diff options
-rw-r--r-- | main/linux-grsec/APKBUILD | 18 | ||||
-rw-r--r-- | main/linux-grsec/grsecurity-2.9.1-3.9.9-201307050017.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.9.8-201306302052.patch) | 706 |
2 files changed, 360 insertions, 364 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index 7e148c4015..832099d91f 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD @@ -2,12 +2,12 @@ _flavor=grsec pkgname=linux-${_flavor} -pkgver=3.9.8 +pkgver=3.9.9 case $pkgver in *.*.*) _kernver=${pkgver%.*};; *.*) _kernver=${pkgver};; esac -pkgrel=1 +pkgrel=0 pkgdesc="Linux kernel with grsecurity" url=http://grsecurity.net depends="mkinitfs linux-firmware" @@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}} install= source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz - grsecurity-2.9.1-3.9.8-201306302052.patch + grsecurity-2.9.1-3.9.9-201307050017.patch 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch @@ -149,8 +149,8 @@ dev() { } md5sums="4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz -c5f2166686a913abf550bfed8b77df27 patch-3.9.8.xz -647f77555169969b4245c62c0fd0f1ab grsecurity-2.9.1-3.9.8-201306302052.patch +41f350c2fd6aa14414bf39f173a8e6a3 patch-3.9.9.xz +f3b3db991845d216a1f60921f5fd650e grsecurity-2.9.1-3.9.9-201307050017.patch a16f11b12381efb3bec79b9bfb329836 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 656ae7b10dd2f18dbfa1011041d08d60 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch @@ -160,8 +160,8 @@ aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-p d89089b3c7eb94dd9f65cf8a357fc36d kernelconfig.x86 eb147f09fef5996a488c247790205cd6 kernelconfig.x86_64" sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz -2eda9068e81269467e3c247f3343a146731fc45284b12b4bc546bc44dbb263e7 patch-3.9.8.xz -b111346072b7907d3a284f12a08c490cbfe35592537bc59442014c95080c3a33 grsecurity-2.9.1-3.9.8-201306302052.patch +4ae653db69190a10b842f05c19499a528ae29898e4f2dfbdb420ef5d26112f3b patch-3.9.9.xz +d864bb3e745101f5a624a2b716a03ec1b5dc31e4b3ddec6c9741426bcbbd1e53 grsecurity-2.9.1-3.9.9-201307050017.patch 6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch 0985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch @@ -171,8 +171,8 @@ fc613ac466610b866b721c41836fd5bfb2d4b75bceb67972dc6369d7f62ff47e 0006-ipv4-use- de3c17420664ae4e52826c6e602aade0deeae94f72253f85b3e48771491ed5d6 kernelconfig.x86 e1cce320f207cc2ba72b9d154c7060c8cbed52c664319dfd21f24e8956d0bf3e kernelconfig.x86_64" sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz -60b7d694d39faf937e7b732eb3117b8442059c5c8857c9d439eec8a87d5bc185505e64062f5ae02c3512acf5af778caf615c35d3499cb8089a4569c05da65b9c patch-3.9.8.xz -81912f5c19b8bc891a1ad8ed57bfe91d79c6c301410eb4ef9e58f57caefba2661d9732b306d695e712fd8e7c9b5bbb67659759fade26f4ec853d9cb96d347df9 grsecurity-2.9.1-3.9.8-201306302052.patch +51fa4e20b23c9900078e90ace0c4cc38e419e5028a88b63443fafa66c07ad28aab77cb0f56ceb9c8416bfde848ceba64e95f608f0f64ab4634386a161cbc7994 patch-3.9.9.xz +a16dde6d53649aecfa9eb47b969dbc5d147909c48191cc44a666c8f946181688344ac7512330e08fc47c48073010dd4154aac7b572d6301acaf39f5ad6e1b0df grsecurity-2.9.1-3.9.9-201307050017.patch 81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 51ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch 57d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch diff --git a/main/linux-grsec/grsecurity-2.9.1-3.9.8-201306302052.patch b/main/linux-grsec/grsecurity-2.9.1-3.9.9-201307050017.patch index 9c80933310..1ae3c82aef 100644 --- a/main/linux-grsec/grsecurity-2.9.1-3.9.8-201306302052.patch +++ b/main/linux-grsec/grsecurity-2.9.1-3.9.9-201307050017.patch @@ -263,7 +263,7 @@ index 8ccbf27..afffeb4 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index b013cbe..4ca639b 100644 +index 9591325..1457ef3 100644 --- a/Makefile +++ b/Makefile @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -1475,7 +1475,7 @@ index 75fe66b..ba3dee4 100644 #endif diff --git a/arch/arm/include/asm/cacheflush.h b/arch/arm/include/asm/cacheflush.h -index e1489c5..d418304 100644 +index 738fcba..7a43500 100644 --- a/arch/arm/include/asm/cacheflush.h +++ b/arch/arm/include/asm/cacheflush.h @@ -116,7 +116,7 @@ struct cpu_cache_fns { @@ -2102,7 +2102,7 @@ index cddda1f..ff357f7 100644 /* * Change these and you break ASM code in entry-common.S diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h -index 7e1f760..752fcb7 100644 +index 7e1f760..510061e 100644 --- a/arch/arm/include/asm/uaccess.h +++ b/arch/arm/include/asm/uaccess.h @@ -18,6 +18,7 @@ @@ -2113,15 +2113,21 @@ index 7e1f760..752fcb7 100644 #define VERIFY_READ 0 #define VERIFY_WRITE 1 -@@ -60,10 +61,34 @@ extern int __put_user_bad(void); - #define USER_DS TASK_SIZE - #define get_fs() (current_thread_info()->addr_limit) +@@ -63,11 +64,35 @@ extern int __put_user_bad(void); + static inline void set_fs(mm_segment_t fs) + { + current_thread_info()->addr_limit = fs; +- modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_CLIENT : DOMAIN_MANAGER); ++ modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_KERNELCLIENT : DOMAIN_MANAGER); + } + + #define segment_eq(a,b) ((a) == (b)) +static inline void pax_open_userland(void) +{ + +#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if (get_fs() == USER_DS) { ++ if (segment_eq(get_fs(), USER_DS) { + BUG_ON(test_domain(DOMAIN_USER, DOMAIN_UDEREF)); + modify_domain(DOMAIN_USER, DOMAIN_UDEREF); + } @@ -2133,7 +2139,7 @@ index 7e1f760..752fcb7 100644 +{ + +#ifdef CONFIG_PAX_MEMORY_UDEREF -+ if (get_fs() == USER_DS) { ++ if (segment_eq(get_fs(), USER_DS) { + BUG_ON(test_domain(DOMAIN_USER, DOMAIN_NOACCESS)); + modify_domain(DOMAIN_USER, DOMAIN_NOACCESS); + } @@ -2141,14 +2147,9 @@ index 7e1f760..752fcb7 100644 + +} + - static inline void set_fs(mm_segment_t fs) - { - current_thread_info()->addr_limit = fs; -- modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_CLIENT : DOMAIN_MANAGER); -+ modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_KERNELCLIENT : DOMAIN_MANAGER); - } - - #define segment_eq(a,b) ((a) == (b)) + #define __addr_ok(addr) ({ \ + unsigned long flag; \ + __asm__("cmp %2, %0; movlo %0, #0" \ @@ -143,8 +168,12 @@ extern int __get_user_4(void *); #define get_user(x,p) \ @@ -2295,9 +2296,18 @@ index 96ee092..37f1844 100644 #define PSR_ENDIAN_MASK 0x00000200 /* Endianness state mask */ diff --git a/arch/arm/kernel/armksyms.c b/arch/arm/kernel/armksyms.c -index 60d3b73..d27ee09 100644 +index 60d3b73..e5a0f22 100644 --- a/arch/arm/kernel/armksyms.c +++ b/arch/arm/kernel/armksyms.c +@@ -53,7 +53,7 @@ EXPORT_SYMBOL(arm_delay_ops); + + /* networking */ + EXPORT_SYMBOL(csum_partial); +-EXPORT_SYMBOL(csum_partial_copy_from_user); ++EXPORT_SYMBOL(__csum_partial_copy_from_user); + EXPORT_SYMBOL(csum_partial_copy_nocheck); + EXPORT_SYMBOL(__csum_ipv6_magic); + @@ -89,9 +89,9 @@ EXPORT_SYMBOL(__memzero); #ifdef CONFIG_MMU EXPORT_SYMBOL(copy_page); @@ -3453,7 +3463,7 @@ index bddce2b..3eb04e2 100644 extern void ux500_cpu_die(unsigned int cpu); diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig -index 4045c49..4e26c79 100644 +index 4045c49..0263c07 100644 --- a/arch/arm/mm/Kconfig +++ b/arch/arm/mm/Kconfig @@ -425,7 +425,7 @@ config CPU_32v5 @@ -3461,7 +3471,7 @@ index 4045c49..4e26c79 100644 config CPU_32v6 bool - select CPU_USE_DOMAINS if CPU_V6 && MMU -+ select CPU_USE_DOMAINS if CPU_V6 && MMU && !PAX_KERNEXEC ++ select CPU_USE_DOMAINS if CPU_V6 && MMU && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF select TLS_REG_EMUL if !CPU_32v6K && !MMU config CPU_32v6K @@ -11545,7 +11555,7 @@ index cf1a471..3bc4cf8 100644 err |= copy_siginfo_to_user32(&frame->info, &ksig->info); diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S -index 474dc1b..be7bff5 100644 +index 474dc1b..24aaa3e 100644 --- a/arch/x86/ia32/ia32entry.S +++ b/arch/x86/ia32/ia32entry.S @@ -15,8 +15,10 @@ @@ -11583,11 +11593,11 @@ index 474dc1b..be7bff5 100644 +#endif + .endm + -+.macro pax_erase_kstack ++ .macro pax_erase_kstack +#ifdef CONFIG_PAX_MEMORY_STACKLEAK + call pax_erase_kstack +#endif -+.endm ++ .endm + /* * 32bit SYSENTER instruction entry. @@ -14091,6 +14101,18 @@ index c0fa356..07a498a 100644 void unregister_nmi_handler(unsigned int, const char *); +diff --git a/arch/x86/include/asm/page.h b/arch/x86/include/asm/page.h +index c878924..21f4889 100644 +--- a/arch/x86/include/asm/page.h ++++ b/arch/x86/include/asm/page.h +@@ -52,6 +52,7 @@ static inline void copy_user_page(void *to, void *from, unsigned long vaddr, + __phys_addr_symbol(__phys_reloc_hide((unsigned long)(x))) + + #define __va(x) ((void *)((unsigned long)(x)+PAGE_OFFSET)) ++#define __early_va(x) ((void *)((unsigned long)(x)+__START_KERNEL_map - phys_base)) + + #define __boot_va(x) __va(x) + #define __boot_pa(x) __pa(x) diff --git a/arch/x86/include/asm/page_64.h b/arch/x86/include/asm/page_64.h index 0f1ddee..e2fc3d1 100644 --- a/arch/x86/include/asm/page_64.h @@ -18228,7 +18250,7 @@ index 9b9f18b..9fcaa04 100644 #include <asm/processor.h> #include <asm/fcntl.h> diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S -index 8f3e2de..934870f 100644 +index 8f3e2de..caecc4e 100644 --- a/arch/x86/kernel/entry_32.S +++ b/arch/x86/kernel/entry_32.S @@ -177,13 +177,153 @@ @@ -18326,11 +18348,11 @@ index 8f3e2de..934870f 100644 +ENDPROC(pax_exit_kernel) +#endif + -+.macro pax_erase_kstack ++ .macro pax_erase_kstack +#ifdef CONFIG_PAX_MEMORY_STACKLEAK + call pax_erase_kstack +#endif -+.endm ++ .endm + +#ifdef CONFIG_PAX_MEMORY_STACKLEAK +/* @@ -18988,7 +19010,7 @@ index 8f3e2de..934870f 100644 /* diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index c1d01e6..7f633850 100644 +index c1d01e6..a88cf02 100644 --- a/arch/x86/kernel/entry_64.S +++ b/arch/x86/kernel/entry_64.S @@ -59,6 +59,8 @@ @@ -19326,11 +19348,11 @@ index c1d01e6..7f633850 100644 +#endif + .endm + -+.macro pax_erase_kstack ++ .macro pax_erase_kstack +#ifdef CONFIG_PAX_MEMORY_STACKLEAK + call pax_erase_kstack +#endif -+.endm ++ .endm + +#ifdef CONFIG_PAX_MEMORY_STACKLEAK +ENTRY(pax_erase_kstack) @@ -19900,9 +19922,12 @@ index c1d01e6..7f633850 100644 apicinterrupt HYPERVISOR_CALLBACK_VECTOR \ xen_hvm_callback_vector xen_evtchn_do_upcall -@@ -1498,16 +1907,31 @@ ENTRY(paranoid_exit) +@@ -1496,18 +1905,33 @@ ENTRY(paranoid_exit) + DEFAULT_FRAME + DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF_DEBUG - testl %ebx,%ebx /* swapgs needed? */ +- testl %ebx,%ebx /* swapgs needed? */ ++ testl $1,%ebx /* swapgs needed? */ jnz paranoid_restore - testl $3,CS(%rsp) + testb $3,CS(%rsp) @@ -19966,6 +19991,15 @@ index c1d01e6..7f633850 100644 /* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */ +@@ -1606,7 +2031,7 @@ ENTRY(error_exit) + DISABLE_INTERRUPTS(CLBR_NONE) + TRACE_IRQS_OFF + GET_THREAD_INFO(%rcx) +- testl %eax,%eax ++ testl $1,%eax + jne retint_kernel + LOCKDEP_SYS_EXIT_IRQ + movl TI_flags(%rcx),%edx @@ -1615,7 +2040,7 @@ ENTRY(error_exit) jnz retint_careful jmp retint_swapgs @@ -20118,9 +20152,50 @@ index 42a392a..fbbd930 100644 return -EFAULT; diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c -index 8f3201d..aa860bf 100644 +index 8f3201d..6898c0c 100644 --- a/arch/x86/kernel/head64.c +++ b/arch/x86/kernel/head64.c +@@ -67,12 +67,12 @@ again: + pgd = *pgd_p; + + /* +- * The use of __START_KERNEL_map rather than __PAGE_OFFSET here is +- * critical -- __PAGE_OFFSET would point us back into the dynamic ++ * The use of __early_va rather than __va here is critical: ++ * __va would point us back into the dynamic + * range and we might end up looping forever... + */ + if (pgd) +- pud_p = (pudval_t *)((pgd & PTE_PFN_MASK) + __START_KERNEL_map - phys_base); ++ pud_p = (pudval_t *)(__early_va(pgd & PTE_PFN_MASK)); + else { + if (next_early_pgt >= EARLY_DYNAMIC_PAGE_TABLES) { + reset_early_page_tables(); +@@ -82,13 +82,13 @@ again: + pud_p = (pudval_t *)early_dynamic_pgts[next_early_pgt++]; + for (i = 0; i < PTRS_PER_PUD; i++) + pud_p[i] = 0; +- *pgd_p = (pgdval_t)pud_p - __START_KERNEL_map + phys_base + _KERNPG_TABLE; ++ *pgd_p = (pgdval_t)__pa(pud_p) + _KERNPG_TABLE; + } + pud_p += pud_index(address); + pud = *pud_p; + + if (pud) +- pmd_p = (pmdval_t *)((pud & PTE_PFN_MASK) + __START_KERNEL_map - phys_base); ++ pmd_p = (pmdval_t *)(__early_va(pud & PTE_PFN_MASK)); + else { + if (next_early_pgt >= EARLY_DYNAMIC_PAGE_TABLES) { + reset_early_page_tables(); +@@ -98,7 +98,7 @@ again: + pmd_p = (pmdval_t *)early_dynamic_pgts[next_early_pgt++]; + for (i = 0; i < PTRS_PER_PMD; i++) + pmd_p[i] = 0; +- *pud_p = (pudval_t)pmd_p - __START_KERNEL_map + phys_base + _KERNPG_TABLE; ++ *pud_p = (pudval_t)__pa(pmd_p) + _KERNPG_TABLE; + } + pmd = (physaddr & PMD_MASK) + early_pmd_flags; + pmd_p[pmd_index(address)] = pmd; @@ -175,7 +175,6 @@ void __init x86_64_start_kernel(char * real_mode_data) if (console_loglevel == 10) early_printk("Kernel alive\n"); @@ -20562,7 +20637,7 @@ index 73afd11..d1670f5 100644 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0 + .endr diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S -index 321d65e..7830f05 100644 +index 321d65e..ad8817d 100644 --- a/arch/x86/kernel/head_64.S +++ b/arch/x86/kernel/head_64.S @@ -20,6 +20,8 @@ @@ -20587,23 +20662,34 @@ index 321d65e..7830f05 100644 .text __HEAD -@@ -89,11 +97,15 @@ startup_64: +@@ -89,11 +97,23 @@ startup_64: * Fixup the physical addresses in the page table */ addq %rbp, early_level4_pgt + (L4_START_KERNEL*8)(%rip) ++ addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip) + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip) + addq %rbp, init_level4_pgt + (L4_VMALLOC_END*8)(%rip) + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip) ++ addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip) - addq %rbp, level3_kernel_pgt + (510*8)(%rip) - addq %rbp, level3_kernel_pgt + (511*8)(%rip) +- addq %rbp, level3_kernel_pgt + (510*8)(%rip) +- addq %rbp, level3_kernel_pgt + (511*8)(%rip) ++ addq %rbp, level3_ident_pgt + (0*8)(%rip) ++#ifndef CONFIG_XEN ++ addq %rbp, level3_ident_pgt + (1*8)(%rip) ++#endif - addq %rbp, level2_fixmap_pgt + (506*8)(%rip) +- addq %rbp, level2_fixmap_pgt + (506*8)(%rip) ++ addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip) ++ ++ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip) ++ addq %rbp, level3_kernel_pgt + ((L3_START_KERNEL+1)*8)(%rip) ++ + addq %rbp, level2_fixmap_pgt + (507*8)(%rip) /* * Set up the identity mapping for the switchover. These -@@ -177,8 +189,8 @@ ENTRY(secondary_startup_64) +@@ -177,8 +197,8 @@ ENTRY(secondary_startup_64) movq $(init_level4_pgt - __START_KERNEL_map), %rax 1: @@ -20614,7 +20700,7 @@ index 321d65e..7830f05 100644 movq %rcx, %cr4 /* Setup early boot stage 4 level pagetables. */ -@@ -199,10 +211,18 @@ ENTRY(secondary_startup_64) +@@ -199,10 +219,18 @@ ENTRY(secondary_startup_64) movl $MSR_EFER, %ecx rdmsr btsl $_EFER_SCE, %eax /* Enable System Call */ @@ -20634,7 +20720,7 @@ index 321d65e..7830f05 100644 1: wrmsr /* Make changes effective */ /* Setup cr0 */ -@@ -282,6 +302,7 @@ ENTRY(secondary_startup_64) +@@ -282,6 +310,7 @@ ENTRY(secondary_startup_64) * REX.W + FF /5 JMP m16:64 Jump far, absolute indirect, * address given in m16:64. */ @@ -20642,7 +20728,7 @@ index 321d65e..7830f05 100644 movq initial_code(%rip),%rax pushq $0 # fake return address to stop unwinder pushq $__KERNEL_CS # set correct cs -@@ -388,7 +409,7 @@ ENTRY(early_idt_handler) +@@ -388,7 +417,7 @@ ENTRY(early_idt_handler) call dump_stack #ifdef CONFIG_KALLSYMS leaq early_idt_ripmsg(%rip),%rdi @@ -20651,7 +20737,7 @@ index 321d65e..7830f05 100644 call __print_symbol #endif #endif /* EARLY_PRINTK */ -@@ -416,6 +437,7 @@ ENDPROC(early_idt_handler) +@@ -416,6 +445,7 @@ ENDPROC(early_idt_handler) early_recursion_flag: .long 0 @@ -20659,9 +20745,12 @@ index 321d65e..7830f05 100644 #ifdef CONFIG_EARLY_PRINTK early_idt_msg: .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n" -@@ -445,27 +467,50 @@ NEXT_PAGE(early_dynamic_pgts) +@@ -443,29 +473,52 @@ NEXT_PAGE(early_level4_pgt) + NEXT_PAGE(early_dynamic_pgts) + .fill 512*EARLY_DYNAMIC_PAGE_TABLES,8,0 - .data +- .data ++ .section .rodata,"a",@progbits -#ifndef CONFIG_XEN NEXT_PAGE(init_level4_pgt) @@ -20718,7 +20807,7 @@ index 321d65e..7830f05 100644 NEXT_PAGE(level3_kernel_pgt) .fill L3_START_KERNEL,8,0 -@@ -473,6 +518,9 @@ NEXT_PAGE(level3_kernel_pgt) +@@ -473,6 +526,9 @@ NEXT_PAGE(level3_kernel_pgt) .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE @@ -20728,7 +20817,7 @@ index 321d65e..7830f05 100644 NEXT_PAGE(level2_kernel_pgt) /* * 512 MB kernel mapping. We spend a full page on this pagetable -@@ -488,39 +536,64 @@ NEXT_PAGE(level2_kernel_pgt) +@@ -488,39 +544,64 @@ NEXT_PAGE(level2_kernel_pgt) KERNEL_IMAGE_SIZE/PMD_SIZE) NEXT_PAGE(level2_fixmap_pgt) @@ -28081,7 +28170,7 @@ index ae1aa71..d9bea75 100644 #endif /*HAVE_ARCH_HUGETLB_UNMAPPED_AREA*/ diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c -index 0c13708..689fe7f 100644 +index 0c13708..ca05f23 100644 --- a/arch/x86/mm/init.c +++ b/arch/x86/mm/init.c @@ -4,6 +4,7 @@ @@ -28101,7 +28190,23 @@ index 0c13708..689fe7f 100644 #include "mm_internal.h" -@@ -464,10 +467,40 @@ void __init init_mem_mapping(void) +@@ -448,7 +451,15 @@ void __init init_mem_mapping(void) + early_ioremap_page_table_range_init(); + #endif + ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY, ++ swapper_pg_dir + KERNEL_PGD_BOUNDARY, ++ KERNEL_PGD_PTRS); ++ load_cr3(get_cpu_pgd(0)); ++#else + load_cr3(swapper_pg_dir); ++#endif ++ + __flush_tlb_all(); + + early_memtest(0, max_pfn_mapped << PAGE_SHIFT); +@@ -464,10 +475,40 @@ void __init init_mem_mapping(void) * Access has to be given to non-kernel-ram areas as well, these contain the PCI * mmio resources as well as potential bios/acpi data regions. */ @@ -28143,7 +28248,7 @@ index 0c13708..689fe7f 100644 if (iomem_is_exclusive(pagenr << PAGE_SHIFT)) return 0; if (!page_is_ram(pagenr)) -@@ -524,8 +557,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end) +@@ -524,8 +565,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end) #endif } @@ -28262,7 +28367,7 @@ index 0c13708..689fe7f 100644 (unsigned long)(&__init_begin), (unsigned long)(&__init_end)); diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c -index 2d19001..6a1046c 100644 +index 2d19001..e549d98 100644 --- a/arch/x86/mm/init_32.c +++ b/arch/x86/mm/init_32.c @@ -62,33 +62,6 @@ static noinline int do_test_wp_bit(void); @@ -28476,20 +28581,7 @@ index 2d19001..6a1046c 100644 EXPORT_SYMBOL_GPL(__supported_pte_mask); /* user-defined highmem size */ -@@ -752,6 +754,12 @@ void __init mem_init(void) - - pci_iommu_alloc(); - -+#ifdef CONFIG_PAX_PER_CPU_PGD -+ clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY, -+ swapper_pg_dir + KERNEL_PGD_BOUNDARY, -+ KERNEL_PGD_PTRS); -+#endif -+ - #ifdef CONFIG_FLATMEM - BUG_ON(!mem_map); - #endif -@@ -780,7 +788,7 @@ void __init mem_init(void) +@@ -780,7 +782,7 @@ void __init mem_init(void) after_bootmem = 1; codesize = (unsigned long) &_etext - (unsigned long) &_text; @@ -28498,7 +28590,7 @@ index 2d19001..6a1046c 100644 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin; printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, " -@@ -821,10 +829,10 @@ void __init mem_init(void) +@@ -821,10 +823,10 @@ void __init mem_init(void) ((unsigned long)&__init_end - (unsigned long)&__init_begin) >> 10, @@ -28512,7 +28604,7 @@ index 2d19001..6a1046c 100644 ((unsigned long)&_etext - (unsigned long)&_text) >> 10); /* -@@ -914,6 +922,7 @@ void set_kernel_text_rw(void) +@@ -914,6 +916,7 @@ void set_kernel_text_rw(void) if (!kernel_set_to_readonly) return; @@ -28520,7 +28612,7 @@ index 2d19001..6a1046c 100644 pr_debug("Set kernel text: %lx - %lx for read write\n", start, start+size); -@@ -928,6 +937,7 @@ void set_kernel_text_ro(void) +@@ -928,6 +931,7 @@ void set_kernel_text_ro(void) if (!kernel_set_to_readonly) return; @@ -28528,7 +28620,7 @@ index 2d19001..6a1046c 100644 pr_debug("Set kernel text: %lx - %lx for read only\n", start, start+size); -@@ -956,6 +966,7 @@ void mark_rodata_ro(void) +@@ -956,6 +960,7 @@ void mark_rodata_ro(void) unsigned long start = PFN_ALIGN(_text); unsigned long size = PFN_ALIGN(_etext) - start; @@ -28537,7 +28629,7 @@ index 2d19001..6a1046c 100644 printk(KERN_INFO "Write protecting the kernel text: %luk\n", size >> 10); diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c -index 474e28f..647dd12 100644 +index 474e28f..f016b6e 100644 --- a/arch/x86/mm/init_64.c +++ b/arch/x86/mm/init_64.c @@ -150,7 +150,7 @@ early_param("gbpages", parse_direct_gbpages_on); @@ -28654,20 +28746,7 @@ index 474e28f..647dd12 100644 spin_unlock(&init_mm.page_table_lock); pgd_changed = true; } -@@ -1065,6 +1079,12 @@ void __init mem_init(void) - - pci_iommu_alloc(); - -+#ifdef CONFIG_PAX_PER_CPU_PGD -+ clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY, -+ swapper_pg_dir + KERNEL_PGD_BOUNDARY, -+ KERNEL_PGD_PTRS); -+#endif -+ - /* clear_bss() already clear the empty_zero_page */ - - reservedpages = 0; -@@ -1224,8 +1244,8 @@ int kern_addr_valid(unsigned long addr) +@@ -1224,8 +1238,8 @@ int kern_addr_valid(unsigned long addr) static struct vm_area_struct gate_vma = { .vm_start = VSYSCALL_START, .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE), @@ -28678,7 +28757,7 @@ index 474e28f..647dd12 100644 }; struct vm_area_struct *get_gate_vma(struct mm_struct *mm) -@@ -1259,7 +1279,7 @@ int in_gate_area_no_mm(unsigned long addr) +@@ -1259,7 +1273,7 @@ int in_gate_area_no_mm(unsigned long addr) const char *arch_vma_name(struct vm_area_struct *vma) { @@ -30390,7 +30469,7 @@ index c77b24a..c979855 100644 } EXPORT_SYMBOL(pcibios_set_irq_routing); diff --git a/arch/x86/platform/efi/efi_32.c b/arch/x86/platform/efi/efi_32.c -index 40e4469..1ab536e 100644 +index 40e4469..0592924 100644 --- a/arch/x86/platform/efi/efi_32.c +++ b/arch/x86/platform/efi/efi_32.c @@ -44,11 +44,22 @@ void efi_call_phys_prelog(void) @@ -30416,7 +30495,7 @@ index 40e4469..1ab536e 100644 gdt_descr.address = __pa(get_cpu_gdt_table(0)); gdt_descr.size = GDT_SIZE - 1; load_gdt(&gdt_descr); -@@ -58,6 +69,14 @@ void efi_call_phys_epilog(void) +@@ -58,11 +69,24 @@ void efi_call_phys_epilog(void) { struct desc_ptr gdt_descr; @@ -30431,6 +30510,44 @@ index 40e4469..1ab536e 100644 gdt_descr.address = (unsigned long)get_cpu_gdt_table(0); gdt_descr.size = GDT_SIZE - 1; load_gdt(&gdt_descr); + ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ load_cr3(get_cpu_pgd(smp_processor_id())); ++#else + load_cr3(swapper_pg_dir); ++#endif ++ + __flush_tlb_all(); + + local_irq_restore(efi_rt_eflags); +diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c +index 2b20038..eaf558f 100644 +--- a/arch/x86/platform/efi/efi_64.c ++++ b/arch/x86/platform/efi/efi_64.c +@@ -75,6 +75,11 @@ void __init efi_call_phys_prelog(void) + vaddress = (unsigned long)__va(pgd * PGDIR_SIZE); + set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), *pgd_offset_k(vaddress)); + } ++ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ load_cr3(swapper_pg_dir); ++#endif ++ + __flush_tlb_all(); + } + +@@ -88,6 +93,11 @@ void __init efi_call_phys_epilog(void) + for (pgd = 0; pgd < n_pgds; pgd++) + set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), save_pgd[pgd]); + kfree(save_pgd); ++ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ load_cr3(get_cpu_pgd(smp_processor_id())); ++#endif ++ + __flush_tlb_all(); + local_irq_restore(efi_flags); + early_code_mapping_set_exec(0); diff --git a/arch/x86/platform/efi/efi_stub_32.S b/arch/x86/platform/efi/efi_stub_32.S index fbe66e6..eae5e38 100644 --- a/arch/x86/platform/efi/efi_stub_32.S @@ -31988,7 +32105,7 @@ index 34c8216..f56c828 100644 unsigned long timeout_msec) { diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c -index cf15aee..e0b7078 100644 +index 8038ee3..a19a6e6 100644 --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c @@ -4792,7 +4792,7 @@ void ata_qc_free(struct ata_queued_cmd *qc) @@ -37624,10 +37741,10 @@ index b972d43..8943713 100644 /** diff --git a/drivers/iommu/irq_remapping.c b/drivers/iommu/irq_remapping.c -index 7c11ff3..a2a0457 100644 +index dcfea4e..f4226b2 100644 --- a/drivers/iommu/irq_remapping.c +++ b/drivers/iommu/irq_remapping.c -@@ -348,7 +348,7 @@ int setup_hpet_msi_remapped(unsigned int irq, unsigned int id) +@@ -354,7 +354,7 @@ int setup_hpet_msi_remapped(unsigned int irq, unsigned int id) void panic_if_irq_remap(const char *msg) { if (irq_remapping_enabled) @@ -37636,7 +37753,7 @@ index 7c11ff3..a2a0457 100644 } static void ir_ack_apic_edge(struct irq_data *data) -@@ -369,10 +369,12 @@ static void ir_print_prefix(struct irq_data *data, struct seq_file *p) +@@ -375,10 +375,12 @@ static void ir_print_prefix(struct irq_data *data, struct seq_file *p) void irq_remap_modify_chip_defaults(struct irq_chip *chip) { @@ -40388,62 +40505,6 @@ index a4fe5f1..6c9e77f 100644 .kind = "vxlan", .maxtype = IFLA_VXLAN_MAX, .policy = vxlan_policy, -diff --git a/drivers/net/wan/dlci.c b/drivers/net/wan/dlci.c -index 147614e..6a8a382 100644 ---- a/drivers/net/wan/dlci.c -+++ b/drivers/net/wan/dlci.c -@@ -384,21 +384,37 @@ static int dlci_del(struct dlci_add *dlci) - struct frad_local *flp; - struct net_device *master, *slave; - int err; -+ bool found = false; -+ -+ rtnl_lock(); - - /* validate slave device */ - master = __dev_get_by_name(&init_net, dlci->devname); -- if (!master) -- return -ENODEV; -+ if (!master) { -+ err = -ENODEV; -+ goto out; -+ } -+ -+ list_for_each_entry(dlp, &dlci_devs, list) { -+ if (dlp->master == master) { -+ found = true; -+ break; -+ } -+ } -+ if (!found) { -+ err = -ENODEV; -+ goto out; -+ } - - if (netif_running(master)) { -- return -EBUSY; -+ err = -EBUSY; -+ goto out; - } - - dlp = netdev_priv(master); - slave = dlp->slave; - flp = netdev_priv(slave); - -- rtnl_lock(); - err = (*flp->deassoc)(slave, master); - if (!err) { - list_del(&dlp->list); -@@ -407,8 +423,8 @@ static int dlci_del(struct dlci_add *dlci) - - dev_put(slave); - } -+out: - rtnl_unlock(); -- - return err; - } - diff --git a/drivers/net/wireless/at76c50x-usb.c b/drivers/net/wireless/at76c50x-usb.c index 5ac5f7a..5f82012 100644 --- a/drivers/net/wireless/at76c50x-usb.c @@ -50560,7 +50621,7 @@ index 6a16053..2155147 100644 return rc; } diff --git a/fs/exec.c b/fs/exec.c -index 6d56ff2..f65b4ca 100644 +index 0d5c76f..3d4585e 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -55,8 +55,20 @@ @@ -50584,7 +50645,7 @@ index 6d56ff2..f65b4ca 100644 #include <asm/mmu_context.h> #include <asm/tlb.h> -@@ -66,6 +78,18 @@ +@@ -66,17 +78,32 @@ #include <trace/events/sched.h> @@ -50603,7 +50664,12 @@ index 6d56ff2..f65b4ca 100644 int suid_dumpable = 0; static LIST_HEAD(formats); -@@ -75,8 +99,8 @@ void __register_binfmt(struct linux_binfmt * fmt, int insert) + static DEFINE_RWLOCK(binfmt_lock); + ++extern int gr_process_kernel_exec_ban(void); ++extern int gr_process_suid_exec_ban(const struct linux_binprm *bprm); ++ + void __register_binfmt(struct linux_binfmt * fmt, int insert) { BUG_ON(!fmt); write_lock(&binfmt_lock); @@ -50614,7 +50680,7 @@ index 6d56ff2..f65b4ca 100644 write_unlock(&binfmt_lock); } -@@ -85,7 +109,7 @@ EXPORT_SYMBOL(__register_binfmt); +@@ -85,7 +112,7 @@ EXPORT_SYMBOL(__register_binfmt); void unregister_binfmt(struct linux_binfmt * fmt) { write_lock(&binfmt_lock); @@ -50623,7 +50689,7 @@ index 6d56ff2..f65b4ca 100644 write_unlock(&binfmt_lock); } -@@ -180,18 +204,10 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, +@@ -180,18 +207,10 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, int write) { struct page *page; @@ -50645,7 +50711,7 @@ index 6d56ff2..f65b4ca 100644 return NULL; if (write) { -@@ -207,6 +223,17 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, +@@ -207,6 +226,17 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, if (size <= ARG_MAX) return page; @@ -50663,7 +50729,7 @@ index 6d56ff2..f65b4ca 100644 /* * Limit to 1/4-th the stack size for the argv+env strings. * This ensures that: -@@ -266,6 +293,11 @@ static int __bprm_mm_init(struct linux_binprm *bprm) +@@ -266,6 +296,11 @@ static int __bprm_mm_init(struct linux_binprm *bprm) vma->vm_end = STACK_TOP_MAX; vma->vm_start = vma->vm_end - PAGE_SIZE; vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP; @@ -50675,7 +50741,7 @@ index 6d56ff2..f65b4ca 100644 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); INIT_LIST_HEAD(&vma->anon_vma_chain); -@@ -276,6 +308,12 @@ static int __bprm_mm_init(struct linux_binprm *bprm) +@@ -276,6 +311,12 @@ static int __bprm_mm_init(struct linux_binprm *bprm) mm->stack_vm = mm->total_vm = 1; up_write(&mm->mmap_sem); bprm->p = vma->vm_end - sizeof(void *); @@ -50688,7 +50754,7 @@ index 6d56ff2..f65b4ca 100644 return 0; err: up_write(&mm->mmap_sem); -@@ -396,7 +434,7 @@ struct user_arg_ptr { +@@ -396,7 +437,7 @@ struct user_arg_ptr { } ptr; }; @@ -50697,7 +50763,7 @@ index 6d56ff2..f65b4ca 100644 { const char __user *native; -@@ -405,14 +443,14 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr) +@@ -405,14 +446,14 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr) compat_uptr_t compat; if (get_user(compat, argv.ptr.compat + nr)) @@ -50714,7 +50780,7 @@ index 6d56ff2..f65b4ca 100644 return native; } -@@ -431,7 +469,7 @@ static int count(struct user_arg_ptr argv, int max) +@@ -431,7 +472,7 @@ static int count(struct user_arg_ptr argv, int max) if (!p) break; @@ -50723,7 +50789,7 @@ index 6d56ff2..f65b4ca 100644 return -EFAULT; if (i >= max) -@@ -466,7 +504,7 @@ static int copy_strings(int argc, struct user_arg_ptr argv, +@@ -466,7 +507,7 @@ static int copy_strings(int argc, struct user_arg_ptr argv, ret = -EFAULT; str = get_user_arg_ptr(argv, argc); @@ -50732,7 +50798,7 @@ index 6d56ff2..f65b4ca 100644 goto out; len = strnlen_user(str, MAX_ARG_STRLEN); -@@ -548,7 +586,7 @@ int copy_strings_kernel(int argc, const char *const *__argv, +@@ -548,7 +589,7 @@ int copy_strings_kernel(int argc, const char *const *__argv, int r; mm_segment_t oldfs = get_fs(); struct user_arg_ptr argv = { @@ -50741,7 +50807,7 @@ index 6d56ff2..f65b4ca 100644 }; set_fs(KERNEL_DS); -@@ -583,7 +621,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) +@@ -583,7 +624,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) unsigned long new_end = old_end - shift; struct mmu_gather tlb; @@ -50751,7 +50817,7 @@ index 6d56ff2..f65b4ca 100644 /* * ensure there are no vmas between where we want to go -@@ -592,6 +631,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) +@@ -592,6 +634,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) if (vma != find_vma(mm, new_start)) return -EFAULT; @@ -50762,7 +50828,7 @@ index 6d56ff2..f65b4ca 100644 /* * cover the whole range: [new_start, old_end) */ -@@ -672,10 +715,6 @@ int setup_arg_pages(struct linux_binprm *bprm, +@@ -672,10 +718,6 @@ int setup_arg_pages(struct linux_binprm *bprm, stack_top = arch_align_stack(stack_top); stack_top = PAGE_ALIGN(stack_top); @@ -50773,7 +50839,7 @@ index 6d56ff2..f65b4ca 100644 stack_shift = vma->vm_end - stack_top; bprm->p -= stack_shift; -@@ -687,8 +726,28 @@ int setup_arg_pages(struct linux_binprm *bprm, +@@ -687,8 +729,28 @@ int setup_arg_pages(struct linux_binprm *bprm, bprm->exec -= stack_shift; down_write(&mm->mmap_sem); @@ -50802,7 +50868,7 @@ index 6d56ff2..f65b4ca 100644 /* * Adjust stack execute permissions; explicitly enable for * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone -@@ -707,13 +766,6 @@ int setup_arg_pages(struct linux_binprm *bprm, +@@ -707,13 +769,6 @@ int setup_arg_pages(struct linux_binprm *bprm, goto out_unlock; BUG_ON(prev != vma); @@ -50816,7 +50882,7 @@ index 6d56ff2..f65b4ca 100644 /* mprotect_fixup is overkill to remove the temporary stack flags */ vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP; -@@ -737,6 +789,27 @@ int setup_arg_pages(struct linux_binprm *bprm, +@@ -737,6 +792,27 @@ int setup_arg_pages(struct linux_binprm *bprm, #endif current->mm->start_stack = bprm->p; ret = expand_stack(vma, stack_base); @@ -50844,7 +50910,7 @@ index 6d56ff2..f65b4ca 100644 if (ret) ret = -EFAULT; -@@ -772,6 +845,8 @@ struct file *open_exec(const char *name) +@@ -772,6 +848,8 @@ struct file *open_exec(const char *name) fsnotify_open(file); @@ -50853,7 +50919,7 @@ index 6d56ff2..f65b4ca 100644 err = deny_write_access(file); if (err) goto exit; -@@ -795,7 +870,7 @@ int kernel_read(struct file *file, loff_t offset, +@@ -795,7 +873,7 @@ int kernel_read(struct file *file, loff_t offset, old_fs = get_fs(); set_fs(get_ds()); /* The cast to a user pointer is valid due to the set_fs() */ @@ -50862,37 +50928,7 @@ index 6d56ff2..f65b4ca 100644 set_fs(old_fs); return result; } -@@ -1136,13 +1211,6 @@ void setup_new_exec(struct linux_binprm * bprm) - set_dumpable(current->mm, suid_dumpable); - } - -- /* -- * Flush performance counters when crossing a -- * security domain: -- */ -- if (!get_dumpable(current->mm)) -- perf_event_exit_task(current); -- - /* An exec changes our domain. We are no longer part of the thread - group */ - -@@ -1206,6 +1274,15 @@ void install_exec_creds(struct linux_binprm *bprm) - - commit_creds(bprm->cred); - bprm->cred = NULL; -+ -+ /* -+ * Disable monitoring for regular users -+ * when executing setuid binaries. Must -+ * wait until new credentials are committed -+ * by commit_creds() above -+ */ -+ if (get_dumpable(current->mm) != SUID_DUMP_USER) -+ perf_event_exit_task(current); - /* - * cred_guard_mutex must be held at least to this point to prevent - * ptrace_attach() from altering our determination of the task's -@@ -1250,7 +1327,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm) +@@ -1252,7 +1330,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm) } rcu_read_unlock(); @@ -50901,7 +50937,7 @@ index 6d56ff2..f65b4ca 100644 bprm->unsafe |= LSM_UNSAFE_SHARE; } else { res = -EAGAIN; -@@ -1450,6 +1527,31 @@ int search_binary_handler(struct linux_binprm *bprm) +@@ -1452,6 +1530,31 @@ int search_binary_handler(struct linux_binprm *bprm) EXPORT_SYMBOL(search_binary_handler); @@ -50933,7 +50969,7 @@ index 6d56ff2..f65b4ca 100644 /* * sys_execve() executes a new program. */ -@@ -1457,6 +1559,11 @@ static int do_execve_common(const char *filename, +@@ -1459,6 +1562,11 @@ static int do_execve_common(const char *filename, struct user_arg_ptr argv, struct user_arg_ptr envp) { @@ -50945,7 +50981,7 @@ index 6d56ff2..f65b4ca 100644 struct linux_binprm *bprm; struct file *file; struct files_struct *displaced; -@@ -1464,6 +1571,8 @@ static int do_execve_common(const char *filename, +@@ -1466,6 +1574,8 @@ static int do_execve_common(const char *filename, int retval; const struct cred *cred = current_cred(); @@ -50954,7 +50990,7 @@ index 6d56ff2..f65b4ca 100644 /* * We move the actual failure in case of RLIMIT_NPROC excess from * set*uid() to execve() because too many poorly written programs -@@ -1504,12 +1613,27 @@ static int do_execve_common(const char *filename, +@@ -1506,12 +1616,22 @@ static int do_execve_common(const char *filename, if (IS_ERR(file)) goto out_unmark; @@ -50969,11 +51005,6 @@ index 6d56ff2..f65b4ca 100644 bprm->filename = filename; bprm->interp = filename; -+ if (gr_process_user_ban()) { -+ retval = -EPERM; -+ goto out_file; -+ } -+ + if (!gr_acl_handle_execve(file->f_path.dentry, file->f_path.mnt)) { + retval = -EACCES; + goto out_file; @@ -50982,7 +51013,7 @@ index 6d56ff2..f65b4ca 100644 retval = bprm_mm_init(bprm); if (retval) goto out_file; -@@ -1526,24 +1650,65 @@ static int do_execve_common(const char *filename, +@@ -1528,24 +1648,70 @@ static int do_execve_common(const char *filename, if (retval < 0) goto out; @@ -51002,6 +51033,11 @@ index 6d56ff2..f65b4ca 100644 + current->signal->rlim[RLIMIT_STACK].rlim_cur = 8 * 1024 * 1024; +#endif + ++ if (gr_process_kernel_exec_ban() || gr_process_suid_exec_ban(bprm)) { ++ retval = -EPERM; ++ goto out_fail; ++ } ++ + if (!gr_tpe_allow(file)) { + retval = -EACCES; + goto out_fail; @@ -51052,7 +51088,7 @@ index 6d56ff2..f65b4ca 100644 current->fs->in_exec = 0; current->in_execve = 0; acct_update_integrals(current); -@@ -1552,6 +1717,14 @@ static int do_execve_common(const char *filename, +@@ -1554,6 +1720,14 @@ static int do_execve_common(const char *filename, put_files_struct(displaced); return retval; @@ -51067,7 +51103,7 @@ index 6d56ff2..f65b4ca 100644 out: if (bprm->mm) { acct_arg_size(bprm, 0); -@@ -1700,3 +1873,283 @@ asmlinkage long compat_sys_execve(const char __user * filename, +@@ -1702,3 +1876,283 @@ asmlinkage long compat_sys_execve(const char __user * filename, return error; } #endif @@ -56788,67 +56824,6 @@ index 69d4889..a810bd4 100644 { if (sbi->s_bytesex == BYTESEX_PDP) return PDP_swab((__force __u32)n); -diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c -index de08c92f..732cd63 100644 ---- a/fs/ubifs/dir.c -+++ b/fs/ubifs/dir.c -@@ -364,6 +364,24 @@ static int ubifs_readdir(struct file *file, void *dirent, filldir_t filldir) - */ - return 0; - -+ if (file->f_version == 0) { -+ /* -+ * The file was seek'ed, which means that @file->private_data -+ * is now invalid. This may also be just the first -+ * 'ubifs_readdir()' invocation, in which case -+ * @file->private_data is NULL, and the below code is -+ * basically a no-op. -+ */ -+ kfree(file->private_data); -+ file->private_data = NULL; -+ } -+ -+ /* -+ * 'generic_file_llseek()' unconditionally sets @file->f_version to -+ * zero, and we use this for detecting whether the file was seek'ed. -+ */ -+ file->f_version = 1; -+ - /* File positions 0 and 1 correspond to "." and ".." */ - if (file->f_pos == 0) { - ubifs_assert(!file->private_data); -@@ -438,6 +456,14 @@ static int ubifs_readdir(struct file *file, void *dirent, filldir_t filldir) - file->f_pos = key_hash_flash(c, &dent->key); - file->private_data = dent; - cond_resched(); -+ -+ if (file->f_version == 0) -+ /* -+ * The file was seek'ed meanwhile, lets return and start -+ * reading direntries from the new position on the next -+ * invocation. -+ */ -+ return 0; - } - - out: -@@ -448,15 +474,13 @@ out: - - kfree(file->private_data); - file->private_data = NULL; -+ /* 2 is a special value indicating that there are no more direntries */ - file->f_pos = 2; - return 0; - } - --/* If a directory is seeked, we have to free saved readdir() state */ - static loff_t ubifs_dir_llseek(struct file *file, loff_t offset, int whence) - { -- kfree(file->private_data); -- file->private_data = NULL; - return generic_file_llseek(file, offset, whence); - } - diff --git a/fs/ubifs/io.c b/fs/ubifs/io.c index e18b988..f1d4ad0f 100644 --- a/fs/ubifs/io.c @@ -57091,10 +57066,10 @@ index ca9ecaa..60100c7 100644 kfree(s); diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..4fb1dde +index 0000000..c9c4ac3 --- /dev/null +++ b/grsecurity/Kconfig -@@ -0,0 +1,1053 @@ +@@ -0,0 +1,1054 @@ +# +# grecurity configuration +# @@ -57251,8 +57226,9 @@ index 0000000..4fb1dde + fork until the administrator is able to assess the situation and + restart the daemon. + In the suid/sgid case, the attempt is logged, the user has all their -+ processes terminated, and they are prevented from executing any further -+ processes for 15 minutes. ++ existing instances of the suid/sgid binary terminated and will ++ be unable to execute any suid/sgid binaries for 15 minutes. ++ + It is recommended that you also enable signal logging in the auditing + section so that logs are generated when a process triggers a suspicious + signal. @@ -58194,7 +58170,7 @@ index 0000000..1b9afa9 +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..1248ee0 +index 0000000..0d5c602 --- /dev/null +++ b/grsecurity/gracl.c @@ -0,0 +1,4073 @@ @@ -60545,7 +60521,7 @@ index 0000000..1248ee0 + return; +} + -+extern int __gr_process_user_ban(struct user_struct *user); ++extern int gr_process_kernel_setuid_ban(struct user_struct *user); + +int +gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs) @@ -60559,7 +60535,7 @@ index 0000000..1248ee0 + int fsok = 0; + uid_t globalreal, globaleffective, globalfs; + -+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE) ++#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) + struct user_struct *user; + + if (!uid_valid(real)) @@ -60573,7 +60549,7 @@ index 0000000..1248ee0 + if (user == NULL) + goto skipit; + -+ if (__gr_process_user_ban(user)) { ++ if (gr_process_kernel_setuid_ban(user)) { + /* for find_user */ + free_uid(user); + return 1; @@ -63617,7 +63593,7 @@ index 0000000..39645c9 +} diff --git a/grsecurity/gracl_segv.c b/grsecurity/gracl_segv.c new file mode 100644 -index 0000000..4dcc92a +index 0000000..3c38bfe --- /dev/null +++ b/grsecurity/gracl_segv.c @@ -0,0 +1,305 @@ @@ -63859,7 +63835,7 @@ index 0000000..4dcc92a + if (likely(tsk != task)) { + // if this thread has the same subject as the one that triggered + // RES_CRASH and it's the same binary, kill it -+ if (tsk->acl == task->acl && tsk->exec_file == task->exec_file) ++ if (tsk->acl == task->acl && gr_is_same_file(tsk->exec_file, task->exec_file)) + gr_fake_force_sig(SIGKILL, tsk); + } + } while_each_thread(tsk2, tsk); @@ -65944,12 +65920,13 @@ index 0000000..f7f29aa +} diff --git a/grsecurity/grsec_sig.c b/grsecurity/grsec_sig.c new file mode 100644 -index 0000000..e09715a +index 0000000..4e29cc7 --- /dev/null +++ b/grsecurity/grsec_sig.c -@@ -0,0 +1,222 @@ +@@ -0,0 +1,246 @@ +#include <linux/kernel.h> +#include <linux/sched.h> ++#include <linux/fs.h> +#include <linux/delay.h> +#include <linux/grsecurity.h> +#include <linux/grinternal.h> @@ -66049,7 +66026,7 @@ index 0000000..e09715a + rcu_read_lock(); + read_lock(&tasklist_lock); + read_lock(&grsec_exec_file_lock); -+ if (p->real_parent && p->real_parent->exec_file == p->exec_file) { ++ if (p->real_parent && gr_is_same_file(p->real_parent->exec_file, p->exec_file)) { + p->real_parent->brute_expires = get_seconds() + GR_DAEMON_BRUTE_TIME; + p->real_parent->brute = 1; + daemon = 1; @@ -66066,14 +66043,15 @@ index 0000000..e09715a + user = find_user(uid); + if (user == NULL) + goto unlock; -+ user->banned = 1; -+ user->ban_expires = get_seconds() + GR_USER_BAN_TIME; -+ if (user->ban_expires == ~0UL) -+ user->ban_expires--; ++ user->suid_banned = 1; ++ user->suid_ban_expires = get_seconds() + GR_USER_BAN_TIME; ++ if (user->suid_ban_expires == ~0UL) ++ user->suid_ban_expires--; + ++ /* only kill other threads of the same binary, from the same user */ + do_each_thread(tsk2, tsk) { + cred2 = __task_cred(tsk); -+ if (tsk != p && uid_eq(cred2->uid, uid)) ++ if (tsk != p && uid_eq(cred2->uid, uid) && gr_is_same_file(tsk->exec_file, p->exec_file)) + gr_fake_force_sig(SIGKILL, tsk); + } while_each_thread(tsk2, tsk); + } @@ -66084,8 +66062,7 @@ index 0000000..e09715a + rcu_read_unlock(); + + if (gr_is_global_nonroot(uid)) -+ printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", -+ GR_GLOBAL_UID(uid), GR_USER_BAN_TIME / 60); ++ gr_log_fs_int2(GR_DONT_AUDIT, GR_BRUTE_SUID_MSG, p->exec_file->f_path.dentry, p->exec_file->f_path.mnt, GR_GLOBAL_UID(uid), GR_USER_BAN_TIME / 60); + else if (daemon) + gr_log_noargs(GR_DONT_AUDIT, GR_BRUTE_DAEMON_MSG); + @@ -66132,11 +66109,10 @@ index 0000000..e09715a + GR_GLOBAL_UID(uid)); + /* we intentionally leak this ref */ + user = get_uid(current->cred->user); -+ if (user) { -+ user->banned = 1; -+ user->ban_expires = ~0UL; -+ } ++ if (user) ++ user->kernel_banned = 1; + ++ /* kill all processes of this user */ + read_lock(&tasklist_lock); + do_each_thread(tsk2, tsk) { + cred = __task_cred(tsk); @@ -66148,25 +66124,49 @@ index 0000000..e09715a +#endif +} + -+int __gr_process_user_ban(struct user_struct *user) ++#ifdef CONFIG_GRKERNSEC_BRUTE ++static bool suid_ban_expired(struct user_struct *user) +{ -+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE) -+ if (unlikely(user->banned)) { -+ if (user->ban_expires != ~0UL && time_after_eq(get_seconds(), user->ban_expires)) { -+ user->banned = 0; -+ user->ban_expires = 0; -+ free_uid(user); -+ } else -+ return -EPERM; ++ if (user->suid_ban_expires != ~0UL && time_after_eq(get_seconds(), user->suid_ban_expires)) { ++ user->suid_banned = 0; ++ user->suid_ban_expires = 0; ++ free_uid(user); ++ return true; + } ++ ++ return false; ++} ++#endif ++ ++int gr_process_kernel_exec_ban(void) ++{ ++#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT ++ if (unlikely(current->cred->user->kernel_banned)) ++ return -EPERM; ++#endif ++ return 0; ++} ++ ++int gr_process_kernel_setuid_ban(struct user_struct *user) ++{ ++#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT ++ if (unlikely(user->kernel_banned)) ++ gr_fake_force_sig(SIGKILL, current); +#endif + return 0; +} + -+int gr_process_user_ban(void) ++int gr_process_suid_exec_ban(const struct linux_binprm *bprm) +{ -+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE) -+ return __gr_process_user_ban(current->cred->user); ++#ifdef CONFIG_GRKERNSEC_BRUTE ++ struct user_struct *user = current->cred->user; ++ if (unlikely(user->suid_banned)) { ++ if (suid_ban_expired(user)) ++ return 0; ++ /* disallow execution of suid binaries only */ ++ else if (!uid_eq(bprm->cred->euid, current->cred->uid)) ++ return -EPERM; ++ } +#endif + return 0; +} @@ -69201,10 +69201,10 @@ index 0000000..be66033 +#endif diff --git a/include/linux/grinternal.h b/include/linux/grinternal.h new file mode 100644 -index 0000000..5402bce +index 0000000..12994b5 --- /dev/null +++ b/include/linux/grinternal.h -@@ -0,0 +1,215 @@ +@@ -0,0 +1,227 @@ +#ifndef __GRINTERNAL_H +#define __GRINTERNAL_H + @@ -69318,6 +69318,18 @@ index 0000000..5402bce + +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry) + ++static inline bool gr_is_same_file(const struct file *file1, const struct file *file2) ++{ ++ if (file1 && file2) { ++ const struct inode *inode1 = file1->f_path.dentry->d_inode; ++ const struct inode *inode2 = file2->f_path.dentry->d_inode; ++ if (inode1->i_ino == inode2->i_ino && inode1->i_sb->s_dev == inode2->i_sb->s_dev) ++ return true; ++ } ++ ++ return false; ++} ++ +#define GR_CHROOT_CAPS {{ \ + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \ + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \ @@ -69422,10 +69434,10 @@ index 0000000..5402bce +#endif diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h new file mode 100644 -index 0000000..2bd4c8d +index 0000000..2f159b5 --- /dev/null +++ b/include/linux/grmsg.h -@@ -0,0 +1,111 @@ +@@ -0,0 +1,112 @@ +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u" +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u" +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by " @@ -69537,12 +69549,13 @@ index 0000000..2bd4c8d +#define GR_BADPROCPID_MSG "denied read of sensitive /proc/pid/%s entry via fd passed across exec by " +#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by " +#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for " ++#define GR_BRUTE_SUID_MSG "bruteforce prevention initiated due to crash of %.950s against uid %u, banning suid/sgid execs for %u minutes. Please investigate the crash report for " diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h new file mode 100644 -index 0000000..d7ef0ac +index 0000000..d957f6d --- /dev/null +++ b/include/linux/grsecurity.h -@@ -0,0 +1,242 @@ +@@ -0,0 +1,241 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H +#include <linux/fs.h> @@ -69567,7 +69580,6 @@ index 0000000..d7ef0ac +void gr_handle_brute_attach(unsigned long mm_flags); +void gr_handle_brute_check(void); +void gr_handle_kernel_exploit(void); -+int gr_process_user_ban(void); + +char gr_roletype_to_char(void); + @@ -71444,7 +71456,7 @@ index 6dacb93..6174423 100644 static inline void anon_vma_merge(struct vm_area_struct *vma, struct vm_area_struct *next) diff --git a/include/linux/sched.h b/include/linux/sched.h -index be4e742..7f9d593 100644 +index be4e742..01f1387 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -62,6 +62,7 @@ struct bio_list; @@ -71501,19 +71513,22 @@ index be4e742..7f9d593 100644 #ifdef CONFIG_AUDIT unsigned audit_tty; struct tty_audit_buf *tty_audit_buf; -@@ -683,6 +707,11 @@ struct user_struct { +@@ -683,6 +707,14 @@ struct user_struct { struct key *session_keyring; /* UID's default session keyring */ #endif -+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE) -+ unsigned int banned; -+ unsigned long ban_expires; ++#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT ++ unsigned char kernel_banned; ++#endif ++#ifdef CONFIG_GRKERNSEC_BRUTE ++ unsigned char suid_banned; ++ unsigned long suid_ban_expires; +#endif + /* Hash table maintenance information */ struct hlist_node uidhash_node; kuid_t uid; -@@ -1082,7 +1111,7 @@ struct sched_class { +@@ -1082,7 +1114,7 @@ struct sched_class { #ifdef CONFIG_FAIR_GROUP_SCHED void (*task_move_group) (struct task_struct *p, int on_rq); #endif @@ -71522,7 +71537,7 @@ index be4e742..7f9d593 100644 struct load_weight { unsigned long weight, inv_weight; -@@ -1323,8 +1352,8 @@ struct task_struct { +@@ -1323,8 +1355,8 @@ struct task_struct { struct list_head thread_group; struct completion *vfork_done; /* for vfork() */ @@ -71533,7 +71548,7 @@ index be4e742..7f9d593 100644 cputime_t utime, stime, utimescaled, stimescaled; cputime_t gtime; -@@ -1349,11 +1378,6 @@ struct task_struct { +@@ -1349,11 +1381,6 @@ struct task_struct { struct task_cputime cputime_expires; struct list_head cpu_timers[3]; @@ -71545,7 +71560,7 @@ index be4e742..7f9d593 100644 char comm[TASK_COMM_LEN]; /* executable name excluding path - access with [gs]et_task_comm (which lock it with task_lock()) -@@ -1370,6 +1394,10 @@ struct task_struct { +@@ -1370,6 +1397,10 @@ struct task_struct { #endif /* CPU-specific state of this task */ struct thread_struct thread; @@ -71556,7 +71571,7 @@ index be4e742..7f9d593 100644 /* filesystem information */ struct fs_struct *fs; /* open file information */ -@@ -1443,6 +1471,10 @@ struct task_struct { +@@ -1443,6 +1474,10 @@ struct task_struct { gfp_t lockdep_reclaim_gfp; #endif @@ -71567,7 +71582,7 @@ index be4e742..7f9d593 100644 /* journalling filesystem info */ void *journal_info; -@@ -1481,6 +1513,10 @@ struct task_struct { +@@ -1481,6 +1516,10 @@ struct task_struct { /* cg_list protected by css_set_lock and tsk->alloc_lock */ struct list_head cg_list; #endif @@ -71578,7 +71593,7 @@ index be4e742..7f9d593 100644 #ifdef CONFIG_FUTEX struct robust_list_head __user *robust_list; #ifdef CONFIG_COMPAT -@@ -1577,8 +1613,74 @@ struct task_struct { +@@ -1577,8 +1616,74 @@ struct task_struct { #ifdef CONFIG_UPROBES struct uprobe_task *utask; #endif @@ -71653,7 +71668,7 @@ index be4e742..7f9d593 100644 /* Future-safe accessor for struct task_struct's cpus_allowed. */ #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed) -@@ -1637,7 +1739,7 @@ struct pid_namespace; +@@ -1637,7 +1742,7 @@ struct pid_namespace; pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type, struct pid_namespace *ns); @@ -71662,7 +71677,7 @@ index be4e742..7f9d593 100644 { return tsk->pid; } -@@ -2073,7 +2175,9 @@ void yield(void); +@@ -2073,7 +2178,9 @@ void yield(void); extern struct exec_domain default_exec_domain; union thread_union { @@ -71672,7 +71687,7 @@ index be4e742..7f9d593 100644 unsigned long stack[THREAD_SIZE/sizeof(long)]; }; -@@ -2106,6 +2210,7 @@ extern struct pid_namespace init_pid_ns; +@@ -2106,6 +2213,7 @@ extern struct pid_namespace init_pid_ns; */ extern struct task_struct *find_task_by_vpid(pid_t nr); @@ -71680,7 +71695,7 @@ index be4e742..7f9d593 100644 extern struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns); -@@ -2272,7 +2377,7 @@ extern void __cleanup_sighand(struct sighand_struct *); +@@ -2272,7 +2380,7 @@ extern void __cleanup_sighand(struct sighand_struct *); extern void exit_itimers(struct signal_struct *); extern void flush_itimer_signals(void); @@ -71689,7 +71704,7 @@ index be4e742..7f9d593 100644 extern int allow_signal(int); extern int disallow_signal(int); -@@ -2463,9 +2568,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) +@@ -2463,9 +2571,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) #endif @@ -82291,7 +82306,7 @@ index 79b7cf7..9944291 100644 capable(CAP_IPC_LOCK)) ret = do_mlockall(flags); diff --git a/mm/mmap.c b/mm/mmap.c -index 0dceed8..bfcaf45 100644 +index 0dceed8..a559c2e 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -33,6 +33,7 @@ @@ -82701,7 +82716,7 @@ index 0dceed8..bfcaf45 100644 +unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags) +{ + if ((mm->pax_flags & MF_PAX_RANDMMAP) && !filp && (flags & MAP_STACK)) -+ return (random32() & 0xFF) << PAGE_SHIFT; ++ return ((random32() & 0xFF) + 1) << PAGE_SHIFT; + + return 0; +} @@ -85978,20 +85993,10 @@ index 6a93614..1415549 100644 err = -EFAULT; break; diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c -index c5f9cd6..dfc8ec1 100644 +index 04b32e1..dfc8ec1 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c -@@ -2743,6 +2743,9 @@ static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code, - BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u", - conn, code, ident, dlen); - -+ if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE) -+ return NULL; -+ - len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen; - count = min_t(unsigned int, conn->mtu, len); - -@@ -3395,8 +3398,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, +@@ -3398,8 +3398,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, break; case L2CAP_CONF_RFC: @@ -86004,15 +86009,6 @@ index c5f9cd6..dfc8ec1 100644 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) && rfc.mode != chan->mode) -@@ -4221,7 +4226,7 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn, - struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data; - u16 type, result; - -- if (cmd_len != sizeof(*rsp)) -+ if (cmd_len < sizeof(*rsp)) - return -EPROTO; - - type = __le16_to_cpu(rsp->type); diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index 1bcfb84..dad9f98 100644 --- a/net/bluetooth/l2cap_sock.c @@ -88850,7 +88846,7 @@ index 843d8c4..cb04fa1 100644 if (local->use_chanctx) *chandef = local->monitor_chandef; diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h -index 5672533..6738c93 100644 +index 4e74cd6..963b8a1 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -28,6 +28,7 @@ @@ -89008,7 +89004,7 @@ index c97a065..ff61928 100644 return p; diff --git a/net/mac80211/util.c b/net/mac80211/util.c -index 0f38f43..e53d4a8 100644 +index 1f4b908..c4def45 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -1388,7 +1388,7 @@ int ieee80211_reconfig(struct ieee80211_local *local) |