter = i;
++}
++
++static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
++{
++ v->counter = i;
++}
+
+ /*
+ * atomic64_add - add integer to atomic variable
+@@ -414,7 +788,66 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
+ *
+ * Atomically adds @i to @v.
+ */
+-static __inline__ void atomic64_add(long i, atomic64_t * v)
++static __inline__ void atomic64_add(long i, atomic64_t *v)
++{
++ long temp;
++
++ if (kernel_uses_llsc && R10000_LLSC_WAR) {
++ __asm__ __volatile__(
++ " .set mips3 \n"
++ "1: lld %0, %1 # atomic64_add \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ /* Exception on overflow. */
++ "2: dadd %0, %2 \n"
++#else
++ " daddu %0, %2 \n"
++#endif
++ " scd %0, %1 \n"
++ " beqzl %0, 1b \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "3: \n"
++ _ASM_EXTABLE(2b, 3b)
++#endif
++ " .set mips0 \n"
++ : "=&r" (temp), "+m" (v->counter)
++ : "Ir" (i));
++ } else if (kernel_uses_llsc) {
++ __asm__ __volatile__(
++ " .set mips3 \n"
++ "1: lld %0, %1 # atomic64_add \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ /* Exception on overflow. */
++ "2: dadd %0, %2 \n"
++#else
++ " daddu %0, %2 \n"
++#endif
++ " scd %0, %1 \n"
++ " beqz %0, 1b \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "3: \n"
++ _ASM_EXTABLE(2b, 3b)
++#endif
++ " .set mips0 \n"
++ : "=&r" (temp), "+m" (v->counter)
++ : "Ir" (i));
++ } else {
++ unsigned long flags;
++
++ raw_local_irq_save(flags);
++ __asm__ __volatile__(
++#ifdef CONFIG_PAX_REFCOUNT
++ /* Exception on overflow. */
++ "1: dadd %0, %1 \n"
++ "2: \n"
++ _ASM_EXTABLE(1b, 2b)
++#else
++ " daddu %0, %1 \n"
++#endif
++ : "+r" (v->counter) : "Ir" (i));
++ raw_local_irq_restore(flags);
++ }
++}
++static __inline__ void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
+ {
+ if (kernel_uses_llsc && R10000_LLSC_WAR) {
+ long temp;
+@@ -457,7 +890,67 @@ static __inline__ void atomic64_add(long i, atomic64_t * v)
+ *
+ * Atomically subtracts @i from @v.
+ */
+-static __inline__ void atomic64_sub(long i, atomic64_t * v)
++static __inline__ void atomic64_sub(long i, atomic64_t *v)
++{
++ long temp;
++
++ if (kernel_uses_llsc && R10000_LLSC_WAR) {
++ __asm__ __volatile__(
++ " .set mips3 \n"
++ "1: lld %0, %1 # atomic64_sub \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ /* Exception on overflow. */
++ "2: dsub %0, %2 \n"
++#else
++ " dsubu %0, %2 \n"
++#endif
++ " scd %0, %1 \n"
++ " beqzl %0, 1b \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "3: \n"
++ _ASM_EXTABLE(2b, 3b)
++#endif
++ " .set mips0 \n"
++ : "=&r" (temp), "+m" (v->counter)
++ : "Ir" (i));
++ } else if (kernel_uses_llsc) {
++ __asm__ __volatile__(
++ " .set mips3 \n"
++ "1: lld %0, %1 # atomic64_sub \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ /* Exception on overflow. */
++ "2: dsub %0, %2 \n"
++#else
++ " dsubu %0, %2 \n"
++#endif
++ " scd %0, %1 \n"
++ " beqz %0, 1b \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "3: \n"
++ _ASM_EXTABLE(2b, 3b)
++#endif
++ " .set mips0 \n"
++ : "=&r" (temp), "+m" (v->counter)
++ : "Ir" (i));
++ } else {
++ unsigned long flags;
++
++ raw_local_irq_save(flags);
++ __asm__ __volatile__(
++#ifdef CONFIG_PAX_REFCOUNT
++ /* Exception on overflow. */
++ "1: dsub %0, %1 \n"
++ "2: \n"
++ _ASM_EXTABLE(1b, 2b)
++#else
++ " dsubu %0, %1 \n"
++#endif
++ : "+r" (v->counter) : "Ir" (i));
++ raw_local_irq_restore(flags);
++ }
++}
++
++static __inline__ void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
+ {
+ if (kernel_uses_llsc && R10000_LLSC_WAR) {
+ long temp;
+@@ -496,7 +989,93 @@ static __inline__ void atomic64_sub(long i, atomic64_t * v)
+ /*
+ * Same as above, but return the result value
+ */
+-static __inline__ long atomic64_add_return(long i, atomic64_t * v)
++static __inline__ long atomic64_add_return(long i, atomic64_t *v)
++{
++ long result;
++ long temp;
++
++ smp_mb__before_llsc();
++
++ if (kernel_uses_llsc && R10000_LLSC_WAR) {
++ __asm__ __volatile__(
++ " .set mips3 \n"
++ "1: lld %1, %2 # atomic64_add_return \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "2: dadd %0, %1, %3 \n"
++#else
++ " daddu %0, %1, %3 \n"
++#endif
++ " scd %0, %2 \n"
++ " beqzl %0, 1b \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ " b 4f \n"
++ " .set noreorder \n"
++ "3: b 5f \n"
++ " move %0, %1 \n"
++ " .set reorder \n"
++ _ASM_EXTABLE(2b, 3b)
++#endif
++ "4: daddu %0, %1, %3 \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "5: \n"
++#endif
++ " .set mips0 \n"
++ : "=&r" (result), "=&r" (temp), "+m" (v->counter)
++ : "Ir" (i));
++ } else if (kernel_uses_llsc) {
++ __asm__ __volatile__(
++ " .set mips3 \n"
++ "1: lld %1, %2 # atomic64_add_return \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "2: dadd %0, %1, %3 \n"
++#else
++ " daddu %0, %1, %3 \n"
++#endif
++ " scd %0, %2 \n"
++ " bnez %0, 4f \n"
++ " b 1b \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ " .set noreorder \n"
++ "3: b 5f \n"
++ " move %0, %1 \n"
++ " .set reorder \n"
++ _ASM_EXTABLE(2b, 3b)
++#endif
++ "4: daddu %0, %1, %3 \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "5: \n"
++#endif
++ " .set mips0 \n"
++ : "=&r" (result), "=&r" (temp), "=m" (v->counter)
++ : "Ir" (i), "m" (v->counter)
++ : "memory");
++ } else {
++ unsigned long flags;
++
++ raw_local_irq_save(flags);
++ __asm__ __volatile__(
++ " ld %0, %1 \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ /* Exception on overflow. */
++ "1: dadd %0, %2 \n"
++#else
++ " daddu %0, %2 \n"
++#endif
++ " sd %0, %1 \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ /* Note: Dest reg is not modified on overflow */
++ "2: \n"
++ _ASM_EXTABLE(1b, 2b)
++#endif
++ : "=&r" (result), "+m" (v->counter) : "Ir" (i));
++ raw_local_irq_restore(flags);
++ }
++
++ smp_llsc_mb();
++
++ return result;
++}
++static __inline__ long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
+ {
+ long result;
+
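Review bot: The R10000 branch of the new `atomic64_add_return` closes its asm with `: "=&r" (result), "=&r" (temp), "+m" (v->counter)` / `: "Ir" (i));` and has no clobber list. The plain LL/SC branch directly below it, and both LL/SC branches of `atomic64_sub_return`, use `"=m"` plus an `"m"` input and a `"memory"` clobber. The surrounding `smp_mb__before_llsc()`/`smp_llsc_mb()` calls may already act as compiler barriers, so this may be cosmetic, but the branches should agree. I would give the R10000 branch the same tail: `: "Ir" (i), "m" (v->counter)` / `: "memory");`.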
+@@ -546,7 +1125,97 @@ static __inline__ long atomic64_add_return(long i, atomic64_t * v)
+ return result;
+ }
+
+-static __inline__ long atomic64_sub_return(long i, atomic64_t * v)
++static __inline__ long atomic64_sub_return(long i, atomic64_t *v)
++{
++ long result;
++ long temp;
++
++ smp_mb__before_llsc();
++
++ if (kernel_uses_llsc && R10000_LLSC_WAR) {
++ long temp;
++
++ __asm__ __volatile__(
++ " .set mips3 \n"
++ "1: lld %1, %2 # atomic64_sub_return \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "2: dsub %0, %1, %3 \n"
++#else
++ " dsubu %0, %1, %3 \n"
++#endif
++ " scd %0, %2 \n"
++ " beqzl %0, 1b \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ " b 4f \n"
++ " .set noreorder \n"
++ "3: b 5f \n"
++ " move %0, %1 \n"
++ " .set reorder \n"
++ _ASM_EXTABLE(2b, 3b)
++#endif
++ "4: dsubu %0, %1, %3 \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "5: \n"
++#endif
++ " .set mips0 \n"
++ : "=&r" (result), "=&r" (temp), "=m" (v->counter)
++ : "Ir" (i), "m" (v->counter)
++ : "memory");
++ } else if (kernel_uses_llsc) {
++ __asm__ __volatile__(
++ " .set mips3 \n"
++ "1: lld %1, %2 # atomic64_sub_return \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "2: dsub %0, %1, %3 \n"
++#else
++ " dsubu %0, %1, %3 \n"
++#endif
++ " scd %0, %2 \n"
++ " bnez %0, 4f \n"
++ " b 1b \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ " .set noreorder \n"
++ "3: b 5f \n"
++ " move %0, %1 \n"
++ " .set reorder \n"
++ _ASM_EXTABLE(2b, 3b)
++#endif
++ "4: dsubu %0, %1, %3 \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ "5: \n"
++#endif
++ " .set mips0 \n"
++ : "=&r" (result), "=&r" (temp), "=m" (v->counter)
++ : "Ir" (i), "m" (v->counter)
++ : "memory");
++ } else {
++ unsigned long flags;
++
++ raw_local_irq_save(flags);
++ __asm__ __volatile__(
++ " ld %0, %1 \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ /* Exception on overflow. */
++ "1: dsub %0, %2 \n"
++#else
++ " dsubu %0, %2 \n"
++#endif
++ " sd %0, %1 \n"
++#ifdef CONFIG_PAX_REFCOUNT
++ /* Note: Dest reg is not modified on overflow */
++ "2: \n"
++ _ASM_EXTABLE(1b, 2b)
++#endif
++ : "=&r" (result), "+m" (v->counter) : "Ir" (i));
++ raw_local_irq_restore(flags);
++ }
++
++ smp_llsc_mb();
++
++ return result;
++}
++
++static __inline__ long atomic64_sub_return_unchecked(long i, atomic64_unchecked_t *v)
+ {
+ long result;
+
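Review bot: In `atomic64_sub_return` the R10000 branch declares `long temp;` a second time, although the function already declares `temp` at the top, so the inner declaration only shadows the outer one. The sibling `atomic64_add_return` in the previous hunk keeps a single function-scope `temp`. Dropping the inner `long temp;` and the blank line after it makes the two functions match and avoids a `-Wshadow` warning. Behaviour is unchanged either way.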
+@@ -605,7 +1274,7 @@ static __inline__ long atomic64_sub_return(long i, atomic64_t * v)
+ * Atomically test @v and subtract @i if @v is greater or equal than @i.
+ * The function returns the old value of @v minus @i.
+ */
+-static __inline__ long atomic64_sub_if_positive(long i, atomic64_t * v)
++static __inline__ long atomic64_sub_if_positive(long i, atomic64_t *v)
+ {
+ long result;
+
+@@ -662,9 +1331,26 @@ static __inline__ long atomic64_sub_if_positive(long i, atomic64_t * v)
+ return result;
+ }
+
+-#define atomic64_cmpxchg(v, o, n) \
+- ((__typeof__((v)->counter))cmpxchg(&((v)->counter), (o), (n)))
+-#define atomic64_xchg(v, new) (xchg(&((v)->counter), (new)))
++static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
++{
++ return cmpxchg(&v->counter, old, new);
++}
++
++static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old,
++ long new)
++{
++ return cmpxchg(&(v->counter), old, new);
++}
++
++static inline long atomic64_xchg(atomic64_t *v, long new)
++{
++ return xchg(&v->counter, new);
++}
++
++static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
++{
++ return xchg(&(v->counter), new);
++}
+
+ /**
+ * atomic64_add_unless - add unless the number is a given value
+@@ -694,6 +1380,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
+
+ #define atomic64_dec_return(v) atomic64_sub_return(1, (v))
+ #define atomic64_inc_return(v) atomic64_add_return(1, (v))
++#define atomic64_inc_return_unchecked(v) atomic64_add_return_unchecked(1, (v))
+
+ /*
+ * atomic64_sub_and_test - subtract value from variable and test result
+@@ -715,6 +1402,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
+ * other cases.
+ */
+ #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
++#define atomic64_inc_and_test_unchecked(v) atomic64_add_return_unchecked(1, (v)) == 0)
+
+ /*
+ * atomic64_dec_and_test - decrement by 1 and test
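Review bot: The added `atomic64_inc_and_test_unchecked` macro has an unmatched closing parenthesis, so any use of it expands to unbalanced text and is a syntax error at the call site. It should mirror the checked macro on the line above: `#define atomic64_inc_and_test_unchecked(v) (atomic64_add_return_unchecked(1, (v)) == 0)`. The outer parentheses also keep the `== 0` comparison from binding to neighbouring operators when the macro is used inside a larger expression.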
+@@ -739,6 +1427,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
+ * Atomically increments @v by 1.
+ */
+ #define atomic64_inc(v) atomic64_add(1, (v))
++#define atomic64_inc_unchecked(v) atomic64_add_unchecked(1, (v))
+
+ /*
+ * atomic64_dec - decrement and test
+@@ -747,6 +1436,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
+ * Atomically decrements @v by 1.
+ */
+ #define atomic64_dec(v) atomic64_sub(1, (v))
++#define atomic64_dec_unchecked(v) atomic64_sub_unchecked(1, (v))
+
+ /*
+ * atomic64_add_negative - add and test if negative
diff --git a/arch/mips/include/asm/cache.h b/arch/mips/include/asm/cache.h
index b4db69f..8f3b093 100644
--- a/arch/mips/include/asm/cache.h
@@ -5329,6 +6394,97 @@ index c1f6afa..38cc6e9 100644
+#define arch_align_stack(x) ((x) & ~0xfUL)
#endif /* _ASM_EXEC_H */
+diff --git a/arch/mips/include/asm/local.h b/arch/mips/include/asm/local.h
+index d44622c..64990d2 100644
+--- a/arch/mips/include/asm/local.h
++++ b/arch/mips/include/asm/local.h
+@@ -12,15 +12,25 @@ typedef struct
+ atomic_long_t a;
+ } local_t;
+
++typedef struct {
++ atomic_long_unchecked_t a;
++} local_unchecked_t;
++
+ #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) }
+
+ #define local_read(l) atomic_long_read(&(l)->a)
++#define local_read_unchecked(l) atomic_long_read_unchecked(&(l)->a)
+ #define local_set(l, i) atomic_long_set(&(l)->a, (i))
++#define local_set_unchecked(l, i) atomic_long_set_unchecked(&(l)->a, (i))
+
+ #define local_add(i, l) atomic_long_add((i), (&(l)->a))
++#define local_add_unchecked(i, l) atomic_long_add_unchecked((i), (&(l)->a))
+ #define local_sub(i, l) atomic_long_sub((i), (&(l)->a))
++#define local_sub_unchecked(i, l) atomic_long_sub_unchecked((i), (&(l)->a))
+ #define local_inc(l) atomic_long_inc(&(l)->a)
++#define local_inc_unchecked(l) atomic_long_inc_unchecked(&(l)->a)
+ #define local_dec(l) atomic_long_dec(&(l)->a)
++#define local_dec_unchecked(l) atomic_long_dec_unchecked(&(l)->a)
+
+ /*
+ * Same as above, but return the result value
+@@ -70,6 +80,51 @@ static __inline__ long local_add_return(long i, local_t * l)
+ return result;
+ }
+
++static __inline__ long local_add_return_unchecked(long i, local_unchecked_t * l)
++{
++ unsigned long result;
++
++ if (kernel_uses_llsc && R10000_LLSC_WAR) {
++ unsigned long temp;
++
++ __asm__ __volatile__(
++ " .set mips3 \n"
++ "1:" __LL "%1, %2 # local_add_return \n"
++ " addu %0, %1, %3 \n"
++ __SC "%0, %2 \n"
++ " beqzl %0, 1b \n"
++ " addu %0, %1, %3 \n"
++ " .set mips0 \n"
++ : "=&r" (result), "=&r" (temp), "=m" (l->a.counter)
++ : "Ir" (i), "m" (l->a.counter)
++ : "memory");
++ } else if (kernel_uses_llsc) {
++ unsigned long temp;
++
++ __asm__ __volatile__(
++ " .set mips3 \n"
++ "1:" __LL "%1, %2 # local_add_return \n"
++ " addu %0, %1, %3 \n"
++ __SC "%0, %2 \n"
++ " beqz %0, 1b \n"
++ " addu %0, %1, %3 \n"
++ " .set mips0 \n"
++ : "=&r" (result), "=&r" (temp), "=m" (l->a.counter)
++ : "Ir" (i), "m" (l->a.counter)
++ : "memory");
++ } else {
++ unsigned long flags;
++
++ local_irq_save(flags);
++ result = l->a.counter;
++ result += i;
++ l->a.counter = result;
++ local_irq_restore(flags);
++ }
++
++ return result;
++}
++
+ static __inline__ long local_sub_return(long i, local_t * l)
+ {
+ unsigned long result;
+@@ -117,6 +172,8 @@ static __inline__ long local_sub_return(long i, local_t * l)
+
+ #define local_cmpxchg(l, o, n) \
+ ((long)cmpxchg_local(&((l)->a.counter), (o), (n)))
++#define local_cmpxchg_unchecked(l, o, n) \
++ ((long)cmpxchg_local(&((l)->a.counter), (o), (n)))
+ #define local_xchg(l, n) (atomic_long_xchg((&(l)->a), (n)))
+
+ /**
diff --git a/arch/mips/include/asm/page.h b/arch/mips/include/asm/page.h
index f59552f..3abe9b9 100644
--- a/arch/mips/include/asm/page.h
@@ -5428,6 +6584,31 @@ index 202e581..689ca79 100644
#include <asm/processor.h>
/*
+diff --git a/arch/mips/kernel/irq.c b/arch/mips/kernel/irq.c
+index d1fea7a..45602ea 100644
+--- a/arch/mips/kernel/irq.c
++++ b/arch/mips/kernel/irq.c
+@@ -77,17 +77,17 @@ void ack_bad_irq(unsigned int irq)
+ printk("unexpected IRQ # %d\n", irq);
+ }
+
+-atomic_t irq_err_count;
++atomic_unchecked_t irq_err_count;
+
+ int arch_show_interrupts(struct seq_file *p, int prec)
+ {
+- seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
++ seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
+ return 0;
+ }
+
+ asmlinkage void spurious_interrupt(void)
+ {
+- atomic_inc(&irq_err_count);
++ atomic_inc_unchecked(&irq_err_count);
+ }
+
+ void __init init_IRQ(void)
diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
index c6a041d..b3e7318 100644
--- a/arch/mips/kernel/process.c
@@ -5527,8 +6708,100 @@ index 74f485d..47d2c38 100644
LONG_L t0, TI_FLAGS($28) # syscall tracing enabled?
and t0, t1, t0
bnez t0, trace_a_syscall
+diff --git a/arch/mips/kernel/sync-r4k.c b/arch/mips/kernel/sync-r4k.c
+index 1ff43d5..96fec68 100644
+--- a/arch/mips/kernel/sync-r4k.c
++++ b/arch/mips/kernel/sync-r4k.c
+@@ -21,8 +21,8 @@
+ #include <asm/mipsregs.h>
+
+ static atomic_t __cpuinitdata count_start_flag = ATOMIC_INIT(0);
+-static atomic_t __cpuinitdata count_count_start = ATOMIC_INIT(0);
+-static atomic_t __cpuinitdata count_count_stop = ATOMIC_INIT(0);
++static atomic_unchecked_t __cpuinitdata count_count_start = ATOMIC_INIT(0);
++static atomic_unchecked_t __cpuinitdata count_count_stop = ATOMIC_INIT(0);
+ static atomic_t __cpuinitdata count_reference = ATOMIC_INIT(0);
+
+ #define COUNTON 100
+@@ -69,13 +69,13 @@ void __cpuinit synchronise_count_master(int cpu)
+
+ for (i = 0; i < NR_LOOPS; i++) {
+ /* slaves loop on '!= 2' */
+- while (atomic_read(&count_count_start) != 1)
++ while (atomic_read_unchecked(&count_count_start) != 1)
+ mb();
+- atomic_set(&count_count_stop, 0);
++ atomic_set_unchecked(&count_count_stop, 0);
+ smp_wmb();
+
+ /* this lets the slaves write their count register */
+- atomic_inc(&count_count_start);
++ atomic_inc_unchecked(&count_count_start);
+
+ /*
+ * Everyone initialises count in the last loop:
+@@ -86,11 +86,11 @@ void __cpuinit synchronise_count_master(int cpu)
+ /*
+ * Wait for all slaves to leave the synchronization point:
+ */
+- while (atomic_read(&count_count_stop) != 1)
++ while (atomic_read_unchecked(&count_count_stop) != 1)
+ mb();
+- atomic_set(&count_count_start, 0);
++ atomic_set_unchecked(&count_count_start, 0);
+ smp_wmb();
+- atomic_inc(&count_count_stop);
++ atomic_inc_unchecked(&count_count_stop);
+ }
+ /* Arrange for an interrupt in a short while */
+ write_c0_compare(read_c0_count() + COUNTON);
+@@ -131,8 +131,8 @@ void __cpuinit synchronise_count_slave(int cpu)
+ initcount = atomic_read(&count_reference);
+
+ for (i = 0; i < NR_LOOPS; i++) {
+- atomic_inc(&count_count_start);
+- while (atomic_read(&count_count_start) != 2)
++ atomic_inc_unchecked(&count_count_start);
++ while (atomic_read_unchecked(&count_count_start) != 2)
+ mb();
+
+ /*
+@@ -141,8 +141,8 @@ void __cpuinit synchronise_count_slave(int cpu)
+ if (i == NR_LOOPS-1)
+ write_c0_count(initcount);
+
+- atomic_inc(&count_count_stop);
+- while (atomic_read(&count_count_stop) != 2)
++ atomic_inc_unchecked(&count_count_stop);
++ while (atomic_read_unchecked(&count_count_stop) != 2)
+ mb();
+ }
+ /* Arrange for an interrupt in a short while */
+diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c
+index a75ae40..0d0f56a 100644
+--- a/arch/mips/kernel/traps.c
++++ b/arch/mips/kernel/traps.c
+@@ -675,7 +675,17 @@ asmlinkage void do_ov(struct pt_regs *regs)
+ {
+ siginfo_t info;
+
+- die_if_kernel("Integer overflow", regs);
++ if (unlikely(!user_mode(regs))) {
++
++#ifdef CONFIG_PAX_REFCOUNT
++ if (fixup_exception(regs)) {
++ pax_report_refcount_overflow(regs);
++ return;
++ }
++#endif
++
++ die("Integer overflow", regs);
++ }
+
+ info.si_code = FPE_INTOVF;
+ info.si_signo = SIGFPE;
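Review bot: The new kernel-mode branch in `do_ov` has no comment saying which overflow traps are recoverable and why. As far as the visible hunks show, the kernel code that pairs a trapping add/sub with an exception-table entry is the checked atomic ops (`_ASM_EXTABLE` in asm/atomic.h), so a successful `fixup_exception()` is what identifies a refcount overflow, and everything else still reaches `die()`. A short comment above the `#ifdef` would make that coupling visible, e.g. `/* checked atomic ops carry an extable entry: report the refcount overflow and resume at the fixup */`. `do_ov` continues outside the hunk.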
diff --git a/arch/mips/mm/fault.c b/arch/mips/mm/fault.c
-index 0fead53..a2c0fb5 100644
+index 0fead53..eeb00a6 100644
--- a/arch/mips/mm/fault.c
+++ b/arch/mips/mm/fault.c
@@ -27,6 +27,23 @@
@@ -5555,6 +6828,21 @@ index 0fead53..a2c0fb5 100644
/*
* This routine handles page faults. It determines the address,
* and the problem, and then passes it off to one of the appropriate
+@@ -196,6 +213,14 @@ bad_area:
+ bad_area_nosemaphore:
+ /* User mode accesses just cause a SIGSEGV */
+ if (user_mode(regs)) {
++
++#ifdef CONFIG_PAX_PAGEEXEC
++ if (cpu_has_rixi && (mm->pax_flags & MF_PAX_PAGEEXEC) && !write && address == instruction_pointer(regs)) {
++ pax_report_fault(regs, (void *)address, (void *)user_stack_pointer(regs));
++ do_group_exit(SIGKILL);
++ }
++#endif
++
+ tsk->thread.cp0_badvaddr = address;
+ tsk->thread.error_code = write;
+ #if 0
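Review bot: The PAGEEXEC check added under `bad_area_nosemaphore` packs four conditions into one long line and has no comment on what it detects. As written it fires on RIXI-capable CPUs for a non-write fault whose address equals the faulting PC, which reads as an instruction fetch from a non-executable page. A comment such as `/* read fault at the PC: attempted execution of a non-executable page */` would say so. The comment should also mention that `do_group_exit(SIGKILL)` is not expected to return, so the SIGSEGV delivery below is skipped for these tasks. The enclosing function starts and ends outside the hunk.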
diff --git a/arch/mips/mm/mmap.c b/arch/mips/mm/mmap.c
index 7e5fe27..9656513 100644
--- a/arch/mips/mm/mmap.c
@@ -5662,6 +6950,31 @@ index 7e5fe27..9656513 100644
int __virt_addr_valid(const volatile void *kaddr)
{
return pfn_valid(PFN_DOWN(virt_to_phys(kaddr)));
+diff --git a/arch/mips/sgi-ip27/ip27-nmi.c b/arch/mips/sgi-ip27/ip27-nmi.c
+index a2358b4..7cead4f 100644
+--- a/arch/mips/sgi-ip27/ip27-nmi.c
++++ b/arch/mips/sgi-ip27/ip27-nmi.c
+@@ -187,9 +187,9 @@ void
+ cont_nmi_dump(void)
+ {
+ #ifndef REAL_NMI_SIGNAL
+- static atomic_t nmied_cpus = ATOMIC_INIT(0);
++ static atomic_unchecked_t nmied_cpus = ATOMIC_INIT(0);
+
+- atomic_inc(&nmied_cpus);
++ atomic_inc_unchecked(&nmied_cpus);
+ #endif
+ /*
+ * Only allow 1 cpu to proceed
+@@ -233,7 +233,7 @@ cont_nmi_dump(void)
+ udelay(10000);
+ }
+ #else
+- while (atomic_read(&nmied_cpus) != num_online_cpus());
++ while (atomic_read_unchecked(&nmied_cpus) != num_online_cpus());
+ #endif
+
+ /*
diff --git a/arch/mn10300/proc-mn103e010/include/proc/cache.h b/arch/mn10300/proc-mn103e010/include/proc/cache.h
index 967d144..db12197 100644
--- a/arch/mn10300/proc-mn103e010/include/proc/cache.h
@@ -6442,7 +7755,7 @@ index 4aad413..85d86bf 100644
#define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
#define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
-index 362142b..8b22c1b 100644
+index e1fb161..2290d1d 100644
--- a/arch/powerpc/include/asm/reg.h
+++ b/arch/powerpc/include/asm/reg.h
@@ -234,6 +234,7 @@
@@ -6454,7 +7767,7 @@ index 362142b..8b22c1b 100644
#define DSISR_ISSTORE 0x02000000 /* access was a store */
#define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
diff --git a/arch/powerpc/include/asm/smp.h b/arch/powerpc/include/asm/smp.h
-index ffbaabe..eabe843 100644
+index 48cfc85..891382f 100644
--- a/arch/powerpc/include/asm/smp.h
+++ b/arch/powerpc/include/asm/smp.h
@@ -50,7 +50,7 @@ struct smp_ops_t {
@@ -6695,10 +8008,10 @@ index 645170a..6cf0271 100644
ld r4,_DAR(r1)
bl .bad_page_fault
diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
-index 4e00d22..b26abcc 100644
+index 902ca3c..e942155 100644
--- a/arch/powerpc/kernel/exceptions-64s.S
+++ b/arch/powerpc/kernel/exceptions-64s.S
-@@ -1356,10 +1356,10 @@ handle_page_fault:
+@@ -1357,10 +1357,10 @@ handle_page_fault:
11: ld r4,_DAR(r1)
ld r5,_DSISR(r1)
addi r3,r1,STACK_FRAME_OVERHEAD
@@ -6744,10 +8057,10 @@ index 2e3200c..72095ce 100644
/* Find this entry, or if that fails, the next avail. entry */
while (entry->jump[0]) {
diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
-index 076d124..6cb2cbf 100644
+index 7baa27b..f6b394a 100644
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
-@@ -874,8 +874,8 @@ void show_regs(struct pt_regs * regs)
+@@ -884,8 +884,8 @@ void show_regs(struct pt_regs * regs)
* Lookup NIP late so we have the best change of getting the
* above info out without failing
*/
@@ -6758,7 +8071,7 @@ index 076d124..6cb2cbf 100644
#endif
#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
printk("PACATMSCRATCH [%llx]\n", get_paca()->tm_scratch);
-@@ -1335,10 +1335,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
+@@ -1345,10 +1345,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
newsp = stack[0];
ip = stack[STACK_FRAME_LR_SAVE];
if (!firstframe || ip != lr) {
@@ -6771,7 +8084,7 @@ index 076d124..6cb2cbf 100644
(void *)current->ret_stack[curr_frame].ret);
curr_frame--;
}
-@@ -1358,7 +1358,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
+@@ -1368,7 +1368,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
struct pt_regs *regs = (struct pt_regs *)
(sp + STACK_FRAME_OVERHEAD);
lr = regs->link;
@@ -6780,7 +8093,7 @@ index 076d124..6cb2cbf 100644
regs->trap, (void *)regs->nip, (void *)lr);
firstframe = 1;
}
-@@ -1394,58 +1394,3 @@ void notrace __ppc64_runlatch_off(void)
+@@ -1404,58 +1404,3 @@ void notrace __ppc64_runlatch_off(void)
mtspr(SPRN_CTRLT, ctrl);
}
#endif /* CONFIG_PPC64 */
@@ -6918,10 +8231,10 @@ index e68a845..8b140e6 100644
};
diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c
-index e4f205a..8bfffb8 100644
+index 88929b1..bece8f8 100644
--- a/arch/powerpc/kernel/traps.c
+++ b/arch/powerpc/kernel/traps.c
-@@ -143,6 +143,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs)
+@@ -141,6 +141,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs)
return flags;
}
@@ -6930,7 +8243,7 @@ index e4f205a..8bfffb8 100644
static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs,
int signr)
{
-@@ -192,6 +194,9 @@ static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs,
+@@ -190,6 +192,9 @@ static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs,
panic("Fatal exception in interrupt");
if (panic_on_oops)
panic("Fatal exception");
@@ -7157,10 +8470,10 @@ index e779642..e5bb889 100644
};
diff --git a/arch/powerpc/mm/numa.c b/arch/powerpc/mm/numa.c
-index 2859a1f..74f9a6e 100644
+index cafad40..9cbc0fc 100644
--- a/arch/powerpc/mm/numa.c
+++ b/arch/powerpc/mm/numa.c
-@@ -919,7 +919,7 @@ static void __init *careful_zallocation(int nid, unsigned long size,
+@@ -920,7 +920,7 @@ static void __init *careful_zallocation(int nid, unsigned long size,
return ret;
}
@@ -8429,6 +9742,57 @@ index 7ff45e4..a58f271 100644
audit_syscall_exit(regs);
if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
+diff --git a/arch/sparc/kernel/smp_64.c b/arch/sparc/kernel/smp_64.c
+index 77539ed..3ffffe7 100644
+--- a/arch/sparc/kernel/smp_64.c
++++ b/arch/sparc/kernel/smp_64.c
+@@ -868,8 +868,8 @@ extern unsigned long xcall_flush_dcache_page_cheetah;
+ extern unsigned long xcall_flush_dcache_page_spitfire;
+
+ #ifdef CONFIG_DEBUG_DCFLUSH
+-extern atomic_t dcpage_flushes;
+-extern atomic_t dcpage_flushes_xcall;
++extern atomic_unchecked_t dcpage_flushes;
++extern atomic_unchecked_t dcpage_flushes_xcall;
+ #endif
+
+ static inline void __local_flush_dcache_page(struct page *page)
+@@ -893,7 +893,7 @@ void smp_flush_dcache_page_impl(struct page *page, int cpu)
+ return;
+
+ #ifdef CONFIG_DEBUG_DCFLUSH
+- atomic_inc(&dcpage_flushes);
++ atomic_inc_unchecked(&dcpage_flushes);
+ #endif
+
+ this_cpu = get_cpu();
+@@ -917,7 +917,7 @@ void smp_flush_dcache_page_impl(struct page *page, int cpu)
+ xcall_deliver(data0, __pa(pg_addr),
+ (u64) pg_addr, cpumask_of(cpu));
+ #ifdef CONFIG_DEBUG_DCFLUSH
+- atomic_inc(&dcpage_flushes_xcall);
++ atomic_inc_unchecked(&dcpage_flushes_xcall);
+ #endif
+ }
+ }
+@@ -936,7 +936,7 @@ void flush_dcache_page_all(struct mm_struct *mm, struct page *page)
+ preempt_disable();
+
+ #ifdef CONFIG_DEBUG_DCFLUSH
+- atomic_inc(&dcpage_flushes);
++ atomic_inc_unchecked(&dcpage_flushes);
+ #endif
+ data0 = 0;
+ pg_addr = page_address(page);
+@@ -953,7 +953,7 @@ void flush_dcache_page_all(struct mm_struct *mm, struct page *page)
+ xcall_deliver(data0, __pa(pg_addr),
+ (u64) pg_addr, cpu_online_mask);
+ #ifdef CONFIG_DEBUG_DCFLUSH
+- atomic_inc(&dcpage_flushes_xcall);
++ atomic_inc_unchecked(&dcpage_flushes_xcall);
+ #endif
+ }
+ __local_flush_dcache_page(page);
diff --git a/arch/sparc/kernel/sys_sparc_32.c b/arch/sparc/kernel/sys_sparc_32.c
index 3a8d184..49498a8 100644
--- a/arch/sparc/kernel/sys_sparc_32.c
@@ -8702,7 +10066,7 @@ index 6629829..036032d 100644
}
diff --git a/arch/sparc/kernel/traps_64.c b/arch/sparc/kernel/traps_64.c
-index b3f833a..ac74b2d 100644
+index b3f833a..f485f80 100644
--- a/arch/sparc/kernel/traps_64.c
+++ b/arch/sparc/kernel/traps_64.c
@@ -76,7 +76,7 @@ static void dump_tl1_traplog(struct tl1_traplog *p)
@@ -8772,6 +10136,55 @@ index b3f833a..ac74b2d 100644
}
struct sun4v_error_entry {
+@@ -1830,8 +1841,8 @@ struct sun4v_error_entry {
+ /*0x38*/u64 reserved_5;
+ };
+
+-static atomic_t sun4v_resum_oflow_cnt = ATOMIC_INIT(0);
+-static atomic_t sun4v_nonresum_oflow_cnt = ATOMIC_INIT(0);
++static atomic_unchecked_t sun4v_resum_oflow_cnt = ATOMIC_INIT(0);
++static atomic_unchecked_t sun4v_nonresum_oflow_cnt = ATOMIC_INIT(0);
+
+ static const char *sun4v_err_type_to_str(u8 type)
+ {
+@@ -1923,7 +1934,7 @@ static void sun4v_report_real_raddr(const char *pfx, struct pt_regs *regs)
+ }
+
+ static void sun4v_log_error(struct pt_regs *regs, struct sun4v_error_entry *ent,
+- int cpu, const char *pfx, atomic_t *ocnt)
++ int cpu, const char *pfx, atomic_unchecked_t *ocnt)
+ {
+ u64 *raw_ptr = (u64 *) ent;
+ u32 attrs;
+@@ -1981,8 +1992,8 @@ static void sun4v_log_error(struct pt_regs *regs, struct sun4v_error_entry *ent,
+
+ show_regs(regs);
+
+- if ((cnt = atomic_read(ocnt)) != 0) {
+- atomic_set(ocnt, 0);
++ if ((cnt = atomic_read_unchecked(ocnt)) != 0) {
++ atomic_set_unchecked(ocnt, 0);
+ wmb();
+ printk("%s: Queue overflowed %d times.\n",
+ pfx, cnt);
+@@ -2036,7 +2047,7 @@ void sun4v_resum_error(struct pt_regs *regs, unsigned long offset)
+ */
+ void sun4v_resum_overflow(struct pt_regs *regs)
+ {
+- atomic_inc(&sun4v_resum_oflow_cnt);
++ atomic_inc_unchecked(&sun4v_resum_oflow_cnt);
+ }
+
+ /* We run with %pil set to PIL_NORMAL_MAX and PSTATE_IE enabled in %pstate.
+@@ -2089,7 +2100,7 @@ void sun4v_nonresum_overflow(struct pt_regs *regs)
+ /* XXX Actually even this can make not that much sense. Perhaps
+ * XXX we should just pull the plug and panic directly from here?
+ */
+- atomic_inc(&sun4v_nonresum_oflow_cnt);
++ atomic_inc_unchecked(&sun4v_nonresum_oflow_cnt);
+ }
+
+ unsigned long sun4v_err_itlb_vaddr;
@@ -2104,9 +2115,9 @@ void sun4v_itlb_error_report(struct pt_regs *regs, int tl)
printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
@@ -9956,10 +11369,20 @@ index 5062ff3..e0b75f3 100644
* load/store/atomic was a write or not, it only says that there
* was no match. So in such a case we (carefully) read the
diff --git a/arch/sparc/mm/hugetlbpage.c b/arch/sparc/mm/hugetlbpage.c
-index d2b5944..bd813f2 100644
+index d2b5944..d878f3c 100644
--- a/arch/sparc/mm/hugetlbpage.c
+++ b/arch/sparc/mm/hugetlbpage.c
-@@ -38,7 +38,7 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp,
+@@ -28,7 +28,8 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp,
+ unsigned long addr,
+ unsigned long len,
+ unsigned long pgoff,
+- unsigned long flags)
++ unsigned long flags,
++ unsigned long offset)
+ {
+ unsigned long task_size = TASK_SIZE;
+ struct vm_unmapped_area_info info;
+@@ -38,15 +39,22 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp,
info.flags = 0;
info.length = len;
@@ -9968,7 +11391,9 @@ index d2b5944..bd813f2 100644
info.high_limit = min(task_size, VA_EXCLUDE_START);
info.align_mask = PAGE_MASK & ~HPAGE_MASK;
info.align_offset = 0;
-@@ -47,6 +47,12 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp,
++ info.threadstack_offset = offset;
+ addr = vm_unmapped_area(&info);
+
if ((addr & ~PAGE_MASK) && task_size > VA_EXCLUDE_END) {
VM_BUG_ON(addr != -ENOMEM);
info.low_limit = VA_EXCLUDE_END;
@@ -9981,7 +11406,25 @@ index d2b5944..bd813f2 100644
info.high_limit = task_size;
addr = vm_unmapped_area(&info);
}
-@@ -85,6 +91,12 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -58,7 +66,8 @@ static unsigned long
+ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+ const unsigned long len,
+ const unsigned long pgoff,
+- const unsigned long flags)
++ const unsigned long flags,
++ const unsigned long offset)
+ {
+ struct mm_struct *mm = current->mm;
+ unsigned long addr = addr0;
+@@ -73,6 +82,7 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+ info.high_limit = mm->mmap_base;
+ info.align_mask = PAGE_MASK & ~HPAGE_MASK;
+ info.align_offset = 0;
++ info.threadstack_offset = offset;
+ addr = vm_unmapped_area(&info);
+
+ /*
+@@ -85,6 +95,12 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
VM_BUG_ON(addr != -ENOMEM);
info.flags = 0;
info.low_limit = TASK_UNMAPPED_BASE;
@@ -9994,7 +11437,7 @@ index d2b5944..bd813f2 100644
info.high_limit = STACK_TOP32;
addr = vm_unmapped_area(&info);
}
-@@ -99,6 +111,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
+@@ -99,6 +115,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
struct mm_struct *mm = current->mm;
struct vm_area_struct *vma;
unsigned long task_size = TASK_SIZE;
@@ -10002,7 +11445,7 @@ index d2b5944..bd813f2 100644
if (test_thread_flag(TIF_32BIT))
task_size = STACK_TOP32;
-@@ -114,11 +127,14 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
+@@ -114,19 +131,22 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
return addr;
}
@@ -10019,6 +11462,54 @@ index d2b5944..bd813f2 100644
return addr;
}
if (mm->get_unmapped_area == arch_get_unmapped_area)
+ return hugetlb_get_unmapped_area_bottomup(file, addr, len,
+- pgoff, flags);
++ pgoff, flags, offset);
+ else
+ return hugetlb_get_unmapped_area_topdown(file, addr, len,
+- pgoff, flags);
++ pgoff, flags, offset);
+ }
+
+ pte_t *huge_pte_alloc(struct mm_struct *mm,
+diff --git a/arch/sparc/mm/init_64.c b/arch/sparc/mm/init_64.c
+index 04fd55a..4ede686 100644
+--- a/arch/sparc/mm/init_64.c
++++ b/arch/sparc/mm/init_64.c
+@@ -188,9 +188,9 @@ unsigned long sparc64_kern_sec_context __read_mostly;
+ int num_kernel_image_mappings;
+
+ #ifdef CONFIG_DEBUG_DCFLUSH
+-atomic_t dcpage_flushes = ATOMIC_INIT(0);
++atomic_unchecked_t dcpage_flushes = ATOMIC_INIT(0);
+ #ifdef CONFIG_SMP
+-atomic_t dcpage_flushes_xcall = ATOMIC_INIT(0);
++atomic_unchecked_t dcpage_flushes_xcall = ATOMIC_INIT(0);
+ #endif
+ #endif
+
+@@ -198,7 +198,7 @@ inline void flush_dcache_page_impl(struct page *page)
+ {
+ BUG_ON(tlb_type == hypervisor);
+ #ifdef CONFIG_DEBUG_DCFLUSH
+- atomic_inc(&dcpage_flushes);
++ atomic_inc_unchecked(&dcpage_flushes);
+ #endif
+
+ #ifdef DCACHE_ALIASING_POSSIBLE
+@@ -466,10 +466,10 @@ void mmu_info(struct seq_file *m)
+
+ #ifdef CONFIG_DEBUG_DCFLUSH
+ seq_printf(m, "DCPageFlushes\t: %d\n",
+- atomic_read(&dcpage_flushes));
++ atomic_read_unchecked(&dcpage_flushes));
+ #ifdef CONFIG_SMP
+ seq_printf(m, "DCPageFlushesXC\t: %d\n",
+- atomic_read(&dcpage_flushes_xcall));
++ atomic_read_unchecked(&dcpage_flushes_xcall));
+ #endif /* CONFIG_SMP */
+ #endif /* CONFIG_DEBUG_DCFLUSH */
+ }
diff --git a/arch/tile/include/asm/atomic_64.h b/arch/tile/include/asm/atomic_64.h
index f4500c6..889656c 100644
--- a/arch/tile/include/asm/atomic_64.h
@@ -10958,6 +12449,57 @@ index 477e9d7..3ab339f 100644
ret
ENDPROC(aesni_xts_crypt8)
+diff --git a/arch/x86/crypto/blowfish-avx2-asm_64.S b/arch/x86/crypto/blowfish-avx2-asm_64.S
+index 784452e..46982c7 100644
+--- a/arch/x86/crypto/blowfish-avx2-asm_64.S
++++ b/arch/x86/crypto/blowfish-avx2-asm_64.S
+@@ -221,6 +221,7 @@ __blowfish_enc_blk32:
+
+ write_block(RXl, RXr);
+
++ pax_force_retaddr 0, 1
+ ret;
+ ENDPROC(__blowfish_enc_blk32)
+
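Review bot: None of the six hunks for blowfish-avx2-asm_64.S adds `#include <asm/alternative-asm.h>`, whereas the camellia-aesni-avx-asm_64.S section later in this patch adds that include alongside its `pax_force_retaddr` uses. Neither the macro's definition nor this file's existing includes are visible here. If the macro lives in that header and the file does not already include it, the inserted `pax_force_retaddr 0, 1` lines would fail to assemble once the file is built. Worth confirming, and if needed adding `#include <asm/alternative-asm.h>` after `<linux/linkage.h>`. The same applies to the other hunks of this file (`__blowfish_dec_blk32`, `blowfish_ecb_enc_32way`, `blowfish_ecb_dec_32way`, `blowfish_cbc_dec_32way`, `blowfish_ctr_32way`).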
+@@ -250,6 +251,7 @@ __blowfish_dec_blk32:
+
+ write_block(RXl, RXr);
+
++ pax_force_retaddr 0, 1
+ ret;
+ ENDPROC(__blowfish_dec_blk32)
+
+@@ -284,6 +286,7 @@ ENTRY(blowfish_ecb_enc_32way)
+
+ vzeroupper;
+
++ pax_force_retaddr 0, 1
+ ret;
+ ENDPROC(blowfish_ecb_enc_32way)
+
+@@ -318,6 +321,7 @@ ENTRY(blowfish_ecb_dec_32way)
+
+ vzeroupper;
+
++ pax_force_retaddr 0, 1
+ ret;
+ ENDPROC(blowfish_ecb_dec_32way)
+
+@@ -365,6 +369,7 @@ ENTRY(blowfish_cbc_dec_32way)
+
+ vzeroupper;
+
++ pax_force_retaddr 0, 1
+ ret;
+ ENDPROC(blowfish_cbc_dec_32way)
+
+@@ -445,5 +450,6 @@ ENTRY(blowfish_ctr_32way)
+
+ vzeroupper;
+
++ pax_force_retaddr 0, 1
+ ret;
+ ENDPROC(blowfish_ctr_32way)
diff --git a/arch/x86/crypto/blowfish-x86_64-asm_64.S b/arch/x86/crypto/blowfish-x86_64-asm_64.S
index 246c670..4d1ed00 100644
--- a/arch/x86/crypto/blowfish-x86_64-asm_64.S
@@ -11013,6 +12555,174 @@ index 246c670..4d1ed00 100644
+ pax_force_retaddr 0, 1
ret;
ENDPROC(blowfish_dec_blk_4way)
+diff --git a/arch/x86/crypto/camellia-aesni-avx-asm_64.S b/arch/x86/crypto/camellia-aesni-avx-asm_64.S
+index ce71f92..2dd5b1e 100644
+--- a/arch/x86/crypto/camellia-aesni-avx-asm_64.S
++++ b/arch/x86/crypto/camellia-aesni-avx-asm_64.S
+@@ -16,6 +16,7 @@
+ */
+
+ #include <linux/linkage.h>
++#include <asm/alternative-asm.h>
+
+ #define CAMELLIA_TABLE_BYTE_LEN 272
+
+@@ -191,6 +192,7 @@ roundsm16_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd:
+ roundsm16(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
+ %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, %xmm15,
+ %rcx, (%r9));
++ pax_force_retaddr_bts
+ ret;
+ ENDPROC(roundsm16_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd)
+
+@@ -199,6 +201,7 @@ roundsm16_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab:
+ roundsm16(%xmm4, %xmm5, %xmm6, %xmm7, %xmm0, %xmm1, %xmm2, %xmm3,
+ %xmm12, %xmm13, %xmm14, %xmm15, %xmm8, %xmm9, %xmm10, %xmm11,
+ %rax, (%r9));
++ pax_force_retaddr_bts
+ ret;
+ ENDPROC(roundsm16_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab)
+
+@@ -780,6 +783,7 @@ __camellia_enc_blk16:
+ %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
+ %xmm15, (key_table)(CTX, %r8, 8), (%rax), 1 * 16(%rax));
+
++ pax_force_retaddr_bts
+ ret;
+
+ .align 8
+@@ -865,6 +869,7 @@ __camellia_dec_blk16:
+ %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
+ %xmm15, (key_table)(CTX), (%rax), 1 * 16(%rax));
+
++ pax_force_retaddr_bts
+ ret;
+
+ .align 8
+@@ -904,6 +909,7 @@ ENTRY(camellia_ecb_enc_16way)
+ %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
+ %xmm8, %rsi);
+
++ pax_force_retaddr 0, 1
+ ret;
+ ENDPROC(camellia_ecb_enc_16way)
+
+@@ -932,6 +938,7 @@ ENTRY(camellia_ecb_dec_16way)
+ %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
+ %xmm8, %rsi);
+
++ pax_force_retaddr 0, 1
+ ret;
+ ENDPROC(camellia_ecb_dec_16way)
+
+@@ -981,6 +988,7 @@ ENTRY(camellia_cbc_dec_16way)
+ %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
+ %xmm8, %rsi);
+
++ pax_force_retaddr 0, 1
+ ret;
+ ENDPROC(camellia_cbc_dec_16way)
+
+@@ -1092,6 +1100,7 @@ ENTRY(camellia_ctr_16way)
+ %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
+ %xmm8, %rsi);
+
++ pax_force_retaddr 0, 1
+ ret;
+ ENDPROC(camellia_ctr_16way)
+
+@@ -1234,6 +1243,7 @@ camellia_xts_crypt_16way:
+ %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
+ %xmm8, %rsi);
+
++ pax_force_retaddr 0, 1
+ ret;
+ ENDPROC(camellia_xts_crypt_16way)
+
+diff --git a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
+index 91a1878..bcf340a 100644
+--- a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
++++ b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
+@@ -11,6 +11,7 @@
+ */
+
+ #include <linux/linkage.h>
++#include <asm/alternative-asm.h>
+
+ #define CAMELLIA_TABLE_BYTE_LEN 272
+
+@@ -212,6 +213,7 @@ roundsm32_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd:
+ roundsm32(%ymm0, %ymm1, %ymm2, %ymm3, %ymm4, %ymm5, %ymm6, %ymm7,
+ %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14, %ymm15,
+ %rcx, (%r9));
++ pax_force_retaddr_bts
+ ret;
+ ENDPROC(roundsm32_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd)
+
+@@ -220,6 +222,7 @@ roundsm32_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab:
+ roundsm32(%ymm4, %ymm5, %ymm6, %ymm7, %ymm0, %ymm1, %ymm2, %ymm3,
+ %ymm12, %ymm13, %ymm14, %ymm15, %ymm8, %ymm9, %ymm10, %ymm11,
+ %rax, (%r9));
++ pax_force_retaddr_bts
+ ret;
+ ENDPROC(roundsm32_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab)
+
+@@ -802,6 +805,7 @@ __camellia_enc_blk32:
+ %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
+ %ymm15, (key_table)(CTX, %r8, 8), (%rax), 1 * 32(%rax));
+
++ pax_force_retaddr_bts
+ ret;
+
+ .align 8
+@@ -887,6 +891,7 @@ __camellia_dec_blk32:
+ %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
+ %ymm15, (key_table)(CTX), (%rax), 1 * 32(%rax));
+
++ pax_force_retaddr_bts
+ ret;
+
+ .align 8
+@@ -930,6 +935,7 @@ ENTRY(camellia_ecb_enc_32way)
+
+ vzeroupper;
+
++ pax_force_retaddr 0, 1
+ ret;
+ ENDPROC(camellia_ecb_enc_32way)
+
+@@ -962,6 +968,7 @@ ENTRY(camellia_ecb_dec_32way)
+
+ vzeroupper;
+
++ pax_force_retaddr 0, 1
+ ret;
+ ENDPROC(camellia_ecb_dec_32way)
+
+@@ -1028,6 +1035,7 @@ ENTRY(camellia_cbc_dec_32way)
+
+ vzeroupper;
+
++ pax_force_retaddr 0, 1
+ ret;
+ ENDPROC(camellia_cbc_dec_32way)
+
+@@ -1166,6 +1174,7 @@ ENTRY(camellia_ctr_32way)
+
+ vzeroupper;
+
++ pax_force_retaddr 0, 1
+ ret;
+ ENDPROC(camellia_ctr_32way)
+
+@@ -1331,6 +1340,7 @@ camellia_xts_crypt_32way:
+
+ vzeroupper;
+
++ pax_force_retaddr 0, 1
+ ret;
+ ENDPROC(camellia_xts_crypt_32way)
+
diff --git a/arch/x86/crypto/camellia-x86_64-asm_64.S b/arch/x86/crypto/camellia-x86_64-asm_64.S
index 310319c..ce174a4 100644
--- a/arch/x86/crypto/camellia-x86_64-asm_64.S
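Review bot: Two return-address forms are used in the camellia sections with no explanation: `pax_force_retaddr_bts` on the internal helpers (the `roundsm16_*`/`roundsm32_*` labels, `__camellia_enc_blk16`/`__camellia_dec_blk16` and their `blk32` counterparts) and `pax_force_retaddr 0, 1` on the `camellia_*_16way`/`_32way` routines. The twofish-avx2 section makes the same split, while the serpent-avx2 and ghash sections use the bare `pax_force_retaddr` before every `ret`. A short comment at the first use in each file, saying which property of the routine selects the form, would let a reader check that each `ret` has the right variant. I cannot tell from these hunks alone whether the choice depends on register usage inside the routine.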
@@ -11205,6 +12915,69 @@ index e3531f8..18ded3a 100644
+ pax_force_retaddr
ret;
ENDPROC(cast6_xts_dec_8way)
+diff --git a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
+index dbc4339..3d868c5 100644
+--- a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
++++ b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
+@@ -45,6 +45,7 @@
+
+ #include <asm/inst.h>
+ #include <linux/linkage.h>
++#include <asm/alternative-asm.h>
+
+ ## ISCSI CRC 32 Implementation with crc32 and pclmulqdq Instruction
+
+@@ -312,6 +313,7 @@ do_return:
+ popq %rsi
+ popq %rdi
+ popq %rbx
++ pax_force_retaddr 0, 1
+ ret
+
+ ################################################################
+diff --git a/arch/x86/crypto/ghash-clmulni-intel_asm.S b/arch/x86/crypto/ghash-clmulni-intel_asm.S
+index 586f41a..d02851e 100644
+--- a/arch/x86/crypto/ghash-clmulni-intel_asm.S
++++ b/arch/x86/crypto/ghash-clmulni-intel_asm.S
+@@ -18,6 +18,7 @@
+
+ #include <linux/linkage.h>
+ #include <asm/inst.h>
++#include <asm/alternative-asm.h>
+
+ .data
+
+@@ -93,6 +94,7 @@ __clmul_gf128mul_ble:
+ psrlq $1, T2
+ pxor T2, T1
+ pxor T1, DATA
++ pax_force_retaddr
+ ret
+ ENDPROC(__clmul_gf128mul_ble)
+
+@@ -105,6 +107,7 @@ ENTRY(clmul_ghash_mul)
+ call __clmul_gf128mul_ble
+ PSHUFB_XMM BSWAP DATA
+ movups DATA, (%rdi)
++ pax_force_retaddr
+ ret
+ ENDPROC(clmul_ghash_mul)
+
+@@ -132,6 +135,7 @@ ENTRY(clmul_ghash_update)
+ PSHUFB_XMM BSWAP DATA
+ movups DATA, (%rdi)
+ .Lupdate_just_ret:
++ pax_force_retaddr
+ ret
+ ENDPROC(clmul_ghash_update)
+
+@@ -157,5 +161,6 @@ ENTRY(clmul_ghash_setkey)
+ pand .Lpoly, %xmm1
+ pxor %xmm1, %xmm0
+ movups %xmm0, (%rdi)
++ pax_force_retaddr
+ ret
+ ENDPROC(clmul_ghash_setkey)
diff --git a/arch/x86/crypto/salsa20-x86_64-asm_64.S b/arch/x86/crypto/salsa20-x86_64-asm_64.S
index 9279e0b..9270820 100644
--- a/arch/x86/crypto/salsa20-x86_64-asm_64.S
@@ -11313,6 +13086,81 @@ index 2f202f4..d9164d6 100644
+ pax_force_retaddr
ret;
ENDPROC(serpent_xts_dec_8way_avx)
+diff --git a/arch/x86/crypto/serpent-avx2-asm_64.S b/arch/x86/crypto/serpent-avx2-asm_64.S
+index b222085..abd483c 100644
+--- a/arch/x86/crypto/serpent-avx2-asm_64.S
++++ b/arch/x86/crypto/serpent-avx2-asm_64.S
+@@ -15,6 +15,7 @@
+ */
+
+ #include <linux/linkage.h>
++#include <asm/alternative-asm.h>
+ #include "glue_helper-asm-avx2.S"
+
+ .file "serpent-avx2-asm_64.S"
+@@ -610,6 +611,7 @@ __serpent_enc_blk16:
+ write_blocks(RA1, RB1, RC1, RD1, RK0, RK1, RK2);
+ write_blocks(RA2, RB2, RC2, RD2, RK0, RK1, RK2);
+
++ pax_force_retaddr
+ ret;
+ ENDPROC(__serpent_enc_blk16)
+
+@@ -664,6 +666,7 @@ __serpent_dec_blk16:
+ write_blocks(RC1, RD1, RB1, RE1, RK0, RK1, RK2);
+ write_blocks(RC2, RD2, RB2, RE2, RK0, RK1, RK2);
+
++ pax_force_retaddr
+ ret;
+ ENDPROC(__serpent_dec_blk16)
+
+@@ -684,6 +687,7 @@ ENTRY(serpent_ecb_enc_16way)
+
+ vzeroupper;
+
++ pax_force_retaddr
+ ret;
+ ENDPROC(serpent_ecb_enc_16way)
+
+@@ -704,6 +708,7 @@ ENTRY(serpent_ecb_dec_16way)
+
+ vzeroupper;
+
++ pax_force_retaddr
+ ret;
+ ENDPROC(serpent_ecb_dec_16way)
+
+@@ -725,6 +730,7 @@ ENTRY(serpent_cbc_dec_16way)
+
+ vzeroupper;
+
++ pax_force_retaddr
+ ret;
+ ENDPROC(serpent_cbc_dec_16way)
+
+@@ -748,6 +754,7 @@ ENTRY(serpent_ctr_16way)
+
+ vzeroupper;
+
++ pax_force_retaddr
+ ret;
+ ENDPROC(serpent_ctr_16way)
+
+@@ -772,6 +779,7 @@ ENTRY(serpent_xts_enc_16way)
+
+ vzeroupper;
+
++ pax_force_retaddr
+ ret;
+ ENDPROC(serpent_xts_enc_16way)
+
+@@ -796,5 +804,6 @@ ENTRY(serpent_xts_dec_16way)
+
+ vzeroupper;
+
++ pax_force_retaddr
+ ret;
+ ENDPROC(serpent_xts_dec_16way)
diff --git a/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S b/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S
index acc066c..1559cc4 100644
--- a/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S
@@ -11367,6 +13215,126 @@ index a410950..3356d42 100644
ret
ENDPROC(\name)
+diff --git a/arch/x86/crypto/sha256-avx-asm.S b/arch/x86/crypto/sha256-avx-asm.S
+index 642f156..4ab07b9 100644
+--- a/arch/x86/crypto/sha256-avx-asm.S
++++ b/arch/x86/crypto/sha256-avx-asm.S
+@@ -49,6 +49,7 @@
+
+ #ifdef CONFIG_AS_AVX
+ #include <linux/linkage.h>
++#include <asm/alternative-asm.h>
+
+ ## assume buffers not aligned
+ #define VMOVDQ vmovdqu
+@@ -460,6 +461,7 @@ done_hash:
+ popq %r13
+ popq %rbp
+ popq %rbx
++ pax_force_retaddr 0, 1
+ ret
+ ENDPROC(sha256_transform_avx)
+
+diff --git a/arch/x86/crypto/sha256-avx2-asm.S b/arch/x86/crypto/sha256-avx2-asm.S
+index 9e86944..2e7f95a 100644
+--- a/arch/x86/crypto/sha256-avx2-asm.S
++++ b/arch/x86/crypto/sha256-avx2-asm.S
+@@ -50,6 +50,7 @@
+
+ #ifdef CONFIG_AS_AVX2
+ #include <linux/linkage.h>
++#include <asm/alternative-asm.h>
+
+ ## assume buffers not aligned
+ #define VMOVDQ vmovdqu
+@@ -720,6 +721,7 @@ done_hash:
+ popq %r12
+ popq %rbp
+ popq %rbx
++ pax_force_retaddr 0, 1
+ ret
+ ENDPROC(sha256_transform_rorx)
+
+diff --git a/arch/x86/crypto/sha256-ssse3-asm.S b/arch/x86/crypto/sha256-ssse3-asm.S
+index f833b74..c36ed14 100644
+--- a/arch/x86/crypto/sha256-ssse3-asm.S
++++ b/arch/x86/crypto/sha256-ssse3-asm.S
+@@ -47,6 +47,7 @@
+ ########################################################################
+
+ #include <linux/linkage.h>
++#include <asm/alternative-asm.h>
+
+ ## assume buffers not aligned
+ #define MOVDQ movdqu
+@@ -471,6 +472,7 @@ done_hash:
+ popq %rbp
+ popq %rbx
+
++ pax_force_retaddr 0, 1
+ ret
+ ENDPROC(sha256_transform_ssse3)
+
+diff --git a/arch/x86/crypto/sha512-avx-asm.S b/arch/x86/crypto/sha512-avx-asm.S
+index 974dde9..4533d34 100644
+--- a/arch/x86/crypto/sha512-avx-asm.S
++++ b/arch/x86/crypto/sha512-avx-asm.S
+@@ -49,6 +49,7 @@
+
+ #ifdef CONFIG_AS_AVX
+ #include <linux/linkage.h>
++#include <asm/alternative-asm.h>
+
+ .text
+
+@@ -364,6 +365,7 @@ updateblock:
+ mov frame_RSPSAVE(%rsp), %rsp
+
+ nowork:
++ pax_force_retaddr 0, 1
+ ret
+ ENDPROC(sha512_transform_avx)
+
+diff --git a/arch/x86/crypto/sha512-avx2-asm.S b/arch/x86/crypto/sha512-avx2-asm.S
+index 568b961..061ef1d 100644
+--- a/arch/x86/crypto/sha512-avx2-asm.S
++++ b/arch/x86/crypto/sha512-avx2-asm.S
+@@ -51,6 +51,7 @@
+
+ #ifdef CONFIG_AS_AVX2
+ #include <linux/linkage.h>
++#include <asm/alternative-asm.h>
+
+ .text
+
+@@ -678,6 +679,7 @@ done_hash:
+
+ # Restore Stack Pointer
+ mov frame_RSPSAVE(%rsp), %rsp
++ pax_force_retaddr 0, 1
+ ret
+ ENDPROC(sha512_transform_rorx)
+
+diff --git a/arch/x86/crypto/sha512-ssse3-asm.S b/arch/x86/crypto/sha512-ssse3-asm.S
+index fb56855..e23914f 100644
+--- a/arch/x86/crypto/sha512-ssse3-asm.S
++++ b/arch/x86/crypto/sha512-ssse3-asm.S
+@@ -48,6 +48,7 @@
+ ########################################################################
+
+ #include <linux/linkage.h>
++#include <asm/alternative-asm.h>
+
+ .text
+
+@@ -363,6 +364,7 @@ updateblock:
+ mov frame_RSPSAVE(%rsp), %rsp
+
+ nowork:
++ pax_force_retaddr 0, 1
+ ret
+ ENDPROC(sha512_transform_ssse3)
+
diff --git a/arch/x86/crypto/twofish-avx-x86_64-asm_64.S b/arch/x86/crypto/twofish-avx-x86_64-asm_64.S
index 0505813..63b1d00 100644
--- a/arch/x86/crypto/twofish-avx-x86_64-asm_64.S
@@ -11442,6 +13410,74 @@ index 0505813..63b1d00 100644
+ pax_force_retaddr 0, 1
ret;
ENDPROC(twofish_xts_dec_8way)
+diff --git a/arch/x86/crypto/twofish-avx2-asm_64.S b/arch/x86/crypto/twofish-avx2-asm_64.S
+index e1a83b9..33006b9 100644
+--- a/arch/x86/crypto/twofish-avx2-asm_64.S
++++ b/arch/x86/crypto/twofish-avx2-asm_64.S
+@@ -11,6 +11,7 @@
+ */
+
+ #include <linux/linkage.h>
++#include <asm/alternative-asm.h>
+ #include "glue_helper-asm-avx2.S"
+
+ .file "twofish-avx2-asm_64.S"
+@@ -422,6 +423,7 @@ __twofish_enc_blk16:
+ outunpack_enc16(RA, RB, RC, RD);
+ write_blocks16(RA, RB, RC, RD);
+
++ pax_force_retaddr_bts
+ ret;
+ ENDPROC(__twofish_enc_blk16)
+
+@@ -454,6 +456,7 @@ __twofish_dec_blk16:
+ outunpack_dec16(RA, RB, RC, RD);
+ write_blocks16(RA, RB, RC, RD);
+
++ pax_force_retaddr_bts
+ ret;
+ ENDPROC(__twofish_dec_blk16)
+
+@@ -476,6 +479,7 @@ ENTRY(twofish_ecb_enc_16way)
+ popq %r12;
+ vzeroupper;
+
++ pax_force_retaddr 0, 1
+ ret;
+ ENDPROC(twofish_ecb_enc_16way)
+
+@@ -498,6 +502,7 @@ ENTRY(twofish_ecb_dec_16way)
+ popq %r12;
+ vzeroupper;
+
++ pax_force_retaddr 0, 1
+ ret;
+ ENDPROC(twofish_ecb_dec_16way)
+
+@@ -521,6 +526,7 @@ ENTRY(twofish_cbc_dec_16way)
+ popq %r12;
+ vzeroupper;
+
++ pax_force_retaddr 0, 1
+ ret;
+ ENDPROC(twofish_cbc_dec_16way)
+
+@@ -546,6 +552,7 @@ ENTRY(twofish_ctr_16way)
+ popq %r12;
+ vzeroupper;
+
++ pax_force_retaddr 0, 1
+ ret;
+ ENDPROC(twofish_ctr_16way)
+
+@@ -574,6 +581,7 @@ twofish_xts_crypt_16way:
+ popq %r12;
+ vzeroupper;
+
++ pax_force_retaddr 0, 1
+ ret;
+ ENDPROC(twofish_xts_crypt_16way)
+
diff --git a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S b/arch/x86/crypto/twofish-x86_64-asm_64-3way.S
index 1c3b7ce..b365c5e 100644
--- a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S
@@ -11518,7 +13554,7 @@ index 52ff81c..98af645 100644
set_fs(KERNEL_DS);
has_dumped = 1;
diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c
-index cf1a471..3bc4cf8 100644
+index cf1a471..5ba2673 100644
--- a/arch/x86/ia32/ia32_signal.c
+++ b/arch/x86/ia32/ia32_signal.c
@@ -340,7 +340,7 @@ static void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs,
@@ -11548,7 +13584,12 @@ index cf1a471..3bc4cf8 100644
};
frame = get_sigframe(ksig, regs, sizeof(*frame), &fpstate);
-@@ -463,16 +463,18 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig,
+@@ -459,20 +459,22 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig,
+ else
+ put_user_ex(0, &frame->uc.uc_flags);
+ put_user_ex(0, &frame->uc.uc_link);
+- err |= __compat_save_altstack(&frame->uc.uc_stack, regs->sp);
++ __compat_save_altstack_ex(&frame->uc.uc_stack, regs->sp);
if (ksig->ka.sa.sa_flags & SA_RESTORER)
restorer = ksig->ka.sa.sa_restorer;
@@ -11571,7 +13612,7 @@ index cf1a471..3bc4cf8 100644
err |= copy_siginfo_to_user32(&frame->info, &ksig->info);
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
-index 474dc1b..24aaa3e 100644
+index 474dc1b..9297c58 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -15,8 +15,10 @@
@@ -11631,7 +13672,7 @@ index 474dc1b..24aaa3e 100644
movl %ebp,%ebp /* zero extension */
pushq_cfi $__USER32_DS
/*CFI_REL_OFFSET ss,0*/
-@@ -135,24 +157,44 @@ ENTRY(ia32_sysenter_target)
+@@ -135,24 +157,49 @@ ENTRY(ia32_sysenter_target)
CFI_REL_OFFSET rsp,0
pushfq_cfi
/*CFI_REL_OFFSET rflags,0*/
@@ -11665,8 +13706,8 @@ index 474dc1b..24aaa3e 100644
32bit zero extended */
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ mov pax_user_shadow_base,%r11
-+ add %r11,%rbp
++ addq pax_user_shadow_base,%rbp
++ ASM_PAX_OPEN_USERLAND
+#endif
+
ASM_STAC
@@ -11675,13 +13716,18 @@ index 474dc1b..24aaa3e 100644
ASM_CLAC
- orl $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET)
- testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
++
++#ifdef CONFIG_PAX_MEMORY_UDEREF
++ ASM_PAX_CLOSE_USERLAND
++#endif
++
+ GET_THREAD_INFO(%r11)
+ orl $TS_COMPAT,TI_status(%r11)
+ testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r11)
CFI_REMEMBER_STATE
jnz sysenter_tracesys
cmpq $(IA32_NR_syscalls-1),%rax
-@@ -162,12 +204,15 @@ sysenter_do_call:
+@@ -162,12 +209,15 @@ sysenter_do_call:
sysenter_dispatch:
call *ia32_sys_call_table(,%rax,8)
movq %rax,RAX-ARGOFFSET(%rsp)
@@ -11699,7 +13745,7 @@ index 474dc1b..24aaa3e 100644
/* clear IF, that popfq doesn't enable interrupts early */
andl $~0x200,EFLAGS-R11(%rsp)
movl RIP-R11(%rsp),%edx /* User %eip */
-@@ -193,6 +238,9 @@ sysexit_from_sys_call:
+@@ -193,6 +243,9 @@ sysexit_from_sys_call:
movl %eax,%esi /* 2nd arg: syscall number */
movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
call __audit_syscall_entry
@@ -11709,7 +13755,7 @@ index 474dc1b..24aaa3e 100644
movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
cmpq $(IA32_NR_syscalls-1),%rax
ja ia32_badsys
-@@ -204,7 +252,7 @@ sysexit_from_sys_call:
+@@ -204,7 +257,7 @@ sysexit_from_sys_call:
.endm
.macro auditsys_exit exit
@@ -11718,7 +13764,7 @@ index 474dc1b..24aaa3e 100644
jnz ia32_ret_from_sys_call
TRACE_IRQS_ON
ENABLE_INTERRUPTS(CLBR_NONE)
-@@ -215,11 +263,12 @@ sysexit_from_sys_call:
+@@ -215,11 +268,12 @@ sysexit_from_sys_call:
1: setbe %al /* 1 if error, 0 if not */
movzbl %al,%edi /* zero-extend that into %edi */
call __audit_syscall_exit
@@ -11732,7 +13778,7 @@ index 474dc1b..24aaa3e 100644
jz \exit
CLEAR_RREGS -ARGOFFSET
jmp int_with_check
-@@ -237,7 +286,7 @@ sysexit_audit:
+@@ -237,7 +291,7 @@ sysexit_audit:
sysenter_tracesys:
#ifdef CONFIG_AUDITSYSCALL
@@ -11741,7 +13787,7 @@ index 474dc1b..24aaa3e 100644
jz sysenter_auditsys
#endif
SAVE_REST
-@@ -249,6 +298,9 @@ sysenter_tracesys:
+@@ -249,6 +303,9 @@ sysenter_tracesys:
RESTORE_REST
cmpq $(IA32_NR_syscalls-1),%rax
ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
@@ -11751,7 +13797,7 @@ index 474dc1b..24aaa3e 100644
jmp sysenter_do_call
CFI_ENDPROC
ENDPROC(ia32_sysenter_target)
-@@ -276,19 +328,25 @@ ENDPROC(ia32_sysenter_target)
+@@ -276,19 +333,25 @@ ENDPROC(ia32_sysenter_target)
ENTRY(ia32_cstar_target)
CFI_STARTPROC32 simple
CFI_SIGNAL_FRAME
@@ -11779,14 +13825,15 @@ index 474dc1b..24aaa3e 100644
movl %eax,%eax /* zero extension */
movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
movq %rcx,RIP-ARGOFFSET(%rsp)
-@@ -304,12 +362,19 @@ ENTRY(ia32_cstar_target)
+@@ -304,12 +367,25 @@ ENTRY(ia32_cstar_target)
/* no need to do an access_ok check here because r8 has been
32bit zero extended */
/* hardware stack frame is complete now */
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ mov pax_user_shadow_base,%r11
-+ add %r11,%r8
++ ASM_PAX_OPEN_USERLAND
++ movq pax_user_shadow_base,%r8
++ addq RSP-ARGOFFSET(%rsp),%r8
+#endif
+
ASM_STAC
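Review bot: The comment kept above this block still justifies skipping access_ok by saying r8 has been 32-bit zero extended, but under CONFIG_PAX_MEMORY_UDEREF the new code discards r8 and rebuilds it with `movq pax_user_shadow_base,%r8` and `addq RSP-ARGOFFSET(%rsp),%r8`. The bound on the user pointer now rests on the saved RSP slot holding the zero-extended value, which is presumably the case but is written outside this hunk. I would extend the comment, e.g. `/* UDEREF: r8 is reloaded from the saved, zero-extended user RSP plus the shadow base */`. It would also help to say why ASM_PAX_OPEN_USERLAND comes before the reload here, while the sysenter path does `addq pax_user_shadow_base,%rbp` first and opens userland afterwards.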
@@ -11795,13 +13842,18 @@ index 474dc1b..24aaa3e 100644
ASM_CLAC
- orl $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET)
- testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
++
++#ifdef CONFIG_PAX_MEMORY_UDEREF
++ ASM_PAX_CLOSE_USERLAND
++#endif
++
+ GET_THREAD_INFO(%r11)
+ orl $TS_COMPAT,TI_status(%r11)
+ testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r11)
CFI_REMEMBER_STATE
jnz cstar_tracesys
cmpq $IA32_NR_syscalls-1,%rax
-@@ -319,12 +384,15 @@ cstar_do_call:
+@@ -319,12 +395,15 @@ cstar_do_call:
cstar_dispatch:
call *ia32_sys_call_table(,%rax,8)
movq %rax,RAX-ARGOFFSET(%rsp)
@@ -11819,7 +13871,7 @@ index 474dc1b..24aaa3e 100644
RESTORE_ARGS 0,-ARG_SKIP,0,0,0
movl RIP-ARGOFFSET(%rsp),%ecx
CFI_REGISTER rip,rcx
-@@ -352,7 +420,7 @@ sysretl_audit:
+@@ -352,7 +431,7 @@ sysretl_audit:
cstar_tracesys:
#ifdef CONFIG_AUDITSYSCALL
@@ -11828,7 +13880,7 @@ index 474dc1b..24aaa3e 100644
jz cstar_auditsys
#endif
xchgl %r9d,%ebp
-@@ -366,6 +434,9 @@ cstar_tracesys:
+@@ -366,11 +445,19 @@ cstar_tracesys:
xchgl %ebp,%r9d
cmpq $(IA32_NR_syscalls-1),%rax
ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
@@ -11838,7 +13890,17 @@ index 474dc1b..24aaa3e 100644
jmp cstar_do_call
END(ia32_cstar_target)
-@@ -407,19 +478,26 @@ ENTRY(ia32_syscall)
+ ia32_badarg:
+ ASM_CLAC
++
++#ifdef CONFIG_PAX_MEMORY_UDEREF
++ ASM_PAX_CLOSE_USERLAND
++#endif
++
+ movq $-EFAULT,%rax
+ jmp ia32_sysret
+ CFI_ENDPROC
+@@ -407,19 +494,26 @@ ENTRY(ia32_syscall)
CFI_REL_OFFSET rip,RIP-RIP
PARAVIRT_ADJUST_EXCEPTION_FRAME
SWAPGS
@@ -11872,7 +13934,7 @@ index 474dc1b..24aaa3e 100644
jnz ia32_tracesys
cmpq $(IA32_NR_syscalls-1),%rax
ja ia32_badsys
-@@ -442,6 +520,9 @@ ia32_tracesys:
+@@ -442,6 +536,9 @@ ia32_tracesys:
RESTORE_REST
cmpq $(IA32_NR_syscalls-1),%rax
ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */
@@ -13109,9 +15171,18 @@ index 59c6c40..5e0b22c 100644
struct compat_timespec {
compat_time_t tv_sec;
diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
-index e99ac27..e89e28c 100644
+index e99ac27..10d834e 100644
--- a/arch/x86/include/asm/cpufeature.h
+++ b/arch/x86/include/asm/cpufeature.h
+@@ -203,7 +203,7 @@
+ #define X86_FEATURE_DECODEASSISTS (8*32+12) /* AMD Decode Assists support */
+ #define X86_FEATURE_PAUSEFILTER (8*32+13) /* AMD filtered pause intercept */
+ #define X86_FEATURE_PFTHRESHOLD (8*32+14) /* AMD pause filter threshold */
+-
++#define X86_FEATURE_STRONGUDEREF (8*32+31) /* PaX PCID based strong UDEREF */
+
+ /* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 9 */
+ #define X86_FEATURE_FSGSBASE (9*32+ 0) /* {RD/WR}{FS/GS}BASE instructions*/
@@ -211,7 +211,7 @@
#define X86_FEATURE_BMI1 (9*32+ 3) /* 1st group bit manipulation extensions */
#define X86_FEATURE_HLE (9*32+ 4) /* Hardware Lock Elision */
@@ -13121,7 +15192,15 @@ index e99ac27..e89e28c 100644
#define X86_FEATURE_BMI2 (9*32+ 8) /* 2nd group bit manipulation extensions */
#define X86_FEATURE_ERMS (9*32+ 9) /* Enhanced REP MOVSB/STOSB */
#define X86_FEATURE_INVPCID (9*32+10) /* Invalidate Processor Context ID */
-@@ -394,7 +394,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit)
+@@ -353,6 +353,7 @@ extern const char * const x86_power_flags[32];
+ #undef cpu_has_centaur_mcr
+ #define cpu_has_centaur_mcr 0
+
++#define cpu_has_pcid boot_cpu_has(X86_FEATURE_PCID)
+ #endif /* CONFIG_X86_64 */
+
+ #if __GNUC__ >= 4
+@@ -394,7 +395,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit)
".section .discard,\"aw\",@progbits\n"
" .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
".previous\n"
@@ -13444,12 +15523,14 @@ index 75ce3f4..882e801 100644
#endif /* _ASM_X86_EMERGENCY_RESTART_H */
diff --git a/arch/x86/include/asm/fpu-internal.h b/arch/x86/include/asm/fpu-internal.h
-index e25cc33..425d099 100644
+index e25cc33..7d3ec01 100644
--- a/arch/x86/include/asm/fpu-internal.h
+++ b/arch/x86/include/asm/fpu-internal.h
-@@ -127,7 +127,9 @@ static inline void sanitize_i387_state(struct task_struct *tsk)
+@@ -126,8 +126,11 @@ static inline void sanitize_i387_state(struct task_struct *tsk)
+ #define user_insn(insn, output, input...) \
({ \
int err; \
++ pax_open_userland(); \
asm volatile(ASM_STAC "\n" \
- "1:" #insn "\n\t" \
+ "1:" \
@@ -13458,7 +15539,15 @@ index e25cc33..425d099 100644
"2: " ASM_CLAC "\n" \
".section .fixup,\"ax\"\n" \
"3: movl $-1,%[err]\n" \
-@@ -300,7 +302,7 @@ static inline int restore_fpu_checking(struct task_struct *tsk)
+@@ -136,6 +139,7 @@ static inline void sanitize_i387_state(struct task_struct *tsk)
+ _ASM_EXTABLE(1b, 3b) \
+ : [err] "=r" (err), output \
+ : "0"(0), input); \
++ pax_close_userland(); \
+ err; \
+ })
+
+@@ -300,7 +304,7 @@ static inline int restore_fpu_checking(struct task_struct *tsk)
"emms\n\t" /* clear stack tags */
"fildl %P[addr]", /* set F?P to defined value */
X86_FEATURE_FXSAVE_LEAK,
@@ -13468,7 +15557,7 @@ index e25cc33..425d099 100644
return fpu_restore_checking(&tsk->thread.fpu);
}
diff --git a/arch/x86/include/asm/futex.h b/arch/x86/include/asm/futex.h
-index be27ba1..8f13ff9 100644
+index be27ba1..04a8801 100644
--- a/arch/x86/include/asm/futex.h
+++ b/arch/x86/include/asm/futex.h
@@ -12,6 +12,7 @@
@@ -13507,8 +15596,11 @@ index be27ba1..8f13ff9 100644
: "r" (oparg), "i" (-EFAULT), "1" (0))
static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
-@@ -59,10 +61,10 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
+@@ -57,12 +59,13 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
+ pagefault_disable();
+
++ pax_open_userland();
switch (op) {
case FUTEX_OP_SET:
- __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
@@ -13520,9 +15612,19 @@ index be27ba1..8f13ff9 100644
uaddr, oparg);
break;
case FUTEX_OP_OR:
-@@ -116,14 +118,14 @@ static inline int futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
+@@ -77,6 +80,7 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
+ default:
+ ret = -ENOSYS;
+ }
++ pax_close_userland();
+
+ pagefault_enable();
+
+@@ -115,18 +119,20 @@ static inline int futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
+ if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
return -EFAULT;
++ pax_open_userland();
asm volatile("\t" ASM_STAC "\n"
- "1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n"
+ "1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %4, %2\n"
@@ -13537,6 +15639,10 @@ index be27ba1..8f13ff9 100644
: "i" (-EFAULT), "r" (newval), "1" (oldval)
: "memory"
);
++ pax_close_userland();
+
+ *uval = oldval;
+ return ret;
diff --git a/arch/x86/include/asm/hw_irq.h b/arch/x86/include/asm/hw_irq.h
index 1da97ef..9c2ebff 100644
--- a/arch/x86/include/asm/hw_irq.h
@@ -13923,29 +16029,31 @@ index 5f55e69..e20bfb1 100644
#ifdef CONFIG_SMP
diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
-index cdbf367..adb37ac 100644
+index cdbf367..4c73c9e 100644
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
-@@ -24,6 +24,18 @@ void destroy_context(struct mm_struct *mm);
+@@ -24,6 +24,20 @@ void destroy_context(struct mm_struct *mm);
static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
{
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
-+ unsigned int i;
-+ pgd_t *pgd;
++ if (!(static_cpu_has(X86_FEATURE_PCID))) {
++ unsigned int i;
++ pgd_t *pgd;
+
-+ pax_open_kernel();
-+ pgd = get_cpu_pgd(smp_processor_id());
-+ for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
-+ set_pgd_batched(pgd+i, native_make_pgd(0));
-+ pax_close_kernel();
++ pax_open_kernel();
++ pgd = get_cpu_pgd(smp_processor_id(), kernel);
++ for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
++ set_pgd_batched(pgd+i, native_make_pgd(0));
++ pax_close_kernel();
++ }
+#endif
+
#ifdef CONFIG_SMP
if (this_cpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
this_cpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
-@@ -34,16 +46,30 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
+@@ -34,16 +48,55 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
struct task_struct *tsk)
{
unsigned cpu = smp_processor_id();
@@ -13966,17 +16074,42 @@ index cdbf367..adb37ac 100644
/* Re-load page tables */
+#ifdef CONFIG_PAX_PER_CPU_PGD
+ pax_open_kernel();
-+ __clone_user_pgds(get_cpu_pgd(cpu), next->pgd);
-+ __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd);
++
++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
++ if (static_cpu_has(X86_FEATURE_PCID))
++ __clone_user_pgds(get_cpu_pgd(cpu, user), next->pgd);
++ else
++#endif
++
++ __clone_user_pgds(get_cpu_pgd(cpu, kernel), next->pgd);
++ __shadow_user_pgds(get_cpu_pgd(cpu, kernel) + USER_PGD_PTRS, next->pgd);
+ pax_close_kernel();
-+ load_cr3(get_cpu_pgd(cpu));
++ BUG_ON((__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL) != (read_cr3() & __PHYSICAL_MASK) && (__pa(get_cpu_pgd(cpu, user)) | PCID_USER) != (read_cr3() & __PHYSICAL_MASK));
++
++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
++ if (static_cpu_has(X86_FEATURE_PCID)) {
++ if (static_cpu_has(X86_FEATURE_INVPCID)) {
++ unsigned long descriptor[2];
++ descriptor[0] = PCID_USER;
++ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory");
++ } else {
++ write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER);
++ if (static_cpu_has(X86_FEATURE_STRONGUDEREF))
++ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
++ else
++ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL);
++ }
++ } else
++#endif
++
++ load_cr3(get_cpu_pgd(cpu, kernel));
+#else
load_cr3(next->pgd);
+#endif
/* stop flush ipis for the previous mm */
cpumask_clear_cpu(cpu, mm_cpumask(prev));
-@@ -53,9 +79,38 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
+@@ -53,9 +106,63 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
*/
if (unlikely(prev->context.ldt != next->context.ldt))
load_LDT_nolock(&next->context);
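Review bot: In the INVPCID branch only `descriptor[0]` is assigned before `&descriptor` is handed to the instruction, so the second word holds whatever was on the stack. The hardware is expected to ignore the address word for a single-context invalidation, but initialising both words removes the dependence on that: `unsigned long descriptor[2] = { PCID_USER, 0 };`. The same lines appear again in the block added further down switch_mm in the next hunk. switch_mm itself starts and ends outside this hunk.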
@@ -14006,17 +16139,42 @@ index cdbf367..adb37ac 100644
+
+#ifdef CONFIG_PAX_PER_CPU_PGD
+ pax_open_kernel();
-+ __clone_user_pgds(get_cpu_pgd(cpu), next->pgd);
-+ __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd);
++
++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
++ if (static_cpu_has(X86_FEATURE_PCID))
++ __clone_user_pgds(get_cpu_pgd(cpu, user), next->pgd);
++ else
++#endif
++
++ __clone_user_pgds(get_cpu_pgd(cpu, kernel), next->pgd);
++ __shadow_user_pgds(get_cpu_pgd(cpu, kernel) + USER_PGD_PTRS, next->pgd);
+ pax_close_kernel();
-+ load_cr3(get_cpu_pgd(cpu));
++ BUG_ON((__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL) != (read_cr3() & __PHYSICAL_MASK) && (__pa(get_cpu_pgd(cpu, user)) | PCID_USER) != (read_cr3() & __PHYSICAL_MASK));
++
++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
++ if (static_cpu_has(X86_FEATURE_PCID)) {
++ if (static_cpu_has(X86_FEATURE_INVPCID)) {
++ unsigned long descriptor[2];
++ descriptor[0] = PCID_USER;
++ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory");
++ } else {
++ write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER);
++ if (static_cpu_has(X86_FEATURE_STRONGUDEREF))
++ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
++ else
++ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL);
++ }
++ } else
++#endif
++
++ load_cr3(get_cpu_pgd(cpu, kernel));
+#endif
+
+#ifdef CONFIG_SMP
this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
BUG_ON(this_cpu_read(cpu_tlbstate.active_mm) != next);
-@@ -64,11 +119,28 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
+@@ -64,11 +171,28 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
* tlb flush IPI delivery. We must reload CR3
* to make sure to use no freed page tables.
*/
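Review bot: Everything this hunk adds between `#ifdef CONFIG_PAX_PER_CPU_PGD` and `load_cr3(get_cpu_pgd(cpu, kernel));` repeats, line for line, the block added earlier in switch_mm by the previous hunk. That includes the `else` that reaches across `#endif` and a blank line to bind the statement that follows. Moving the sequence into one `static inline` helper taking `cpu` and `next` would keep the two CR3/PCID reload paths from drifting apart. The helper could also brace the conditional so the `else` pairing survives later edits. switch_mm's body continues outside the hunk.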
@@ -14381,7 +16539,7 @@ index 4cc9f2b..5fd9226 100644
/*
diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
-index 1e67223..dd6e7ea 100644
+index 1e67223..92a9585 100644
--- a/arch/x86/include/asm/pgtable.h
+++ b/arch/x86/include/asm/pgtable.h
@@ -44,6 +44,7 @@ extern struct mm_struct *pgd_page_get_mm(struct page *page);
@@ -14487,23 +16645,24 @@ index 1e67223..dd6e7ea 100644
}
static inline pte_t pte_mkdirty(pte_t pte)
-@@ -394,6 +459,15 @@ pte_t *populate_extra_pte(unsigned long vaddr);
+@@ -394,6 +459,16 @@ pte_t *populate_extra_pte(unsigned long vaddr);
#endif
#ifndef __ASSEMBLY__
+
+#ifdef CONFIG_PAX_PER_CPU_PGD
-+extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
-+static inline pgd_t *get_cpu_pgd(unsigned int cpu)
++extern pgd_t cpu_pgd[NR_CPUS][2][PTRS_PER_PGD];
++enum cpu_pgd_type {kernel = 0, user = 1};
++static inline pgd_t *get_cpu_pgd(unsigned int cpu, enum cpu_pgd_type type)
+{
-+ return cpu_pgd[cpu];
++ return cpu_pgd[cpu][type];
+}
+#endif
+
#include <linux/mm_types.h>
#include <linux/log2.h>
-@@ -529,7 +603,7 @@ static inline unsigned long pud_page_vaddr(pud_t pud)
+@@ -529,7 +604,7 @@ static inline unsigned long pud_page_vaddr(pud_t pud)
* Currently stuck as a macro due to indirect forward reference to
* linux/mmzone.h's __section_mem_map_addr() definition:
*/
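Review bot: `enum cpu_pgd_type {kernel = 0, user = 1};` puts two very generic lowercase enumerators at file scope in asm/pgtable.h, a widely included header, where they can collide with or be shadowed by ordinary identifiers named `kernel` or `user`. Prefixed upper-case names would be safer, e.g. `enum cpu_pgd_type { CPU_PGD_KERNEL = 0, CPU_PGD_USER = 1 };`, with the `get_cpu_pgd(cpu, kernel)` and `get_cpu_pgd(cpu, user)` call sites in mmu_context.h updated to match. The literal `2` in `cpu_pgd[NR_CPUS][2][PTRS_PER_PGD]` is tied to that enum and could be expressed through it.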
@@ -14512,7 +16671,7 @@ index 1e67223..dd6e7ea 100644
/* Find an entry in the second-level page table.. */
static inline pmd_t *pmd_offset(pud_t *pud, unsigned long address)
-@@ -569,7 +643,7 @@ static inline unsigned long pgd_page_vaddr(pgd_t pgd)
+@@ -569,7 +644,7 @@ static inline unsigned long pgd_page_vaddr(pgd_t pgd)
* Currently stuck as a macro due to indirect forward reference to
* linux/mmzone.h's __section_mem_map_addr() definition:
*/
@@ -14521,7 +16680,7 @@ index 1e67223..dd6e7ea 100644
/* to find an entry in a page-table-directory. */
static inline unsigned long pud_index(unsigned long address)
-@@ -584,7 +658,7 @@ static inline pud_t *pud_offset(pgd_t *pgd, unsigned long address)
+@@ -584,7 +659,7 @@ static inline pud_t *pud_offset(pgd_t *pgd, unsigned long address)
static inline int pgd_bad(pgd_t pgd)
{
@@ -14530,7 +16689,7 @@ index 1e67223..dd6e7ea 100644
}
static inline int pgd_none(pgd_t pgd)
-@@ -607,7 +681,12 @@ static inline int pgd_none(pgd_t pgd)
+@@ -607,7 +682,12 @@ static inline int pgd_none(pgd_t pgd)
* pgd_offset() returns a (pgd_t *)
* pgd_index() is used get the offset into the pgd page's array of pgd_t's;
*/
@@ -14538,13 +16697,13 @@ index 1e67223..dd6e7ea 100644
+#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
+
+#ifdef CONFIG_PAX_PER_CPU_PGD
-+#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
++#define pgd_offset_cpu(cpu, type, address) (get_cpu_pgd(cpu, type) + pgd_index(address))
+#endif
+
/*
* a shortcut which implies the use of the kernel's pgd, instead
* of a process's
-@@ -618,6 +697,22 @@ static inline int pgd_none(pgd_t pgd)
+@@ -618,6 +698,23 @@ static inline int pgd_none(pgd_t pgd)
#define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
#define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
@@ -14559,6 +16718,7 @@ index 1e67223..dd6e7ea 100644
+#define pax_user_shadow_base pax_user_shadow_base(%rip)
+#else
+extern unsigned long pax_user_shadow_base;
++extern pgdval_t clone_pgd_mask;
+#endif
+#endif
+
@@ -14567,7 +16727,7 @@ index 1e67223..dd6e7ea 100644
#ifndef __ASSEMBLY__
extern int direct_gbpages;
-@@ -784,11 +879,24 @@ static inline void pmdp_set_wrprotect(struct mm_struct *mm,
+@@ -784,11 +881,24 @@ static inline void pmdp_set_wrprotect(struct mm_struct *mm,
* dst and src can be on the same page, but the range must not overlap,
* and must not cross a page boundary.
*/
@@ -14859,10 +17019,33 @@ index e642300..0ef8f31 100644
#define pgprot_writecombine pgprot_writecombine
extern pgprot_t pgprot_writecombine(pgprot_t prot);
diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
-index 22224b3..4080dab 100644
+index 22224b3..b3a2f90 100644
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
-@@ -282,7 +282,7 @@ struct tss_struct {
+@@ -198,9 +198,21 @@ static inline void native_cpuid(unsigned int *eax, unsigned int *ebx,
+ : "memory");
+ }
+
++/* invpcid (%rdx),%rax */
++#define __ASM_INVPCID ".byte 0x66,0x0f,0x38,0x82,0x02"
++
++#define INVPCID_SINGLE_ADDRESS 0UL
++#define INVPCID_SINGLE_CONTEXT 1UL
++#define INVPCID_ALL_GLOBAL 2UL
++#define INVPCID_ALL_MONGLOBAL 3UL
++
++#define PCID_KERNEL 0UL
++#define PCID_USER 1UL
++#define PCID_NOFLUSH (1UL << 63)
++
+ static inline void load_cr3(pgd_t *pgdir)
+ {
+- write_cr3(__pa(pgdir));
++ write_cr3(__pa(pgdir) | PCID_KERNEL);
+ }
+
+ #ifdef CONFIG_X86_32
+@@ -282,7 +294,7 @@ struct tss_struct {
} ____cacheline_aligned;
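Review bot: `INVPCID_ALL_MONGLOBAL` among the new INVPCID type constants looks like a typo for NONGLOBAL, since type 3 is the all-context invalidation that retains global translations. The misspelled name is also used at the call site in the tlbflush.h hunk, so both would change together: `#define INVPCID_ALL_NONGLOBAL 3UL`. `__ASM_INVPCID` is a fixed byte encoding of `invpcid (%rdx),%rax`, so every user must pass the descriptor pointer with `"d"` and the type with `"a"`. Extending the comment to `/* invpcid (%rdx),%rax: descriptor pointer in "d", type in "a" */` would state that requirement where the macro is defined.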
@@ -14871,7 +17054,47 @@ index 22224b3..4080dab 100644
/*
* Save the original ist values for checking stack pointers during debugging
-@@ -823,11 +823,18 @@ static inline void spin_lock_prefetch(const void *x)
+@@ -452,6 +464,7 @@ struct thread_struct {
+ unsigned short ds;
+ unsigned short fsindex;
+ unsigned short gsindex;
++ unsigned short ss;
+ #endif
+ #ifdef CONFIG_X86_32
+ unsigned long ip;
+@@ -552,29 +565,8 @@ static inline void load_sp0(struct tss_struct *tss,
+ extern unsigned long mmu_cr4_features;
+ extern u32 *trampoline_cr4_features;
+
+-static inline void set_in_cr4(unsigned long mask)
+-{
+- unsigned long cr4;
+-
+- mmu_cr4_features |= mask;
+- if (trampoline_cr4_features)
+- *trampoline_cr4_features = mmu_cr4_features;
+- cr4 = read_cr4();
+- cr4 |= mask;
+- write_cr4(cr4);
+-}
+-
+-static inline void clear_in_cr4(unsigned long mask)
+-{
+- unsigned long cr4;
+-
+- mmu_cr4_features &= ~mask;
+- if (trampoline_cr4_features)
+- *trampoline_cr4_features = mmu_cr4_features;
+- cr4 = read_cr4();
+- cr4 &= ~mask;
+- write_cr4(cr4);
+-}
++extern void set_in_cr4(unsigned long mask);
++extern void clear_in_cr4(unsigned long mask);
+
+ typedef struct {
+ unsigned long seg;
+@@ -823,11 +815,18 @@ static inline void spin_lock_prefetch(const void *x)
*/
#define TASK_SIZE PAGE_OFFSET
#define TASK_SIZE_MAX TASK_SIZE
@@ -14892,7 +17115,7 @@ index 22224b3..4080dab 100644
.vm86_info = NULL, \
.sysenter_cs = __KERNEL_CS, \
.io_bitmap_ptr = NULL, \
-@@ -841,7 +848,7 @@ static inline void spin_lock_prefetch(const void *x)
+@@ -841,7 +840,7 @@ static inline void spin_lock_prefetch(const void *x)
*/
#define INIT_TSS { \
.x86_tss = { \
@@ -14901,7 +17124,7 @@ index 22224b3..4080dab 100644
.ss0 = __KERNEL_DS, \
.ss1 = __KERNEL_CS, \
.io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
-@@ -852,11 +859,7 @@ static inline void spin_lock_prefetch(const void *x)
+@@ -852,11 +851,7 @@ static inline void spin_lock_prefetch(const void *x)
extern unsigned long thread_saved_pc(struct task_struct *tsk);
#define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
@@ -14914,7 +17137,7 @@ index 22224b3..4080dab 100644
/*
* The below -8 is to reserve 8 bytes on top of the ring0 stack.
-@@ -871,7 +874,7 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
+@@ -871,7 +866,7 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
#define task_pt_regs(task) \
({ \
struct pt_regs *__regs__; \
@@ -14923,7 +17146,7 @@ index 22224b3..4080dab 100644
__regs__ - 1; \
})
-@@ -881,13 +884,13 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
+@@ -881,13 +876,13 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
/*
* User space process size. 47bits minus one guard page.
*/
@@ -14939,7 +17162,7 @@ index 22224b3..4080dab 100644
#define TASK_SIZE (test_thread_flag(TIF_ADDR32) ? \
IA32_PAGE_OFFSET : TASK_SIZE_MAX)
-@@ -898,11 +901,11 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
+@@ -898,11 +893,11 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
#define STACK_TOP_MAX TASK_SIZE_MAX
#define INIT_THREAD { \
@@ -14953,7 +17176,7 @@ index 22224b3..4080dab 100644
}
/*
-@@ -930,6 +933,10 @@ extern void start_thread(struct pt_regs *regs, unsigned long new_ip,
+@@ -930,6 +925,10 @@ extern void start_thread(struct pt_regs *regs, unsigned long new_ip,
*/
#define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
@@ -14964,7 +17187,17 @@ index 22224b3..4080dab 100644
#define KSTK_EIP(task) (task_pt_regs(task)->ip)
/* Get/set a process' ability to use the timestamp counter instruction */
-@@ -970,7 +977,7 @@ unsigned long calc_aperfmperf_ratio(struct aperfmperf *old,
+@@ -942,7 +941,8 @@ extern int set_tsc_mode(unsigned int val);
+ extern u16 amd_get_nb_id(int cpu);
+
+ struct aperfmperf {
+- u64 aperf, mperf;
++ u64 aperf __intentional_overflow(0);
++ u64 mperf __intentional_overflow(0);
+ };
+
+ static inline void get_aperfmperf(struct aperfmperf *am)
+@@ -970,7 +970,7 @@ unsigned long calc_aperfmperf_ratio(struct aperfmperf *old,
return ratio;
}
@@ -14973,7 +17206,7 @@ index 22224b3..4080dab 100644
extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
void default_idle(void);
-@@ -980,6 +987,6 @@ bool xen_set_default_idle(void);
+@@ -980,6 +980,6 @@ bool xen_set_default_idle(void);
#define xen_set_default_idle 0
#endif
@@ -15221,7 +17454,7 @@ index cad82c9..2e5c5c1 100644
#endif /* __KERNEL__ */
diff --git a/arch/x86/include/asm/segment.h b/arch/x86/include/asm/segment.h
-index c48a950..c6d7468 100644
+index c48a950..bc40804 100644
--- a/arch/x86/include/asm/segment.h
+++ b/arch/x86/include/asm/segment.h
@@ -64,10 +64,15 @@
@@ -15282,15 +17515,32 @@ index c48a950..c6d7468 100644
#define GDT_ENTRY_TSS 8 /* needs two entries */
#define GDT_ENTRY_LDT 10 /* needs two entries */
#define GDT_ENTRY_TLS_MIN 12
-@@ -185,6 +200,7 @@
+@@ -173,6 +188,8 @@
+ #define GDT_ENTRY_PER_CPU 15 /* Abused to load per CPU data from limit */
+ #define __PER_CPU_SEG (GDT_ENTRY_PER_CPU * 8 + 3)
+
++#define GDT_ENTRY_UDEREF_KERNEL_DS 16
++
+ /* TLS indexes for 64bit - hardcoded in arch_prctl */
+ #define FS_TLS 0
+ #define GS_TLS 1
+@@ -180,12 +197,14 @@
+ #define GS_TLS_SEL ((GDT_ENTRY_TLS_MIN+GS_TLS)*8 + 3)
+ #define FS_TLS_SEL ((GDT_ENTRY_TLS_MIN+FS_TLS)*8 + 3)
+
+-#define GDT_ENTRIES 16
++#define GDT_ENTRIES 17
+
#endif
#define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8)
+#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
#define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8)
++#define __UDEREF_KERNEL_DS (GDT_ENTRY_UDEREF_KERNEL_DS*8)
#define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8+3)
#define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8+3)
-@@ -265,7 +281,7 @@ static inline unsigned long get_limit(unsigned long segment)
+ #ifndef CONFIG_PARAVIRT
+@@ -265,7 +284,7 @@ static inline unsigned long get_limit(unsigned long segment)
{
unsigned long __limit;
asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
@@ -15299,6 +17549,99 @@ index c48a950..c6d7468 100644
}
#endif /* !__ASSEMBLY__ */
+diff --git a/arch/x86/include/asm/smap.h b/arch/x86/include/asm/smap.h
+index 8d3120f..352b440 100644
+--- a/arch/x86/include/asm/smap.h
++++ b/arch/x86/include/asm/smap.h
+@@ -25,11 +25,40 @@
+
+ #include <asm/alternative-asm.h>
+
++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
++#define ASM_PAX_OPEN_USERLAND \
++ 661: jmp 663f; \
++ .pushsection .altinstr_replacement, "a" ; \
++ 662: pushq %rax; nop; \
++ .popsection ; \
++ .pushsection .altinstructions, "a" ; \
++ altinstruction_entry 661b, 662b, X86_FEATURE_STRONGUDEREF, 2, 2;\
++ .popsection ; \
++ call __pax_open_userland; \
++ popq %rax; \
++ 663:
++
++#define ASM_PAX_CLOSE_USERLAND \
++ 661: jmp 663f; \
++ .pushsection .altinstr_replacement, "a" ; \
++ 662: pushq %rax; nop; \
++ .popsection; \
++ .pushsection .altinstructions, "a" ; \
++ altinstruction_entry 661b, 662b, X86_FEATURE_STRONGUDEREF, 2, 2;\
++ .popsection; \
++ call __pax_close_userland; \
++ popq %rax; \
++ 663:
++#else
++#define ASM_PAX_OPEN_USERLAND
++#define ASM_PAX_CLOSE_USERLAND
++#endif
++
+ #ifdef CONFIG_X86_SMAP
+
+ #define ASM_CLAC \
+ 661: ASM_NOP3 ; \
+- .pushsection .altinstr_replacement, "ax" ; \
++ .pushsection .altinstr_replacement, "a" ; \
+ 662: __ASM_CLAC ; \
+ .popsection ; \
+ .pushsection .altinstructions, "a" ; \
+@@ -38,7 +67,7 @@
+
+ #define ASM_STAC \
+ 661: ASM_NOP3 ; \
+- .pushsection .altinstr_replacement, "ax" ; \
++ .pushsection .altinstr_replacement, "a" ; \
+ 662: __ASM_STAC ; \
+ .popsection ; \
+ .pushsection .altinstructions, "a" ; \
+@@ -56,6 +85,37 @@
+
+ #include <asm/alternative.h>
+
++#define __HAVE_ARCH_PAX_OPEN_USERLAND
++#define __HAVE_ARCH_PAX_CLOSE_USERLAND
++
++extern void __pax_open_userland(void);
++static __always_inline unsigned long pax_open_userland(void)
++{
++
++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
++ asm volatile(ALTERNATIVE(ASM_NOP5, "call %P[open]", X86_FEATURE_STRONGUDEREF)
++ :
++ : [open] "i" (__pax_open_userland)
++ : "memory", "rax");
++#endif
++
++ return 0;
++}
++
++extern void __pax_close_userland(void);
++static __always_inline unsigned long pax_close_userland(void)
++{
++
++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
++ asm volatile(ALTERNATIVE(ASM_NOP5, "call %P[close]", X86_FEATURE_STRONGUDEREF)
++ :
++ : [close] "i" (__pax_close_userland)
++ : "memory", "rax");
++#endif
++
++ return 0;
++}
++
+ #ifdef CONFIG_X86_SMAP
+
+ static __always_inline void clac(void)
diff --git a/arch/x86/include/asm/smp.h b/arch/x86/include/asm/smp.h
index b073aae..39f9bdd 100644
--- a/arch/x86/include/asm/smp.h
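Review bot: `pax_open_userland()` and `pax_close_userland()` list only `"memory"` and `"rax"` as clobbers around `call %P[open]` / `call %P[close]`, so the out-of-line `__pax_open_userland` and `__pax_close_userland` must preserve every other register, and that contract is not written down next to the `extern` declarations. A comment such as `/* called from inline asm: may clobber only %rax and flags */` above each declaration would keep a later edit of the assembly routines from silently corrupting caller state. Both wrappers are also declared to return `unsigned long` yet always return 0, which deserves a line of explanation as well.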
@@ -15704,8 +18047,106 @@ index a1df6e8..e002940 100644
+
#endif
#endif /* _ASM_X86_THREAD_INFO_H */
+diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
+index 50a7fc0..45844c0 100644
+--- a/arch/x86/include/asm/tlbflush.h
++++ b/arch/x86/include/asm/tlbflush.h
+@@ -17,18 +17,44 @@
+
+ static inline void __native_flush_tlb(void)
+ {
++ if (static_cpu_has(X86_FEATURE_INVPCID)) {
++ unsigned long descriptor[2];
++
++ descriptor[0] = PCID_KERNEL;
++ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_MONGLOBAL) : "memory");
++ return;
++ }
++
++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
++ if (static_cpu_has(X86_FEATURE_PCID)) {
++ unsigned int cpu = raw_get_cpu();
++
++ native_write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER);
++ native_write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL);
++ raw_put_cpu_no_resched();
++ return;
++ }
++#endif
++
+ native_write_cr3(native_read_cr3());
+ }
+
+ static inline void __native_flush_tlb_global_irq_disabled(void)
+ {
+- unsigned long cr4;
++ if (static_cpu_has(X86_FEATURE_INVPCID)) {
++ unsigned long descriptor[2];
+
+- cr4 = native_read_cr4();
+- /* clear PGE */
+- native_write_cr4(cr4 & ~X86_CR4_PGE);
+- /* write old PGE again and flush TLBs */
+- native_write_cr4(cr4);
++ descriptor[0] = PCID_KERNEL;
++ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_GLOBAL) : "memory");
++ } else {
++ unsigned long cr4;
++
++ cr4 = native_read_cr4();
++ /* clear PGE */
++ native_write_cr4(cr4 & ~X86_CR4_PGE);
++ /* write old PGE again and flush TLBs */
++ native_write_cr4(cr4);
++ }
+ }
+
+ static inline void __native_flush_tlb_global(void)
+@@ -49,6 +75,42 @@ static inline void __native_flush_tlb_global(void)
+
+ static inline void __native_flush_tlb_single(unsigned long addr)
+ {
++
++ if (static_cpu_has(X86_FEATURE_INVPCID)) {
++ unsigned long descriptor[2];
++
++ descriptor[0] = PCID_KERNEL;
++ descriptor[1] = addr;
++
++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
++ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF) || addr >= TASK_SIZE_MAX) {
++ if (addr < TASK_SIZE_MAX)
++ descriptor[1] += pax_user_shadow_base;
++ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_ADDRESS) : "memory");
++ }
++
++ descriptor[0] = PCID_USER;
++ descriptor[1] = addr;
++#endif
++
++ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_ADDRESS) : "memory");
++ return;
++ }
++
++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
++ if (static_cpu_has(X86_FEATURE_PCID)) {
++ unsigned int cpu = raw_get_cpu();
++
++ native_write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER | PCID_NOFLUSH);
++ asm volatile("invlpg (%0)" ::"r" (addr) : "memory");
++ native_write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
++ raw_put_cpu_no_resched();
++
++ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF) && addr < TASK_SIZE_MAX)
++ addr += pax_user_shadow_base;
++ }
++#endif
++
+ asm volatile("invlpg (%0)" ::"r" (addr) : "memory");
+ }
+
diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
-index 5ee2687..70d5895 100644
+index 5ee2687..74590b9 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -7,6 +7,7 @@
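Review bot: In `__native_flush_tlb()` and `__native_flush_tlb_global_irq_disabled()` the INVPCID path sets only `descriptor[0]`, so the instruction is handed a 16-byte descriptor whose second quadword is uninitialized stack data, whereas `__native_flush_tlb_single()` fills both words. The address field is presumably ignored for the all-context invalidation types, but initializing it costs nothing and removes the dependence on that: `unsigned long descriptor[2] = { PCID_KERNEL, 0 };`. The asm reaches the descriptor only through the `"d"` pointer and the `"memory"` clobber, so a short comment that the clobber is what makes the compiler emit the descriptor stores before the instruction would help keep it from being removed later.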
@@ -15765,7 +18206,20 @@ index 5ee2687..70d5895 100644
/*
* The exception table consists of pairs of addresses relative to the
-@@ -176,13 +207,21 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
+@@ -165,10 +196,12 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
+ register __inttype(*(ptr)) __val_gu asm("%edx"); \
+ __chk_user_ptr(ptr); \
+ might_fault(); \
++ pax_open_userland(); \
+ asm volatile("call __get_user_%P3" \
+ : "=a" (__ret_gu), "=r" (__val_gu) \
+ : "0" (ptr), "i" (sizeof(*(ptr)))); \
+ (x) = (__typeof__(*(ptr))) __val_gu; \
++ pax_close_userland(); \
+ __ret_gu; \
+ })
+
+@@ -176,13 +209,21 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
: "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
@@ -15790,7 +18244,7 @@ index 5ee2687..70d5895 100644
"3: " ASM_CLAC "\n" \
".section .fixup,\"ax\"\n" \
"4: movl %3,%0\n" \
-@@ -195,8 +234,8 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
+@@ -195,8 +236,8 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
#define __put_user_asm_ex_u64(x, addr) \
asm volatile(ASM_STAC "\n" \
@@ -15801,34 +18255,50 @@ index 5ee2687..70d5895 100644
"3: " ASM_CLAC "\n" \
_ASM_EXTABLE_EX(1b, 2b) \
_ASM_EXTABLE_EX(2b, 3b) \
-@@ -246,7 +285,7 @@ extern void __put_user_8(void);
+@@ -246,7 +287,8 @@ extern void __put_user_8(void);
__typeof__(*(ptr)) __pu_val; \
__chk_user_ptr(ptr); \
might_fault(); \
- __pu_val = x; \
+ __pu_val = (x); \
++ pax_open_userland(); \
switch (sizeof(*(ptr))) { \
case 1: \
__put_user_x(1, __pu_val, ptr, __ret_pu); \
-@@ -345,7 +384,7 @@ do { \
+@@ -264,6 +306,7 @@ extern void __put_user_8(void);
+ __put_user_x(X, __pu_val, ptr, __ret_pu); \
+ break; \
+ } \
++ pax_close_userland(); \
+ __ret_pu; \
+ })
+
+@@ -344,8 +387,10 @@ do { \
+ } while (0)
#define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
++do { \
++ pax_open_userland(); \
asm volatile(ASM_STAC "\n" \
- "1: mov"itype" %2,%"rtype"1\n" \
+ "1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
"2: " ASM_CLAC "\n" \
".section .fixup,\"ax\"\n" \
"3: mov %3,%0\n" \
-@@ -353,7 +392,7 @@ do { \
+@@ -353,8 +398,10 @@ do { \
" jmp 2b\n" \
".previous\n" \
_ASM_EXTABLE(1b, 3b) \
- : "=r" (err), ltype(x) \
+- : "m" (__m(addr)), "i" (errret), "0" (err))
+ : "=r" (err), ltype (x) \
- : "m" (__m(addr)), "i" (errret), "0" (err))
++ : "m" (__m(addr)), "i" (errret), "0" (err)); \
++ pax_close_userland(); \
++} while (0)
#define __get_user_size_ex(x, ptr, size) \
-@@ -378,7 +417,7 @@ do { \
+ do { \
+@@ -378,7 +425,7 @@ do { \
} while (0)
#define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
@@ -15837,7 +18307,7 @@ index 5ee2687..70d5895 100644
"2:\n" \
_ASM_EXTABLE_EX(1b, 2b) \
: ltype(x) : "m" (__m(addr)))
-@@ -395,13 +434,24 @@ do { \
+@@ -395,13 +442,24 @@ do { \
int __gu_err; \
unsigned long __gu_val; \
__get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
@@ -15864,21 +18334,26 @@ index 5ee2687..70d5895 100644
/*
* Tell gcc we read from memory instead of writing: this is because
-@@ -410,7 +460,7 @@ struct __large_struct { unsigned long buf[100]; };
+@@ -409,8 +467,10 @@ struct __large_struct { unsigned long buf[100]; };
+ * aliasing issues.
*/
#define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
++do { \
++ pax_open_userland(); \
asm volatile(ASM_STAC "\n" \
- "1: mov"itype" %"rtype"1,%2\n" \
+ "1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
"2: " ASM_CLAC "\n" \
".section .fixup,\"ax\"\n" \
"3: mov %3,%0\n" \
-@@ -418,10 +468,10 @@ struct __large_struct { unsigned long buf[100]; };
+@@ -418,10 +478,12 @@ struct __large_struct { unsigned long buf[100]; };
".previous\n" \
_ASM_EXTABLE(1b, 3b) \
: "=r"(err) \
- : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
-+ : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
++ : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err));\
++ pax_close_userland(); \
++} while (0)
#define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
- asm volatile("1: mov"itype" %"rtype"0,%1\n" \
@@ -15886,7 +18361,21 @@ index 5ee2687..70d5895 100644
"2:\n" \
_ASM_EXTABLE_EX(1b, 2b) \
: : ltype(x), "m" (__m(addr)))
-@@ -460,8 +510,12 @@ struct __large_struct { unsigned long buf[100]; };
+@@ -431,11 +493,13 @@ struct __large_struct { unsigned long buf[100]; };
+ */
+ #define uaccess_try do { \
+ current_thread_info()->uaccess_err = 0; \
++ pax_open_userland(); \
+ stac(); \
+ barrier();
+
+ #define uaccess_catch(err) \
+ clac(); \
++ pax_close_userland(); \
+ (err) |= (current_thread_info()->uaccess_err ? -EFAULT : 0); \
+ } while (0)
+
+@@ -460,8 +524,12 @@ struct __large_struct { unsigned long buf[100]; };
* On error, the variable @x is set to zero.
*/
@@ -15899,7 +18388,7 @@ index 5ee2687..70d5895 100644
/**
* __put_user: - Write a simple value into user space, with less checking.
-@@ -483,8 +537,12 @@ struct __large_struct { unsigned long buf[100]; };
+@@ -483,8 +551,12 @@ struct __large_struct { unsigned long buf[100]; };
* Returns zero on success, or -EFAULT on error.
*/
@@ -15912,7 +18401,7 @@ index 5ee2687..70d5895 100644
#define __get_user_unaligned __get_user
#define __put_user_unaligned __put_user
-@@ -502,7 +560,7 @@ struct __large_struct { unsigned long buf[100]; };
+@@ -502,7 +574,7 @@ struct __large_struct { unsigned long buf[100]; };
#define get_user_ex(x, ptr) do { \
unsigned long __gue_val; \
__get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
@@ -15921,7 +18410,7 @@ index 5ee2687..70d5895 100644
} while (0)
#define put_user_try uaccess_try
-@@ -519,8 +577,8 @@ strncpy_from_user(char *dst, const char __user *src, long count);
+@@ -519,8 +591,8 @@ strncpy_from_user(char *dst, const char __user *src, long count);
extern __must_check long strlen_user(const char __user *str);
extern __must_check long strnlen_user(const char __user *str, long n);
@@ -16107,7 +18596,7 @@ index 7f760a9..04b1c65 100644
}
diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
-index 142810c..1f2a0a7 100644
+index 142810c..1dbe82f 100644
--- a/arch/x86/include/asm/uaccess_64.h
+++ b/arch/x86/include/asm/uaccess_64.h
@@ -10,6 +10,9 @@
@@ -16426,8 +18915,9 @@ index 142810c..1f2a0a7 100644
}
}
- static __must_check __always_inline int
+-static __must_check __always_inline int
-__copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
++static __must_check __always_inline unsigned long
+__copy_from_user_inatomic(void *dst, const void __user *src, unsigned long size)
{
- return copy_user_generic(dst, (__force const void *)src, size);
@@ -16567,12 +19057,14 @@ index d8d9922..bf6cecb 100644
extern struct x86_init_ops x86_init;
extern struct x86_cpuinit_ops x86_cpuinit;
diff --git a/arch/x86/include/asm/xsave.h b/arch/x86/include/asm/xsave.h
-index 0415cda..b43d877 100644
+index 0415cda..3b22adc 100644
--- a/arch/x86/include/asm/xsave.h
+++ b/arch/x86/include/asm/xsave.h
-@@ -71,7 +71,9 @@ static inline int xsave_user(struct xsave_struct __user *buf)
+@@ -70,8 +70,11 @@ static inline int xsave_user(struct xsave_struct __user *buf)
+ if (unlikely(err))
return -EFAULT;
++ pax_open_userland();
__asm__ __volatile__(ASM_STAC "\n"
- "1: .byte " REX_PREFIX "0x0f,0xae,0x27\n"
+ "1:"
@@ -16581,7 +19073,14 @@ index 0415cda..b43d877 100644
"2: " ASM_CLAC "\n"
".section .fixup,\"ax\"\n"
"3: movl $-1,%[err]\n"
-@@ -87,12 +89,14 @@ static inline int xsave_user(struct xsave_struct __user *buf)
+@@ -81,18 +84,22 @@ static inline int xsave_user(struct xsave_struct __user *buf)
+ : [err] "=r" (err)
+ : "D" (buf), "a" (-1), "d" (-1), "0" (0)
+ : "memory");
++ pax_close_userland();
+ return err;
+ }
+
static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask)
{
int err;
@@ -16590,6 +19089,7 @@ index 0415cda..b43d877 100644
u32 lmask = mask;
u32 hmask = mask >> 32;
++ pax_open_userland();
__asm__ __volatile__(ASM_STAC "\n"
- "1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
+ "1:"
@@ -16598,6 +19098,14 @@ index 0415cda..b43d877 100644
"2: " ASM_CLAC "\n"
".section .fixup,\"ax\"\n"
"3: movl $-1,%[err]\n"
+@@ -102,6 +109,7 @@ static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask)
+ : [err] "=r" (err)
+ : "D" (xstate), "a" (lmask), "d" (hmask), "0" (0)
+ : "memory"); /* memory required? */
++ pax_close_userland();
+ return err;
+ }
+
diff --git a/arch/x86/include/uapi/asm/e820.h b/arch/x86/include/uapi/asm/e820.h
index bbae024..e1528f9 100644
--- a/arch/x86/include/uapi/asm/e820.h
@@ -17197,7 +19705,7 @@ index 5013a48..0782c53 100644
if (c->x86_model == 3 && c->x86_mask == 0)
size = 64;
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index 22018f7..bc6f5e3 100644
+index 22018f7..df77e23 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -88,60 +88,6 @@ static const struct cpu_dev __cpuinitconst default_cpu = {
@@ -17261,7 +19769,65 @@ index 22018f7..bc6f5e3 100644
static int __init x86_xsave_setup(char *s)
{
setup_clear_cpu_cap(X86_FEATURE_XSAVE);
-@@ -386,7 +332,7 @@ void switch_to_new_gdt(int cpu)
+@@ -288,6 +234,57 @@ static __always_inline void setup_smap(struct cpuinfo_x86 *c)
+ set_in_cr4(X86_CR4_SMAP);
+ }
+
++#ifdef CONFIG_X86_64
++static __init int setup_disable_pcid(char *arg)
++{
++ setup_clear_cpu_cap(X86_FEATURE_PCID);
++
++#ifdef CONFIG_PAX_MEMORY_UDEREF
++ if (clone_pgd_mask != ~(pgdval_t)0UL)
++ pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT;
++#endif
++
++ return 1;
++}
++__setup("nopcid", setup_disable_pcid);
++
++static void setup_pcid(struct cpuinfo_x86 *c)
++{
++ if (!cpu_has(c, X86_FEATURE_PCID)) {
++
++#ifdef CONFIG_PAX_MEMORY_UDEREF
++ if (clone_pgd_mask != ~(pgdval_t)0UL) {
++ pax_open_kernel();
++ pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT;
++ pax_close_kernel();
++ printk("PAX: slow and weak UDEREF enabled\n");
++ } else
++ printk("PAX: UDEREF disabled\n");
++#endif
++
++ return;
++ }
++
++ printk("PAX: PCID detected\n");
++ set_in_cr4(X86_CR4_PCIDE);
++
++#ifdef CONFIG_PAX_MEMORY_UDEREF
++ pax_open_kernel();
++ clone_pgd_mask = ~(pgdval_t)0UL;
++ pax_close_kernel();
++ if (pax_user_shadow_base)
++ printk("PAX: weak UDEREF enabled\n");
++ else {
++ set_cpu_cap(c, X86_FEATURE_STRONGUDEREF);
++ printk("PAX: strong UDEREF enabled\n");
++ }
++#endif
++
++ if (cpu_has(c, X86_FEATURE_INVPCID))
++ printk("PAX: INVPCID detected\n");
++}
++#endif
++
+ /*
+ * Some CPU features depend on higher CPUID levels, which may not always
+ * be available due to CPUID level capping or broken virtualization
+@@ -386,7 +383,7 @@ void switch_to_new_gdt(int cpu)
{
struct desc_ptr gdt_descr;
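Review bot: `setup_disable_pcid()` stores to `pax_user_shadow_base` directly, while `setup_pcid()` just below wraps the same store, and the one to `clone_pgd_mask`, in `pax_open_kernel()` / `pax_close_kernel()`. If the variable is already write-protected when the `nopcid` handler runs, the bare store would fault. If it is not (the handler is `__init` and presumably runs before that protection is applied), a comment such as `/* early param: kernel data is still writable here */` would explain the asymmetry. The `printk()` calls reporting "PAX: UDEREF disabled" and "PAX: slow and weak UDEREF enabled" carry no log level; an explicit one would make a protection downgrade easier to find in boot logs.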
@@ -17270,7 +19836,18 @@ index 22018f7..bc6f5e3 100644
gdt_descr.size = GDT_SIZE - 1;
load_gdt(&gdt_descr);
/* Reload the per-cpu base */
-@@ -882,6 +828,10 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c)
+@@ -874,6 +871,10 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c)
+ setup_smep(c);
+ setup_smap(c);
+
++#ifdef CONFIG_X86_64
++ setup_pcid(c);
++#endif
++
+ /*
+ * The vendor-specific functions might have changed features.
+ * Now we do "generic changes."
+@@ -882,6 +883,10 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c)
/* Filter out anything that depends on CPUID levels we don't have */
filter_cpuid_features(c, true);
@@ -17281,7 +19858,7 @@ index 22018f7..bc6f5e3 100644
/* If the model name is still unset, do table lookup. */
if (!c->x86_model_id[0]) {
const char *p;
-@@ -1069,10 +1019,12 @@ static __init int setup_disablecpuid(char *arg)
+@@ -1069,10 +1074,12 @@ static __init int setup_disablecpuid(char *arg)
}
__setup("clearcpuid=", setup_disablecpuid);
@@ -17296,7 +19873,7 @@ index 22018f7..bc6f5e3 100644
DEFINE_PER_CPU_FIRST(union irq_stack_union,
irq_stack_union) __aligned(PAGE_SIZE);
-@@ -1086,7 +1038,7 @@ DEFINE_PER_CPU(struct task_struct *, current_task) ____cacheline_aligned =
+@@ -1086,7 +1093,7 @@ DEFINE_PER_CPU(struct task_struct *, current_task) ____cacheline_aligned =
EXPORT_PER_CPU_SYMBOL(current_task);
DEFINE_PER_CPU(unsigned long, kernel_stack) =
@@ -17305,7 +19882,7 @@ index 22018f7..bc6f5e3 100644
EXPORT_PER_CPU_SYMBOL(kernel_stack);
DEFINE_PER_CPU(char *, irq_stack_ptr) =
-@@ -1231,7 +1183,7 @@ void __cpuinit cpu_init(void)
+@@ -1231,7 +1238,7 @@ void __cpuinit cpu_init(void)
load_ucode_ap();
cpu = stack_smp_processor_id();
@@ -17314,7 +19891,7 @@ index 22018f7..bc6f5e3 100644
oist = &per_cpu(orig_ist, cpu);
#ifdef CONFIG_NUMA
-@@ -1257,7 +1209,7 @@ void __cpuinit cpu_init(void)
+@@ -1257,7 +1264,7 @@ void __cpuinit cpu_init(void)
switch_to_new_gdt(cpu);
loadsegment(fs, 0);
@@ -17323,7 +19900,7 @@ index 22018f7..bc6f5e3 100644
memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
syscall_init();
-@@ -1266,7 +1218,6 @@ void __cpuinit cpu_init(void)
+@@ -1266,7 +1273,6 @@ void __cpuinit cpu_init(void)
wrmsrl(MSR_KERNEL_GS_BASE, 0);
barrier();
@@ -17331,7 +19908,7 @@ index 22018f7..bc6f5e3 100644
enable_x2apic();
/*
-@@ -1318,7 +1269,7 @@ void __cpuinit cpu_init(void)
+@@ -1318,7 +1324,7 @@ void __cpuinit cpu_init(void)
{
int cpu = smp_processor_id();
struct task_struct *curr = current;
@@ -17734,7 +20311,7 @@ index a9e2207..d70c83a 100644
intel_ds_init();
diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.c b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
-index 52441a2..f94fae8 100644
+index 8aac56b..588fb13 100644
--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
@@ -3093,7 +3093,7 @@ static void __init uncore_types_exit(struct intel_uncore_type **types)
@@ -18233,7 +20810,7 @@ index d15f575..d692043 100644
#include <asm/processor.h>
#include <asm/fcntl.h>
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
-index 8f3e2de..caecc4e 100644
+index 8f3e2de..6b71e39 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -177,13 +177,153 @@
@@ -18743,6 +21320,15 @@ index 8f3e2de..caecc4e 100644
ENTRY(simd_coprocessor_error)
RING0_INT_FRAME
+@@ -826,7 +1065,7 @@ ENTRY(simd_coprocessor_error)
+ .section .altinstructions,"a"
+ altinstruction_entry 661b, 663f, X86_FEATURE_XMM, 662b-661b, 664f-663f
+ .previous
+-.section .altinstr_replacement,"ax"
++.section .altinstr_replacement,"a"
+ 663: pushl $do_simd_coprocessor_error
+ 664:
+ .previous
@@ -835,7 +1074,7 @@ ENTRY(simd_coprocessor_error)
#endif
jmp error_code
@@ -18993,7 +21579,7 @@ index 8f3e2de..caecc4e 100644
/*
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
-index 7272089..6204f9c5 100644
+index 7272089..0b74104 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -59,6 +59,8 @@
@@ -19080,7 +21666,7 @@ index 7272089..6204f9c5 100644
#endif
-@@ -284,6 +293,309 @@ ENTRY(native_usergs_sysret64)
+@@ -284,6 +293,430 @@ ENTRY(native_usergs_sysret64)
ENDPROC(native_usergs_sysret64)
#endif /* CONFIG_PARAVIRT */
@@ -19100,18 +21686,19 @@ index 7272089..6204f9c5 100644
+
+ .macro pax_enter_kernel
+ pax_set_fptr_mask
-+#ifdef CONFIG_PAX_KERNEXEC
++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
+ call pax_enter_kernel
+#endif
+ .endm
+
+ .macro pax_exit_kernel
-+#ifdef CONFIG_PAX_KERNEXEC
++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
+ call pax_exit_kernel
+#endif
++
+ .endm
+
-+#ifdef CONFIG_PAX_KERNEXEC
++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
+ENTRY(pax_enter_kernel)
+ pushq %rdi
+
@@ -19119,6 +21706,7 @@ index 7272089..6204f9c5 100644
+ PV_SAVE_REGS(CLBR_RDI)
+#endif
+
++#ifdef CONFIG_PAX_KERNEXEC
+ GET_CR0_INTO_RDI
+ bts $16,%rdi
+ jnc 3f
@@ -19126,6 +21714,32 @@ index 7272089..6204f9c5 100644
+ cmp $__KERNEL_CS,%edi
+ jnz 2f
+1:
++#endif
++
++#ifdef CONFIG_PAX_MEMORY_UDEREF
++ 661: jmp 111f
++ .pushsection .altinstr_replacement, "a"
++ 662: ASM_NOP2
++ .popsection
++ .pushsection .altinstructions, "a"
++ altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2
++ .popsection
++ GET_CR3_INTO_RDI
++ cmp $0,%dil
++ jnz 112f
++ mov $__KERNEL_DS,%edi
++ mov %edi,%ss
++ jmp 111f
++112: cmp $1,%dil
++ jz 113f
++ ud2
++113: sub $4097,%rdi
++ bts $63,%rdi
++ SET_RDI_INTO_CR3
++ mov $__UDEREF_KERNEL_DS,%edi
++ mov %edi,%ss
++111:
++#endif
+
+#ifdef CONFIG_PARAVIRT
+ PV_RESTORE_REGS(CLBR_RDI)
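Review bot: The UDEREF block added to `pax_enter_kernel` uses bare constants, `sub $4097,%rdi` and `bts $63,%rdi`, whose meaning depends on definitions elsewhere in the patch. 4097 appears to be one 4096-byte PGD (the distance between `cpu_pgd[cpu][kernel]` and `cpu_pgd[cpu][user]`) plus `PCID_USER`, and bit 63 matches `PCID_NOFLUSH`. Nothing ties the assembly to those definitions, so a change to the `cpu_pgd` layout or the PCID values would leave CR3 pointing at the wrong table with no build error. Comments such as `/* 4097 = PAGE_SIZE + PCID_USER: step from the user PGD/PCID back to the kernel one */` and `/* bit 63: PCID_NOFLUSH */`, or named assembler constants, would make the coupling visible. The same constants recur in the `pax_exit_kernel`, `pax_enter_kernel_user` and `pax_exit_kernel_user` hunks, and `pax_enter_kernel` itself begins and ends outside this hunk.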
@@ -19135,10 +21749,12 @@ index 7272089..6204f9c5 100644
+ pax_force_retaddr
+ retq
+
++#ifdef CONFIG_PAX_KERNEXEC
+2: ljmpq __KERNEL_CS,1b
+3: ljmpq __KERNEXEC_KERNEL_CS,4f
+4: SET_RDI_INTO_CR0
+ jmp 1b
++#endif
+ENDPROC(pax_enter_kernel)
+
+ENTRY(pax_exit_kernel)
@@ -19148,6 +21764,7 @@ index 7272089..6204f9c5 100644
+ PV_SAVE_REGS(CLBR_RDI)
+#endif
+
++#ifdef CONFIG_PAX_KERNEXEC
+ mov %cs,%rdi
+ cmp $__KERNEXEC_KERNEL_CS,%edi
+ jz 2f
@@ -19155,6 +21772,30 @@ index 7272089..6204f9c5 100644
+ bts $16,%rdi
+ jnc 4f
+1:
++#endif
++
++#ifdef CONFIG_PAX_MEMORY_UDEREF
++ 661: jmp 111f
++ .pushsection .altinstr_replacement, "a"
++ 662: ASM_NOP2
++ .popsection
++ .pushsection .altinstructions, "a"
++ altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2
++ .popsection
++ mov %ss,%edi
++ cmp $__UDEREF_KERNEL_DS,%edi
++ jnz 111f
++ GET_CR3_INTO_RDI
++ cmp $0,%dil
++ jz 112f
++ ud2
++112: add $4097,%rdi
++ bts $63,%rdi
++ SET_RDI_INTO_CR3
++ mov $__KERNEL_DS,%edi
++ mov %edi,%ss
++111:
++#endif
+
+#ifdef CONFIG_PARAVIRT
+ PV_RESTORE_REGS(CLBR_RDI);
@@ -19164,6 +21805,7 @@ index 7272089..6204f9c5 100644
+ pax_force_retaddr
+ retq
+
++#ifdef CONFIG_PAX_KERNEXEC
+2: GET_CR0_INTO_RDI
+ btr $16,%rdi
+ jnc 4f
@@ -19172,6 +21814,7 @@ index 7272089..6204f9c5 100644
+ jmp 1b
+4: ud2
+ jmp 4b
++#endif
+ENDPROC(pax_exit_kernel)
+#endif
+
@@ -19204,6 +21847,22 @@ index 7272089..6204f9c5 100644
+ PV_SAVE_REGS(CLBR_RDI)
+#endif
+
++ 661: jmp 111f
++ .pushsection .altinstr_replacement, "a"
++ 662: ASM_NOP2
++ .popsection
++ .pushsection .altinstructions, "a"
++ altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2
++ .popsection
++ GET_CR3_INTO_RDI
++ cmp $1,%dil
++ jnz 4f
++ sub $4097,%rdi
++ bts $63,%rdi
++ SET_RDI_INTO_CR3
++ jmp 3f
++111:
++
+ GET_CR3_INTO_RDI
+ mov %rdi,%rbx
+ add $__START_KERNEL_map,%rbx
@@ -19232,10 +21891,7 @@ index 7272089..6204f9c5 100644
+ i = i + 1
+ .endr
+
-+#ifdef CONFIG_PARAVIRT
-+2:
-+#endif
-+ SET_RDI_INTO_CR3
++2: SET_RDI_INTO_CR3
+
+#ifdef CONFIG_PAX_KERNEXEC
+ GET_CR0_INTO_RDI
@@ -19243,6 +21899,8 @@ index 7272089..6204f9c5 100644
+ SET_RDI_INTO_CR0
+#endif
+
++3:
++
+#ifdef CONFIG_PARAVIRT
+ PV_RESTORE_REGS(CLBR_RDI)
+#endif
@@ -19251,6 +21909,7 @@ index 7272089..6204f9c5 100644
+ popq %rdi
+ pax_force_retaddr
+ retq
++4: ud2
+ENDPROC(pax_enter_kernel_user)
+
+ENTRY(pax_exit_kernel_user)
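Review bot: The trap label added after `retq` is a bare `4: ud2`, whereas pax_exit_kernel a few hunks earlier still ends its error path with `4: ud2` followed by `jmp 4b`. This revision also drops the `jmp 3b` from pax_exit_kernel_user, so the file now mixes both conventions for the same failed-state-check exit. Settle on one form and record the reason next to the label, for example `/* unexpected CR3 state: trap here, never fall through into the next symbol */`. pax_enter_kernel_user begins outside this hunk.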
@@ -19261,6 +21920,24 @@ index 7272089..6204f9c5 100644
+ PV_SAVE_REGS(CLBR_RDI)
+#endif
+
++ GET_CR3_INTO_RDI
++ 661: jmp 1f
++ .pushsection .altinstr_replacement, "a"
++ 662: ASM_NOP2
++ .popsection
++ .pushsection .altinstructions, "a"
++ altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2
++ .popsection
++ cmp $0,%dil
++ jnz 3f
++ add $4097,%rdi
++ bts $63,%rdi
++ SET_RDI_INTO_CR3
++ jmp 2f
++1:
++
++ mov %rdi,%rbx
++
+#ifdef CONFIG_PAX_KERNEXEC
+ GET_CR0_INTO_RDI
+ btr $16,%rdi
@@ -19268,8 +21945,6 @@ index 7272089..6204f9c5 100644
+ SET_RDI_INTO_CR0
+#endif
+
-+ GET_CR3_INTO_RDI
-+ mov %rdi,%rbx
+ add $__START_KERNEL_map,%rbx
+ sub phys_base(%rip),%rbx
+
@@ -19293,9 +21968,10 @@ index 7272089..6204f9c5 100644
+ movb $0x67,i*8(%rbx)
+ i = i + 1
+ .endr
++2:
+
+#ifdef CONFIG_PARAVIRT
-+2: PV_RESTORE_REGS(CLBR_RDI)
++ PV_RESTORE_REGS(CLBR_RDI)
+#endif
+
+ popq %rbx
@@ -19303,7 +21979,6 @@ index 7272089..6204f9c5 100644
+ pax_force_retaddr
+ retq
+3: ud2
-+ jmp 3b
+ENDPROC(pax_exit_kernel_user)
+#endif
+
@@ -19318,6 +21993,26 @@ index 7272089..6204f9c5 100644
+ or $2,%ebx
+110:
+#endif
++
++#ifdef CONFIG_PAX_MEMORY_UDEREF
++ 661: jmp 111f
++ .pushsection .altinstr_replacement, "a"
++ 662: ASM_NOP2
++ .popsection
++ .pushsection .altinstructions, "a"
++ altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2
++ .popsection
++ GET_CR3_INTO_RDI
++ cmp $0,%dil
++ jz 111f
++ sub $4097,%rdi
++ or $4,%ebx
++ bts $63,%rdi
++ SET_RDI_INTO_CR3
++ mov $__UDEREF_KERNEL_DS,%edi
++ mov %edi,%ss
++111:
++#endif
+ .endm
+
+ .macro pax_exit_kernel_nmi
@@ -19329,6 +22024,18 @@ index 7272089..6204f9c5 100644
+ SET_RDI_INTO_CR0
+110:
+#endif
++
++#ifdef CONFIG_PAX_MEMORY_UDEREF
++ btr $2,%ebx
++ jnc 111f
++ GET_CR3_INTO_RDI
++ add $4097,%rdi
++ bts $63,%rdi
++ SET_RDI_INTO_CR3
++ mov $__KERNEL_DS,%edi
++ mov %edi,%ss
++111:
++#endif
+ .endm
+
+ .macro pax_erase_kstack
@@ -19390,7 +22097,7 @@ index 7272089..6204f9c5 100644
.macro TRACE_IRQS_IRETQ offset=ARGOFFSET
#ifdef CONFIG_TRACE_IRQFLAGS
-@@ -375,8 +687,8 @@ ENDPROC(native_usergs_sysret64)
+@@ -375,8 +808,8 @@ ENDPROC(native_usergs_sysret64)
.endm
.macro UNFAKE_STACK_FRAME
@@ -19401,7 +22108,7 @@ index 7272089..6204f9c5 100644
.endm
/*
-@@ -463,7 +775,7 @@ ENDPROC(native_usergs_sysret64)
+@@ -463,7 +896,7 @@ ENDPROC(native_usergs_sysret64)
movq %rsp, %rsi
leaq -RBP(%rsp),%rdi /* arg1 for handler */
@@ -19410,7 +22117,7 @@ index 7272089..6204f9c5 100644
je 1f
SWAPGS
/*
-@@ -498,9 +810,10 @@ ENTRY(save_rest)
+@@ -498,9 +931,10 @@ ENTRY(save_rest)
movq_cfi r15, R15+16
movq %r11, 8(%rsp) /* return address */
FIXUP_TOP_OF_STACK %r11, 16
@@ -19422,7 +22129,7 @@ index 7272089..6204f9c5 100644
/* save complete stack frame */
.pushsection .kprobes.text, "ax"
-@@ -529,9 +842,10 @@ ENTRY(save_paranoid)
+@@ -529,9 +963,10 @@ ENTRY(save_paranoid)
js 1f /* negative -> in kernel */
SWAPGS
xorl %ebx,%ebx
@@ -19435,7 +22142,7 @@ index 7272089..6204f9c5 100644
.popsection
/*
-@@ -553,7 +867,7 @@ ENTRY(ret_from_fork)
+@@ -553,7 +988,7 @@ ENTRY(ret_from_fork)
RESTORE_REST
@@ -19444,7 +22151,7 @@ index 7272089..6204f9c5 100644
jz 1f
testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
-@@ -571,7 +885,7 @@ ENTRY(ret_from_fork)
+@@ -571,7 +1006,7 @@ ENTRY(ret_from_fork)
RESTORE_REST
jmp int_ret_from_sys_call
CFI_ENDPROC
@@ -19453,7 +22160,7 @@ index 7272089..6204f9c5 100644
/*
* System call entry. Up to 6 arguments in registers are supported.
-@@ -608,7 +922,7 @@ END(ret_from_fork)
+@@ -608,7 +1043,7 @@ END(ret_from_fork)
ENTRY(system_call)
CFI_STARTPROC simple
CFI_SIGNAL_FRAME
@@ -19462,7 +22169,7 @@ index 7272089..6204f9c5 100644
CFI_REGISTER rip,rcx
/*CFI_REGISTER rflags,r11*/
SWAPGS_UNSAFE_STACK
-@@ -621,16 +935,23 @@ GLOBAL(system_call_after_swapgs)
+@@ -621,16 +1056,23 @@ GLOBAL(system_call_after_swapgs)
movq %rsp,PER_CPU_VAR(old_rsp)
movq PER_CPU_VAR(kernel_stack),%rsp
@@ -19488,7 +22195,7 @@ index 7272089..6204f9c5 100644
jnz tracesys
system_call_fastpath:
#if __SYSCALL_MASK == ~0
-@@ -640,7 +961,7 @@ system_call_fastpath:
+@@ -640,7 +1082,7 @@ system_call_fastpath:
cmpl $__NR_syscall_max,%eax
#endif
ja badsys
@@ -19497,7 +22204,7 @@ index 7272089..6204f9c5 100644
call *sys_call_table(,%rax,8) # XXX: rip relative
movq %rax,RAX-ARGOFFSET(%rsp)
/*
-@@ -654,10 +975,13 @@ sysret_check:
+@@ -654,10 +1096,13 @@ sysret_check:
LOCKDEP_SYS_EXIT
DISABLE_INTERRUPTS(CLBR_NONE)
TRACE_IRQS_OFF
@@ -19512,7 +22219,7 @@ index 7272089..6204f9c5 100644
/*
* sysretq will re-enable interrupts:
*/
-@@ -709,14 +1033,18 @@ badsys:
+@@ -709,14 +1154,18 @@ badsys:
* jump back to the normal fast path.
*/
auditsys:
@@ -19532,7 +22239,7 @@ index 7272089..6204f9c5 100644
jmp system_call_fastpath
/*
-@@ -737,7 +1065,7 @@ sysret_audit:
+@@ -737,7 +1186,7 @@ sysret_audit:
/* Do syscall tracing */
tracesys:
#ifdef CONFIG_AUDITSYSCALL
@@ -19541,7 +22248,7 @@ index 7272089..6204f9c5 100644
jz auditsys
#endif
SAVE_REST
-@@ -745,12 +1073,16 @@ tracesys:
+@@ -745,12 +1194,16 @@ tracesys:
FIXUP_TOP_OF_STACK %rdi
movq %rsp,%rdi
call syscall_trace_enter
@@ -19558,7 +22265,7 @@ index 7272089..6204f9c5 100644
RESTORE_REST
#if __SYSCALL_MASK == ~0
cmpq $__NR_syscall_max,%rax
-@@ -759,7 +1091,7 @@ tracesys:
+@@ -759,7 +1212,7 @@ tracesys:
cmpl $__NR_syscall_max,%eax
#endif
ja int_ret_from_sys_call /* RAX(%rsp) set to -ENOSYS above */
@@ -19567,7 +22274,7 @@ index 7272089..6204f9c5 100644
call *sys_call_table(,%rax,8)
movq %rax,RAX-ARGOFFSET(%rsp)
/* Use IRET because user could have changed frame */
-@@ -780,7 +1112,9 @@ GLOBAL(int_with_check)
+@@ -780,7 +1233,9 @@ GLOBAL(int_with_check)
andl %edi,%edx
jnz int_careful
andl $~TS_COMPAT,TI_status(%rcx)
@@ -19578,7 +22285,7 @@ index 7272089..6204f9c5 100644
/* Either reschedule or signal or syscall exit tracking needed. */
/* First do a reschedule test. */
-@@ -826,7 +1160,7 @@ int_restore_rest:
+@@ -826,7 +1281,7 @@ int_restore_rest:
TRACE_IRQS_OFF
jmp int_with_check
CFI_ENDPROC
@@ -19587,7 +22294,7 @@ index 7272089..6204f9c5 100644
.macro FORK_LIKE func
ENTRY(stub_\func)
-@@ -839,9 +1173,10 @@ ENTRY(stub_\func)
+@@ -839,9 +1294,10 @@ ENTRY(stub_\func)
DEFAULT_FRAME 0 8 /* offset 8: return address */
call sys_\func
RESTORE_TOP_OF_STACK %r11, 8
@@ -19599,7 +22306,7 @@ index 7272089..6204f9c5 100644
.endm
.macro FIXED_FRAME label,func
-@@ -851,9 +1186,10 @@ ENTRY(\label)
+@@ -851,9 +1307,10 @@ ENTRY(\label)
FIXUP_TOP_OF_STACK %r11, 8-ARGOFFSET
call \func
RESTORE_TOP_OF_STACK %r11, 8-ARGOFFSET
@@ -19611,7 +22318,7 @@ index 7272089..6204f9c5 100644
.endm
FORK_LIKE clone
-@@ -870,9 +1206,10 @@ ENTRY(ptregscall_common)
+@@ -870,9 +1327,10 @@ ENTRY(ptregscall_common)
movq_cfi_restore R12+8, r12
movq_cfi_restore RBP+8, rbp
movq_cfi_restore RBX+8, rbx
@@ -19623,7 +22330,7 @@ index 7272089..6204f9c5 100644
ENTRY(stub_execve)
CFI_STARTPROC
-@@ -885,7 +1222,7 @@ ENTRY(stub_execve)
+@@ -885,7 +1343,7 @@ ENTRY(stub_execve)
RESTORE_REST
jmp int_ret_from_sys_call
CFI_ENDPROC
@@ -19632,7 +22339,7 @@ index 7272089..6204f9c5 100644
/*
* sigreturn is special because it needs to restore all registers on return.
-@@ -902,7 +1239,7 @@ ENTRY(stub_rt_sigreturn)
+@@ -902,7 +1360,7 @@ ENTRY(stub_rt_sigreturn)
RESTORE_REST
jmp int_ret_from_sys_call
CFI_ENDPROC
@@ -19641,7 +22348,7 @@ index 7272089..6204f9c5 100644
#ifdef CONFIG_X86_X32_ABI
ENTRY(stub_x32_rt_sigreturn)
-@@ -916,7 +1253,7 @@ ENTRY(stub_x32_rt_sigreturn)
+@@ -916,7 +1374,7 @@ ENTRY(stub_x32_rt_sigreturn)
RESTORE_REST
jmp int_ret_from_sys_call
CFI_ENDPROC
@@ -19650,7 +22357,7 @@ index 7272089..6204f9c5 100644
ENTRY(stub_x32_execve)
CFI_STARTPROC
-@@ -930,7 +1267,7 @@ ENTRY(stub_x32_execve)
+@@ -930,7 +1388,7 @@ ENTRY(stub_x32_execve)
RESTORE_REST
jmp int_ret_from_sys_call
CFI_ENDPROC
@@ -19659,7 +22366,7 @@ index 7272089..6204f9c5 100644
#endif
-@@ -967,7 +1304,7 @@ vector=vector+1
+@@ -967,7 +1425,7 @@ vector=vector+1
2: jmp common_interrupt
.endr
CFI_ENDPROC
@@ -19668,7 +22375,7 @@ index 7272089..6204f9c5 100644
.previous
END(interrupt)
-@@ -987,6 +1324,16 @@ END(interrupt)
+@@ -987,6 +1445,16 @@ END(interrupt)
subq $ORIG_RAX-RBP, %rsp
CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP
SAVE_ARGS_IRQ
@@ -19685,7 +22392,7 @@ index 7272089..6204f9c5 100644
call \func
.endm
-@@ -1019,7 +1366,7 @@ ret_from_intr:
+@@ -1019,7 +1487,7 @@ ret_from_intr:
exit_intr:
GET_THREAD_INFO(%rcx)
@@ -19694,7 +22401,7 @@ index 7272089..6204f9c5 100644
je retint_kernel
/* Interrupt came from user space */
-@@ -1041,12 +1388,16 @@ retint_swapgs: /* return to user-space */
+@@ -1041,12 +1509,16 @@ retint_swapgs: /* return to user-space */
* The iretq could re-enable interrupts:
*/
DISABLE_INTERRUPTS(CLBR_ANY)
@@ -19711,7 +22418,7 @@ index 7272089..6204f9c5 100644
/*
* The iretq could re-enable interrupts:
*/
-@@ -1129,7 +1480,7 @@ ENTRY(retint_kernel)
+@@ -1129,7 +1601,7 @@ ENTRY(retint_kernel)
#endif
CFI_ENDPROC
@@ -19720,7 +22427,7 @@ index 7272089..6204f9c5 100644
/*
* End of kprobes section
*/
-@@ -1147,7 +1498,7 @@ ENTRY(\sym)
+@@ -1147,7 +1619,7 @@ ENTRY(\sym)
interrupt \do_sym
jmp ret_from_intr
CFI_ENDPROC
@@ -19729,7 +22436,7 @@ index 7272089..6204f9c5 100644
.endm
#ifdef CONFIG_SMP
-@@ -1208,12 +1559,22 @@ ENTRY(\sym)
+@@ -1208,12 +1680,22 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
call error_entry
DEFAULT_FRAME 0
@@ -19753,7 +22460,7 @@ index 7272089..6204f9c5 100644
.endm
.macro paranoidzeroentry sym do_sym
-@@ -1226,15 +1587,25 @@ ENTRY(\sym)
+@@ -1226,15 +1708,25 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
call save_paranoid
TRACE_IRQS_OFF
@@ -19781,7 +22488,7 @@ index 7272089..6204f9c5 100644
.macro paranoidzeroentry_ist sym do_sym ist
ENTRY(\sym)
INTR_FRAME
-@@ -1245,14 +1616,30 @@ ENTRY(\sym)
+@@ -1245,14 +1737,30 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
call save_paranoid
TRACE_IRQS_OFF_DEBUG
@@ -19813,7 +22520,7 @@ index 7272089..6204f9c5 100644
.endm
.macro errorentry sym do_sym
-@@ -1264,13 +1651,23 @@ ENTRY(\sym)
+@@ -1264,13 +1772,23 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
call error_entry
DEFAULT_FRAME 0
@@ -19838,7 +22545,7 @@ index 7272089..6204f9c5 100644
.endm
/* error code is on the stack already */
-@@ -1284,13 +1681,23 @@ ENTRY(\sym)
+@@ -1284,13 +1802,23 @@ ENTRY(\sym)
call save_paranoid
DEFAULT_FRAME 0
TRACE_IRQS_OFF
@@ -19863,7 +22570,7 @@ index 7272089..6204f9c5 100644
.endm
zeroentry divide_error do_divide_error
-@@ -1320,9 +1727,10 @@ gs_change:
+@@ -1320,9 +1848,10 @@ gs_change:
2: mfence /* workaround */
SWAPGS
popfq_cfi
@@ -19875,7 +22582,7 @@ index 7272089..6204f9c5 100644
_ASM_EXTABLE(gs_change,bad_gs)
.section .fixup,"ax"
-@@ -1350,9 +1758,10 @@ ENTRY(call_softirq)
+@@ -1350,9 +1879,10 @@ ENTRY(call_softirq)
CFI_DEF_CFA_REGISTER rsp
CFI_ADJUST_CFA_OFFSET -8
decl PER_CPU_VAR(irq_count)
@@ -19887,7 +22594,7 @@ index 7272089..6204f9c5 100644
#ifdef CONFIG_XEN
zeroentry xen_hypervisor_callback xen_do_hypervisor_callback
-@@ -1390,7 +1799,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs)
+@@ -1390,7 +1920,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs)
decl PER_CPU_VAR(irq_count)
jmp error_exit
CFI_ENDPROC
@@ -19896,7 +22603,7 @@ index 7272089..6204f9c5 100644
/*
* Hypervisor uses this for application faults while it executes.
-@@ -1449,7 +1858,7 @@ ENTRY(xen_failsafe_callback)
+@@ -1449,7 +1979,7 @@ ENTRY(xen_failsafe_callback)
SAVE_ALL
jmp error_exit
CFI_ENDPROC
@@ -19905,7 +22612,7 @@ index 7272089..6204f9c5 100644
apicinterrupt HYPERVISOR_CALLBACK_VECTOR \
xen_hvm_callback_vector xen_evtchn_do_upcall
-@@ -1501,18 +1910,33 @@ ENTRY(paranoid_exit)
+@@ -1501,18 +2031,33 @@ ENTRY(paranoid_exit)
DEFAULT_FRAME
DISABLE_INTERRUPTS(CLBR_NONE)
TRACE_IRQS_OFF_DEBUG
@@ -19941,7 +22648,7 @@ index 7272089..6204f9c5 100644
jmp irq_return
paranoid_userspace:
GET_THREAD_INFO(%rcx)
-@@ -1541,7 +1965,7 @@ paranoid_schedule:
+@@ -1541,7 +2086,7 @@ paranoid_schedule:
TRACE_IRQS_OFF
jmp paranoid_userspace
CFI_ENDPROC
@@ -19950,7 +22657,7 @@ index 7272089..6204f9c5 100644
/*
* Exception entry point. This expects an error code/orig_rax on the stack.
-@@ -1568,12 +1992,13 @@ ENTRY(error_entry)
+@@ -1568,12 +2113,13 @@ ENTRY(error_entry)
movq_cfi r14, R14+8
movq_cfi r15, R15+8
xorl %ebx,%ebx
@@ -19965,7 +22672,7 @@ index 7272089..6204f9c5 100644
ret
/*
-@@ -1600,7 +2025,7 @@ bstep_iret:
+@@ -1600,7 +2146,7 @@ bstep_iret:
movq %rcx,RIP+8(%rsp)
jmp error_swapgs
CFI_ENDPROC
@@ -19974,7 +22681,7 @@ index 7272089..6204f9c5 100644
/* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */
-@@ -1611,7 +2036,7 @@ ENTRY(error_exit)
+@@ -1611,7 +2157,7 @@ ENTRY(error_exit)
DISABLE_INTERRUPTS(CLBR_NONE)
TRACE_IRQS_OFF
GET_THREAD_INFO(%rcx)
@@ -19983,7 +22690,7 @@ index 7272089..6204f9c5 100644
jne retint_kernel
LOCKDEP_SYS_EXIT_IRQ
movl TI_flags(%rcx),%edx
-@@ -1620,7 +2045,7 @@ ENTRY(error_exit)
+@@ -1620,7 +2166,7 @@ ENTRY(error_exit)
jnz retint_careful
jmp retint_swapgs
CFI_ENDPROC
@@ -19992,7 +22699,7 @@ index 7272089..6204f9c5 100644
/*
* Test if a given stack is an NMI stack or not.
-@@ -1678,9 +2103,11 @@ ENTRY(nmi)
+@@ -1678,9 +2224,11 @@ ENTRY(nmi)
* If %cs was not the kernel segment, then the NMI triggered in user
* space, which means it is definitely not nested.
*/
@@ -20005,7 +22712,7 @@ index 7272089..6204f9c5 100644
/*
* Check the special variable on the stack to see if NMIs are
* executing.
-@@ -1714,8 +2141,7 @@ nested_nmi:
+@@ -1714,8 +2262,7 @@ nested_nmi:
1:
/* Set up the interrupted NMIs stack to jump to repeat_nmi */
@@ -20015,7 +22722,7 @@ index 7272089..6204f9c5 100644
CFI_ADJUST_CFA_OFFSET 1*8
leaq -10*8(%rsp), %rdx
pushq_cfi $__KERNEL_DS
-@@ -1733,6 +2159,7 @@ nested_nmi_out:
+@@ -1733,6 +2280,7 @@ nested_nmi_out:
CFI_RESTORE rdx
/* No need to check faults here */
@@ -20023,7 +22730,7 @@ index 7272089..6204f9c5 100644
INTERRUPT_RETURN
CFI_RESTORE_STATE
-@@ -1849,6 +2276,8 @@ end_repeat_nmi:
+@@ -1849,6 +2397,8 @@ end_repeat_nmi:
*/
movq %cr2, %r12
@@ -20032,7 +22739,7 @@ index 7272089..6204f9c5 100644
/* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
movq %rsp,%rdi
movq $-1,%rsi
-@@ -1861,26 +2290,31 @@ end_repeat_nmi:
+@@ -1861,26 +2411,31 @@ end_repeat_nmi:
movq %r12, %cr2
1:
@@ -20188,7 +22895,7 @@ index 55b6761..a6456fc 100644
init_level4_pgt[511] = early_level4_pgt[511];
diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S
-index 73afd11..d1670f5 100644
+index 73afd11..0ef46f2 100644
--- a/arch/x86/kernel/head_32.S
+++ b/arch/x86/kernel/head_32.S
@@ -26,6 +26,12 @@
@@ -20509,7 +23216,7 @@ index 73afd11..d1670f5 100644
+
+#ifdef CONFIG_PAX_PER_CPU_PGD
+ENTRY(cpu_pgd)
-+ .rept NR_CPUS
++ .rept 2*NR_CPUS
+ .fill 4,8,0
+ .endr
+#endif
@@ -20620,7 +23327,7 @@ index 73afd11..d1670f5 100644
+ .fill PAGE_SIZE_asm - GDT_SIZE,1,0
+ .endr
diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
-index a836860..bdeb7a5 100644
+index a836860..1b5c665 100644
--- a/arch/x86/kernel/head_64.S
+++ b/arch/x86/kernel/head_64.S
@@ -20,6 +20,8 @@
@@ -20755,7 +23462,7 @@ index a836860..bdeb7a5 100644
+#ifdef CONFIG_PAX_PER_CPU_PGD
+NEXT_PAGE(cpu_pgd)
-+ .rept NR_CPUS
++ .rept 2*NR_CPUS
+ .fill 512,8,0
+ .endr
+#endif
@@ -20800,7 +23507,7 @@ index a836860..bdeb7a5 100644
NEXT_PAGE(level2_kernel_pgt)
/*
* 512 MB kernel mapping. We spend a full page on this pagetable
-@@ -488,39 +544,64 @@ NEXT_PAGE(level2_kernel_pgt)
+@@ -488,39 +544,70 @@ NEXT_PAGE(level2_kernel_pgt)
KERNEL_IMAGE_SIZE/PMD_SIZE)
NEXT_PAGE(level2_fixmap_pgt)
@@ -20843,6 +23550,12 @@ index a836860..bdeb7a5 100644
+ .quad 0x0000f40000000000 /* node/CPU stored in limit */
+ /* asm/segment.h:GDT_ENTRIES must match this */
+
++#ifdef CONFIG_PAX_MEMORY_UDEREF
++ .quad 0x00cf93000000ffff /* __UDEREF_KERNEL_DS */
++#else
++ .quad 0x0 /* unused */
++#endif
++
+ /* zero the remaining page */
+ .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
+ .endr
@@ -20881,7 +23594,7 @@ index a836860..bdeb7a5 100644
- .skip PAGE_SIZE
+ .fill 512,8,0
diff --git a/arch/x86/kernel/i386_ksyms_32.c b/arch/x86/kernel/i386_ksyms_32.c
-index 0fa6912..37fce70 100644
+index 0fa6912..b37438b 100644
--- a/arch/x86/kernel/i386_ksyms_32.c
+++ b/arch/x86/kernel/i386_ksyms_32.c
@@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
@@ -20897,7 +23610,7 @@ index 0fa6912..37fce70 100644
EXPORT_SYMBOL(__get_user_1);
EXPORT_SYMBOL(__get_user_2);
-@@ -37,3 +41,7 @@ EXPORT_SYMBOL(strstr);
+@@ -37,3 +41,11 @@ EXPORT_SYMBOL(strstr);
EXPORT_SYMBOL(csum_partial);
EXPORT_SYMBOL(empty_zero_page);
@@ -20905,8 +23618,12 @@ index 0fa6912..37fce70 100644
+#ifdef CONFIG_PAX_KERNEXEC
+EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
+#endif
++
++#ifdef CONFIG_PAX_PER_CPU_PGD
++EXPORT_SYMBOL(cpu_pgd);
++#endif
diff --git a/arch/x86/kernel/i387.c b/arch/x86/kernel/i387.c
-index cb33909..1163b40 100644
+index f7ea30d..6318acc 100644
--- a/arch/x86/kernel/i387.c
+++ b/arch/x86/kernel/i387.c
@@ -51,7 +51,7 @@ static inline bool interrupted_kernel_fpu_idle(void)
@@ -22278,7 +24995,7 @@ index 7305f7d..22f73d6 100644
}
-
diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
-index 355ae06..4530766 100644
+index 355ae06..560fbbe 100644
--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -151,10 +151,11 @@ int copy_thread(unsigned long clone_flags, unsigned long sp,
@@ -22294,7 +25011,16 @@ index 355ae06..4530766 100644
set_tsk_thread_flag(p, TIF_FORK);
p->fpu_counter = 0;
p->thread.io_bitmap_ptr = NULL;
-@@ -273,7 +274,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
+@@ -165,6 +166,8 @@ int copy_thread(unsigned long clone_flags, unsigned long sp,
+ p->thread.fs = p->thread.fsindex ? 0 : me->thread.fs;
+ savesegment(es, p->thread.es);
+ savesegment(ds, p->thread.ds);
++ savesegment(ss, p->thread.ss);
++ BUG_ON(p->thread.ss == __UDEREF_KERNEL_DS);
+ memset(p->thread.ptrace_bps, 0, sizeof(p->thread.ptrace_bps));
+
+ if (unlikely(p->flags & PF_KTHREAD)) {
+@@ -273,7 +276,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
struct thread_struct *prev = &prev_p->thread;
struct thread_struct *next = &next_p->thread;
int cpu = smp_processor_id();
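Review bot: The two lines added to copy_thread(), `savesegment(ss, p->thread.ss);` and `BUG_ON(p->thread.ss == __UDEREF_KERNEL_DS);`, carry no comment on what invariant is being enforced. Judging by the entry code in this patch, which loads `__UDEREF_KERNEL_DS` into %ss on one CR3 path, SS seems to double as per-task UDEREF state; a comment such as `/* SS == __UDEREF_KERNEL_DS marks a UDEREF entry state that must not be inherited by a child */` would make that checkable (wording to be confirmed by the author). No CONFIG_PAX_MEMORY_UDEREF guard is visible around these lines or around the `savesegment(ss, prev->ss)` / `loadsegment(ss, next->ss)` pair added to __switch_to() in the next hunk, although the GDT slot for that selector is only populated under that option in head_64.S. Both functions extend beyond their hunks.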
@@ -22303,7 +25029,17 @@ index 355ae06..4530766 100644
unsigned fsindex, gsindex;
fpu_switch_t fpu;
-@@ -355,10 +356,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
+@@ -296,6 +299,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
+ if (unlikely(next->ds | prev->ds))
+ loadsegment(ds, next->ds);
+
++ savesegment(ss, prev->ss);
++ if (unlikely(next->ss != prev->ss))
++ loadsegment(ss, next->ss);
+
+ /* We must save %fs and %gs before load_TLS() because
+ * %fs and %gs may be cleared by load_TLS().
+@@ -355,10 +361,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
prev->usersp = this_cpu_read(old_rsp);
this_cpu_write(old_rsp, next->usersp);
this_cpu_write(current_task, next_p);
@@ -22316,7 +25052,7 @@ index 355ae06..4530766 100644
/*
* Now maybe reload the debug registers and handle I/O bitmaps
-@@ -427,12 +427,11 @@ unsigned long get_wchan(struct task_struct *p)
+@@ -427,12 +432,11 @@ unsigned long get_wchan(struct task_struct *p)
if (!p || p == current || p->state == TASK_RUNNING)
return 0;
stack = (unsigned long)task_stack_page(p);
@@ -22637,7 +25373,7 @@ index f2bb9c9..bed145d7 100644
1:
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 56f7fcf..fa229f4 100644
+index 56f7fcf..2cfe4f1 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -110,6 +110,7 @@
@@ -22648,7 +25384,61 @@ index 56f7fcf..fa229f4 100644
/*
* max_low_pfn_mapped: highest direct mapped pfn under 4GB
-@@ -444,7 +445,7 @@ static void __init parse_setup_data(void)
+@@ -205,12 +206,50 @@ EXPORT_SYMBOL(boot_cpu_data);
+ #endif
+
+
+-#if !defined(CONFIG_X86_PAE) || defined(CONFIG_X86_64)
+-unsigned long mmu_cr4_features;
++#ifdef CONFIG_X86_64
++unsigned long mmu_cr4_features __read_only = X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE;
++#elif defined(CONFIG_X86_PAE)
++unsigned long mmu_cr4_features __read_only = X86_CR4_PAE;
+ #else
+-unsigned long mmu_cr4_features = X86_CR4_PAE;
++unsigned long mmu_cr4_features __read_only;
+ #endif
+
++void set_in_cr4(unsigned long mask)
++{
++ unsigned long cr4 = read_cr4();
++
++ if ((cr4 & mask) == mask && cr4 == mmu_cr4_features)
++ return;
++
++ pax_open_kernel();
++ mmu_cr4_features |= mask;
++ pax_close_kernel();
++
++ if (trampoline_cr4_features)
++ *trampoline_cr4_features = mmu_cr4_features;
++ cr4 |= mask;
++ write_cr4(cr4);
++}
++EXPORT_SYMBOL(set_in_cr4);
++
++void clear_in_cr4(unsigned long mask)
++{
++ unsigned long cr4 = read_cr4();
++
++ if (!(cr4 & mask) && cr4 == mmu_cr4_features)
++ return;
++
++ pax_open_kernel();
++ mmu_cr4_features &= ~mask;
++ pax_close_kernel();
++
++ if (trampoline_cr4_features)
++ *trampoline_cr4_features = mmu_cr4_features;
++ cr4 &= ~mask;
++ write_cr4(cr4);
++}
++EXPORT_SYMBOL(clear_in_cr4);
++
+ /* Boot loader ID and version as integers, for the benefit of proc_dointvec */
+ int bootloader_type, bootloader_version;
+
+@@ -444,7 +483,7 @@ static void __init parse_setup_data(void)
switch (data->type) {
case SETUP_E820_EXT:
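Review bot: set_in_cr4() and clear_in_cr4() are added without any comment, and the reason for the `pax_open_kernel()` / `pax_close_kernel()` bracket is only visible a few lines up, where `mmu_cr4_features` becomes `__read_only`. A header comment on each function should say that the cached value is write-protected and is unlocked only for the single update, e.g. `/* mmu_cr4_features is __read_only: open the kernel write window for this store only */`. It should also state that the early return is taken only when the live CR4 equals the cached value exactly, since `cr4 == mmu_cr4_features` is stricter than testing the mask alone. The update of the shared variable is a plain read-modify-write with no locking visible in the hunk; whether callers serialise it cannot be told from here.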
@@ -22657,7 +25447,7 @@ index 56f7fcf..fa229f4 100644
break;
case SETUP_DTB:
add_dtb(pa_data);
-@@ -771,7 +772,7 @@ static void __init trim_bios_range(void)
+@@ -771,7 +810,7 @@ static void __init trim_bios_range(void)
* area (640->1Mb) as ram even though it is not.
* take them out.
*/
@@ -22666,7 +25456,7 @@ index 56f7fcf..fa229f4 100644
sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
}
-@@ -779,7 +780,7 @@ static void __init trim_bios_range(void)
+@@ -779,7 +818,7 @@ static void __init trim_bios_range(void)
/* called before trim_bios_range() to spare extra sanitize */
static void __init e820_add_kernel_range(void)
{
@@ -22675,7 +25465,7 @@ index 56f7fcf..fa229f4 100644
u64 size = __pa_symbol(_end) - start;
/*
-@@ -841,8 +842,12 @@ static void __init trim_low_memory_range(void)
+@@ -841,8 +880,12 @@ static void __init trim_low_memory_range(void)
void __init setup_arch(char **cmdline_p)
{
@@ -22688,7 +25478,7 @@ index 56f7fcf..fa229f4 100644
early_reserve_initrd();
-@@ -934,14 +939,14 @@ void __init setup_arch(char **cmdline_p)
+@@ -934,14 +977,14 @@ void __init setup_arch(char **cmdline_p)
if (!boot_params.hdr.root_flags)
root_mountflags &= ~MS_RDONLY;
@@ -22785,7 +25575,7 @@ index 5cdff03..80fa283 100644
* Up to this point, the boot CPU has been using .init.data
* area. Reload any changed state for the boot CPU.
diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
-index 6956299..f20beae 100644
+index 6956299..18126ec4 100644
--- a/arch/x86/kernel/signal.c
+++ b/arch/x86/kernel/signal.c
@@ -196,7 +196,7 @@ static unsigned long align_sigframe(unsigned long sp)
@@ -22818,8 +25608,12 @@ index 6956299..f20beae 100644
if (err)
return -EFAULT;
-@@ -367,7 +367,10 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
- err |= __save_altstack(&frame->uc.uc_stack, regs->sp);
+@@ -364,10 +364,13 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
+ else
+ put_user_ex(0, &frame->uc.uc_flags);
+ put_user_ex(0, &frame->uc.uc_link);
+- err |= __save_altstack(&frame->uc.uc_stack, regs->sp);
++ __save_altstack_ex(&frame->uc.uc_stack, regs->sp);
/* Set up to return from userspace. */
- restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
@@ -22839,6 +25633,15 @@ index 6956299..f20beae 100644
} put_user_catch(err);
err |= copy_siginfo_to_user(&frame->info, &ksig->info);
+@@ -429,7 +432,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
+ else
+ put_user_ex(0, &frame->uc.uc_flags);
+ put_user_ex(0, &frame->uc.uc_link);
+- err |= __save_altstack(&frame->uc.uc_stack, regs->sp);
++ __save_altstack_ex(&frame->uc.uc_stack, regs->sp);
+
+ /* Set up to return from userspace. If provided, use a stub
+ already in userspace. */
@@ -615,7 +618,12 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs)
{
int usig = signr_convert(ksig->sig);
@@ -22876,10 +25679,35 @@ index 48d2b7d..90d328a 100644
.smp_prepare_cpus = native_smp_prepare_cpus,
.smp_cpus_done = native_smp_cpus_done,
diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
-index bfd348e..4816ad8 100644
+index bfd348e..914f323 100644
--- a/arch/x86/kernel/smpboot.c
+++ b/arch/x86/kernel/smpboot.c
-@@ -748,6 +748,7 @@ static int __cpuinit do_boot_cpu(int apicid, int cpu, struct task_struct *idle)
+@@ -251,14 +251,18 @@ notrace static void __cpuinit start_secondary(void *unused)
+
+ enable_start_cpu0 = 0;
+
+-#ifdef CONFIG_X86_32
+- /* switch away from the initial page table */
+- load_cr3(swapper_pg_dir);
+- __flush_tlb_all();
+-#endif
+-
+ /* otherwise gcc will move up smp_processor_id before the cpu_init */
+ barrier();
++
++ /* switch away from the initial page table */
++#ifdef CONFIG_PAX_PER_CPU_PGD
++ load_cr3(get_cpu_pgd(smp_processor_id(), kernel));
++ __flush_tlb_all();
++#elif defined(CONFIG_X86_32)
++ load_cr3(swapper_pg_dir);
++ __flush_tlb_all();
++#endif
++
+ /*
+ * Check TSC synchronization with the BP:
+ */
+@@ -748,6 +752,7 @@ static int __cpuinit do_boot_cpu(int apicid, int cpu, struct task_struct *idle)
idle->thread.sp = (unsigned long) (((struct pt_regs *)
(THREAD_SIZE + task_stack_page(idle))) - 1);
per_cpu(current_task, cpu) = idle;
@@ -22887,7 +25715,7 @@ index bfd348e..4816ad8 100644
#ifdef CONFIG_X86_32
/* Stack for startup_32 can be just as for start_secondary onwards */
-@@ -755,11 +756,13 @@ static int __cpuinit do_boot_cpu(int apicid, int cpu, struct task_struct *idle)
+@@ -755,11 +760,13 @@ static int __cpuinit do_boot_cpu(int apicid, int cpu, struct task_struct *idle)
#else
clear_tsk_thread_flag(idle, TIF_FORK);
initial_gs = per_cpu_offset(cpu);
@@ -22904,19 +25732,19 @@ index bfd348e..4816ad8 100644
initial_code = (unsigned long)start_secondary;
stack_start = idle->thread.sp;
-@@ -908,6 +911,15 @@ int __cpuinit native_cpu_up(unsigned int cpu, struct task_struct *tidle)
+@@ -908,6 +915,15 @@ int __cpuinit native_cpu_up(unsigned int cpu, struct task_struct *tidle)
/* the FPU context is blank, nobody can own it */
__cpu_disable_lazy_restore(cpu);
+#ifdef CONFIG_PAX_PER_CPU_PGD
-+ clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
++ clone_pgd_range(get_cpu_pgd(cpu, kernel) + KERNEL_PGD_BOUNDARY,
++ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
++ KERNEL_PGD_PTRS);
++ clone_pgd_range(get_cpu_pgd(cpu, user) + KERNEL_PGD_BOUNDARY,
+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
+ KERNEL_PGD_PTRS);
+#endif
+
-+ /* the FPU context is blank, nobody can own it */
-+ __cpu_disable_lazy_restore(cpu);
-+
err = do_boot_cpu(apicid, cpu, tidle);
if (err) {
pr_debug("do_boot_cpu failed %d\n", err);
@@ -23153,7 +25981,7 @@ index 0000000..5877189
+ return arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
+}
diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
-index dbded5a..ace2781 100644
+index 30277e2..5664a29 100644
--- a/arch/x86/kernel/sys_x86_64.c
+++ b/arch/x86/kernel/sys_x86_64.c
@@ -81,8 +81,8 @@ out:
@@ -23171,8 +25999,8 @@ index dbded5a..ace2781 100644
*begin = new_begin;
}
} else {
-- *begin = TASK_UNMAPPED_BASE;
-+ *begin = mm->mmap_base;
+- *begin = current->mm->mmap_legacy_base;
++ *begin = mm->mmap_legacy_base;
*end = TASK_SIZE;
}
}
@@ -23932,7 +26760,7 @@ index 9a907a6..f83f921 100644
(unsigned long)VSYSCALL_START);
diff --git a/arch/x86/kernel/x8664_ksyms_64.c b/arch/x86/kernel/x8664_ksyms_64.c
-index b014d94..6d6ca7b 100644
+index b014d94..e775258 100644
--- a/arch/x86/kernel/x8664_ksyms_64.c
+++ b/arch/x86/kernel/x8664_ksyms_64.c
@@ -34,8 +34,6 @@ EXPORT_SYMBOL(copy_user_generic_string);
@@ -23944,6 +26772,14 @@ index b014d94..6d6ca7b 100644
EXPORT_SYMBOL(copy_page);
EXPORT_SYMBOL(clear_page);
+@@ -66,3 +64,7 @@ EXPORT_SYMBOL(empty_zero_page);
+ #ifndef CONFIG_PARAVIRT
+ EXPORT_SYMBOL(native_load_gs_index);
+ #endif
++
++#ifdef CONFIG_PAX_PER_CPU_PGD
++EXPORT_SYMBOL(cpu_pgd);
++#endif
diff --git a/arch/x86/kernel/x86_init.c b/arch/x86/kernel/x86_init.c
index 45a14db..075bb9b 100644
--- a/arch/x86/kernel/x86_init.c
@@ -25213,27 +28049,43 @@ index 176cca6..1166c50 100644
.byte (copy_page_rep - copy_page) - (2f - 1b) /* offset */
2:
diff --git a/arch/x86/lib/copy_user_64.S b/arch/x86/lib/copy_user_64.S
-index a30ca15..d25fab6 100644
+index a30ca15..6b3f4e1 100644
--- a/arch/x86/lib/copy_user_64.S
+++ b/arch/x86/lib/copy_user_64.S
-@@ -18,6 +18,7 @@
+@@ -18,31 +18,7 @@
#include <asm/alternative-asm.h>
#include <asm/asm.h>
#include <asm/smap.h>
+-
+-/*
+- * By placing feature2 after feature1 in altinstructions section, we logically
+- * implement:
+- * If CPU has feature2, jmp to alt2 is used
+- * else if CPU has feature1, jmp to alt1 is used
+- * else jmp to orig is used.
+- */
+- .macro ALTERNATIVE_JUMP feature1,feature2,orig,alt1,alt2
+-0:
+- .byte 0xe9 /* 32bit jump */
+- .long \orig-1f /* by default jump to orig */
+-1:
+- .section .altinstr_replacement,"ax"
+-2: .byte 0xe9 /* near jump with 32bit immediate */
+- .long \alt1-1b /* offset */ /* or alternatively to alt1 */
+-3: .byte 0xe9 /* near jump with 32bit immediate */
+- .long \alt2-1b /* offset */ /* or alternatively to alt2 */
+- .previous
+-
+- .section .altinstructions,"a"
+- altinstruction_entry 0b,2b,\feature1,5,5
+- altinstruction_entry 0b,3b,\feature2,5,5
+- .previous
+- .endm
+#include <asm/pgtable.h>
- /*
- * By placing feature2 after feature1 in altinstructions section, we logically
-@@ -31,7 +32,7 @@
- .byte 0xe9 /* 32bit jump */
- .long \orig-1f /* by default jump to orig */
- 1:
-- .section .altinstr_replacement,"ax"
-+ .section .altinstr_replacement,"a"
- 2: .byte 0xe9 /* near jump with 32bit immediate */
- .long \alt1-1b /* offset */ /* or alternatively to alt1 */
- 3: .byte 0xe9 /* near jump with 32bit immediate */
-@@ -70,47 +71,20 @@
+ .macro ALIGN_DESTINATION
+ #ifdef FIX_ALIGNMENT
+@@ -70,52 +46,6 @@
#endif
.endm
@@ -25267,24 +28119,34 @@ index a30ca15..d25fab6 100644
- CFI_ENDPROC
-ENDPROC(_copy_from_user)
-
- .section .fixup,"ax"
- /* must zero dest */
- ENTRY(bad_from_user)
- bad_from_user:
+- .section .fixup,"ax"
+- /* must zero dest */
+-ENTRY(bad_from_user)
+-bad_from_user:
+- CFI_STARTPROC
+- movl %edx,%ecx
+- xorl %eax,%eax
+- rep
+- stosb
+-bad_to_user:
+- movl %edx,%eax
+- ret
+- CFI_ENDPROC
+-ENDPROC(bad_from_user)
+- .previous
+-
+ /*
+ * copy_user_generic_unrolled - memory copy with exception handling.
+ * This version is for CPUs like P4 that don't have efficient micro
+@@ -131,6 +61,7 @@ ENDPROC(bad_from_user)
+ */
+ ENTRY(copy_user_generic_unrolled)
CFI_STARTPROC
-+ testl %edx,%edx
-+ js bad_to_user
- movl %edx,%ecx
- xorl %eax,%eax
- rep
- stosb
- bad_to_user:
- movl %edx,%eax
-+ pax_force_retaddr
- ret
- CFI_ENDPROC
- ENDPROC(bad_from_user)
-@@ -141,19 +115,19 @@ ENTRY(copy_user_generic_unrolled)
++ ASM_PAX_OPEN_USERLAND
+ ASM_STAC
+ cmpl $8,%edx
+ jb 20f /* less then 8 bytes, go to byte copy loop */
+@@ -141,19 +72,19 @@ ENTRY(copy_user_generic_unrolled)
jz 17f
1: movq (%rsi),%r8
2: movq 1*8(%rsi),%r9
@@ -25308,32 +28170,51 @@ index a30ca15..d25fab6 100644
16: movq %r11,7*8(%rdi)
leaq 64(%rsi),%rsi
leaq 64(%rdi),%rdi
-@@ -180,6 +154,7 @@ ENTRY(copy_user_generic_unrolled)
+@@ -180,6 +111,8 @@ ENTRY(copy_user_generic_unrolled)
jnz 21b
23: xor %eax,%eax
ASM_CLAC
++ ASM_PAX_CLOSE_USERLAND
+ pax_force_retaddr
ret
.section .fixup,"ax"
-@@ -251,6 +226,7 @@ ENTRY(copy_user_generic_string)
+@@ -235,6 +168,7 @@ ENDPROC(copy_user_generic_unrolled)
+ */
+ ENTRY(copy_user_generic_string)
+ CFI_STARTPROC
++ ASM_PAX_OPEN_USERLAND
+ ASM_STAC
+ andl %edx,%edx
+ jz 4f
+@@ -251,6 +185,8 @@ ENTRY(copy_user_generic_string)
movsb
4: xorl %eax,%eax
ASM_CLAC
++ ASM_PAX_CLOSE_USERLAND
+ pax_force_retaddr
ret
.section .fixup,"ax"
-@@ -286,6 +262,7 @@ ENTRY(copy_user_enhanced_fast_string)
+@@ -278,6 +214,7 @@ ENDPROC(copy_user_generic_string)
+ */
+ ENTRY(copy_user_enhanced_fast_string)
+ CFI_STARTPROC
++ ASM_PAX_OPEN_USERLAND
+ ASM_STAC
+ andl %edx,%edx
+ jz 2f
+@@ -286,6 +223,8 @@ ENTRY(copy_user_enhanced_fast_string)
movsb
2: xorl %eax,%eax
ASM_CLAC
++ ASM_PAX_CLOSE_USERLAND
+ pax_force_retaddr
ret
.section .fixup,"ax"
diff --git a/arch/x86/lib/copy_user_nocache_64.S b/arch/x86/lib/copy_user_nocache_64.S
-index 6a4f43c..f08b4a2 100644
+index 6a4f43c..55d26f2 100644
--- a/arch/x86/lib/copy_user_nocache_64.S
+++ b/arch/x86/lib/copy_user_nocache_64.S
@@ -8,6 +8,7 @@
@@ -25352,7 +28233,7 @@ index 6a4f43c..f08b4a2 100644
.macro ALIGN_DESTINATION
#ifdef FIX_ALIGNMENT
-@@ -49,6 +51,15 @@
+@@ -49,6 +51,16 @@
*/
ENTRY(__copy_user_nocache)
CFI_STARTPROC
@@ -25365,10 +28246,11 @@ index 6a4f43c..f08b4a2 100644
+1:
+#endif
+
++ ASM_PAX_OPEN_USERLAND
ASM_STAC
cmpl $8,%edx
jb 20f /* less then 8 bytes, go to byte copy loop */
-@@ -59,19 +70,19 @@ ENTRY(__copy_user_nocache)
+@@ -59,19 +71,19 @@ ENTRY(__copy_user_nocache)
jz 17f
1: movq (%rsi),%r8
2: movq 1*8(%rsi),%r9
@@ -25392,9 +28274,11 @@ index 6a4f43c..f08b4a2 100644
16: movnti %r11,7*8(%rdi)
leaq 64(%rsi),%rsi
leaq 64(%rdi),%rdi
-@@ -99,6 +110,7 @@ ENTRY(__copy_user_nocache)
+@@ -98,7 +110,9 @@ ENTRY(__copy_user_nocache)
+ jnz 21b
23: xorl %eax,%eax
ASM_CLAC
++ ASM_PAX_CLOSE_USERLAND
sfence
+ pax_force_retaddr
ret
@@ -25421,27 +28305,38 @@ index 2419d5f..953ee51 100644
CFI_RESTORE_STATE
diff --git a/arch/x86/lib/csum-wrappers_64.c b/arch/x86/lib/csum-wrappers_64.c
-index 25b7ae8..169fafc 100644
+index 25b7ae8..c40113e 100644
--- a/arch/x86/lib/csum-wrappers_64.c
+++ b/arch/x86/lib/csum-wrappers_64.c
-@@ -52,7 +52,7 @@ csum_partial_copy_from_user(const void __user *src, void *dst,
+@@ -52,8 +52,12 @@ csum_partial_copy_from_user(const void __user *src, void *dst,
len -= 2;
}
}
- isum = csum_partial_copy_generic((__force const void *)src,
++ pax_open_userland();
++ stac();
+ isum = csum_partial_copy_generic((const void __force_kernel *)____m(src),
dst, len, isum, errp, NULL);
++ clac();
++ pax_close_userland();
if (unlikely(*errp))
goto out_err;
-@@ -105,7 +105,7 @@ csum_partial_copy_to_user(const void *src, void __user *dst,
+
+@@ -105,8 +109,13 @@ csum_partial_copy_to_user(const void *src, void __user *dst,
}
*errp = 0;
- return csum_partial_copy_generic(src, (void __force *)dst,
-+ return csum_partial_copy_generic(src, (void __force_kernel *)____m(dst),
++ pax_open_userland();
++ stac();
++ isum = csum_partial_copy_generic(src, (void __force_kernel *)____m(dst),
len, isum, NULL, errp);
++ clac();
++ pax_close_userland();
++ return isum;
}
EXPORT_SYMBOL(csum_partial_copy_to_user);
+
diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S
index a451235..1daa956 100644
--- a/arch/x86/lib/getuser.S
@@ -25646,9 +28541,18 @@ index 05a95e7..326f2fa 100644
CFI_ENDPROC
ENDPROC(__iowrite32_copy)
diff --git a/arch/x86/lib/memcpy_64.S b/arch/x86/lib/memcpy_64.S
-index 56313a3..aa84a79 100644
+index 56313a3..9b59269 100644
--- a/arch/x86/lib/memcpy_64.S
+++ b/arch/x86/lib/memcpy_64.S
+@@ -24,7 +24,7 @@
+ * This gets patched over the unrolled variant (below) via the
+ * alternative instructions framework:
+ */
+- .section .altinstr_replacement, "ax", @progbits
++ .section .altinstr_replacement, "a", @progbits
+ .Lmemcpy_c:
+ movq %rdi, %rax
+ movq %rdx, %rcx
@@ -33,6 +33,7 @@
rep movsq
movl %edx, %ecx
@@ -25657,7 +28561,13 @@ index 56313a3..aa84a79 100644
ret
.Lmemcpy_e:
.previous
-@@ -49,6 +50,7 @@
+@@ -44,11 +45,12 @@
+ * This gets patched over the unrolled variant (below) via the
+ * alternative instructions framework:
+ */
+- .section .altinstr_replacement, "ax", @progbits
++ .section .altinstr_replacement, "a", @progbits
+ .Lmemcpy_c_e:
movq %rdi, %rax
movq %rdx, %rcx
rep movsb
@@ -25737,7 +28647,7 @@ index 56313a3..aa84a79 100644
CFI_ENDPROC
ENDPROC(memcpy)
diff --git a/arch/x86/lib/memmove_64.S b/arch/x86/lib/memmove_64.S
-index 65268a6..c9518d1 100644
+index 65268a6..5aa7815 100644
--- a/arch/x86/lib/memmove_64.S
+++ b/arch/x86/lib/memmove_64.S
@@ -61,13 +61,13 @@ ENTRY(memmove)
@@ -25852,7 +28762,7 @@ index 65268a6..c9518d1 100644
jmp 13f
12:
cmp $1, %rdx
-@@ -202,6 +202,7 @@ ENTRY(memmove)
+@@ -202,14 +202,16 @@ ENTRY(memmove)
movb (%rsi), %r11b
movb %r11b, (%rdi)
13:
@@ -25860,7 +28770,9 @@ index 65268a6..c9518d1 100644
retq
CFI_ENDPROC
-@@ -210,6 +211,7 @@ ENTRY(memmove)
+- .section .altinstr_replacement,"ax"
++ .section .altinstr_replacement,"a"
+ .Lmemmove_begin_forward_efs:
/* Forward moving data. */
movq %rdx, %rcx
rep movsb
@@ -25869,9 +28781,18 @@ index 65268a6..c9518d1 100644
.Lmemmove_end_forward_efs:
.previous
diff --git a/arch/x86/lib/memset_64.S b/arch/x86/lib/memset_64.S
-index 2dcb380..963660a 100644
+index 2dcb380..50a78bc 100644
--- a/arch/x86/lib/memset_64.S
+++ b/arch/x86/lib/memset_64.S
+@@ -16,7 +16,7 @@
+ *
+ * rax original destination
+ */
+- .section .altinstr_replacement, "ax", @progbits
++ .section .altinstr_replacement, "a", @progbits
+ .Lmemset_c:
+ movq %rdi,%r9
+ movq %rdx,%rcx
@@ -30,6 +30,7 @@
movl %edx,%ecx
rep stosb
@@ -25880,7 +28801,15 @@ index 2dcb380..963660a 100644
ret
.Lmemset_e:
.previous
-@@ -52,6 +53,7 @@
+@@ -45,13 +46,14 @@
+ *
+ * rax original destination
+ */
+- .section .altinstr_replacement, "ax", @progbits
++ .section .altinstr_replacement, "a", @progbits
+ .Lmemset_c_e:
+ movq %rdi,%r9
+ movb %sil,%al
movq %rdx,%rcx
rep stosb
movq %r9,%rax
@@ -27157,10 +30086,18 @@ index 3eb18ac..6890bc3 100644
+EXPORT_SYMBOL(set_fs);
+#endif
diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c
-index 906fea3..5646695 100644
+index 906fea3..0194a18 100644
--- a/arch/x86/lib/usercopy_64.c
+++ b/arch/x86/lib/usercopy_64.c
-@@ -39,7 +39,7 @@ unsigned long __clear_user(void __user *addr, unsigned long size)
+@@ -18,6 +18,7 @@ unsigned long __clear_user(void __user *addr, unsigned long size)
+ might_fault();
+ /* no memory constraint because it doesn't change any memory gcc knows
+ about */
++ pax_open_userland();
+ stac();
+ asm volatile(
+ " testq %[size8],%[size8]\n"
+@@ -39,9 +40,10 @@ unsigned long __clear_user(void __user *addr, unsigned long size)
_ASM_EXTABLE(0b,3b)
_ASM_EXTABLE(1b,2b)
: [size8] "=&c"(size), [dst] "=&D" (__d0)
@@ -27168,8 +30105,11 @@ index 906fea3..5646695 100644
+ : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(____m(addr)),
[zero] "r" (0UL), [eight] "r" (8UL));
clac();
++ pax_close_userland();
return size;
-@@ -54,12 +54,11 @@ unsigned long clear_user(void __user *to, unsigned long n)
+ }
+ EXPORT_SYMBOL(__clear_user);
+@@ -54,12 +56,11 @@ unsigned long clear_user(void __user *to, unsigned long n)
}
EXPORT_SYMBOL(clear_user);
@@ -27186,7 +30126,7 @@ index 906fea3..5646695 100644
}
EXPORT_SYMBOL(copy_in_user);
-@@ -69,7 +68,7 @@ EXPORT_SYMBOL(copy_in_user);
+@@ -69,11 +70,13 @@ EXPORT_SYMBOL(copy_in_user);
* it is not necessary to optimize tail handling.
*/
unsigned long
@@ -27195,6 +30135,31 @@ index 906fea3..5646695 100644
{
char c;
unsigned zero_len;
+
++ clac();
++ pax_close_userland();
+ for (; len; --len, to++) {
+ if (__get_user_nocheck(c, from++, sizeof(char)))
+ break;
+@@ -84,6 +87,5 @@ copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest)
+ for (c = 0, zero_len = len; zerorest && zero_len; --zero_len)
+ if (__put_user_nocheck(c, to++, sizeof(char)))
+ break;
+- clac();
+ return len;
+ }
+diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile
+index 23d8e5f..9ccc13a 100644
+--- a/arch/x86/mm/Makefile
++++ b/arch/x86/mm/Makefile
+@@ -28,3 +28,7 @@ obj-$(CONFIG_ACPI_NUMA) += srat.o
+ obj-$(CONFIG_NUMA_EMU) += numa_emulation.o
+
+ obj-$(CONFIG_MEMTEST) += memtest.o
++
++quote:="
++obj-$(CONFIG_X86_64) += uderef_64.o
++CFLAGS_uderef_64.o := $(subst $(quote),,$(CONFIG_ARCH_HWEIGHT_CFLAGS))
diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c
index 903ec1e..c4166b2 100644
--- a/arch/x86/mm/extable.c
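Review bot: copy_user_handle_tail() now opens with `clac(); pax_close_userland();` and drops the trailing `clac()`, so it depends on being entered with AC set and the userland mapping open, and nothing in the function says so. Presumably it is reached only from the fixup paths of the copy_user_* routines, which run ASM_PAX_OPEN_USERLAND and ASM_STAC at entry. A caller arriving in any other state could trip the PCID BUG_ON in __pax_close_userland(). I would add a comment above the two calls, e.g. `/* entered from the copy_user_* fixups with userland open and AC set; close both before the byte-wise fallback */`. The function's signature lies outside this hunk.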
@@ -27250,7 +30215,7 @@ index 903ec1e..c4166b2 100644
}
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
-index 654be4a..d36985f 100644
+index 654be4a..a4a3da1 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -14,11 +14,18 @@
@@ -27340,7 +30305,7 @@ index 654be4a..d36985f 100644
DEFINE_SPINLOCK(pgd_lock);
LIST_HEAD(pgd_list);
-@@ -232,10 +273,22 @@ void vmalloc_sync_all(void)
+@@ -232,10 +273,27 @@ void vmalloc_sync_all(void)
for (address = VMALLOC_START & PMD_MASK;
address >= TASK_SIZE && address < FIXADDR_TOP;
address += PMD_SIZE) {
@@ -27355,15 +30320,20 @@ index 654be4a..d36985f 100644
+
+#ifdef CONFIG_PAX_PER_CPU_PGD
+ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) {
-+ pgd_t *pgd = get_cpu_pgd(cpu);
++ pgd_t *pgd = get_cpu_pgd(cpu, user);
+ pmd_t *ret;
++
++ ret = vmalloc_sync_one(pgd, address);
++ if (!ret)
++ break;
++ pgd = get_cpu_pgd(cpu, kernel);
+#else
list_for_each_entry(page, &pgd_list, lru) {
+ pgd_t *pgd;
spinlock_t *pgt_lock;
pmd_t *ret;
-@@ -243,8 +296,14 @@ void vmalloc_sync_all(void)
+@@ -243,8 +301,14 @@ void vmalloc_sync_all(void)
pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
spin_lock(pgt_lock);
@@ -27379,34 +30349,47 @@ index 654be4a..d36985f 100644
if (!ret)
break;
-@@ -278,6 +337,11 @@ static noinline __kprobes int vmalloc_fault(unsigned long address)
+@@ -278,6 +342,12 @@ static noinline __kprobes int vmalloc_fault(unsigned long address)
* an interrupt in the middle of a task switch..
*/
pgd_paddr = read_cr3();
+
+#ifdef CONFIG_PAX_PER_CPU_PGD
-+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
++ BUG_ON(__pa(get_cpu_pgd(smp_processor_id(), kernel)) != (pgd_paddr & __PHYSICAL_MASK));
++ vmalloc_sync_one(__va(pgd_paddr + PAGE_SIZE), address);
+#endif
+
pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
if (!pmd_k)
return -1;
-@@ -373,7 +437,14 @@ static noinline __kprobes int vmalloc_fault(unsigned long address)
+@@ -373,11 +443,25 @@ static noinline __kprobes int vmalloc_fault(unsigned long address)
* happen within a race in page table update. In the later
* case just flush:
*/
+- pgd = pgd_offset(current->active_mm, address);
+
+ pgd_ref = pgd_offset_k(address);
+ if (pgd_none(*pgd_ref))
+ return -1;
+
+#ifdef CONFIG_PAX_PER_CPU_PGD
-+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
-+ pgd = pgd_offset_cpu(smp_processor_id(), address);
++ BUG_ON(__pa(get_cpu_pgd(smp_processor_id(), kernel)) != (read_cr3() & __PHYSICAL_MASK));
++ pgd = pgd_offset_cpu(smp_processor_id(), user, address);
++ if (pgd_none(*pgd)) {
++ set_pgd(pgd, *pgd_ref);
++ arch_flush_lazy_mmu_mode();
++ } else {
++ BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref));
++ }
++ pgd = pgd_offset_cpu(smp_processor_id(), kernel, address);
+#else
- pgd = pgd_offset(current->active_mm, address);
++ pgd = pgd_offset(current->active_mm, address);
+#endif
+
- pgd_ref = pgd_offset_k(address);
- if (pgd_none(*pgd_ref))
- return -1;
-@@ -543,7 +614,7 @@ static int is_errata93(struct pt_regs *regs, unsigned long address)
+ if (pgd_none(*pgd)) {
+ set_pgd(pgd, *pgd_ref);
+ arch_flush_lazy_mmu_mode();
+@@ -543,7 +627,7 @@ static int is_errata93(struct pt_regs *regs, unsigned long address)
static int is_errata100(struct pt_regs *regs, unsigned long address)
{
#ifdef CONFIG_X86_64
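Review bot: In the first vmalloc_fault() change, the added `vmalloc_sync_one(__va(pgd_paddr + PAGE_SIZE), address);` discards its result, while the call on `__va(pgd_paddr)` just below returns -1 when the sync fails. If a failed sync of the second directory should also fail the fault, check it the same way, `if (!vmalloc_sync_one(__va(pgd_paddr + PAGE_SIZE), address)) return -1;`; if it is deliberately best-effort, a comment should say so. The `+ PAGE_SIZE` offset presumably relies on the per-CPU user PGD sitting in the page right after the kernel one, which nothing here states. A one-line comment, or a call through `get_cpu_pgd(smp_processor_id(), user)`, would make that layout assumption explicit. vmalloc_fault() starts and ends outside the hunk.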
@@ -27415,7 +30398,7 @@ index 654be4a..d36985f 100644
return 1;
#endif
return 0;
-@@ -570,7 +641,7 @@ static int is_f00f_bug(struct pt_regs *regs, unsigned long address)
+@@ -570,7 +654,7 @@ static int is_f00f_bug(struct pt_regs *regs, unsigned long address)
}
static const char nx_warning[] = KERN_CRIT
@@ -27424,7 +30407,7 @@ index 654be4a..d36985f 100644
static void
show_fault_oops(struct pt_regs *regs, unsigned long error_code,
-@@ -579,15 +650,27 @@ show_fault_oops(struct pt_regs *regs, unsigned long error_code,
+@@ -579,15 +663,27 @@ show_fault_oops(struct pt_regs *regs, unsigned long error_code,
if (!oops_may_print())
return;
@@ -27454,7 +30437,7 @@ index 654be4a..d36985f 100644
printk(KERN_ALERT "BUG: unable to handle kernel ");
if (address < PAGE_SIZE)
printk(KERN_CONT "NULL pointer dereference");
-@@ -750,6 +833,22 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
+@@ -750,6 +846,22 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
return;
}
#endif
@@ -27477,7 +30460,7 @@ index 654be4a..d36985f 100644
/* Kernel addresses are always protection faults: */
if (address >= TASK_SIZE)
error_code |= PF_PROT;
-@@ -835,7 +934,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
+@@ -835,7 +947,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) {
printk(KERN_ERR
"MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n",
@@ -27486,7 +30469,7 @@ index 654be4a..d36985f 100644
code = BUS_MCEERR_AR;
}
#endif
-@@ -898,6 +997,99 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte)
+@@ -898,6 +1010,99 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte)
return 1;
}
@@ -27586,7 +30569,7 @@ index 654be4a..d36985f 100644
/*
* Handle a spurious fault caused by a stale TLB entry.
*
-@@ -964,6 +1156,9 @@ int show_unhandled_signals = 1;
+@@ -964,6 +1169,9 @@ int show_unhandled_signals = 1;
static inline int
access_error(unsigned long error_code, struct vm_area_struct *vma)
{
@@ -27596,7 +30579,7 @@ index 654be4a..d36985f 100644
if (error_code & PF_WRITE) {
/* write, present and write, not present: */
if (unlikely(!(vma->vm_flags & VM_WRITE)))
-@@ -992,7 +1187,7 @@ static inline bool smap_violation(int error_code, struct pt_regs *regs)
+@@ -992,7 +1200,7 @@ static inline bool smap_violation(int error_code, struct pt_regs *regs)
if (error_code & PF_USER)
return false;
@@ -27605,7 +30588,7 @@ index 654be4a..d36985f 100644
return false;
return true;
-@@ -1008,18 +1203,33 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code)
+@@ -1008,18 +1216,33 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code)
{
struct vm_area_struct *vma;
struct task_struct *tsk;
@@ -27644,7 +30627,7 @@ index 654be4a..d36985f 100644
/*
* Detect and handle instructions that would cause a page fault for
-@@ -1080,7 +1290,7 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code)
+@@ -1080,7 +1303,7 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code)
* User-mode registers count as a user access even for any
* potential system fault or CPU buglet:
*/
@@ -27653,7 +30636,7 @@ index 654be4a..d36985f 100644
local_irq_enable();
error_code |= PF_USER;
} else {
-@@ -1142,6 +1352,11 @@ retry:
+@@ -1142,6 +1365,11 @@ retry:
might_sleep();
}
@@ -27665,7 +30648,7 @@ index 654be4a..d36985f 100644
vma = find_vma(mm, address);
if (unlikely(!vma)) {
bad_area(regs, error_code, address);
-@@ -1153,18 +1368,24 @@ retry:
+@@ -1153,18 +1381,24 @@ retry:
bad_area(regs, error_code, address);
return;
}
@@ -27701,7 +30684,7 @@ index 654be4a..d36985f 100644
if (unlikely(expand_stack(vma, address))) {
bad_area(regs, error_code, address);
return;
-@@ -1230,3 +1451,292 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code)
+@@ -1230,3 +1464,292 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code)
__do_page_fault(regs, error_code);
exception_exit(prev_state);
}
@@ -28132,7 +31115,7 @@ index ae1aa71..d9bea75 100644
#endif /*HAVE_ARCH_HUGETLB_UNMAPPED_AREA*/
diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
-index 1f34e92..d252637 100644
+index 1f34e92..c97b98f 100644
--- a/arch/x86/mm/init.c
+++ b/arch/x86/mm/init.c
@@ -4,6 +4,7 @@
@@ -28152,15 +31135,18 @@ index 1f34e92..d252637 100644
#include "mm_internal.h"
-@@ -465,7 +468,15 @@ void __init init_mem_mapping(void)
+@@ -465,7 +468,18 @@ void __init init_mem_mapping(void)
early_ioremap_page_table_range_init();
#endif
+#ifdef CONFIG_PAX_PER_CPU_PGD
-+ clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
++ clone_pgd_range(get_cpu_pgd(0, kernel) + KERNEL_PGD_BOUNDARY,
+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
+ KERNEL_PGD_PTRS);
-+ load_cr3(get_cpu_pgd(0));
++ clone_pgd_range(get_cpu_pgd(0, user) + KERNEL_PGD_BOUNDARY,
++ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
++ KERNEL_PGD_PTRS);
++ load_cr3(get_cpu_pgd(0, kernel));
+#else
load_cr3(swapper_pg_dir);
+#endif
@@ -28168,7 +31154,7 @@ index 1f34e92..d252637 100644
__flush_tlb_all();
early_memtest(0, max_pfn_mapped << PAGE_SHIFT);
-@@ -481,10 +492,40 @@ void __init init_mem_mapping(void)
+@@ -481,10 +495,40 @@ void __init init_mem_mapping(void)
* Access has to be given to non-kernel-ram areas as well, these contain the PCI
* mmio resources as well as potential bios/acpi data regions.
*/
@@ -28210,7 +31196,7 @@ index 1f34e92..d252637 100644
if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
return 0;
if (!page_is_ram(pagenr))
-@@ -538,8 +579,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
+@@ -538,8 +582,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
#endif
}
@@ -28591,7 +31577,7 @@ index 3ac7e31..89611b7 100644
printk(KERN_INFO "Write protecting the kernel text: %luk\n",
size >> 10);
diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
-index bb00c46..f31d2f0 100644
+index bb00c46..bf91a67 100644
--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -151,7 +151,7 @@ early_param("gbpages", parse_direct_gbpages_on);
@@ -28603,7 +31589,7 @@ index bb00c46..f31d2f0 100644
EXPORT_SYMBOL_GPL(__supported_pte_mask);
int force_personality32;
-@@ -184,12 +184,22 @@ void sync_global_pgds(unsigned long start, unsigned long end)
+@@ -184,12 +184,29 @@ void sync_global_pgds(unsigned long start, unsigned long end)
for (address = start; address <= end; address += PGDIR_SIZE) {
const pgd_t *pgd_ref = pgd_offset_k(address);
@@ -28621,12 +31607,19 @@ index bb00c46..f31d2f0 100644
+
+#ifdef CONFIG_PAX_PER_CPU_PGD
+ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) {
-+ pgd_t *pgd = pgd_offset_cpu(cpu, address);
++ pgd_t *pgd = pgd_offset_cpu(cpu, user, address);
++
++ if (pgd_none(*pgd))
++ set_pgd(pgd, *pgd_ref);
++ else
++ BUG_ON(pgd_page_vaddr(*pgd)
++ != pgd_page_vaddr(*pgd_ref));
++ pgd = pgd_offset_cpu(cpu, kernel, address);
+#else
list_for_each_entry(page, &pgd_list, lru) {
pgd_t *pgd;
spinlock_t *pgt_lock;
-@@ -198,6 +208,7 @@ void sync_global_pgds(unsigned long start, unsigned long end)
+@@ -198,6 +215,7 @@ void sync_global_pgds(unsigned long start, unsigned long end)
/* the pgt_lock only for Xen */
pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
spin_lock(pgt_lock);
@@ -28634,7 +31627,7 @@ index bb00c46..f31d2f0 100644
if (pgd_none(*pgd))
set_pgd(pgd, *pgd_ref);
-@@ -205,7 +216,10 @@ void sync_global_pgds(unsigned long start, unsigned long end)
+@@ -205,7 +223,10 @@ void sync_global_pgds(unsigned long start, unsigned long end)
BUG_ON(pgd_page_vaddr(*pgd)
!= pgd_page_vaddr(*pgd_ref));
@@ -28645,7 +31638,7 @@ index bb00c46..f31d2f0 100644
}
spin_unlock(&pgd_lock);
}
-@@ -238,7 +252,7 @@ static pud_t *fill_pud(pgd_t *pgd, unsigned long vaddr)
+@@ -238,7 +259,7 @@ static pud_t *fill_pud(pgd_t *pgd, unsigned long vaddr)
{
if (pgd_none(*pgd)) {
pud_t *pud = (pud_t *)spp_getpage();
@@ -28654,7 +31647,7 @@ index bb00c46..f31d2f0 100644
if (pud != pud_offset(pgd, 0))
printk(KERN_ERR "PAGETABLE BUG #00! %p <-> %p\n",
pud, pud_offset(pgd, 0));
-@@ -250,7 +264,7 @@ static pmd_t *fill_pmd(pud_t *pud, unsigned long vaddr)
+@@ -250,7 +271,7 @@ static pmd_t *fill_pmd(pud_t *pud, unsigned long vaddr)
{
if (pud_none(*pud)) {
pmd_t *pmd = (pmd_t *) spp_getpage();
@@ -28663,7 +31656,7 @@ index bb00c46..f31d2f0 100644
if (pmd != pmd_offset(pud, 0))
printk(KERN_ERR "PAGETABLE BUG #01! %p <-> %p\n",
pmd, pmd_offset(pud, 0));
-@@ -279,7 +293,9 @@ void set_pte_vaddr_pud(pud_t *pud_page, unsigned long vaddr, pte_t new_pte)
+@@ -279,7 +300,9 @@ void set_pte_vaddr_pud(pud_t *pud_page, unsigned long vaddr, pte_t new_pte)
pmd = fill_pmd(pud, vaddr);
pte = fill_pte(pmd, vaddr);
@@ -28673,7 +31666,7 @@ index bb00c46..f31d2f0 100644
/*
* It's enough to flush this one mapping.
-@@ -338,14 +354,12 @@ static void __init __init_extra_mapping(unsigned long phys, unsigned long size,
+@@ -338,14 +361,12 @@ static void __init __init_extra_mapping(unsigned long phys, unsigned long size,
pgd = pgd_offset_k((unsigned long)__va(phys));
if (pgd_none(*pgd)) {
pud = (pud_t *) spp_getpage();
@@ -28690,7 +31683,7 @@ index bb00c46..f31d2f0 100644
}
pmd = pmd_offset(pud, phys);
BUG_ON(!pmd_none(*pmd));
-@@ -586,7 +600,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end,
+@@ -586,7 +607,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end,
prot);
spin_lock(&init_mm.page_table_lock);
@@ -28699,7 +31692,7 @@ index bb00c46..f31d2f0 100644
spin_unlock(&init_mm.page_table_lock);
}
__flush_tlb_all();
-@@ -627,7 +641,7 @@ kernel_physical_mapping_init(unsigned long start,
+@@ -627,7 +648,7 @@ kernel_physical_mapping_init(unsigned long start,
page_size_mask);
spin_lock(&init_mm.page_table_lock);
@@ -28708,7 +31701,7 @@ index bb00c46..f31d2f0 100644
spin_unlock(&init_mm.page_table_lock);
pgd_changed = true;
}
-@@ -1221,8 +1235,8 @@ int kern_addr_valid(unsigned long addr)
+@@ -1221,8 +1242,8 @@ int kern_addr_valid(unsigned long addr)
static struct vm_area_struct gate_vma = {
.vm_start = VSYSCALL_START,
.vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
@@ -28719,7 +31712,7 @@ index bb00c46..f31d2f0 100644
};
struct vm_area_struct *get_gate_vma(struct mm_struct *mm)
-@@ -1256,7 +1270,7 @@ int in_gate_area_no_mm(unsigned long addr)
+@@ -1256,7 +1277,7 @@ int in_gate_area_no_mm(unsigned long addr)
const char *arch_vma_name(struct vm_area_struct *vma)
{
@@ -28822,7 +31815,7 @@ index d87dd6d..bf3fa66 100644
pte = kmemcheck_pte_lookup(address);
diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
-index 845df68..1d8d29f 100644
+index 5c1ae28..45f4ac9 100644
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -52,7 +52,7 @@ static unsigned int stack_maxrandom_size(void)
@@ -28880,32 +31873,24 @@ index 845df68..1d8d29f 100644
return TASK_UNMAPPED_BASE + mmap_rnd();
}
-@@ -113,11 +126,23 @@ static unsigned long mmap_legacy_base(void)
+@@ -112,8 +125,15 @@ static unsigned long mmap_legacy_base(void)
+ */
void arch_pick_mmap_layout(struct mm_struct *mm)
{
- if (mmap_is_legacy()) {
-- mm->mmap_base = mmap_legacy_base();
-+ mm->mmap_base = mmap_legacy_base(mm);
-+
-+#ifdef CONFIG_PAX_RANDMMAP
-+ if (mm->pax_flags & MF_PAX_RANDMMAP)
-+ mm->mmap_base += mm->delta_mmap;
-+#endif
-+
- mm->get_unmapped_area = arch_get_unmapped_area;
- mm->unmap_area = arch_unmap_area;
- } else {
-- mm->mmap_base = mmap_base();
-+ mm->mmap_base = mmap_base(mm);
+- mm->mmap_legacy_base = mmap_legacy_base();
+- mm->mmap_base = mmap_base();
++ mm->mmap_legacy_base = mmap_legacy_base(mm);
++ mm->mmap_base = mmap_base(mm);
+
+#ifdef CONFIG_PAX_RANDMMAP
-+ if (mm->pax_flags & MF_PAX_RANDMMAP)
-+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
++ if (mm->pax_flags & MF_PAX_RANDMMAP) {
++ mm->mmap_legacy_base += mm->delta_mmap;
++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
++ }
+#endif
-+
- mm->get_unmapped_area = arch_get_unmapped_area_topdown;
- mm->unmap_area = arch_unmap_area_topdown;
- }
+
+ if (mmap_is_legacy()) {
+ mm->mmap_base = mm->mmap_legacy_base;
diff --git a/arch/x86/mm/mmio-mod.c b/arch/x86/mm/mmio-mod.c
index dc0b727..f612039 100644
--- a/arch/x86/mm/mmio-mod.c
@@ -28982,7 +31967,7 @@ index d0b1773..4c3327c 100644
struct split_state {
diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
-index bb32480..aef8278 100644
+index bb32480..75f2f5e 100644
--- a/arch/x86/mm/pageattr.c
+++ b/arch/x86/mm/pageattr.c
@@ -261,7 +261,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
@@ -29047,7 +32032,7 @@ index bb32480..aef8278 100644
+#ifdef CONFIG_PAX_PER_CPU_PGD
+ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) {
-+ pgd_t *pgd = get_cpu_pgd(cpu);
++ pgd_t *pgd = get_cpu_pgd(cpu, kernel);
+#else
list_for_each_entry(page, &pgd_list, lru) {
- pgd_t *pgd;
@@ -29183,10 +32168,10 @@ index 9f0614d..92ae64a 100644
p += get_opcode(p, &opcode);
for (i = 0; i < ARRAY_SIZE(imm_wop); i++)
diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
-index 17fda6a..489c74a 100644
+index 17fda6a..f7d54a0 100644
--- a/arch/x86/mm/pgtable.c
+++ b/arch/x86/mm/pgtable.c
-@@ -91,10 +91,64 @@ static inline void pgd_list_del(pgd_t *pgd)
+@@ -91,10 +91,67 @@ static inline void pgd_list_del(pgd_t *pgd)
list_del(&page->lru);
}
@@ -29199,6 +32184,9 @@ index 17fda6a..489c74a 100644
+{
+ unsigned int count = USER_PGD_PTRS;
++ if (!pax_user_shadow_base)
++ return;
++
+ while (count--)
+ *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
+}
@@ -29253,7 +32241,7 @@ index 17fda6a..489c74a 100644
static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
{
BUILD_BUG_ON(sizeof(virt_to_page(pgd)->index) < sizeof(mm));
-@@ -135,6 +189,7 @@ static void pgd_dtor(pgd_t *pgd)
+@@ -135,6 +192,7 @@ static void pgd_dtor(pgd_t *pgd)
pgd_list_del(pgd);
spin_unlock(&pgd_lock);
}
@@ -29261,7 +32249,7 @@ index 17fda6a..489c74a 100644
/*
* List of all pgd's needed for non-PAE so it can invalidate entries
-@@ -147,7 +202,7 @@ static void pgd_dtor(pgd_t *pgd)
+@@ -147,7 +205,7 @@ static void pgd_dtor(pgd_t *pgd)
* -- nyc
*/
@@ -29270,7 +32258,7 @@ index 17fda6a..489c74a 100644
/*
* In PAE mode, we need to do a cr3 reload (=tlb flush) when
* updating the top-level pagetable entries to guarantee the
-@@ -159,7 +214,7 @@ static void pgd_dtor(pgd_t *pgd)
+@@ -159,7 +217,7 @@ static void pgd_dtor(pgd_t *pgd)
* not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
* and initialize the kernel pmds here.
*/
@@ -29279,7 +32267,7 @@ index 17fda6a..489c74a 100644
void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
{
-@@ -177,36 +232,38 @@ void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
+@@ -177,36 +235,38 @@ void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
*/
flush_tlb_mm(mm);
}
@@ -29329,7 +32317,7 @@ index 17fda6a..489c74a 100644
return -ENOMEM;
}
-@@ -219,51 +276,55 @@ static int preallocate_pmds(pmd_t *pmds[])
+@@ -219,51 +279,55 @@ static int preallocate_pmds(pmd_t *pmds[])
* preallocate which never got a corresponding vma will need to be
* freed manually.
*/
@@ -29402,7 +32390,7 @@ index 17fda6a..489c74a 100644
pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
-@@ -272,11 +333,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
+@@ -272,11 +336,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
mm->pgd = pgd;
@@ -29416,7 +32404,7 @@ index 17fda6a..489c74a 100644
/*
* Make sure that pre-populating the pmds is atomic with
-@@ -286,14 +347,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
+@@ -286,14 +350,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
spin_lock(&pgd_lock);
pgd_ctor(mm, pgd);
@@ -29434,7 +32422,7 @@ index 17fda6a..489c74a 100644
out_free_pgd:
free_page((unsigned long)pgd);
out:
-@@ -302,7 +363,7 @@ out:
+@@ -302,7 +366,7 @@ out:
void pgd_free(struct mm_struct *mm, pgd_t *pgd)
{
@@ -29532,6 +32520,49 @@ index 282375f..e03a98f 100644
}
}
EXPORT_SYMBOL_GPL(leave_mm);
+diff --git a/arch/x86/mm/uderef_64.c b/arch/x86/mm/uderef_64.c
+new file mode 100644
+index 0000000..dace51c
+--- /dev/null
++++ b/arch/x86/mm/uderef_64.c
+@@ -0,0 +1,37 @@
++#include <linux/mm.h>
++#include <asm/pgtable.h>
++#include <asm/uaccess.h>
++
++#ifdef CONFIG_PAX_MEMORY_UDEREF
++/* PaX: due to the special call convention these functions must
++ * - remain leaf functions under all configurations,
++ * - never be called directly, only dereferenced from the wrappers.
++ */
++void __pax_open_userland(void)
++{
++ unsigned int cpu;
++
++ if (unlikely(!segment_eq(get_fs(), USER_DS)))
++ return;
++
++ cpu = raw_get_cpu();
++ BUG_ON((read_cr3() & ~PAGE_MASK) != PCID_KERNEL);
++ write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER | PCID_NOFLUSH);
++ raw_put_cpu_no_resched();
++}
++EXPORT_SYMBOL(__pax_open_userland);
++
++void __pax_close_userland(void)
++{
++ unsigned int cpu;
++
++ if (unlikely(!segment_eq(get_fs(), USER_DS)))
++ return;
++
++ cpu = raw_get_cpu();
++ BUG_ON((read_cr3() & ~PAGE_MASK) != PCID_USER);
++ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
++ raw_put_cpu_no_resched();
++}
++EXPORT_SYMBOL(__pax_close_userland);
++#endif
diff --git a/arch/x86/net/bpf_jit.S b/arch/x86/net/bpf_jit.S
index 877b9a1..a8ecf42 100644
--- a/arch/x86/net/bpf_jit.S
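Review bot: In the new uderef_64.c, __pax_open_userland() and __pax_close_userland() both return silently when `get_fs()` is not USER_DS, and the header comment does not explain that path or the BUG_ON invariants. Presumably a KERNEL_DS caller is accessing kernel memory and must stay on the kernel page tables; a comment such as `/* not USER_DS: the access targets kernel memory, keep the kernel PGD */` above each early return would record that. The BUG_ONs deserve a line too, e.g. `/* CR3 must carry the expected PCID; a mismatch means an unbalanced open/close */`. Both functions are exported with plain EXPORT_SYMBOL, so the "never be called directly" rule is only a convention for modules; it is worth restating that next to the exports.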
@@ -30444,7 +33475,7 @@ index c77b24a..c979855 100644
}
EXPORT_SYMBOL(pcibios_set_irq_routing);
diff --git a/arch/x86/platform/efi/efi_32.c b/arch/x86/platform/efi/efi_32.c
-index 40e4469..0592924 100644
+index 40e4469..d915bf9 100644
--- a/arch/x86/platform/efi/efi_32.c
+++ b/arch/x86/platform/efi/efi_32.c
@@ -44,11 +44,22 @@ void efi_call_phys_prelog(void)
@@ -30487,7 +33518,7 @@ index 40e4469..0592924 100644
load_gdt(&gdt_descr);
+#ifdef CONFIG_PAX_PER_CPU_PGD
-+ load_cr3(get_cpu_pgd(smp_processor_id()));
++ load_cr3(get_cpu_pgd(smp_processor_id(), kernel));
+#else
load_cr3(swapper_pg_dir);
+#endif
@@ -30496,7 +33527,7 @@ index 40e4469..0592924 100644
local_irq_restore(efi_rt_eflags);
diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
-index 39a0e7f1..ecc2f1e 100644
+index 39a0e7f1..872396e 100644
--- a/arch/x86/platform/efi/efi_64.c
+++ b/arch/x86/platform/efi/efi_64.c
@@ -76,6 +76,11 @@ void __init efi_call_phys_prelog(void)
@@ -30517,7 +33548,7 @@ index 39a0e7f1..ecc2f1e 100644
kfree(save_pgd);
+
+#ifdef CONFIG_PAX_PER_CPU_PGD
-+ load_cr3(get_cpu_pgd(smp_processor_id()));
++ load_cr3(get_cpu_pgd(smp_processor_id(), kernel));
+#endif
+
__flush_tlb_all();
@@ -30884,10 +33915,18 @@ index c1b2791..f9e31c7 100644
END(trampoline_header)
diff --git a/arch/x86/realmode/rm/trampoline_64.S b/arch/x86/realmode/rm/trampoline_64.S
-index bb360dc..3e5945f 100644
+index bb360dc..d0fd8f8 100644
--- a/arch/x86/realmode/rm/trampoline_64.S
+++ b/arch/x86/realmode/rm/trampoline_64.S
-@@ -107,7 +107,7 @@ ENTRY(startup_32)
+@@ -94,6 +94,7 @@ ENTRY(startup_32)
+ movl %edx, %gs
+
+ movl pa_tr_cr4, %eax
++ andl $~X86_CR4_PCIDE, %eax
+ movl %eax, %cr4 # Enable PAE mode
+
+ # Setup trampoline 4 level pagetables
+@@ -107,7 +108,7 @@ ENTRY(startup_32)
wrmsr
# Enable paging and in turn activate Long Mode
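Review bot: The added `andl $~X86_CR4_PCIDE, %eax` in startup_32 carries no comment, and the following line still reads only `# Enable PAE mode`, so the reason for masking the bit is left to the reader. CR4.PCIDE may only be set once the CPU is in IA-32e mode, and this code runs before paging and long mode are enabled, so loading a saved CR4 value with PCIDE set here would fault. I would add `# PCIDE cannot be set before long mode is active; strip it from the saved CR4` above the `andl`. Where PCIDE is turned back on for this CPU is not visible in the hunk.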
@@ -31484,7 +34523,7 @@ index fdc3ba2..3daee39 100644
.alloc_pud = xen_alloc_pmd_init,
.release_pud = xen_release_pmd_init,
diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
-index d99cae8..18401e1 100644
+index a1e58e1..9392ad8 100644
--- a/arch/x86/xen/smp.c
+++ b/arch/x86/xen/smp.c
@@ -240,11 +240,6 @@ static void __init xen_smp_prepare_boot_cpu(void)
@@ -31665,6 +34704,28 @@ index af00795..2bb8105 100644
#define XCHAL_ICACHE_SIZE 32768 /* I-cache size in bytes or 0 */
#define XCHAL_DCACHE_SIZE 32768 /* D-cache size in bytes or 0 */
+diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
+index e8918ff..b3ffc51 100644
+--- a/block/blk-cgroup.c
++++ b/block/blk-cgroup.c
+@@ -825,7 +825,7 @@ static void blkcg_css_free(struct cgroup *cgroup)
+
+ static struct cgroup_subsys_state *blkcg_css_alloc(struct cgroup *cgroup)
+ {
+- static atomic64_t id_seq = ATOMIC64_INIT(0);
++ static atomic64_unchecked_t id_seq = ATOMIC64_INIT(0);
+ struct blkcg *blkcg;
+ struct cgroup *parent = cgroup->parent;
+
+@@ -840,7 +840,7 @@ static struct cgroup_subsys_state *blkcg_css_alloc(struct cgroup *cgroup)
+
+ blkcg->cfq_weight = CFQ_WEIGHT_DEFAULT;
+ blkcg->cfq_leaf_weight = CFQ_WEIGHT_DEFAULT;
+- blkcg->id = atomic64_inc_return(&id_seq); /* root is 0, start from 1 */
++ blkcg->id = atomic64_inc_return_unchecked(&id_seq); /* root is 0, start from 1 */
+ done:
+ spin_lock_init(&blkcg->lock);
+ INIT_RADIX_TREE(&blkcg->blkg_tree, GFP_ATOMIC);
diff --git a/block/blk-iopoll.c b/block/blk-iopoll.c
index 58916af..eb9dbcf6 100644
--- a/block/blk-iopoll.c
@@ -31958,6 +35019,28 @@ index 33dc6a0..4b24b47 100644
}
EXPORT_SYMBOL_GPL(cper_next_record_id);
+diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
+index fcd7d91..6b2f1a3 100644
+--- a/drivers/acpi/apei/ghes.c
++++ b/drivers/acpi/apei/ghes.c
+@@ -468,7 +468,7 @@ static void __ghes_print_estatus(const char *pfx,
+ const struct acpi_hest_generic *generic,
+ const struct acpi_hest_generic_status *estatus)
+ {
+- static atomic_t seqno;
++ static atomic_unchecked_t seqno;
+ unsigned int curr_seqno;
+ char pfx_seq[64];
+
+@@ -479,7 +479,7 @@ static void __ghes_print_estatus(const char *pfx,
+ else
+ pfx = KERN_ERR;
+ }
+- curr_seqno = atomic_inc_return(&seqno);
++ curr_seqno = atomic_inc_return_unchecked(&seqno);
+ snprintf(pfx_seq, sizeof(pfx_seq), "%s{%u}" HW_ERR, pfx, curr_seqno);
+ printk("%s""Hardware error from APEI Generic Hardware Error Source: %d\n",
+ pfx_seq, generic->header.source_id);
diff --git a/drivers/acpi/bgrt.c b/drivers/acpi/bgrt.c
index be60399..778b33e8 100644
--- a/drivers/acpi/bgrt.c
@@ -32095,9 +35178,18 @@ index 7b9bdd8..37638ca 100644
unsigned long timeout_msec)
{
diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
-index adf002a..39bb8f9 100644
+index adf002a..06c46a7 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
+@@ -98,7 +98,7 @@ static unsigned int ata_dev_set_xfermode(struct ata_device *dev);
+ static void ata_dev_xfermask(struct ata_device *dev);
+ static unsigned long ata_dev_blacklisted(const struct ata_device *dev);
+
+-atomic_t ata_print_id = ATOMIC_INIT(0);
++atomic_unchecked_t ata_print_id = ATOMIC_INIT(0);
+
+ struct ata_force_param {
+ const char *name;
@@ -4792,7 +4792,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
struct ata_port *ap;
unsigned int tag;
@@ -32135,6 +35227,41 @@ index adf002a..39bb8f9 100644
spin_unlock(&lock);
}
+@@ -6133,7 +6135,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht)
+
+ /* give ports names and add SCSI hosts */
+ for (i = 0; i < host->n_ports; i++)
+- host->ports[i]->print_id = atomic_inc_return(&ata_print_id);
++ host->ports[i]->print_id = atomic_inc_return_unchecked(&ata_print_id);
+
+
+ /* Create associated sysfs transport objects */
+diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
+index 0101af5..c70c325 100644
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -4105,7 +4105,7 @@ int ata_sas_port_init(struct ata_port *ap)
+
+ if (rc)
+ return rc;
+- ap->print_id = atomic_inc_return(&ata_print_id);
++ ap->print_id = atomic_inc_return_unchecked(&ata_print_id);
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(ata_sas_port_init);
+diff --git a/drivers/ata/libata.h b/drivers/ata/libata.h
+index 577d902b..cb4781e 100644
+--- a/drivers/ata/libata.h
++++ b/drivers/ata/libata.h
+@@ -53,7 +53,7 @@ enum {
+ ATA_DNXFER_QUIET = (1 << 31),
+ };
+
+-extern atomic_t ata_print_id;
++extern atomic_unchecked_t ata_print_id;
+ extern int atapi_passthru16;
+ extern int libata_fua;
+ extern int libata_noacpi;
diff --git a/drivers/ata/pata_arasan_cf.c b/drivers/ata/pata_arasan_cf.c
index 7638121..357a965 100644
--- a/drivers/ata/pata_arasan_cf.c
@@ -33663,6 +36790,28 @@ index a5dca6a..bb27967 100644
kfree(tconn->current_epoch);
idr_destroy(&tconn->volumes);
+diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c
+index 9e3f441..4044d47 100644
+--- a/drivers/block/drbd/drbd_nl.c
++++ b/drivers/block/drbd/drbd_nl.c
+@@ -3339,7 +3339,7 @@ out:
+
+ void drbd_bcast_event(struct drbd_conf *mdev, const struct sib_info *sib)
+ {
+- static atomic_t drbd_genl_seq = ATOMIC_INIT(2); /* two. */
++ static atomic_unchecked_t drbd_genl_seq = ATOMIC_INIT(2); /* two. */
+ struct sk_buff *msg;
+ struct drbd_genlmsghdr *d_out;
+ unsigned seq;
+@@ -3352,7 +3352,7 @@ void drbd_bcast_event(struct drbd_conf *mdev, const struct sib_info *sib)
+ return;
+ }
+
+- seq = atomic_inc_return(&drbd_genl_seq);
++ seq = atomic_inc_return_unchecked(&drbd_genl_seq);
+ msg = genlmsg_new(NLMSG_GOODSIZE, GFP_NOIO);
+ if (!msg)
+ goto failed;
diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
index 4222aff..1f79506 100644
--- a/drivers/block/drbd/drbd_receiver.c
@@ -34436,10 +37585,10 @@ index 84ddc55..1d32f1e 100644
return 0;
}
diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
-index 1b456fe..2510242 100644
+index fc45567..fa2a590 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
-@@ -679,7 +679,7 @@ static ssize_t fill_readbuf(struct port *port, char *out_buf, size_t out_count,
+@@ -682,7 +682,7 @@ static ssize_t fill_readbuf(struct port *port, char *out_buf, size_t out_count,
if (to_user) {
ssize_t ret;
@@ -34448,7 +37597,7 @@ index 1b456fe..2510242 100644
if (ret)
return -EFAULT;
} else {
-@@ -778,7 +778,7 @@ static ssize_t port_fops_read(struct file *filp, char __user *ubuf,
+@@ -785,7 +785,7 @@ static ssize_t port_fops_read(struct file *filp, char __user *ubuf,
if (!port_has_data(port) && !port->host_connected)
return 0;
@@ -34508,6 +37657,19 @@ index a2b2541..bc1e7ff 100644
.notifier_call = arch_timer_cpu_notify,
};
+diff --git a/drivers/clocksource/bcm_kona_timer.c b/drivers/clocksource/bcm_kona_timer.c
+index 350f493..489479e 100644
+--- a/drivers/clocksource/bcm_kona_timer.c
++++ b/drivers/clocksource/bcm_kona_timer.c
+@@ -199,7 +199,7 @@ static struct irqaction kona_timer_irq = {
+ .handler = kona_timer_interrupt,
+ };
+
+-static void __init kona_timer_init(void)
++static void __init kona_timer_init(struct device_node *np)
+ {
+ kona_timers_init();
+ kona_timer_clockevents_init();
diff --git a/drivers/clocksource/metag_generic.c b/drivers/clocksource/metag_generic.c
index ade7513..069445f 100644
--- a/drivers/clocksource/metag_generic.c
@@ -34574,10 +37736,10 @@ index edc089e..bc7c0bc 100644
pr_debug("CPU%u - ACPI performance management activated.\n", cpu);
for (i = 0; i < perf->state_count; i++)
diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
-index 178fe7a..5ee8501 100644
+index 6485547..477033e 100644
--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
-@@ -1853,7 +1853,7 @@ static int __cpuinit cpufreq_cpu_callback(struct notifier_block *nfb,
+@@ -1854,7 +1854,7 @@ static int __cpuinit cpufreq_cpu_callback(struct notifier_block *nfb,
return NOTIFY_OK;
}
@@ -34586,7 +37748,7 @@ index 178fe7a..5ee8501 100644
.notifier_call = cpufreq_cpu_callback,
};
-@@ -1885,8 +1885,11 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data)
+@@ -1886,8 +1886,11 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data)
pr_debug("trying to register driver %s\n", driver_data->name);
@@ -34601,7 +37763,7 @@ index 178fe7a..5ee8501 100644
write_lock_irqsave(&cpufreq_driver_lock, flags);
if (cpufreq_driver) {
diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c
-index 5af40ad..ddf907b 100644
+index a86ff72..aad2b03 100644
--- a/drivers/cpufreq/cpufreq_governor.c
+++ b/drivers/cpufreq/cpufreq_governor.c
@@ -235,7 +235,7 @@ int cpufreq_governor_dbs(struct cpufreq_policy *policy,
@@ -34632,7 +37794,7 @@ index 5af40ad..ddf907b 100644
cpufreq_unregister_notifier(cs_ops->notifier_block,
CPUFREQ_TRANSITION_NOTIFIER);
diff --git a/drivers/cpufreq/cpufreq_governor.h b/drivers/cpufreq/cpufreq_governor.h
-index e16a961..0e68927 100644
+index 0d9e6be..461fd3b 100644
--- a/drivers/cpufreq/cpufreq_governor.h
+++ b/drivers/cpufreq/cpufreq_governor.h
@@ -204,7 +204,7 @@ struct common_dbs_data {
@@ -34645,7 +37807,7 @@ index e16a961..0e68927 100644
/* Governer Per policy data */
diff --git a/drivers/cpufreq/cpufreq_ondemand.c b/drivers/cpufreq/cpufreq_ondemand.c
-index 93eb5cb..f8ab572 100644
+index c087347..dad6268 100644
--- a/drivers/cpufreq/cpufreq_ondemand.c
+++ b/drivers/cpufreq/cpufreq_ondemand.c
@@ -615,14 +615,18 @@ void od_register_powersave_bias_handler(unsigned int (*f)
@@ -34889,6 +38051,28 @@ index 428754a..8bdf9cc 100644
.attrs = cpuidle_default_attrs,
.name = "cpuidle",
};
+diff --git a/drivers/crypto/hifn_795x.c b/drivers/crypto/hifn_795x.c
+index ebf130e..e32d8a9 100644
+--- a/drivers/crypto/hifn_795x.c
++++ b/drivers/crypto/hifn_795x.c
+@@ -51,7 +51,7 @@ module_param_string(hifn_pll_ref, hifn_pll_ref, sizeof(hifn_pll_ref), 0444);
+ MODULE_PARM_DESC(hifn_pll_ref,
+ "PLL reference clock (pci[freq] or ext[freq], default ext)");
+
+-static atomic_t hifn_dev_number;
++static atomic_unchecked_t hifn_dev_number;
+
+ #define ACRYPTO_OP_DECRYPT 0
+ #define ACRYPTO_OP_ENCRYPT 1
+@@ -2577,7 +2577,7 @@ static int hifn_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ goto err_out_disable_pci_device;
+
+ snprintf(name, sizeof(name), "hifn%d",
+- atomic_inc_return(&hifn_dev_number)-1);
++ atomic_inc_return_unchecked(&hifn_dev_number)-1);
+
+ err = pci_request_regions(pdev, name);
+ if (err)
diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
index 3b36797..db0b0c0 100644
--- a/drivers/devfreq/devfreq.c
@@ -34933,6 +38117,22 @@ index b70709b..1d8d02a 100644
.notifier_call = sh_dmae_nmi_handler,
/* Run before NMI debug handler and KGDB */
+diff --git a/drivers/edac/edac_device.c b/drivers/edac/edac_device.c
+index 211021d..201d47f 100644
+--- a/drivers/edac/edac_device.c
++++ b/drivers/edac/edac_device.c
+@@ -474,9 +474,9 @@ void edac_device_reset_delay_period(struct edac_device_ctl_info *edac_dev,
+ */
+ int edac_device_alloc_index(void)
+ {
+- static atomic_t device_indexes = ATOMIC_INIT(0);
++ static atomic_unchecked_t device_indexes = ATOMIC_INIT(0);
+
+- return atomic_inc_return(&device_indexes) - 1;
++ return atomic_inc_return_unchecked(&device_indexes) - 1;
+ }
+ EXPORT_SYMBOL_GPL(edac_device_alloc_index);
+
diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
index c4d700a..0b57abd 100644
--- a/drivers/edac/edac_mc_sysfs.c
@@ -34967,6 +38167,28 @@ index c4d700a..0b57abd 100644
err = device_create_file(&mci->dev,
&dev_attr_sdram_scrub_rate);
if (err) {
+diff --git a/drivers/edac/edac_pci.c b/drivers/edac/edac_pci.c
+index dd370f9..0281629 100644
+--- a/drivers/edac/edac_pci.c
++++ b/drivers/edac/edac_pci.c
+@@ -29,7 +29,7 @@
+
+ static DEFINE_MUTEX(edac_pci_ctls_mutex);
+ static LIST_HEAD(edac_pci_list);
+-static atomic_t pci_indexes = ATOMIC_INIT(0);
++static atomic_unchecked_t pci_indexes = ATOMIC_INIT(0);
+
+ /*
+ * edac_pci_alloc_ctl_info
+@@ -315,7 +315,7 @@ EXPORT_SYMBOL_GPL(edac_pci_reset_delay_period);
+ */
+ int edac_pci_alloc_index(void)
+ {
+- return atomic_inc_return(&pci_indexes) - 1;
++ return atomic_inc_return_unchecked(&pci_indexes) - 1;
+ }
+ EXPORT_SYMBOL_GPL(edac_pci_alloc_index);
+
diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c
index e8658e4..22746d6 100644
--- a/drivers/edac/edac_pci_sysfs.c
@@ -35077,9 +38299,21 @@ index 51b7e3a..aa8a3e8 100644
void amd_report_gart_errors(bool);
void amd_register_ecc_decoder(void (*f)(int, struct mce *));
diff --git a/drivers/firewire/core-card.c b/drivers/firewire/core-card.c
-index 57ea7f4..789e3c3 100644
+index 57ea7f4..af06b76 100644
--- a/drivers/firewire/core-card.c
+++ b/drivers/firewire/core-card.c
+@@ -528,9 +528,9 @@ void fw_card_initialize(struct fw_card *card,
+ const struct fw_card_driver *driver,
+ struct device *device)
+ {
+- static atomic_t index = ATOMIC_INIT(-1);
++ static atomic_unchecked_t index = ATOMIC_INIT(-1);
+
+- card->index = atomic_inc_return(&index);
++ card->index = atomic_inc_return_unchecked(&index);
+ card->driver = driver;
+ card->device = device;
+ card->current_tlabel = 0;
@@ -680,7 +680,7 @@ EXPORT_SYMBOL_GPL(fw_card_release);
void fw_core_remove_card(struct fw_card *card)
@@ -35634,7 +38868,7 @@ index e913d32..4d9b351 100644
if (IS_GEN6(dev) || IS_GEN7(dev)) {
seq_printf(m,
diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c
-index f968590..19115e35 100644
+index 17d9b0b..860e6d9 100644
--- a/drivers/gpu/drm/i915/i915_dma.c
+++ b/drivers/gpu/drm/i915/i915_dma.c
@@ -1259,7 +1259,7 @@ static bool i915_switcheroo_can_switch(struct pci_dev *pdev)
@@ -35823,10 +39057,10 @@ index e5e32869..1678f36 100644
iir = I915_READ(IIR);
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index e1f4e6e..c94a4b3 100644
+index eea5982..eeef407 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
-@@ -8933,13 +8933,13 @@ struct intel_quirk {
+@@ -8935,13 +8935,13 @@ struct intel_quirk {
int subsystem_vendor;
int subsystem_device;
void (*hook)(struct drm_device *dev);
@@ -35842,7 +39076,7 @@ index e1f4e6e..c94a4b3 100644
static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
{
-@@ -8947,18 +8947,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
+@@ -8949,18 +8949,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
return 1;
}
@@ -36722,10 +39956,112 @@ index 8c04943..4370ed9 100644
err = drm_debugfs_create_files(dc->debugfs_files,
ARRAY_SIZE(debugfs_files),
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index 402f486..f862d7e 100644
+index 402f486..5340852 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
-@@ -2275,7 +2275,7 @@ EXPORT_SYMBOL_GPL(hid_ignore);
+@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
+ struct hid_report_enum *report_enum = device->report_enum + type;
+ struct hid_report *report;
+
++ if (id >= HID_MAX_IDS)
++ return NULL;
+ if (report_enum->report_id_hash[id])
+ return report_enum->report_id_hash[id];
+
+@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
+
+ case HID_GLOBAL_ITEM_TAG_REPORT_ID:
+ parser->global.report_id = item_udata(item);
+- if (parser->global.report_id == 0) {
+- hid_err(parser->device, "report_id 0 is invalid\n");
++ if (parser->global.report_id == 0 ||
++ parser->global.report_id >= HID_MAX_IDS) {
++ hid_err(parser->device, "report_id %u is invalid\n",
++ parser->global.report_id);
+ return -1;
+ }
+ return 0;
+@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device)
+ for (i = 0; i < HID_REPORT_TYPES; i++) {
+ struct hid_report_enum *report_enum = device->report_enum + i;
+
+- for (j = 0; j < 256; j++) {
++ for (j = 0; j < HID_MAX_IDS; j++) {
+ struct hid_report *report = report_enum->report_id_hash[j];
+ if (report)
+ hid_free_report(report);
+@@ -755,6 +759,56 @@ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size)
+ }
+ EXPORT_SYMBOL_GPL(hid_parse_report);
+
++static const char * const hid_report_names[] = {
++ "HID_INPUT_REPORT",
++ "HID_OUTPUT_REPORT",
++ "HID_FEATURE_REPORT",
++};
++/**
++ * hid_validate_report - validate existing device report
++ *
++ * @device: hid device
++ * @type: which report type to examine
++ * @id: which report ID to examine (0 for first)
++ * @fields: expected number of fields
++ * @report_counts: expected number of values per field
++ *
++ * Validate the report details after parsing.
++ */
++struct hid_report *hid_validate_report(struct hid_device *hid,
++ unsigned int type, unsigned int id,
++ unsigned int fields,
++ unsigned int report_counts)
++{
++ struct hid_report *report;
++ unsigned int i;
++
++ if (type > HID_FEATURE_REPORT) {
++ hid_err(hid, "invalid HID report %u\n", type);
++ return NULL;
++ }
++
++ report = hid->report_enum[type].report_id_hash[id];
++ if (!report) {
++ hid_err(hid, "missing %s %u\n", hid_report_names[type], id);
++ return NULL;
++ }
++ if (report->maxfield < fields) {
++ hid_err(hid, "not enough fields in %s %u\n",
++ hid_report_names[type], id);
++ return NULL;
++ }
++ for (i = 0; i < fields; i++) {
++ if (report->field[i]->report_count < report_counts) {
++ hid_err(hid, "not enough values in %s %u fields\n",
++ hid_report_names[type], id);
++ return NULL;
++ }
++ }
++ return report;
++}
++EXPORT_SYMBOL_GPL(hid_validate_report);
++
+ /**
+ * hid_open_report - open a driver-specific device report
+ *
+@@ -1152,7 +1206,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
+
+ int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
+ {
+- unsigned size = field->report_size;
++ unsigned size;
++
++ if (!field)
++ return -1;
++
++ size = field->report_size;
+
+ hid_dump_input(field->report->device, field->usage + offset, value);
+
+@@ -2275,7 +2334,7 @@ EXPORT_SYMBOL_GPL(hid_ignore);
int hid_add_device(struct hid_device *hdev)
{
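Review bot: hid_validate_report() range-checks `type` but indexes `report_id_hash[id]` with an unchecked `id`, so an id at or above HID_MAX_IDS reads past the table (assuming it has HID_MAX_IDS entries, as the hid_close_report() loop in this hunk suggests). The callers visible on this page pass constants, but the function is exported with EXPORT_SYMBOL_GPL, so the bound belongs in the helper. Adding `if (id >= HID_MAX_IDS) return NULL;` right after the type check would match the guard this hunk adds to hid_register_report(). The kernel-doc also names the first parameter `@device:` while the signature calls it `hid`; it should read `@hid: hid device`.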
@@ -36734,7 +40070,7 @@ index 402f486..f862d7e 100644
int ret;
if (WARN_ON(hdev->status & HID_STAT_ADDED))
-@@ -2309,7 +2309,7 @@ int hid_add_device(struct hid_device *hdev)
+@@ -2309,7 +2368,7 @@ int hid_add_device(struct hid_device *hdev)
/* XXX hack, any other cleaner solution after the driver core
* is converted to allow more than 20 bytes as the device name? */
dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
@@ -36743,6 +40079,349 @@ index 402f486..f862d7e 100644
hid_debug_register(hdev, dev_name(&hdev->dev));
ret = device_add(&hdev->dev);
+diff --git a/drivers/hid/hid-lenovo-tpkbd.c b/drivers/hid/hid-lenovo-tpkbd.c
+index 07837f5..b697ada 100644
+--- a/drivers/hid/hid-lenovo-tpkbd.c
++++ b/drivers/hid/hid-lenovo-tpkbd.c
+@@ -341,6 +341,11 @@ static int tpkbd_probe_tp(struct hid_device *hdev)
+ char *name_mute, *name_micmute;
+ int ret;
+
++ /* Validate required reports. */
++ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, 4, 4, 1) ||
++ !hid_validate_report(hdev, HID_OUTPUT_REPORT, 3, 1, 2))
++ return -ENODEV;
++
+ if (sysfs_create_group(&hdev->dev.kobj,
+ &tpkbd_attr_group_pointer)) {
+ hid_warn(hdev, "Could not create sysfs group\n");
+diff --git a/drivers/hid/hid-lg2ff.c b/drivers/hid/hid-lg2ff.c
+index b3cd150..9805197 100644
+--- a/drivers/hid/hid-lg2ff.c
++++ b/drivers/hid/hid-lg2ff.c
+@@ -64,26 +64,13 @@ int lg2ff_init(struct hid_device *hid)
+ struct hid_report *report;
+ struct hid_input *hidinput = list_entry(hid->inputs.next,
+ struct hid_input, list);
+- struct list_head *report_list =
+- &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+ struct input_dev *dev = hidinput->input;
+ int error;
+
+- if (list_empty(report_list)) {
+- hid_err(hid, "no output report found\n");
++ /* Check that the report looks ok */
++ report = hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7);
++ if (!report)
+ return -ENODEV;
+- }
+-
+- report = list_entry(report_list->next, struct hid_report, list);
+-
+- if (report->maxfield < 1) {
+- hid_err(hid, "output report is empty\n");
+- return -ENODEV;
+- }
+- if (report->field[0]->report_count < 7) {
+- hid_err(hid, "not enough values in the field\n");
+- return -ENODEV;
+- }
+
+ lg2ff = kmalloc(sizeof(struct lg2ff_device), GFP_KERNEL);
+ if (!lg2ff)
+diff --git a/drivers/hid/hid-lg3ff.c b/drivers/hid/hid-lg3ff.c
+index e52f181..53ac79b 100644
+--- a/drivers/hid/hid-lg3ff.c
++++ b/drivers/hid/hid-lg3ff.c
+@@ -66,10 +66,11 @@ static int hid_lg3ff_play(struct input_dev *dev, void *data,
+ int x, y;
+
+ /*
+- * Maxusage should always be 63 (maximum fields)
+- * likely a better way to ensure this data is clean
++ * Available values in the field should always be 63, but we only use up to
++ * 35. Instead, clear the entire area, however big it is.
+ */
+- memset(report->field[0]->value, 0, sizeof(__s32)*report->field[0]->maxusage);
++ memset(report->field[0]->value, 0,
++ sizeof(__s32) * report->field[0]->report_count);
+
+ switch (effect->type) {
+ case FF_CONSTANT:
+@@ -129,32 +130,14 @@ static const signed short ff3_joystick_ac[] = {
+ int lg3ff_init(struct hid_device *hid)
+ {
+ struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
+- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+ struct input_dev *dev = hidinput->input;
+- struct hid_report *report;
+- struct hid_field *field;
+ const signed short *ff_bits = ff3_joystick_ac;
+ int error;
+ int i;
+
+- /* Find the report to use */
+- if (list_empty(report_list)) {
+- hid_err(hid, "No output report found\n");
+- return -1;
+- }
+-
+ /* Check that the report looks ok */
+- report = list_entry(report_list->next, struct hid_report, list);
+- if (!report) {
+- hid_err(hid, "NULL output report\n");
+- return -1;
+- }
+-
+- field = report->field[0];
+- if (!field) {
+- hid_err(hid, "NULL field\n");
+- return -1;
+- }
++ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 35))
++ return -ENODEV;
+
+ /* Assume single fixed device G940 */
+ for (i = 0; ff_bits[i] >= 0; i++)
+diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c
+index 0ddae2a..8b89f0f 100644
+--- a/drivers/hid/hid-lg4ff.c
++++ b/drivers/hid/hid-lg4ff.c
+@@ -484,34 +484,16 @@ static enum led_brightness lg4ff_led_get_brightness(struct led_classdev *led_cde
+ int lg4ff_init(struct hid_device *hid)
+ {
+ struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
+- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+ struct input_dev *dev = hidinput->input;
+- struct hid_report *report;
+- struct hid_field *field;
+ struct lg4ff_device_entry *entry;
+ struct lg_drv_data *drv_data;
+ struct usb_device_descriptor *udesc;
+ int error, i, j;
+ __u16 bcdDevice, rev_maj, rev_min;
+
+- /* Find the report to use */
+- if (list_empty(report_list)) {
+- hid_err(hid, "No output report found\n");
+- return -1;
+- }
+-
+ /* Check that the report looks ok */
+- report = list_entry(report_list->next, struct hid_report, list);
+- if (!report) {
+- hid_err(hid, "NULL output report\n");
++ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7))
+ return -1;
+- }
+-
+- field = report->field[0];
+- if (!field) {
+- hid_err(hid, "NULL field\n");
+- return -1;
+- }
+
+ /* Check what wheel has been connected */
+ for (i = 0; i < ARRAY_SIZE(lg4ff_devices); i++) {
+diff --git a/drivers/hid/hid-lgff.c b/drivers/hid/hid-lgff.c
+index d7ea8c8..a84fb40 100644
+--- a/drivers/hid/hid-lgff.c
++++ b/drivers/hid/hid-lgff.c
+@@ -128,27 +128,14 @@ static void hid_lgff_set_autocenter(struct input_dev *dev, u16 magnitude)
+ int lgff_init(struct hid_device* hid)
+ {
+ struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
+- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+ struct input_dev *dev = hidinput->input;
+- struct hid_report *report;
+- struct hid_field *field;
+ const signed short *ff_bits = ff_joystick;
+ int error;
+ int i;
+
+- /* Find the report to use */
+- if (list_empty(report_list)) {
+- hid_err(hid, "No output report found\n");
+- return -1;
+- }
+-
+ /* Check that the report looks ok */
+- report = list_entry(report_list->next, struct hid_report, list);
+- field = report->field[0];
+- if (!field) {
+- hid_err(hid, "NULL field\n");
+- return -1;
+- }
++ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7))
++ return -ENODEV;
+
+ for (i = 0; i < ARRAY_SIZE(devices); i++) {
+ if (dev->id.vendor == devices[i].idVendor &&
+diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
+index 5207591a..6c9197f 100644
+--- a/drivers/hid/hid-logitech-dj.c
++++ b/drivers/hid/hid-logitech-dj.c
+@@ -421,7 +421,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev,
+ struct hid_report *report;
+ struct hid_report_enum *output_report_enum;
+ u8 *data = (u8 *)(&dj_report->device_index);
+- int i;
++ unsigned int i, length;
+
+ output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT];
+ report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT];
+@@ -431,7 +431,9 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev,
+ return -ENODEV;
+ }
+
+- for (i = 0; i < report->field[0]->report_count; i++)
++ length = min_t(size_t, sizeof(*dj_report) - 1,
++ report->field[0]->report_count);
++ for (i = 0; i < length; i++)
+ report->field[0]->value[i] = data[i];
+
+ hid_hw_request(hdev, report, HID_REQ_SET_REPORT);
+@@ -738,6 +740,12 @@ static int logi_dj_probe(struct hid_device *hdev,
+ goto hid_parse_fail;
+ }
+
++ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT,
++ 1, 3)) {
++ retval = -ENODEV;
++ goto hid_parse_fail;
++ }
++
+ /* Starts the usb device and connects to upper interfaces hiddev and
+ * hidraw */
+ retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index d39a5ce..4892dfc 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -330,9 +330,18 @@ static void mt_feature_mapping(struct hid_device *hdev,
+ break;
+ }
+ }
++ /* Ignore if value index is out of bounds. */
++ if (td->inputmode_index < 0 ||
++ td->inputmode_index >= field->report_count) {
++ dev_err(&hdev->dev, "HID_DG_INPUTMODE out of range\n");
++ td->inputmode = -1;
++ }
+
+ break;
+ case HID_DG_CONTACTMAX:
++ /* Ignore if value count is out of bounds. */
++ if (field->report_count < 1)
++ break;
+ td->maxcontact_report_id = field->report->id;
+ td->maxcontacts = field->value[0];
+ if (!td->maxcontacts &&
+@@ -743,15 +752,21 @@ static void mt_touch_report(struct hid_device *hid, struct hid_report *report)
+ unsigned count;
+ int r, n;
+
++ if (report->maxfield == 0)
++ return;
++
+ /*
+ * Includes multi-packet support where subsequent
+ * packets are sent with zero contactcount.
+ */
+- if (td->cc_index >= 0) {
+- struct hid_field *field = report->field[td->cc_index];
+- int value = field->value[td->cc_value_index];
+- if (value)
+- td->num_expected = value;
++ if (td->cc_index >= 0 && td->cc_index < report->maxfield) {
++ field = report->field[td->cc_index];
++ if (td->cc_value_index >= 0 &&
++ td->cc_value_index < field->report_count) {
++ int value = field->value[td->cc_value_index];
++ if (value)
++ td->num_expected = value;
++ }
+ }
+
+ for (r = 0; r < report->maxfield; r++) {
+diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
+index ef95102..5482156 100644
+--- a/drivers/hid/hid-ntrig.c
++++ b/drivers/hid/hid-ntrig.c
+@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
+ struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
+ report_id_hash[0x0d];
+
+- if (!report)
++ if (!report || report->maxfield < 1 ||
++ report->field[0]->report_count < 1)
+ return -EINVAL;
+
+ hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
+diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
+index b48092d..72bba1e 100644
+--- a/drivers/hid/hid-picolcd_core.c
++++ b/drivers/hid/hid-picolcd_core.c
+@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
+ buf += 10;
+ cnt -= 10;
+ }
+- if (!report)
++ if (!report || report->maxfield < 1)
+ return -EINVAL;
+
+ while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
+diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
+index d29112f..2dcd7d9 100644
+--- a/drivers/hid/hid-pl.c
++++ b/drivers/hid/hid-pl.c
+@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid)
+ strong = &report->field[0]->value[2];
+ weak = &report->field[0]->value[3];
+ debug("detected single-field device");
+- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
+- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
++ } else if (report->field[0]->maxusage == 1 &&
++ report->field[0]->usage[0].hid ==
++ (HID_UP_LED | 0x43) &&
++ report->maxfield >= 4 &&
++ report->field[0]->report_count >= 1 &&
++ report->field[1]->report_count >= 1 &&
++ report->field[2]->report_count >= 1 &&
++ report->field[3]->report_count >= 1) {
+ report->field[0]->value[0] = 0x00;
+ report->field[1]->value[0] = 0x00;
+ strong = &report->field[2]->value[0];
+diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
+index ca749810..aa34755 100644
+--- a/drivers/hid/hid-sensor-hub.c
++++ b/drivers/hid/hid-sensor-hub.c
+@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
+
+ mutex_lock(&data->mutex);
+ report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
+- if (!report || (field_index >= report->maxfield)) {
++ if (!report || (field_index >= report->maxfield) ||
++ report->field[field_index]->report_count < 1) {
+ ret = -EINVAL;
+ goto done_proc;
+ }
+diff --git a/drivers/hid/hid-steelseries.c b/drivers/hid/hid-steelseries.c
+index d164911..ef42e86 100644
+--- a/drivers/hid/hid-steelseries.c
++++ b/drivers/hid/hid-steelseries.c
+@@ -249,6 +249,11 @@ static int steelseries_srws1_probe(struct hid_device *hdev,
+ goto err_free;
+ }
+
++ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, 0, 1, 16)) {
++ ret = -ENODEV;
++ goto err_free;
++ }
++
+ ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
+ if (ret) {
+ hid_err(hdev, "hw start failed\n");
diff --git a/drivers/hid/hid-wiimote-debug.c b/drivers/hid/hid-wiimote-debug.c
index 90124ff..3761764 100644
--- a/drivers/hid/hid-wiimote-debug.c
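Review bot: The converted init functions (lg2ff_init, lg3ff_init, lg4ff_init, lgff_init, and zpff_init in the next hunk) pass id 0 to hid_validate_report(), which looks up `report_id_hash[0]`, whereas the removed code took the first entry of `report_list`. For a device whose output report carries a non-zero report ID these are different objects, so init fails with "missing HID_OUTPUT_REPORT 0". Where the play and send routines outside this hunk still fetch `report_list->next`, the report written to later is also not the one that was validated. The helper's kernel-doc says "0 for first", so hid_validate_report() could treat id 0 as "first report on `hid->report_enum[type].report_list`" (after a `list_empty()` check) to keep the old selection. Separately, lg4ff_init still returns `-1` on this path while lg3ff_init and lgff_init now return `-ENODEV`.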
@@ -36756,6 +40435,66 @@ index 90124ff..3761764 100644
return -EFAULT;
*off += size;
+diff --git a/drivers/hid/hid-zpff.c b/drivers/hid/hid-zpff.c
+index 6ec28a3..b124991 100644
+--- a/drivers/hid/hid-zpff.c
++++ b/drivers/hid/hid-zpff.c
+@@ -68,22 +68,12 @@ static int zpff_init(struct hid_device *hid)
+ struct hid_report *report;
+ struct hid_input *hidinput = list_entry(hid->inputs.next,
+ struct hid_input, list);
+- struct list_head *report_list =
+- &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+ struct input_dev *dev = hidinput->input;
+ int error;
+
+- if (list_empty(report_list)) {
+- hid_err(hid, "no output report found\n");
++ report = hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 4, 1);
++ if (!report)
+ return -ENODEV;
+- }
+-
+- report = list_entry(report_list->next, struct hid_report, list);
+-
+- if (report->maxfield < 4) {
+- hid_err(hid, "not enough fields in report\n");
+- return -ENODEV;
+- }
+
+ zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL);
+ if (!zpff)
+diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c
+index fc307e0..2b255e8 100644
+--- a/drivers/hid/uhid.c
++++ b/drivers/hid/uhid.c
+@@ -47,7 +47,7 @@ struct uhid_device {
+ struct mutex report_lock;
+ wait_queue_head_t report_wait;
+ atomic_t report_done;
+- atomic_t report_id;
++ atomic_unchecked_t report_id;
+ struct uhid_event report_buf;
+ };
+
+@@ -187,7 +187,7 @@ static int uhid_hid_get_raw(struct hid_device *hid, unsigned char rnum,
+
+ spin_lock_irqsave(&uhid->qlock, flags);
+ ev->type = UHID_FEATURE;
+- ev->u.feature.id = atomic_inc_return(&uhid->report_id);
++ ev->u.feature.id = atomic_inc_return_unchecked(&uhid->report_id);
+ ev->u.feature.rnum = rnum;
+ ev->u.feature.rtype = report_type;
+
+@@ -471,7 +471,7 @@ static int uhid_dev_feature_answer(struct uhid_device *uhid,
+ spin_lock_irqsave(&uhid->qlock, flags);
+
+ /* id for old report; drop it silently */
+- if (atomic_read(&uhid->report_id) != ev->u.feature_answer.id)
++ if (atomic_read_unchecked(&uhid->report_id) != ev->u.feature_answer.id)
+ goto unlock;
+ if (atomic_read(&uhid->report_done))
+ goto unlock;
diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
index 0b122f8..b1d8160 100644
--- a/drivers/hv/channel.c
@@ -36784,6 +40523,91 @@ index ae49237..380d4c9 100644
__asm__ __volatile__ ("call *%8" : "=d"(hv_status_hi),
"=a"(hv_status_lo) : "d" (control_hi),
+diff --git a/drivers/hv/hv_balloon.c b/drivers/hv/hv_balloon.c
+index deb5c25..ed2d4fd 100644
+--- a/drivers/hv/hv_balloon.c
++++ b/drivers/hv/hv_balloon.c
+@@ -464,7 +464,7 @@ MODULE_PARM_DESC(hot_add, "If set attempt memory hot_add");
+
+ module_param(pressure_report_delay, uint, (S_IRUGO | S_IWUSR));
+ MODULE_PARM_DESC(pressure_report_delay, "Delay in secs in reporting pressure");
+-static atomic_t trans_id = ATOMIC_INIT(0);
++static atomic_unchecked_t trans_id = ATOMIC_INIT(0);
+
+ static int dm_ring_size = (5 * PAGE_SIZE);
+
+@@ -825,7 +825,7 @@ static void hot_add_req(struct work_struct *dummy)
+ memset(&resp, 0, sizeof(struct dm_hot_add_response));
+ resp.hdr.type = DM_MEM_HOT_ADD_RESPONSE;
+ resp.hdr.size = sizeof(struct dm_hot_add_response);
+- resp.hdr.trans_id = atomic_inc_return(&trans_id);
++ resp.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
+
+ #ifdef CONFIG_MEMORY_HOTPLUG
+ pg_start = dm->ha_wrk.ha_page_range.finfo.start_page;
+@@ -960,7 +960,7 @@ static void post_status(struct hv_dynmem_device *dm)
+ memset(&status, 0, sizeof(struct dm_status));
+ status.hdr.type = DM_STATUS_REPORT;
+ status.hdr.size = sizeof(struct dm_status);
+- status.hdr.trans_id = atomic_inc_return(&trans_id);
++ status.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
+
+ /*
+ * The host expects the guest to report free memory.
+@@ -980,7 +980,7 @@ static void post_status(struct hv_dynmem_device *dm)
+ * send the status. This can happen if we were interrupted
+ * after we picked our transaction ID.
+ */
+- if (status.hdr.trans_id != atomic_read(&trans_id))
++ if (status.hdr.trans_id != atomic_read_unchecked(&trans_id))
+ return;
+
+ vmbus_sendpacket(dm->dev->channel, &status,
+@@ -1081,7 +1081,7 @@ static void balloon_up(struct work_struct *dummy)
+ bl_resp = (struct dm_balloon_response *)send_buffer;
+ memset(send_buffer, 0, PAGE_SIZE);
+ bl_resp->hdr.type = DM_BALLOON_RESPONSE;
+- bl_resp->hdr.trans_id = atomic_inc_return(&trans_id);
++ bl_resp->hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
+ bl_resp->hdr.size = sizeof(struct dm_balloon_response);
+ bl_resp->more_pages = 1;
+
+@@ -1152,7 +1152,7 @@ static void balloon_down(struct hv_dynmem_device *dm,
+
+ memset(&resp, 0, sizeof(struct dm_unballoon_response));
+ resp.hdr.type = DM_UNBALLOON_RESPONSE;
+- resp.hdr.trans_id = atomic_inc_return(&trans_id);
++ resp.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
+ resp.hdr.size = sizeof(struct dm_unballoon_response);
+
+ vmbus_sendpacket(dm_device.dev->channel, &resp,
+@@ -1215,7 +1215,7 @@ static void version_resp(struct hv_dynmem_device *dm,
+ memset(&version_req, 0, sizeof(struct dm_version_request));
+ version_req.hdr.type = DM_VERSION_REQUEST;
+ version_req.hdr.size = sizeof(struct dm_version_request);
+- version_req.hdr.trans_id = atomic_inc_return(&trans_id);
++ version_req.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
+ version_req.version.version = DYNMEM_PROTOCOL_VERSION_WIN7;
+ version_req.is_last_attempt = 1;
+
+@@ -1385,7 +1385,7 @@ static int balloon_probe(struct hv_device *dev,
+ memset(&version_req, 0, sizeof(struct dm_version_request));
+ version_req.hdr.type = DM_VERSION_REQUEST;
+ version_req.hdr.size = sizeof(struct dm_version_request);
+- version_req.hdr.trans_id = atomic_inc_return(&trans_id);
++ version_req.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
+ version_req.version.version = DYNMEM_PROTOCOL_VERSION_WIN8;
+ version_req.is_last_attempt = 0;
+
+@@ -1416,7 +1416,7 @@ static int balloon_probe(struct hv_device *dev,
+ memset(&cap_msg, 0, sizeof(struct dm_capabilities));
+ cap_msg.hdr.type = DM_CAPABILITIES_REPORT;
+ cap_msg.hdr.size = sizeof(struct dm_capabilities);
+- cap_msg.hdr.trans_id = atomic_inc_return(&trans_id);
++ cap_msg.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
+
+ cap_msg.caps.cap_bits.balloon = 1;
+ cap_msg.caps.cap_bits.hot_add = 1;
diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h
index 12f2f9e..679603c 100644
--- a/drivers/hv/hyperv_vmbus.h
@@ -37385,6 +41209,32 @@ index 1f95bba..9530f87 100644
(u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
sdata, wqe->wr.wr.atomic.swap);
goto send_comp;
+diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c
+index 4d599ce..697b17f 100644
+--- a/drivers/infiniband/hw/mlx4/mad.c
++++ b/drivers/infiniband/hw/mlx4/mad.c
+@@ -98,7 +98,7 @@ __be64 mlx4_ib_gen_node_guid(void)
+
+ __be64 mlx4_ib_get_new_demux_tid(struct mlx4_ib_demux_ctx *ctx)
+ {
+- return cpu_to_be64(atomic_inc_return(&ctx->tid)) |
++ return cpu_to_be64(atomic_inc_return_unchecked(&ctx->tid)) |
+ cpu_to_be64(0xff00000000000000LL);
+ }
+
+diff --git a/drivers/infiniband/hw/mlx4/mlx4_ib.h b/drivers/infiniband/hw/mlx4/mlx4_ib.h
+index f61ec26..ebf72cf 100644
+--- a/drivers/infiniband/hw/mlx4/mlx4_ib.h
++++ b/drivers/infiniband/hw/mlx4/mlx4_ib.h
+@@ -398,7 +398,7 @@ struct mlx4_ib_demux_ctx {
+ struct list_head mcg_mgid0_list;
+ struct workqueue_struct *mcg_wq;
+ struct mlx4_ib_demux_pv_ctx **tun;
+- atomic_t tid;
++ atomic_unchecked_t tid;
+ int flushing; /* flushing the work queue */
+ };
+
diff --git a/drivers/infiniband/hw/mthca/mthca_cmd.c b/drivers/infiniband/hw/mthca/mthca_cmd.c
index 9d3e5c1..d9afe4a 100644
--- a/drivers/infiniband/hw/mthca/mthca_cmd.c
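Review bot: In `mlx4_ib_get_new_demux_tid()` the counter is widened to 64 bits directly from the value `atomic_inc_return_unchecked(&ctx->tid)` returns. Assuming that is a signed `int` like `atomic_inc_return()`, a counter that is now explicitly allowed to wrap will sign-extend once it goes negative and set every upper bit of the TID, not just the `0xff` top byte. Widening through an unsigned 32-bit type keeps the low word a plain sequence number: `return cpu_to_be64((u32)atomic_inc_return_unchecked(&ctx->tid)) |`. Other readers of `ctx->tid`, if any, are outside this hunk.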
@@ -37913,6 +41763,28 @@ index fa061d4..4a6957c 100644
snprintf(led->name, sizeof(led->name), "xpad%ld", led_no);
led->xpad = xpad;
+diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
+index e204f26..8459f15 100644
+--- a/drivers/input/misc/ims-pcu.c
++++ b/drivers/input/misc/ims-pcu.c
+@@ -1621,7 +1621,7 @@ static int ims_pcu_identify_type(struct ims_pcu *pcu, u8 *device_id)
+
+ static int ims_pcu_init_application_mode(struct ims_pcu *pcu)
+ {
+- static atomic_t device_no = ATOMIC_INIT(0);
++ static atomic_unchecked_t device_no = ATOMIC_INIT(0);
+
+ const struct ims_pcu_device_info *info;
+ u8 device_id;
+@@ -1653,7 +1653,7 @@ static int ims_pcu_init_application_mode(struct ims_pcu *pcu)
+ }
+
+ /* Device appears to be operable, complete initialization */
+- pcu->device_no = atomic_inc_return(&device_no) - 1;
++ pcu->device_no = atomic_inc_return_unchecked(&device_no) - 1;
+
+ error = ims_pcu_setup_backlight(pcu);
+ if (error)
diff --git a/drivers/input/mouse/psmouse.h b/drivers/input/mouse/psmouse.h
index 2f0b39d..7370f13 100644
--- a/drivers/input/mouse/psmouse.h
@@ -37961,6 +41833,28 @@ index 25fc597..558bf3b3 100644
serio->dev.bus = &serio_bus;
serio->dev.release = serio_release_port;
serio->dev.groups = serio_device_attr_groups;
+diff --git a/drivers/input/serio/serio_raw.c b/drivers/input/serio/serio_raw.c
+index 59df2e7..8f1cafb 100644
+--- a/drivers/input/serio/serio_raw.c
++++ b/drivers/input/serio/serio_raw.c
+@@ -293,7 +293,7 @@ static irqreturn_t serio_raw_interrupt(struct serio *serio, unsigned char data,
+
+ static int serio_raw_connect(struct serio *serio, struct serio_driver *drv)
+ {
+- static atomic_t serio_raw_no = ATOMIC_INIT(0);
++ static atomic_unchecked_t serio_raw_no = ATOMIC_INIT(0);
+ struct serio_raw *serio_raw;
+ int err;
+
+@@ -304,7 +304,7 @@ static int serio_raw_connect(struct serio *serio, struct serio_driver *drv)
+ }
+
+ snprintf(serio_raw->name, sizeof(serio_raw->name),
+- "serio_raw%ld", (long)atomic_inc_return(&serio_raw_no) - 1);
++ "serio_raw%ld", (long)atomic_inc_return_unchecked(&serio_raw_no) - 1);
+ kref_init(&serio_raw->kref);
+ INIT_LIST_HEAD(&serio_raw->client_list);
+ init_waitqueue_head(&serio_raw->wait);
diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index d8f98b1..f62a640 100644
--- a/drivers/iommu/iommu.c
@@ -38095,6 +41989,19 @@ index 600c79b..3752bab 100644
tty_port_tty_set(&cs->port, NULL);
mutex_unlock(&cs->mutex);
+diff --git a/drivers/isdn/gigaset/usb-gigaset.c b/drivers/isdn/gigaset/usb-gigaset.c
+index d0a41cb..f0cdb8c 100644
+--- a/drivers/isdn/gigaset/usb-gigaset.c
++++ b/drivers/isdn/gigaset/usb-gigaset.c
+@@ -547,7 +547,7 @@ static int gigaset_brkchars(struct cardstate *cs, const unsigned char buf[6])
+ gigaset_dbg_buffer(DEBUG_USBREQ, "brkchars", 6, buf);
+ memcpy(cs->hw.usb->bchars, buf, 6);
+ return usb_control_msg(udev, usb_sndctrlpipe(udev, 0), 0x19, 0x41,
+- 0, 0, &buf, 6, 2000);
++ 0, 0, buf, 6, 2000);
+ }
+
+ static void gigaset_freebcshw(struct bc_state *bcs)
diff --git a/drivers/isdn/hardware/avm/b1.c b/drivers/isdn/hardware/avm/b1.c
index 4d9b195..455075c 100644
--- a/drivers/isdn/hardware/avm/b1.c
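Review bot: The corrected call in `gigaset_brkchars()` now passes `buf` to `usb_control_msg()`, but `buf` is a `const unsigned char[6]` parameter whose storage belongs to the caller. The USB core takes the transfer buffer as a non-const `void *` and expects memory that is safe for DMA, not stack or read-only data. The line above already copies the six bytes into `cs->hw.usb->bchars`, so passing that copy avoids both the dropped qualifier and the dependence on the caller's storage: `0, 0, cs->hw.usb->bchars, 6, 2000);`. Whether `bchars` is heap memory depends on how `cs->hw.usb` is allocated, which is outside this hunk along with the start of the function, and should be confirmed.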
@@ -38117,6 +42024,19 @@ index 4d9b195..455075c 100644
return -EFAULT;
} else {
memcpy(buf, dp, left);
+diff --git a/drivers/isdn/i4l/isdn_common.c b/drivers/isdn/i4l/isdn_common.c
+index 9bb12ba..d4262f7 100644
+--- a/drivers/isdn/i4l/isdn_common.c
++++ b/drivers/isdn/i4l/isdn_common.c
+@@ -1651,6 +1651,8 @@ isdn_ioctl(struct file *file, uint cmd, ulong arg)
+ } else
+ return -EINVAL;
+ case IIOCDBGVAR:
++ if (!capable(CAP_SYS_RAWIO))
++ return -EPERM;
+ if (arg) {
+ if (copy_to_user(argp, &dev, sizeof(ulong)))
+ return -EFAULT;
diff --git a/drivers/isdn/i4l/isdn_tty.c b/drivers/isdn/i4l/isdn_tty.c
index 3c5f249..5fac4d0 100644
--- a/drivers/isdn/i4l/isdn_tty.c
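Review bot: The new `capable(CAP_SYS_RAWIO)` gate on `IIOCDBGVAR` has no comment saying what it protects, and the reason is not obvious from the case body. The `copy_to_user(argp, &dev, sizeof(ulong))` that follows appears to give user space the value of the driver's `dev` pointer, which is a kernel address. I would add `/* returns a kernel address; privileged callers only */` above the check. The rest of the `IIOCDBGVAR` case and the enclosing `isdn_ioctl()` continue outside the hunk, so any further debug output in that case is not visible here.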
@@ -38385,6 +42305,19 @@ index 0003992..854bbce 100644
closure_set_ip(cl);
cl->fn = fn;
cl->wq = wq;
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index b4713ce..b30139b 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1603,7 +1603,7 @@ err_unlock_gc:
+ err:
+ closure_sync(&op.cl);
+ /* XXX: test this, it's broken */
+- bch_cache_set_error(c, err);
++ bch_cache_set_error(c, "%s", err);
+ }
+
+ static bool can_attach_cache(struct cache *ca, struct cache_set *c)
diff --git a/drivers/md/bitmap.c b/drivers/md/bitmap.c
index 5a2c754..0fa55db 100644
--- a/drivers/md/bitmap.c
@@ -38939,6 +42872,19 @@ index c7a9be1..683f6f8 100644
module_param_array(video_nr, int, NULL, 0444);
module_param_array(vbi_nr, int, NULL, 0444);
+diff --git a/drivers/media/pci/ivtv/ivtv-driver.c b/drivers/media/pci/ivtv/ivtv-driver.c
+index 07b8460..e6d7265 100644
+--- a/drivers/media/pci/ivtv/ivtv-driver.c
++++ b/drivers/media/pci/ivtv/ivtv-driver.c
+@@ -84,7 +84,7 @@ static struct pci_device_id ivtv_pci_tbl[] = {
+ MODULE_DEVICE_TABLE(pci,ivtv_pci_tbl);
+
+ /* ivtv instance counter */
+-static atomic_t ivtv_instance = ATOMIC_INIT(0);
++static atomic_unchecked_t ivtv_instance = ATOMIC_INIT(0);
+
+ /* Parameter declarations */
+ static int cardtype[IVTV_MAX_CARDS];
diff --git a/drivers/media/platform/omap/omap_vout.c b/drivers/media/platform/omap/omap_vout.c
index d338b19..aae4f9e 100644
--- a/drivers/media/platform/omap/omap_vout.c
@@ -39149,6 +43095,80 @@ index 545c04c..a14bded 100644
i = -EFAULT;
unlock:
mutex_unlock(&dev->lock);
+diff --git a/drivers/media/radio/radio-maxiradio.c b/drivers/media/radio/radio-maxiradio.c
+index bd4d3a7..ffc0b9d 100644
+--- a/drivers/media/radio/radio-maxiradio.c
++++ b/drivers/media/radio/radio-maxiradio.c
+@@ -61,7 +61,7 @@ MODULE_PARM_DESC(radio_nr, "Radio device number");
+ /* TEA5757 pin mappings */
+ static const int clk = 1, data = 2, wren = 4, mo_st = 8, power = 16;
+
+-static atomic_t maxiradio_instance = ATOMIC_INIT(0);
++static atomic_unchecked_t maxiradio_instance = ATOMIC_INIT(0);
+
+ #define PCI_VENDOR_ID_GUILLEMOT 0x5046
+ #define PCI_DEVICE_ID_GUILLEMOT_MAXIRADIO 0x1001
+diff --git a/drivers/media/radio/radio-shark.c b/drivers/media/radio/radio-shark.c
+index 8fa18ab..caee70f 100644
+--- a/drivers/media/radio/radio-shark.c
++++ b/drivers/media/radio/radio-shark.c
+@@ -79,7 +79,7 @@ struct shark_device {
+ u32 last_val;
+ };
+
+-static atomic_t shark_instance = ATOMIC_INIT(0);
++static atomic_unchecked_t shark_instance = ATOMIC_INIT(0);
+
+ static void shark_write_val(struct snd_tea575x *tea, u32 val)
+ {
+diff --git a/drivers/media/radio/radio-shark2.c b/drivers/media/radio/radio-shark2.c
+index 9fb6697..f167415 100644
+--- a/drivers/media/radio/radio-shark2.c
++++ b/drivers/media/radio/radio-shark2.c
+@@ -74,7 +74,7 @@ struct shark_device {
+ u8 *transfer_buffer;
+ };
+
+-static atomic_t shark_instance = ATOMIC_INIT(0);
++static atomic_unchecked_t shark_instance = ATOMIC_INIT(0);
+
+ static int shark_write_reg(struct radio_tea5777 *tea, u64 reg)
+ {
+diff --git a/drivers/media/radio/radio-si476x.c b/drivers/media/radio/radio-si476x.c
+index 9dc8baf..796d52f 100644
+--- a/drivers/media/radio/radio-si476x.c
++++ b/drivers/media/radio/radio-si476x.c
+@@ -1456,7 +1456,7 @@ static int si476x_radio_probe(struct platform_device *pdev)
+ struct si476x_radio *radio;
+ struct v4l2_ctrl *ctrl;
+
+- static atomic_t instance = ATOMIC_INIT(0);
++ static atomic_unchecked_t instance = ATOMIC_INIT(0);
+
+ radio = devm_kzalloc(&pdev->dev, sizeof(*radio), GFP_KERNEL);
+ if (!radio)
+diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c
+index 1cf382a..c22998c 100644
+--- a/drivers/media/rc/rc-main.c
++++ b/drivers/media/rc/rc-main.c
+@@ -1030,7 +1030,7 @@ EXPORT_SYMBOL_GPL(rc_free_device);
+ int rc_register_device(struct rc_dev *dev)
+ {
+ static bool raw_init = false; /* raw decoders loaded? */
+- static atomic_t devno = ATOMIC_INIT(0);
++ static atomic_unchecked_t devno = ATOMIC_INIT(0);
+ struct rc_map *rc_map;
+ const char *path;
+ int rc;
+@@ -1061,7 +1061,7 @@ int rc_register_device(struct rc_dev *dev)
+ */
+ mutex_lock(&dev->lock);
+
+- dev->devno = (unsigned long)(atomic_inc_return(&devno) - 1);
++ dev->devno = (unsigned long)(atomic_inc_return_unchecked(&devno) - 1);
+ dev_set_name(&dev->dev, "rc%ld", dev->devno);
+ dev_set_drvdata(&dev->dev, dev);
+ rc = device_add(&dev->dev);
diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c
index 3940bb0..fb3952a 100644
--- a/drivers/media/usb/dvb-usb/cxusb.c
@@ -39206,6 +43226,22 @@ index f129551..ecf6514 100644
return -EFAULT;
return 0;
}
+diff --git a/drivers/media/v4l2-core/v4l2-device.c b/drivers/media/v4l2-core/v4l2-device.c
+index 8ed5da2..47fee46 100644
+--- a/drivers/media/v4l2-core/v4l2-device.c
++++ b/drivers/media/v4l2-core/v4l2-device.c
+@@ -74,9 +74,9 @@ int v4l2_device_put(struct v4l2_device *v4l2_dev)
+ EXPORT_SYMBOL_GPL(v4l2_device_put);
+
+ int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
+- atomic_t *instance)
++ atomic_unchecked_t *instance)
+ {
+- int num = atomic_inc_return(instance) - 1;
++ int num = atomic_inc_return_unchecked(instance) - 1;
+ int len = strlen(basename);
+
+ if (basename[len - 1] >= '0' && basename[len - 1] <= '9')
diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
index 7658586..1079260 100644
--- a/drivers/media/v4l2-core/v4l2-ioctl.c
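Review bot: `v4l2_device_set_name()` indexes `basename[len - 1]` right after `len = strlen(basename)`, so an empty `basename` reads one byte before the string. The conversion to `atomic_unchecked_t` leaves that untouched. A guard such as `if (len && basename[len - 1] >= '0' && basename[len - 1] <= '9')` closes it. Callers are not visible here, so how reachable the empty case is cannot be judged from the page, and the function body continues past the end of the hunk.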
@@ -40377,6 +44413,18 @@ index d3f8797..82a03d3 100644
vlan_req = (struct qlcnic_vlan_req *)&req->words[1];
vlan_req->vlan_id = cpu_to_le16(vlan_id);
+diff --git a/drivers/net/ethernet/realtek/8139cp.c b/drivers/net/ethernet/realtek/8139cp.c
+index 887aebe..9095ff9 100644
+--- a/drivers/net/ethernet/realtek/8139cp.c
++++ b/drivers/net/ethernet/realtek/8139cp.c
+@@ -524,6 +524,7 @@ rx_status_loop:
+ PCI_DMA_FROMDEVICE);
+ if (dma_mapping_error(&cp->pdev->dev, new_mapping)) {
+ dev->stats.rx_dropped++;
++ kfree_skb(new_skb);
+ goto rx_next;
+ }
+
diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
index 393f961..d343034 100644
--- a/drivers/net/ethernet/realtek/r8169.c
@@ -40594,10 +44642,32 @@ index b305105..8ead6df 100644
};
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
-index 2491eb2..694b2ec 100644
+index 2491eb2..1a453eb 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
-@@ -1869,7 +1869,7 @@ unlock:
+@@ -1076,8 +1076,9 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
+ u32 rxhash;
+
+ if (!(tun->flags & TUN_NO_PI)) {
+- if ((len -= sizeof(pi)) > total_len)
++ if (len < sizeof(pi))
+ return -EINVAL;
++ len -= sizeof(pi);
+
+ if (memcpy_fromiovecend((void *)&pi, iv, 0, sizeof(pi)))
+ return -EFAULT;
+@@ -1085,8 +1086,9 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
+ }
+
+ if (tun->flags & TUN_VNET_HDR) {
+- if ((len -= tun->vnet_hdr_sz) > total_len)
++ if (len < tun->vnet_hdr_sz)
+ return -EINVAL;
++ len -= tun->vnet_hdr_sz;
+
+ if (memcpy_fromiovecend((void *)&gso, iv, offset, sizeof(gso)))
+ return -EFAULT;
+@@ -1869,7 +1871,7 @@ unlock:
}
static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
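Review bot: In the `TUN_VNET_HDR` branch of `tun_get_user()` the new guard compares `len` with `tun->vnet_hdr_sz`, while the copy that follows reads `sizeof(gso)` bytes. The check therefore only covers that copy if `vnet_hdr_sz` can never be smaller than `sizeof(gso)`. That invariant is presumably enforced where the header size is set, outside this hunk, and a one-line comment would record it: `/* vnet_hdr_sz is never below sizeof(gso), see TUNSETVNETHDRSZ */`. It is also worth confirming that `len` and `vnet_hdr_sz` have the same signedness, because the replaced `(len -= ...) > total_len` test relied on unsigned wraparound and a mixed comparison here would convert silently.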
@@ -40606,7 +44676,7 @@ index 2491eb2..694b2ec 100644
{
struct tun_file *tfile = file->private_data;
struct tun_struct *tun;
-@@ -1881,6 +1881,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
+@@ -1881,6 +1883,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
int vnet_hdr_sz;
int ret;
@@ -40707,6 +44777,28 @@ index cba1d46..f703766 100644
result =
hso_start_serial_device(serial_table[i], GFP_NOIO);
hso_kick_transmit(dev2ser(serial_table[i]));
+diff --git a/drivers/net/usb/sierra_net.c b/drivers/net/usb/sierra_net.c
+index a79e9d3..78cd4fa 100644
+--- a/drivers/net/usb/sierra_net.c
++++ b/drivers/net/usb/sierra_net.c
+@@ -52,7 +52,7 @@ static const char driver_name[] = "sierra_net";
+ /* atomic counter partially included in MAC address to make sure 2 devices
+ * do not end up with the same MAC - concept breaks in case of > 255 ifaces
+ */
+-static atomic_t iface_counter = ATOMIC_INIT(0);
++static atomic_unchecked_t iface_counter = ATOMIC_INIT(0);
+
+ /*
+ * SYNC Timer Delay definition used to set the expiry time
+@@ -698,7 +698,7 @@ static int sierra_net_bind(struct usbnet *dev, struct usb_interface *intf)
+ dev->net->netdev_ops = &sierra_net_device_ops;
+
+ /* change MAC addr to include, ifacenum, and to be unique */
+- dev->net->dev_addr[ETH_ALEN-2] = atomic_inc_return(&iface_counter);
++ dev->net->dev_addr[ETH_ALEN-2] = atomic_inc_return_unchecked(&iface_counter);
+ dev->net->dev_addr[ETH_ALEN-1] = ifacenum;
+
+ /* we will have to manufacture ethernet headers, prepare template */
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index 57325f3..36b181f 100644
--- a/drivers/net/vxlan.c
@@ -41111,8 +45203,29 @@ index d532948..e0d8bb1 100644
memset(buf, 0, sizeof(buf));
buf_size = min(count, sizeof(buf) - 1);
+diff --git a/drivers/net/wireless/iwlwifi/dvm/main.c b/drivers/net/wireless/iwlwifi/dvm/main.c
+index a8afc7b..de058b2 100644
+--- a/drivers/net/wireless/iwlwifi/dvm/main.c
++++ b/drivers/net/wireless/iwlwifi/dvm/main.c
+@@ -1189,7 +1189,7 @@ static void iwl_option_config(struct iwl_priv *priv)
+ static int iwl_eeprom_init_hw_params(struct iwl_priv *priv)
+ {
+ struct iwl_nvm_data *data = priv->nvm_data;
+- char *debug_msg;
++ static const char debug_msg[] = "Device SKU: 24GHz %s %s, 52GHz %s %s, 11.n %s %s\n";
+
+ if (data->sku_cap_11n_enable &&
+ !priv->cfg->ht_params) {
+@@ -1203,7 +1203,6 @@ static int iwl_eeprom_init_hw_params(struct iwl_priv *priv)
+ return -EINVAL;
+ }
+
+- debug_msg = "Device SKU: 24GHz %s %s, 52GHz %s %s, 11.n %s %s\n";
+ IWL_DEBUG_INFO(priv, debug_msg,
+ data->sku_cap_band_24GHz_enable ? "" : "NOT", "enabled",
+ data->sku_cap_band_52GHz_enable ? "" : "NOT", "enabled",
diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c
-index 50ba0a4..29424e7 100644
+index aeb70e1..d7b5bb5 100644
--- a/drivers/net/wireless/iwlwifi/pcie/trans.c
+++ b/drivers/net/wireless/iwlwifi/pcie/trans.c
@@ -1329,7 +1329,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file,
@@ -41203,7 +45316,7 @@ index 7510723..5ba37f5 100644
static inline struct rt2x00_intf* vif_to_intf(struct ieee80211_vif *vif)
diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c
-index 2c12311..7b77f24 100644
+index d955741..8730748 100644
--- a/drivers/net/wireless/rt2x00/rt2x00queue.c
+++ b/drivers/net/wireless/rt2x00/rt2x00queue.c
@@ -252,9 +252,9 @@ static void rt2x00queue_create_tx_descriptor_seq(struct rt2x00_dev *rt2x00dev,
@@ -41607,6 +45720,26 @@ index 7d72c5e..edce02c 100644
char name[SLOT_NAME_SIZE];
int retval = -ENOMEM;
+diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c
+index 5127f3f..b225573 100644
+--- a/drivers/pci/hotplug/pciehp_hpc.c
++++ b/drivers/pci/hotplug/pciehp_hpc.c
+@@ -773,14 +773,12 @@ static void pcie_shutdown_notification(struct controller *ctrl)
+ static int pcie_init_slot(struct controller *ctrl)
+ {
+ struct slot *slot;
+- char name[32];
+
+ slot = kzalloc(sizeof(*slot), GFP_KERNEL);
+ if (!slot)
+ return -ENOMEM;
+
+- snprintf(name, sizeof(name), "pciehp-%u", PSN(ctrl));
+- slot->wq = alloc_workqueue(name, 0, 0);
++ slot->wq = alloc_workqueue("pciehp-%u", 0, 0, PSN(ctrl));
+ if (!slot->wq)
+ goto abort;
+
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
index 5b4a9d9..cd5ac1f 100644
--- a/drivers/pci/pci-sysfs.c
@@ -41885,6 +46018,19 @@ index 54d31c0..3f896d3 100644
/*
* Polling driver
+diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c
+index e4ac38a..b13344c 100644
+--- a/drivers/platform/x86/wmi.c
++++ b/drivers/platform/x86/wmi.c
+@@ -743,7 +743,7 @@ static int wmi_create_device(const struct guid_block *gblock,
+ wblock->dev.class = &wmi_class;
+
+ wmi_gtoa(gblock->guid, guid_string);
+- dev_set_name(&wblock->dev, guid_string);
++ dev_set_name(&wblock->dev, "%s", guid_string);
+
+ dev_set_drvdata(&wblock->dev, wblock);
+
diff --git a/drivers/pnp/pnpbios/bioscalls.c b/drivers/pnp/pnpbios/bioscalls.c
index 769d265..a3a05ca 100644
--- a/drivers/pnp/pnpbios/bioscalls.c
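Review bot: `dev_set_name()` returns an error when it cannot allocate the name, and `wmi_create_device()` still discards that result after the format-string fix. The same holds for `dev_set_name(&sdkp->dev, "%s", dev_name(dev))` in the `sd_probe()` hunk of `drivers/scsi/sd.c`. Here I would check it, for example `if (dev_set_name(&wblock->dev, "%s", guid_string)) return -ENOMEM;`, adjusted to whatever cleanup the function already performs on failure. That cleanup and the later registration call are outside the hunk, so the exact error path needs confirming against the full function.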
@@ -42060,6 +46206,28 @@ index 29178f7..c65f324 100644
for (i = 0; i < ARRAY_SIZE(power_supply_attrs); i++)
__power_supply_attrs[i] = &power_supply_attrs[i].attr;
}
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index 815d6df..811633a 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -3529,7 +3529,7 @@ regulator_register(const struct regulator_desc *regulator_desc,
+ {
+ const struct regulation_constraints *constraints = NULL;
+ const struct regulator_init_data *init_data;
+- static atomic_t regulator_no = ATOMIC_INIT(0);
++ static atomic_unchecked_t regulator_no = ATOMIC_INIT(0);
+ struct regulator_dev *rdev;
+ struct device *dev;
+ int ret, i;
+@@ -3599,7 +3599,7 @@ regulator_register(const struct regulator_desc *regulator_desc,
+ rdev->dev.of_node = config->of_node;
+ rdev->dev.parent = dev;
+ dev_set_name(&rdev->dev, "regulator.%d",
+- atomic_inc_return(&regulator_no) - 1);
++ atomic_inc_return_unchecked(&regulator_no) - 1);
+ ret = device_register(&rdev->dev);
+ if (ret != 0) {
+ put_device(&rdev->dev);
diff --git a/drivers/regulator/max8660.c b/drivers/regulator/max8660.c
index d428ef9..fdc0357 100644
--- a/drivers/regulator/max8660.c
@@ -42214,6 +46382,50 @@ index 23a90e7..9cf04ee 100644
/*
* Queue element to wait for room in request queue. FIFO order is
+diff --git a/drivers/scsi/fcoe/fcoe_sysfs.c b/drivers/scsi/fcoe/fcoe_sysfs.c
+index 8c05ae01..b2cf224 100644
+--- a/drivers/scsi/fcoe/fcoe_sysfs.c
++++ b/drivers/scsi/fcoe/fcoe_sysfs.c
+@@ -33,8 +33,8 @@
+ */
+ #include "libfcoe.h"
+
+-static atomic_t ctlr_num;
+-static atomic_t fcf_num;
++static atomic_unchecked_t ctlr_num;
++static atomic_unchecked_t fcf_num;
+
+ /*
+ * fcoe_fcf_dev_loss_tmo: the default number of seconds that fcoe sysfs
+@@ -681,7 +681,7 @@ struct fcoe_ctlr_device *fcoe_ctlr_device_add(struct device *parent,
+ if (!ctlr)
+ goto out;
+
+- ctlr->id = atomic_inc_return(&ctlr_num) - 1;
++ ctlr->id = atomic_inc_return_unchecked(&ctlr_num) - 1;
+ ctlr->f = f;
+ ctlr->mode = FIP_CONN_TYPE_FABRIC;
+ INIT_LIST_HEAD(&ctlr->fcfs);
+@@ -898,7 +898,7 @@ struct fcoe_fcf_device *fcoe_fcf_device_add(struct fcoe_ctlr_device *ctlr,
+ fcf->dev.parent = &ctlr->dev;
+ fcf->dev.bus = &fcoe_bus_type;
+ fcf->dev.type = &fcoe_fcf_device_type;
+- fcf->id = atomic_inc_return(&fcf_num) - 1;
++ fcf->id = atomic_inc_return_unchecked(&fcf_num) - 1;
+ fcf->state = FCOE_FCF_STATE_UNKNOWN;
+
+ fcf->dev_loss_tmo = ctlr->fcf_dev_loss_tmo;
+@@ -934,8 +934,8 @@ int __init fcoe_sysfs_setup(void)
+ {
+ int error;
+
+- atomic_set(&ctlr_num, 0);
+- atomic_set(&fcf_num, 0);
++ atomic_set_unchecked(&ctlr_num, 0);
++ atomic_set_unchecked(&fcf_num, 0);
+
+ error = bus_register(&fcoe_bus_type);
+ if (error)
diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
index df0c3c7..b00e1d0 100644
--- a/drivers/scsi/hosts.c
@@ -42925,7 +47137,7 @@ index 4d231c1..2892c37 100644
ddb_entry->default_relogin_timeout =
(def_timeout > LOGIN_TOV) && (def_timeout < LOGIN_TOV * 10) ?
diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c
-index 3b1ea34..1583a72 100644
+index eaa808e..95f8841 100644
--- a/drivers/scsi/scsi.c
+++ b/drivers/scsi/scsi.c
@@ -661,7 +661,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *cmd)
@@ -43091,7 +47303,7 @@ index f379c7f..e8fc69c 100644
transport_setup_device(&rport->dev);
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
-index 610417e..1544fa9 100644
+index 610417e..167c46c 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -2928,7 +2928,7 @@ static int sd_probe(struct device *dev)
@@ -43103,6 +47315,15 @@ index 610417e..1544fa9 100644
if (!sdp->request_queue->rq_timeout) {
if (sdp->type != TYPE_MOD)
+@@ -2941,7 +2941,7 @@ static int sd_probe(struct device *dev)
+ device_initialize(&sdkp->dev);
+ sdkp->dev.parent = dev;
+ sdkp->dev.class = &sd_disk_class;
+- dev_set_name(&sdkp->dev, dev_name(dev));
++ dev_set_name(&sdkp->dev, "%s", dev_name(dev));
+
+ if (device_add(&sdkp->dev))
+ goto out_free_index;
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index df5e961..df6b97f 100644
--- a/drivers/scsi/sg.c
@@ -43129,6 +47350,37 @@ index 32b7bb1..2f1c4bd 100644
static u8 *buf;
+diff --git a/drivers/staging/android/timed_output.c b/drivers/staging/android/timed_output.c
+index ec9e2ae..cd15d67 100644
+--- a/drivers/staging/android/timed_output.c
++++ b/drivers/staging/android/timed_output.c
+@@ -25,7 +25,7 @@
+ #include "timed_output.h"
+
+ static struct class *timed_output_class;
+-static atomic_t device_count;
++static atomic_unchecked_t device_count;
+
+ static ssize_t enable_show(struct device *dev, struct device_attribute *attr,
+ char *buf)
+@@ -59,7 +59,7 @@ static int create_timed_output_class(void)
+ timed_output_class = class_create(THIS_MODULE, "timed_output");
+ if (IS_ERR(timed_output_class))
+ return PTR_ERR(timed_output_class);
+- atomic_set(&device_count, 0);
++ atomic_set_unchecked(&device_count, 0);
+ }
+
+ return 0;
+@@ -76,7 +76,7 @@ int timed_output_dev_register(struct timed_output_dev *tdev)
+ if (ret < 0)
+ return ret;
+
+- tdev->index = atomic_inc_return(&device_count);
++ tdev->index = atomic_inc_return_unchecked(&device_count);
+ tdev->dev = device_create(timed_output_class, NULL,
+ MKDEV(0, tdev->index), NULL, tdev->name);
+ if (IS_ERR(tdev->dev))
diff --git a/drivers/staging/media/solo6x10/solo6x10-core.c b/drivers/staging/media/solo6x10/solo6x10-core.c
index 3675020..e80d92c 100644
--- a/drivers/staging/media/solo6x10/solo6x10-core.c
@@ -43142,6 +47394,32 @@ index 3675020..e80d92c 100644
struct device *dev = &solo_dev->dev;
const char *driver;
int i;
+diff --git a/drivers/staging/media/solo6x10/solo6x10-p2m.c b/drivers/staging/media/solo6x10/solo6x10-p2m.c
+index 3335941..2b26186 100644
+--- a/drivers/staging/media/solo6x10/solo6x10-p2m.c
++++ b/drivers/staging/media/solo6x10/solo6x10-p2m.c
+@@ -77,7 +77,7 @@ int solo_p2m_dma_desc(struct solo_dev *solo_dev,
+
+ /* Get next ID. According to Softlogic, 6110 has problems on !=0 P2M */
+ if (solo_dev->type != SOLO_DEV_6110 && multi_p2m) {
+- p2m_id = atomic_inc_return(&solo_dev->p2m_count) % SOLO_NR_P2M;
++ p2m_id = atomic_inc_return_unchecked(&solo_dev->p2m_count) % SOLO_NR_P2M;
+ if (p2m_id < 0)
+ p2m_id = -p2m_id;
+ }
+diff --git a/drivers/staging/media/solo6x10/solo6x10.h b/drivers/staging/media/solo6x10/solo6x10.h
+index 6f91d2e..3f011d2 100644
+--- a/drivers/staging/media/solo6x10/solo6x10.h
++++ b/drivers/staging/media/solo6x10/solo6x10.h
+@@ -238,7 +238,7 @@ struct solo_dev {
+
+ /* P2M DMA Engine */
+ struct solo_p2m_dev p2m_dev[SOLO_NR_P2M];
+- atomic_t p2m_count;
++ atomic_unchecked_t p2m_count;
+ int p2m_jiffies;
+ unsigned int p2m_timeouts;
+
diff --git a/drivers/staging/octeon/ethernet-rx.c b/drivers/staging/octeon/ethernet-rx.c
index 34afc16..ffe44dd 100644
--- a/drivers/staging/octeon/ethernet-rx.c
@@ -43337,48 +47615,50 @@ index c699a30..b90a5fd 100644
pDevice->apdev->netdev_ops = &apdev_netdev_ops;
pDevice->apdev->type = ARPHRD_IEEE80211;
-diff --git a/drivers/staging/zcache/tmem.c b/drivers/staging/zcache/tmem.c
-index d7e51e4..d07eaab 100644
---- a/drivers/staging/zcache/tmem.c
-+++ b/drivers/staging/zcache/tmem.c
-@@ -51,7 +51,7 @@
- * A tmem host implementation must use this function to register callbacks
- * for memory allocation.
- */
--static struct tmem_hostops tmem_hostops;
-+static tmem_hostops_no_const tmem_hostops;
-
- static void tmem_objnode_tree_init(void);
-
-@@ -65,7 +65,7 @@ void tmem_register_hostops(struct tmem_hostops *m)
- * A tmem host implementation must use this function to register
- * callbacks for a page-accessible memory (PAM) implementation.
- */
--static struct tmem_pamops tmem_pamops;
-+static tmem_pamops_no_const tmem_pamops;
-
- void tmem_register_pamops(struct tmem_pamops *m)
- {
diff --git a/drivers/staging/zcache/tmem.h b/drivers/staging/zcache/tmem.h
-index d128ce2..a43980c 100644
+index d128ce2..fc1f9a1 100644
--- a/drivers/staging/zcache/tmem.h
+++ b/drivers/staging/zcache/tmem.h
-@@ -226,6 +226,7 @@ struct tmem_pamops {
+@@ -225,7 +225,7 @@ struct tmem_pamops {
+ bool (*is_remote)(void *);
int (*replace_in_obj)(void *, struct tmem_obj *);
#endif
- };
-+typedef struct tmem_pamops __no_const tmem_pamops_no_const;
+-};
++} __no_const;
extern void tmem_register_pamops(struct tmem_pamops *m);
/* memory allocation methods provided by the host implementation */
-@@ -235,6 +236,7 @@ struct tmem_hostops {
+@@ -234,7 +234,7 @@ struct tmem_hostops {
+ void (*obj_free)(struct tmem_obj *, struct tmem_pool *);
struct tmem_objnode *(*objnode_alloc)(struct tmem_pool *);
void (*objnode_free)(struct tmem_objnode *, struct tmem_pool *);
- };
-+typedef struct tmem_hostops __no_const tmem_hostops_no_const;
+-};
++} __no_const;
extern void tmem_register_hostops(struct tmem_hostops *m);
/* core tmem accessor functions */
+diff --git a/drivers/target/sbp/sbp_target.c b/drivers/target/sbp/sbp_target.c
+index d3536f5..a0c2ce9 100644
+--- a/drivers/target/sbp/sbp_target.c
++++ b/drivers/target/sbp/sbp_target.c
+@@ -62,7 +62,7 @@ static const u32 sbp_unit_directory_template[] = {
+
+ #define SESSION_MAINTENANCE_INTERVAL HZ
+
+-static atomic_t login_id = ATOMIC_INIT(0);
++static atomic_unchecked_t login_id = ATOMIC_INIT(0);
+
+ static void session_maintenance_work(struct work_struct *);
+ static int sbp_run_transaction(struct fw_card *, int, int, int, int,
+@@ -444,7 +444,7 @@ static void sbp_management_request_login(
+ login->lun = se_lun;
+ login->status_fifo_addr = sbp2_pointer_to_addr(&req->orb.status_fifo);
+ login->exclusive = LOGIN_ORB_EXCLUSIVE(be32_to_cpu(req->orb.misc));
+- login->login_id = atomic_inc_return(&login_id);
++ login->login_id = atomic_inc_return_unchecked(&login_id);
+
+ login->tgt_agt = sbp_target_agent_register(login);
+ if (IS_ERR(login->tgt_agt)) {
diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
index 4630481..c26782a 100644
--- a/drivers/target/target_core_device.c
@@ -43586,6 +47866,95 @@ index 81e939e..95ead10 100644
return 0;
return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
+diff --git a/drivers/tty/hvc/hvsi.c b/drivers/tty/hvc/hvsi.c
+index 4190199..48f2920 100644
+--- a/drivers/tty/hvc/hvsi.c
++++ b/drivers/tty/hvc/hvsi.c
+@@ -85,7 +85,7 @@ struct hvsi_struct {
+ int n_outbuf;
+ uint32_t vtermno;
+ uint32_t virq;
+- atomic_t seqno; /* HVSI packet sequence number */
++ atomic_unchecked_t seqno; /* HVSI packet sequence number */
+ uint16_t mctrl;
+ uint8_t state; /* HVSI protocol state */
+ uint8_t flags;
+@@ -295,7 +295,7 @@ static int hvsi_version_respond(struct hvsi_struct *hp, uint16_t query_seqno)
+
+ packet.hdr.type = VS_QUERY_RESPONSE_PACKET_HEADER;
+ packet.hdr.len = sizeof(struct hvsi_query_response);
+- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
++ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
+ packet.verb = VSV_SEND_VERSION_NUMBER;
+ packet.u.version = HVSI_VERSION;
+ packet.query_seqno = query_seqno+1;
+@@ -555,7 +555,7 @@ static int hvsi_query(struct hvsi_struct *hp, uint16_t verb)
+
+ packet.hdr.type = VS_QUERY_PACKET_HEADER;
+ packet.hdr.len = sizeof(struct hvsi_query);
+- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
++ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
+ packet.verb = verb;
+
+ pr_debug("%s: sending %i bytes\n", __func__, packet.hdr.len);
+@@ -597,7 +597,7 @@ static int hvsi_set_mctrl(struct hvsi_struct *hp, uint16_t mctrl)
+ int wrote;
+
+ packet.hdr.type = VS_CONTROL_PACKET_HEADER,
+- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
++ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
+ packet.hdr.len = sizeof(struct hvsi_control);
+ packet.verb = VSV_SET_MODEM_CTL;
+ packet.mask = HVSI_TSDTR;
+@@ -680,7 +680,7 @@ static int hvsi_put_chars(struct hvsi_struct *hp, const char *buf, int count)
+ BUG_ON(count > HVSI_MAX_OUTGOING_DATA);
+
+ packet.hdr.type = VS_DATA_PACKET_HEADER;
+- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
++ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
+ packet.hdr.len = count + sizeof(struct hvsi_header);
+ memcpy(&packet.data, buf, count);
+
+@@ -697,7 +697,7 @@ static void hvsi_close_protocol(struct hvsi_struct *hp)
+ struct hvsi_control packet __ALIGNED__;
+
+ packet.hdr.type = VS_CONTROL_PACKET_HEADER;
+- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
++ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
+ packet.hdr.len = 6;
+ packet.verb = VSV_CLOSE_PROTOCOL;
+
+diff --git a/drivers/tty/hvc/hvsi_lib.c b/drivers/tty/hvc/hvsi_lib.c
+index 3396eb9..6d3d540 100644
+--- a/drivers/tty/hvc/hvsi_lib.c
++++ b/drivers/tty/hvc/hvsi_lib.c
+@@ -9,7 +9,7 @@
+
+ static int hvsi_send_packet(struct hvsi_priv *pv, struct hvsi_header *packet)
+ {
+- packet->seqno = atomic_inc_return(&pv->seqno);
++ packet->seqno = atomic_inc_return_unchecked(&pv->seqno);
+
+ /* Assumes that always succeeds, works in practice */
+ return pv->put_chars(pv->termno, (char *)packet, packet->len);
+@@ -21,7 +21,7 @@ static void hvsi_start_handshake(struct hvsi_priv *pv)
+
+ /* Reset state */
+ pv->established = 0;
+- atomic_set(&pv->seqno, 0);
++ atomic_set_unchecked(&pv->seqno, 0);
+
+ pr_devel("HVSI@%x: Handshaking started\n", pv->termno);
+
+@@ -265,7 +265,7 @@ int hvsilib_read_mctrl(struct hvsi_priv *pv)
+ pv->mctrl_update = 0;
+ q.hdr.type = VS_QUERY_PACKET_HEADER;
+ q.hdr.len = sizeof(struct hvsi_query);
+- q.hdr.seqno = atomic_inc_return(&pv->seqno);
++ q.hdr.seqno = atomic_inc_return_unchecked(&pv->seqno);
+ q.verb = VSV_SEND_MODEM_CTL_STATUS;
+ rc = hvsi_send_packet(pv, &q.hdr);
+ if (rc <= 0) {
diff --git a/drivers/tty/ipwireless/tty.c b/drivers/tty/ipwireless/tty.c
index 8fd72ff..34a0bed 100644
--- a/drivers/tty/ipwireless/tty.c
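Review bot: Nothing in the hvsi.c and hvsi_lib.c sections records why `seqno` may be exempted from the refcount-overflow check when it becomes `atomic_unchecked_t`. The value is only copied into packet headers, so it appears to be a protocol sequence number that is expected to wrap, but a later reader cannot tell that from the type alone. I would extend the field comment to `/* HVSI packet sequence number; wraps by design, not a reference count */`. The same applies to the id and sequence counters converted in msm_serial.c, appledisplay.c, hyperv_fb.c, afs/inode.c, btrfs/delayed-inode.[ch], ceph/super.c, fscache/cookie.c and fs/namespace.c further down. In ioc4_serial.c the converted `is_num_intrs` is used as an array index, so its safety rests on the adjacent `BUG_ON(!(i < MAX_IOC4_INTR_ENTS ...))` rather than on wrap being harmless.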
@@ -43798,6 +48167,37 @@ index 354564e..fe50d9a 100644
atomic_dec(&rp_num_ports_open);
clear_bit((info->aiop * 8) + info->chan, (void *) &xmit_flags[info->board]);
spin_unlock_irqrestore(&info->port.lock, flags);
+diff --git a/drivers/tty/serial/ioc4_serial.c b/drivers/tty/serial/ioc4_serial.c
+index e2520ab..034e20b 100644
+--- a/drivers/tty/serial/ioc4_serial.c
++++ b/drivers/tty/serial/ioc4_serial.c
+@@ -437,7 +437,7 @@ struct ioc4_soft {
+ } is_intr_info[MAX_IOC4_INTR_ENTS];
+
+ /* Number of entries active in the above array */
+- atomic_t is_num_intrs;
++ atomic_unchecked_t is_num_intrs;
+ } is_intr_type[IOC4_NUM_INTR_TYPES];
+
+ /* is_ir_lock must be held while
+@@ -974,7 +974,7 @@ intr_connect(struct ioc4_soft *soft, int type,
+ BUG_ON(!((type == IOC4_SIO_INTR_TYPE)
+ || (type == IOC4_OTHER_INTR_TYPE)));
+
+- i = atomic_inc_return(&soft-> is_intr_type[type].is_num_intrs) - 1;
++ i = atomic_inc_return_unchecked(&soft-> is_intr_type[type].is_num_intrs) - 1;
+ BUG_ON(!(i < MAX_IOC4_INTR_ENTS || (printk("i %d\n", i), 0)));
+
+ /* Save off the lower level interrupt handler */
+@@ -1001,7 +1001,7 @@ static irqreturn_t ioc4_intr(int irq, void *arg)
+
+ soft = arg;
+ for (intr_type = 0; intr_type < IOC4_NUM_INTR_TYPES; intr_type++) {
+- num_intrs = (int)atomic_read(
++ num_intrs = (int)atomic_read_unchecked(
+ &soft->is_intr_type[intr_type].is_num_intrs);
+
+ this_mir = this_ir = pending_intrs(soft, intr_type);
diff --git a/drivers/tty/serial/kgdboc.c b/drivers/tty/serial/kgdboc.c
index 1002054..dd644a8 100644
--- a/drivers/tty/serial/kgdboc.c
@@ -43904,6 +48304,28 @@ index 1002054..dd644a8 100644
#ifdef CONFIG_KGDB_SERIAL_CONSOLE
/* This is only available if kgdboc is a built in for early debugging */
static int __init kgdboc_early_init(char *opt)
+diff --git a/drivers/tty/serial/msm_serial.c b/drivers/tty/serial/msm_serial.c
+index b11e997..6d25a3b 100644
+--- a/drivers/tty/serial/msm_serial.c
++++ b/drivers/tty/serial/msm_serial.c
+@@ -857,7 +857,7 @@ static struct uart_driver msm_uart_driver = {
+ .cons = MSM_CONSOLE,
+ };
+
+-static atomic_t msm_uart_next_id = ATOMIC_INIT(0);
++static atomic_unchecked_t msm_uart_next_id = ATOMIC_INIT(0);
+
+ static int __init msm_serial_probe(struct platform_device *pdev)
+ {
+@@ -867,7 +867,7 @@ static int __init msm_serial_probe(struct platform_device *pdev)
+ int irq;
+
+ if (pdev->id == -1)
+- pdev->id = atomic_inc_return(&msm_uart_next_id) - 1;
++ pdev->id = atomic_inc_return_unchecked(&msm_uart_next_id) - 1;
+
+ if (unlikely(pdev->id < 0 || pdev->id >= UART_NR))
+ return -ENXIO;
diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
index 0c8a9fa..234a95f 100644
--- a/drivers/tty/serial/samsung.c
@@ -44812,6 +49234,29 @@ index d53547d..6a22d02 100644
if (atomic_read(&urb->reject))
wake_up(&usb_kill_urb_queue);
usb_put_urb(urb);
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index da2905a..834a569 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -27,6 +27,7 @@
+ #include <linux/freezer.h>
+ #include <linux/random.h>
+ #include <linux/pm_qos.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/byteorder.h>
+@@ -4424,6 +4425,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
+ goto done;
+ return;
+ }
++
++ if (gr_handle_new_usb())
++ goto done;
++
+ if (hub_is_superspeed(hub->hdev))
+ unit_load = 150;
+ else
diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index 444d30e..f15c850 100644
--- a/drivers/usb/core/message.c
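Review bot: The `if (gr_handle_new_usb()) goto done;` gate added to hub_port_connect_change() has no comment, so in hub.c it reads like an error path rather than a policy decision. I would put `/* GRKERNSEC_DENYUSB: once deny_new_usb is set, stop here instead of enumerating the newly attached device */` above the call. What the `done` label does with the port, and what gr_handle_new_usb() returns when the option is compiled out, are both outside this hunk. It is worth confirming that a refused port is left disabled and is not retried on the next hub event.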
@@ -44851,6 +49296,19 @@ index b10da72..43aa0b2 100644
INIT_LIST_HEAD(&dev->ep0.urb_list);
dev->ep0.desc.bLength = USB_DT_ENDPOINT_SIZE;
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index f77083f..f3e2e34 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -550,8 +550,6 @@ static int __dwc3_gadget_ep_enable(struct dwc3_ep *dep,
+ if (!usb_endpoint_xfer_isoc(desc))
+ return 0;
+
+- memset(&trb_link, 0, sizeof(trb_link));
+-
+ /* Link TRB for ISOC. The HWO bit is never reset */
+ trb_st_hw = &dep->trb_pool[0];
+
diff --git a/drivers/usb/early/ehci-dbgp.c b/drivers/usb/early/ehci-dbgp.c
index 5e29dde..eca992f 100644
--- a/drivers/usb/early/ehci-dbgp.c
@@ -44977,6 +49435,28 @@ index b369292..9f3ba40 100644
gs_buf_free(&port->port_write_buf);
gs_free_requests(gser->out, &port->read_pool, NULL);
gs_free_requests(gser->out, &port->read_queue, NULL);
+diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c
+index ba6a5d6..f88f7f3 100644
+--- a/drivers/usb/misc/appledisplay.c
++++ b/drivers/usb/misc/appledisplay.c
+@@ -83,7 +83,7 @@ struct appledisplay {
+ spinlock_t lock;
+ };
+
+-static atomic_t count_displays = ATOMIC_INIT(0);
++static atomic_unchecked_t count_displays = ATOMIC_INIT(0);
+ static struct workqueue_struct *wq;
+
+ static void appledisplay_complete(struct urb *urb)
+@@ -281,7 +281,7 @@ static int appledisplay_probe(struct usb_interface *iface,
+
+ /* Register backlight device */
+ snprintf(bl_name, sizeof(bl_name), "appledisplay%d",
+- atomic_inc_return(&count_displays) - 1);
++ atomic_inc_return_unchecked(&count_displays) - 1);
+ memset(&props, 0, sizeof(struct backlight_properties));
+ props.type = BACKLIGHT_RAW;
+ props.max_brightness = 0xff;
diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c
index 5f3bcd3..bfca43f 100644
--- a/drivers/usb/serial/console.c
@@ -45044,7 +49524,7 @@ index d6bea3e..60b250e 100644
/**
diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c
-index 6ef94bc..1b41265 100644
+index 028fc83..65bb105 100644
--- a/drivers/usb/wusbcore/wa-xfer.c
+++ b/drivers/usb/wusbcore/wa-xfer.c
@@ -296,7 +296,7 @@ out:
@@ -45056,6 +49536,28 @@ index 6ef94bc..1b41265 100644
}
/*
+diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
+index 6d78736..65be90e 100644
+--- a/drivers/vfio/vfio.c
++++ b/drivers/vfio/vfio.c
+@@ -486,7 +486,7 @@ static int vfio_group_nb_add_dev(struct vfio_group *group, struct device *dev)
+ return 0;
+
+ /* TODO Prevent device auto probing */
+- WARN("Device %s added to live group %d!\n", dev_name(dev),
++ WARN(1, "Device %s added to live group %d!\n", dev_name(dev),
+ iommu_group_id(group->iommu_group));
+
+ return 0;
+@@ -506,7 +506,7 @@ static int vfio_group_nb_del_dev(struct vfio_group *group, struct device *dev)
+ if (likely(!device))
+ return 0;
+
+- WARN("Device %s removed from live group %d!\n", dev_name(dev),
++ WARN(1, "Device %s removed from live group %d!\n", dev_name(dev),
+ iommu_group_id(group->iommu_group));
+
+ vfio_device_put(device);
diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c
index 5174eba..86e764a 100644
--- a/drivers/vhost/vringh.c
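Review bot: With the condition argument fixed, the WARN in vfio_group_nb_add_dev() now prints its message, but the function still returns 0 on the next line and the `TODO Prevent device auto probing` above it is still open. A device added to a group that is already in use is therefore only logged. That deserves a comment at the call, for example `/* warn only: this path does not stop a host driver from probing the new device */`, and an alert on the "added to live group" message in the kernel log, since it is the only signal an operator gets. Whether the notifier's caller does anything further with the return value is not visible in this hunk.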
@@ -45234,6 +49736,28 @@ index 098bfc6..796841d 100644
return -EINVAL;
if (!registered_fb[con2fb.framebuffer])
request_module("fb%d", con2fb.framebuffer);
+diff --git a/drivers/video/hyperv_fb.c b/drivers/video/hyperv_fb.c
+index d4d2c5f..ebbd113 100644
+--- a/drivers/video/hyperv_fb.c
++++ b/drivers/video/hyperv_fb.c
+@@ -233,7 +233,7 @@ static uint screen_fb_size;
+ static inline int synthvid_send(struct hv_device *hdev,
+ struct synthvid_msg *msg)
+ {
+- static atomic64_t request_id = ATOMIC64_INIT(0);
++ static atomic64_unchecked_t request_id = ATOMIC64_INIT(0);
+ int ret;
+
+ msg->pipe_hdr.type = PIPE_MSG_DATA;
+@@ -241,7 +241,7 @@ static inline int synthvid_send(struct hv_device *hdev,
+
+ ret = vmbus_sendpacket(hdev->channel, msg,
+ msg->vid_hdr.size + sizeof(struct pipe_msg_hdr),
+- atomic64_inc_return(&request_id),
++ atomic64_inc_return_unchecked(&request_id),
+ VM_PKT_DATA_INBAND, 0);
+
+ if (ret)
diff --git a/drivers/video/i810/i810_accel.c b/drivers/video/i810/i810_accel.c
index 7672d2e..b56437f 100644
--- a/drivers/video/i810/i810_accel.c
@@ -48501,6 +53025,28 @@ index 370b24c..ff0be7b 100644
---help---
A.out (Assembler.OUTput) is a set of formats for libraries and
executables used in the earliest versions of UNIX. Linux used
+diff --git a/fs/afs/inode.c b/fs/afs/inode.c
+index 789bc25..fafaeea 100644
+--- a/fs/afs/inode.c
++++ b/fs/afs/inode.c
+@@ -141,7 +141,7 @@ struct inode *afs_iget_autocell(struct inode *dir, const char *dev_name,
+ struct afs_vnode *vnode;
+ struct super_block *sb;
+ struct inode *inode;
+- static atomic_t afs_autocell_ino;
++ static atomic_unchecked_t afs_autocell_ino;
+
+ _enter("{%x:%u},%*.*s,",
+ AFS_FS_I(dir)->fid.vid, AFS_FS_I(dir)->fid.vnode,
+@@ -154,7 +154,7 @@ struct inode *afs_iget_autocell(struct inode *dir, const char *dev_name,
+ data.fid.unique = 0;
+ data.fid.vnode = 0;
+
+- inode = iget5_locked(sb, atomic_inc_return(&afs_autocell_ino),
++ inode = iget5_locked(sb, atomic_inc_return_unchecked(&afs_autocell_ino),
+ afs_iget5_autocell_test, afs_iget5_set,
+ &data);
+ if (!inode) {
diff --git a/fs/aio.c b/fs/aio.c
index 2bbcacf..8614116 100644
--- a/fs/aio.c
@@ -49711,10 +54257,10 @@ index d50bbe5..af3b649 100644
goto err;
}
diff --git a/fs/bio.c b/fs/bio.c
-index 94bbc04..6fe78a4 100644
+index c5eae72..599e3cf 100644
--- a/fs/bio.c
+++ b/fs/bio.c
-@@ -1096,7 +1096,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
+@@ -1106,7 +1106,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
/*
* Overflow, abort
*/
@@ -49723,7 +54269,7 @@ index 94bbc04..6fe78a4 100644
return ERR_PTR(-EINVAL);
nr_pages += end - start;
-@@ -1230,7 +1230,7 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
+@@ -1240,7 +1240,7 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
/*
* Overflow, abort
*/
@@ -49732,7 +54278,7 @@ index 94bbc04..6fe78a4 100644
return ERR_PTR(-EINVAL);
nr_pages += end - start;
-@@ -1492,7 +1492,7 @@ static void bio_copy_kern_endio(struct bio *bio, int err)
+@@ -1502,7 +1502,7 @@ static void bio_copy_kern_endio(struct bio *bio, int err)
const int read = bio_data_dir(bio) == READ;
struct bio_map_data *bmd = bio->bi_private;
int i;
@@ -49774,6 +54320,59 @@ index 7fb054b..ad36c67 100644
parent_start = 0;
WARN_ON(trans->transid != btrfs_header_generation(parent));
+diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
+index f26f38c..3d0f149 100644
+--- a/fs/btrfs/delayed-inode.c
++++ b/fs/btrfs/delayed-inode.c
+@@ -458,7 +458,7 @@ static int __btrfs_add_delayed_deletion_item(struct btrfs_delayed_node *node,
+
+ static void finish_one_item(struct btrfs_delayed_root *delayed_root)
+ {
+- int seq = atomic_inc_return(&delayed_root->items_seq);
++ int seq = atomic_inc_return_unchecked(&delayed_root->items_seq);
+ if ((atomic_dec_return(&delayed_root->items) <
+ BTRFS_DELAYED_BACKGROUND || seq % BTRFS_DELAYED_BATCH == 0) &&
+ waitqueue_active(&delayed_root->wait))
+@@ -1391,7 +1391,7 @@ void btrfs_assert_delayed_root_empty(struct btrfs_root *root)
+ static int refs_newer(struct btrfs_delayed_root *delayed_root,
+ int seq, int count)
+ {
+- int val = atomic_read(&delayed_root->items_seq);
++ int val = atomic_read_unchecked(&delayed_root->items_seq);
+
+ if (val < seq || val >= seq + count)
+ return 1;
+@@ -1408,7 +1408,7 @@ void btrfs_balance_delayed_items(struct btrfs_root *root)
+ if (atomic_read(&delayed_root->items) < BTRFS_DELAYED_BACKGROUND)
+ return;
+
+- seq = atomic_read(&delayed_root->items_seq);
++ seq = atomic_read_unchecked(&delayed_root->items_seq);
+
+ if (atomic_read(&delayed_root->items) >= BTRFS_DELAYED_WRITEBACK) {
+ int ret;
+diff --git a/fs/btrfs/delayed-inode.h b/fs/btrfs/delayed-inode.h
+index 1d5c5f7..0ba0afc 100644
+--- a/fs/btrfs/delayed-inode.h
++++ b/fs/btrfs/delayed-inode.h
+@@ -43,7 +43,7 @@ struct btrfs_delayed_root {
+ */
+ struct list_head prepare_list;
+ atomic_t items; /* for delayed items */
+- atomic_t items_seq; /* for delayed items */
++ atomic_unchecked_t items_seq; /* for delayed items */
+ int nodes; /* for delayed nodes */
+ wait_queue_head_t wait;
+ };
+@@ -87,7 +87,7 @@ static inline void btrfs_init_delayed_root(
+ struct btrfs_delayed_root *delayed_root)
+ {
+ atomic_set(&delayed_root->items, 0);
+- atomic_set(&delayed_root->items_seq, 0);
++ atomic_set_unchecked(&delayed_root->items_seq, 0);
+ delayed_root->nodes = 0;
+ spin_lock_init(&delayed_root->lock);
+ init_waitqueue_head(&delayed_root->wait);
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 0f81d67..0ad55fe 100644
--- a/fs/btrfs/ioctl.c
@@ -49995,6 +54594,28 @@ index f02d82b..2632cf86 100644
int err;
u32 ftype;
struct ceph_mds_reply_info_parsed *rinfo;
+diff --git a/fs/ceph/super.c b/fs/ceph/super.c
+index 7d377c9..3fb6559 100644
+--- a/fs/ceph/super.c
++++ b/fs/ceph/super.c
+@@ -839,7 +839,7 @@ static int ceph_compare_super(struct super_block *sb, void *data)
+ /*
+ * construct our own bdi so we can control readahead, etc.
+ */
+-static atomic_long_t bdi_seq = ATOMIC_LONG_INIT(0);
++static atomic_long_unchecked_t bdi_seq = ATOMIC_LONG_INIT(0);
+
+ static int ceph_register_bdi(struct super_block *sb,
+ struct ceph_fs_client *fsc)
+@@ -856,7 +856,7 @@ static int ceph_register_bdi(struct super_block *sb,
+ default_backing_dev_info.ra_pages;
+
+ err = bdi_register(&fsc->backing_dev_info, NULL, "ceph-%ld",
+- atomic_long_inc_return(&bdi_seq));
++ atomic_long_inc_return_unchecked(&bdi_seq));
+ if (!err)
+ sb->s_bdi = &fsc->backing_dev_info;
+ return err;
diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
index d597483..747901b 100644
--- a/fs/cifs/cifs_debug.c
@@ -50073,10 +54694,10 @@ index 3752b9f..8db5569 100644
atomic_set(&midCount, 0);
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
-index 4f07f6f..55de8ce 100644
+index ea3a0b3..0194e39 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
-@@ -751,35 +751,35 @@ struct cifs_tcon {
+@@ -752,35 +752,35 @@ struct cifs_tcon {
__u16 Flags; /* optional support bits */
enum statusEnum tidStatus;
#ifdef CONFIG_CIFS_STATS
@@ -50136,7 +54757,7 @@ index 4f07f6f..55de8ce 100644
} smb2_stats;
#endif /* CONFIG_CIFS_SMB2 */
} stats;
-@@ -1080,7 +1080,7 @@ convert_delimiter(char *path, char delim)
+@@ -1081,7 +1081,7 @@ convert_delimiter(char *path, char delim)
}
#ifdef CONFIG_CIFS_STATS
@@ -50145,7 +54766,7 @@ index 4f07f6f..55de8ce 100644
static inline void cifs_stats_bytes_written(struct cifs_tcon *tcon,
unsigned int bytes)
-@@ -1445,8 +1445,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnectCount;
+@@ -1446,8 +1446,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnectCount;
/* Various Debug counters */
GLOBAL_EXTERN atomic_t bufAllocCount; /* current number allocated */
#ifdef CONFIG_CIFS_STATS2
@@ -50833,7 +55454,7 @@ index f09b908..04b9690 100644
dcache_init();
inode_init();
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
-index 4888cb3..e0f7cf8 100644
+index c7c83ff..bda9461 100644
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -415,7 +415,11 @@ EXPORT_SYMBOL_GPL(debugfs_create_file);
@@ -50884,7 +55505,7 @@ index e4141f2..d8263e8 100644
i += packet_length_size;
if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
diff --git a/fs/exec.c b/fs/exec.c
-index ffd7a81..d95acf6 100644
+index 1f44670..3c84660 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -55,8 +55,20 @@
@@ -51366,7 +55987,7 @@ index ffd7a81..d95acf6 100644
out:
if (bprm->mm) {
acct_arg_size(bprm, 0);
-@@ -1701,3 +1875,285 @@ asmlinkage long compat_sys_execve(const char __user * filename,
+@@ -1701,3 +1875,287 @@ asmlinkage long compat_sys_execve(const char __user * filename,
return error;
}
#endif
@@ -51475,7 +56096,7 @@ index ffd7a81..d95acf6 100644
+ offset = vma_fault->vm_pgoff << PAGE_SHIFT;
+ if (vma_fault->vm_file)
+ path_fault = pax_get_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
-+ else if (pc >= mm->start_brk && pc < mm->brk)
++ else if ((unsigned long)pc >= mm->start_brk && (unsigned long)pc < mm->brk)
+ path_fault = "<heap>";
+ else if (vma_fault->vm_flags & (VM_GROWSDOWN | VM_GROWSUP))
+ path_fault = "<stack>";
@@ -51513,7 +56134,9 @@ index ffd7a81..d95acf6 100644
+ printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", current->comm, task_pid_nr(current),
+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
+ print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
++ preempt_disable();
+ show_regs(regs);
++ preempt_enable();
+ force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
+}
+#endif
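Review bot: The `preempt_disable()` / `preempt_enable()` pair added around `show_regs(regs)` in the refcount-overflow reporter carries no explanation. Presumably show_regs() touches per-CPU state and would otherwise trip a preemption debug check on this path, but that is an inference from the change, not something the hunk shows. Once the reason is confirmed, it should be stated in a one-line comment directly above `preempt_disable();` so the pair is not removed later as dead weight. The start of the reporting function is outside this hunk.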
@@ -51905,7 +56528,7 @@ index 49d3c01..9579efd 100644
else if (input->reserved_blocks > input->blocks_count / 5)
ext4_warning(sb, "Reserved blocks too high (%u)",
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
-index 6681c03..d88cd33 100644
+index 3f7c39e..227f24f 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -1236,7 +1236,7 @@ static ext4_fsblk_t get_sb_block(void **data)
@@ -52096,9 +56719,18 @@ index d8ac61d..79a36f0 100644
.seq = SEQCNT_ZERO,
.umask = 0022,
diff --git a/fs/fscache/cookie.c b/fs/fscache/cookie.c
-index e2cba1f..17a25bb 100644
+index e2cba1f..20319c5 100644
--- a/fs/fscache/cookie.c
+++ b/fs/fscache/cookie.c
+@@ -19,7 +19,7 @@
+
+ struct kmem_cache *fscache_cookie_jar;
+
+-static atomic_t fscache_object_debug_id = ATOMIC_INIT(0);
++static atomic_unchecked_t fscache_object_debug_id = ATOMIC_INIT(0);
+
+ static int fscache_acquire_non_index_cookie(struct fscache_cookie *cookie);
+ static int fscache_alloc_object(struct fscache_cache *cache,
@@ -68,11 +68,11 @@ struct fscache_cookie *__fscache_acquire_cookie(
parent ? (char *) parent->def->name : "<no-parent>",
def->name, netfs_data);
@@ -52164,7 +56796,7 @@ index e2cba1f..17a25bb 100644
_leave(" = -ENOMEDIUM [no cache]");
return -ENOMEDIUM;
}
-@@ -255,12 +255,12 @@ static int fscache_alloc_object(struct fscache_cache *cache,
+@@ -255,14 +255,14 @@ static int fscache_alloc_object(struct fscache_cache *cache,
object = cache->ops->alloc_object(cache, cookie);
fscache_stat_d(&fscache_n_cop_alloc_object);
if (IS_ERR(object)) {
@@ -52177,8 +56809,11 @@ index e2cba1f..17a25bb 100644
- fscache_stat(&fscache_n_object_alloc);
+ fscache_stat_unchecked(&fscache_n_object_alloc);
- object->debug_id = atomic_inc_return(&fscache_object_debug_id);
+- object->debug_id = atomic_inc_return(&fscache_object_debug_id);
++ object->debug_id = atomic_inc_return_unchecked(&fscache_object_debug_id);
+ _debug("ALLOC OBJ%x: %s {%lx}",
+ object->debug_id, cookie->def->name, object->events);
@@ -376,7 +376,7 @@ void __fscache_invalidate(struct fscache_cookie *cookie)
_enter("{%s}", cookie->def->name);
@@ -53671,7 +58306,7 @@ index 916da8c..1588998 100644
next->d_inode->i_ino,
dt_type(next->d_inode)) < 0)
diff --git a/fs/lockd/clntproc.c b/fs/lockd/clntproc.c
-index 9760ecb..9b838ef 100644
+index acd3947..1f896e2 100644
--- a/fs/lockd/clntproc.c
+++ b/fs/lockd/clntproc.c
@@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt_cancel_ops;
@@ -54301,7 +58936,7 @@ index 9ed9361..2b72db1 100644
out:
return len;
diff --git a/fs/namespace.c b/fs/namespace.c
-index 7b1ca9b..6faeccf 100644
+index a45ba4f..44cfe66 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1265,6 +1265,9 @@ static int do_umount(struct mount *mnt, int flags)
@@ -54369,6 +59004,24 @@ index 7b1ca9b..6faeccf 100644
return retval;
}
+@@ -2344,7 +2363,7 @@ static void free_mnt_ns(struct mnt_namespace *ns)
+ * number incrementing at 10Ghz will take 12,427 years to wrap which
+ * is effectively never, so we can ignore the possibility.
+ */
+-static atomic64_t mnt_ns_seq = ATOMIC64_INIT(1);
++static atomic64_unchecked_t mnt_ns_seq = ATOMIC64_INIT(1);
+
+ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns)
+ {
+@@ -2359,7 +2378,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns)
+ kfree(new_ns);
+ return ERR_PTR(ret);
+ }
+- new_ns->seq = atomic64_add_return(1, &mnt_ns_seq);
++ new_ns->seq = atomic64_inc_return_unchecked(&mnt_ns_seq);
+ atomic_set(&new_ns->count, 1);
+ new_ns->root = NULL;
+ INIT_LIST_HEAD(&new_ns->list);
@@ -2500,8 +2519,8 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
}
EXPORT_SYMBOL(mount_subtree);
@@ -54659,18 +59312,10 @@ index e7bc1d7..06bd4bb 100644
}
diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
-index 6c80083..a1e6299 100644
+index 77cc85d..a1e6299 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
-@@ -122,6 +122,7 @@ static int fill_event_metadata(struct fsnotify_group *group,
- metadata->event_len = FAN_EVENT_METADATA_LEN;
- metadata->metadata_len = FAN_EVENT_METADATA_LEN;
- metadata->vers = FANOTIFY_METADATA_VERSION;
-+ metadata->reserved = 0;
- metadata->mask = event->mask & FAN_ALL_OUTGOING_EVENTS;
- metadata->pid = pid_vnr(event->tgid);
- if (unlikely(event->mask & FAN_Q_OVERFLOW))
-@@ -252,8 +253,8 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group,
+@@ -253,8 +253,8 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group,
fd = fanotify_event_metadata.fd;
ret = -EFAULT;
@@ -54717,9 +59362,18 @@ index aa411c3..c260a84 100644
"inode 0x%lx or driver bug.", vdir->i_ino);
goto err_out;
diff --git a/fs/ntfs/file.c b/fs/ntfs/file.c
-index c5670b8..01a3656 100644
+index c5670b8..2b43d9b 100644
--- a/fs/ntfs/file.c
+++ b/fs/ntfs/file.c
+@@ -1282,7 +1282,7 @@ static inline size_t ntfs_copy_from_user(struct page **pages,
+ char *addr;
+ size_t total = 0;
+ unsigned len;
+- int left;
++ unsigned left;
+
+ do {
+ len = PAGE_CACHE_SIZE - ofs;
@@ -2241,6 +2241,6 @@ const struct inode_operations ntfs_file_inode_ops = {
#endif /* NTFS_RW */
};
@@ -54729,6 +59383,81 @@ index c5670b8..01a3656 100644
-const struct inode_operations ntfs_empty_inode_ops = {};
+const struct inode_operations ntfs_empty_inode_ops __read_only;
+diff --git a/fs/ntfs/super.c b/fs/ntfs/super.c
+index 82650d5..db37dcf 100644
+--- a/fs/ntfs/super.c
++++ b/fs/ntfs/super.c
+@@ -685,7 +685,7 @@ static struct buffer_head *read_ntfs_boot_sector(struct super_block *sb,
+ if (!silent)
+ ntfs_error(sb, "Primary boot sector is invalid.");
+ } else if (!silent)
+- ntfs_error(sb, read_err_str, "primary");
++ ntfs_error(sb, read_err_str, "%s", "primary");
+ if (!(NTFS_SB(sb)->on_errors & ON_ERRORS_RECOVER)) {
+ if (bh_primary)
+ brelse(bh_primary);
+@@ -701,7 +701,7 @@ static struct buffer_head *read_ntfs_boot_sector(struct super_block *sb,
+ goto hotfix_primary_boot_sector;
+ brelse(bh_backup);
+ } else if (!silent)
+- ntfs_error(sb, read_err_str, "backup");
++ ntfs_error(sb, read_err_str, "%s", "backup");
+ /* Try to read NT3.51- backup boot sector. */
+ if ((bh_backup = sb_bread(sb, nr_blocks >> 1))) {
+ if (is_boot_sector_ntfs(sb, (NTFS_BOOT_SECTOR*)
+@@ -712,7 +712,7 @@ static struct buffer_head *read_ntfs_boot_sector(struct super_block *sb,
+ "sector.");
+ brelse(bh_backup);
+ } else if (!silent)
+- ntfs_error(sb, read_err_str, "backup");
++ ntfs_error(sb, read_err_str, "%s", "backup");
+ /* We failed. Cleanup and return. */
+ if (bh_primary)
+ brelse(bh_primary);
+diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c
+index 20dfec7..e238cb7 100644
+--- a/fs/ocfs2/aops.c
++++ b/fs/ocfs2/aops.c
+@@ -1756,7 +1756,7 @@ try_again:
+ goto out;
+ } else if (ret == 1) {
+ clusters_need = wc->w_clen;
+- ret = ocfs2_refcount_cow(inode, filp, di_bh,
++ ret = ocfs2_refcount_cow(inode, di_bh,
+ wc->w_cpos, wc->w_clen, UINT_MAX);
+ if (ret) {
+ mlog_errno(ret);
+diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
+index ff54014..ff125fd 100644
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -370,7 +370,7 @@ static int ocfs2_cow_file_pos(struct inode *inode,
+ if (!(ext_flags & OCFS2_EXT_REFCOUNTED))
+ goto out;
+
+- return ocfs2_refcount_cow(inode, NULL, fe_bh, cpos, 1, cpos+1);
++ return ocfs2_refcount_cow(inode, fe_bh, cpos, 1, cpos+1);
+
+ out:
+ return status;
+@@ -899,7 +899,7 @@ static int ocfs2_zero_extend_get_range(struct inode *inode,
+ zero_clusters = last_cpos - zero_cpos;
+
+ if (needs_cow) {
+- rc = ocfs2_refcount_cow(inode, NULL, di_bh, zero_cpos,
++ rc = ocfs2_refcount_cow(inode, di_bh, zero_cpos,
+ zero_clusters, UINT_MAX);
+ if (rc) {
+ mlog_errno(rc);
+@@ -2078,7 +2078,7 @@ static int ocfs2_prepare_inode_for_refcount(struct inode *inode,
+
+ *meta_level = 1;
+
+- ret = ocfs2_refcount_cow(inode, file, di_bh, cpos, clusters, UINT_MAX);
++ ret = ocfs2_refcount_cow(inode, di_bh, cpos, clusters, UINT_MAX);
+ if (ret)
+ mlog_errno(ret);
+ out:
diff --git a/fs/ocfs2/localalloc.c b/fs/ocfs2/localalloc.c
index aebeacd..0dcdd26 100644
--- a/fs/ocfs2/localalloc.c
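Review bot: The three rewritten calls in read_ntfs_boot_sector(), `ntfs_error(sb, read_err_str, "%s", "primary")` and the two `"backup"` variants, look wrong, because `read_err_str` is still passed in the format position. If that string contains a single conversion (its definition is outside the hunk), the literal `"%s"` becomes its argument and `"primary"` / `"backup"` is never printed. The log line would then no longer say which boot sector failed to read. If the aim is to avoid a non-literal format string, the format text itself has to appear as a literal at the call site. Otherwise the original form `ntfs_error(sb, read_err_str, "primary");` should stay.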
@@ -54742,6 +59471,19 @@ index aebeacd..0dcdd26 100644
bail:
if (handle)
+diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
+index f1fc172..452068b 100644
+--- a/fs/ocfs2/move_extents.c
++++ b/fs/ocfs2/move_extents.c
+@@ -69,7 +69,7 @@ static int __ocfs2_move_extent(handle_t *handle,
+ u64 ino = ocfs2_metadata_cache_owner(context->et.et_ci);
+ u64 old_blkno = ocfs2_clusters_to_blocks(inode->i_sb, p_cpos);
+
+- ret = ocfs2_duplicate_clusters_by_page(handle, context->file, cpos,
++ ret = ocfs2_duplicate_clusters_by_page(handle, inode, cpos,
+ p_cpos, new_p_cpos, len);
+ if (ret) {
+ mlog_errno(ret);
diff --git a/fs/ocfs2/ocfs2.h b/fs/ocfs2/ocfs2.h
index d355e6e..578d905 100644
--- a/fs/ocfs2/ocfs2.h
@@ -54763,6 +59505,188 @@ index d355e6e..578d905 100644
};
enum ocfs2_local_alloc_state
+diff --git a/fs/ocfs2/refcounttree.c b/fs/ocfs2/refcounttree.c
+index 998b17e..aefe414 100644
+--- a/fs/ocfs2/refcounttree.c
++++ b/fs/ocfs2/refcounttree.c
+@@ -49,7 +49,6 @@
+
+ struct ocfs2_cow_context {
+ struct inode *inode;
+- struct file *file;
+ u32 cow_start;
+ u32 cow_len;
+ struct ocfs2_extent_tree data_et;
+@@ -66,7 +65,7 @@ struct ocfs2_cow_context {
+ u32 *num_clusters,
+ unsigned int *extent_flags);
+ int (*cow_duplicate_clusters)(handle_t *handle,
+- struct file *file,
++ struct inode *inode,
+ u32 cpos, u32 old_cluster,
+ u32 new_cluster, u32 new_len);
+ };
+@@ -2922,14 +2921,12 @@ static int ocfs2_clear_cow_buffer(handle_t *handle, struct buffer_head *bh)
+ }
+
+ int ocfs2_duplicate_clusters_by_page(handle_t *handle,
+- struct file *file,
++ struct inode *inode,
+ u32 cpos, u32 old_cluster,
+ u32 new_cluster, u32 new_len)
+ {
+ int ret = 0, partial;
+- struct inode *inode = file_inode(file);
+- struct ocfs2_caching_info *ci = INODE_CACHE(inode);
+- struct super_block *sb = ocfs2_metadata_cache_get_super(ci);
++ struct super_block *sb = inode->i_sb;
+ u64 new_block = ocfs2_clusters_to_blocks(sb, new_cluster);
+ struct page *page;
+ pgoff_t page_index;
+@@ -2973,13 +2970,6 @@ int ocfs2_duplicate_clusters_by_page(handle_t *handle,
+ if (PAGE_CACHE_SIZE <= OCFS2_SB(sb)->s_clustersize)
+ BUG_ON(PageDirty(page));
+
+- if (PageReadahead(page)) {
+- page_cache_async_readahead(mapping,
+- &file->f_ra, file,
+- page, page_index,
+- readahead_pages);
+- }
+-
+ if (!PageUptodate(page)) {
+ ret = block_read_full_page(page, ocfs2_get_block);
+ if (ret) {
+@@ -2999,7 +2989,8 @@ int ocfs2_duplicate_clusters_by_page(handle_t *handle,
+ }
+ }
+
+- ocfs2_map_and_dirty_page(inode, handle, from, to,
++ ocfs2_map_and_dirty_page(inode,
++ handle, from, to,
+ page, 0, &new_block);
+ mark_page_accessed(page);
+ unlock:
+@@ -3015,12 +3006,11 @@ unlock:
+ }
+
+ int ocfs2_duplicate_clusters_by_jbd(handle_t *handle,
+- struct file *file,
++ struct inode *inode,
+ u32 cpos, u32 old_cluster,
+ u32 new_cluster, u32 new_len)
+ {
+ int ret = 0;
+- struct inode *inode = file_inode(file);
+ struct super_block *sb = inode->i_sb;
+ struct ocfs2_caching_info *ci = INODE_CACHE(inode);
+ int i, blocks = ocfs2_clusters_to_blocks(sb, new_len);
+@@ -3145,7 +3135,7 @@ static int ocfs2_replace_clusters(handle_t *handle,
+
+ /*If the old clusters is unwritten, no need to duplicate. */
+ if (!(ext_flags & OCFS2_EXT_UNWRITTEN)) {
+- ret = context->cow_duplicate_clusters(handle, context->file,
++ ret = context->cow_duplicate_clusters(handle, context->inode,
+ cpos, old, new, len);
+ if (ret) {
+ mlog_errno(ret);
+@@ -3423,35 +3413,12 @@ static int ocfs2_replace_cow(struct ocfs2_cow_context *context)
+ return ret;
+ }
+
+-static void ocfs2_readahead_for_cow(struct inode *inode,
+- struct file *file,
+- u32 start, u32 len)
+-{
+- struct address_space *mapping;
+- pgoff_t index;
+- unsigned long num_pages;
+- int cs_bits = OCFS2_SB(inode->i_sb)->s_clustersize_bits;
+-
+- if (!file)
+- return;
+-
+- mapping = file->f_mapping;
+- num_pages = (len << cs_bits) >> PAGE_CACHE_SHIFT;
+- if (!num_pages)
+- num_pages = 1;
+-
+- index = ((loff_t)start << cs_bits) >> PAGE_CACHE_SHIFT;
+- page_cache_sync_readahead(mapping, &file->f_ra, file,
+- index, num_pages);
+-}
+-
+ /*
+ * Starting at cpos, try to CoW write_len clusters. Don't CoW
+ * past max_cpos. This will stop when it runs into a hole or an
+ * unrefcounted extent.
+ */
+ static int ocfs2_refcount_cow_hunk(struct inode *inode,
+- struct file *file,
+ struct buffer_head *di_bh,
+ u32 cpos, u32 write_len, u32 max_cpos)
+ {
+@@ -3480,8 +3447,6 @@ static int ocfs2_refcount_cow_hunk(struct inode *inode,
+
+ BUG_ON(cow_len == 0);
+
+- ocfs2_readahead_for_cow(inode, file, cow_start, cow_len);
+-
+ context = kzalloc(sizeof(struct ocfs2_cow_context), GFP_NOFS);
+ if (!context) {
+ ret = -ENOMEM;
+@@ -3503,7 +3468,6 @@ static int ocfs2_refcount_cow_hunk(struct inode *inode,
+ context->ref_root_bh = ref_root_bh;
+ context->cow_duplicate_clusters = ocfs2_duplicate_clusters_by_page;
+ context->get_clusters = ocfs2_di_get_clusters;
+- context->file = file;
+
+ ocfs2_init_dinode_extent_tree(&context->data_et,
+ INODE_CACHE(inode), di_bh);
+@@ -3532,7 +3496,6 @@ out:
+ * clusters between cpos and cpos+write_len are safe to modify.
+ */
+ int ocfs2_refcount_cow(struct inode *inode,
+- struct file *file,
+ struct buffer_head *di_bh,
+ u32 cpos, u32 write_len, u32 max_cpos)
+ {
+@@ -3552,7 +3515,7 @@ int ocfs2_refcount_cow(struct inode *inode,
+ num_clusters = write_len;
+
+ if (ext_flags & OCFS2_EXT_REFCOUNTED) {
+- ret = ocfs2_refcount_cow_hunk(inode, file, di_bh, cpos,
++ ret = ocfs2_refcount_cow_hunk(inode, di_bh, cpos,
+ num_clusters, max_cpos);
+ if (ret) {
+ mlog_errno(ret);
+diff --git a/fs/ocfs2/refcounttree.h b/fs/ocfs2/refcounttree.h
+index 7754608..6422bbcdb 100644
+--- a/fs/ocfs2/refcounttree.h
++++ b/fs/ocfs2/refcounttree.h
+@@ -53,7 +53,7 @@ int ocfs2_prepare_refcount_change_for_del(struct inode *inode,
+ int *credits,
+ int *ref_blocks);
+ int ocfs2_refcount_cow(struct inode *inode,
+- struct file *filep, struct buffer_head *di_bh,
++ struct buffer_head *di_bh,
+ u32 cpos, u32 write_len, u32 max_cpos);
+
+ typedef int (ocfs2_post_refcount_func)(struct inode *inode,
+@@ -85,11 +85,11 @@ int ocfs2_refcount_cow_xattr(struct inode *inode,
+ u32 cpos, u32 write_len,
+ struct ocfs2_post_refcount *post);
+ int ocfs2_duplicate_clusters_by_page(handle_t *handle,
+- struct file *file,
++ struct inode *inode,
+ u32 cpos, u32 old_cluster,
+ u32 new_cluster, u32 new_len);
+ int ocfs2_duplicate_clusters_by_jbd(handle_t *handle,
+- struct file *file,
++ struct inode *inode,
+ u32 cpos, u32 old_cluster,
+ u32 new_cluster, u32 new_len);
+ int ocfs2_cow_sync_writeback(struct super_block *sb,
diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index b7e74b5..19c6536 100644
--- a/fs/ocfs2/suballoc.c
@@ -56263,7 +61187,7 @@ index 6b6a993..807cccc 100644
kfree(s);
}
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
-index 3e636d8..83e3b71 100644
+index 65fc60a..350cc48 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -11,12 +11,19 @@
@@ -56686,10 +61610,10 @@ index 2b7882b..1c5ef48 100644
/* balance leaf returns 0 except if combining L R and S into
diff --git a/fs/reiserfs/procfs.c b/fs/reiserfs/procfs.c
-index 33532f7..4846ade 100644
+index 1d48974..2f8f4e0 100644
--- a/fs/reiserfs/procfs.c
+++ b/fs/reiserfs/procfs.c
-@@ -112,7 +112,7 @@ static int show_super(struct seq_file *m, struct super_block *sb)
+@@ -114,7 +114,7 @@ static int show_super(struct seq_file *m, void *unused)
"SMALL_TAILS " : "NO_TAILS ",
replay_only(sb) ? "REPLAY_ONLY " : "",
convert_reiserfs(sb) ? "CONV " : "",
@@ -57374,10 +62298,10 @@ index ca9ecaa..60100c7 100644
kfree(s);
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..712a85d
+index 0000000..76e84b9
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,1043 @@
+@@ -0,0 +1,1063 @@
+#
+# grecurity configuration
+#
@@ -58349,6 +63273,26 @@ index 0000000..712a85d
+ option with name "socket_server_gid" is created.
+
+endmenu
++
++menu "Physical Protections"
++depends on GRKERNSEC
++
++config GRKERNSEC_DENYUSB
++ bool "Deny new USB connections after toggle"
++ default y if GRKERNSEC_CONFIG_AUTO
++ help
++ If you say Y here, a new sysctl option with name "deny_new_usb"
++ will be created. Setting its value to 1 will prevent any new
++ USB devices from being recognized by the OS. Any attempted USB
++ device insertion will be logged. This option is intended to be
++ used against custom USB devices designed to exploit vulnerabilities
++ in various USB device drivers.
++
++ For greatest effectiveness, this sysctl should be set after any
++ relevant init scripts. Once set, it cannot be unset.
++
++endmenu
++
+menu "Sysctl Support"
+depends on GRKERNSEC && SYSCTL
+
@@ -58423,10 +63367,10 @@ index 0000000..712a85d
+endmenu
diff --git a/grsecurity/Makefile b/grsecurity/Makefile
new file mode 100644
-index 0000000..36845aa
+index 0000000..b0b77d5
--- /dev/null
+++ b/grsecurity/Makefile
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,43 @@
+# grsecurity's ACL system was originally written in 2001 by Michael Dalton
+# during 2001-2009 it has been completely redesigned by Brad Spengler
+# into an RBAC system
@@ -58439,7 +63383,8 @@ index 0000000..36845aa
+
+obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
+ grsec_mount.o grsec_sig.o grsec_sysctl.o \
-+ grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
++ grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o \
++ grsec_usb.o
+
+obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
+ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
@@ -65724,10 +70669,10 @@ index 0000000..8ca18bf
+}
diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c
new file mode 100644
-index 0000000..ab2d875
+index 0000000..836f38f
--- /dev/null
+++ b/grsecurity/grsec_init.c
-@@ -0,0 +1,279 @@
+@@ -0,0 +1,280 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
@@ -65756,6 +70701,7 @@ index 0000000..ab2d875
+int grsec_enable_chdir;
+int grsec_enable_mount;
+int grsec_enable_rofs;
++int grsec_deny_new_usb;
+int grsec_enable_chroot_findtask;
+int grsec_enable_chroot_mount;
+int grsec_enable_chroot_shmat;
@@ -67123,10 +72069,10 @@ index 0000000..4030d57
+}
diff --git a/grsecurity/grsec_sysctl.c b/grsecurity/grsec_sysctl.c
new file mode 100644
-index 0000000..7624d1c
+index 0000000..a9e378f
--- /dev/null
+++ b/grsecurity/grsec_sysctl.c
-@@ -0,0 +1,460 @@
+@@ -0,0 +1,472 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/sysctl.h>
@@ -67147,11 +72093,12 @@ index 0000000..7624d1c
+ return 0;
+}
+
-+#ifdef CONFIG_GRKERNSEC_ROFS
-+static int __maybe_unused one = 1;
++#if defined(CONFIG_GRKERNSEC_ROFS) || defined(CONFIG_GRKERNSEC_DENYUSB)
++static int __maybe_unused __read_only one = 1;
+#endif
+
-+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
++#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS) || \
++ defined(CONFIG_GRKERNSEC_DENYUSB)
+struct ctl_table grsecurity_table[] = {
+#ifdef CONFIG_GRKERNSEC_SYSCTL
+#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
@@ -67584,6 +72531,17 @@ index 0000000..7624d1c
+ .extra2 = &one,
+ },
+#endif
++#ifdef CONFIG_GRKERNSEC_DENYUSB
++ {
++ .procname = "deny_new_usb",
++ .data = &grsec_deny_new_usb,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec_minmax,
++ .extra1 = &one,
++ .extra2 = &one,
++ },
++#endif
+ { }
+};
+#endif
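Review bot: The new `deny_new_usb` entry has no comment explaining that `.extra1` and `.extra2` both point at `one`, which with `proc_dointvec_minmax` means 1 is the only value a write can store. That is what makes the toggle one-way, as the Kconfig help text promises, and it is easy to break by later "fixing" the lower bound to zero. I would add `/* min == max == 1: the sysctl can be set but never cleared */` above `.extra1`. The table itself starts outside this hunk.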
@@ -67688,6 +72646,27 @@ index 0000000..ee57dcf
+#endif
+ return 1;
+}
+diff --git a/grsecurity/grsec_usb.c b/grsecurity/grsec_usb.c
+new file mode 100644
+index 0000000..ae02d8e
+--- /dev/null
++++ b/grsecurity/grsec_usb.c
+@@ -0,0 +1,15 @@
++#include <linux/kernel.h>
++#include <linux/grinternal.h>
++#include <linux/module.h>
++
++int gr_handle_new_usb(void)
++{
++#ifdef CONFIG_GRKERNSEC_DENYUSB
++ if (grsec_deny_new_usb) {
++ printk(KERN_ALERT "grsec: denied insert of new USB device\n");
++ return 1;
++ }
++#endif
++ return 0;
++}
++EXPORT_SYMBOL_GPL(gr_handle_new_usb);
diff --git a/grsecurity/grsum.c b/grsecurity/grsum.c
new file mode 100644
index 0000000..9f7b1ac
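Review bot: The `printk(KERN_ALERT ...)` in `gr_handle_new_usb()` is not rate limited, so a device that keeps re-enumerating after the toggle is set can fill the kernel log with alert-level lines and push out other records. `printk_ratelimited(KERN_ALERT "grsec: denied insert of new USB device\n");` would keep the audit signal while bounding its volume. The function also has no comment on its return convention; from the body, 1 means the insertion is refused and 0 means it proceeds, presumably checked by a caller outside this hunk.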
@@ -68342,6 +73321,23 @@ index a59ff51..2594a70 100644
#endif /* CONFIG_MMU */
#endif /* !__ASSEMBLY__ */
+diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h
+index c184aa8..d049942 100644
+--- a/include/asm-generic/uaccess.h
++++ b/include/asm-generic/uaccess.h
+@@ -343,4 +343,12 @@ clear_user(void __user *to, unsigned long n)
+ return __clear_user(to, n);
+ }
+
++#ifndef __HAVE_ARCH_PAX_OPEN_USERLAND
++//static inline unsigned long pax_open_userland(void) { return 0; }
++#endif
++
++#ifndef __HAVE_ARCH_PAX_CLOSE_USERLAND
++//static inline unsigned long pax_close_userland(void) { return 0; }
++#endif
++
+ #endif /* __ASM_GENERIC_UACCESS_H */
diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
index eb58d2d..df131bf 100644
--- a/include/asm-generic/vmlinux.lds.h
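Review bot: Both the `#ifndef __HAVE_ARCH_PAX_OPEN_USERLAND` and `#ifndef __HAVE_ARCH_PAX_CLOSE_USERLAND` blocks contain only a `//`-commented stub, so they compile to nothing. An architecture that does not define the macro therefore gets no `pax_open_userland()` or `pax_close_userland()` fallback from this header. If the fallbacks are disabled on purpose, a short comment saying why would stop the next reader from uncommenting them; otherwise the empty guards should be dropped.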
@@ -68631,7 +73627,7 @@ index 1186098..f87e53d 100644
/**
* struct clk_init_data - holds init data that's common to all clocks and is
diff --git a/include/linux/compat.h b/include/linux/compat.h
-index 7f0c1dd..b5729c6 100644
+index 7f0c1dd..206ac34 100644
--- a/include/linux/compat.h
+++ b/include/linux/compat.h
@@ -312,7 +312,7 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr,
@@ -68652,6 +73648,14 @@ index 7f0c1dd..b5729c6 100644
asmlinkage long compat_sys_lookup_dcookie(u32, u32, char __user *, size_t);
/*
+@@ -669,6 +669,7 @@ asmlinkage long compat_sys_sigaltstack(const compat_stack_t __user *uss_ptr,
+
+ int compat_restore_altstack(const compat_stack_t __user *uss);
+ int __compat_save_altstack(compat_stack_t __user *, unsigned long);
++void __compat_save_altstack_ex(compat_stack_t __user *, unsigned long);
+
+ asmlinkage long compat_sys_sched_rr_get_interval(compat_pid_t pid,
+ struct compat_timespec __user *interval);
diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h
index 842de22..7f3a41f 100644
--- a/include/linux/compiler-gcc4.h
@@ -70049,10 +75053,10 @@ index 0000000..be66033
+#endif
diff --git a/include/linux/grinternal.h b/include/linux/grinternal.h
new file mode 100644
-index 0000000..fd8598b
+index 0000000..e337683
--- /dev/null
+++ b/include/linux/grinternal.h
-@@ -0,0 +1,228 @@
+@@ -0,0 +1,229 @@
+#ifndef __GRINTERNAL_H
+#define __GRINTERNAL_H
+
@@ -70101,6 +75105,7 @@ index 0000000..fd8598b
+extern int grsec_enable_forkfail;
+extern int grsec_enable_time;
+extern int grsec_enable_rofs;
++extern int grsec_deny_new_usb;
+extern int grsec_enable_chroot_shmat;
+extern int grsec_enable_chroot_mount;
+extern int grsec_enable_chroot_double;
@@ -70402,10 +75407,10 @@ index 0000000..a4396b5
+#define GR_BRUTE_SUID_MSG "bruteforce prevention initiated due to crash of %.950s against uid %u, banning suid/sgid execs for %u minutes. Please investigate the crash report for "
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
new file mode 100644
-index 0000000..3676b0b
+index 0000000..d6f5a21
--- /dev/null
+++ b/include/linux/grsecurity.h
-@@ -0,0 +1,242 @@
+@@ -0,0 +1,244 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
@@ -70427,6 +75432,8 @@ index 0000000..3676b0b
+#error "CONFIG_PAX enabled, but no PaX options are enabled."
+#endif
+
++int gr_handle_new_usb(void);
++
+void gr_handle_brute_attach(unsigned long mm_flags);
+void gr_handle_brute_check(void);
+void gr_handle_kernel_exploit(void);
@@ -70673,6 +75680,35 @@ index 0000000..e7ffaaf
+ const int protocol);
+
+#endif
+diff --git a/include/linux/hid.h b/include/linux/hid.h
+index 0c48991..76e41d8 100644
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -393,10 +393,12 @@ struct hid_report {
+ struct hid_device *device; /* associated device */
+ };
+
++#define HID_MAX_IDS 256
++
+ struct hid_report_enum {
+ unsigned numbered;
+ struct list_head report_list;
+- struct hid_report *report_id_hash[256];
++ struct hid_report *report_id_hash[HID_MAX_IDS];
+ };
+
+ #define HID_REPORT_TYPES 3
+@@ -747,6 +749,10 @@ void hid_output_report(struct hid_report *report, __u8 *data);
+ struct hid_device *hid_allocate_device(void);
+ struct hid_report *hid_register_report(struct hid_device *device, unsigned type, unsigned id);
+ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size);
++struct hid_report *hid_validate_report(struct hid_device *hid,
++ unsigned int type, unsigned int id,
++ unsigned int fields,
++ unsigned int report_counts);
+ int hid_open_report(struct hid_device *device);
+ int hid_check_keys_pressed(struct hid_device *hid);
+ int hid_connect(struct hid_device *hid, unsigned int connect_mask);
diff --git a/include/linux/highmem.h b/include/linux/highmem.h
index 7fb31da..08b5114 100644
--- a/include/linux/highmem.h
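Review bot: `hid_validate_report()` is declared with no description of its contract: what `fields` and `report_counts` are compared against, and what is returned when validation fails. The name suggests callers use it before trusting a device-supplied report, so a kernel-doc comment at the definition (outside this hunk) should spell that out, including whether a failed check returns `NULL`. The new `HID_MAX_IDS` only sizes `report_id_hash[]` here; any bounds check that uses it is not visible in this hunk.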
@@ -70929,7 +75965,7 @@ index 3e203eb..3fe68d0 100644
void gic_init_bases(unsigned int, int, void __iomem *, void __iomem *,
u32 offset, struct device_node *);
diff --git a/include/linux/kallsyms.h b/include/linux/kallsyms.h
-index 6883e19..06992b1 100644
+index 6883e19..e854fcb 100644
--- a/include/linux/kallsyms.h
+++ b/include/linux/kallsyms.h
@@ -15,7 +15,8 @@
@@ -70942,12 +75978,13 @@ index 6883e19..06992b1 100644
/* Lookup the address for a symbol. Returns 0 if not found. */
unsigned long kallsyms_lookup_name(const char *name);
-@@ -106,6 +107,17 @@ static inline int lookup_symbol_attrs(unsigned long addr, unsigned long *size, u
+@@ -106,6 +107,21 @@ static inline int lookup_symbol_attrs(unsigned long addr, unsigned long *size, u
/* Stupid that this does nothing, but I didn't create this mess. */
#define __print_symbol(fmt, addr)
#endif /*CONFIG_KALLSYMS*/
-+#else /* when included by kallsyms.c, vsnprintf.c, or
++#else /* when included by kallsyms.c, vsnprintf.c, kprobes.c, or
+ arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
++extern unsigned long kallsyms_lookup_name(const char *name);
+extern void __print_symbol(const char *fmt, unsigned long address);
+extern int sprint_backtrace(char *buffer, unsigned long address);
+extern int sprint_symbol(char *buffer, unsigned long address);
@@ -70956,6 +75993,9 @@ index 6883e19..06992b1 100644
+ unsigned long *symbolsize,
+ unsigned long *offset,
+ char **modname, char *namebuf);
++extern int kallsyms_lookup_size_offset(unsigned long addr,
++ unsigned long *symbolsize,
++ unsigned long *offset);
+#endif
/* This macro allows us to keep printk typechecking */
@@ -71133,7 +76173,7 @@ index b83e565..baa6c1d 100644
* list_move - delete from one list and add as another's head
* @list: the entry to move
diff --git a/include/linux/math64.h b/include/linux/math64.h
-index 2913b86..4209244 100644
+index 2913b86..8dcbb1e 100644
--- a/include/linux/math64.h
+++ b/include/linux/math64.h
@@ -15,7 +15,7 @@
@@ -71145,6 +76185,15 @@ index 2913b86..4209244 100644
{
*remainder = dividend % divisor;
return dividend / divisor;
+@@ -33,7 +33,7 @@ static inline s64 div_s64_rem(s64 dividend, s32 divisor, s32 *remainder)
+ /**
+ * div64_u64 - unsigned 64bit divide with 64bit divisor
+ */
+-static inline u64 div64_u64(u64 dividend, u64 divisor)
++static inline u64 __intentional_overflow(0) div64_u64(u64 dividend, u64 divisor)
+ {
+ return dividend / divisor;
+ }
@@ -52,7 +52,7 @@ static inline s64 div64_s64(s64 dividend, s64 divisor)
#define div64_ul(x, y) div_u64((x), (y))
@@ -71421,7 +76470,7 @@ index e0c8528..bcf0c29 100644
#endif /* __KERNEL__ */
#endif /* _LINUX_MM_H */
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
-index ace9a5f..81bdb59 100644
+index 4a189ba..04101d6 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -289,6 +289,8 @@ struct vm_area_struct {
@@ -71433,7 +76482,7 @@ index ace9a5f..81bdb59 100644
};
struct core_thread {
-@@ -437,6 +439,24 @@ struct mm_struct {
+@@ -438,6 +440,24 @@ struct mm_struct {
int first_nid;
#endif
struct uprobes_state uprobes_state;
@@ -72097,6 +77146,61 @@ index 4ea1d37..80f4b33 100644
/*
* The return value from decompress routine is the length of the
+diff --git a/include/linux/preempt.h b/include/linux/preempt.h
+index f5d4723..a6ea2fa 100644
+--- a/include/linux/preempt.h
++++ b/include/linux/preempt.h
+@@ -18,8 +18,13 @@
+ # define sub_preempt_count(val) do { preempt_count() -= (val); } while (0)
+ #endif
+
++#define raw_add_preempt_count(val) do { preempt_count() += (val); } while (0)
++#define raw_sub_preempt_count(val) do { preempt_count() -= (val); } while (0)
++
+ #define inc_preempt_count() add_preempt_count(1)
++#define raw_inc_preempt_count() raw_add_preempt_count(1)
+ #define dec_preempt_count() sub_preempt_count(1)
++#define raw_dec_preempt_count() raw_sub_preempt_count(1)
+
+ #define preempt_count() (current_thread_info()->preempt_count)
+
+@@ -64,6 +69,12 @@ do { \
+ barrier(); \
+ } while (0)
+
++#define raw_preempt_disable() \
++do { \
++ raw_inc_preempt_count(); \
++ barrier(); \
++} while (0)
++
+ #define sched_preempt_enable_no_resched() \
+ do { \
+ barrier(); \
+@@ -72,6 +83,12 @@ do { \
+
+ #define preempt_enable_no_resched() sched_preempt_enable_no_resched()
+
++#define raw_preempt_enable_no_resched() \
++do { \
++ barrier(); \
++ raw_dec_preempt_count(); \
++} while (0)
++
+ #define preempt_enable() \
+ do { \
+ preempt_enable_no_resched(); \
+@@ -116,8 +133,10 @@ do { \
+ * region.
+ */
+ #define preempt_disable() barrier()
++#define raw_preempt_disable() barrier()
+ #define sched_preempt_enable_no_resched() barrier()
+ #define preempt_enable_no_resched() barrier()
++#define raw_preempt_enable_no_resched() barrier()
+ #define preempt_enable() barrier()
+
+ #define preempt_disable_notrace() barrier()
diff --git a/include/linux/printk.h b/include/linux/printk.h
index 22c7052..ad3fa0a 100644
--- a/include/linux/printk.h
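Review bot: The `raw_*` preempt macros are added with no comment saying how they differ from the regular ones. From the visible lines, `raw_add_preempt_count()` and `raw_sub_preempt_count()` always modify `preempt_count()` directly, while the non-raw pair has an alternative definition above the `#endif` (presumably the debug/tracing variant), and only `raw_preempt_enable_no_resched()` exists, with no rescheduling enable. A comment such as `/* raw_*: no debug checks or tracing, never reschedules on enable; pair raw_preempt_disable() with raw_preempt_enable_no_resched() */` would document the intended pairing. `raw_get_cpu()` and `raw_put_cpu_no_resched()` in include/linux/smp.h build on these macros.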
@@ -72314,7 +77418,7 @@ index 6dacb93..6174423 100644
static inline void anon_vma_merge(struct vm_area_struct *vma,
struct vm_area_struct *next)
diff --git a/include/linux/sched.h b/include/linux/sched.h
-index 178a8d9..450bf11 100644
+index 178a8d9..918ea01 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -62,6 +62,7 @@ struct bio_list;
@@ -72334,7 +77438,7 @@ index 178a8d9..450bf11 100644
extern signed long schedule_timeout_interruptible(signed long timeout);
extern signed long schedule_timeout_killable(signed long timeout);
extern signed long schedule_timeout_uninterruptible(signed long timeout);
-@@ -314,6 +315,19 @@ struct nsproxy;
+@@ -314,6 +315,18 @@ struct nsproxy;
struct user_namespace;
#ifdef CONFIG_MMU
@@ -72350,11 +77454,10 @@ index 178a8d9..450bf11 100644
+
+extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len, unsigned long offset);
+extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len, unsigned long offset);
-+
extern void arch_pick_mmap_layout(struct mm_struct *mm);
extern unsigned long
arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
-@@ -591,6 +605,17 @@ struct signal_struct {
+@@ -591,6 +604,17 @@ struct signal_struct {
#ifdef CONFIG_TASKSTATS
struct taskstats *stats;
#endif
@@ -72372,7 +77475,7 @@ index 178a8d9..450bf11 100644
#ifdef CONFIG_AUDIT
unsigned audit_tty;
unsigned audit_tty_log_passwd;
-@@ -671,6 +696,14 @@ struct user_struct {
+@@ -671,6 +695,14 @@ struct user_struct {
struct key *session_keyring; /* UID's default session keyring */
#endif
@@ -72387,7 +77490,7 @@ index 178a8d9..450bf11 100644
/* Hash table maintenance information */
struct hlist_node uidhash_node;
kuid_t uid;
-@@ -1158,8 +1191,8 @@ struct task_struct {
+@@ -1158,8 +1190,8 @@ struct task_struct {
struct list_head thread_group;
struct completion *vfork_done; /* for vfork() */
@@ -72398,7 +77501,7 @@ index 178a8d9..450bf11 100644
cputime_t utime, stime, utimescaled, stimescaled;
cputime_t gtime;
-@@ -1184,11 +1217,6 @@ struct task_struct {
+@@ -1184,11 +1216,6 @@ struct task_struct {
struct task_cputime cputime_expires;
struct list_head cpu_timers[3];
@@ -72410,7 +77513,7 @@ index 178a8d9..450bf11 100644
char comm[TASK_COMM_LEN]; /* executable name excluding path
- access with [gs]et_task_comm (which lock
it with task_lock())
-@@ -1205,6 +1233,10 @@ struct task_struct {
+@@ -1205,6 +1232,10 @@ struct task_struct {
#endif
/* CPU-specific state of this task */
struct thread_struct thread;
@@ -72421,7 +77524,7 @@ index 178a8d9..450bf11 100644
/* filesystem information */
struct fs_struct *fs;
/* open file information */
-@@ -1278,6 +1310,10 @@ struct task_struct {
+@@ -1278,6 +1309,10 @@ struct task_struct {
gfp_t lockdep_reclaim_gfp;
#endif
@@ -72432,7 +77535,7 @@ index 178a8d9..450bf11 100644
/* journalling filesystem info */
void *journal_info;
-@@ -1316,6 +1352,10 @@ struct task_struct {
+@@ -1316,6 +1351,10 @@ struct task_struct {
/* cg_list protected by css_set_lock and tsk->alloc_lock */
struct list_head cg_list;
#endif
@@ -72443,7 +77546,7 @@ index 178a8d9..450bf11 100644
#ifdef CONFIG_FUTEX
struct robust_list_head __user *robust_list;
#ifdef CONFIG_COMPAT
-@@ -1416,8 +1456,76 @@ struct task_struct {
+@@ -1416,8 +1455,76 @@ struct task_struct {
unsigned int sequential_io;
unsigned int sequential_io_avg;
#endif
@@ -72520,7 +77623,7 @@ index 178a8d9..450bf11 100644
/* Future-safe accessor for struct task_struct's cpus_allowed. */
#define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
-@@ -1476,7 +1584,7 @@ struct pid_namespace;
+@@ -1476,7 +1583,7 @@ struct pid_namespace;
pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type,
struct pid_namespace *ns);
@@ -72529,7 +77632,7 @@ index 178a8d9..450bf11 100644
{
return tsk->pid;
}
-@@ -1919,7 +2027,9 @@ void yield(void);
+@@ -1919,7 +2026,9 @@ void yield(void);
extern struct exec_domain default_exec_domain;
union thread_union {
@@ -72539,7 +77642,7 @@ index 178a8d9..450bf11 100644
unsigned long stack[THREAD_SIZE/sizeof(long)];
};
-@@ -1952,6 +2062,7 @@ extern struct pid_namespace init_pid_ns;
+@@ -1952,6 +2061,7 @@ extern struct pid_namespace init_pid_ns;
*/
extern struct task_struct *find_task_by_vpid(pid_t nr);
@@ -72547,7 +77650,7 @@ index 178a8d9..450bf11 100644
extern struct task_struct *find_task_by_pid_ns(pid_t nr,
struct pid_namespace *ns);
-@@ -2118,7 +2229,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
+@@ -2118,7 +2228,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
extern void exit_itimers(struct signal_struct *);
extern void flush_itimer_signals(void);
@@ -72556,7 +77659,7 @@ index 178a8d9..450bf11 100644
extern int allow_signal(int);
extern int disallow_signal(int);
-@@ -2309,9 +2420,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
+@@ -2309,9 +2419,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
#endif
@@ -72629,6 +77732,18 @@ index 429c199..4d42e38 100644
};
/* shm_mode upper byte flags */
+diff --git a/include/linux/signal.h b/include/linux/signal.h
+index d897484..323ba98 100644
+--- a/include/linux/signal.h
++++ b/include/linux/signal.h
+@@ -433,6 +433,7 @@ void signals_init(void);
+
+ int restore_altstack(const stack_t __user *);
+ int __save_altstack(stack_t __user *, unsigned long);
++void __save_altstack_ex(stack_t __user *, unsigned long);
+
+ #ifdef CONFIG_PROC_FS
+ struct seq_file;
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index dec1748..112c1f9 100644
--- a/include/linux/skbuff.h
@@ -72953,6 +78068,20 @@ index 027276f..092bfe8 100644
void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node);
#ifdef CONFIG_TRACING
+diff --git a/include/linux/smp.h b/include/linux/smp.h
+index c848876..11e8a84 100644
+--- a/include/linux/smp.h
++++ b/include/linux/smp.h
+@@ -221,7 +221,9 @@ static inline void kick_all_cpus_sync(void) { }
+ #endif
+
+ #define get_cpu() ({ preempt_disable(); smp_processor_id(); })
++#define raw_get_cpu() ({ raw_preempt_disable(); raw_smp_processor_id(); })
+ #define put_cpu() preempt_enable()
++#define raw_put_cpu_no_resched() raw_preempt_enable_no_resched()
+
+ /*
+ * Callback to arch code if there's nosmp or maxcpus=0 on the
diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h
index 54f91d3..be2c379 100644
--- a/include/linux/sock_diag.h
@@ -73096,7 +78225,7 @@ index a5ffd32..0935dea 100644
extern dma_addr_t swiotlb_map_page(struct device *dev, struct page *page,
unsigned long offset, size_t size,
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
-index 4147d70..d356a10 100644
+index 84662ec..d8f8adb 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -97,8 +97,12 @@ struct sigaltstack;
@@ -73601,6 +78730,25 @@ index c586679..f06b389 100644
}
static inline void __dec_zone_page_state(struct page *page,
+diff --git a/include/linux/workqueue.h b/include/linux/workqueue.h
+index 623488f..44b5742 100644
+--- a/include/linux/workqueue.h
++++ b/include/linux/workqueue.h
+@@ -410,11 +410,11 @@ __alloc_workqueue_key(const char *fmt, unsigned int flags, int max_active,
+ alloc_workqueue(fmt, WQ_UNBOUND | __WQ_ORDERED | (flags), 1, ##args)
+
+ #define create_workqueue(name) \
+- alloc_workqueue((name), WQ_MEM_RECLAIM, 1)
++ alloc_workqueue("%s", WQ_MEM_RECLAIM, 1, (name))
+ #define create_freezable_workqueue(name) \
+- alloc_workqueue((name), WQ_FREEZABLE | WQ_UNBOUND | WQ_MEM_RECLAIM, 1)
++ alloc_workqueue("%s", WQ_FREEZABLE | WQ_UNBOUND | WQ_MEM_RECLAIM, 1, (name))
+ #define create_singlethread_workqueue(name) \
+- alloc_workqueue((name), WQ_UNBOUND | WQ_MEM_RECLAIM, 1)
++ alloc_workqueue("%s", WQ_UNBOUND | WQ_MEM_RECLAIM, 1, (name))
+
+ extern void destroy_workqueue(struct workqueue_struct *wq);
+
diff --git a/include/linux/xattr.h b/include/linux/xattr.h
index fdbafc6..49dfe4f 100644
--- a/include/linux/xattr.h
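Review bot: The three `create_*workqueue()` macros now pass `name` as a `"%s"` argument, but nothing in the header says why. A one-line comment above them, e.g. `/* name is data, not a format: keep the "%s" so a '%' in a caller-built name is never parsed */`, would keep a later cleanup from folding `name` back into the format position. The `alloc_workqueue(fmt, ...)` line just above the hunk still takes a real format, so the contrast is worth stating.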
@@ -73658,6 +78806,19 @@ index 95d1c91..6798cca 100644
/*
* Newer version of video_device, handled by videodev2.c
+diff --git a/include/media/v4l2-device.h b/include/media/v4l2-device.h
+index c9b1593..a572459 100644
+--- a/include/media/v4l2-device.h
++++ b/include/media/v4l2-device.h
+@@ -95,7 +95,7 @@ int __must_check v4l2_device_register(struct device *dev, struct v4l2_device *v4
+ this function returns 0. If the name ends with a digit (e.g. cx18),
+ then the name will be set to cx18-0 since cx180 looks really odd. */
+ int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
+- atomic_t *instance);
++ atomic_unchecked_t *instance);
+
+ /* Set v4l2_dev->dev to NULL. Call when the USB parent disconnects.
+ Since the parent disappears this ensures that v4l2_dev doesn't have an
diff --git a/include/net/9p/transport.h b/include/net/9p/transport.h
index adcbb20..62c2559 100644
--- a/include/net/9p/transport.h
@@ -73760,7 +78921,7 @@ index de2c785..0588a6b 100644
/** inet_connection_sock - INET connection oriented sock
*
diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h
-index 53f464d..ba76aaa 100644
+index 53f464d..0bd0b49 100644
--- a/include/net/inetpeer.h
+++ b/include/net/inetpeer.h
@@ -47,8 +47,8 @@ struct inet_peer {
@@ -73774,20 +78935,28 @@ index 53f464d..ba76aaa 100644
};
struct rcu_head rcu;
struct inet_peer *gc_next;
-@@ -182,11 +182,11 @@ static inline int inet_getid(struct inet_peer *p, int more)
+@@ -178,16 +178,13 @@ static inline void inet_peer_refcheck(const struct inet_peer *p)
+ /* can be called with or without local BH being disabled */
+ static inline int inet_getid(struct inet_peer *p, int more)
+ {
+- int old, new;
++ int id;
more++;
inet_peer_refcheck(p);
- do {
+- do {
- old = atomic_read(&p->ip_id_count);
-+ old = atomic_read_unchecked(&p->ip_id_count);
- new = old + more;
- if (!new)
- new = 1;
+- new = old + more;
+- if (!new)
+- new = 1;
- } while (atomic_cmpxchg(&p->ip_id_count, old, new) != old);
-+ } while (atomic_cmpxchg_unchecked(&p->ip_id_count, old, new) != old);
- return new;
+- return new;
++ id = atomic_add_return_unchecked(more, &p->ip_id_count);
++ if (!id)
++ id = atomic_inc_return_unchecked(&p->ip_id_count);
++ return id;
}
+ #endif /* _NET_INETPEER_H */
diff --git a/include/net/ip.h b/include/net/ip.h
index a68f838..74518ab 100644
--- a/include/net/ip.h
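Review bot: The rewritten `inet_getid()` skips a zero result with a second `atomic_inc_return_unchecked()`, but nothing comments on that step. Unlike the removed cmpxchg loop, the add and the retry are two separate atomic operations, so `ip_id_count` briefly holds 0 and the returned id is no longer exactly `old + more` in that case. That looks harmless, but a comment like `/* never hand out id 0; the extra increment is a separate atomic op */` on the `if (!id)` line would record that it is deliberate.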
@@ -75126,7 +80295,7 @@ index a67ef9d..2d17ed9 100644
#ifdef CONFIG_BLK_DEV_RAM
int fd;
diff --git a/init/main.c b/init/main.c
-index 9484f4b..4c01430 100644
+index 9484f4b..0eac7c3 100644
--- a/init/main.c
+++ b/init/main.c
@@ -100,6 +100,8 @@ static inline void mark_rodata_ro(void) { }
@@ -75138,7 +80307,7 @@ index 9484f4b..4c01430 100644
/*
* Debug helper: via this flag we know that we are in 'early bootup code'
* where only the boot processor is running with IRQ disabled. This means
-@@ -153,6 +155,64 @@ static int __init set_reset_devices(char *str)
+@@ -153,6 +155,74 @@ static int __init set_reset_devices(char *str)
__setup("reset_devices", set_reset_devices);
@@ -75153,11 +80322,10 @@ index 9484f4b..4c01430 100644
+#endif
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
-+unsigned long pax_user_shadow_base __read_only = 1UL << TASK_SIZE_MAX_SHIFT;
++unsigned long pax_user_shadow_base __read_only;
+EXPORT_SYMBOL(pax_user_shadow_base);
+extern char pax_enter_kernel_user[];
+extern char pax_exit_kernel_user[];
-+extern pgdval_t clone_pgd_mask;
+#endif
+
+#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
@@ -75182,11 +80350,22 @@ index 9484f4b..4c01430 100644
+ memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
+ clone_pgd_mask = ~(pgdval_t)0UL;
+ pax_user_shadow_base = 0UL;
++ setup_clear_cpu_cap(X86_FEATURE_PCID);
+#endif
+
+ return 0;
+}
+early_param("pax_nouderef", setup_pax_nouderef);
++
++#ifdef CONFIG_X86_64
++static int __init setup_pax_weakuderef(char *str)
++{
++ if (clone_pgd_mask != ~(pgdval_t)0UL)
++ pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT;
++ return 1;
++}
++__setup("pax_weakuderef", setup_pax_weakuderef);
++#endif
+#endif
+
+#ifdef CONFIG_PAX_SOFTMODE
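Review bot: `setup_pax_weakuderef()` depends on `clone_pgd_mask` already reflecting `pax_nouderef`, and no comment says so. This holds only because that handler is registered with `early_param()` and this one with `__setup()`. I would add `/* pax_nouderef is an early_param, so clone_pgd_mask is final by the time this runs */` above the `if`. `pax_user_shadow_base` is no longer initialised at its definition, so this handler is the only visible place that sets it to `1UL << TASK_SIZE_MAX_SHIFT`; a boot-time log line when the option takes effect would help when auditing a host's kernel command line. `setup_pax_nouderef()` starts outside this hunk.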
@@ -75203,7 +80382,7 @@ index 9484f4b..4c01430 100644
static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
static const char *panic_later, *panic_param;
-@@ -655,8 +715,6 @@ static void __init do_ctors(void)
+@@ -655,8 +725,6 @@ static void __init do_ctors(void)
bool initcall_debug;
core_param(initcall_debug, initcall_debug, bool, 0644);
@@ -75212,7 +80391,7 @@ index 9484f4b..4c01430 100644
static int __init_or_module do_one_initcall_debug(initcall_t fn)
{
ktime_t calltime, delta, rettime;
-@@ -679,23 +737,22 @@ int __init_or_module do_one_initcall(initcall_t fn)
+@@ -679,23 +747,22 @@ int __init_or_module do_one_initcall(initcall_t fn)
{
int count = preempt_count();
int ret;
@@ -75240,7 +80419,7 @@ index 9484f4b..4c01430 100644
return ret;
}
-@@ -748,8 +805,14 @@ static void __init do_initcall_level(int level)
+@@ -748,8 +815,14 @@ static void __init do_initcall_level(int level)
level, level,
&repair_env_string);
@@ -75256,7 +80435,7 @@ index 9484f4b..4c01430 100644
}
static void __init do_initcalls(void)
-@@ -783,8 +846,14 @@ static void __init do_pre_smp_initcalls(void)
+@@ -783,8 +856,14 @@ static void __init do_pre_smp_initcalls(void)
{
initcall_t *fn;
@@ -75272,7 +80451,7 @@ index 9484f4b..4c01430 100644
}
/*
-@@ -802,8 +871,8 @@ static int run_init_process(const char *init_filename)
+@@ -802,8 +881,8 @@ static int run_init_process(const char *init_filename)
{
argv_init[0] = init_filename;
return do_execve(init_filename,
@@ -75283,7 +80462,7 @@ index 9484f4b..4c01430 100644
}
static noinline void __init kernel_init_freeable(void);
-@@ -880,7 +949,7 @@ static noinline void __init kernel_init_freeable(void)
+@@ -880,7 +959,7 @@ static noinline void __init kernel_init_freeable(void)
do_basic_setup();
/* Open the /dev/console on the rootfs, this should never fail */
@@ -75292,7 +80471,7 @@ index 9484f4b..4c01430 100644
pr_err("Warning: unable to open an initial console.\n");
(void) sys_dup(0);
-@@ -893,11 +962,13 @@ static noinline void __init kernel_init_freeable(void)
+@@ -893,11 +972,13 @@ static noinline void __init kernel_init_freeable(void)
if (!ramdisk_execute_command)
ramdisk_execute_command = "/init";
@@ -75721,10 +80900,10 @@ index f6c2ce5..982c0f9 100644
+ return ns_capable_nolog(ns, cap) && kuid_has_mapping(ns, inode->i_uid);
+}
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
-index c6e77ef..af531a0 100644
+index 2e9b387..61817b1 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
-@@ -5391,7 +5391,7 @@ static int cgroup_css_links_read(struct cgroup *cont,
+@@ -5398,7 +5398,7 @@ static int cgroup_css_links_read(struct cgroup *cont,
struct css_set *cg = link->cg;
struct task_struct *task;
int count = 0;
@@ -76272,7 +81451,7 @@ index e76e495..cbfe63a 100644
/*
diff --git a/kernel/events/internal.h b/kernel/events/internal.h
-index ca65997..cc8cee4 100644
+index ca65997..60df03d 100644
--- a/kernel/events/internal.h
+++ b/kernel/events/internal.h
@@ -81,10 +81,10 @@ static inline unsigned long perf_data_size(struct ring_buffer *rb)
@@ -76280,11 +81459,12 @@ index ca65997..cc8cee4 100644
}
-#define DEFINE_OUTPUT_COPY(func_name, memcpy_func) \
+-static inline unsigned int \
+#define DEFINE_OUTPUT_COPY(func_name, memcpy_func, user) \
- static inline unsigned int \
++static inline unsigned long \
func_name(struct perf_output_handle *handle, \
- const void *buf, unsigned int len) \
-+ const void user *buf, unsigned int len) \
++ const void user *buf, unsigned long len) \
{ \
unsigned long size, written; \
\
@@ -76309,6 +81489,19 @@ index ca65997..cc8cee4 100644
/* Callchain handling */
extern struct perf_callchain_entry *
+diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
+index f356974..cb8c570 100644
+--- a/kernel/events/uprobes.c
++++ b/kernel/events/uprobes.c
+@@ -1556,7 +1556,7 @@ static int is_trap_at_addr(struct mm_struct *mm, unsigned long vaddr)
+ {
+ struct page *page;
+ uprobe_opcode_t opcode;
+- int result;
++ long result;
+
+ pagefault_disable();
+ result = __copy_from_user_inatomic(&opcode, (void __user*)vaddr,
diff --git a/kernel/exit.c b/kernel/exit.c
index 7bb73f9..d7978ed 100644
--- a/kernel/exit.c
@@ -76370,7 +81563,7 @@ index 7bb73f9..d7978ed 100644
{
struct signal_struct *sig = current->signal;
diff --git a/kernel/fork.c b/kernel/fork.c
-index 987b28a..11ee8a5 100644
+index ffbc090..08ceeee 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -319,7 +319,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
@@ -76665,7 +81858,7 @@ index 987b28a..11ee8a5 100644
if (clone_flags & CLONE_VFORK) {
p->vfork_done = &vfork;
init_completion(&vfork);
-@@ -1723,7 +1785,7 @@ void __init proc_caches_init(void)
+@@ -1729,7 +1791,7 @@ void __init proc_caches_init(void)
mm_cachep = kmem_cache_create("mm_struct",
sizeof(struct mm_struct), ARCH_MIN_MMSTRUCT_ALIGN,
SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_NOTRACK, NULL);
@@ -76674,7 +81867,7 @@ index 987b28a..11ee8a5 100644
mmap_init();
nsproxy_cache_init();
}
-@@ -1763,7 +1825,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
+@@ -1769,7 +1831,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
return 0;
/* don't need lock here; in the worst case we'll do useless copy */
@@ -76683,7 +81876,7 @@ index 987b28a..11ee8a5 100644
return 0;
*new_fsp = copy_fs_struct(fs);
-@@ -1875,7 +1937,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
+@@ -1881,7 +1943,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
fs = current->fs;
spin_lock(&fs->lock);
current->fs = new_fs;
@@ -76694,7 +81887,7 @@ index 987b28a..11ee8a5 100644
else
new_fs = fs;
diff --git a/kernel/futex.c b/kernel/futex.c
-index 49dacfb..5c6b450 100644
+index 49dacfb..2ac4526 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -54,6 +54,7 @@
@@ -76717,6 +81910,15 @@ index 49dacfb..5c6b450 100644
/*
* The futex address must be "naturally" aligned.
*/
+@@ -440,7 +446,7 @@ static int cmpxchg_futex_value_locked(u32 *curval, u32 __user *uaddr,
+
+ static int get_futex_value_locked(u32 *dest, u32 __user *from)
+ {
+- int ret;
++ unsigned long ret;
+
+ pagefault_disable();
+ ret = __copy_from_user_inatomic(dest, from, sizeof(u32));
@@ -2733,6 +2739,7 @@ static int __init futex_init(void)
{
u32 curval;
@@ -77144,10 +82346,20 @@ index 8241906..d625f2c 100644
kernel_cap_t new_cap;
int err, i;
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
-index bddf3b2..07b90dd 100644
+index bddf3b2..233bf40 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
-@@ -185,7 +185,7 @@ static kprobe_opcode_t __kprobes *__get_insn_slot(struct kprobe_insn_cache *c)
+@@ -31,6 +31,9 @@
+ * <jkenisto@us.ibm.com> and Prasanna S Panchamukhi
+ * <prasanna@in.ibm.com> added function-return probes.
+ */
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++#define __INCLUDED_BY_HIDESYM 1
++#endif
+ #include <linux/kprobes.h>
+ #include <linux/hash.h>
+ #include <linux/init.h>
+@@ -185,7 +188,7 @@ static kprobe_opcode_t __kprobes *__get_insn_slot(struct kprobe_insn_cache *c)
* kernel image and loaded module images reside. This is required
* so x86_64 can correctly handle the %rip-relative fixups.
*/
@@ -77156,7 +82368,7 @@ index bddf3b2..07b90dd 100644
if (!kip->insns) {
kfree(kip);
return NULL;
-@@ -225,7 +225,7 @@ static int __kprobes collect_one_slot(struct kprobe_insn_page *kip, int idx)
+@@ -225,7 +228,7 @@ static int __kprobes collect_one_slot(struct kprobe_insn_page *kip, int idx)
*/
if (!list_is_singular(&kip->list)) {
list_del(&kip->list);
@@ -77165,7 +82377,7 @@ index bddf3b2..07b90dd 100644
kfree(kip);
}
return 1;
-@@ -2083,7 +2083,7 @@ static int __init init_kprobes(void)
+@@ -2083,7 +2086,7 @@ static int __init init_kprobes(void)
{
int i, err = 0;
unsigned long offset = 0, size = 0;
@@ -77174,7 +82386,7 @@ index bddf3b2..07b90dd 100644
const char *symbol_name;
void *addr;
struct kprobe_blackpoint *kb;
-@@ -2168,11 +2168,11 @@ static void __kprobes report_probe(struct seq_file *pi, struct kprobe *p,
+@@ -2168,11 +2171,11 @@ static void __kprobes report_probe(struct seq_file *pi, struct kprobe *p,
kprobe_type = "k";
if (sym)
@@ -77188,7 +82400,7 @@ index bddf3b2..07b90dd 100644
p->addr, kprobe_type, p->addr);
if (!pp)
-@@ -2209,7 +2209,7 @@ static int __kprobes show_kprobe_addr(struct seq_file *pi, void *v)
+@@ -2209,7 +2212,7 @@ static int __kprobes show_kprobe_addr(struct seq_file *pi, void *v)
const char *sym = NULL;
unsigned int i = *(loff_t *) v;
unsigned long offset = 0;
@@ -78369,7 +83581,7 @@ index 42670e9..8719c2f 100644
.clock_get = thread_cpu_clock_get,
.timer_create = thread_cpu_timer_create,
diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c
-index 424c2d4..a9194f7 100644
+index 424c2d4..679242f 100644
--- a/kernel/posix-timers.c
+++ b/kernel/posix-timers.c
@@ -43,6 +43,7 @@
@@ -78461,6 +83673,15 @@ index 424c2d4..a9194f7 100644
}
static int common_timer_create(struct k_itimer *new_timer)
+@@ -597,7 +598,7 @@ SYSCALL_DEFINE3(timer_create, const clockid_t, which_clock,
+ struct k_clock *kc = clockid_to_kclock(which_clock);
+ struct k_itimer *new_timer;
+ int error, new_timer_id;
+- sigevent_t event;
++ sigevent_t event = { };
+ int it_id_set = IT_ID_NOT_SET;
+
+ if (!kc)
@@ -1011,6 +1012,13 @@ SYSCALL_DEFINE2(clock_settime, const clockid_t, which_clock,
if (copy_from_user(&new_tp, tp, sizeof (*tp)))
return -EFAULT;
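Review bot: The new `sigevent_t event = { };` in `timer_create` carries no comment saying why the structure is zeroed, so it reads as a redundant initialiser that a later cleanup could drop. The reason is presumably that not every member of `event` is written on every path before the structure is consumed, which would let uninitialised kernel stack bytes travel onward. Those paths are outside the hunk, so this should be confirmed against the full function. A short comment such as `/* zeroed: not all members are set on every path below */` would pin the intent.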
@@ -79674,7 +84895,7 @@ index e8b3350..d83d44e 100644
.priority = CPU_PRI_MIGRATION,
};
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
-index c61a614..d7f3d7e 100644
+index 03b73be..9422b9f 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -831,7 +831,7 @@ void task_numa_fault(int node, int pages, bool migrated)
@@ -79686,7 +84907,7 @@ index c61a614..d7f3d7e 100644
p->mm->numa_scan_offset = 0;
}
-@@ -5686,7 +5686,7 @@ static void nohz_idle_balance(int this_cpu, enum cpu_idle_type idle) { }
+@@ -5687,7 +5687,7 @@ static void nohz_idle_balance(int this_cpu, enum cpu_idle_type idle) { }
* run_rebalance_domains is triggered when needed from the scheduler tick.
* Also triggered for nohz idle balancing (with nohz_balancing_kick set).
*/
@@ -79709,7 +84930,7 @@ index ce39224d..0e09343 100644
#define sched_class_highest (&stop_sched_class)
#define for_each_class(class) \
diff --git a/kernel/signal.c b/kernel/signal.c
-index 113411b..17190e2 100644
+index 113411b..20d0a99 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -51,12 +51,12 @@ static struct kmem_cache *sigqueue_cachep;
@@ -79835,7 +85056,24 @@ index 113411b..17190e2 100644
if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
error = check_kill_permission(sig, info, p);
/*
-@@ -3240,8 +3271,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack,
+@@ -3219,6 +3250,16 @@ int __save_altstack(stack_t __user *uss, unsigned long sp)
+ __put_user(t->sas_ss_size, &uss->ss_size);
+ }
+
++#ifdef CONFIG_X86
++void __save_altstack_ex(stack_t __user *uss, unsigned long sp)
++{
++ struct task_struct *t = current;
++ put_user_ex((void __user *)t->sas_ss_sp, &uss->ss_sp);
++ put_user_ex(sas_ss_flags(sp), &uss->ss_flags);
++ put_user_ex(t->sas_ss_size, &uss->ss_size);
++}
++#endif
++
+ #ifdef CONFIG_COMPAT
+ COMPAT_SYSCALL_DEFINE2(sigaltstack,
+ const compat_stack_t __user *, uss_ptr,
+@@ -3240,8 +3281,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack,
}
seg = get_fs();
set_fs(KERNEL_DS);
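Review bot: `__save_altstack_ex()` is added without any comment stating its calling contract, although it writes to user memory with `put_user_ex()` and returns `void`, so a fault cannot be reported through the function itself. On x86 the `_ex` accessors are, as far as I know, only meaningful inside a `put_user_try` / `put_user_catch` region, where the caller collects the error. A call from anywhere else would let a faulting write pass unnoticed. I would add above the definition `/* Caller must be inside put_user_try/put_user_catch; faults are reported there, not here. */`, and the same on `__compat_save_altstack_ex()` in the next hunk.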
@@ -79846,6 +85084,23 @@ index 113411b..17190e2 100644
compat_user_stack_pointer());
set_fs(seg);
if (ret >= 0 && uoss_ptr) {
+@@ -3268,6 +3309,16 @@ int __compat_save_altstack(compat_stack_t __user *uss, unsigned long sp)
+ __put_user(sas_ss_flags(sp), &uss->ss_flags) |
+ __put_user(t->sas_ss_size, &uss->ss_size);
+ }
++
++#ifdef CONFIG_X86
++void __compat_save_altstack_ex(compat_stack_t __user *uss, unsigned long sp)
++{
++ struct task_struct *t = current;
++ put_user_ex(ptr_to_compat((void __user *)t->sas_ss_sp), &uss->ss_sp);
++ put_user_ex(sas_ss_flags(sp), &uss->ss_flags);
++ put_user_ex(t->sas_ss_size, &uss->ss_size);
++}
++#endif
+ #endif
+
+ #ifdef __ARCH_WANT_SYS_SIGPENDING
diff --git a/kernel/smp.c b/kernel/smp.c
index 4dba0f7..fe9f773 100644
--- a/kernel/smp.c
@@ -80658,10 +85913,10 @@ index b8b8560..75b1a09 100644
ret = -EIO;
bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
-index 6c508ff..ee55a13 100644
+index f23449d..b8cc3a1 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
-@@ -1915,12 +1915,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec)
+@@ -1925,12 +1925,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec)
if (unlikely(ftrace_disabled))
return 0;
@@ -80681,7 +85936,7 @@ index 6c508ff..ee55a13 100644
}
/*
-@@ -3931,8 +3936,10 @@ static int ftrace_process_locs(struct module *mod,
+@@ -3994,8 +3999,10 @@ static int ftrace_process_locs(struct module *mod,
if (!count)
return 0;
@@ -80692,7 +85947,7 @@ index 6c508ff..ee55a13 100644
start_pg = ftrace_allocate_pages(count);
if (!start_pg)
-@@ -4655,8 +4662,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write,
+@@ -4718,8 +4725,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write,
#ifdef CONFIG_FUNCTION_GRAPH_TRACER
static int ftrace_graph_active;
@@ -80701,7 +85956,7 @@ index 6c508ff..ee55a13 100644
int ftrace_graph_entry_stub(struct ftrace_graph_ent *trace)
{
return 0;
-@@ -4800,6 +4805,10 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state,
+@@ -4863,6 +4868,10 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state,
return NOTIFY_DONE;
}
@@ -80712,7 +85967,7 @@ index 6c508ff..ee55a13 100644
int register_ftrace_graph(trace_func_graph_ret_t retfunc,
trace_func_graph_ent_t entryfunc)
{
-@@ -4813,7 +4822,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc,
+@@ -4876,7 +4885,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc,
goto out;
}
@@ -80999,10 +86254,10 @@ index e444ff8..438b8f4 100644
*data_page = bpage;
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
-index f7bc3ce..b8ef9b5 100644
+index 0582a01..310bed1 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
-@@ -3303,7 +3303,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set)
+@@ -3327,7 +3327,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set)
return 0;
}
@@ -81024,11 +86279,31 @@ index 51b4448..7be601f 100644
/*
* Normal trace_printk() and friends allocates special buffers
+diff --git a/kernel/trace/trace_clock.c b/kernel/trace/trace_clock.c
+index 26dc348..8708ca7 100644
+--- a/kernel/trace/trace_clock.c
++++ b/kernel/trace/trace_clock.c
+@@ -123,7 +123,7 @@ u64 notrace trace_clock_global(void)
+ return now;
+ }
+
+-static atomic64_t trace_counter;
++static atomic64_unchecked_t trace_counter;
+
+ /*
+ * trace_clock_counter(): simply an atomic counter.
+@@ -132,5 +132,5 @@ static atomic64_t trace_counter;
+ */
+ u64 notrace trace_clock_counter(void)
+ {
+- return atomic64_add_return(1, &trace_counter);
++ return atomic64_inc_return_unchecked(&trace_counter);
+ }
diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
-index 6953263..2004e16 100644
+index 3d18aad..d1be0eb 100644
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
-@@ -1748,10 +1748,6 @@ static LIST_HEAD(ftrace_module_file_list);
+@@ -1794,10 +1794,6 @@ static LIST_HEAD(ftrace_module_file_list);
struct ftrace_module_file_ops {
struct list_head list;
struct module *mod;
@@ -81039,7 +86314,7 @@ index 6953263..2004e16 100644
};
static struct ftrace_module_file_ops *
-@@ -1792,17 +1788,12 @@ trace_create_file_ops(struct module *mod)
+@@ -1838,17 +1834,12 @@ trace_create_file_ops(struct module *mod)
file_ops->mod = mod;
@@ -81063,7 +86338,7 @@ index 6953263..2004e16 100644
list_add(&file_ops->list, &ftrace_module_file_list);
-@@ -1895,8 +1886,8 @@ __trace_add_new_mod_event(struct ftrace_event_call *call,
+@@ -1941,8 +1932,8 @@ __trace_add_new_mod_event(struct ftrace_event_call *call,
struct ftrace_module_file_ops *file_ops)
{
return __trace_add_new_event(call, tr,
@@ -81162,10 +86437,10 @@ index b20428c..4845a10 100644
local_irq_save(flags);
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index d8c30db..f2f6af5 100644
+index 9064b91..1f5d2f8 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
-@@ -79,6 +79,21 @@ int create_user_ns(struct cred *new)
+@@ -82,6 +82,21 @@ int create_user_ns(struct cred *new)
!kgid_has_mapping(parent_ns, group))
return -EPERM;
@@ -81187,30 +86462,7 @@ index d8c30db..f2f6af5 100644
ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
if (!ns)
return -ENOMEM;
-@@ -105,6 +120,7 @@ int create_user_ns(struct cred *new)
- int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
- {
- struct cred *cred;
-+ int err;
-
- if (!(unshare_flags & CLONE_NEWUSER))
- return 0;
-@@ -113,8 +129,12 @@ int unshare_userns(unsigned long unshare_flags, struct cred **new_cred)
- if (!cred)
- return -ENOMEM;
-
-- *new_cred = cred;
-- return create_user_ns(cred);
-+ err = create_user_ns(cred);
-+ if (err)
-+ put_cred(cred);
-+ else
-+ *new_cred = cred;
-+ return err;
- }
-
- void free_user_ns(struct user_namespace *ns)
-@@ -853,7 +873,7 @@ static int userns_install(struct nsproxy *nsproxy, void *ns)
+@@ -862,7 +877,7 @@ static int userns_install(struct nsproxy *nsproxy, void *ns)
if (atomic_read(&current->mm->mm_users) > 1)
return -EINVAL;
@@ -81246,10 +86498,10 @@ index 05039e3..17490c7 100644
.thread_should_run = watchdog_should_run,
.thread_fn = watchdog,
diff --git a/kernel/workqueue.c b/kernel/workqueue.c
-index ee8e29a..410568e 100644
+index 6f01921..139869b 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
-@@ -4584,7 +4584,7 @@ static void rebind_workers(struct worker_pool *pool)
+@@ -4596,7 +4596,7 @@ static void rebind_workers(struct worker_pool *pool)
WARN_ON_ONCE(!(worker_flags & WORKER_UNBOUND));
worker_flags |= WORKER_REBOUND;
worker_flags &= ~WORKER_UNBOUND;
@@ -81937,9 +87189,18 @@ index e742d06..c56fdd8 100644
config NOMMU_INITIAL_TRIM_EXCESS
diff --git a/mm/backing-dev.c b/mm/backing-dev.c
-index 5025174..9fc1c5c 100644
+index 5025174..9d67dcd 100644
--- a/mm/backing-dev.c
+++ b/mm/backing-dev.c
+@@ -12,7 +12,7 @@
+ #include <linux/device.h>
+ #include <trace/events/writeback.h>
+
+-static atomic_long_t bdi_seq = ATOMIC_LONG_INIT(0);
++static atomic_long_unchecked_t bdi_seq = ATOMIC_LONG_INIT(0);
+
+ struct backing_dev_info default_backing_dev_info = {
+ .name = "default",
@@ -515,7 +515,6 @@ EXPORT_SYMBOL(bdi_destroy);
int bdi_setup_and_register(struct backing_dev_info *bdi, char *name,
unsigned int cap)
@@ -81954,12 +87215,12 @@ index 5025174..9fc1c5c 100644
- sprintf(tmp, "%.28s%s", name, "-%d");
- err = bdi_register(bdi, NULL, tmp, atomic_long_inc_return(&bdi_seq));
-+ err = bdi_register(bdi, NULL, "%.28s-%ld", name, atomic_long_inc_return(&bdi_seq));
++ err = bdi_register(bdi, NULL, "%.28s-%ld", name, atomic_long_inc_return_unchecked(&bdi_seq));
if (err) {
bdi_destroy(bdi);
return err;
diff --git a/mm/filemap.c b/mm/filemap.c
-index 7905fe7..e60faa8 100644
+index 7905fe7..f59502b 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -1766,7 +1766,7 @@ int generic_file_mmap(struct file * file, struct vm_area_struct * vma)
@@ -81971,6 +87232,42 @@ index 7905fe7..e60faa8 100644
file_accessed(file);
vma->vm_ops = &generic_file_vm_ops;
return 0;
+@@ -1948,7 +1948,7 @@ static size_t __iovec_copy_from_user_inatomic(char *vaddr,
+
+ while (bytes) {
+ char __user *buf = iov->iov_base + base;
+- int copy = min(bytes, iov->iov_len - base);
++ size_t copy = min(bytes, iov->iov_len - base);
+
+ base = 0;
+ left = __copy_from_user_inatomic(vaddr, buf, copy);
+@@ -1977,7 +1977,7 @@ size_t iov_iter_copy_from_user_atomic(struct page *page,
+ BUG_ON(!in_atomic());
+ kaddr = kmap_atomic(page);
+ if (likely(i->nr_segs == 1)) {
+- int left;
++ size_t left;
+ char __user *buf = i->iov->iov_base + i->iov_offset;
+ left = __copy_from_user_inatomic(kaddr + offset, buf, bytes);
+ copied = bytes - left;
+@@ -2005,7 +2005,7 @@ size_t iov_iter_copy_from_user(struct page *page,
+
+ kaddr = kmap(page);
+ if (likely(i->nr_segs == 1)) {
+- int left;
++ size_t left;
+ char __user *buf = i->iov->iov_base + i->iov_offset;
+ left = __copy_from_user(kaddr + offset, buf, bytes);
+ copied = bytes - left;
+@@ -2035,7 +2035,7 @@ void iov_iter_advance(struct iov_iter *i, size_t bytes)
+ * zero-length segments (without overruning the iovec).
+ */
+ while (bytes || unlikely(i->count && !iov->iov_len)) {
+- int copy;
++ size_t copy;
+
+ copy = min(bytes, iov->iov_len - base);
+ BUG_ON(!i->count || i->count < copy);
@@ -2106,6 +2106,7 @@ inline int generic_write_checks(struct file *file, loff_t *pos, size_t *count, i
*pos = i_size_read(inode);
@@ -82024,7 +87321,7 @@ index b32b70c..e512eb0 100644
set_page_address(page, (void *)vaddr);
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
-index 5cf99bf..28634c8 100644
+index 7c5eb85..5c01c2f 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -2022,15 +2022,17 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
@@ -82159,7 +87456,7 @@ index 5cf99bf..28634c8 100644
if (!ptep)
return VM_FAULT_OOM;
diff --git a/mm/internal.h b/mm/internal.h
-index 8562de0..7fdfe92 100644
+index 8562de0..92b2073 100644
--- a/mm/internal.h
+++ b/mm/internal.h
@@ -100,6 +100,7 @@ extern pmd_t *mm_find_pmd(struct mm_struct *mm, unsigned long address);
@@ -82170,6 +87467,15 @@ index 8562de0..7fdfe92 100644
extern void prep_compound_page(struct page *page, unsigned long order);
#ifdef CONFIG_MEMORY_FAILURE
extern bool is_free_buddy_page(struct page *page);
+@@ -355,7 +356,7 @@ extern u32 hwpoison_filter_enable;
+
+ extern unsigned long vm_mmap_pgoff(struct file *, unsigned long,
+ unsigned long, unsigned long,
+- unsigned long, unsigned long);
++ unsigned long, unsigned long) __intentional_overflow(-1);
+
+ extern void set_pageblock_order(void);
+ unsigned long reclaim_clean_pages_from_list(struct zone *zone,
diff --git a/mm/kmemleak.c b/mm/kmemleak.c
index c8d7f31..2dbeffd 100644
--- a/mm/kmemleak.c
@@ -82412,10 +87718,10 @@ index ceb0c7f..b2b8e94 100644
} else {
pr_info("soft offline: %#lx: isolation failed: %d, page count %d, type %lx\n",
diff --git a/mm/memory.c b/mm/memory.c
-index 5e50800..c47ba9a 100644
+index 5a35443..7c0340f 100644
--- a/mm/memory.c
+++ b/mm/memory.c
-@@ -429,6 +429,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
+@@ -428,6 +428,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
free_pte_range(tlb, pmd, addr);
} while (pmd++, addr = next, addr != end);
@@ -82423,7 +87729,7 @@ index 5e50800..c47ba9a 100644
start &= PUD_MASK;
if (start < floor)
return;
-@@ -443,6 +444,8 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
+@@ -442,6 +443,8 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
pmd = pmd_offset(pud, start);
pud_clear(pud);
pmd_free_tlb(tlb, pmd, start);
@@ -82432,7 +87738,7 @@ index 5e50800..c47ba9a 100644
}
static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
-@@ -462,6 +465,7 @@ static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
+@@ -461,6 +464,7 @@ static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
free_pmd_range(tlb, pud, addr, next, floor, ceiling);
} while (pud++, addr = next, addr != end);
@@ -82440,7 +87746,7 @@ index 5e50800..c47ba9a 100644
start &= PGDIR_MASK;
if (start < floor)
return;
-@@ -476,6 +480,8 @@ static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
+@@ -475,6 +479,8 @@ static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
pud = pud_offset(pgd, start);
pgd_clear(pgd);
pud_free_tlb(tlb, pud, start);
@@ -82449,7 +87755,7 @@ index 5e50800..c47ba9a 100644
}
/*
-@@ -1638,12 +1644,6 @@ no_page_table:
+@@ -1644,12 +1650,6 @@ no_page_table:
return page;
}
@@ -82462,7 +87768,7 @@ index 5e50800..c47ba9a 100644
/**
* __get_user_pages() - pin user pages in memory
* @tsk: task_struct of target task
-@@ -1730,10 +1730,10 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
+@@ -1736,10 +1736,10 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
i = 0;
@@ -82475,7 +87781,7 @@ index 5e50800..c47ba9a 100644
if (!vma && in_gate_area(mm, start)) {
unsigned long pg = start & PAGE_MASK;
pgd_t *pgd;
-@@ -1782,7 +1782,7 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
+@@ -1788,7 +1788,7 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
goto next_page;
}
@@ -82484,7 +87790,7 @@ index 5e50800..c47ba9a 100644
(vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
!(vm_flags & vma->vm_flags))
return i ? : -EFAULT;
-@@ -1811,11 +1811,6 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
+@@ -1817,11 +1817,6 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
int ret;
unsigned int fault_flags = 0;
@@ -82496,7 +87802,7 @@ index 5e50800..c47ba9a 100644
if (foll_flags & FOLL_WRITE)
fault_flags |= FAULT_FLAG_WRITE;
if (nonblocking)
-@@ -1895,7 +1890,7 @@ next_page:
+@@ -1901,7 +1896,7 @@ next_page:
start += page_increm * PAGE_SIZE;
nr_pages -= page_increm;
} while (nr_pages && start < vma->vm_end);
@@ -82505,7 +87811,7 @@ index 5e50800..c47ba9a 100644
return i;
}
EXPORT_SYMBOL(__get_user_pages);
-@@ -2102,6 +2097,10 @@ static int insert_page(struct vm_area_struct *vma, unsigned long addr,
+@@ -2108,6 +2103,10 @@ static int insert_page(struct vm_area_struct *vma, unsigned long addr,
page_add_file_rmap(page);
set_pte_at(mm, addr, pte, mk_pte(page, prot));
@@ -82516,7 +87822,7 @@ index 5e50800..c47ba9a 100644
retval = 0;
pte_unmap_unlock(pte, ptl);
return retval;
-@@ -2146,9 +2145,21 @@ int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
+@@ -2152,9 +2151,21 @@ int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
if (!page_count(page))
return -EINVAL;
if (!(vma->vm_flags & VM_MIXEDMAP)) {
@@ -82538,7 +87844,7 @@ index 5e50800..c47ba9a 100644
}
return insert_page(vma, addr, page, vma->vm_page_prot);
}
-@@ -2231,6 +2242,7 @@ int vm_insert_mixed(struct vm_area_struct *vma, unsigned long addr,
+@@ -2237,6 +2248,7 @@ int vm_insert_mixed(struct vm_area_struct *vma, unsigned long addr,
unsigned long pfn)
{
BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
@@ -82546,7 +87852,7 @@ index 5e50800..c47ba9a 100644
if (addr < vma->vm_start || addr >= vma->vm_end)
return -EFAULT;
-@@ -2478,7 +2490,9 @@ static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud,
+@@ -2484,7 +2496,9 @@ static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud,
BUG_ON(pud_huge(*pud));
@@ -82557,7 +87863,7 @@ index 5e50800..c47ba9a 100644
if (!pmd)
return -ENOMEM;
do {
-@@ -2498,7 +2512,9 @@ static int apply_to_pud_range(struct mm_struct *mm, pgd_t *pgd,
+@@ -2504,7 +2518,9 @@ static int apply_to_pud_range(struct mm_struct *mm, pgd_t *pgd,
unsigned long next;
int err;
@@ -82568,7 +87874,7 @@ index 5e50800..c47ba9a 100644
if (!pud)
return -ENOMEM;
do {
-@@ -2586,6 +2602,186 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo
+@@ -2592,6 +2608,186 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo
copy_user_highpage(dst, src, va, vma);
}
@@ -82755,7 +88061,7 @@ index 5e50800..c47ba9a 100644
/*
* This routine handles present pages, when users try to write
* to a shared page. It is done by copying the page to a new address
-@@ -2802,6 +2998,12 @@ gotten:
+@@ -2808,6 +3004,12 @@ gotten:
*/
page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
if (likely(pte_same(*page_table, orig_pte))) {
@@ -82768,7 +88074,7 @@ index 5e50800..c47ba9a 100644
if (old_page) {
if (!PageAnon(old_page)) {
dec_mm_counter_fast(mm, MM_FILEPAGES);
-@@ -2853,6 +3055,10 @@ gotten:
+@@ -2859,6 +3061,10 @@ gotten:
page_remove_rmap(old_page);
}
@@ -82779,7 +88085,7 @@ index 5e50800..c47ba9a 100644
/* Free the old page.. */
new_page = old_page;
ret |= VM_FAULT_WRITE;
-@@ -3128,6 +3334,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3134,6 +3340,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
swap_free(entry);
if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
try_to_free_swap(page);
@@ -82791,7 +88097,7 @@ index 5e50800..c47ba9a 100644
unlock_page(page);
if (page != swapcache) {
/*
-@@ -3151,6 +3362,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3157,6 +3368,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
/* No need to invalidate - it was non-present before */
update_mmu_cache(vma, address, page_table);
@@ -82803,7 +88109,7 @@ index 5e50800..c47ba9a 100644
unlock:
pte_unmap_unlock(page_table, ptl);
out:
-@@ -3170,40 +3386,6 @@ out_release:
+@@ -3176,40 +3392,6 @@ out_release:
}
/*
@@ -82844,7 +88150,7 @@ index 5e50800..c47ba9a 100644
* We enter with non-exclusive mmap_sem (to exclude vma changes,
* but allow concurrent faults), and pte mapped but not yet locked.
* We return with mmap_sem still held, but pte unmapped and unlocked.
-@@ -3212,27 +3394,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3218,27 +3400,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
unsigned long address, pte_t *page_table, pmd_t *pmd,
unsigned int flags)
{
@@ -82877,7 +88183,7 @@ index 5e50800..c47ba9a 100644
if (unlikely(anon_vma_prepare(vma)))
goto oom;
page = alloc_zeroed_user_highpage_movable(vma, address);
-@@ -3256,6 +3434,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3262,6 +3440,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
if (!pte_none(*page_table))
goto release;
@@ -82889,7 +88195,7 @@ index 5e50800..c47ba9a 100644
inc_mm_counter_fast(mm, MM_ANONPAGES);
page_add_new_anon_rmap(page, vma, address);
setpte:
-@@ -3263,6 +3446,12 @@ setpte:
+@@ -3269,6 +3452,12 @@ setpte:
/* No need to invalidate - it was non-present before */
update_mmu_cache(vma, address, page_table);
@@ -82902,7 +88208,7 @@ index 5e50800..c47ba9a 100644
unlock:
pte_unmap_unlock(page_table, ptl);
return 0;
-@@ -3406,6 +3595,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3412,6 +3601,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
*/
/* Only go through if we didn't race with anybody else... */
if (likely(pte_same(*page_table, orig_pte))) {
@@ -82915,7 +88221,7 @@ index 5e50800..c47ba9a 100644
flush_icache_page(vma, page);
entry = mk_pte(page, vma->vm_page_prot);
if (flags & FAULT_FLAG_WRITE)
-@@ -3425,6 +3620,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3431,6 +3626,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
/* no need to invalidate: a not-present page won't be cached */
update_mmu_cache(vma, address, page_table);
@@ -82930,7 +88236,7 @@ index 5e50800..c47ba9a 100644
} else {
if (cow_page)
mem_cgroup_uncharge_page(cow_page);
-@@ -3746,6 +3949,12 @@ int handle_pte_fault(struct mm_struct *mm,
+@@ -3752,6 +3955,12 @@ int handle_pte_fault(struct mm_struct *mm,
if (flags & FAULT_FLAG_WRITE)
flush_tlb_fix_spurious_fault(vma, address);
}
@@ -82943,7 +88249,7 @@ index 5e50800..c47ba9a 100644
unlock:
pte_unmap_unlock(pte, ptl);
return 0;
-@@ -3762,6 +3971,10 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3768,6 +3977,10 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
pmd_t *pmd;
pte_t *pte;
@@ -82954,7 +88260,7 @@ index 5e50800..c47ba9a 100644
__set_current_state(TASK_RUNNING);
count_vm_event(PGFAULT);
-@@ -3773,6 +3986,34 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3779,6 +3992,34 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
if (unlikely(is_vm_hugetlb_page(vma)))
return hugetlb_fault(mm, vma, address, flags);
@@ -82989,7 +88295,7 @@ index 5e50800..c47ba9a 100644
retry:
pgd = pgd_offset(mm, address);
pud = pud_alloc(mm, pgd, address);
-@@ -3871,6 +4112,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
+@@ -3877,6 +4118,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
spin_unlock(&mm->page_table_lock);
return 0;
}
@@ -83013,7 +88319,7 @@ index 5e50800..c47ba9a 100644
#endif /* __PAGETABLE_PUD_FOLDED */
#ifndef __PAGETABLE_PMD_FOLDED
-@@ -3901,6 +4159,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
+@@ -3907,6 +4165,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
spin_unlock(&mm->page_table_lock);
return 0;
}
@@ -83044,7 +88350,7 @@ index 5e50800..c47ba9a 100644
#endif /* __PAGETABLE_PMD_FOLDED */
#if !defined(__HAVE_ARCH_GATE_AREA)
-@@ -3914,7 +4196,7 @@ static int __init gate_vma_init(void)
+@@ -3920,7 +4202,7 @@ static int __init gate_vma_init(void)
gate_vma.vm_start = FIXADDR_USER_START;
gate_vma.vm_end = FIXADDR_USER_END;
gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
@@ -83053,7 +88359,7 @@ index 5e50800..c47ba9a 100644
return 0;
}
-@@ -4048,8 +4330,8 @@ out:
+@@ -4054,8 +4336,8 @@ out:
return ret;
}
@@ -83064,7 +88370,7 @@ index 5e50800..c47ba9a 100644
{
resource_size_t phys_addr;
unsigned long prot = 0;
-@@ -4074,8 +4356,8 @@ int generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
+@@ -4080,8 +4362,8 @@ int generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
* Access another process' address space as given in mm. If non-NULL, use the
* given task for page fault accounting.
*/
@@ -83075,7 +88381,7 @@ index 5e50800..c47ba9a 100644
{
struct vm_area_struct *vma;
void *old_buf = buf;
-@@ -4083,7 +4365,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
+@@ -4089,7 +4371,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
down_read(&mm->mmap_sem);
/* ignore errors, just check how much was successfully transferred */
while (len) {
@@ -83084,7 +88390,7 @@ index 5e50800..c47ba9a 100644
void *maddr;
struct page *page = NULL;
-@@ -4142,8 +4424,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
+@@ -4148,8 +4430,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
*
* The caller must hold a reference on @mm.
*/
@@ -83095,7 +88401,7 @@ index 5e50800..c47ba9a 100644
{
return __access_remote_vm(NULL, mm, addr, buf, len, write);
}
-@@ -4153,11 +4435,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr,
+@@ -4159,11 +4441,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr,
* Source/target buffer must be kernel space,
* Do not walk the page table directly, use get_user_pages
*/
@@ -83272,7 +88578,7 @@ index 79b7cf7..9944291 100644
capable(CAP_IPC_LOCK))
ret = do_mlockall(flags);
diff --git a/mm/mmap.c b/mm/mmap.c
-index 7dbe397..e84c411 100644
+index 8d25fdc..bfb7626 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -36,6 +36,7 @@
@@ -86930,6 +92236,89 @@ index f680ee1..97e3542 100644
if (batadv_ogm_packet->flags & BATADV_DIRECTLINK)
has_directlink_flag = 1;
+diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
+index de27b31..7058bfe 100644
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -1522,6 +1522,8 @@ out:
+ * in these cases, the skb is further handled by this function and
+ * returns 1, otherwise it returns 0 and the caller shall further
+ * process the skb.
++ *
++ * This call might reallocate skb data.
+ */
+ int batadv_bla_tx(struct batadv_priv *bat_priv, struct sk_buff *skb, short vid)
+ {
+diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c
+index f105219..7614af3 100644
+--- a/net/batman-adv/gateway_client.c
++++ b/net/batman-adv/gateway_client.c
+@@ -508,6 +508,7 @@ out:
+ return 0;
+ }
+
++/* this call might reallocate skb data */
+ static bool batadv_is_type_dhcprequest(struct sk_buff *skb, int header_len)
+ {
+ int ret = false;
+@@ -568,6 +569,7 @@ out:
+ return ret;
+ }
+
++/* this call might reallocate skb data */
+ bool batadv_gw_is_dhcp_target(struct sk_buff *skb, unsigned int *header_len)
+ {
+ struct ethhdr *ethhdr;
+@@ -619,6 +621,12 @@ bool batadv_gw_is_dhcp_target(struct sk_buff *skb, unsigned int *header_len)
+
+ if (!pskb_may_pull(skb, *header_len + sizeof(*udphdr)))
+ return false;
++
++ /* skb->data might have been reallocated by pskb_may_pull() */
++ ethhdr = (struct ethhdr *)skb->data;
++ if (ntohs(ethhdr->h_proto) == ETH_P_8021Q)
++ ethhdr = (struct ethhdr *)(skb->data + VLAN_HLEN);
++
+ udphdr = (struct udphdr *)(skb->data + *header_len);
+ *header_len += sizeof(*udphdr);
+
+@@ -634,12 +642,14 @@ bool batadv_gw_is_dhcp_target(struct sk_buff *skb, unsigned int *header_len)
+ return true;
+ }
+
++/* this call might reallocate skb data */
+ bool batadv_gw_out_of_range(struct batadv_priv *bat_priv,
+- struct sk_buff *skb, struct ethhdr *ethhdr)
++ struct sk_buff *skb)
+ {
+ struct batadv_neigh_node *neigh_curr = NULL, *neigh_old = NULL;
+ struct batadv_orig_node *orig_dst_node = NULL;
+ struct batadv_gw_node *curr_gw = NULL;
++ struct ethhdr *ethhdr;
+ bool ret, out_of_range = false;
+ unsigned int header_len = 0;
+ uint8_t curr_tq_avg;
+@@ -648,6 +658,7 @@ bool batadv_gw_out_of_range(struct batadv_priv *bat_priv,
+ if (!ret)
+ goto out;
+
++ ethhdr = (struct ethhdr *)skb->data;
+ orig_dst_node = batadv_transtable_search(bat_priv, ethhdr->h_source,
+ ethhdr->h_dest);
+ if (!orig_dst_node)
+diff --git a/net/batman-adv/gateway_client.h b/net/batman-adv/gateway_client.h
+index 039902d..1037d75 100644
+--- a/net/batman-adv/gateway_client.h
++++ b/net/batman-adv/gateway_client.h
+@@ -34,7 +34,6 @@ void batadv_gw_node_delete(struct batadv_priv *bat_priv,
+ void batadv_gw_node_purge(struct batadv_priv *bat_priv);
+ int batadv_gw_client_seq_print_text(struct seq_file *seq, void *offset);
+ bool batadv_gw_is_dhcp_target(struct sk_buff *skb, unsigned int *header_len);
+-bool batadv_gw_out_of_range(struct batadv_priv *bat_priv,
+- struct sk_buff *skb, struct ethhdr *ethhdr);
++bool batadv_gw_out_of_range(struct batadv_priv *bat_priv, struct sk_buff *skb);
+
+ #endif /* _NET_BATMAN_ADV_GATEWAY_CLIENT_H_ */
diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
index 522243a..b48c0ef 100644
--- a/net/batman-adv/hard-interface.c
@@ -86953,10 +92342,31 @@ index 522243a..b48c0ef 100644
return hard_iface;
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
-index 819dfb0..9a672d1 100644
+index 819dfb0..226bacd 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
-@@ -253,7 +253,7 @@ static int batadv_interface_tx(struct sk_buff *skb,
+@@ -180,6 +180,9 @@ static int batadv_interface_tx(struct sk_buff *skb,
+ if (batadv_bla_tx(bat_priv, skb, vid))
+ goto dropped;
+
++ /* skb->data might have been reallocated by batadv_bla_tx() */
++ ethhdr = (struct ethhdr *)skb->data;
++
+ /* Register the client MAC in the transtable */
+ if (!is_multicast_ether_addr(ethhdr->h_source))
+ batadv_tt_local_add(soft_iface, ethhdr->h_source, skb->skb_iif);
+@@ -220,6 +223,10 @@ static int batadv_interface_tx(struct sk_buff *skb,
+ default:
+ break;
+ }
++
++ /* reminder: ethhdr might have become unusable from here on
++ * (batadv_gw_is_dhcp_target() might have reallocated skb data)
++ */
+ }
+
+ /* ethernet packet should be broadcasted */
+@@ -253,7 +260,7 @@ static int batadv_interface_tx(struct sk_buff *skb,
primary_if->net_dev->dev_addr, ETH_ALEN);
/* set broadcast sequence number */
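Review bot: After the switch block in batadv_interface_tx() the possibly stale `ethhdr` is guarded only by the added reminder comment, whereas the first added lines of this hunk re-read it from `skb->data` after batadv_bla_tx(). A later edit that dereferences ethhdr would compile cleanly and read freed memory if batadv_gw_is_dhcp_target() had reallocated the buffer. Re-deriving the pointer at that spot, `ethhdr = (struct ethhdr *)skb->data;`, instead of or next to the comment would remove the hazard. Whether any later line still reads ethhdr is not visible in this hunk.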
@@ -86965,7 +92375,16 @@ index 819dfb0..9a672d1 100644
bcast_packet->seqno = htonl(seqno);
batadv_add_bcast_packet_to_list(bat_priv, skb, brd_delay);
-@@ -472,7 +472,7 @@ static int batadv_softif_init_late(struct net_device *dev)
+@@ -266,7 +273,7 @@ static int batadv_interface_tx(struct sk_buff *skb,
+ /* unicast packet */
+ } else {
+ if (atomic_read(&bat_priv->gw_mode) != BATADV_GW_MODE_OFF) {
+- ret = batadv_gw_out_of_range(bat_priv, skb, ethhdr);
++ ret = batadv_gw_out_of_range(bat_priv, skb);
+ if (ret)
+ goto dropped;
+ }
+@@ -472,7 +479,7 @@ static int batadv_softif_init_late(struct net_device *dev)
atomic_set(&bat_priv->batman_queue_left, BATADV_BATMAN_QUEUE_LEN);
atomic_set(&bat_priv->mesh_state, BATADV_MESH_INACTIVE);
@@ -87006,7 +92425,7 @@ index aba8364..50fcbb8 100644
atomic_t batman_queue_left;
char num_ifaces;
diff --git a/net/batman-adv/unicast.c b/net/batman-adv/unicast.c
-index 0bb3b59..ffcbf2f 100644
+index 0bb3b59..0e3052e 100644
--- a/net/batman-adv/unicast.c
+++ b/net/batman-adv/unicast.c
@@ -270,7 +270,7 @@ int batadv_frag_send_skb(struct sk_buff *skb, struct batadv_priv *bat_priv,
@@ -87018,6 +92437,58 @@ index 0bb3b59..ffcbf2f 100644
frag1->seqno = htons(seqno - 1);
frag2->seqno = htons(seqno);
+@@ -326,7 +326,9 @@ static bool batadv_unicast_push_and_fill_skb(struct sk_buff *skb, int hdr_size,
+ * @skb: the skb containing the payload to encapsulate
+ * @orig_node: the destination node
+ *
+- * Returns false if the payload could not be encapsulated or true otherwise
++ * Returns false if the payload could not be encapsulated or true otherwise.
++ *
++ * This call might reallocate skb data.
+ */
+ static bool batadv_unicast_prepare_skb(struct sk_buff *skb,
+ struct batadv_orig_node *orig_node)
+@@ -343,7 +345,9 @@ static bool batadv_unicast_prepare_skb(struct sk_buff *skb,
+ * @orig_node: the destination node
+ * @packet_subtype: the batman 4addr packet subtype to use
+ *
+- * Returns false if the payload could not be encapsulated or true otherwise
++ * Returns false if the payload could not be encapsulated or true otherwise.
++ *
++ * This call might reallocate skb data.
+ */
+ bool batadv_unicast_4addr_prepare_skb(struct batadv_priv *bat_priv,
+ struct sk_buff *skb,
+@@ -401,7 +405,7 @@ int batadv_unicast_generic_send_skb(struct batadv_priv *bat_priv,
+ struct batadv_neigh_node *neigh_node;
+ int data_len = skb->len;
+ int ret = NET_RX_DROP;
+- unsigned int dev_mtu;
++ unsigned int dev_mtu, header_len;
+
+ /* get routing information */
+ if (is_multicast_ether_addr(ethhdr->h_dest)) {
+@@ -429,10 +433,12 @@ find_router:
+ switch (packet_type) {
+ case BATADV_UNICAST:
+ batadv_unicast_prepare_skb(skb, orig_node);
++ header_len = sizeof(struct batadv_unicast_packet);
+ break;
+ case BATADV_UNICAST_4ADDR:
+ batadv_unicast_4addr_prepare_skb(bat_priv, skb, orig_node,
+ packet_subtype);
++ header_len = sizeof(struct batadv_unicast_4addr_packet);
+ break;
+ default:
+ /* this function supports UNICAST and UNICAST_4ADDR only. It
+@@ -441,6 +447,7 @@ find_router:
+ goto out;
+ }
+
++ ethhdr = (struct ethhdr *)(skb->data + header_len);
+ unicast_packet = (struct batadv_unicast_packet *)skb->data;
+
+ /* inform the destination node that we are still missing a correct route
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index ace5e55..a65a1c0 100644
--- a/net/bluetooth/hci_core.c
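Review bot: In the `find_router:` switch of batadv_unicast_generic_send_skb() the results of `batadv_unicast_prepare_skb()` and `batadv_unicast_4addr_prepare_skb()` are discarded, yet the added `ethhdr = (struct ethhdr *)(skb->data + header_len);` assumes the batman header was actually pushed. The doc comments touched in this same file say both helpers return false when the payload could not be encapsulated, and in that case ethhdr would point header_len bytes past the start of the real Ethernet header. Checking the result, e.g. `if (!batadv_unicast_prepare_skb(skb, orig_node)) goto out;` and likewise for the 4addr case, keeps the pointer arithmetic tied to a successful push. The function continues outside the hunk, so what `out:` releases should be confirmed there.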
@@ -87303,6 +92774,28 @@ index 3ee690e..00d581b 100644
register_netdevice_notifier(&notifier);
if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) {
+diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
+index eb0a46a..5f3bae8 100644
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -186,7 +186,7 @@ static void con_fault(struct ceph_connection *con);
+ #define MAX_ADDR_STR_LEN 64 /* 54 is enough */
+
+ static char addr_str[ADDR_STR_COUNT][MAX_ADDR_STR_LEN];
+-static atomic_t addr_str_seq = ATOMIC_INIT(0);
++static atomic_unchecked_t addr_str_seq = ATOMIC_INIT(0);
+
+ static struct page *zero_page; /* used in certain error cases */
+
+@@ -197,7 +197,7 @@ const char *ceph_pr_addr(const struct sockaddr_storage *ss)
+ struct sockaddr_in *in4 = (struct sockaddr_in *) ss;
+ struct sockaddr_in6 *in6 = (struct sockaddr_in6 *) ss;
+
+- i = atomic_inc_return(&addr_str_seq) & ADDR_STR_COUNT_MASK;
++ i = atomic_inc_return_unchecked(&addr_str_seq) & ADDR_STR_COUNT_MASK;
+ s = addr_str[i];
+
+ switch (ss->ss_family) {
diff --git a/net/compat.c b/net/compat.c
index f0a1ba6..0541331 100644
--- a/net/compat.c
@@ -87738,8 +93231,30 @@ index f9765203..9feaef8 100644
mutex_unlock(&net_mutex);
return error;
}
+diff --git a/net/core/netpoll.c b/net/core/netpoll.c
+index cec074b..a53a938 100644
+--- a/net/core/netpoll.c
++++ b/net/core/netpoll.c
+@@ -428,7 +428,7 @@ void netpoll_send_udp(struct netpoll *np, const char *msg, int len)
+ struct udphdr *udph;
+ struct iphdr *iph;
+ struct ethhdr *eth;
+- static atomic_t ip_ident;
++ static atomic_unchecked_t ip_ident;
+ struct ipv6hdr *ip6h;
+
+ udp_len = len + sizeof(*udph);
+@@ -499,7 +499,7 @@ void netpoll_send_udp(struct netpoll *np, const char *msg, int len)
+ put_unaligned(0x45, (unsigned char *)iph);
+ iph->tos = 0;
+ put_unaligned(htons(ip_len), &(iph->tot_len));
+- iph->id = htons(atomic_inc_return(&ip_ident));
++ iph->id = htons(atomic_inc_return_unchecked(&ip_ident));
+ iph->frag_off = 0;
+ iph->ttl = 64;
+ iph->protocol = IPPROTO_UDP;
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
-index a08bd2b..4e8f43c 100644
+index a08bd2b..c59bd7c 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -58,7 +58,7 @@ struct rtnl_link {
@@ -87777,10 +93292,28 @@ index a08bd2b..4e8f43c 100644
}
EXPORT_SYMBOL_GPL(__rtnl_link_unregister);
+@@ -2374,7 +2377,7 @@ static int rtnl_bridge_getlink(struct sk_buff *skb, struct netlink_callback *cb)
+ struct nlattr *extfilt;
+ u32 filter_mask = 0;
+
+- extfilt = nlmsg_find_attr(cb->nlh, sizeof(struct rtgenmsg),
++ extfilt = nlmsg_find_attr(cb->nlh, sizeof(struct ifinfomsg),
+ IFLA_EXT_MASK);
+ if (extfilt)
+ filter_mask = nla_get_u32(extfilt);
diff --git a/net/core/scm.c b/net/core/scm.c
-index 03795d0..eaf7368 100644
+index 03795d0..98d6bdb 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
+@@ -54,7 +54,7 @@ static __inline__ int scm_check_creds(struct ucred *creds)
+ return -EINVAL;
+
+ if ((creds->pid == task_tgid_vnr(current) ||
+- ns_capable(current->nsproxy->pid_ns->user_ns, CAP_SYS_ADMIN)) &&
++ ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) &&
+ ((uid_eq(uid, cred->uid) || uid_eq(uid, cred->euid) ||
+ uid_eq(uid, cred->suid)) || nsown_capable(CAP_SETUID)) &&
+ ((gid_eq(gid, cred->gid) || gid_eq(gid, cred->egid) ||
@@ -210,7 +210,7 @@ EXPORT_SYMBOL(__scm_send);
int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
{
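Review bot: In rtnl_bridge_getlink() the attribute returned by `nlmsg_find_attr()` is passed straight to `nla_get_u32()`, and nothing in the lines shown checks that its payload is at least four bytes; the offset fix to `sizeof(struct ifinfomsg)` does not cover this. As far as I can tell nlmsg_find_attr() only locates the attribute and applies no policy, so a short IFLA_EXT_MASK supplied from userspace would be read beyond its payload. A length guard before the read, such as `if (extfilt && nla_len(extfilt) >= sizeof(filter_mask))`, or returning -EINVAL for a short attribute, would close that. The function body continues outside the hunk.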
@@ -88092,6 +93625,19 @@ index a55eecc..dd8428c 100644
return -EFAULT;
*lenp = len;
+diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c
+index 55e1fd5..fd602b8 100644
+--- a/net/ieee802154/6lowpan.c
++++ b/net/ieee802154/6lowpan.c
+@@ -459,7 +459,7 @@ static int lowpan_header_create(struct sk_buff *skb,
+ hc06_ptr += 3;
+ } else {
+ /* compress nothing */
+- memcpy(hc06_ptr, &hdr, 4);
++ memcpy(hc06_ptr, hdr, 4);
+ /* replace the top byte with new ECN | DSCP format */
+ *hc06_ptr = tmp;
+ hc06_ptr += 4;
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index d01be2a..8976537 100644
--- a/net/ipv4/af_inet.c
@@ -88223,9 +93769,18 @@ index dfc39d4..0d4fa52 100644
#endif
if (dflt != &ipv4_devconf_dflt)
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
-index 4cfe34d..a6ba66e 100644
+index 4cfe34d..d2fac8a 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
+@@ -477,7 +477,7 @@ static u32 esp4_get_mtu(struct xfrm_state *x, int mtu)
+ }
+
+ return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
+- net_adj) & ~(align - 1)) + (net_adj - 2);
++ net_adj) & ~(align - 1)) + net_adj - 2;
+ }
+
+ static void esp4_err(struct sk_buff *skb, u32 info)
@@ -503,7 +503,7 @@ static void esp4_err(struct sk_buff *skb, u32 info)
return;
@@ -88276,6 +93831,30 @@ index 8f6cb7a..34507f9 100644
return nh->nh_saddr;
}
+diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
+index 49616fe..6e8a13d 100644
+--- a/net/ipv4/fib_trie.c
++++ b/net/ipv4/fib_trie.c
+@@ -71,7 +71,6 @@
+ #include <linux/init.h>
+ #include <linux/list.h>
+ #include <linux/slab.h>
+-#include <linux/prefetch.h>
+ #include <linux/export.h>
+ #include <net/net_namespace.h>
+ #include <net/ip.h>
+@@ -1761,10 +1760,8 @@ static struct leaf *leaf_walk_rcu(struct tnode *p, struct rt_trie_node *c)
+ if (!c)
+ continue;
+
+- if (IS_LEAF(c)) {
+- prefetch(rcu_dereference_rtnl(p->child[idx]));
++ if (IS_LEAF(c))
+ return (struct leaf *) c;
+- }
+
+ /* Rescan start scanning in new node */
+ p = (struct tnode *) c;
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 6acb541..9ea617d 100644
--- a/net/ipv4/inet_connection_sock.c
@@ -88385,7 +93964,7 @@ index b66910a..cfe416e 100644
return -ENOMEM;
}
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
-index 855004f..68e7458 100644
+index 855004f..9644112 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -115,7 +115,7 @@ static bool log_ecn_error = true;
@@ -88397,6 +93976,15 @@ index 855004f..68e7458 100644
static int ipgre_tunnel_init(struct net_device *dev);
static int ipgre_net_id __read_mostly;
+@@ -572,7 +572,7 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
+ if (daddr)
+ memcpy(&iph->daddr, daddr, 4);
+ if (iph->daddr)
+- return t->hlen;
++ return t->hlen + sizeof(*iph);
+
+ return -(t->hlen + sizeof(*iph));
+ }
@@ -919,7 +919,7 @@ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = {
[IFLA_GRE_PMTUDISC] = { .type = NLA_U8 },
};
@@ -88749,10 +94337,10 @@ index d35bbf0..faa3ab8 100644
sizeof(net->ipv4.dev_addr_genid));
return 0;
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
-index fa2f63f..6554815 100644
+index 3f25e75..3ae0f4d 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
-@@ -55,7 +55,7 @@ static int ipv4_local_port_range(ctl_table *table, int write,
+@@ -57,7 +57,7 @@ static int ipv4_local_port_range(ctl_table *table, int write,
{
int ret;
int range[2];
@@ -88761,7 +94349,7 @@ index fa2f63f..6554815 100644
.data = &range,
.maxlen = sizeof(range),
.mode = table->mode,
-@@ -108,7 +108,7 @@ static int ipv4_ping_group_range(ctl_table *table, int write,
+@@ -110,7 +110,7 @@ static int ipv4_ping_group_range(ctl_table *table, int write,
int ret;
gid_t urange[2];
kgid_t low, high;
@@ -88770,7 +94358,7 @@ index fa2f63f..6554815 100644
.data = &urange,
.maxlen = sizeof(urange),
.mode = table->mode,
-@@ -139,7 +139,7 @@ static int proc_tcp_congestion_control(ctl_table *ctl, int write,
+@@ -141,7 +141,7 @@ static int proc_tcp_congestion_control(ctl_table *ctl, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
char val[TCP_CA_NAME_MAX];
@@ -88779,7 +94367,7 @@ index fa2f63f..6554815 100644
.data = val,
.maxlen = TCP_CA_NAME_MAX,
};
-@@ -158,7 +158,7 @@ static int proc_tcp_available_congestion_control(ctl_table *ctl,
+@@ -160,7 +160,7 @@ static int proc_tcp_available_congestion_control(ctl_table *ctl,
void __user *buffer, size_t *lenp,
loff_t *ppos)
{
@@ -88788,7 +94376,7 @@ index fa2f63f..6554815 100644
int ret;
tbl.data = kmalloc(tbl.maxlen, GFP_USER);
-@@ -175,7 +175,7 @@ static int proc_allowed_congestion_control(ctl_table *ctl,
+@@ -177,7 +177,7 @@ static int proc_allowed_congestion_control(ctl_table *ctl,
void __user *buffer, size_t *lenp,
loff_t *ppos)
{
@@ -88797,7 +94385,7 @@ index fa2f63f..6554815 100644
int ret;
tbl.data = kmalloc(tbl.maxlen, GFP_USER);
-@@ -201,15 +201,17 @@ static int ipv4_tcp_mem(ctl_table *ctl, int write,
+@@ -203,15 +203,17 @@ static int ipv4_tcp_mem(ctl_table *ctl, int write,
struct mem_cgroup *memcg;
#endif
@@ -88818,7 +94406,7 @@ index fa2f63f..6554815 100644
}
ret = proc_doulongvec_minmax(&tmp, write, buffer, lenp, ppos);
-@@ -236,7 +238,7 @@ static int ipv4_tcp_mem(ctl_table *ctl, int write,
+@@ -238,7 +240,7 @@ static int ipv4_tcp_mem(ctl_table *ctl, int write,
static int proc_tcp_fastopen_key(ctl_table *ctl, int write, void __user *buffer,
size_t *lenp, loff_t *ppos)
{
@@ -88827,7 +94415,7 @@ index fa2f63f..6554815 100644
struct tcp_fastopen_context *ctxt;
int ret;
u32 user_key[4]; /* 16 bytes, matching TCP_FASTOPEN_KEY_LENGTH */
-@@ -477,7 +479,7 @@ static struct ctl_table ipv4_table[] = {
+@@ -481,7 +483,7 @@ static struct ctl_table ipv4_table[] = {
},
{
.procname = "ip_local_reserved_ports",
@@ -88836,7 +94424,7 @@ index fa2f63f..6554815 100644
.maxlen = 65536,
.mode = 0644,
.proc_handler = proc_do_large_bitmap,
-@@ -842,11 +844,10 @@ static struct ctl_table ipv4_net_table[] = {
+@@ -846,11 +848,10 @@ static struct ctl_table ipv4_net_table[] = {
static __net_init int ipv4_sysctl_init_net(struct net *net)
{
@@ -88850,7 +94438,7 @@ index fa2f63f..6554815 100644
if (table == NULL)
goto err_alloc;
-@@ -881,15 +882,17 @@ static __net_init int ipv4_sysctl_init_net(struct net *net)
+@@ -885,15 +886,17 @@ static __net_init int ipv4_sysctl_init_net(struct net *net)
tcp_init_mem(net);
@@ -88871,7 +94459,7 @@ index fa2f63f..6554815 100644
err_alloc:
return -ENOMEM;
}
-@@ -911,16 +914,6 @@ static __net_initdata struct pernet_operations ipv4_sysctl_ops = {
+@@ -915,16 +918,6 @@ static __net_initdata struct pernet_operations ipv4_sysctl_ops = {
static __init int sysctl_ipv4_init(void)
{
struct ctl_table_header *hdr;
@@ -89212,7 +94800,7 @@ index 9a459be..086b866 100644
return -ENOMEM;
}
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
-index fb8c94c..fb18024 100644
+index fb8c94c..80a31d8 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -621,7 +621,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb,
@@ -89224,7 +94812,24 @@ index fb8c94c..fb18024 100644
net->dev_base_seq;
hlist_for_each_entry_rcu(dev, head, index_hlist) {
if (idx < s_idx)
-@@ -2380,7 +2380,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg)
+@@ -1124,12 +1124,10 @@ retry:
+ if (ifp->flags & IFA_F_OPTIMISTIC)
+ addr_flags |= IFA_F_OPTIMISTIC;
+
+- ift = !max_addresses ||
+- ipv6_count_addresses(idev) < max_addresses ?
+- ipv6_add_addr(idev, &addr, tmp_plen,
+- ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
+- addr_flags) : NULL;
+- if (IS_ERR_OR_NULL(ift)) {
++ ift = ipv6_add_addr(idev, &addr, tmp_plen,
++ ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
++ addr_flags);
++ if (IS_ERR(ift)) {
+ in6_ifa_put(ifp);
+ in6_dev_put(idev);
+ pr_info("%s: retry temporary address regeneration\n", __func__);
+@@ -2380,7 +2378,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg)
p.iph.ihl = 5;
p.iph.protocol = IPPROTO_IPV6;
p.iph.ttl = 64;
@@ -89233,7 +94838,7 @@ index fb8c94c..fb18024 100644
if (ops->ndo_do_ioctl) {
mm_segment_t oldfs = get_fs();
-@@ -4002,7 +4002,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb,
+@@ -4002,7 +4000,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb,
s_ip_idx = ip_idx = cb->args[2];
rcu_read_lock();
@@ -89242,7 +94847,7 @@ index fb8c94c..fb18024 100644
for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) {
idx = 0;
head = &net->dev_index_head[h];
-@@ -4587,7 +4587,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
+@@ -4587,7 +4585,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
dst_free(&ifp->rt->dst);
break;
}
@@ -89251,7 +94856,7 @@ index fb8c94c..fb18024 100644
}
static void ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
-@@ -4607,7 +4607,7 @@ int addrconf_sysctl_forward(ctl_table *ctl, int write,
+@@ -4607,7 +4605,7 @@ int addrconf_sysctl_forward(ctl_table *ctl, int write,
int *valp = ctl->data;
int val = *valp;
loff_t pos = *ppos;
@@ -89260,7 +94865,7 @@ index fb8c94c..fb18024 100644
int ret;
/*
-@@ -4689,7 +4689,7 @@ int addrconf_sysctl_disable(ctl_table *ctl, int write,
+@@ -4689,7 +4687,7 @@ int addrconf_sysctl_disable(ctl_table *ctl, int write,
int *valp = ctl->data;
int val = *valp;
loff_t pos = *ppos;
@@ -89269,6 +94874,19 @@ index fb8c94c..fb18024 100644
int ret;
/*
+diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
+index 40ffd72..aeac0dc 100644
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -425,7 +425,7 @@ static u32 esp6_get_mtu(struct xfrm_state *x, int mtu)
+ net_adj = 0;
+
+ return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
+- net_adj) & ~(align - 1)) + (net_adj - 2);
++ net_adj) & ~(align - 1)) + net_adj - 2;
+ }
+
+ static void esp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index b4ff0a4..db9b764 100644
--- a/net/ipv6/icmp.c
@@ -89448,10 +95066,52 @@ index dffdc1a..ccc6678 100644
err_alloc:
return -ENOMEM;
}
+diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
+index c2e73e6..12cca6f 100644
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -8,8 +8,8 @@
+
+ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
+ {
+- static atomic_t ipv6_fragmentation_id;
+- int old, new;
++ static atomic_unchecked_t ipv6_fragmentation_id;
++ int id;
+
+ #if IS_ENABLED(CONFIG_IPV6)
+ if (rt && !(rt->dst.flags & DST_NOPEER)) {
+@@ -25,13 +25,10 @@ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
+ }
+ }
+ #endif
+- do {
+- old = atomic_read(&ipv6_fragmentation_id);
+- new = old + 1;
+- if (!new)
+- new = 1;
+- } while (atomic_cmpxchg(&ipv6_fragmentation_id, old, new) != old);
+- fhdr->identification = htonl(new);
++ id = atomic_inc_return_unchecked(&ipv6_fragmentation_id);
++ if (!id)
++ id = atomic_inc_return_unchecked(&ipv6_fragmentation_id);
++ fhdr->identification = htonl(id);
+ }
+ EXPORT_SYMBOL(ipv6_select_ident);
+
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
-index eedff8c..6e13a47 100644
+index eedff8c..7d7e24a 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
+@@ -108,7 +108,7 @@ found:
+ */
+ static int icmpv6_filter(const struct sock *sk, const struct sk_buff *skb)
+ {
+- struct icmp6hdr *_hdr;
++ struct icmp6hdr _hdr;
+ const struct icmp6hdr *hdr;
+
+ hdr = skb_header_pointer(skb, skb_transport_offset(skb),
@@ -378,7 +378,7 @@ static inline int rawv6_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
if ((raw6_sk(sk)->checksum || rcu_access_pointer(sk->sk_filter)) &&
@@ -89887,10 +95547,10 @@ index 4fe76ff..426a904 100644
};
diff --git a/net/key/af_key.c b/net/key/af_key.c
-index 9da8620..97070ad 100644
+index ab8bd2c..cd2d641 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
-@@ -3047,10 +3047,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc
+@@ -3048,10 +3048,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc
static u32 get_acqseq(void)
{
u32 res;
@@ -89904,10 +95564,10 @@ index 9da8620..97070ad 100644
return res;
}
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
-index 4fdb306e..920086a 100644
+index ae36f8e..09d42ac 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
-@@ -804,7 +804,7 @@ static int ieee80211_set_monitor_channel(struct wiphy *wiphy,
+@@ -806,7 +806,7 @@ static int ieee80211_set_monitor_channel(struct wiphy *wiphy,
ret = ieee80211_vif_use_channel(sdata, chandef,
IEEE80211_CHANCTX_EXCLUSIVE);
}
@@ -89916,7 +95576,7 @@ index 4fdb306e..920086a 100644
local->_oper_chandef = *chandef;
ieee80211_hw_config(local, 0);
}
-@@ -2920,7 +2920,7 @@ static void ieee80211_mgmt_frame_register(struct wiphy *wiphy,
+@@ -2922,7 +2922,7 @@ static void ieee80211_mgmt_frame_register(struct wiphy *wiphy,
else
local->probe_req_reg--;
@@ -89925,7 +95585,7 @@ index 4fdb306e..920086a 100644
break;
ieee80211_queue_work(&local->hw, &local->reconfig_filter);
-@@ -3383,8 +3383,8 @@ static int ieee80211_cfg_get_channel(struct wiphy *wiphy,
+@@ -3385,8 +3385,8 @@ static int ieee80211_cfg_get_channel(struct wiphy *wiphy,
if (chanctx_conf) {
*chandef = chanctx_conf->def;
ret = 0;
@@ -90034,7 +95694,7 @@ index 514e90f..56f22bf 100644
}
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
-index 8a7bfc4..4407cd0 100644
+index 8a7bfc4..be07e86 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -181,7 +181,7 @@ int ieee80211_hw_config(struct ieee80211_local *local, u32 changed)
@@ -90046,8 +95706,17 @@ index 8a7bfc4..4407cd0 100644
ret = drv_config(local, changed);
/*
* Goal:
+@@ -921,7 +921,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
+ hw->queues = IEEE80211_MAX_QUEUES;
+
+ local->workqueue =
+- alloc_ordered_workqueue(wiphy_name(local->hw.wiphy), 0);
++ alloc_ordered_workqueue("%s", 0, wiphy_name(local->hw.wiphy));
+ if (!local->workqueue) {
+ result = -ENOMEM;
+ goto fail_workqueue;
diff --git a/net/mac80211/pm.c b/net/mac80211/pm.c
-index 7fc5d0d..07ea536 100644
+index 3401262..d5cd68d 100644
--- a/net/mac80211/pm.c
+++ b/net/mac80211/pm.c
@@ -12,7 +12,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
@@ -90068,7 +95737,7 @@ index 7fc5d0d..07ea536 100644
if (local->wowlan) {
int err = drv_suspend(local, wowlan);
if (err < 0) {
-@@ -113,7 +113,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
+@@ -116,7 +116,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
WARN_ON(!list_empty(&local->chanctx_list));
/* stop hardware - this must stop RX */
@@ -90450,9 +96119,18 @@ index 0ab9636..cea3c6a 100644
{
if (users > 0)
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
-index a99b6c3..3841268 100644
+index a99b6c3..cb372f9 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
+@@ -428,7 +428,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
+ const char *msg;
+ u_int8_t state;
+
+- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
++ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
+ BUG_ON(dh == NULL);
+
+ state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE];
@@ -457,7 +457,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
out_invalid:
if (LOG_INVALID(net, IPPROTO_DCCP))
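Review bot: dccp_new() still follows `skb_header_pointer()` with `BUG_ON(dh == NULL)`, and the next hunk shows the same pattern in dccp_packet(), so a header that cannot be copied out of the skb halts the kernel instead of rejecting the packet. Presumably dccp_error() has already validated the header by the time these run, but that ordering is not visible here and a BUG on the packet path is a harsh failure mode for input that comes off the wire. Returning the function's own failure value, e.g. `if (dh == NULL) return false;` in dccp_new() and the equivalent invalid verdict in dccp_packet(), would match how dccp_error() treats the short-packet case. Both function bodies continue outside the hunks.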
@@ -90462,6 +96140,24 @@ index a99b6c3..3841268 100644
return false;
}
+@@ -486,7 +486,7 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,
+ u_int8_t type, old_state, new_state;
+ enum ct_dccp_roles role;
+
+- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
++ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
+ BUG_ON(dh == NULL);
+ type = dh->dccph_type;
+
+@@ -577,7 +577,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl,
+ unsigned int cscov;
+ const char *msg;
+
+- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
++ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
+ if (dh == NULL) {
+ msg = "nf_ct_dccp: short packet ";
+ goto out_invalid;
@@ -614,7 +614,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl,
out_invalid:
@@ -90471,6 +96167,49 @@ index a99b6c3..3841268 100644
return -NF_ACCEPT;
}
+diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
+index 4d4d8f1..e0f9a32 100644
+--- a/net/netfilter/nf_conntrack_proto_tcp.c
++++ b/net/netfilter/nf_conntrack_proto_tcp.c
+@@ -526,7 +526,7 @@ static bool tcp_in_window(const struct nf_conn *ct,
+ const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple;
+ __u32 seq, ack, sack, end, win, swin;
+ s16 receiver_offset;
+- bool res;
++ bool res, in_recv_win;
+
+ /*
+ * Get the required data from the packet.
+@@ -649,14 +649,18 @@ static bool tcp_in_window(const struct nf_conn *ct,
+ receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
+ receiver->td_scale);
+
++ /* Is the ending sequence in the receive window (if available)? */
++ in_recv_win = !receiver->td_maxwin ||
++ after(end, sender->td_end - receiver->td_maxwin - 1);
++
+ pr_debug("tcp_in_window: I=%i II=%i III=%i IV=%i\n",
+ before(seq, sender->td_maxend + 1),
+- after(end, sender->td_end - receiver->td_maxwin - 1),
++ (in_recv_win ? 1 : 0),
+ before(sack, receiver->td_end + 1),
+ after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1));
+
+ if (before(seq, sender->td_maxend + 1) &&
+- after(end, sender->td_end - receiver->td_maxwin - 1) &&
++ in_recv_win &&
+ before(sack, receiver->td_end + 1) &&
+ after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)) {
+ /*
+@@ -725,7 +729,7 @@ static bool tcp_in_window(const struct nf_conn *ct,
+ nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
+ "nf_ct_tcp: %s ",
+ before(seq, sender->td_maxend + 1) ?
+- after(end, sender->td_end - receiver->td_maxwin - 1) ?
++ in_recv_win ?
+ before(sack, receiver->td_end + 1) ?
+ after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1) ? "BUG"
+ : "ACK is under the lower bound (possible overly delayed ACK)"
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index bd700b4..4a3dc61 100644
--- a/net/netfilter/nf_conntrack_standalone.c
@@ -90553,7 +96292,7 @@ index f042ae5..30ea486 100644
}
EXPORT_SYMBOL(nf_unregister_sockopt);
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
-index 962e979..d4ae2e9 100644
+index 962e979..e46f350 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -82,7 +82,7 @@ static int nfnl_log_net_id __read_mostly;
@@ -90565,7 +96304,27 @@ index 962e979..d4ae2e9 100644
};
static struct nfnl_log_net *nfnl_log_pernet(struct net *net)
-@@ -559,7 +559,7 @@ __build_packet_message(struct nfnl_log_net *log,
+@@ -419,6 +419,7 @@ __build_packet_message(struct nfnl_log_net *log,
+ nfmsg->version = NFNETLINK_V0;
+ nfmsg->res_id = htons(inst->group_num);
+
++ memset(&pmsg, 0, sizeof(pmsg));
+ pmsg.hw_protocol = skb->protocol;
+ pmsg.hook = hooknum;
+
+@@ -498,7 +499,10 @@ __build_packet_message(struct nfnl_log_net *log,
+ if (indev && skb->dev &&
+ skb->mac_header != skb->network_header) {
+ struct nfulnl_msg_packet_hw phw;
+- int len = dev_parse_header(skb, phw.hw_addr);
++ int len;
++
++ memset(&phw, 0, sizeof(phw));
++ len = dev_parse_header(skb, phw.hw_addr);
+ if (len > 0) {
+ phw.hw_addrlen = htons(len);
+ if (nla_put(inst->skb, NFULA_HWADDR, sizeof(phw), &phw))
+@@ -559,7 +563,7 @@ __build_packet_message(struct nfnl_log_net *log,
/* global sequence number */
if ((inst->flags & NFULNL_CFG_F_SEQ_GLOBAL) &&
nla_put_be32(inst->skb, NFULA_SEQ_GLOBAL,
@@ -90574,6 +96333,130 @@ index 962e979..d4ae2e9 100644
goto nla_put_failure;
if (data_len) {
+diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
+index 5352b2d..e0083ce 100644
+--- a/net/netfilter/nfnetlink_queue_core.c
++++ b/net/netfilter/nfnetlink_queue_core.c
+@@ -444,7 +444,10 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
+ if (indev && entskb->dev &&
+ entskb->mac_header != entskb->network_header) {
+ struct nfqnl_msg_packet_hw phw;
+- int len = dev_parse_header(entskb, phw.hw_addr);
++ int len;
++
++ memset(&phw, 0, sizeof(phw));
++ len = dev_parse_header(entskb, phw.hw_addr);
+ if (len) {
+ phw.hw_addrlen = htons(len);
+ if (nla_put(skb, NFQA_HWADDR, sizeof(phw), &phw))
+diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
+index 7011c71..6113cc7 100644
+--- a/net/netfilter/xt_TCPMSS.c
++++ b/net/netfilter/xt_TCPMSS.c
+@@ -52,7 +52,8 @@ tcpmss_mangle_packet(struct sk_buff *skb,
+ {
+ const struct xt_tcpmss_info *info = par->targinfo;
+ struct tcphdr *tcph;
+- unsigned int tcplen, i;
++ int len, tcp_hdrlen;
++ unsigned int i;
+ __be16 oldval;
+ u16 newmss;
+ u8 *opt;
+@@ -64,11 +65,14 @@ tcpmss_mangle_packet(struct sk_buff *skb,
+ if (!skb_make_writable(skb, skb->len))
+ return -1;
+
+- tcplen = skb->len - tcphoff;
++ len = skb->len - tcphoff;
++ if (len < (int)sizeof(struct tcphdr))
++ return -1;
++
+ tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
++ tcp_hdrlen = tcph->doff * 4;
+
+- /* Header cannot be larger than the packet */
+- if (tcplen < tcph->doff*4)
++ if (len < tcp_hdrlen)
+ return -1;
+
+ if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
+@@ -87,9 +91,8 @@ tcpmss_mangle_packet(struct sk_buff *skb,
+ newmss = info->mss;
+
+ opt = (u_int8_t *)tcph;
+- for (i = sizeof(struct tcphdr); i < tcph->doff*4; i += optlen(opt, i)) {
+- if (opt[i] == TCPOPT_MSS && tcph->doff*4 - i >= TCPOLEN_MSS &&
+- opt[i+1] == TCPOLEN_MSS) {
++ for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i += optlen(opt, i)) {
++ if (opt[i] == TCPOPT_MSS && opt[i+1] == TCPOLEN_MSS) {
+ u_int16_t oldmss;
+
+ oldmss = (opt[i+2] << 8) | opt[i+3];
+@@ -112,9 +115,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
+ }
+
+ /* There is data after the header so the option can't be added
+- without moving it, and doing so may make the SYN packet
+- itself too large. Accept the packet unmodified instead. */
+- if (tcplen > tcph->doff*4)
++ * without moving it, and doing so may make the SYN packet
++ * itself too large. Accept the packet unmodified instead.
++ */
++ if (len > tcp_hdrlen)
+ return 0;
+
+ /*
+@@ -143,10 +147,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
+ newmss = min(newmss, (u16)1220);
+
+ opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
+- memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
++ memmove(opt + TCPOLEN_MSS, opt, len - sizeof(struct tcphdr));
+
+ inet_proto_csum_replace2(&tcph->check, skb,
+- htons(tcplen), htons(tcplen + TCPOLEN_MSS), 1);
++ htons(len), htons(len + TCPOLEN_MSS), 1);
+ opt[0] = TCPOPT_MSS;
+ opt[1] = TCPOLEN_MSS;
+ opt[2] = (newmss & 0xff00) >> 8;
+diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
+index b68fa19..625fa1d 100644
+--- a/net/netfilter/xt_TCPOPTSTRIP.c
++++ b/net/netfilter/xt_TCPOPTSTRIP.c
+@@ -38,7 +38,7 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
+ struct tcphdr *tcph;
+ u_int16_t n, o;
+ u_int8_t *opt;
+- int len;
++ int len, tcp_hdrlen;
+
+ /* This is a fragment, no TCP header is available */
+ if (par->fragoff != 0)
+@@ -52,7 +52,9 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
+ return NF_DROP;
+
+ tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
+- if (tcph->doff * 4 > len)
++ tcp_hdrlen = tcph->doff * 4;
++
++ if (len < tcp_hdrlen)
+ return NF_DROP;
+
+ opt = (u_int8_t *)tcph;
+@@ -61,10 +63,10 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
+ * Walk through all TCP options - if we find some option to remove,
+ * set all octets to %TCPOPT_NOP and adjust checksum.
+ */
+- for (i = sizeof(struct tcphdr); i < tcp_hdrlen(skb); i += optl) {
++ for (i = sizeof(struct tcphdr); i < tcp_hdrlen - 1; i += optl) {
+ optl = optlen(opt, i);
+
+- if (i + optl > tcp_hdrlen(skb))
++ if (i + optl > tcp_hdrlen)
+ break;
+
+ if (!tcpoptstrip_test_bit(info->strip_bmap, opt[i]))
diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c
new file mode 100644
index 0000000..c566332
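Review bot: tcpmss_mangle_packet() now bounds `tcp_hdrlen` from above with `len < tcp_hdrlen` but never from below, so a header whose doff is smaller than 5 is accepted. The option loop compares `unsigned int i` with `tcp_hdrlen - TCPOLEN_MSS`; when tcp_hdrlen is below TCPOLEN_MSS the int result is negative and converts to a very large unsigned bound, so the loop reads `opt[i]` beyond the header and possibly beyond the packet data. Rejecting undersized headers up front fixes it: `if (len < tcp_hdrlen || tcp_hdrlen < (int)sizeof(struct tcphdr)) return -1;`. The tcpoptstrip_mangle_packet() change later in this hunk has the same shape with `i < tcp_hdrlen - 1` and deserves the same lower-bound check, though the type of `i` there is outside the hunk.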
@@ -90688,7 +96571,7 @@ index 57ee84d..8b99cf5 100644
);
diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
-index 2fd6dbe..1032269 100644
+index 1076fe1..f190285 100644
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -310,18 +310,20 @@ int genl_register_ops(struct genl_family *family, struct genl_ops *ops)
@@ -91296,18 +97179,6 @@ index f226709..0e735a8 100644
_proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
-diff --git a/net/sched/sch_atm.c b/net/sched/sch_atm.c
-index ca8e0a5..1f9c314 100644
---- a/net/sched/sch_atm.c
-+++ b/net/sched/sch_atm.c
-@@ -605,6 +605,7 @@ static int atm_tc_dump_class(struct Qdisc *sch, unsigned long cl,
- struct sockaddr_atmpvc pvc;
- int state;
-
-+ memset(&pvc, 0, sizeof(pvc));
- pvc.sap_family = AF_ATMPVC;
- pvc.sap_addr.itf = flow->vcc->dev ? flow->vcc->dev->number : -1;
- pvc.sap_addr.vpi = flow->vcc->vpi;
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index 391a245..296b3d7 100644
--- a/net/sctp/ipv6.c
@@ -91513,6 +97384,25 @@ index bf3c6e8..376d8d0 100644
int i;
table = kmemdup(sctp_net_table, sizeof(sctp_net_table), GFP_KERNEL);
+diff --git a/net/sctp/transport.c b/net/sctp/transport.c
+index 098f1d5f..60da2f7 100644
+--- a/net/sctp/transport.c
++++ b/net/sctp/transport.c
+@@ -178,12 +178,12 @@ static void sctp_transport_destroy(struct sctp_transport *transport)
+ {
+ SCTP_ASSERT(transport->dead, "Transport is not dead", return);
+
+- call_rcu(&transport->rcu, sctp_transport_destroy_rcu);
+-
+ sctp_packet_free(&transport->packet);
+
+ if (transport->asoc)
+ sctp_association_put(transport->asoc);
++
++ call_rcu(&transport->rcu, sctp_transport_destroy_rcu);
+ }
+
+ /* Start T3_rtx timer if it is not already running and update the heartbeat
diff --git a/net/socket.c b/net/socket.c
index 4ca1526..df83e47 100644
--- a/net/socket.c
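Review bot: The reordering in sctp_transport_destroy() leaves no comment saying why `call_rcu()` now has to be the final statement, so a later edit could move it back above `sctp_packet_free()` and `sctp_association_put()`. Both of those still dereference `transport`, and the callback `sctp_transport_destroy_rcu` presumably releases it once the grace period ends (its body is not in this hunk). I would add `/* Must be last: the RCU callback may free the transport, so nothing may touch it after this. */` directly above the `call_rcu()` line.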
@@ -91759,8 +97649,30 @@ index 4ca1526..df83e47 100644
set_fs(KERNEL_DS);
if (level == SOL_SOCKET)
+diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
+index 29b4ba9..f648ae7 100644
+--- a/net/sunrpc/auth_gss/svcauth_gss.c
++++ b/net/sunrpc/auth_gss/svcauth_gss.c
+@@ -1144,7 +1144,7 @@ static int gss_proxy_save_rsc(struct cache_detail *cd,
+ uint64_t *handle)
+ {
+ struct rsc rsci, *rscp = NULL;
+- static atomic64_t ctxhctr;
++ static atomic64_unchecked_t ctxhctr = ATOMIC64_INIT(0);
+ long long ctxh;
+ struct gss_api_mech *gm = NULL;
+ time_t expiry;
+@@ -1155,7 +1155,7 @@ static int gss_proxy_save_rsc(struct cache_detail *cd,
+ status = -ENOMEM;
+ /* the handle needs to be just a unique id,
+ * use a static counter */
+- ctxh = atomic64_inc_return(&ctxhctr);
++ ctxh = atomic64_inc_return_unchecked(&ctxhctr);
+
+ /* make a copy for the caller */
+ *handle = ctxh;
diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
-index 5a750b9..ca5d7af 100644
+index 426f8fc..1ef9c32 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -1288,7 +1288,9 @@ call_start(struct rpc_task *task)
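Review bot: The switch of `ctxhctr` to `atomic64_unchecked_t` in gss_proxy_save_rsc() carries no comment saying why this counter may opt out of overflow checking, and the same holds for `acqseq` in the net/xfrm/xfrm_state.c hunk and `avc_cache.lru_hint` in the security/selinux/avc.c hunk. From the visible lines each looks like a plain counter rather than an object reference count: `ctxhctr` only produces a unique handle, `acqseq` is re-incremented until it is non-zero, and `lru_hint` is masked with `AVC_CACHE_SLOTS - 1`. A one-line comment at each declaration, for example `/* id generator, not a refcount: wrap-around is harmless */`, would let a later audit of the `_unchecked` opt-outs confirm that without re-deriving it. gss_proxy_save_rsc() continues outside the hunk.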
@@ -92179,6 +98091,19 @@ index 8800604..0526440 100644
table = kmemdup(unix_table, sizeof(unix_table), GFP_KERNEL);
if (table == NULL)
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index 3f77f42..662d89b 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -335,7 +335,7 @@ void vsock_for_each_connected_socket(void (*fn)(struct sock *sk))
+ for (i = 0; i < ARRAY_SIZE(vsock_connected_table); i++) {
+ struct vsock_sock *vsk;
+ list_for_each_entry(vsk, &vsock_connected_table[i],
+- connected_table);
++ connected_table)
+ fn(sk_vsock(vsk));
+ }
+
diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
index c8717c1..08539f5 100644
--- a/net/wireless/wext-core.c
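Review bot: The `list_for_each_entry()` loop in vsock_for_each_connected_socket() still has an unbraced body, which is the shape that let the stray `;` turn `fn(sk_vsock(vsk))` into a single call made after the walk, when `vsk` no longer points at a list entry. Bracing the body makes a recurrence obvious in review: `list_for_each_entry(vsk, &vsock_connected_table[i], connected_table) {` followed by `fn(sk_vsock(vsk));` and `}`. The function starts outside the hunk, so whatever locking protects the table during the walk cannot be checked from here.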
@@ -92318,7 +98243,7 @@ index ea970b8..c68edb9f 100644
}
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
-index 78f66fa..9286768 100644
+index 78f66fa..b93d547 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -177,12 +177,14 @@ int xfrm_register_type(const struct xfrm_type *type, unsigned short family)
@@ -92412,6 +98337,19 @@ index 78f66fa..9286768 100644
module_put(mode->afinfo->owner);
err = 0;
}
+@@ -1486,10 +1493,10 @@ EXPORT_SYMBOL(xfrm_find_acq_byseq);
+ u32 xfrm_get_acqseq(void)
+ {
+ u32 res;
+- static atomic_t acqseq;
++ static atomic_unchecked_t acqseq;
+
+ do {
+- res = atomic_inc_return(&acqseq);
++ res = atomic_inc_return_unchecked(&acqseq);
+ } while (!res);
+
+ return res;
diff --git a/net/xfrm/xfrm_sysctl.c b/net/xfrm/xfrm_sysctl.c
index 05a6e3d..6716ec9 100644
--- a/net/xfrm/xfrm_sysctl.c
@@ -92861,10 +98799,10 @@ index f5eb43d..1814de8 100644
shdr = (Elf_Shdr *)((char *)ehdr + _r(&ehdr->e_shoff));
shstrtab_sec = shdr + r2(&ehdr->e_shstrndx);
diff --git a/security/Kconfig b/security/Kconfig
-index e9c6ac7..a4d558d 100644
+index e9c6ac7..c5d45c8 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,956 @@
+@@ -4,6 +4,959 @@
menu "Security options"
@@ -93232,7 +99170,7 @@ index e9c6ac7..a4d558d 100644
+config PAX_NOEXEC
+ bool "Enforce non-executable pages"
+ default y if GRKERNSEC_CONFIG_AUTO
-+ depends on ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86
++ depends on ALPHA || (ARM && (CPU_V6 || CPU_V6K || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86
+ help
+ By design some architectures do not allow for protecting memory
+ pages against execution or even if they do, Linux does not make
@@ -93262,8 +99200,6 @@ index e9c6ac7..a4d558d 100644
+ bool "Paging based non-executable pages"
+ default y if GRKERNSEC_CONFIG_AUTO
+ depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
-+ select S390_SWITCH_AMODE if S390
-+ select S390_EXEC_PROTECT if S390
+ select ARCH_TRACK_EXEC_LIMIT if X86_32
+ help
+ This implementation is based on the paging feature of the CPU.
@@ -93445,7 +99381,7 @@ index e9c6ac7..a4d558d 100644
+config PAX_KERNEXEC
+ bool "Enforce non-executable kernel pages"
+ default y if GRKERNSEC_CONFIG_AUTO && (GRKERNSEC_CONFIG_VIRT_NONE || (GRKERNSEC_CONFIG_VIRT_EPT && GRKERNSEC_CONFIG_VIRT_GUEST) || (GRKERNSEC_CONFIG_VIRT_EPT && GRKERNSEC_CONFIG_VIRT_KVM))
-+ depends on (X86 || (ARM && (CPU_V6 || CPU_V7) && !(ARM_LPAE && MODULES))) && !XEN
++ depends on (X86 || (ARM && (CPU_V6 || CPU_V6K || CPU_V7) && !(ARM_LPAE && MODULES))) && !XEN
+ select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
+ select PAX_KERNEXEC_PLUGIN if X86_64
+ help
@@ -93677,7 +99613,7 @@ index e9c6ac7..a4d558d 100644
+config PAX_MEMORY_UDEREF
+ bool "Prevent invalid userland pointer dereference"
+ default y if GRKERNSEC_CONFIG_AUTO && !(X86_64 && GRKERNSEC_CONFIG_PRIORITY_PERF) && (GRKERNSEC_CONFIG_VIRT_NONE || GRKERNSEC_CONFIG_VIRT_EPT)
-+ depends on (X86 || (ARM && (CPU_V6 || CPU_V7) && !ARM_LPAE)) && !UML_X86 && !XEN
++ depends on (X86 || (ARM && (CPU_V6 || CPU_V6K || CPU_V7) && !ARM_LPAE)) && !UML_X86 && !XEN
+ select PAX_PER_CPU_PGD if X86_64
+ help
+ By saying Y here the kernel will be prevented from dereferencing
@@ -93694,10 +99630,15 @@ index e9c6ac7..a4d558d 100644
+ VMs running on CPUs without hardware virtualization support (i.e.,
+ the majority of IA-32 CPUs) will likely experience the slowdown.
+
++ On X86_64 the kernel will make use of PCID support when available
++ (Intel's Westmere, Sandy Bridge, etc) for better security (default)
++ or performance impact. Pass pax_weakuderef on the kernel command
++ line to choose the latter.
++
+config PAX_REFCOUNT
+ bool "Prevent various kernel object reference counter overflows"
+ default y if GRKERNSEC_CONFIG_AUTO
-+ depends on GRKERNSEC && ((ARM && (CPU_32v6 || CPU_32v6K || CPU_32v7)) || SPARC64 || X86)
++ depends on GRKERNSEC && ((ARM && (CPU_V6 || CPU_V6K || CPU_V7)) || MIPS || SPARC64 || X86)
+ help
+ By saying Y here the kernel will detect and prevent overflowing
+ various (but not all) kinds of object reference counters. Such
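Review bot: The help text added to PAX_MEMORY_UDEREF reads "for better security (default) or performance impact", which does not say that `pax_weakuderef` selects the faster mode at the cost of protection, nor which guarantee is relaxed. Someone tuning a boot line from this text alone could enable the option without realising it is a downgrade. I would reword the sentence along the lines of `either for stronger protection (default) or for lower overhead; pass pax_weakuderef on the kernel command line to choose the latter, weaker mode` and add one sentence naming what the weak mode no longer enforces.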
@@ -93821,7 +99762,7 @@ index e9c6ac7..a4d558d 100644
source security/keys/Kconfig
config SECURITY_DMESG_RESTRICT
-@@ -103,7 +1053,7 @@ config INTEL_TXT
+@@ -103,7 +1056,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX
@@ -94416,6 +100357,37 @@ index a3dce87..9ca1435 100644
}
/* Save user chosen LSM */
+diff --git a/security/selinux/avc.c b/security/selinux/avc.c
+index dad36a6..7e5ffbf 100644
+--- a/security/selinux/avc.c
++++ b/security/selinux/avc.c
+@@ -59,7 +59,7 @@ struct avc_node {
+ struct avc_cache {
+ struct hlist_head slots[AVC_CACHE_SLOTS]; /* head for avc_node->list */
+ spinlock_t slots_lock[AVC_CACHE_SLOTS]; /* lock for writes */
+- atomic_t lru_hint; /* LRU hint for reclaim scan */
++ atomic_unchecked_t lru_hint; /* LRU hint for reclaim scan */
+ atomic_t active_nodes;
+ u32 latest_notif; /* latest revocation notification */
+ };
+@@ -167,7 +167,7 @@ void __init avc_init(void)
+ spin_lock_init(&avc_cache.slots_lock[i]);
+ }
+ atomic_set(&avc_cache.active_nodes, 0);
+- atomic_set(&avc_cache.lru_hint, 0);
++ atomic_set_unchecked(&avc_cache.lru_hint, 0);
+
+ avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node),
+ 0, SLAB_PANIC, NULL);
+@@ -242,7 +242,7 @@ static inline int avc_reclaim_node(void)
+ spinlock_t *lock;
+
+ for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) {
+- hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1);
++ hvalue = atomic_inc_return_unchecked(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1);
+ head = &avc_cache.slots[hvalue];
+ lock = &avc_cache.slots_lock[hvalue];
+
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5c6f2cd..b4f945c 100644
--- a/security/selinux/hooks.c
@@ -95014,6 +100986,27 @@ index 7d8803a..559f8d0 100644
list_add(&s->list, &cs4297a_devs);
+diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
+index 55108b5..d973e11 100644
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -916,14 +916,10 @@ find_codec_preset(struct hda_codec *codec)
+ mutex_unlock(&preset_mutex);
+
+ if (mod_requested < HDA_MODREQ_MAX_COUNT) {
+- char name[32];
+ if (!mod_requested)
+- snprintf(name, sizeof(name), "snd-hda-codec-id:%08x",
+- codec->vendor_id);
++ request_module("snd-hda-codec-id:%08x", codec->vendor_id);
+ else
+- snprintf(name, sizeof(name), "snd-hda-codec-id:%04x*",
+- (codec->vendor_id >> 16) & 0xffff);
+- request_module(name);
++ request_module("snd-hda-codec-id:%04x*", (codec->vendor_id >> 16) & 0xffff);
+ mod_requested++;
+ goto again;
+ }
diff --git a/sound/pci/ymfpci/ymfpci.h b/sound/pci/ymfpci/ymfpci.h
index 4631a23..001ae57 100644
--- a/sound/pci/ymfpci/ymfpci.h
@@ -96334,10 +102327,10 @@ index 0000000..568b360
+}
diff --git a/tools/gcc/kernexec_plugin.c b/tools/gcc/kernexec_plugin.c
new file mode 100644
-index 0000000..0408e06
+index 0000000..257529f
--- /dev/null
+++ b/tools/gcc/kernexec_plugin.c
-@@ -0,0 +1,465 @@
+@@ -0,0 +1,471 @@
+/*
+ * Copyright 2011-2013 by the PaX Team <pageexec@freemail.hu>
+ * Licensed under the GPL v2
@@ -96389,7 +102382,7 @@ index 0000000..0408e06
+int plugin_is_GPL_compatible;
+
+static struct plugin_info kernexec_plugin_info = {
-+ .version = "201302112000",
++ .version = "201308230150",
+ .help = "method=[bts|or]\tinstrumentation method\n"
+};
+
@@ -96540,7 +102533,7 @@ index 0000000..0408e06
+static void kernexec_instrument_fptr_bts(gimple_stmt_iterator *gsi)
+{
+ gimple assign_intptr, assign_new_fptr, call_stmt;
-+ tree intptr, old_fptr, new_fptr, kernexec_mask;
++ tree intptr, orptr, old_fptr, new_fptr, kernexec_mask;
+
+ call_stmt = gsi_stmt(*gsi);
+ old_fptr = gimple_call_fn(call_stmt);
@@ -96549,16 +102542,20 @@ index 0000000..0408e06
+ intptr = create_tmp_var(long_unsigned_type_node, "kernexec_bts");
+#if BUILDING_GCC_VERSION <= 4007
+ add_referenced_var(intptr);
-+ mark_sym_for_renaming(intptr);
+#endif
++ intptr = make_ssa_name(intptr, NULL);
+ assign_intptr = gimple_build_assign(intptr, fold_convert(long_unsigned_type_node, old_fptr));
++ SSA_NAME_DEF_STMT(intptr) = assign_intptr;
+ gsi_insert_before(gsi, assign_intptr, GSI_SAME_STMT);
+ update_stmt(assign_intptr);
+
+ // apply logical or to temporary unsigned long and bitmask
+ kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0x8000000000000000LL);
+// kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0xffffffff80000000LL);
-+ assign_intptr = gimple_build_assign(intptr, fold_build2(BIT_IOR_EXPR, long_long_unsigned_type_node, intptr, kernexec_mask));
++ orptr = fold_build2(BIT_IOR_EXPR, long_long_unsigned_type_node, intptr, kernexec_mask);
++ intptr = make_ssa_name(SSA_NAME_VAR(intptr), NULL);
++ assign_intptr = gimple_build_assign(intptr, orptr);
++ SSA_NAME_DEF_STMT(intptr) = assign_intptr;
+ gsi_insert_before(gsi, assign_intptr, GSI_SAME_STMT);
+ update_stmt(assign_intptr);
+
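Review bot: `intptr` is created with `long_unsigned_type_node`, but the new `orptr` expression and `kernexec_mask` are built as `long_long_unsigned_type_node` and the result is then assigned to a fresh SSA name of `intptr`'s variable, so the two sides of that assignment have nominally different types. Both are 64 bits wide on x86_64, the only target the Kconfig text selects this plugin for, so this should be harmless there, but using one type throughout avoids relying on that. I would write `kernexec_mask = build_int_cstu(long_unsigned_type_node, 0x8000000000000000LL);` and `orptr = fold_build2(BIT_IOR_EXPR, long_unsigned_type_node, intptr, kernexec_mask);`. kernexec_instrument_fptr_bts() starts and ends outside this hunk.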
@@ -96566,9 +102563,10 @@ index 0000000..0408e06
+ new_fptr = create_tmp_var(TREE_TYPE(old_fptr), "kernexec_fptr");
+#if BUILDING_GCC_VERSION <= 4007
+ add_referenced_var(new_fptr);
-+ mark_sym_for_renaming(new_fptr);
+#endif
++ new_fptr = make_ssa_name(new_fptr, NULL);
+ assign_new_fptr = gimple_build_assign(new_fptr, fold_convert(TREE_TYPE(old_fptr), intptr));
++ SSA_NAME_DEF_STMT(new_fptr) = assign_new_fptr;
+ gsi_insert_before(gsi, assign_new_fptr, GSI_SAME_STMT);
+ update_stmt(assign_new_fptr);
+
@@ -96596,8 +102594,8 @@ index 0000000..0408e06
+ new_fptr = create_tmp_var(TREE_TYPE(old_fptr), "kernexec_or");
+#if BUILDING_GCC_VERSION <= 4007
+ add_referenced_var(new_fptr);
-+ mark_sym_for_renaming(new_fptr);
+#endif
++ new_fptr = make_ssa_name(new_fptr, NULL);
+
+ // build asm volatile("orq %%r10, %0\n\t" : "=r"(new_fptr) : "0"(old_fptr));
+ input = build_tree_list(NULL_TREE, build_string(2, "0"));
@@ -96612,6 +102610,7 @@ index 0000000..0408e06
+ vec_safe_push(outputs, output);
+#endif
+ asm_or_stmt = gimple_build_asm_vec("orq %%r10, %0\n\t", inputs, outputs, NULL, NULL);
++ SSA_NAME_DEF_STMT(new_fptr) = asm_or_stmt;
+ gimple_asm_set_volatile(asm_or_stmt, true);
+ gsi_insert_before(gsi, asm_or_stmt, GSI_SAME_STMT);
+ update_stmt(asm_or_stmt);
@@ -96805,10 +102804,10 @@ index 0000000..0408e06
+}
diff --git a/tools/gcc/latent_entropy_plugin.c b/tools/gcc/latent_entropy_plugin.c
new file mode 100644
-index 0000000..b5395ba
+index 0000000..2ef6fd9
--- /dev/null
+++ b/tools/gcc/latent_entropy_plugin.c
-@@ -0,0 +1,327 @@
+@@ -0,0 +1,321 @@
+/*
+ * Copyright 2012-2013 by the PaX Team <pageexec@freemail.hu>
+ * Licensed under the GPL v2
@@ -96860,7 +102859,7 @@ index 0000000..b5395ba
+static tree latent_entropy_decl;
+
+static struct plugin_info latent_entropy_plugin_info = {
-+ .version = "201303102320",
++ .version = "201308230230",
+ .help = NULL
+};
+
@@ -96969,13 +102968,10 @@ index 0000000..b5395ba
+ op = get_op(&rhs);
+ addxorrol = fold_build2_loc(UNKNOWN_LOCATION, op, unsigned_intDI_type_node, local_entropy, rhs);
+ assign = gimple_build_assign(local_entropy, addxorrol);
-+#if BUILDING_GCC_VERSION <= 4007
-+ find_referenced_vars_in(assign);
-+#endif
-+//debug_bb(bb);
+ gsi = gsi_after_labels(bb);
+ gsi_insert_before(&gsi, assign, GSI_NEW_STMT);
+ update_stmt(assign);
++//debug_bb(bb);
+}
+
+static void perturb_latent_entropy(basic_block bb, tree rhs)
@@ -96988,13 +102984,14 @@ index 0000000..b5395ba
+ temp = create_tmp_var(unsigned_intDI_type_node, "temp_latent_entropy");
+#if BUILDING_GCC_VERSION <= 4007
+ add_referenced_var(temp);
-+ mark_sym_for_renaming(temp);
+#endif
+
+ // 2. read...
++ temp = make_ssa_name(temp, NULL);
+ assign = gimple_build_assign(temp, latent_entropy_decl);
++ SSA_NAME_DEF_STMT(temp) = assign;
+#if BUILDING_GCC_VERSION <= 4007
-+ find_referenced_vars_in(assign);
++ add_referenced_var(latent_entropy_decl);
+#endif
+ gsi = gsi_after_labels(bb);
+ gsi_insert_after(&gsi, assign, GSI_NEW_STMT);
@@ -97002,18 +102999,14 @@ index 0000000..b5395ba
+
+ // 3. ...modify...
+ addxorrol = fold_build2_loc(UNKNOWN_LOCATION, get_op(NULL), unsigned_intDI_type_node, temp, rhs);
++ temp = make_ssa_name(SSA_NAME_VAR(temp), NULL);
+ assign = gimple_build_assign(temp, addxorrol);
-+#if BUILDING_GCC_VERSION <= 4007
-+ find_referenced_vars_in(assign);
-+#endif
++ SSA_NAME_DEF_STMT(temp) = assign;
+ gsi_insert_after(&gsi, assign, GSI_NEW_STMT);
+ update_stmt(assign);
+
+ // 4. ...write latent_entropy
+ assign = gimple_build_assign(latent_entropy_decl, temp);
-+#if BUILDING_GCC_VERSION <= 4007
-+ find_referenced_vars_in(assign);
-+#endif
+ gsi_insert_after(&gsi, assign, GSI_NEW_STMT);
+ update_stmt(assign);
+}
@@ -97064,21 +103057,21 @@ index 0000000..b5395ba
+
+ assign = gimple_build_assign(local_entropy, build_int_cstu(unsigned_intDI_type_node, get_random_const()));
+// gimple_set_location(assign, loc);
-+#if BUILDING_GCC_VERSION <= 4007
-+ find_referenced_vars_in(assign);
-+#endif
+ gsi_insert_after(&gsi, assign, GSI_NEW_STMT);
+ update_stmt(assign);
++//debug_bb(bb);
+ bb = bb->next_bb;
+
+ // 3. instrument each BB with an operation on the local entropy variable
+ while (bb != EXIT_BLOCK_PTR) {
+ perturb_local_entropy(bb, local_entropy);
++//debug_bb(bb);
+ bb = bb->next_bb;
+ };
+
+ // 4. mix local entropy into the global entropy variable
+ perturb_latent_entropy(EXIT_BLOCK_PTR->prev_bb, local_entropy);
++//debug_bb(EXIT_BLOCK_PTR->prev_bb);
+ return 0;
+}
+
@@ -103494,10 +109487,10 @@ index 0000000..b04803b
+alloc_dr_65495 alloc_dr 2 65495 NULL
diff --git a/tools/gcc/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin.c
new file mode 100644
-index 0000000..9db0d0e
+index 0000000..03d0c84
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin.c
-@@ -0,0 +1,2114 @@
+@@ -0,0 +1,2113 @@
+/*
+ * Copyright 2011, 2012, 2013 by Emese Revfy <re.emese@gmail.com>
+ * Licensed under the GPL v2, or (at your option) v3
@@ -103587,7 +109580,7 @@ index 0000000..9db0d0e
+static void print_missing_msg(tree func, unsigned int argnum);
+
+static struct plugin_info size_overflow_plugin_info = {
-+ .version = "20130410beta",
++ .version = "20130822beta",
+ .help = "no-size-overflow\tturn off size overflow checking\n",
+};
+
@@ -103967,7 +109960,6 @@ index 0000000..9db0d0e
+
+#if BUILDING_GCC_VERSION <= 4007
+ add_referenced_var(new_var);
-+ mark_sym_for_renaming(new_var);
+#endif
+ return new_var;
+}
@@ -106228,6 +112220,32 @@ index 0000000..4fae911
+
+ return 0;
+}
+diff --git a/tools/lib/lk/Makefile b/tools/lib/lk/Makefile
+index 926cbf3..b8403e0 100644
+--- a/tools/lib/lk/Makefile
++++ b/tools/lib/lk/Makefile
+@@ -10,7 +10,7 @@ LIB_OBJS += $(OUTPUT)debugfs.o
+
+ LIBFILE = liblk.a
+
+-CFLAGS = -ggdb3 -Wall -Wextra -std=gnu99 -Werror -O6 -D_FORTIFY_SOURCE=2 $(EXTRA_WARNINGS) $(EXTRA_CFLAGS) -fPIC
++CFLAGS = -ggdb3 -Wall -Wextra -std=gnu99 -Werror -O6 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $(EXTRA_WARNINGS) $(EXTRA_CFLAGS) -fPIC
+ EXTLIBS = -lpthread -lrt -lelf -lm
+ ALL_CFLAGS = $(CFLAGS) $(BASIC_CFLAGS) -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
+ ALL_LDFLAGS = $(LDFLAGS)
+diff --git a/tools/perf/Makefile b/tools/perf/Makefile
+index b0f164b..63c9f7d 100644
+--- a/tools/perf/Makefile
++++ b/tools/perf/Makefile
+@@ -188,7 +188,7 @@ endif
+
+ ifndef PERF_DEBUG
+ ifeq ($(call try-cc,$(SOURCE_HELLO),$(CFLAGS) -D_FORTIFY_SOURCE=2,-D_FORTIFY_SOURCE=2),y)
+- CFLAGS := $(CFLAGS) -D_FORTIFY_SOURCE=2
++ CFLAGS := $(CFLAGS) -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2
+ endif
+ endif
+
diff --git a/tools/perf/util/include/asm/alternative-asm.h b/tools/perf/util/include/asm/alternative-asm.h
index 6789d78..4afd019e 100644
--- a/tools/perf/util/include/asm/alternative-asm.h
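Review bot: In tools/perf/Makefile the `try-cc` probe still compiles with a bare `-D_FORTIFY_SOURCE=2`, while the flags it then enables are now `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2`. On a toolchain that predefines `_FORTIFY_SOURCE`, the probe can fail on the redefinition (if warnings are errors in `$(CFLAGS)`, which is not visible here), and the build then silently skips the explicit fortify setting. Probing with the same flags that get enabled keeps the two in step: `ifeq ($(call try-cc,$(SOURCE_HELLO),$(CFLAGS) -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2,-D_FORTIFY_SOURCE=2),y)`. In tools/lib/lk/Makefile, `$(EXTRA_CFLAGS)` is still expanded after the `-U`/`-D` pair, so a value passed there can override it.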
diff --git a/main/linux-grsec/kernelconfig.x86 b/main/linux-grsec/kernelconfig.x86
index 36a0fef5af..5af34f6110 100644
--- a/main/linux-grsec/kernelconfig.x86
+++ b/main/linux-grsec/kernelconfig.x86
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 3.10.4 Kernel Configuration
+# Linux/x86 3.10.10 Kernel Configuration
#
# CONFIG_64BIT is not set
CONFIG_X86_32=y
@@ -5634,6 +5634,11 @@ CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set
#
+# Physical Protections
+#
+# CONFIG_GRKERNSEC_DENYUSB is not set
+
+#
# Sysctl Support
#
CONFIG_GRKERNSEC_SYSCTL=y
diff --git a/main/linux-grsec/kernelconfig.x86_64 b/main/linux-grsec/kernelconfig.x86_64
index 3e48639202..9732d747e8 100644
--- a/main/linux-grsec/kernelconfig.x86_64
+++ b/main/linux-grsec/kernelconfig.x86_64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 3.10.4 Kernel Configuration
+# Linux/x86 3.10.10 Kernel Configuration
#
CONFIG_64BIT=y
CONFIG_X86_64=y
@@ -5571,6 +5571,11 @@ CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set
#
+# Physical Protections
+#
+# CONFIG_GRKERNSEC_DENYUSB is not set
+
+#
# Sysctl Support
#
CONFIG_GRKERNSEC_SYSCTL=y
diff --git a/main/linux-grsec/net-ip_gre-fix-ipgre_header-to-return-correct-offset.patch b/main/linux-grsec/net-ip_gre-fix-ipgre_header-to-return-correct-offset.patch
deleted file mode 100644
index aeaeb33d7a..0000000000
--- a/main/linux-grsec/net-ip_gre-fix-ipgre_header-to-return-correct-offset.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From patchwork Tue Aug 6 10:45:43 2013
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 8bit
-Subject: [net] ip_gre: fix ipgre_header to return correct offset
-From: =?utf-8?q?Timo_Ter=C3=A4s?= <timo.teras@iki.fi>
-X-Patchwork-Id: 264994
-Message-Id: <1375785943-23908-1-git-send-email-timo.teras@iki.fi>
-To: netdev@vger.kernel.org
-Cc: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>,
- Pravin B Shelar <pshelar@nicira.com>
-Date: Tue, 6 Aug 2013 13:45:43 +0300
-
-Fix ipgre_header() (header_ops->create) to return the correct
-amount of bytes pushed. Most callers of dev_hard_header() seem
-to care only if it was success, but af_packet.c uses it as
-offset to the skb to copy from userspace only once. In practice
-this fixes packet socket sendto()/sendmsg() to gre tunnels.
-
-Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5
-("GRE: Refactor GRE tunneling code.")
-
-Cc: Pravin B Shelar <pshelar@nicira.com>
-Signed-off-by: Timo Teräs <timo.teras@iki.fi>
-
----
-Should go to 3.10-stable too. Without this dmvpn setup does not work
-at all, as opennhrp uses packet sockets to send the nhrp packets.
-
- net/ipv4/ip_gre.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
-index 855004f..c52fee0 100644
---- a/net/ipv4/ip_gre.c
-+++ b/net/ipv4/ip_gre.c
-@@ -572,7 +572,7 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
- if (daddr)
- memcpy(&iph->daddr, daddr, 4);
- if (iph->daddr)
-- return t->hlen;
-+ return t->hlen + sizeof(*iph);
-
- return -(t->hlen + sizeof(*iph));
- }