diff options
-rw-r--r-- | main/linux-grsec/APKBUILD | 8 | ||||
-rw-r--r-- | main/linux-grsec/grsecurity-2.9-3.3.3-201204231833.patch (renamed from main/linux-grsec/grsecurity-2.9-3.3.2-201204172135.patch) | 307 |
2 files changed, 183 insertions, 132 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index eea3d28fdf..dd212592f3 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD @@ -2,7 +2,7 @@ _flavor=grsec pkgname=linux-${_flavor} -pkgver=3.3.2 +pkgver=3.3.3 _kernver=3.3 pkgrel=0 pkgdesc="Linux kernel with grsecurity" @@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH}} install= source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz - grsecurity-2.9-3.3.2-201204172135.patch + grsecurity-2.9-3.3.3-201204231833.patch 0004-arp-flush-arp-cache-on-device-change.patch @@ -138,8 +138,8 @@ dev() { } md5sums="7133f5a2086a7d7ef97abac610c094f5 linux-3.3.tar.xz -68907107b0f62a19608588bdb6b29e20 patch-3.3.2.xz -8449f14948e6a7bc0de34f404d48a88d grsecurity-2.9-3.3.2-201204172135.patch +634a088d3789870885dc6ee1eb9627d4 patch-3.3.3.xz +be1a42f051803149e2074cdb557de55e grsecurity-2.9-3.3.3-201204231833.patch 776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch 5d2818cb5329aec600ee8ffc3896a728 kernelconfig.x86 39552b468a33a04678113c12ec6c1a91 kernelconfig.x86_64" diff --git a/main/linux-grsec/grsecurity-2.9-3.3.2-201204172135.patch b/main/linux-grsec/grsecurity-2.9-3.3.3-201204231833.patch index 22c20492f9..8309b6eb6a 100644 --- a/main/linux-grsec/grsecurity-2.9-3.3.2-201204172135.patch +++ b/main/linux-grsec/grsecurity-2.9-3.3.3-201204231833.patch @@ -195,7 +195,7 @@ index d99fd9c..8689fef 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index ddcb70a..32da20d 100644 +index 0acd141..865e73d 100644 --- a/Makefile +++ b/Makefile @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -221,15 +221,17 @@ index ddcb70a..32da20d 100644 $(Q)$(MAKE) $(build)=scripts/basic $(Q)rm -f .tmp_quiet_recordmcount -@@ -564,6 +565,53 @@ else +@@ -564,6 +565,55 @@ else KBUILD_CFLAGS += -O2 endif +ifndef DISABLE_PAX_PLUGINS +ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(HOSTCC)" "$(CC)"), y) +ifndef DISABLE_PAX_CONSTIFY_PLUGIN ++ifndef CONFIG_UML +CONSTIFY_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN +endif ++endif +ifdef CONFIG_PAX_MEMORY_STACKLEAK +STACKLEAK_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -DSTACKLEAK_PLUGIN +STACKLEAK_PLUGIN_CFLAGS += -fplugin-arg-stackleak_plugin-track-lowest-sp=100 @@ -275,7 +277,7 @@ index ddcb70a..32da20d 100644 include $(srctree)/arch/$(SRCARCH)/Makefile ifneq ($(CONFIG_FRAME_WARN),0) -@@ -708,7 +756,7 @@ export mod_strip_cmd +@@ -708,7 +758,7 @@ export mod_strip_cmd ifeq ($(KBUILD_EXTMOD),) @@ -284,7 +286,7 @@ index ddcb70a..32da20d 100644 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \ -@@ -932,6 +980,8 @@ vmlinux.o: $(modpost-init) $(vmlinux-main) FORCE +@@ -932,6 +982,8 @@ vmlinux.o: $(modpost-init) $(vmlinux-main) FORCE # The actual objects are generated when descending, # make sure no implicit rule kicks in @@ -293,7 +295,7 @@ index ddcb70a..32da20d 100644 $(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ; # Handle descending into subdirectories listed in $(vmlinux-dirs) -@@ -941,7 +991,7 @@ $(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ; +@@ -941,7 +993,7 @@ $(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ; # Error messages still appears in the original language PHONY += $(vmlinux-dirs) @@ -302,7 +304,7 @@ index ddcb70a..32da20d 100644 $(Q)$(MAKE) $(build)=$@ # Store (new) KERNELRELASE string in include/config/kernel.release -@@ -985,6 +1035,7 @@ prepare0: archprepare FORCE +@@ -985,6 +1037,7 @@ prepare0: archprepare FORCE $(Q)$(MAKE) $(build)=. # All the preparing.. @@ -310,7 +312,7 @@ index ddcb70a..32da20d 100644 prepare: prepare0 # Generate some files -@@ -1089,6 +1140,8 @@ all: modules +@@ -1089,6 +1142,8 @@ all: modules # using awk while concatenating to the final file. PHONY += modules @@ -319,7 +321,7 @@ index ddcb70a..32da20d 100644 modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin $(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order @$(kecho) ' Building modules, stage 2.'; -@@ -1104,7 +1157,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin) +@@ -1104,7 +1159,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin) # Target to prepare building external modules PHONY += modules_prepare @@ -328,7 +330,7 @@ index ddcb70a..32da20d 100644 # Target to install modules PHONY += modules_install -@@ -1201,6 +1254,7 @@ distclean: mrproper +@@ -1201,6 +1256,7 @@ distclean: mrproper \( -name '*.orig' -o -name '*.rej' -o -name '*~' \ -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \ -o -name '.*.rej' \ @@ -336,7 +338,7 @@ index ddcb70a..32da20d 100644 -o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \ -type f -print | xargs rm -f -@@ -1361,6 +1415,8 @@ PHONY += $(module-dirs) modules +@@ -1361,6 +1417,8 @@ PHONY += $(module-dirs) modules $(module-dirs): crmodverdir $(objtree)/Module.symvers $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@) @@ -345,7 +347,7 @@ index ddcb70a..32da20d 100644 modules: $(module-dirs) @$(kecho) ' Building modules, stage 2.'; $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost -@@ -1487,17 +1543,21 @@ else +@@ -1487,17 +1545,21 @@ else target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@)) endif @@ -371,7 +373,7 @@ index ddcb70a..32da20d 100644 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) %.symtypes: %.c prepare scripts FORCE $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) -@@ -1507,11 +1567,15 @@ endif +@@ -1507,11 +1569,15 @@ endif $(cmd_crmodverdir) $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \ $(build)=$(build-dir) @@ -9650,7 +9652,7 @@ index 46fc474..b02b0f9 100644 if (len) diff --git a/arch/x86/include/asm/cmpxchg.h b/arch/x86/include/asm/cmpxchg.h -index b3b7332..d81165b 100644 +index 99480e5..d81165b 100644 --- a/arch/x86/include/asm/cmpxchg.h +++ b/arch/x86/include/asm/cmpxchg.h @@ -14,8 +14,12 @@ extern void __cmpxchg_wrong_size(void) @@ -9666,15 +9668,6 @@ index b3b7332..d81165b 100644 /* * Constants for operation sizes. On 32-bit, the 64-bit size it set to -@@ -43,7 +47,7 @@ extern void __add_wrong_size(void) - switch (sizeof(*(ptr))) { \ - case __X86_CASE_B: \ - asm volatile (lock #op "b %b0, %1\n" \ -- : "+r" (__ret), "+m" (*(ptr)) \ -+ : "+q" (__ret), "+m" (*(ptr)) \ - : : "memory", "cc"); \ - break; \ - case __X86_CASE_W: \ @@ -67,6 +71,34 @@ extern void __add_wrong_size(void) __ret; \ }) @@ -9710,7 +9703,7 @@ index b3b7332..d81165b 100644 /* * Note: no "lock" prefix even on SMP: xchg always implies lock anyway. * Since this is generally used to protect other memory information, we -@@ -167,13 +199,16 @@ extern void __add_wrong_size(void) +@@ -167,6 +199,9 @@ extern void __add_wrong_size(void) #define xadd_sync(ptr, inc) __xadd((ptr), (inc), "lock; ") #define xadd_local(ptr, inc) __xadd((ptr), (inc), "") @@ -9720,14 +9713,6 @@ index b3b7332..d81165b 100644 #define __add(ptr, inc, lock) \ ({ \ __typeof__ (*(ptr)) __ret = (inc); \ - switch (sizeof(*(ptr))) { \ - case __X86_CASE_B: \ - asm volatile (lock "addb %b1, %0\n" \ -- : "+m" (*(ptr)) : "ri" (inc) \ -+ : "+m" (*(ptr)) : "qi" (inc) \ - : "memory", "cc"); \ - break; \ - case __X86_CASE_W: \ diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h index 8d67d42..183d0eb 100644 --- a/arch/x86/include/asm/cpufeature.h @@ -20097,18 +20082,10 @@ index 1561028..0ed7f14 100644 goto error; diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c -index e385214..029e9dd 100644 +index e385214..f8df033 100644 --- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c -@@ -3051,6 +3051,7 @@ static int svm_set_vm_cr(struct kvm_vcpu *vcpu, u64 data) - return 0; - } - -+static int svm_set_msr(struct kvm_vcpu *vcpu, unsigned ecx, u64 data) __size_overflow(3); - static int svm_set_msr(struct kvm_vcpu *vcpu, unsigned ecx, u64 data) - { - struct vcpu_svm *svm = to_svm(vcpu); -@@ -3420,7 +3421,11 @@ static void reload_tss(struct kvm_vcpu *vcpu) +@@ -3420,7 +3420,11 @@ static void reload_tss(struct kvm_vcpu *vcpu) int cpu = raw_smp_processor_id(); struct svm_cpu_data *sd = per_cpu(svm_data, cpu); @@ -20120,7 +20097,7 @@ index e385214..029e9dd 100644 load_TR_desc(); } -@@ -3798,6 +3803,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) +@@ -3798,6 +3802,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) #endif #endif @@ -30365,7 +30342,7 @@ index 5bd4361..0241a42 100644 INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func); INIT_WORK(&dev_priv->error_work, i915_error_work_func); diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index 2163818..e536c3d 100644 +index 2163818..cede019 100644 --- a/drivers/gpu/drm/i915/intel_display.c +++ b/drivers/gpu/drm/i915/intel_display.c @@ -2238,7 +2238,7 @@ intel_pipe_set_base(struct drm_crtc *crtc, int x, int y, @@ -30395,7 +30372,22 @@ index 2163818..e536c3d 100644 wake_up(&dev_priv->pending_flip_queue); schedule_work(&work->work); -@@ -7461,7 +7461,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc, +@@ -7354,7 +7354,13 @@ static int intel_gen6_queue_flip(struct drm_device *dev, + OUT_RING(fb->pitches[0] | obj->tiling_mode); + OUT_RING(obj->gtt_offset); + +- pf = I915_READ(PF_CTL(intel_crtc->pipe)) & PF_ENABLE; ++ /* Contrary to the suggestions in the documentation, ++ * "Enable Panel Fitter" does not seem to be required when page ++ * flipping with a non-native mode, and worse causes a normal ++ * modeset to fail. ++ * pf = I915_READ(PF_CTL(intel_crtc->pipe)) & PF_ENABLE; ++ */ ++ pf = 0; + pipesrc = I915_READ(PIPESRC(intel_crtc->pipe)) & 0x0fff0fff; + OUT_RING(pf | pipesrc); + ADVANCE_LP_RING(); +@@ -7461,7 +7467,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc, /* Block clients from rendering to the new back buffer until * the flip occurs and the object is no longer visible. */ @@ -30404,7 +30396,7 @@ index 2163818..e536c3d 100644 ret = dev_priv->display.queue_flip(dev, crtc, fb, obj); if (ret) -@@ -7475,7 +7475,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc, +@@ -7475,7 +7481,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc, return 0; cleanup_pending: @@ -33524,7 +33516,7 @@ index 1cbfc6b..56e1dbb 100644 /*----------------------------------------------------------------*/ diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c -index 118e0f6..210c4d7 100644 +index edc735a..e9b97f1 100644 --- a/drivers/md/raid1.c +++ b/drivers/md/raid1.c @@ -1645,7 +1645,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio) @@ -33536,7 +33528,7 @@ index 118e0f6..210c4d7 100644 } sectors -= s; sect += s; -@@ -1858,7 +1858,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk, +@@ -1859,7 +1859,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk, test_bit(In_sync, &rdev->flags)) { if (r1_sync_page_io(rdev, sect, s, conf->tmppage, READ)) { @@ -33546,7 +33538,7 @@ index 118e0f6..210c4d7 100644 "md/raid1:%s: read error corrected " "(%d sectors at %llu on %s)\n", diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c -index be7101d..f23ba30 100644 +index 1898389..a3aa617 100644 --- a/drivers/md/raid10.c +++ b/drivers/md/raid10.c @@ -1636,7 +1636,7 @@ static void end_sync_read(struct bio *bio, int error) @@ -35249,6 +35241,19 @@ index 133b7fb..d58c559 100644 /* Ignore return since this msg is optional. */ rndis_filter_send_request(dev, request); +diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c +index 58dc117..f140c77 100644 +--- a/drivers/net/macvtap.c ++++ b/drivers/net/macvtap.c +@@ -526,6 +526,8 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from, + } + base = (unsigned long)from->iov_base + offset1; + size = ((base & ~PAGE_MASK) + len + ~PAGE_MASK) >> PAGE_SHIFT; ++ if (i + size >= MAX_SKB_FRAGS) ++ return -EFAULT; + num_pages = get_user_pages_fast(base, size, 0, &page[i]); + if ((num_pages != size) || + (num_pages > MAX_SKB_FRAGS - skb_shinfo(skb)->nr_frags)) diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c index 486b404..0d6677d 100644 --- a/drivers/net/ppp/ppp_generic.c @@ -41612,7 +41617,7 @@ index a40c05e..785c583 100644 return count; } diff --git a/drivers/video/uvesafb.c b/drivers/video/uvesafb.c -index e7f69ef..83af4fd 100644 +index 8408543..357841c 100644 --- a/drivers/video/uvesafb.c +++ b/drivers/video/uvesafb.c @@ -19,6 +19,7 @@ @@ -41665,7 +41670,24 @@ index e7f69ef..83af4fd 100644 printk(KERN_INFO "uvesafb: protected mode interface info at " "%04x:%04x\n", (u16)task->t.regs.es, (u16)task->t.regs.edi); -@@ -1821,6 +1844,11 @@ out: +@@ -816,13 +839,14 @@ static int __devinit uvesafb_vbe_init(struct fb_info *info) + par->ypan = ypan; + + if (par->pmi_setpal || par->ypan) { ++#if !defined(CONFIG_MODULES) || !defined(CONFIG_PAX_KERNEXEC) + if (__supported_pte_mask & _PAGE_NX) { + par->pmi_setpal = par->ypan = 0; + printk(KERN_WARNING "uvesafb: NX protection is actively." + "We have better not to use the PMI.\n"); +- } else { ++ } else ++#endif + uvesafb_vbe_getpmi(task, par); +- } + } + #else + /* The protected mode interface is not available on non-x86. */ +@@ -1828,6 +1852,11 @@ out: if (par->vbe_modes) kfree(par->vbe_modes); @@ -41677,7 +41699,7 @@ index e7f69ef..83af4fd 100644 framebuffer_release(info); return err; } -@@ -1847,6 +1875,12 @@ static int uvesafb_remove(struct platform_device *dev) +@@ -1854,6 +1883,12 @@ static int uvesafb_remove(struct platform_device *dev) kfree(par->vbe_state_orig); if (par->vbe_state_saved) kfree(par->vbe_state_saved); @@ -43036,7 +43058,7 @@ index 892b347..b3db246 100644 * If a file is moved, it will inherit the cow and compression flags of the new * directory. diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c -index d8b5471..e5463d7 100644 +index 1b36f19..5ac7360 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -2783,9 +2783,12 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg) @@ -44717,10 +44739,10 @@ index f9e2cd8..bfdc476 100644 if (free_clusters >= (nclusters + dirty_clusters)) return 1; diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h -index 3ce6a0c..0311fe5 100644 +index 9983ba8..2a5272c 100644 --- a/fs/ext4/ext4.h +++ b/fs/ext4/ext4.h -@@ -1220,19 +1220,19 @@ struct ext4_sb_info { +@@ -1217,19 +1217,19 @@ struct ext4_sb_info { unsigned long s_mb_last_start; /* stats for buddy allocator */ @@ -62179,7 +62201,7 @@ index 9c07dce..a92fa71 100644 if (atomic_sub_and_test((int) count, &kref->refcount)) { release(kref); diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h -index 900c763..3287a0b 100644 +index 900c763..098aefa 100644 --- a/include/linux/kvm_host.h +++ b/include/linux/kvm_host.h @@ -326,7 +326,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vcpu); @@ -62227,7 +62249,27 @@ index 900c763..3287a0b 100644 void kvm_arch_exit(void); int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu); -@@ -721,7 +721,7 @@ int kvm_setup_default_irq_routing(struct kvm *kvm); +@@ -593,6 +593,7 @@ void kvm_free_irq_source_id(struct kvm *kvm, int irq_source_id); + + #ifdef CONFIG_IOMMU_API + int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot); ++void kvm_iommu_unmap_pages(struct kvm *kvm, struct kvm_memory_slot *slot); + int kvm_iommu_map_guest(struct kvm *kvm); + int kvm_iommu_unmap_guest(struct kvm *kvm); + int kvm_assign_device(struct kvm *kvm, +@@ -606,6 +607,11 @@ static inline int kvm_iommu_map_pages(struct kvm *kvm, + return 0; + } + ++static inline void kvm_iommu_unmap_pages(struct kvm *kvm, ++ struct kvm_memory_slot *slot) ++{ ++} ++ + static inline int kvm_iommu_map_guest(struct kvm *kvm) + { + return -ENODEV; +@@ -721,7 +727,7 @@ int kvm_setup_default_irq_routing(struct kvm *kvm); int kvm_set_irq_routing(struct kvm *kvm, const struct kvm_irq_routing_entry *entries, unsigned nr, @@ -63642,6 +63684,27 @@ index de8832d..0147b46 100644 __SONET_ITEMS #undef __HANDLE_ITEM }; +diff --git a/include/linux/stddef.h b/include/linux/stddef.h +index 6a40c76..1747b67 100644 +--- a/include/linux/stddef.h ++++ b/include/linux/stddef.h +@@ -3,14 +3,10 @@ + + #include <linux/compiler.h> + ++#ifdef __KERNEL__ ++ + #undef NULL +-#if defined(__cplusplus) +-#define NULL 0 +-#else + #define NULL ((void *)0) +-#endif +- +-#ifdef __KERNEL__ + + enum { + false = 0, diff --git a/include/linux/sunrpc/clnt.h b/include/linux/sunrpc/clnt.h index 2c5993a..b0e79f0 100644 --- a/include/linux/sunrpc/clnt.h @@ -66340,7 +66403,7 @@ index 26a7a67..a1053f9 100644 else new_fs = fs; diff --git a/kernel/futex.c b/kernel/futex.c -index 0677023..f3c3b79 100644 +index 866c9d5..5c5f828 100644 --- a/kernel/futex.c +++ b/kernel/futex.c @@ -54,6 +54,7 @@ @@ -66351,7 +66414,7 @@ index 0677023..f3c3b79 100644 #include <linux/signal.h> #include <linux/export.h> #include <linux/magic.h> -@@ -238,6 +239,11 @@ get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw) +@@ -239,6 +240,11 @@ get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw) struct page *page, *page_head; int err, ro = 0; @@ -66363,18 +66426,7 @@ index 0677023..f3c3b79 100644 /* * The futex address must be "naturally" aligned. */ -@@ -2459,6 +2465,10 @@ SYSCALL_DEFINE3(get_robust_list, int, pid, - if (!p) - goto err_unlock; - ret = -EPERM; -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP -+ if (!ptrace_may_access(p, PTRACE_MODE_READ)) -+ goto err_unlock; -+#endif - pcred = __task_cred(p); - /* If victim is in different user_ns, then uids are not - comparable, so we must have CAP_SYS_PTRACE */ -@@ -2731,6 +2741,7 @@ static int __init futex_init(void) +@@ -2721,6 +2727,7 @@ static int __init futex_init(void) { u32 curval; int i; @@ -66382,7 +66434,7 @@ index 0677023..f3c3b79 100644 /* * This will fail and we want it. Some arch implementations do -@@ -2742,8 +2753,11 @@ static int __init futex_init(void) +@@ -2732,8 +2739,11 @@ static int __init futex_init(void) * implementation, the non-functional ones will return * -ENOSYS. */ @@ -66394,39 +66446,6 @@ index 0677023..f3c3b79 100644 for (i = 0; i < ARRAY_SIZE(futex_queues); i++) { plist_head_init(&futex_queues[i].chain); -diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c -index 5f9e689..582d46d 100644 ---- a/kernel/futex_compat.c -+++ b/kernel/futex_compat.c -@@ -10,6 +10,7 @@ - #include <linux/compat.h> - #include <linux/nsproxy.h> - #include <linux/futex.h> -+#include <linux/ptrace.h> - - #include <asm/uaccess.h> - -@@ -136,7 +137,8 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr, - { - struct compat_robust_list_head __user *head; - unsigned long ret; -- const struct cred *cred = current_cred(), *pcred; -+ const struct cred *cred = current_cred(); -+ const struct cred *pcred; - - if (!futex_cmpxchg_enabled) - return -ENOSYS; -@@ -152,6 +154,10 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr, - if (!p) - goto err_unlock; - ret = -EPERM; -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP -+ if (!ptrace_may_access(p, PTRACE_MODE_READ)) -+ goto err_unlock; -+#endif - pcred = __task_cred(p); - /* If victim is in different user_ns, then uids are not - comparable, so we must have CAP_SYS_PTRACE */ diff --git a/kernel/gcov/base.c b/kernel/gcov/base.c index 9b22d03..6295b62 100644 --- a/kernel/gcov/base.c @@ -67691,18 +67710,9 @@ index b452599..5d68f4e 100644 atomic_set(&pd->refcnt, 0); pd->pinst = pinst; diff --git a/kernel/panic.c b/kernel/panic.c -index 80aed44..e83856a 100644 +index 8ed89a1..e83856a 100644 --- a/kernel/panic.c +++ b/kernel/panic.c -@@ -97,7 +97,7 @@ void panic(const char *fmt, ...) - /* - * Avoid nested stack-dumping if a panic occurs during oops processing - */ -- if (!oops_in_progress) -+ if (!test_taint(TAINT_DIE) && oops_in_progress <= 1) - dump_stack(); - #endif - @@ -402,7 +402,7 @@ static void warn_slowpath_common(const char *file, int line, void *caller, const char *board; @@ -70288,7 +70298,7 @@ index 8f7fc39..69bf1e9 100644 /* if an huge pmd materialized from under us just retry later */ if (unlikely(pmd_trans_huge(*pmd))) diff --git a/mm/hugetlb.c b/mm/hugetlb.c -index a876871..132cde0 100644 +index a7cf829..d60e0e1 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -2346,6 +2346,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma, @@ -74543,7 +74553,7 @@ index 07d1c1d..7e9bea9 100644 frag2->seqno = htons(seqno); diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c -index 07bc69e..21e76b1 100644 +index 280953b..cd219bb 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -234,7 +234,7 @@ void hci_le_ltk_reply(struct hci_conn *conn, u8 ltk[16]) @@ -79335,18 +79345,18 @@ index 97ce8fa..23dad96 100644 .ptrace_access_check = apparmor_ptrace_access_check, diff --git a/security/commoncap.c b/security/commoncap.c -index 7ce191e..6c29c34 100644 +index b8d2bb9..980069e 100644 --- a/security/commoncap.c +++ b/security/commoncap.c -@@ -28,6 +28,7 @@ - #include <linux/prctl.h> +@@ -29,6 +29,7 @@ #include <linux/securebits.h> #include <linux/user_namespace.h> + #include <linux/personality.h> +#include <net/sock.h> /* * If a non-root user executes a setuid-root binary in -@@ -569,6 +570,9 @@ int cap_bprm_secureexec(struct linux_binprm *bprm) +@@ -575,6 +576,9 @@ int cap_bprm_secureexec(struct linux_binprm *bprm) { const struct cred *cred = current_cred(); @@ -80528,7 +80538,7 @@ index 0000000..ee950d0 +} diff --git a/tools/gcc/constify_plugin.c b/tools/gcc/constify_plugin.c new file mode 100644 -index 0000000..704a564 +index 0000000..88a7438 --- /dev/null +++ b/tools/gcc/constify_plugin.c @@ -0,0 +1,303 @@ @@ -80791,7 +80801,7 @@ index 0000000..704a564 +// continue; + + if (walk_struct(type)) { -+ error("constified variable %qE cannot be local", var); ++ error_at(DECL_SOURCE_LOCATION(var), "constified variable %qE cannot be local", var); + return 1; + } + } @@ -86008,8 +86018,33 @@ index af0f22f..9a7d479 100644 } else break; } +diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c +index a457d21..fec1723 100644 +--- a/virt/kvm/iommu.c ++++ b/virt/kvm/iommu.c +@@ -310,6 +310,11 @@ static void kvm_iommu_put_pages(struct kvm *kvm, + } + } + ++void kvm_iommu_unmap_pages(struct kvm *kvm, struct kvm_memory_slot *slot) ++{ ++ kvm_iommu_put_pages(kvm, slot->base_gfn, slot->npages); ++} ++ + static int kvm_iommu_unmap_memslots(struct kvm *kvm) + { + int idx; +@@ -320,7 +325,7 @@ static int kvm_iommu_unmap_memslots(struct kvm *kvm) + slots = kvm_memslots(kvm); + + kvm_for_each_memslot(memslot, slots) +- kvm_iommu_put_pages(kvm, memslot->base_gfn, memslot->npages); ++ kvm_iommu_unmap_pages(kvm, memslot); + + srcu_read_unlock(&kvm->srcu, idx); + diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c -index a91f980..a58d32c 100644 +index a91f980..527711d 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -75,7 +75,7 @@ LIST_HEAD(vm_list); @@ -86021,7 +86056,23 @@ index a91f980..a58d32c 100644 struct kmem_cache *kvm_vcpu_cache; EXPORT_SYMBOL_GPL(kvm_vcpu_cache); -@@ -2312,7 +2312,7 @@ static void hardware_enable_nolock(void *junk) +@@ -873,12 +873,13 @@ skip_lpage: + if (r) + goto out_free; + +- /* map the pages in iommu page table */ ++ /* map/unmap the pages in iommu page table */ + if (npages) { + r = kvm_iommu_map_pages(kvm, &new); + if (r) + goto out_free; +- } ++ } else ++ kvm_iommu_unmap_pages(kvm, &old); + + r = -ENOMEM; + slots = kmemdup(kvm->memslots, sizeof(struct kvm_memslots), +@@ -2312,7 +2313,7 @@ static void hardware_enable_nolock(void *junk) if (r) { cpumask_clear_cpu(cpu, cpus_hardware_enabled); @@ -86030,7 +86081,7 @@ index a91f980..a58d32c 100644 printk(KERN_INFO "kvm: enabling virtualization on " "CPU%d failed\n", cpu); } -@@ -2366,10 +2366,10 @@ static int hardware_enable_all(void) +@@ -2366,10 +2367,10 @@ static int hardware_enable_all(void) kvm_usage_count++; if (kvm_usage_count == 1) { @@ -86043,7 +86094,7 @@ index a91f980..a58d32c 100644 hardware_disable_all_nolock(); r = -EBUSY; } -@@ -2732,7 +2732,7 @@ static void kvm_sched_out(struct preempt_notifier *pn, +@@ -2732,7 +2733,7 @@ static void kvm_sched_out(struct preempt_notifier *pn, kvm_arch_vcpu_put(vcpu); } @@ -86052,7 +86103,7 @@ index a91f980..a58d32c 100644 struct module *module) { int r; -@@ -2795,7 +2795,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, +@@ -2795,7 +2796,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, if (!vcpu_align) vcpu_align = __alignof__(struct kvm_vcpu); kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align, @@ -86061,7 +86112,7 @@ index a91f980..a58d32c 100644 if (!kvm_vcpu_cache) { r = -ENOMEM; goto out_free_3; -@@ -2805,9 +2805,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, +@@ -2805,9 +2806,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, if (r) goto out_free; |