diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2014-08-26 06:58:45 +0000 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2014-08-26 06:58:45 +0000 |
| commit | 4d13abc277362c9cc5b8005f8c39ffd43b0c4797 (patch) | |
| tree | 36683440e563035df95a827dcc77eced4b16c869 /main/linux-grsec | |
| parent | 8994720aa10d251625a7703c8830a58d6897303d (diff) | |
| download | aports-4d13abc277362c9cc5b8005f8c39ffd43b0c4797.tar.bz2 aports-4d13abc277362c9cc5b8005f8c39ffd43b0c4797.tar.xz | |
main/linux-grsec: upgrade to grsecurity-3.0-3.14.17-201408260041
Diffstat (limited to 'main/linux-grsec')
| -rw-r--r-- | main/linux-grsec/APKBUILD | 10 | ||||
| -rw-r--r-- | main/linux-grsec/grsecurity-3.0-3.14.17-201408260041.patch (renamed from main/linux-grsec/grsecurity-3.0-3.14.17-201408140021.patch) | 744 |
2 files changed, 579 insertions, 175 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index 9d8082ce70..a3f3a7b60d 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD @@ -7,7 +7,7 @@ case $pkgver in *.*.*) _kernver=${pkgver%.*};; *.*) _kernver=${pkgver};; esac -pkgrel=0 +pkgrel=1 pkgdesc="Linux kernel with grsecurity" url=http://grsecurity.net depends="mkinitfs linux-firmware" @@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}} install= source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz - grsecurity-3.0-3.14.17-201408140021.patch + grsecurity-3.0-3.14.17-201408260041.patch fix-memory-map-for-PIE-applications.patch imx6q-no-unclocked-sleep.patch @@ -166,7 +166,7 @@ dev() { md5sums="b621207b3f6ecbb67db18b13258f8ea8 linux-3.14.tar.xz a9a6539c8df7245c2ab9bfca56f2ef04 patch-3.14.17.xz -bcd6ccef7af2981f9b7b08e31953d765 grsecurity-3.0-3.14.17-201408140021.patch +25066c4bc665d172b980d09435f18432 grsecurity-3.0-3.14.17-201408260041.patch c6a4ae7e8ca6159e1631545515805216 fix-memory-map-for-PIE-applications.patch 1a307fc1d63231bf01d22493a4f14378 imx6q-no-unclocked-sleep.patch dc5e04d422b807e740fd15b141b89a62 kernelconfig.x86 @@ -174,7 +174,7 @@ dc5e04d422b807e740fd15b141b89a62 kernelconfig.x86 0d71b1663f7cbfffc6e403deca4bbe86 kernelconfig.armhf" sha256sums="61558aa490855f42b6340d1a1596be47454909629327c49a5e4e10268065dffa linux-3.14.tar.xz 50b0e2a6812597b401a417bd1269b5388fdd980b6009d564fff09605100f0df8 patch-3.14.17.xz -ee21a2886acb87d01e14ab14e92d1235fe3d2dcc1f474fecba68d712b59a7394 grsecurity-3.0-3.14.17-201408140021.patch +40352c8bd115d91089444670999925e2a383c66c42ae11d94ec295d656772caf grsecurity-3.0-3.14.17-201408260041.patch 500f3577310be52e87b9fecdc2e9c4ca43210fd97d69089f9005d484563f74c7 fix-memory-map-for-PIE-applications.patch 21179fbb22a5b74af0a609350ae1a170e232908572b201d02e791d2ce0a685d3 imx6q-no-unclocked-sleep.patch 148fe2f06c98716744139f0c92aa702665bb9da96ecc163ef56c8ba3084d534a kernelconfig.x86 @@ -182,7 +182,7 @@ ee21a2886acb87d01e14ab14e92d1235fe3d2dcc1f474fecba68d712b59a7394 grsecurity-3.0 3cddaac02211dd0f5eb4531aecc3a1427f29dcec7b31d9fe0042192d591bcdc8 kernelconfig.armhf" sha512sums="5730d83a7a81134c1e77c0bf89e42dee4f8251ad56c1ac2be20c59e26fdfaa7bea55f277e7af156b637f22e1584914a46089af85039177cb43485089c74ac26e linux-3.14.tar.xz 03638215934a08a67e3d92d051b6a341e1874872388de910870021934f11f8ed20502a1afbff89a24f0e14053a02f4e40441e2f9878b099ddd1504159ff19872 patch-3.14.17.xz -c02cf98ab7adae82574240dee155670b60b774cdae8c0b58620e4c9d689b36f998625e536878dbf7ef671317bafaa22d6c81497d17ffba320b0395932ba27b09 grsecurity-3.0-3.14.17-201408140021.patch +6c54a9f120dd896b595239f984c326933e50ba2e324215fb8e4bb6092cb624771dc301e78424f7be3f1d42c542fda086e5d8fe84cf9e06dc8106d3b16c0a69bd grsecurity-3.0-3.14.17-201408260041.patch 4665c56ae1bbac311f9205d64918e84ee8b01d47d6e2396ff6b8adfb10aada7f7254531ce62e31edbb65c2a54a830f09ad05d314dfcd75d6272f4068945ad7c7 fix-memory-map-for-PIE-applications.patch 87d1ad59732f265a5b0db54490dc1762c14ea4b868e7eb1aedc3ce57b48046de7bbc08cf5cfcf6f1380fa84063b0edb16ba3d5e3c5670be9bbb229275c88b221 imx6q-no-unclocked-sleep.patch 65697a0652795bc2f57c74968b4e541b372bf9ebfd8effe9d17b75143f2444a76d41982dddee3c7cda28dc33c88f221b89964282d82761593ec697b5fa77f8d4 kernelconfig.x86 diff --git a/main/linux-grsec/grsecurity-3.0-3.14.17-201408140021.patch b/main/linux-grsec/grsecurity-3.0-3.14.17-201408260041.patch index 1f1739cdbb..c27879a613 100644 --- a/main/linux-grsec/grsecurity-3.0-3.14.17-201408140021.patch +++ b/main/linux-grsec/grsecurity-3.0-3.14.17-201408260041.patch @@ -38844,28 +38844,10 @@ index 8320abd..ec48108 100644 if (cmd != SIOCWANDEV) diff --git a/drivers/char/random.c b/drivers/char/random.c -index 429b75b..a7f4145 100644 +index 429b75b..de805d0 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c -@@ -270,10 +270,17 @@ - /* - * Configuration information - */ -+#ifdef CONFIG_GRKERNSEC_RANDNET -+#define INPUT_POOL_SHIFT 14 -+#define INPUT_POOL_WORDS (1 << (INPUT_POOL_SHIFT-5)) -+#define OUTPUT_POOL_SHIFT 12 -+#define OUTPUT_POOL_WORDS (1 << (OUTPUT_POOL_SHIFT-5)) -+#else - #define INPUT_POOL_SHIFT 12 - #define INPUT_POOL_WORDS (1 << (INPUT_POOL_SHIFT-5)) - #define OUTPUT_POOL_SHIFT 10 - #define OUTPUT_POOL_WORDS (1 << (OUTPUT_POOL_SHIFT-5)) -+#endif - #define SEC_XFER_SIZE 512 - #define EXTRACT_SIZE 10 - -@@ -284,9 +291,6 @@ +@@ -284,9 +284,6 @@ /* * To allow fractional bits to be tracked, the entropy_count field is * denominated in units of 1/8th bits. @@ -38875,27 +38857,7 @@ index 429b75b..a7f4145 100644 */ #define ENTROPY_SHIFT 3 #define ENTROPY_BITS(r) ((r)->entropy_count >> ENTROPY_SHIFT) -@@ -361,12 +365,19 @@ static struct poolinfo { - #define S(x) ilog2(x)+5, (x), (x)*4, (x)*32, (x) << (ENTROPY_SHIFT+5) - int tap1, tap2, tap3, tap4, tap5; - } poolinfo_table[] = { -+#ifdef CONFIG_GRKERNSEC_RANDNET -+ /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */ -+ { S(512), 411, 308, 208, 104, 1 }, -+ /* x^128 + x^104 + x^76 + x^51 + x^25 + x + 1 -- 105 */ -+ { S(128), 104, 76, 51, 25, 1 }, -+#else - /* was: x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 */ - /* x^128 + x^104 + x^76 + x^51 +x^25 + x + 1 */ - { S(128), 104, 76, 51, 25, 1 }, - /* was: x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 */ - /* x^32 + x^26 + x^19 + x^14 + x^7 + x + 1 */ - { S(32), 26, 19, 14, 7, 1 }, -+#endif - #if 0 - /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */ - { S(2048), 1638, 1231, 819, 411, 1 }, -@@ -433,9 +444,9 @@ struct entropy_store { +@@ -433,9 +430,9 @@ struct entropy_store { }; static void push_to_pool(struct work_struct *work); @@ -38908,7 +38870,7 @@ index 429b75b..a7f4145 100644 static struct entropy_store input_pool = { .poolinfo = &poolinfo_table[0], -@@ -524,8 +535,8 @@ static void _mix_pool_bytes(struct entropy_store *r, const void *in, +@@ -524,8 +521,8 @@ static void _mix_pool_bytes(struct entropy_store *r, const void *in, input_rotate = (input_rotate + (i ? 7 : 14)) & 31; } @@ -38919,7 +38881,7 @@ index 429b75b..a7f4145 100644 smp_wmb(); if (out) -@@ -632,7 +643,7 @@ retry: +@@ -632,7 +629,7 @@ retry: /* The +2 corresponds to the /4 in the denominator */ do { @@ -38928,7 +38890,7 @@ index 429b75b..a7f4145 100644 unsigned int add = ((pool_size - entropy_count)*anfrac*3) >> s; -@@ -1151,7 +1162,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, +@@ -1151,7 +1148,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, extract_buf(r, tmp); i = min_t(int, nbytes, EXTRACT_SIZE); @@ -38937,7 +38899,7 @@ index 429b75b..a7f4145 100644 ret = -EFAULT; break; } -@@ -1507,7 +1518,7 @@ EXPORT_SYMBOL(generate_random_uuid); +@@ -1507,7 +1504,7 @@ EXPORT_SYMBOL(generate_random_uuid); #include <linux/sysctl.h> static int min_read_thresh = 8, min_write_thresh; @@ -38946,7 +38908,7 @@ index 429b75b..a7f4145 100644 static int max_write_thresh = INPUT_POOL_WORDS * 32; static char sysctl_bootid[16]; -@@ -1523,7 +1534,7 @@ static char sysctl_bootid[16]; +@@ -1523,7 +1520,7 @@ static char sysctl_bootid[16]; static int proc_do_uuid(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -38955,7 +38917,7 @@ index 429b75b..a7f4145 100644 unsigned char buf[64], tmp_uuid[16], *uuid; uuid = table->data; -@@ -1553,7 +1564,7 @@ static int proc_do_uuid(struct ctl_table *table, int write, +@@ -1553,7 +1550,7 @@ static int proc_do_uuid(struct ctl_table *table, int write, static int proc_do_entropy(ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -41703,6 +41665,19 @@ index 6866448..2ad2b34 100644 { /* copy over all the bus versions */ if (dev->bus && dev->bus->pm) { +diff --git a/drivers/hid/hid-cherry.c b/drivers/hid/hid-cherry.c +index 1bdcccc..f745d2c 100644 +--- a/drivers/hid/hid-cherry.c ++++ b/drivers/hid/hid-cherry.c +@@ -28,7 +28,7 @@ + static __u8 *ch_report_fixup(struct hid_device *hdev, __u8 *rdesc, + unsigned int *rsize) + { +- if (*rsize >= 17 && rdesc[11] == 0x3c && rdesc[12] == 0x02) { ++ if (*rsize >= 18 && rdesc[11] == 0x3c && rdesc[12] == 0x02) { + hid_info(hdev, "fixing up Cherry Cymotion report descriptor\n"); + rdesc[11] = rdesc[16] = 0xff; + rdesc[12] = rdesc[17] = 0x03; diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index 7cd42ea..a367c48 100644 --- a/drivers/hid/hid-core.c @@ -41725,6 +41700,110 @@ index 7cd42ea..a367c48 100644 hid_debug_register(hdev, dev_name(&hdev->dev)); ret = device_add(&hdev->dev); +diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c +index e776963..b92bf01 100644 +--- a/drivers/hid/hid-kye.c ++++ b/drivers/hid/hid-kye.c +@@ -300,7 +300,7 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc, + * - change the button usage range to 4-7 for the extra + * buttons + */ +- if (*rsize >= 74 && ++ if (*rsize >= 75 && + rdesc[61] == 0x05 && rdesc[62] == 0x08 && + rdesc[63] == 0x19 && rdesc[64] == 0x08 && + rdesc[65] == 0x29 && rdesc[66] == 0x0f && +diff --git a/drivers/hid/hid-lg.c b/drivers/hid/hid-lg.c +index 9fe9d4a..b8207e0 100644 +--- a/drivers/hid/hid-lg.c ++++ b/drivers/hid/hid-lg.c +@@ -345,14 +345,14 @@ static __u8 *lg_report_fixup(struct hid_device *hdev, __u8 *rdesc, + struct usb_device_descriptor *udesc; + __u16 bcdDevice, rev_maj, rev_min; + +- if ((drv_data->quirks & LG_RDESC) && *rsize >= 90 && rdesc[83] == 0x26 && ++ if ((drv_data->quirks & LG_RDESC) && *rsize >= 91 && rdesc[83] == 0x26 && + rdesc[84] == 0x8c && rdesc[85] == 0x02) { + hid_info(hdev, + "fixing up Logitech keyboard report descriptor\n"); + rdesc[84] = rdesc[89] = 0x4d; + rdesc[85] = rdesc[90] = 0x10; + } +- if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 50 && ++ if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 51 && + rdesc[32] == 0x81 && rdesc[33] == 0x06 && + rdesc[49] == 0x81 && rdesc[50] == 0x06) { + hid_info(hdev, +diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c +index f45279c..0b14d32 100644 +--- a/drivers/hid/hid-logitech-dj.c ++++ b/drivers/hid/hid-logitech-dj.c +@@ -237,13 +237,6 @@ static void logi_dj_recv_add_djhid_device(struct dj_receiver_dev *djrcv_dev, + return; + } + +- if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) || +- (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) { +- dev_err(&djrcv_hdev->dev, "%s: invalid device index:%d\n", +- __func__, dj_report->device_index); +- return; +- } +- + if (djrcv_dev->paired_dj_devices[dj_report->device_index]) { + /* The device is already known. No need to reallocate it. */ + dbg_hid("%s: device is already known\n", __func__); +@@ -721,6 +714,12 @@ static int logi_dj_raw_event(struct hid_device *hdev, + * device (via hid_input_report() ) and return 1 so hid-core does not do + * anything else with it. + */ ++ if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) || ++ (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) { ++ dev_err(&hdev->dev, "%s: invalid device index:%d\n", ++ __func__, dj_report->device_index); ++ return false; ++ } + + spin_lock_irqsave(&djrcv_dev->lock, flags); + if (dj_report->report_id == REPORT_ID_DJ_SHORT) { +diff --git a/drivers/hid/hid-monterey.c b/drivers/hid/hid-monterey.c +index 9e14c00..25daf28 100644 +--- a/drivers/hid/hid-monterey.c ++++ b/drivers/hid/hid-monterey.c +@@ -24,7 +24,7 @@ + static __u8 *mr_report_fixup(struct hid_device *hdev, __u8 *rdesc, + unsigned int *rsize) + { +- if (*rsize >= 30 && rdesc[29] == 0x05 && rdesc[30] == 0x09) { ++ if (*rsize >= 31 && rdesc[29] == 0x05 && rdesc[30] == 0x09) { + hid_info(hdev, "fixing up button/consumer in HID report descriptor\n"); + rdesc[30] = 0x0c; + } +diff --git a/drivers/hid/hid-petalynx.c b/drivers/hid/hid-petalynx.c +index 736b250..6aca4f2 100644 +--- a/drivers/hid/hid-petalynx.c ++++ b/drivers/hid/hid-petalynx.c +@@ -25,7 +25,7 @@ + static __u8 *pl_report_fixup(struct hid_device *hdev, __u8 *rdesc, + unsigned int *rsize) + { +- if (*rsize >= 60 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 && ++ if (*rsize >= 62 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 && + rdesc[41] == 0x00 && rdesc[59] == 0x26 && + rdesc[60] == 0xf9 && rdesc[61] == 0x00) { + hid_info(hdev, "fixing up Petalynx Maxter Remote report descriptor\n"); +diff --git a/drivers/hid/hid-sunplus.c b/drivers/hid/hid-sunplus.c +index 87fc91e..91072fa 100644 +--- a/drivers/hid/hid-sunplus.c ++++ b/drivers/hid/hid-sunplus.c +@@ -24,7 +24,7 @@ + static __u8 *sp_report_fixup(struct hid_device *hdev, __u8 *rdesc, + unsigned int *rsize) + { +- if (*rsize >= 107 && rdesc[104] == 0x26 && rdesc[105] == 0x80 && ++ if (*rsize >= 112 && rdesc[104] == 0x26 && rdesc[105] == 0x80 && + rdesc[106] == 0x03) { + hid_info(hdev, "fixing up Sunplus Wireless Desktop report descriptor\n"); + rdesc[105] = rdesc[110] = 0x03; diff --git a/drivers/hid/hid-wiimote-debug.c b/drivers/hid/hid-wiimote-debug.c index c13fb5b..55a3802 100644 --- a/drivers/hid/hid-wiimote-debug.c @@ -44456,7 +44535,7 @@ index 56e24c0..e1c8e1f 100644 "md/raid1:%s: read error corrected " "(%d sectors at %llu on %s)\n", diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c -index cb882aa..9bd076e 100644 +index cb882aa..cb8aeca 100644 --- a/drivers/md/raid10.c +++ b/drivers/md/raid10.c @@ -1949,7 +1949,7 @@ static void end_sync_read(struct bio *bio, int error) @@ -44518,8 +44597,25 @@ index cb882aa..9bd076e 100644 } rdev_dec_pending(rdev, mddev); +@@ -2954,6 +2954,7 @@ static sector_t sync_request(struct mddev *mddev, sector_t sector_nr, + */ + if (test_bit(MD_RECOVERY_RESHAPE, &mddev->recovery)) { + end_reshape(conf); ++ close_sync(conf); + return 0; + } + +@@ -4411,7 +4412,7 @@ read_more: + read_bio->bi_private = r10_bio; + read_bio->bi_end_io = end_sync_read; + read_bio->bi_rw = READ; +- read_bio->bi_flags &= ~(BIO_POOL_MASK - 1); ++ read_bio->bi_flags &= (~0UL << BIO_RESET_BITS); + read_bio->bi_flags |= 1 << BIO_UPTODATE; + read_bio->bi_vcnt = 0; + read_bio->bi_iter.bi_size = 0; diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c -index 16f5c21..522b82e 100644 +index 16f5c21..c5d72c7 100644 --- a/drivers/md/raid5.c +++ b/drivers/md/raid5.c @@ -1707,6 +1707,10 @@ static int grow_one_stripe(struct r5conf *conf, int hash) @@ -44580,6 +44676,15 @@ index 16f5c21..522b82e 100644 > conf->max_nr_stripes) printk(KERN_WARNING "md/raid:%s: Too many read errors, failing device %s.\n", +@@ -3779,6 +3787,8 @@ static void handle_stripe(struct stripe_head *sh) + set_bit(R5_Wantwrite, &dev->flags); + if (prexor) + continue; ++ if (s.failed > 1) ++ continue; + if (!test_bit(R5_Insync, &dev->flags) || + ((i == sh->pd_idx || i == sh->qd_idx) && + s.failed == 0)) diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c index 983db75..ef9248c 100644 --- a/drivers/media/dvb-core/dvbdev.c @@ -61787,6 +61892,185 @@ index e846a32..bb06bd0 100644 put_cpu_var(last_ino); return res; } +diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c +index 4a9e10e..a9daccb 100644 +--- a/fs/isofs/inode.c ++++ b/fs/isofs/inode.c +@@ -61,7 +61,7 @@ static void isofs_put_super(struct super_block *sb) + return; + } + +-static int isofs_read_inode(struct inode *); ++static int isofs_read_inode(struct inode *, int relocated); + static int isofs_statfs (struct dentry *, struct kstatfs *); + + static struct kmem_cache *isofs_inode_cachep; +@@ -1258,7 +1258,7 @@ out_toomany: + goto out; + } + +-static int isofs_read_inode(struct inode *inode) ++static int isofs_read_inode(struct inode *inode, int relocated) + { + struct super_block *sb = inode->i_sb; + struct isofs_sb_info *sbi = ISOFS_SB(sb); +@@ -1403,7 +1403,7 @@ static int isofs_read_inode(struct inode *inode) + */ + + if (!high_sierra) { +- parse_rock_ridge_inode(de, inode); ++ parse_rock_ridge_inode(de, inode, relocated); + /* if we want uid/gid set, override the rock ridge setting */ + if (sbi->s_uid_set) + inode->i_uid = sbi->s_uid; +@@ -1482,9 +1482,10 @@ static int isofs_iget5_set(struct inode *ino, void *data) + * offset that point to the underlying meta-data for the inode. The + * code below is otherwise similar to the iget() code in + * include/linux/fs.h */ +-struct inode *isofs_iget(struct super_block *sb, +- unsigned long block, +- unsigned long offset) ++struct inode *__isofs_iget(struct super_block *sb, ++ unsigned long block, ++ unsigned long offset, ++ int relocated) + { + unsigned long hashval; + struct inode *inode; +@@ -1506,7 +1507,7 @@ struct inode *isofs_iget(struct super_block *sb, + return ERR_PTR(-ENOMEM); + + if (inode->i_state & I_NEW) { +- ret = isofs_read_inode(inode); ++ ret = isofs_read_inode(inode, relocated); + if (ret < 0) { + iget_failed(inode); + inode = ERR_PTR(ret); +diff --git a/fs/isofs/isofs.h b/fs/isofs/isofs.h +index 9916723..0ac4c1f 100644 +--- a/fs/isofs/isofs.h ++++ b/fs/isofs/isofs.h +@@ -107,7 +107,7 @@ extern int iso_date(char *, int); + + struct inode; /* To make gcc happy */ + +-extern int parse_rock_ridge_inode(struct iso_directory_record *, struct inode *); ++extern int parse_rock_ridge_inode(struct iso_directory_record *, struct inode *, int relocated); + extern int get_rock_ridge_filename(struct iso_directory_record *, char *, struct inode *); + extern int isofs_name_translate(struct iso_directory_record *, char *, struct inode *); + +@@ -118,9 +118,24 @@ extern struct dentry *isofs_lookup(struct inode *, struct dentry *, unsigned int + extern struct buffer_head *isofs_bread(struct inode *, sector_t); + extern int isofs_get_blocks(struct inode *, sector_t, struct buffer_head **, unsigned long); + +-extern struct inode *isofs_iget(struct super_block *sb, +- unsigned long block, +- unsigned long offset); ++struct inode *__isofs_iget(struct super_block *sb, ++ unsigned long block, ++ unsigned long offset, ++ int relocated); ++ ++static inline struct inode *isofs_iget(struct super_block *sb, ++ unsigned long block, ++ unsigned long offset) ++{ ++ return __isofs_iget(sb, block, offset, 0); ++} ++ ++static inline struct inode *isofs_iget_reloc(struct super_block *sb, ++ unsigned long block, ++ unsigned long offset) ++{ ++ return __isofs_iget(sb, block, offset, 1); ++} + + /* Because the inode number is no longer relevant to finding the + * underlying meta-data for an inode, we are free to choose a more +diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c +index c0bf424..f488bba 100644 +--- a/fs/isofs/rock.c ++++ b/fs/isofs/rock.c +@@ -288,12 +288,16 @@ eio: + goto out; + } + ++#define RR_REGARD_XA 1 ++#define RR_RELOC_DE 2 ++ + static int + parse_rock_ridge_inode_internal(struct iso_directory_record *de, +- struct inode *inode, int regard_xa) ++ struct inode *inode, int flags) + { + int symlink_len = 0; + int cnt, sig; ++ unsigned int reloc_block; + struct inode *reloc; + struct rock_ridge *rr; + int rootflag; +@@ -305,7 +309,7 @@ parse_rock_ridge_inode_internal(struct iso_directory_record *de, + + init_rock_state(&rs, inode); + setup_rock_ridge(de, inode, &rs); +- if (regard_xa) { ++ if (flags & RR_REGARD_XA) { + rs.chr += 14; + rs.len -= 14; + if (rs.len < 0) +@@ -485,12 +489,22 @@ repeat: + "relocated directory\n"); + goto out; + case SIG('C', 'L'): +- ISOFS_I(inode)->i_first_extent = +- isonum_733(rr->u.CL.location); +- reloc = +- isofs_iget(inode->i_sb, +- ISOFS_I(inode)->i_first_extent, +- 0); ++ if (flags & RR_RELOC_DE) { ++ printk(KERN_ERR ++ "ISOFS: Recursive directory relocation " ++ "is not supported\n"); ++ goto eio; ++ } ++ reloc_block = isonum_733(rr->u.CL.location); ++ if (reloc_block == ISOFS_I(inode)->i_iget5_block && ++ ISOFS_I(inode)->i_iget5_offset == 0) { ++ printk(KERN_ERR ++ "ISOFS: Directory relocation points to " ++ "itself\n"); ++ goto eio; ++ } ++ ISOFS_I(inode)->i_first_extent = reloc_block; ++ reloc = isofs_iget_reloc(inode->i_sb, reloc_block, 0); + if (IS_ERR(reloc)) { + ret = PTR_ERR(reloc); + goto out; +@@ -637,9 +651,11 @@ static char *get_symlink_chunk(char *rpnt, struct rock_ridge *rr, char *plimit) + return rpnt; + } + +-int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode) ++int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode, ++ int relocated) + { +- int result = parse_rock_ridge_inode_internal(de, inode, 0); ++ int flags = relocated ? RR_RELOC_DE : 0; ++ int result = parse_rock_ridge_inode_internal(de, inode, flags); + + /* + * if rockridge flag was reset and we didn't look for attributes +@@ -647,7 +663,8 @@ int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode) + */ + if ((ISOFS_SB(inode->i_sb)->s_rock_offset == -1) + && (ISOFS_SB(inode->i_sb)->s_rock == 2)) { +- result = parse_rock_ridge_inode_internal(de, inode, 14); ++ result = parse_rock_ridge_inode_internal(de, inode, ++ flags | RR_REGARD_XA); + } + return result; + } diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c index 4a6cf28..d3a29d3 100644 --- a/fs/jffs2/erase.c @@ -65487,7 +65771,7 @@ index 467bb1c..cf9d65a 100644 return -EINVAL; diff --git a/fs/seq_file.c b/fs/seq_file.c -index 1d641bb..c2f4743 100644 +index 1d641bb..9ca7f61 100644 --- a/fs/seq_file.c +++ b/fs/seq_file.c @@ -10,6 +10,8 @@ @@ -65580,6 +65864,15 @@ index 1d641bb..c2f4743 100644 int res = -ENOMEM; if (op) { +@@ -605,7 +620,7 @@ EXPORT_SYMBOL(single_open); + int single_open_size(struct file *file, int (*show)(struct seq_file *, void *), + void *data, size_t size) + { +- char *buf = kmalloc(size, GFP_KERNEL); ++ char *buf = kmalloc(size, GFP_KERNEL | GFP_USERCOPY); + int ret; + if (!buf) + return -ENOMEM; @@ -620,6 +635,17 @@ int single_open_size(struct file *file, int (*show)(struct seq_file *, void *), } EXPORT_SYMBOL(single_open_size); @@ -66136,10 +66429,10 @@ index 78e62cc..eec3706 100644 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..bfd482c +index 0000000..27cec32 --- /dev/null +++ b/grsecurity/Kconfig -@@ -0,0 +1,1176 @@ +@@ -0,0 +1,1166 @@ +# +# grecurity configuration +# @@ -67072,16 +67365,6 @@ index 0000000..bfd482c +menu "Network Protections" +depends on GRKERNSEC + -+config GRKERNSEC_RANDNET -+ bool "Larger entropy pools" -+ default y if GRKERNSEC_CONFIG_AUTO -+ help -+ If you say Y here, the entropy pools used for many features of Linux -+ and grsecurity will be doubled in size. Since several grsecurity -+ features use additional randomness, it is recommended that you say Y -+ here. Saying Y here has a similar effect as modifying -+ /proc/sys/kernel/random/poolsize. -+ +config GRKERNSEC_BLACKHOLE + bool "TCP/UDP blackhole and LAST_ACK DoS prevention" + default y if GRKERNSEC_CONFIG_AUTO @@ -70174,10 +70457,10 @@ index 0000000..18ffbbd +} diff --git a/grsecurity/gracl_cap.c b/grsecurity/gracl_cap.c new file mode 100644 -index 0000000..bdd51ea +index 0000000..1a94c11 --- /dev/null +++ b/grsecurity/gracl_cap.c -@@ -0,0 +1,110 @@ +@@ -0,0 +1,127 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -70188,6 +70471,29 @@ index 0000000..bdd51ea +extern const char *captab_log[]; +extern int captab_log_entries; + ++int gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap) ++{ ++ struct acl_subject_label *curracl; ++ ++ if (!gr_acl_is_enabled()) ++ return 1; ++ ++ curracl = task->acl; ++ ++ if (curracl->mode & (GR_LEARN | GR_INHERITLEARN)) { ++ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, ++ task->role->roletype, GR_GLOBAL_UID(cred->uid), ++ GR_GLOBAL_GID(cred->gid), task->exec_file ? ++ gr_to_filename(task->exec_file->f_path.dentry, ++ task->exec_file->f_path.mnt) : curracl->filename, ++ curracl->filename, 0UL, ++ 0UL, "", (unsigned long) cap, &task->signal->saved_ip); ++ return 1; ++ } ++ ++ return 0; ++} ++ +int gr_task_acl_is_capable(const struct task_struct *task, const struct cred *cred, const int cap) +{ + struct acl_subject_label *curracl; @@ -70224,19 +70530,13 @@ index 0000000..bdd51ea + return 1; + } + -+ curracl = task->acl; -+ -+ if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) -+ && cap_raised(cred->cap_effective, cap)) { -+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, -+ task->role->roletype, GR_GLOBAL_UID(cred->uid), -+ GR_GLOBAL_GID(cred->gid), task->exec_file ? -+ gr_to_filename(task->exec_file->f_path.dentry, -+ task->exec_file->f_path.mnt) : curracl->filename, -+ curracl->filename, 0UL, -+ 0UL, "", (unsigned long) cap, &task->signal->saved_ip); ++ /* only learn the capability use if the process has the capability in the ++ general case, the two uses in sys.c of gr_learn_cap are an exception ++ to this rule to ensure any role transition involves what the full-learned ++ policy believes in a privileged process ++ */ ++ if (cap_raised(cred->cap_effective, cap) && gr_learn_cap(task, cred, cap)) + return 1; -+ } + + if ((cap >= 0) && (cap < captab_log_entries) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap)) + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]); @@ -74259,10 +74559,10 @@ index 0000000..baa635c +} diff --git a/grsecurity/grsec_disabled.c b/grsecurity/grsec_disabled.c new file mode 100644 -index 0000000..4d6fce8 +index 0000000..1e028d7 --- /dev/null +++ b/grsecurity/grsec_disabled.c -@@ -0,0 +1,433 @@ +@@ -0,0 +1,439 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -74304,6 +74604,12 @@ index 0000000..4d6fce8 + return 0; +} + ++int ++gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap) ++{ ++ return 0; ++} ++ +void +gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode) +{ @@ -74698,10 +75004,10 @@ index 0000000..4d6fce8 +#endif diff --git a/grsecurity/grsec_exec.c b/grsecurity/grsec_exec.c new file mode 100644 -index 0000000..f35f454 +index 0000000..14638ff --- /dev/null +++ b/grsecurity/grsec_exec.c -@@ -0,0 +1,187 @@ +@@ -0,0 +1,188 @@ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/file.h> @@ -74836,7 +75142,8 @@ index 0000000..f35f454 + "CAP_MAC_OVERRIDE", + "CAP_MAC_ADMIN", + "CAP_SYSLOG", -+ "CAP_WAKE_ALARM" ++ "CAP_WAKE_ALARM", ++ "CAP_BLOCK_SUSPEND" +}; + +int captab_log_entries = sizeof(captab_log)/sizeof(captab_log[0]); @@ -76944,10 +77251,10 @@ index 0000000..61b514e +EXPORT_SYMBOL_GPL(gr_log_timechange); diff --git a/grsecurity/grsec_tpe.c b/grsecurity/grsec_tpe.c new file mode 100644 -index 0000000..ee57dcf +index 0000000..d1953de --- /dev/null +++ b/grsecurity/grsec_tpe.c -@@ -0,0 +1,73 @@ +@@ -0,0 +1,78 @@ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/file.h> @@ -76961,6 +77268,7 @@ index 0000000..ee57dcf +{ +#ifdef CONFIG_GRKERNSEC + struct inode *inode = file->f_path.dentry->d_parent->d_inode; ++ struct inode *file_inode = file->f_path.dentry->d_inode; + const struct cred *cred = current_cred(); + char *msg = NULL; + char *msg2 = NULL; @@ -76993,6 +77301,8 @@ index 0000000..ee57dcf + msg2 = "file in world-writable directory"; + else if (inode->i_mode & S_IWGRP) + msg2 = "file in group-writable directory"; ++ else if (file_inode->i_mode & S_IWOTH) ++ msg2 = "file is world-writable"; + + if (msg && msg2) { + char fullmsg[70] = {0}; @@ -77012,6 +77322,8 @@ index 0000000..ee57dcf + msg = "file in world-writable directory"; + else if (inode->i_mode & S_IWGRP) + msg = "file in group-writable directory"; ++ else if (file_inode->i_mode & S_IWOTH) ++ msg = "file is world-writable"; + + if (msg) { + gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, msg, file->f_path.dentry, file->f_path.mnt); @@ -80065,10 +80377,10 @@ index 0000000..b02ba9d +#define GR_MSRWRITE_MSG "denied write to CPU MSR by " diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h new file mode 100644 -index 0000000..b87dd26 +index 0000000..acda855 --- /dev/null +++ b/include/linux/grsecurity.h -@@ -0,0 +1,252 @@ +@@ -0,0 +1,254 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H +#include <linux/fs.h> @@ -80108,6 +80420,8 @@ index 0000000..b87dd26 +int gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs); +int gr_check_group_change(kgid_t real, kgid_t effective, kgid_t fs); + ++int gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap); ++ +void gr_del_task_from_ip_table(struct task_struct *p); + +int gr_pid_is_chrooted(struct task_struct *p); @@ -86036,10 +86350,25 @@ index 1191a44..7c81292 100644 +} +EXPORT_SYMBOL(capable_wrt_inode_uidgid_nolog); diff --git a/kernel/cgroup.c b/kernel/cgroup.c -index 0c753dd..dd7d3d6 100644 +index 0c753dd..3ce8cca 100644 --- a/kernel/cgroup.c +++ b/kernel/cgroup.c -@@ -5372,7 +5372,7 @@ static int cgroup_css_links_read(struct seq_file *seq, void *v) +@@ -5190,6 +5190,14 @@ static void cgroup_release_agent(struct work_struct *work) + release_list); + list_del_init(&cgrp->release_list); + raw_spin_unlock(&release_list_lock); ++ ++ /* ++ * don't bother calling call_usermodehelper if we haven't ++ * configured a binary to execute ++ */ ++ if (cgrp->root->release_agent_path[0] == '\0') ++ goto continue_free; ++ + pathbuf = kmalloc(PAGE_SIZE, GFP_KERNEL); + if (!pathbuf) + goto continue_free; +@@ -5372,7 +5380,7 @@ static int cgroup_css_links_read(struct seq_file *seq, void *v) struct css_set *cset = link->cset; struct task_struct *task; int count = 0; @@ -90666,7 +90995,7 @@ index 490fcbb..1e502c6 100644 .thread_should_run = ksoftirqd_should_run, .thread_fn = run_ksoftirqd, diff --git a/kernel/sys.c b/kernel/sys.c -index c0a58be..784c618 100644 +index c0a58be..95e292b 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -148,6 +148,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error) @@ -90682,17 +91011,28 @@ index c0a58be..784c618 100644 no_nice = security_task_setnice(p, niceval); if (no_nice) { error = no_nice; -@@ -351,6 +357,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid) +@@ -351,6 +357,20 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid) goto error; } + if (gr_check_group_change(new->gid, new->egid, INVALID_GID)) + goto error; + ++ if (!gid_eq(new->gid, old->gid)) { ++ /* make sure we generate a learn log for what will ++ end up being a role transition after a full-learning ++ policy is generated ++ CAP_SETGID is required to perform a transition ++ we may not log a CAP_SETGID check above, e.g. ++ in the case where new rgid = old egid ++ */ ++ gr_learn_cap(current, new, CAP_SETGID); ++ } ++ if (rgid != (gid_t) -1 || (egid != (gid_t) -1 && !gid_eq(kegid, old->gid))) new->sgid = new->egid; -@@ -386,6 +395,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid) +@@ -386,6 +406,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid) old = current_cred(); retval = -EPERM; @@ -90703,7 +91043,7 @@ index c0a58be..784c618 100644 if (ns_capable(old->user_ns, CAP_SETGID)) new->gid = new->egid = new->sgid = new->fsgid = kgid; else if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->sgid)) -@@ -403,7 +416,7 @@ error: +@@ -403,7 +427,7 @@ error: /* * change the user struct in a credentials set to match the new UID */ @@ -90712,7 +91052,7 @@ index c0a58be..784c618 100644 { struct user_struct *new_user; -@@ -483,6 +496,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid) +@@ -483,7 +507,18 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid) goto error; } @@ -90720,9 +91060,18 @@ index c0a58be..784c618 100644 + goto error; + if (!uid_eq(new->uid, old->uid)) { ++ /* make sure we generate a learn log for what will ++ end up being a role transition after a full-learning ++ policy is generated ++ CAP_SETUID is required to perform a transition ++ we may not log a CAP_SETUID check above, e.g. ++ in the case where new ruid = old euid ++ */ ++ gr_learn_cap(current, new, CAP_SETUID); retval = set_user(new); if (retval < 0) -@@ -533,6 +549,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid) + goto error; +@@ -533,6 +568,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid) old = current_cred(); retval = -EPERM; @@ -90735,7 +91084,7 @@ index c0a58be..784c618 100644 if (ns_capable(old->user_ns, CAP_SETUID)) { new->suid = new->uid = kuid; if (!uid_eq(kuid, old->uid)) { -@@ -602,6 +624,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) +@@ -602,6 +643,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) goto error; } @@ -90745,7 +91094,7 @@ index c0a58be..784c618 100644 if (ruid != (uid_t) -1) { new->uid = kruid; if (!uid_eq(kruid, old->uid)) { -@@ -684,6 +709,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid) +@@ -684,6 +728,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid) goto error; } @@ -90755,7 +91104,7 @@ index c0a58be..784c618 100644 if (rgid != (gid_t) -1) new->gid = krgid; if (egid != (gid_t) -1) -@@ -745,12 +773,16 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid) +@@ -745,12 +792,16 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid) uid_eq(kuid, old->suid) || uid_eq(kuid, old->fsuid) || ns_capable(old->user_ns, CAP_SETUID)) { if (!uid_eq(kuid, old->fsuid)) { @@ -90772,7 +91121,7 @@ index c0a58be..784c618 100644 abort_creds(new); return old_fsuid; -@@ -783,12 +815,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid) +@@ -783,12 +834,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid) if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->egid) || gid_eq(kgid, old->sgid) || gid_eq(kgid, old->fsgid) || ns_capable(old->user_ns, CAP_SETGID)) { @@ -90789,7 +91138,7 @@ index c0a58be..784c618 100644 abort_creds(new); return old_fsgid; -@@ -1167,19 +1203,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name) +@@ -1167,19 +1222,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name) return -EFAULT; down_read(&uts_sem); @@ -90814,7 +91163,7 @@ index c0a58be..784c618 100644 __OLD_UTS_LEN); error |= __put_user(0, name->machine + __OLD_UTS_LEN); up_read(&uts_sem); -@@ -1381,6 +1417,13 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource, +@@ -1381,6 +1436,13 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource, */ new_rlim->rlim_cur = 1; } @@ -94079,7 +94428,7 @@ index b1eb536..091d154 100644 capable(CAP_IPC_LOCK)) ret = do_mlockall(flags); diff --git a/mm/mmap.c b/mm/mmap.c -index 20ff0c3..a9eda98 100644 +index 20ff0c3..005dc47 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -36,6 +36,7 @@ @@ -94152,15 +94501,20 @@ index 20ff0c3..a9eda98 100644 if (vma->vm_ops && vma->vm_ops->close) vma->vm_ops->close(vma); if (vma->vm_file) -@@ -290,6 +312,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk) +@@ -290,6 +312,12 @@ SYSCALL_DEFINE1(brk, unsigned long, brk) * not page aligned -Ram Gupta */ rlim = rlimit(RLIMIT_DATA); ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ /* force a minimum 16MB brk heap on setuid/setgid binaries */ ++ if (rlim < PAGE_SIZE && (get_dumpable(mm) != SUID_DUMP_USER) && gr_is_global_nonroot(current_uid())) ++ rlim = 4096 * PAGE_SIZE; ++#endif + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1); if (rlim < RLIM_INFINITY && (brk - mm->start_brk) + (mm->end_data - mm->start_data) > rlim) goto out; -@@ -940,6 +963,12 @@ static int +@@ -940,6 +968,12 @@ static int can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags, struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff) { @@ -94173,7 +94527,7 @@ index 20ff0c3..a9eda98 100644 if (is_mergeable_vma(vma, file, vm_flags) && is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) { if (vma->vm_pgoff == vm_pgoff) -@@ -959,6 +988,12 @@ static int +@@ -959,6 +993,12 @@ static int can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags, struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff) { @@ -94186,7 +94540,7 @@ index 20ff0c3..a9eda98 100644 if (is_mergeable_vma(vma, file, vm_flags) && is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) { pgoff_t vm_pglen; -@@ -1001,13 +1036,20 @@ can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags, +@@ -1001,13 +1041,20 @@ can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags, struct vm_area_struct *vma_merge(struct mm_struct *mm, struct vm_area_struct *prev, unsigned long addr, unsigned long end, unsigned long vm_flags, @@ -94208,7 +94562,7 @@ index 20ff0c3..a9eda98 100644 /* * We later require that vma->vm_flags == vm_flags, * so this tests vma->vm_flags & VM_SPECIAL, too. -@@ -1023,6 +1065,15 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, +@@ -1023,6 +1070,15 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, if (next && next->vm_end == end) /* cases 6, 7, 8 */ next = next->vm_next; @@ -94224,7 +94578,7 @@ index 20ff0c3..a9eda98 100644 /* * Can it merge with the predecessor? */ -@@ -1042,9 +1093,24 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, +@@ -1042,9 +1098,24 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, /* cases 1, 6 */ err = vma_adjust(prev, prev->vm_start, next->vm_end, prev->vm_pgoff, NULL); @@ -94250,7 +94604,7 @@ index 20ff0c3..a9eda98 100644 if (err) return NULL; khugepaged_enter_vma_merge(prev); -@@ -1058,12 +1124,27 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, +@@ -1058,12 +1129,27 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm, mpol_equal(policy, vma_policy(next)) && can_vma_merge_before(next, vm_flags, anon_vma, file, pgoff+pglen)) { @@ -94280,7 +94634,7 @@ index 20ff0c3..a9eda98 100644 if (err) return NULL; khugepaged_enter_vma_merge(area); -@@ -1172,8 +1253,10 @@ none: +@@ -1172,8 +1258,10 @@ none: void vm_stat_account(struct mm_struct *mm, unsigned long flags, struct file *file, long pages) { @@ -94293,7 +94647,7 @@ index 20ff0c3..a9eda98 100644 mm->total_vm += pages; -@@ -1181,7 +1264,7 @@ void vm_stat_account(struct mm_struct *mm, unsigned long flags, +@@ -1181,7 +1269,7 @@ void vm_stat_account(struct mm_struct *mm, unsigned long flags, mm->shared_vm += pages; if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC) mm->exec_vm += pages; @@ -94302,7 +94656,7 @@ index 20ff0c3..a9eda98 100644 mm->stack_vm += pages; } #endif /* CONFIG_PROC_FS */ -@@ -1211,6 +1294,7 @@ static inline int mlock_future_check(struct mm_struct *mm, +@@ -1211,6 +1299,7 @@ static inline int mlock_future_check(struct mm_struct *mm, locked += mm->locked_vm; lock_limit = rlimit(RLIMIT_MEMLOCK); lock_limit >>= PAGE_SHIFT; @@ -94310,7 +94664,7 @@ index 20ff0c3..a9eda98 100644 if (locked > lock_limit && !capable(CAP_IPC_LOCK)) return -EAGAIN; } -@@ -1237,7 +1321,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -1237,7 +1326,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, * (the exception is when the underlying filesystem is noexec * mounted, in which case we dont add PROT_EXEC.) */ @@ -94319,7 +94673,7 @@ index 20ff0c3..a9eda98 100644 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC))) prot |= PROT_EXEC; -@@ -1263,7 +1347,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -1263,7 +1352,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, /* Obtain the address to map to. we verify (or select) it and ensure * that it represents a valid section of the address space. */ @@ -94328,7 +94682,7 @@ index 20ff0c3..a9eda98 100644 if (addr & ~PAGE_MASK) return addr; -@@ -1274,6 +1358,43 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -1274,6 +1363,43 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; @@ -94372,7 +94726,7 @@ index 20ff0c3..a9eda98 100644 if (flags & MAP_LOCKED) if (!can_do_mlock()) return -EPERM; -@@ -1361,6 +1482,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, +@@ -1361,6 +1487,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, vm_flags |= VM_NORESERVE; } @@ -94382,7 +94736,7 @@ index 20ff0c3..a9eda98 100644 addr = mmap_region(file, addr, len, vm_flags, pgoff); if (!IS_ERR_VALUE(addr) && ((vm_flags & VM_LOCKED) || -@@ -1454,7 +1578,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma) +@@ -1454,7 +1583,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma) vm_flags_t vm_flags = vma->vm_flags; /* If it was private or non-writable, the write bit is already clear */ @@ -94391,7 +94745,7 @@ index 20ff0c3..a9eda98 100644 return 0; /* The backer wishes to know when pages are first written to? */ -@@ -1500,7 +1624,22 @@ unsigned long mmap_region(struct file *file, unsigned long addr, +@@ -1500,7 +1629,22 @@ unsigned long mmap_region(struct file *file, unsigned long addr, struct rb_node **rb_link, *rb_parent; unsigned long charged = 0; @@ -94414,7 +94768,7 @@ index 20ff0c3..a9eda98 100644 if (!may_expand_vm(mm, len >> PAGE_SHIFT)) { unsigned long nr_pages; -@@ -1519,11 +1658,10 @@ unsigned long mmap_region(struct file *file, unsigned long addr, +@@ -1519,11 +1663,10 @@ unsigned long mmap_region(struct file *file, unsigned long addr, /* Clear old maps */ error = -ENOMEM; @@ -94427,7 +94781,7 @@ index 20ff0c3..a9eda98 100644 } /* -@@ -1554,6 +1692,16 @@ munmap_back: +@@ -1554,6 +1697,16 @@ munmap_back: goto unacct_error; } @@ -94444,7 +94798,7 @@ index 20ff0c3..a9eda98 100644 vma->vm_mm = mm; vma->vm_start = addr; vma->vm_end = addr + len; -@@ -1573,6 +1721,13 @@ munmap_back: +@@ -1573,6 +1726,13 @@ munmap_back: if (error) goto unmap_and_free_vma; @@ -94458,7 +94812,7 @@ index 20ff0c3..a9eda98 100644 /* Can addr have changed?? * * Answer: Yes, several device drivers can do it in their -@@ -1606,6 +1761,12 @@ munmap_back: +@@ -1606,6 +1766,12 @@ munmap_back: } vma_link(mm, vma, prev, rb_link, rb_parent); @@ -94471,7 +94825,7 @@ index 20ff0c3..a9eda98 100644 /* Once vma denies write, undo our temporary denial count */ if (vm_flags & VM_DENYWRITE) allow_write_access(file); -@@ -1614,6 +1775,7 @@ out: +@@ -1614,6 +1780,7 @@ out: perf_event_mmap(vma); vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT); @@ -94479,7 +94833,7 @@ index 20ff0c3..a9eda98 100644 if (vm_flags & VM_LOCKED) { if (!((vm_flags & VM_SPECIAL) || is_vm_hugetlb_page(vma) || vma == get_gate_vma(current->mm))) -@@ -1646,6 +1808,12 @@ unmap_and_free_vma: +@@ -1646,6 +1813,12 @@ unmap_and_free_vma: unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); charged = 0; free_vma: @@ -94492,7 +94846,7 @@ index 20ff0c3..a9eda98 100644 kmem_cache_free(vm_area_cachep, vma); unacct_error: if (charged) -@@ -1653,7 +1821,63 @@ unacct_error: +@@ -1653,7 +1826,63 @@ unacct_error: return error; } @@ -94557,7 +94911,7 @@ index 20ff0c3..a9eda98 100644 { /* * We implement the search by looking for an rbtree node that -@@ -1701,11 +1925,29 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info) +@@ -1701,11 +1930,29 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info) } } @@ -94588,7 +94942,7 @@ index 20ff0c3..a9eda98 100644 if (gap_end >= low_limit && gap_end - gap_start >= length) goto found; -@@ -1755,7 +1997,7 @@ found: +@@ -1755,7 +2002,7 @@ found: return gap_start; } @@ -94597,7 +94951,7 @@ index 20ff0c3..a9eda98 100644 { struct mm_struct *mm = current->mm; struct vm_area_struct *vma; -@@ -1809,6 +2051,24 @@ check_current: +@@ -1809,6 +2056,24 @@ check_current: gap_end = vma->vm_start; if (gap_end < low_limit) return -ENOMEM; @@ -94622,7 +94976,7 @@ index 20ff0c3..a9eda98 100644 if (gap_start <= high_limit && gap_end - gap_start >= length) goto found; -@@ -1872,6 +2132,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -1872,6 +2137,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, struct mm_struct *mm = current->mm; struct vm_area_struct *vma; struct vm_unmapped_area_info info; @@ -94630,7 +94984,7 @@ index 20ff0c3..a9eda98 100644 if (len > TASK_SIZE - mmap_min_addr) return -ENOMEM; -@@ -1879,11 +2140,15 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -1879,11 +2145,15 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, if (flags & MAP_FIXED) return addr; @@ -94647,7 +95001,7 @@ index 20ff0c3..a9eda98 100644 return addr; } -@@ -1892,6 +2157,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -1892,6 +2162,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, info.low_limit = mm->mmap_base; info.high_limit = TASK_SIZE; info.align_mask = 0; @@ -94655,7 +95009,7 @@ index 20ff0c3..a9eda98 100644 return vm_unmapped_area(&info); } #endif -@@ -1910,6 +2176,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1910,6 +2181,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, struct mm_struct *mm = current->mm; unsigned long addr = addr0; struct vm_unmapped_area_info info; @@ -94663,7 +95017,7 @@ index 20ff0c3..a9eda98 100644 /* requested length too big for entire address space */ if (len > TASK_SIZE - mmap_min_addr) -@@ -1918,12 +2185,16 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1918,12 +2190,16 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (flags & MAP_FIXED) return addr; @@ -94681,7 +95035,7 @@ index 20ff0c3..a9eda98 100644 return addr; } -@@ -1932,6 +2203,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1932,6 +2208,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, info.low_limit = max(PAGE_SIZE, mmap_min_addr); info.high_limit = mm->mmap_base; info.align_mask = 0; @@ -94689,7 +95043,7 @@ index 20ff0c3..a9eda98 100644 addr = vm_unmapped_area(&info); /* -@@ -1944,6 +2216,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1944,6 +2221,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, VM_BUG_ON(addr != -ENOMEM); info.flags = 0; info.low_limit = TASK_UNMAPPED_BASE; @@ -94702,7 +95056,7 @@ index 20ff0c3..a9eda98 100644 info.high_limit = TASK_SIZE; addr = vm_unmapped_area(&info); } -@@ -2045,6 +2323,28 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr, +@@ -2045,6 +2328,28 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr, return vma; } @@ -94731,7 +95085,7 @@ index 20ff0c3..a9eda98 100644 /* * Verify that the stack growth is acceptable and * update accounting. This is shared with both the -@@ -2061,6 +2361,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -2061,6 +2366,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns return -ENOMEM; /* Stack limit test */ @@ -94739,7 +95093,7 @@ index 20ff0c3..a9eda98 100644 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur)) return -ENOMEM; -@@ -2071,6 +2372,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -2071,6 +2377,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns locked = mm->locked_vm + grow; limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur); limit >>= PAGE_SHIFT; @@ -94747,7 +95101,7 @@ index 20ff0c3..a9eda98 100644 if (locked > limit && !capable(CAP_IPC_LOCK)) return -ENOMEM; } -@@ -2100,37 +2402,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -2100,37 +2407,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns * PA-RISC uses this for its stack; IA64 for its Register Backing Store. * vma is the last one with address > vma->vm_end. Have to extend vma. */ @@ -94805,7 +95159,7 @@ index 20ff0c3..a9eda98 100644 unsigned long size, grow; size = address - vma->vm_start; -@@ -2165,6 +2478,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) +@@ -2165,6 +2483,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) } } } @@ -94814,7 +95168,7 @@ index 20ff0c3..a9eda98 100644 vma_unlock_anon_vma(vma); khugepaged_enter_vma_merge(vma); validate_mm(vma->vm_mm); -@@ -2179,6 +2494,8 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2179,6 +2499,8 @@ int expand_downwards(struct vm_area_struct *vma, unsigned long address) { int error; @@ -94823,7 +95177,7 @@ index 20ff0c3..a9eda98 100644 /* * We must make sure the anon_vma is allocated -@@ -2192,6 +2509,15 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2192,6 +2514,15 @@ int expand_downwards(struct vm_area_struct *vma, if (error) return error; @@ -94839,7 +95193,7 @@ index 20ff0c3..a9eda98 100644 vma_lock_anon_vma(vma); /* -@@ -2201,9 +2527,17 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2201,9 +2532,17 @@ int expand_downwards(struct vm_area_struct *vma, */ /* Somebody else might have raced and expanded it already */ @@ -94858,7 +95212,7 @@ index 20ff0c3..a9eda98 100644 size = vma->vm_end - address; grow = (vma->vm_start - address) >> PAGE_SHIFT; -@@ -2228,13 +2562,27 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2228,13 +2567,27 @@ int expand_downwards(struct vm_area_struct *vma, vma->vm_pgoff -= grow; anon_vma_interval_tree_post_update_vma(vma); vma_gap_update(vma); @@ -94886,7 +95240,7 @@ index 20ff0c3..a9eda98 100644 khugepaged_enter_vma_merge(vma); validate_mm(vma->vm_mm); return error; -@@ -2332,6 +2680,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -2332,6 +2685,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) do { long nrpages = vma_pages(vma); @@ -94900,7 +95254,7 @@ index 20ff0c3..a9eda98 100644 if (vma->vm_flags & VM_ACCOUNT) nr_accounted += nrpages; vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); -@@ -2376,6 +2731,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2376,6 +2736,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, insertion_point = (prev ? &prev->vm_next : &mm->mmap); vma->vm_prev = NULL; do { @@ -94917,7 +95271,7 @@ index 20ff0c3..a9eda98 100644 vma_rb_erase(vma, &mm->mm_rb); mm->map_count--; tail_vma = vma; -@@ -2401,14 +2766,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2401,14 +2771,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, struct vm_area_struct *new; int err = -ENOMEM; @@ -94951,7 +95305,7 @@ index 20ff0c3..a9eda98 100644 /* most fields are the same, copy all, and then fixup */ *new = *vma; -@@ -2421,6 +2805,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2421,6 +2810,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); } @@ -94974,7 +95328,7 @@ index 20ff0c3..a9eda98 100644 err = vma_dup_policy(vma, new); if (err) goto out_free_vma; -@@ -2440,6 +2840,38 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2440,6 +2845,38 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, else err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); @@ -95013,7 +95367,7 @@ index 20ff0c3..a9eda98 100644 /* Success. */ if (!err) return 0; -@@ -2449,10 +2881,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2449,10 +2886,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, new->vm_ops->close(new); if (new->vm_file) fput(new->vm_file); @@ -95033,7 +95387,7 @@ index 20ff0c3..a9eda98 100644 kmem_cache_free(vm_area_cachep, new); out_err: return err; -@@ -2465,6 +2905,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2465,6 +2910,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long addr, int new_below) { @@ -95049,7 +95403,7 @@ index 20ff0c3..a9eda98 100644 if (mm->map_count >= sysctl_max_map_count) return -ENOMEM; -@@ -2476,11 +2925,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2476,11 +2930,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, * work. This now handles partial unmappings. * Jeremy Fitzhardinge <jeremy@goop.org> */ @@ -95080,7 +95434,7 @@ index 20ff0c3..a9eda98 100644 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) return -EINVAL; -@@ -2555,6 +3023,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) +@@ -2555,6 +3028,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) /* Fix up all other VM information */ remove_vma_list(mm, vma); @@ -95089,7 +95443,7 @@ index 20ff0c3..a9eda98 100644 return 0; } -@@ -2563,6 +3033,13 @@ int vm_munmap(unsigned long start, size_t len) +@@ -2563,6 +3038,13 @@ int vm_munmap(unsigned long start, size_t len) int ret; struct mm_struct *mm = current->mm; @@ -95103,7 +95457,7 @@ index 20ff0c3..a9eda98 100644 down_write(&mm->mmap_sem); ret = do_munmap(mm, start, len); up_write(&mm->mmap_sem); -@@ -2576,16 +3053,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) +@@ -2576,16 +3058,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) return vm_munmap(addr, len); } @@ -95120,7 +95474,7 @@ index 20ff0c3..a9eda98 100644 /* * this is really a simplified "do_mmap". it only handles * anonymous maps. eventually we may be able to do some -@@ -2599,6 +3066,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2599,6 +3071,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) struct rb_node ** rb_link, * rb_parent; pgoff_t pgoff = addr >> PAGE_SHIFT; int error; @@ -95128,7 +95482,7 @@ index 20ff0c3..a9eda98 100644 len = PAGE_ALIGN(len); if (!len) -@@ -2606,10 +3074,24 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2606,10 +3079,24 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; @@ -95153,7 +95507,7 @@ index 20ff0c3..a9eda98 100644 error = mlock_future_check(mm, mm->def_flags, len); if (error) return error; -@@ -2623,21 +3105,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2623,21 +3110,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) /* * Clear old maps. this also does some error checking for us */ @@ -95178,7 +95532,7 @@ index 20ff0c3..a9eda98 100644 return -ENOMEM; /* Can we just expand an old private anonymous mapping? */ -@@ -2651,7 +3132,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2651,7 +3137,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) */ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); if (!vma) { @@ -95187,7 +95541,7 @@ index 20ff0c3..a9eda98 100644 return -ENOMEM; } -@@ -2665,10 +3146,11 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2665,10 +3151,11 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) vma_link(mm, vma, prev, rb_link, rb_parent); out: perf_event_mmap(vma); @@ -95201,7 +95555,7 @@ index 20ff0c3..a9eda98 100644 return addr; } -@@ -2730,6 +3212,7 @@ void exit_mmap(struct mm_struct *mm) +@@ -2730,6 +3217,7 @@ void exit_mmap(struct mm_struct *mm) while (vma) { if (vma->vm_flags & VM_ACCOUNT) nr_accounted += vma_pages(vma); @@ -95209,7 +95563,7 @@ index 20ff0c3..a9eda98 100644 vma = remove_vma(vma); } vm_unacct_memory(nr_accounted); -@@ -2747,6 +3230,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -2747,6 +3235,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) struct vm_area_struct *prev; struct rb_node **rb_link, *rb_parent; @@ -95223,7 +95577,7 @@ index 20ff0c3..a9eda98 100644 /* * The vm_pgoff of a purely anonymous vma should be irrelevant * until its first write fault, when page's anon_vma and index -@@ -2770,7 +3260,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -2770,7 +3265,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) security_vm_enough_memory_mm(mm, vma_pages(vma))) return -ENOMEM; @@ -95245,7 +95599,7 @@ index 20ff0c3..a9eda98 100644 return 0; } -@@ -2789,6 +3293,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2789,6 +3298,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, struct rb_node **rb_link, *rb_parent; bool faulted_in_anon_vma = true; @@ -95254,7 +95608,7 @@ index 20ff0c3..a9eda98 100644 /* * If anonymous vma has not yet been faulted, update new pgoff * to match new location, to increase its chance of merging. -@@ -2853,6 +3359,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2853,6 +3364,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, return NULL; } @@ -95294,7 +95648,7 @@ index 20ff0c3..a9eda98 100644 /* * Return true if the calling process may expand its vm space by the passed * number of pages -@@ -2864,6 +3403,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) +@@ -2864,6 +3408,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT; @@ -95302,7 +95656,7 @@ index 20ff0c3..a9eda98 100644 if (cur + npages > lim) return 0; return 1; -@@ -2934,6 +3474,22 @@ int install_special_mapping(struct mm_struct *mm, +@@ -2934,6 +3479,22 @@ int install_special_mapping(struct mm_struct *mm, vma->vm_start = addr; vma->vm_end = addr + len; @@ -102153,10 +102507,18 @@ index b74aa07..d41926e 100644 *uaddr_len = sizeof(struct sockaddr_ax25); } diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index 48a6a93..0b0496e 100644 +index 48a6a93..d2c096b 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c -@@ -1845,7 +1845,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, +@@ -635,6 +635,7 @@ static void init_prb_bdqc(struct packet_sock *po, + p1->tov_in_jiffies = msecs_to_jiffies(p1->retire_blk_tov); + p1->blk_sizeof_priv = req_u->req3.tp_sizeof_priv; + ++ p1->max_frame_len = p1->kblk_size - BLK_PLUS_PRIV(p1->blk_sizeof_priv); + prb_init_ft_ops(p1, req_u); + prb_setup_retire_blk_timer(po, tx_ring); + prb_open_block(p1, pbd); +@@ -1845,7 +1846,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, spin_lock(&sk->sk_receive_queue.lock); po->stats.stats1.tp_packets++; @@ -102165,7 +102527,7 @@ index 48a6a93..0b0496e 100644 __skb_queue_tail(&sk->sk_receive_queue, skb); spin_unlock(&sk->sk_receive_queue.lock); sk->sk_data_ready(sk, skb->len); -@@ -1854,7 +1854,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, +@@ -1854,7 +1855,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, drop_n_acct: spin_lock(&sk->sk_receive_queue.lock); po->stats.stats1.tp_drops++; @@ -102174,7 +102536,26 @@ index 48a6a93..0b0496e 100644 spin_unlock(&sk->sk_receive_queue.lock); drop_n_restore: -@@ -3449,7 +3449,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -1946,6 +1947,18 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, + if ((int)snaplen < 0) + snaplen = 0; + } ++ } else if (unlikely(macoff + snaplen > ++ GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len)) { ++ u32 nval; ++ ++ nval = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len - macoff; ++ pr_err_once("tpacket_rcv: packet too big, clamped from %u to %u. macoff=%u\n", ++ snaplen, nval, macoff); ++ snaplen = nval; ++ if (unlikely((int)snaplen < 0)) { ++ snaplen = 0; ++ macoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len; ++ } + } + spin_lock(&sk->sk_receive_queue.lock); + h.raw = packet_current_rx_frame(po, skb, +@@ -3449,7 +3462,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, case PACKET_HDRLEN: if (len > sizeof(int)) len = sizeof(int); @@ -102183,7 +102564,7 @@ index 48a6a93..0b0496e 100644 return -EFAULT; switch (val) { case TPACKET_V1: -@@ -3495,7 +3495,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -3495,7 +3508,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, len = lv; if (put_user(len, optlen)) return -EFAULT; @@ -102192,6 +102573,29 @@ index 48a6a93..0b0496e 100644 return -EFAULT; return 0; } +@@ -3779,6 +3792,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, + goto out; + if (unlikely(req->tp_block_size & (PAGE_SIZE - 1))) + goto out; ++ if (po->tp_version >= TPACKET_V3 && ++ (int)(req->tp_block_size - ++ BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0) ++ goto out; + if (unlikely(req->tp_frame_size < po->tp_hdrlen + + po->tp_reserve)) + goto out; +diff --git a/net/packet/internal.h b/net/packet/internal.h +index eb9580a..cdddf6a 100644 +--- a/net/packet/internal.h ++++ b/net/packet/internal.h +@@ -29,6 +29,7 @@ struct tpacket_kbdq_core { + char *pkblk_start; + char *pkblk_end; + int kblk_size; ++ unsigned int max_frame_len; + unsigned int knum_blocks; + uint64_t knxt_seq_num; + char *prev; diff --git a/net/phonet/pep.c b/net/phonet/pep.c index e774117..900b8b7 100644 --- a/net/phonet/pep.c |