diff options
-rw-r--r-- | main/linux-grsec/APKBUILD | 28 | ||||
-rw-r--r-- | main/linux-grsec/grsecurity-3.1-3.14.37-201504051405.patch (renamed from main/linux-grsec/grsecurity-3.1-3.14.37-201503270048.patch) | 588 | ||||
-rw-r--r-- | main/linux-grsec/kernelconfig.armhf | 27 | ||||
-rw-r--r-- | main/linux-grsec/kernelconfig.x86 | 7 | ||||
-rw-r--r-- | main/linux-grsec/kernelconfig.x86_64 | 7 |
5 files changed, 547 insertions, 110 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index 3996e6ef9c..c44d3258b1 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD @@ -7,7 +7,7 @@ case $pkgver in *.*.*) _kernver=${pkgver%.*};; *.*) _kernver=${pkgver};; esac -pkgrel=1 +pkgrel=2 pkgdesc="Linux kernel with grsecurity" url=http://grsecurity.net depends="mkinitfs linux-firmware" @@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}} install= source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz - grsecurity-3.1-3.14.37-201503270048.patch + grsecurity-3.1-3.14.37-201504051405.patch fix-memory-map-for-PIE-applications.patch imx6q-no-unclocked-sleep.patch @@ -166,25 +166,25 @@ dev() { md5sums="b621207b3f6ecbb67db18b13258f8ea8 linux-3.14.tar.xz cbc19671d2c8bab0eaf18bf3afa54f7b patch-3.14.37.xz -0d1341b1b8588274baa747e40db8df57 grsecurity-3.1-3.14.37-201503270048.patch +16c2185b59f85b66ba9679eb5f389104 grsecurity-3.1-3.14.37-201504051405.patch c6a4ae7e8ca6159e1631545515805216 fix-memory-map-for-PIE-applications.patch 1a307fc1d63231bf01d22493a4f14378 imx6q-no-unclocked-sleep.patch -509a706cb2f0d40b3fe1ceaba4c8b47c kernelconfig.x86 -e451ad5c3e590e4bd73ef45704428ee8 kernelconfig.x86_64 -e18158a62b940c4b12bafbacd1e00639 kernelconfig.armhf" +78060d5fe4d22f3ff8ebdad76f2a99f0 kernelconfig.x86 +6af32d44523b76b23714fd8eb6d7ee27 kernelconfig.x86_64 +2088fe977722158d7989f928084d52ca kernelconfig.armhf" sha256sums="61558aa490855f42b6340d1a1596be47454909629327c49a5e4e10268065dffa linux-3.14.tar.xz ae2c25e7c53bffaf4e6f951a56eaa8ca645e7125cd28f16f870b7dc8aaa66b49 patch-3.14.37.xz -0e533151c70a94084f6c408c3d77ed2c61e8bf96c347cc29e655a4511382dde7 grsecurity-3.1-3.14.37-201503270048.patch +43ffb9159085c7194a6f3e767cb9fcd6b7a99ec4a79e187714a2714e5ef93970 grsecurity-3.1-3.14.37-201504051405.patch 500f3577310be52e87b9fecdc2e9c4ca43210fd97d69089f9005d484563f74c7 fix-memory-map-for-PIE-applications.patch 21179fbb22a5b74af0a609350ae1a170e232908572b201d02e791d2ce0a685d3 imx6q-no-unclocked-sleep.patch -cb737416dbd1ff03372c924e3fa52ddaba5209adb46a82dd19ce20774753f7a9 kernelconfig.x86 -61a463b7595e34728fd002589713555a7084d8595ee878e5a0e9429a5d620d3b kernelconfig.x86_64 -655e230d216896c769ec184cb7ec4f95aea3a13326251ffdf35c17426687d1b9 kernelconfig.armhf" +66196a945d55ce0a164dc5a4303db77c1f47641ab8bf7b53e87f3f39bf23f356 kernelconfig.x86 +77ef1ce8fb80c93aaa9a1c629d5708a409184a72de480cd219f777eaec02caaf kernelconfig.x86_64 +636419c6970c24ae6e02889f641aff606eb237c0ac1796efd992c545f77bc579 kernelconfig.armhf" sha512sums="5730d83a7a81134c1e77c0bf89e42dee4f8251ad56c1ac2be20c59e26fdfaa7bea55f277e7af156b637f22e1584914a46089af85039177cb43485089c74ac26e linux-3.14.tar.xz 40439c1262331ffd594a110bab6c2da04abd7718fb3f79661de46e0c7cd99d4d8e003bb412be2348df843d7d9abe310caf1e3cc1ec5343e4b92f0769b9cfada4 patch-3.14.37.xz -139ed90ebf47aeb7f0bfd4c64a3e8c1b387641500f9ec4a972ec1ed2b9583b4b4e9618502b025dc83bbe08ab12735d78e1998c22c682c04b322ccd01db616bc5 grsecurity-3.1-3.14.37-201503270048.patch +a5cd91d5aed495a34393fe0d4a944b4d8f7b7beabdf007c079711699f4d8b8dfa573827aa0358ad9efd4aef49192fa978567ec4f4de93982cf8afd63a90dec63 grsecurity-3.1-3.14.37-201504051405.patch 4665c56ae1bbac311f9205d64918e84ee8b01d47d6e2396ff6b8adfb10aada7f7254531ce62e31edbb65c2a54a830f09ad05d314dfcd75d6272f4068945ad7c7 fix-memory-map-for-PIE-applications.patch 87d1ad59732f265a5b0db54490dc1762c14ea4b868e7eb1aedc3ce57b48046de7bbc08cf5cfcf6f1380fa84063b0edb16ba3d5e3c5670be9bbb229275c88b221 imx6q-no-unclocked-sleep.patch -1aed15e4b3db162e13ed1e17f19251c995e42623590a5dd112398fe16e34d1bd0e31da212993685836891d6b0063a6fab5175f90dcefe1872462d682510e3fb2 kernelconfig.x86 -e4d84befd2af779ce94d1a4b96bd0dc154718efcf1a418fab4e2d83ff16d3fb2e44d2173a6e7d71125a4b243337ead7d582379c556561476d7724069a80b65d2 kernelconfig.x86_64 -a324821ce93d4c7a019bb0760baca2ca8a009b168acfb4d9ffcde8185411fac930327cc52d75ca4431fb65cf60ea03d4b539f7477f24b84fa8ab80d502c65f86 kernelconfig.armhf" +63b99a936f8ca561e42590ec639b2a86face1198c6a05d3450ff275ae3651f142e1a08795064562be7ad228097687f3fd745b19c1cdb0f48dcd1eeb2634fd46c kernelconfig.x86 +d1e5c64796e29bbed2c6460e6a240cb31ec0cb6c2a6467a459efa14a620a6c0003c01cc925e3de8e272bbf8a82d6afa639d7703f895d5d3ccea069ea82db5104 kernelconfig.x86_64 +2b8d7afc769398b32eb03850069bde6ddb06ea54deea08d6c85356fb9c9d1d851ff3e72cf55d598aa2c56608efbf1b10e5051f1e07f0178dff5f1aa886fc843d kernelconfig.armhf" diff --git a/main/linux-grsec/grsecurity-3.1-3.14.37-201503270048.patch b/main/linux-grsec/grsecurity-3.1-3.14.37-201504051405.patch index e462e33ba7..b383085465 100644 --- a/main/linux-grsec/grsecurity-3.1-3.14.37-201503270048.patch +++ b/main/linux-grsec/grsecurity-3.1-3.14.37-201504051405.patch @@ -235,21 +235,24 @@ index b89a739..e289b9b 100644 +zconf.lex.c zoffset.h diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt -index 5d91ba1..935a4e7 100644 +index 5d91ba1..ef1d374 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt -@@ -1084,6 +1084,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. +@@ -1084,6 +1084,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted. Format: <unsigned int> such that (rxsize & ~0x1fffc0) == 0. Default: 1024 + grsec_proc_gid= [GRKERNSEC_PROC_USERGROUP] Chooses GID to + ignore grsecurity's /proc restrictions + ++ grsec_sysfs_restrict= Format: 0 | 1 ++ Default: 1 ++ Disables GRKERNSEC_SYSFS_RESTRICT if enabled in config + hashdist= [KNL,NUMA] Large hashes allocated during boot are distributed across NUMA nodes. Defaults on for 64-bit NUMA, off otherwise. -@@ -2081,6 +2085,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. +@@ -2081,6 +2088,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. noexec=on: enable non-executable mappings (default) noexec=off: disable non-executable mappings @@ -260,7 +263,7 @@ index 5d91ba1..935a4e7 100644 nosmap [X86] Disable SMAP (Supervisor Mode Access Prevention) even if it is supported by processor. -@@ -2348,6 +2356,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted. +@@ -2348,6 +2359,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted. the specified number of seconds. This is to be used if your oopses keep scrolling off the screen. @@ -10165,10 +10168,18 @@ index 0167d26..767bb0c 100644 #include <asm/uaccess_64.h> #else diff --git a/arch/sparc/include/asm/uaccess_32.h b/arch/sparc/include/asm/uaccess_32.h -index 53a28dd..50c38c3 100644 +index 53a28dd..6e11369 100644 --- a/arch/sparc/include/asm/uaccess_32.h +++ b/arch/sparc/include/asm/uaccess_32.h -@@ -250,27 +250,46 @@ extern unsigned long __copy_user(void __user *to, const void __user *from, unsig +@@ -47,6 +47,7 @@ + #define __user_ok(addr, size) ({ (void)(size); (addr) < STACK_TOP; }) + #define __kernel_ok (segment_eq(get_fs(), KERNEL_DS)) + #define __access_ok(addr,size) (__user_ok((addr) & get_fs().seg,(size))) ++#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size)) + #define access_ok(type, addr, size) \ + ({ (void)(type); __access_ok((unsigned long)(addr), size); }) + +@@ -250,27 +251,46 @@ extern unsigned long __copy_user(void __user *to, const void __user *from, unsig static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n) { @@ -10220,7 +10231,7 @@ index 53a28dd..50c38c3 100644 } diff --git a/arch/sparc/include/asm/uaccess_64.h b/arch/sparc/include/asm/uaccess_64.h -index ad7e178..c9e7423 100644 +index ad7e178..26cd4a7 100644 --- a/arch/sparc/include/asm/uaccess_64.h +++ b/arch/sparc/include/asm/uaccess_64.h @@ -10,6 +10,7 @@ @@ -10231,7 +10242,19 @@ index ad7e178..c9e7423 100644 #include <asm/asi.h> #include <asm/spitfire.h> #include <asm-generic/uaccess-unaligned.h> -@@ -214,8 +215,15 @@ extern unsigned long copy_from_user_fixup(void *to, const void __user *from, +@@ -54,6 +55,11 @@ static inline int __access_ok(const void __user * addr, unsigned long size) + return 1; + } + ++static inline int access_ok_noprefault(int type, const void __user * addr, unsigned long size) ++{ ++ return 1; ++} ++ + static inline int access_ok(int type, const void __user * addr, unsigned long size) + { + return 1; +@@ -214,8 +220,15 @@ extern unsigned long copy_from_user_fixup(void *to, const void __user *from, static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long size) { @@ -10248,7 +10271,7 @@ index ad7e178..c9e7423 100644 if (unlikely(ret)) ret = copy_from_user_fixup(to, from, size); -@@ -231,8 +239,15 @@ extern unsigned long copy_to_user_fixup(void __user *to, const void *from, +@@ -231,8 +244,15 @@ extern unsigned long copy_to_user_fixup(void __user *to, const void *from, static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long size) { @@ -21150,7 +21173,7 @@ index c005fdd..e33da29 100644 if (c->x86_model == 3 && c->x86_mask == 0) size = 64; diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c -index e6bddd5..517213d 100644 +index e6bddd5..5b0c55c 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -88,60 +88,6 @@ static const struct cpu_dev default_cpu = { @@ -21283,10 +21306,20 @@ index e6bddd5..517213d 100644 gdt_descr.size = GDT_SIZE - 1; load_gdt(&gdt_descr); /* Reload the per-cpu base */ -@@ -885,6 +884,10 @@ static void identify_cpu(struct cpuinfo_x86 *c) +@@ -885,6 +884,20 @@ static void identify_cpu(struct cpuinfo_x86 *c) setup_smep(c); setup_smap(c); ++#ifdef CONFIG_X86_32 ++#ifdef CONFIG_PAX_PAGEEXEC ++ if (!(__supported_pte_mask & _PAGE_NX)) ++ clear_cpu_cap(c, X86_FEATURE_PSE); ++#endif ++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) ++ clear_cpu_cap(c, X86_FEATURE_SEP); ++#endif ++#endif ++ +#ifdef CONFIG_X86_64 + setup_pcid(c); +#endif @@ -21294,18 +21327,7 @@ index e6bddd5..517213d 100644 /* * The vendor-specific functions might have changed features. * Now we do "generic changes." -@@ -893,6 +896,10 @@ static void identify_cpu(struct cpuinfo_x86 *c) - /* Filter out anything that depends on CPUID levels we don't have */ - filter_cpuid_features(c, true); - -+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)) -+ setup_clear_cpu_cap(X86_FEATURE_SEP); -+#endif -+ - /* If the model name is still unset, do table lookup. */ - if (!c->x86_model_id[0]) { - const char *p; -@@ -1080,10 +1087,12 @@ static __init int setup_disablecpuid(char *arg) +@@ -1080,10 +1093,12 @@ static __init int setup_disablecpuid(char *arg) } __setup("clearcpuid=", setup_disablecpuid); @@ -21321,7 +21343,7 @@ index e6bddd5..517213d 100644 DEFINE_PER_CPU_FIRST(union irq_stack_union, irq_stack_union) __aligned(PAGE_SIZE) __visible; -@@ -1097,7 +1106,7 @@ DEFINE_PER_CPU(struct task_struct *, current_task) ____cacheline_aligned = +@@ -1097,7 +1112,7 @@ DEFINE_PER_CPU(struct task_struct *, current_task) ____cacheline_aligned = EXPORT_PER_CPU_SYMBOL(current_task); DEFINE_PER_CPU(unsigned long, kernel_stack) = @@ -21330,7 +21352,7 @@ index e6bddd5..517213d 100644 EXPORT_PER_CPU_SYMBOL(kernel_stack); DEFINE_PER_CPU(char *, irq_stack_ptr) = -@@ -1247,7 +1256,7 @@ void cpu_init(void) +@@ -1247,7 +1262,7 @@ void cpu_init(void) load_ucode_ap(); cpu = stack_smp_processor_id(); @@ -21339,7 +21361,7 @@ index e6bddd5..517213d 100644 oist = &per_cpu(orig_ist, cpu); #ifdef CONFIG_NUMA -@@ -1282,7 +1291,6 @@ void cpu_init(void) +@@ -1282,7 +1297,6 @@ void cpu_init(void) wrmsrl(MSR_KERNEL_GS_BASE, 0); barrier(); @@ -21347,7 +21369,7 @@ index e6bddd5..517213d 100644 enable_x2apic(); /* -@@ -1334,7 +1342,7 @@ void cpu_init(void) +@@ -1334,7 +1348,7 @@ void cpu_init(void) { int cpu = smp_processor_id(); struct task_struct *curr = current; @@ -30219,7 +30241,7 @@ index 7609e0e..b449b98 100644 } EXPORT_SYMBOL(csum_partial_copy_to_user); diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S -index a451235..1daa956 100644 +index a451235..a74bfa3 100644 --- a/arch/x86/lib/getuser.S +++ b/arch/x86/lib/getuser.S @@ -33,17 +33,40 @@ @@ -30244,8 +30266,6 @@ index a451235..1daa956 100644 GET_THREAD_INFO(%_ASM_DX) cmp TI_addr_limit(%_ASM_DX),%_ASM_AX jae bad_get_user - ASM_STAC --1: movzbl (%_ASM_AX),%edx + +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) + mov pax_user_shadow_base,%_ASM_DX @@ -30257,6 +30277,8 @@ index a451235..1daa956 100644 + +#endif + + ASM_STAC +-1: movzbl (%_ASM_AX),%edx +1: __copyuser_seg movzbl (%_ASM_AX),%edx xor %eax,%eax ASM_CLAC @@ -30274,8 +30296,6 @@ index a451235..1daa956 100644 GET_THREAD_INFO(%_ASM_DX) cmp TI_addr_limit(%_ASM_DX),%_ASM_AX jae bad_get_user - ASM_STAC --2: movzwl -1(%_ASM_AX),%edx + +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) + mov pax_user_shadow_base,%_ASM_DX @@ -30287,6 +30307,8 @@ index a451235..1daa956 100644 + +#endif + + ASM_STAC +-2: movzwl -1(%_ASM_AX),%edx +2: __copyuser_seg movzwl -1(%_ASM_AX),%edx xor %eax,%eax ASM_CLAC @@ -30304,8 +30326,6 @@ index a451235..1daa956 100644 GET_THREAD_INFO(%_ASM_DX) cmp TI_addr_limit(%_ASM_DX),%_ASM_AX jae bad_get_user - ASM_STAC --3: movl -3(%_ASM_AX),%edx + +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) + mov pax_user_shadow_base,%_ASM_DX @@ -30317,6 +30337,8 @@ index a451235..1daa956 100644 + +#endif + + ASM_STAC +-3: movl -3(%_ASM_AX),%edx +3: __copyuser_seg movl -3(%_ASM_AX),%edx xor %eax,%eax ASM_CLAC @@ -30895,7 +30917,7 @@ index f6d13ee..d789440 100644 3: CFI_RESTORE_STATE diff --git a/arch/x86/lib/putuser.S b/arch/x86/lib/putuser.S -index fc6ba17..d4d989d 100644 +index fc6ba17..14ad9a5 100644 --- a/arch/x86/lib/putuser.S +++ b/arch/x86/lib/putuser.S @@ -16,7 +16,9 @@ @@ -30943,8 +30965,6 @@ index fc6ba17..d4d989d 100644 + GET_THREAD_INFO(%_ASM_BX) cmp TI_addr_limit(%_ASM_BX),%_ASM_CX jae bad_put_user - ASM_STAC --1: movb %al,(%_ASM_CX) + +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) + mov pax_user_shadow_base,%_ASM_BX @@ -30956,6 +30976,8 @@ index fc6ba17..d4d989d 100644 + +#endif + + ASM_STAC +-1: movb %al,(%_ASM_CX) +1: __copyuser_seg movb %al,(_DEST) xor %eax,%eax EXIT @@ -30970,8 +30992,6 @@ index fc6ba17..d4d989d 100644 sub $1,%_ASM_BX cmp %_ASM_BX,%_ASM_CX jae bad_put_user - ASM_STAC --2: movw %ax,(%_ASM_CX) + +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) + mov pax_user_shadow_base,%_ASM_BX @@ -30983,6 +31003,8 @@ index fc6ba17..d4d989d 100644 + +#endif + + ASM_STAC +-2: movw %ax,(%_ASM_CX) +2: __copyuser_seg movw %ax,(_DEST) xor %eax,%eax EXIT @@ -30997,8 +31019,6 @@ index fc6ba17..d4d989d 100644 sub $3,%_ASM_BX cmp %_ASM_BX,%_ASM_CX jae bad_put_user - ASM_STAC --3: movl %eax,(%_ASM_CX) + +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) + mov pax_user_shadow_base,%_ASM_BX @@ -31010,6 +31030,8 @@ index fc6ba17..d4d989d 100644 + +#endif + + ASM_STAC +-3: movl %eax,(%_ASM_CX) +3: __copyuser_seg movl %eax,(_DEST) xor %eax,%eax EXIT @@ -31024,8 +31046,6 @@ index fc6ba17..d4d989d 100644 sub $7,%_ASM_BX cmp %_ASM_BX,%_ASM_CX jae bad_put_user - ASM_STAC --4: mov %_ASM_AX,(%_ASM_CX) + +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) + mov pax_user_shadow_base,%_ASM_BX @@ -31037,6 +31057,8 @@ index fc6ba17..d4d989d 100644 + +#endif + + ASM_STAC +-4: mov %_ASM_AX,(%_ASM_CX) +4: __copyuser_seg mov %_ASM_AX,(_DEST) #ifdef CONFIG_X86_32 -5: movl %edx,4(%_ASM_CX) @@ -43391,6 +43413,20 @@ index a841123..055ebeb 100644 if (!can_do_mlock()) return ERR_PTR(-EPERM); +diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c +index 2adc143..619e970 100644 +--- a/drivers/infiniband/core/uverbs_cmd.c ++++ b/drivers/infiniband/core/uverbs_cmd.c +@@ -923,6 +923,9 @@ ssize_t ib_uverbs_reg_mr(struct ib_uverbs_file *file, + if (copy_from_user(&cmd, buf, sizeof cmd)) + return -EFAULT; + ++ if (!access_ok_noprefault(VERIFY_READ, cmd.start, cmd.length)) ++ return -EFAULT; ++ + INIT_UDATA(&udata, buf + sizeof cmd, + (unsigned long) cmd.response + sizeof resp, + in_len - sizeof cmd, out_len - sizeof resp); diff --git a/drivers/infiniband/hw/cxgb4/mem.c b/drivers/infiniband/hw/cxgb4/mem.c index 41b1195..27971a0 100644 --- a/drivers/infiniband/hw/cxgb4/mem.c @@ -61038,21 +61074,32 @@ index 4366127..b8c2cf9 100644 dcache_init(); inode_init(); diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c -index 1ff8fe5..5bf8b25 100644 +index 1ff8fe5..31407fe 100644 --- a/fs/debugfs/inode.c +++ b/fs/debugfs/inode.c -@@ -424,7 +424,11 @@ EXPORT_SYMBOL_GPL(debugfs_create_file); +@@ -422,10 +422,20 @@ EXPORT_SYMBOL_GPL(debugfs_create_file); + * If debugfs is not enabled in the kernel, the value -%ENODEV will be + * returned. */ ++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT ++extern int grsec_enable_sysfs_restrict; ++#endif ++ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent) { +- return __create_file(name, S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO, +- parent, NULL, NULL); ++ umode_t mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO; ++ +#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT -+ return __create_file(name, S_IFDIR | S_IRWXU, -+#else - return __create_file(name, S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO, ++ if (grsec_enable_sysfs_restrict) ++ mode = S_IFDIR | S_IRWXU; +#endif - parent, NULL, NULL); ++ ++ return __create_file(name, mode, parent, NULL, NULL); } EXPORT_SYMBOL_GPL(debugfs_create_dir); + diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c index a85ceb7..5097313b 100644 --- a/fs/ecryptfs/inode.c @@ -68319,10 +68366,21 @@ index ae0c3ce..9ee641c 100644 generic_fillattr(inode, stat); return 0; diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c -index ee0d761..b346c58 100644 +index ee0d761..2f33d21 100644 --- a/fs/sysfs/dir.c +++ b/fs/sysfs/dir.c -@@ -62,9 +62,16 @@ void sysfs_warn_dup(struct kernfs_node *parent, const char *name) +@@ -54,6 +54,10 @@ void sysfs_warn_dup(struct kernfs_node *parent, const char *name) + kfree(path); + } + ++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT ++extern int grsec_enable_sysfs_restrict; ++#endif ++ + /** + * sysfs_create_dir_ns - create a directory for an object with a namespace tag + * @kobj: object we're creating directory for +@@ -62,9 +66,16 @@ void sysfs_warn_dup(struct kernfs_node *parent, const char *name) int sysfs_create_dir_ns(struct kobject *kobj, const void *ns) { struct kernfs_node *parent, *kn; @@ -68339,7 +68397,7 @@ index ee0d761..b346c58 100644 if (kobj->parent) parent = kobj->parent->sd; else -@@ -73,11 +80,22 @@ int sysfs_create_dir_ns(struct kobject *kobj, const void *ns) +@@ -73,11 +84,24 @@ int sysfs_create_dir_ns(struct kobject *kobj, const void *ns) if (!parent) return -ENOENT; @@ -68354,6 +68412,8 @@ index ee0d761..b346c58 100644 + (!strcmp(parent_name, "fs") && (!strcmp(name, "selinux") || !strcmp(name, "fuse") || !strcmp(name, "ecryptfs"))) || + (!strcmp(parent_name, "system") && !strcmp(name, "cpu"))) + mode = S_IRWXU | S_IRUGO | S_IXUGO; ++ if (!grsec_enable_sysfs_restrict) ++ mode = S_IRWXU | S_IRUGO | S_IXUGO; +#endif + + kn = kernfs_create_dir_ns(parent, name, @@ -88618,6 +88678,26 @@ index ef6103b..d4e65dd 100644 #define ELFMAG0 0x7f /* EI_MAG */ #define ELFMAG1 'E' #define ELFMAG2 'L' +diff --git a/include/uapi/linux/netfilter/xt_connlimit.h b/include/uapi/linux/netfilter/xt_connlimit.h +index f165609..d1366f0 100644 +--- a/include/uapi/linux/netfilter/xt_connlimit.h ++++ b/include/uapi/linux/netfilter/xt_connlimit.h +@@ -22,8 +22,13 @@ struct xt_connlimit_info { + #endif + }; + unsigned int limit; +- /* revision 1 */ +- __u32 flags; ++ union { ++ /* revision 0 */ ++ unsigned int inverse; ++ ++ /* revision 1 */ ++ __u32 flags; ++ }; + + /* Used internally by the kernel */ + struct xt_connlimit_data *data __attribute__((aligned(8))); diff --git a/include/uapi/linux/personality.h b/include/uapi/linux/personality.h index aa169c4..6a2771d 100644 --- a/include/uapi/linux/personality.h @@ -89117,7 +89197,7 @@ index 93b6139..8d628b7 100644 next_state = Reset; return 0; diff --git a/init/main.c b/init/main.c -index 58c132d..ac3f3b0 100644 +index 58c132d..310b5fa 100644 --- a/init/main.c +++ b/init/main.c @@ -97,6 +97,8 @@ extern void radix_tree_init(void); @@ -89129,7 +89209,7 @@ index 58c132d..ac3f3b0 100644 /* * Debug helper: via this flag we know that we are in 'early bootup code' * where only the boot processor is running with IRQ disabled. This means -@@ -158,6 +160,75 @@ static int __init set_reset_devices(char *str) +@@ -158,6 +160,85 @@ static int __init set_reset_devices(char *str) __setup("reset_devices", set_reset_devices); @@ -89142,6 +89222,16 @@ index 58c132d..ac3f3b0 100644 +} +__setup("grsec_proc_gid=", setup_grsec_proc_gid); +#endif ++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT ++int grsec_enable_sysfs_restrict = 1; ++static int __init setup_grsec_sysfs_restrict(char *str) ++{ ++ if (!simple_strtol(str, NULL, 0)) ++ grsec_enable_sysfs_restrict = 0; ++ return 1; ++} ++__setup("grsec_sysfs_restrict", setup_grsec_sysfs_restrict); ++#endif + +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) +unsigned long pax_user_shadow_base __read_only; @@ -89205,7 +89295,7 @@ index 58c132d..ac3f3b0 100644 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, }; const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, }; static const char *panic_later, *panic_param; -@@ -692,25 +763,24 @@ int __init_or_module do_one_initcall(initcall_t fn) +@@ -692,25 +773,24 @@ int __init_or_module do_one_initcall(initcall_t fn) { int count = preempt_count(); int ret; @@ -89236,7 +89326,7 @@ index 58c132d..ac3f3b0 100644 return ret; } -@@ -817,8 +887,8 @@ static int run_init_process(const char *init_filename) +@@ -817,8 +897,8 @@ static int run_init_process(const char *init_filename) { argv_init[0] = init_filename; return do_execve(getname_kernel(init_filename), @@ -89247,7 +89337,7 @@ index 58c132d..ac3f3b0 100644 } static int try_to_run_init_process(const char *init_filename) -@@ -835,6 +905,10 @@ static int try_to_run_init_process(const char *init_filename) +@@ -835,6 +915,10 @@ static int try_to_run_init_process(const char *init_filename) return ret; } @@ -89258,7 +89348,7 @@ index 58c132d..ac3f3b0 100644 static noinline void __init kernel_init_freeable(void); static int __ref kernel_init(void *unused) -@@ -859,6 +933,11 @@ static int __ref kernel_init(void *unused) +@@ -859,6 +943,11 @@ static int __ref kernel_init(void *unused) ramdisk_execute_command, ret); } @@ -89270,7 +89360,7 @@ index 58c132d..ac3f3b0 100644 /* * We try each of these until one succeeds. * -@@ -914,7 +993,7 @@ static noinline void __init kernel_init_freeable(void) +@@ -914,7 +1003,7 @@ static noinline void __init kernel_init_freeable(void) do_basic_setup(); /* Open the /dev/console on the rootfs, this should never fail */ @@ -89279,7 +89369,7 @@ index 58c132d..ac3f3b0 100644 pr_err("Warning: unable to open an initial console.\n"); (void) sys_dup(0); -@@ -927,11 +1006,13 @@ static noinline void __init kernel_init_freeable(void) +@@ -927,11 +1016,13 @@ static noinline void __init kernel_init_freeable(void) if (!ramdisk_execute_command) ramdisk_execute_command = "/init"; @@ -95201,7 +95291,7 @@ index e3be87e..abc908f 100644 /* make curr_ret_stack visible before we add the ret_stack */ smp_wmb(); diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c -index 774a080..7fa60b1 100644 +index 774a080..d09b170 100644 --- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c @@ -352,9 +352,9 @@ struct buffer_data_page { @@ -95216,17 +95306,22 @@ index 774a080..7fa60b1 100644 unsigned long real_end; /* real end of data */ struct buffer_data_page *page; /* Actual data page */ }; -@@ -473,8 +473,8 @@ struct ring_buffer_per_cpu { +@@ -473,11 +473,11 @@ struct ring_buffer_per_cpu { unsigned long last_overrun; local_t entries_bytes; local_t entries; - local_t overrun; - local_t commit_overrun; +- local_t dropped_events; + local_unchecked_t overrun; + local_unchecked_t commit_overrun; - local_t dropped_events; ++ local_unchecked_t dropped_events; local_t committing; - local_t commits; +- local_t commits; ++ local_unchecked_t commits; + unsigned long read; + unsigned long read_bytes; + u64 write_stamp; @@ -1005,8 +1005,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer, * * We add a counter to the write field to denote this. @@ -95318,6 +95413,15 @@ index 774a080..7fa60b1 100644 goto out_reset; } +@@ -2330,7 +2330,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer, + * this is easy, just stop here. + */ + if (!(buffer->flags & RB_FL_OVERWRITE)) { +- local_inc(&cpu_buffer->dropped_events); ++ local_inc_unchecked(&cpu_buffer->dropped_events); + goto out_reset; + } + @@ -2356,7 +2356,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer, cpu_buffer->tail_page) && (cpu_buffer->commit_page == @@ -95363,6 +95467,42 @@ index 774a080..7fa60b1 100644 if (index == old_index) { /* update counters */ local_sub(event_length, &cpu_buffer->entries_bytes); +@@ -2486,7 +2486,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer, + static void rb_start_commit(struct ring_buffer_per_cpu *cpu_buffer) + { + local_inc(&cpu_buffer->committing); +- local_inc(&cpu_buffer->commits); ++ local_inc_unchecked(&cpu_buffer->commits); + } + + static inline void rb_end_commit(struct ring_buffer_per_cpu *cpu_buffer) +@@ -2498,7 +2498,7 @@ static inline void rb_end_commit(struct ring_buffer_per_cpu *cpu_buffer) + return; + + again: +- commits = local_read(&cpu_buffer->commits); ++ commits = local_read_unchecked(&cpu_buffer->commits); + /* synchronize with interrupts */ + barrier(); + if (local_read(&cpu_buffer->committing) == 1) +@@ -2514,7 +2514,7 @@ static inline void rb_end_commit(struct ring_buffer_per_cpu *cpu_buffer) + * updating of the commit page and the clearing of the + * committing counter. + */ +- if (unlikely(local_read(&cpu_buffer->commits) != commits) && ++ if (unlikely(local_read_unchecked(&cpu_buffer->commits) != commits) && + !local_read(&cpu_buffer->committing)) { + local_inc(&cpu_buffer->committing); + goto again; +@@ -2544,7 +2544,7 @@ rb_reserve_next_event(struct ring_buffer *buffer, + barrier(); + if (unlikely(ACCESS_ONCE(cpu_buffer->buffer) != buffer)) { + local_dec(&cpu_buffer->committing); +- local_dec(&cpu_buffer->commits); ++ local_dec_unchecked(&cpu_buffer->commits); + return NULL; + } + #endif @@ -2863,7 +2863,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer, /* Do the likely case first */ @@ -95408,6 +95548,15 @@ index 774a080..7fa60b1 100644 return ret; } +@@ -3293,7 +3293,7 @@ ring_buffer_dropped_events_cpu(struct ring_buffer *buffer, int cpu) + return 0; + + cpu_buffer = buffer->buffers[cpu]; +- ret = local_read(&cpu_buffer->dropped_events); ++ ret = local_read_unchecked(&cpu_buffer->dropped_events); + + return ret; + } @@ -3356,7 +3356,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer) /* if you care about this being correct, lock the buffer */ for_each_buffer_cpu(buffer, cpu) { @@ -95448,7 +95597,7 @@ index 774a080..7fa60b1 100644 local_set(&cpu_buffer->head_page->page->commit, 0); cpu_buffer->head_page->read = 0; -@@ -4145,14 +4145,14 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) +@@ -4145,18 +4145,18 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) INIT_LIST_HEAD(&cpu_buffer->reader_page->list); INIT_LIST_HEAD(&cpu_buffer->new_pages); @@ -95462,11 +95611,17 @@ index 774a080..7fa60b1 100644 local_set(&cpu_buffer->entries_bytes, 0); - local_set(&cpu_buffer->overrun, 0); - local_set(&cpu_buffer->commit_overrun, 0); +- local_set(&cpu_buffer->dropped_events, 0); + local_set_unchecked(&cpu_buffer->overrun, 0); + local_set_unchecked(&cpu_buffer->commit_overrun, 0); - local_set(&cpu_buffer->dropped_events, 0); ++ local_set_unchecked(&cpu_buffer->dropped_events, 0); local_set(&cpu_buffer->entries, 0); local_set(&cpu_buffer->committing, 0); +- local_set(&cpu_buffer->commits, 0); ++ local_set_unchecked(&cpu_buffer->commits, 0); + cpu_buffer->read = 0; + cpu_buffer->read_bytes = 0; + @@ -4557,8 +4557,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer, rb_init_page(bpage); bpage = reader->page; @@ -96410,6 +96565,22 @@ index f07a40d..0a445a7 100644 retval = 1; } spin_unlock(&lockref->lock); +diff --git a/lib/nlattr.c b/lib/nlattr.c +index 10ad042d..25b47b5 100644 +--- a/lib/nlattr.c ++++ b/lib/nlattr.c +@@ -274,7 +274,11 @@ int nla_memcpy(void *dest, const struct nlattr *src, int count) + { + int minlen = min_t(int, count, nla_len(src)); + ++ BUG_ON(minlen < 0); ++ + memcpy(dest, nla_data(src), minlen); ++ if (count > minlen) ++ memset(dest + minlen, 0, count - minlen); + + return minlen; + } diff --git a/lib/percpu-refcount.c b/lib/percpu-refcount.c index 963b703..438bc51 100644 --- a/lib/percpu-refcount.c @@ -103893,6 +104064,19 @@ index bf2cb4a..d83ba8a 100644 p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW; p->rate_tokens = 0; /* 60*HZ is arbitrary, but chosen enough high so that the first +diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c +index ecb34b5..5c5ab40 100644 +--- a/net/ipv4/ip_forward.c ++++ b/net/ipv4/ip_forward.c +@@ -82,7 +82,7 @@ static int ip_forward_finish_gso(struct sk_buff *skb) + + features = netif_skb_dev_features(skb, dst->dev); + segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK); +- if (IS_ERR(segs)) { ++ if (IS_ERR_OR_NULL(segs)) { + kfree_skb(skb); + return -ENOMEM; + } diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c index 9ff497d..877a388 100644 --- a/net/ipv4/ip_fragment.c @@ -106767,6 +106951,19 @@ index 6ff12a1..d1815b6 100644 goto nla_put_failure; if (data_len) { +diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c +index 108120f..5b169db 100644 +--- a/net/netfilter/nfnetlink_queue_core.c ++++ b/net/netfilter/nfnetlink_queue_core.c +@@ -665,7 +665,7 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum) + * returned by nf_queue. For instance, callers rely on -ECANCELED to + * mean 'ignore this hook'. + */ +- if (IS_ERR(segs)) ++ if (IS_ERR_OR_NULL(segs)) + goto out_err; + queued = 0; + err = 0; diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c index 7350723..c58f861 100644 --- a/net/netfilter/nft_compat.c @@ -106789,6 +106986,60 @@ index 7350723..c58f861 100644 set_fs(old_fs); ret = nla_put(skb, NFTA_MATCH_INFO, XT_ALIGN(m->matchsize), out); kfree(out); +diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c +index c40b269..b73fd7d 100644 +--- a/net/netfilter/xt_connlimit.c ++++ b/net/netfilter/xt_connlimit.c +@@ -274,25 +274,38 @@ static void connlimit_mt_destroy(const struct xt_mtdtor_param *par) + kfree(info->data); + } + +-static struct xt_match connlimit_mt_reg __read_mostly = { +- .name = "connlimit", +- .revision = 1, +- .family = NFPROTO_UNSPEC, +- .checkentry = connlimit_mt_check, +- .match = connlimit_mt, +- .matchsize = sizeof(struct xt_connlimit_info), +- .destroy = connlimit_mt_destroy, +- .me = THIS_MODULE, ++static struct xt_match connlimit_mt_reg[] __read_mostly = { ++ { ++ .name = "connlimit", ++ .revision = 0, ++ .family = NFPROTO_UNSPEC, ++ .checkentry = connlimit_mt_check, ++ .match = connlimit_mt, ++ .matchsize = sizeof(struct xt_connlimit_info), ++ .destroy = connlimit_mt_destroy, ++ .me = THIS_MODULE, ++ }, ++ { ++ .name = "connlimit", ++ .revision = 1, ++ .family = NFPROTO_UNSPEC, ++ .checkentry = connlimit_mt_check, ++ .match = connlimit_mt, ++ .matchsize = sizeof(struct xt_connlimit_info), ++ .destroy = connlimit_mt_destroy, ++ .me = THIS_MODULE, ++ }, + }; + + static int __init connlimit_mt_init(void) + { +- return xt_register_match(&connlimit_mt_reg); ++ return xt_register_matches(connlimit_mt_reg, ++ ARRAY_SIZE(connlimit_mt_reg)); + } + + static void __exit connlimit_mt_exit(void) + { +- xt_unregister_match(&connlimit_mt_reg); ++ xt_unregister_matches(connlimit_mt_reg, ARRAY_SIZE(connlimit_mt_reg)); + } + + module_init(connlimit_mt_init); diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c new file mode 100644 index 0000000..c566332 @@ -106945,6 +107196,19 @@ index b74aa07..d41926e 100644 sax->fsa_ax25.sax25_call = nr->source_addr; *uaddr_len = sizeof(struct sockaddr_ax25); } +diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c +index 270b77d..0a9d0981 100644 +--- a/net/openvswitch/datapath.c ++++ b/net/openvswitch/datapath.c +@@ -314,6 +314,8 @@ static int queue_gso_packets(struct datapath *dp, struct sk_buff *skb, + segs = __skb_gso_segment(skb, NETIF_F_SG, false); + if (IS_ERR(segs)) + return PTR_ERR(segs); ++ if (segs == NULL) ++ return -EINVAL; + + /* Queue all of the segments. */ + skb = segs; diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 48b1817..d2c096b 100644 --- a/net/packet/af_packet.c @@ -108758,6 +109022,19 @@ index 0917f04..f4e3d8c 100644 return -ENOMEM; if (!proc_create("x25/route", S_IRUGO, init_net.proc_net, +diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c +index 3bb2cdc..616d812 100644 +--- a/net/xfrm/xfrm_output.c ++++ b/net/xfrm/xfrm_output.c +@@ -157,6 +157,8 @@ static int xfrm_output_gso(struct sk_buff *skb) + kfree_skb(skb); + if (IS_ERR(segs)) + return PTR_ERR(segs); ++ if (segs == NULL) ++ return -EINVAL; + + do { + struct sk_buff *nskb = segs->next; diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 59cf325..e7fa6f0 100644 --- a/net/xfrm/xfrm_policy.c @@ -112954,10 +113231,10 @@ index 0000000..3b5af59 +} diff --git a/tools/gcc/gcc-common.h b/tools/gcc/gcc-common.h new file mode 100644 -index 0000000..cd95c07 +index 0000000..14ec226 --- /dev/null +++ b/tools/gcc/gcc-common.h -@@ -0,0 +1,375 @@ +@@ -0,0 +1,520 @@ +#ifndef GCC_COMMON_H_INCLUDED +#define GCC_COMMON_H_INCLUDED + @@ -113038,6 +113315,10 @@ index 0000000..cd95c07 +#include "tree-cfgcleanup.h" +#endif + ++#if BUILDING_GCC_VERSION >= 4008 ++#include "is-a.h" ++#endif ++ +#include "diagnostic.h" +//#include "tree-diagnostic.h" +#include "tree-dump.h" @@ -113080,6 +113361,9 @@ index 0000000..cd95c07 +//#include "lto-streamer.h" +#endif +//#include "lto-compress.h" ++#if BUILDING_GCC_VERSION >= 5000 ++//#include "lto-section-names.h" ++#endif + +//#include "expr.h" where are you... +extern rtx emit_move_insn(rtx x, rtx y); @@ -113108,11 +113392,11 @@ index 0000000..cd95c07 +#define C_TYPE_FIELDS_READONLY(TYPE) TREE_LANG_FLAG_1(TYPE) + +#if BUILDING_GCC_VERSION == 4005 -+#define FOR_EACH_VEC_ELT_REVERSE(T,V,I,P) for (I = VEC_length(T, (V)) - 1; VEC_iterate(T, (V), (I), (P)); (I)--) -+#define FOR_EACH_LOCAL_DECL(FUN, I, D) FOR_EACH_VEC_ELT_REVERSE(tree, (FUN)->local_decls, I, D) ++#define FOR_EACH_LOCAL_DECL(FUN, I, D) for (tree vars = (FUN)->local_decls; vars && (D = TREE_VALUE(vars)); vars = TREE_CHAIN(vars), I) +#define DECL_CHAIN(NODE) (TREE_CHAIN(DECL_MINIMAL_CHECK(NODE))) +#define FOR_EACH_VEC_ELT(T, V, I, P) for (I = 0; VEC_iterate(T, (V), (I), (P)); ++(I)) +#define TODO_rebuild_cgraph_edges 0 ++#define SCOPE_FILE_SCOPE_P(EXP) (!(EXP)) + +#ifndef O_BINARY +#define O_BINARY 0 @@ -113256,6 +113540,7 @@ index 0000000..cd95c07 +#define PROP_loops 0 +#define NODE_SYMBOL(node) (node) +#define NODE_DECL(node) (node)->decl ++#define INSN_LOCATION(INSN) RTL_LOCATION(INSN) + +static inline int bb_loop_depth(const_basic_block bb) +{ @@ -113276,6 +113561,13 @@ index 0000000..cd95c07 + cgraph_create_edge_including_clones((caller), (callee), (old_call_stmt), (call_stmt), (count), (freq), (reason)) +#endif + ++#if BUILDING_GCC_VERSION == 4007 || BUILDING_GCC_VERSION == 4008 ++static inline struct cgraph_node *cgraph_alias_target(struct cgraph_node *n) ++{ ++ return cgraph_alias_aliased_node(n); ++} ++#endif ++ +#if BUILDING_GCC_VERSION <= 4008 +#define ENTRY_BLOCK_PTR_FOR_FN(FN) ENTRY_BLOCK_PTR_FOR_FUNCTION(FN) +#define EXIT_BLOCK_PTR_FOR_FN(FN) EXIT_BLOCK_PTR_FOR_FUNCTION(FN) @@ -113295,6 +113587,11 @@ index 0000000..cd95c07 +} + +#define ipa_remove_stmt_references(cnode, stmt) ++typedef union gimple_statement_d gasm; ++typedef union gimple_statement_d gassign; ++typedef union gimple_statement_d gcall; ++typedef union gimple_statement_d gphi; ++typedef union gimple_statement_d greturn; +#endif + +#if BUILDING_GCC_VERSION == 4008 @@ -113312,6 +113609,29 @@ index 0000000..cd95c07 + +#if BUILDING_GCC_VERSION <= 4009 +#define TODO_verify_il 0 ++#define AVAIL_INTERPOSABLE AVAIL_OVERWRITABLE ++#endif ++ ++#if BUILDING_GCC_VERSION == 4009 ++typedef struct gimple_statement_base gasm; ++typedef struct gimple_statement_base gassign; ++typedef struct gimple_statement_base gcall; ++typedef struct gimple_statement_base gphi; ++typedef struct gimple_statement_base greturn; ++#endif ++ ++#if BUILDING_GCC_VERSION <= 4009 ++typedef struct rtx_def rtx_insn; ++ ++static inline gasm *as_a_gasm(gimple stmt) ++{ ++ return stmt; ++} ++ ++static inline gcall *as_a_gcall(gimple stmt) ++{ ++ return stmt; ++} +#endif + +#if BUILDING_GCC_VERSION >= 4009 @@ -113328,8 +113648,110 @@ index 0000000..cd95c07 +#define TODO_verify_stmts TODO_verify_il +#define TODO_verify_rtl_sharing TODO_verify_il + ++#define TREE_INT_CST_HIGH(NODE) ({ TREE_INT_CST_EXT_NUNITS(NODE) > 1 ? (unsigned HOST_WIDE_INT)TREE_INT_CST_ELT(NODE, 1) : 0; }) ++ ++#define INSN_DELETED_P(insn) (insn)->deleted() ++ ++extern bool is_simple_builtin(tree); ++ ++// symtab/cgraph related +#define debug_cgraph_node(node) (node)->debug() +#define cgraph_get_node(decl) cgraph_node::get(decl) ++#define cgraph_n_nodes symtab->cgraph_count ++#define cgraph_max_uid symtab->cgraph_max_uid ++ ++typedef struct cgraph_node *cgraph_node_ptr; ++typedef struct cgraph_edge *cgraph_edge_p; ++ ++static inline void change_decl_assembler_name(tree decl, tree name) ++{ ++ symtab->change_decl_assembler_name(decl, name); ++} ++ ++static inline void varpool_finalize_decl(tree decl) ++{ ++ varpool_node::finalize_decl(decl); ++} ++ ++static inline cgraph_node_ptr cgraph_function_node(cgraph_node_ptr node, enum availability *availability) ++{ ++ return node->function_symbol(availability); ++} ++ ++static inline cgraph_node_ptr cgraph_function_or_thunk_node(cgraph_node_ptr node, enum availability *availability = NULL) ++{ ++ return node->ultimate_alias_target(availability); ++} ++ ++static inline bool cgraph_only_called_directly_p(cgraph_node_ptr node) ++{ ++ return node->only_called_directly_p(); ++} ++ ++static inline enum availability cgraph_function_body_availability(cgraph_node_ptr node) ++{ ++ return node->get_availability(); ++} ++ ++static inline cgraph_node_ptr cgraph_alias_target(cgraph_node_ptr node) ++{ ++ return node->get_alias_target(); ++} ++ ++static inline struct cgraph_node_hook_list *cgraph_add_function_insertion_hook(cgraph_node_hook hook, void *data) ++{ ++ return symtab->add_cgraph_insertion_hook(hook, data); ++} ++ ++static inline void cgraph_remove_function_insertion_hook(struct cgraph_node_hook_list *entry) ++{ ++ symtab->remove_cgraph_insertion_hook(entry); ++} ++ ++static inline struct cgraph_node_hook_list *cgraph_add_node_removal_hook(cgraph_node_hook hook, void *data) ++{ ++ return symtab->add_cgraph_removal_hook(hook, data); ++} ++ ++static inline void cgraph_remove_node_removal_hook(struct cgraph_node_hook_list *entry) ++{ ++ symtab->remove_cgraph_removal_hook(entry); ++} ++ ++static inline struct cgraph_2node_hook_list *cgraph_add_node_duplication_hook(cgraph_2node_hook hook, void *data) ++{ ++ return symtab->add_cgraph_duplication_hook(hook, data); ++} ++ ++static inline void cgraph_remove_node_duplication_hook(struct cgraph_2node_hook_list *entry) ++{ ++ symtab->remove_cgraph_duplication_hook(entry); ++} ++ ++// gimple related ++static inline gimple gimple_build_assign_with_ops(enum tree_code subcode, tree lhs, tree op1, tree op2 MEM_STAT_DECL) ++{ ++ return gimple_build_assign(lhs, subcode, op1, op2 PASS_MEM_STAT); ++} ++ ++static inline gasm *as_a_gasm(gimple stmt) ++{ ++ return as_a<gasm *>(stmt); ++} ++ ++static inline gcall *as_a_gcall(gimple stmt) ++{ ++ return as_a<gcall *>(stmt); ++} ++ ++// IPA/LTO related ++#define ipa_ref_list_referring_iterate(L,I,P) (L)->referring.iterate((I), &(P)) ++#define ipa_ref_list_reference_iterate(L,I,P) (L)->reference.iterate((I), &(P)) ++ ++static inline cgraph_node_ptr ipa_ref_referring_node(struct ipa_ref *ref) ++{ ++ return dyn_cast<cgraph_node_ptr>(ref->referring); ++} +#endif + +#endif @@ -114066,10 +114488,10 @@ index 0000000..89f256d +} diff --git a/tools/gcc/latent_entropy_plugin.c b/tools/gcc/latent_entropy_plugin.c new file mode 100644 -index 0000000..e48b323 +index 0000000..2a39357 --- /dev/null +++ b/tools/gcc/latent_entropy_plugin.c -@@ -0,0 +1,466 @@ +@@ -0,0 +1,467 @@ +/* + * Copyright 2012-2014 by the PaX Team <pageexec@freemail.hu> + * Licensed under the GPL v2 @@ -114095,7 +114517,7 @@ index 0000000..e48b323 + +int plugin_is_GPL_compatible; + -+static tree latent_entropy_decl; ++static GTY(()) tree latent_entropy_decl; + +static struct plugin_info latent_entropy_plugin_info = { + .version = "201409101820", @@ -114440,6 +114862,7 @@ index 0000000..e48b323 + TREE_STATIC(latent_entropy_decl) = 1; + TREE_PUBLIC(latent_entropy_decl) = 1; + TREE_USED(latent_entropy_decl) = 1; ++ DECL_PRESERVE_P(latent_entropy_decl) = 1; + TREE_THIS_VOLATILE(latent_entropy_decl) = 1; + DECL_EXTERNAL(latent_entropy_decl) = 1; + DECL_ARTIFICIAL(latent_entropy_decl) = 1; @@ -119546,7 +119969,7 @@ index 0000000..7c9e6d1 + diff --git a/tools/gcc/size_overflow_plugin/size_overflow.h b/tools/gcc/size_overflow_plugin/size_overflow.h new file mode 100644 -index 0000000..e5b4e50 +index 0000000..37f8fc3 --- /dev/null +++ b/tools/gcc/size_overflow_plugin/size_overflow.h @@ -0,0 +1,127 @@ @@ -119579,11 +120002,11 @@ index 0000000..e5b4e50 +}; + +// size_overflow_plugin.c -+extern tree report_size_overflow_decl; -+extern tree size_overflow_type_HI; -+extern tree size_overflow_type_SI; -+extern tree size_overflow_type_DI; -+extern tree size_overflow_type_TI; ++extern GTY(()) tree report_size_overflow_decl; ++extern GTY(()) tree size_overflow_type_HI; ++extern GTY(()) tree size_overflow_type_SI; ++extern GTY(()) tree size_overflow_type_DI; ++extern GTY(()) tree size_overflow_type_TI; + + +// size_overflow_plugin_hash.c @@ -126597,10 +127020,10 @@ index 0000000..0888f6c + diff --git a/tools/gcc/stackleak_plugin.c b/tools/gcc/stackleak_plugin.c new file mode 100644 -index 0000000..924652b +index 0000000..90125d6 --- /dev/null +++ b/tools/gcc/stackleak_plugin.c -@@ -0,0 +1,395 @@ +@@ -0,0 +1,396 @@ +/* + * Copyright 2011-2014 by the PaX Team <pageexec@freemail.hu> + * Licensed under the GPL v2 @@ -126628,7 +127051,8 @@ index 0000000..924652b +static int track_frame_size = -1; +static const char track_function[] = "pax_track_stack"; +static const char check_function[] = "pax_check_alloca"; -+static tree track_function_decl, check_function_decl; ++static GTY(()) tree track_function_decl; ++static GTY(()) tree check_function_decl; +static bool init_locals; + +static struct plugin_info stackleak_plugin_info = { diff --git a/main/linux-grsec/kernelconfig.armhf b/main/linux-grsec/kernelconfig.armhf index f1815b9ea4..1824327983 100644 --- a/main/linux-grsec/kernelconfig.armhf +++ b/main/linux-grsec/kernelconfig.armhf @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm 3.14.33 Kernel Configuration +# Linux/arm 3.14.37 Kernel Configuration # CONFIG_ARM=y CONFIG_MIGHT_HAVE_PCI=y @@ -2566,6 +2566,7 @@ CONFIG_POWER_SUPPLY=y # CONFIG_BATTERY_MAX17040 is not set # CONFIG_BATTERY_MAX17042 is not set # CONFIG_CHARGER_PCF50633 is not set +# CONFIG_CHARGER_ISP1704 is not set # CONFIG_CHARGER_MAX8903 is not set # CONFIG_CHARGER_LP8727 is not set # CONFIG_CHARGER_GPIO is not set @@ -2815,6 +2816,7 @@ CONFIG_MFD_SYSCON=y # CONFIG_MFD_TI_AM335X_TSCADC is not set # CONFIG_MFD_LP3943 is not set # CONFIG_MFD_LP8788 is not set +CONFIG_MFD_OMAP_USB_HOST=y # CONFIG_MFD_PALMAS is not set # CONFIG_TPS6105X is not set CONFIG_TPS65010=m @@ -3564,19 +3566,26 @@ CONFIG_USB_WUSB_CBAF=m # CONFIG_USB_C67X00_HCD=m CONFIG_USB_XHCI_HCD=m -# CONFIG_USB_EHCI_HCD is not set +CONFIG_USB_EHCI_HCD=m +CONFIG_USB_EHCI_ROOT_HUB_TT=y +CONFIG_USB_EHCI_TT_NEWSCHED=y +CONFIG_USB_EHCI_MXC=m +CONFIG_USB_EHCI_HCD_OMAP=m +CONFIG_USB_EHCI_HCD_PLATFORM=m CONFIG_USB_OXU210HP_HCD=m CONFIG_USB_ISP116X_HCD=m CONFIG_USB_ISP1760_HCD=m CONFIG_USB_ISP1362_HCD=m # CONFIG_USB_FUSBH200_HCD is not set # CONFIG_USB_FOTG210_HCD is not set -# CONFIG_USB_OHCI_HCD is not set +CONFIG_USB_OHCI_HCD=m +# CONFIG_USB_OHCI_HCD_SSB is not set +CONFIG_USB_OHCI_HCD_PLATFORM=m CONFIG_USB_U132_HCD=m CONFIG_USB_SL811_HCD=m CONFIG_USB_SL811_HCD_ISO=y CONFIG_USB_R8A66597_HCD=m -# CONFIG_USB_IMX21_HCD is not set +CONFIG_USB_IMX21_HCD=m # CONFIG_USB_HCD_BCMA is not set CONFIG_USB_HCD_SSB=m # CONFIG_USB_HCD_TEST_MODE is not set @@ -3633,6 +3642,7 @@ CONFIG_MUSB_PIO_ONLY=y CONFIG_USB_DWC2=m # CONFIG_USB_DWC2_DEBUG is not set # CONFIG_USB_DWC2_TRACK_MISSED_SOFS is not set +# CONFIG_USB_CHIPIDEA is not set # # USB port drivers @@ -3728,9 +3738,9 @@ CONFIG_USB_XUSBATM=m # # USB Physical Layer drivers # -# CONFIG_USB_PHY is not set +CONFIG_USB_PHY=y # CONFIG_USB_OTG_FSM is not set -# CONFIG_NOP_USB_XCEIV is not set +CONFIG_NOP_USB_XCEIV=m # CONFIG_OMAP_CONTROL_USB is not set # CONFIG_OMAP_USB3 is not set # CONFIG_AM335X_PHY_USB is not set @@ -4085,6 +4095,7 @@ CONFIG_RESET_CONTROLLER=y # CONFIG_GENERIC_PHY=y # CONFIG_PHY_EXYNOS_MIPI_VIDEO is not set +# CONFIG_OMAP_USB2 is not set # CONFIG_PHY_EXYNOS_DP_VIDEO is not set # CONFIG_BCM_KONA_USB2_PHY is not set # CONFIG_POWERCAP is not set @@ -4566,8 +4577,8 @@ CONFIG_PAX=y # CONFIG_PAX_SOFTMODE=y # CONFIG_PAX_EI_PAX is not set -CONFIG_PAX_PT_PAX_FLAGS=y -# CONFIG_PAX_XATTR_PAX_FLAGS is not set +# CONFIG_PAX_PT_PAX_FLAGS is not set +CONFIG_PAX_XATTR_PAX_FLAGS=y # CONFIG_PAX_NO_ACL_FLAGS is not set CONFIG_PAX_HAVE_ACL_FLAGS=y # CONFIG_PAX_HOOK_ACL_FLAGS is not set diff --git a/main/linux-grsec/kernelconfig.x86 b/main/linux-grsec/kernelconfig.x86 index 08cb790567..c168a72d86 100644 --- a/main/linux-grsec/kernelconfig.x86 +++ b/main/linux-grsec/kernelconfig.x86 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 3.14.33 Kernel Configuration +# Linux/x86 3.14.37 Kernel Configuration # # CONFIG_64BIT is not set CONFIG_X86_32=y @@ -68,6 +68,7 @@ CONFIG_SWAP=y CONFIG_SYSVIPC=y CONFIG_SYSVIPC_SYSCTL=y CONFIG_POSIX_MQUEUE=y +CONFIG_POSIX_MQUEUE_SYSCTL=y # CONFIG_FHANDLE is not set # CONFIG_AUDIT is not set @@ -5772,8 +5773,8 @@ CONFIG_PAX=y # CONFIG_PAX_SOFTMODE=y # CONFIG_PAX_EI_PAX is not set -CONFIG_PAX_PT_PAX_FLAGS=y -# CONFIG_PAX_XATTR_PAX_FLAGS is not set +# CONFIG_PAX_PT_PAX_FLAGS is not set +CONFIG_PAX_XATTR_PAX_FLAGS=y # CONFIG_PAX_NO_ACL_FLAGS is not set CONFIG_PAX_HAVE_ACL_FLAGS=y # CONFIG_PAX_HOOK_ACL_FLAGS is not set diff --git a/main/linux-grsec/kernelconfig.x86_64 b/main/linux-grsec/kernelconfig.x86_64 index dec4d20c0c..fcad3f6a12 100644 --- a/main/linux-grsec/kernelconfig.x86_64 +++ b/main/linux-grsec/kernelconfig.x86_64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 3.14.33 Kernel Configuration +# Linux/x86_64 3.14.37 Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -69,6 +69,7 @@ CONFIG_SWAP=y CONFIG_SYSVIPC=y CONFIG_SYSVIPC_SYSCTL=y CONFIG_POSIX_MQUEUE=y +CONFIG_POSIX_MQUEUE_SYSCTL=y # CONFIG_FHANDLE is not set # CONFIG_AUDIT is not set @@ -5652,8 +5653,8 @@ CONFIG_PAX=y # CONFIG_PAX_SOFTMODE=y # CONFIG_PAX_EI_PAX is not set -CONFIG_PAX_PT_PAX_FLAGS=y -# CONFIG_PAX_XATTR_PAX_FLAGS is not set +# CONFIG_PAX_PT_PAX_FLAGS is not set +CONFIG_PAX_XATTR_PAX_FLAGS=y # CONFIG_PAX_NO_ACL_FLAGS is not set CONFIG_PAX_HAVE_ACL_FLAGS=y # CONFIG_PAX_HOOK_ACL_FLAGS is not set |