aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--main/linux-grsec/APKBUILD10
-rw-r--r--main/linux-grsec/grsecurity-3.0-3.14.17-201408260041.patch (renamed from main/linux-grsec/grsecurity-3.0-3.14.17-201408140021.patch)744
2 files changed, 579 insertions, 175 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 9d8082ce70..a3f3a7b60d 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -7,7 +7,7 @@ case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=${pkgver};;
esac
-pkgrel=0
+pkgrel=1
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}}
install=
source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
- grsecurity-3.0-3.14.17-201408140021.patch
+ grsecurity-3.0-3.14.17-201408260041.patch
fix-memory-map-for-PIE-applications.patch
imx6q-no-unclocked-sleep.patch
@@ -166,7 +166,7 @@ dev() {
md5sums="b621207b3f6ecbb67db18b13258f8ea8 linux-3.14.tar.xz
a9a6539c8df7245c2ab9bfca56f2ef04 patch-3.14.17.xz
-bcd6ccef7af2981f9b7b08e31953d765 grsecurity-3.0-3.14.17-201408140021.patch
+25066c4bc665d172b980d09435f18432 grsecurity-3.0-3.14.17-201408260041.patch
c6a4ae7e8ca6159e1631545515805216 fix-memory-map-for-PIE-applications.patch
1a307fc1d63231bf01d22493a4f14378 imx6q-no-unclocked-sleep.patch
dc5e04d422b807e740fd15b141b89a62 kernelconfig.x86
@@ -174,7 +174,7 @@ dc5e04d422b807e740fd15b141b89a62 kernelconfig.x86
0d71b1663f7cbfffc6e403deca4bbe86 kernelconfig.armhf"
sha256sums="61558aa490855f42b6340d1a1596be47454909629327c49a5e4e10268065dffa linux-3.14.tar.xz
50b0e2a6812597b401a417bd1269b5388fdd980b6009d564fff09605100f0df8 patch-3.14.17.xz
-ee21a2886acb87d01e14ab14e92d1235fe3d2dcc1f474fecba68d712b59a7394 grsecurity-3.0-3.14.17-201408140021.patch
+40352c8bd115d91089444670999925e2a383c66c42ae11d94ec295d656772caf grsecurity-3.0-3.14.17-201408260041.patch
500f3577310be52e87b9fecdc2e9c4ca43210fd97d69089f9005d484563f74c7 fix-memory-map-for-PIE-applications.patch
21179fbb22a5b74af0a609350ae1a170e232908572b201d02e791d2ce0a685d3 imx6q-no-unclocked-sleep.patch
148fe2f06c98716744139f0c92aa702665bb9da96ecc163ef56c8ba3084d534a kernelconfig.x86
@@ -182,7 +182,7 @@ ee21a2886acb87d01e14ab14e92d1235fe3d2dcc1f474fecba68d712b59a7394 grsecurity-3.0
3cddaac02211dd0f5eb4531aecc3a1427f29dcec7b31d9fe0042192d591bcdc8 kernelconfig.armhf"
sha512sums="5730d83a7a81134c1e77c0bf89e42dee4f8251ad56c1ac2be20c59e26fdfaa7bea55f277e7af156b637f22e1584914a46089af85039177cb43485089c74ac26e linux-3.14.tar.xz
03638215934a08a67e3d92d051b6a341e1874872388de910870021934f11f8ed20502a1afbff89a24f0e14053a02f4e40441e2f9878b099ddd1504159ff19872 patch-3.14.17.xz
-c02cf98ab7adae82574240dee155670b60b774cdae8c0b58620e4c9d689b36f998625e536878dbf7ef671317bafaa22d6c81497d17ffba320b0395932ba27b09 grsecurity-3.0-3.14.17-201408140021.patch
+6c54a9f120dd896b595239f984c326933e50ba2e324215fb8e4bb6092cb624771dc301e78424f7be3f1d42c542fda086e5d8fe84cf9e06dc8106d3b16c0a69bd grsecurity-3.0-3.14.17-201408260041.patch
4665c56ae1bbac311f9205d64918e84ee8b01d47d6e2396ff6b8adfb10aada7f7254531ce62e31edbb65c2a54a830f09ad05d314dfcd75d6272f4068945ad7c7 fix-memory-map-for-PIE-applications.patch
87d1ad59732f265a5b0db54490dc1762c14ea4b868e7eb1aedc3ce57b48046de7bbc08cf5cfcf6f1380fa84063b0edb16ba3d5e3c5670be9bbb229275c88b221 imx6q-no-unclocked-sleep.patch
65697a0652795bc2f57c74968b4e541b372bf9ebfd8effe9d17b75143f2444a76d41982dddee3c7cda28dc33c88f221b89964282d82761593ec697b5fa77f8d4 kernelconfig.x86
diff --git a/main/linux-grsec/grsecurity-3.0-3.14.17-201408140021.patch b/main/linux-grsec/grsecurity-3.0-3.14.17-201408260041.patch
index 1f1739cdbb..c27879a613 100644
--- a/main/linux-grsec/grsecurity-3.0-3.14.17-201408140021.patch
+++ b/main/linux-grsec/grsecurity-3.0-3.14.17-201408260041.patch
@@ -38844,28 +38844,10 @@ index 8320abd..ec48108 100644
if (cmd != SIOCWANDEV)
diff --git a/drivers/char/random.c b/drivers/char/random.c
-index 429b75b..a7f4145 100644
+index 429b75b..de805d0 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
-@@ -270,10 +270,17 @@
- /*
- * Configuration information
- */
-+#ifdef CONFIG_GRKERNSEC_RANDNET
-+#define INPUT_POOL_SHIFT 14
-+#define INPUT_POOL_WORDS (1 << (INPUT_POOL_SHIFT-5))
-+#define OUTPUT_POOL_SHIFT 12
-+#define OUTPUT_POOL_WORDS (1 << (OUTPUT_POOL_SHIFT-5))
-+#else
- #define INPUT_POOL_SHIFT 12
- #define INPUT_POOL_WORDS (1 << (INPUT_POOL_SHIFT-5))
- #define OUTPUT_POOL_SHIFT 10
- #define OUTPUT_POOL_WORDS (1 << (OUTPUT_POOL_SHIFT-5))
-+#endif
- #define SEC_XFER_SIZE 512
- #define EXTRACT_SIZE 10
-
-@@ -284,9 +291,6 @@
+@@ -284,9 +284,6 @@
/*
* To allow fractional bits to be tracked, the entropy_count field is
* denominated in units of 1/8th bits.
@@ -38875,27 +38857,7 @@ index 429b75b..a7f4145 100644
*/
#define ENTROPY_SHIFT 3
#define ENTROPY_BITS(r) ((r)->entropy_count >> ENTROPY_SHIFT)
-@@ -361,12 +365,19 @@ static struct poolinfo {
- #define S(x) ilog2(x)+5, (x), (x)*4, (x)*32, (x) << (ENTROPY_SHIFT+5)
- int tap1, tap2, tap3, tap4, tap5;
- } poolinfo_table[] = {
-+#ifdef CONFIG_GRKERNSEC_RANDNET
-+ /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
-+ { S(512), 411, 308, 208, 104, 1 },
-+ /* x^128 + x^104 + x^76 + x^51 + x^25 + x + 1 -- 105 */
-+ { S(128), 104, 76, 51, 25, 1 },
-+#else
- /* was: x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 */
- /* x^128 + x^104 + x^76 + x^51 +x^25 + x + 1 */
- { S(128), 104, 76, 51, 25, 1 },
- /* was: x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 */
- /* x^32 + x^26 + x^19 + x^14 + x^7 + x + 1 */
- { S(32), 26, 19, 14, 7, 1 },
-+#endif
- #if 0
- /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
- { S(2048), 1638, 1231, 819, 411, 1 },
-@@ -433,9 +444,9 @@ struct entropy_store {
+@@ -433,9 +430,9 @@ struct entropy_store {
};
static void push_to_pool(struct work_struct *work);
@@ -38908,7 +38870,7 @@ index 429b75b..a7f4145 100644
static struct entropy_store input_pool = {
.poolinfo = &poolinfo_table[0],
-@@ -524,8 +535,8 @@ static void _mix_pool_bytes(struct entropy_store *r, const void *in,
+@@ -524,8 +521,8 @@ static void _mix_pool_bytes(struct entropy_store *r, const void *in,
input_rotate = (input_rotate + (i ? 7 : 14)) & 31;
}
@@ -38919,7 +38881,7 @@ index 429b75b..a7f4145 100644
smp_wmb();
if (out)
-@@ -632,7 +643,7 @@ retry:
+@@ -632,7 +629,7 @@ retry:
/* The +2 corresponds to the /4 in the denominator */
do {
@@ -38928,7 +38890,7 @@ index 429b75b..a7f4145 100644
unsigned int add =
((pool_size - entropy_count)*anfrac*3) >> s;
-@@ -1151,7 +1162,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
+@@ -1151,7 +1148,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
extract_buf(r, tmp);
i = min_t(int, nbytes, EXTRACT_SIZE);
@@ -38937,7 +38899,7 @@ index 429b75b..a7f4145 100644
ret = -EFAULT;
break;
}
-@@ -1507,7 +1518,7 @@ EXPORT_SYMBOL(generate_random_uuid);
+@@ -1507,7 +1504,7 @@ EXPORT_SYMBOL(generate_random_uuid);
#include <linux/sysctl.h>
static int min_read_thresh = 8, min_write_thresh;
@@ -38946,7 +38908,7 @@ index 429b75b..a7f4145 100644
static int max_write_thresh = INPUT_POOL_WORDS * 32;
static char sysctl_bootid[16];
-@@ -1523,7 +1534,7 @@ static char sysctl_bootid[16];
+@@ -1523,7 +1520,7 @@ static char sysctl_bootid[16];
static int proc_do_uuid(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
@@ -38955,7 +38917,7 @@ index 429b75b..a7f4145 100644
unsigned char buf[64], tmp_uuid[16], *uuid;
uuid = table->data;
-@@ -1553,7 +1564,7 @@ static int proc_do_uuid(struct ctl_table *table, int write,
+@@ -1553,7 +1550,7 @@ static int proc_do_uuid(struct ctl_table *table, int write,
static int proc_do_entropy(ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
@@ -41703,6 +41665,19 @@ index 6866448..2ad2b34 100644
{
/* copy over all the bus versions */
if (dev->bus && dev->bus->pm) {
+diff --git a/drivers/hid/hid-cherry.c b/drivers/hid/hid-cherry.c
+index 1bdcccc..f745d2c 100644
+--- a/drivers/hid/hid-cherry.c
++++ b/drivers/hid/hid-cherry.c
+@@ -28,7 +28,7 @@
+ static __u8 *ch_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ unsigned int *rsize)
+ {
+- if (*rsize >= 17 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
++ if (*rsize >= 18 && rdesc[11] == 0x3c && rdesc[12] == 0x02) {
+ hid_info(hdev, "fixing up Cherry Cymotion report descriptor\n");
+ rdesc[11] = rdesc[16] = 0xff;
+ rdesc[12] = rdesc[17] = 0x03;
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 7cd42ea..a367c48 100644
--- a/drivers/hid/hid-core.c
@@ -41725,6 +41700,110 @@ index 7cd42ea..a367c48 100644
hid_debug_register(hdev, dev_name(&hdev->dev));
ret = device_add(&hdev->dev);
+diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c
+index e776963..b92bf01 100644
+--- a/drivers/hid/hid-kye.c
++++ b/drivers/hid/hid-kye.c
+@@ -300,7 +300,7 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ * - change the button usage range to 4-7 for the extra
+ * buttons
+ */
+- if (*rsize >= 74 &&
++ if (*rsize >= 75 &&
+ rdesc[61] == 0x05 && rdesc[62] == 0x08 &&
+ rdesc[63] == 0x19 && rdesc[64] == 0x08 &&
+ rdesc[65] == 0x29 && rdesc[66] == 0x0f &&
+diff --git a/drivers/hid/hid-lg.c b/drivers/hid/hid-lg.c
+index 9fe9d4a..b8207e0 100644
+--- a/drivers/hid/hid-lg.c
++++ b/drivers/hid/hid-lg.c
+@@ -345,14 +345,14 @@ static __u8 *lg_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ struct usb_device_descriptor *udesc;
+ __u16 bcdDevice, rev_maj, rev_min;
+
+- if ((drv_data->quirks & LG_RDESC) && *rsize >= 90 && rdesc[83] == 0x26 &&
++ if ((drv_data->quirks & LG_RDESC) && *rsize >= 91 && rdesc[83] == 0x26 &&
+ rdesc[84] == 0x8c && rdesc[85] == 0x02) {
+ hid_info(hdev,
+ "fixing up Logitech keyboard report descriptor\n");
+ rdesc[84] = rdesc[89] = 0x4d;
+ rdesc[85] = rdesc[90] = 0x10;
+ }
+- if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 50 &&
++ if ((drv_data->quirks & LG_RDESC_REL_ABS) && *rsize >= 51 &&
+ rdesc[32] == 0x81 && rdesc[33] == 0x06 &&
+ rdesc[49] == 0x81 && rdesc[50] == 0x06) {
+ hid_info(hdev,
+diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
+index f45279c..0b14d32 100644
+--- a/drivers/hid/hid-logitech-dj.c
++++ b/drivers/hid/hid-logitech-dj.c
+@@ -237,13 +237,6 @@ static void logi_dj_recv_add_djhid_device(struct dj_receiver_dev *djrcv_dev,
+ return;
+ }
+
+- if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
+- (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
+- dev_err(&djrcv_hdev->dev, "%s: invalid device index:%d\n",
+- __func__, dj_report->device_index);
+- return;
+- }
+-
+ if (djrcv_dev->paired_dj_devices[dj_report->device_index]) {
+ /* The device is already known. No need to reallocate it. */
+ dbg_hid("%s: device is already known\n", __func__);
+@@ -721,6 +714,12 @@ static int logi_dj_raw_event(struct hid_device *hdev,
+ * device (via hid_input_report() ) and return 1 so hid-core does not do
+ * anything else with it.
+ */
++ if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
++ (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
++ dev_err(&hdev->dev, "%s: invalid device index:%d\n",
++ __func__, dj_report->device_index);
++ return false;
++ }
+
+ spin_lock_irqsave(&djrcv_dev->lock, flags);
+ if (dj_report->report_id == REPORT_ID_DJ_SHORT) {
+diff --git a/drivers/hid/hid-monterey.c b/drivers/hid/hid-monterey.c
+index 9e14c00..25daf28 100644
+--- a/drivers/hid/hid-monterey.c
++++ b/drivers/hid/hid-monterey.c
+@@ -24,7 +24,7 @@
+ static __u8 *mr_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ unsigned int *rsize)
+ {
+- if (*rsize >= 30 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
++ if (*rsize >= 31 && rdesc[29] == 0x05 && rdesc[30] == 0x09) {
+ hid_info(hdev, "fixing up button/consumer in HID report descriptor\n");
+ rdesc[30] = 0x0c;
+ }
+diff --git a/drivers/hid/hid-petalynx.c b/drivers/hid/hid-petalynx.c
+index 736b250..6aca4f2 100644
+--- a/drivers/hid/hid-petalynx.c
++++ b/drivers/hid/hid-petalynx.c
+@@ -25,7 +25,7 @@
+ static __u8 *pl_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ unsigned int *rsize)
+ {
+- if (*rsize >= 60 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
++ if (*rsize >= 62 && rdesc[39] == 0x2a && rdesc[40] == 0xf5 &&
+ rdesc[41] == 0x00 && rdesc[59] == 0x26 &&
+ rdesc[60] == 0xf9 && rdesc[61] == 0x00) {
+ hid_info(hdev, "fixing up Petalynx Maxter Remote report descriptor\n");
+diff --git a/drivers/hid/hid-sunplus.c b/drivers/hid/hid-sunplus.c
+index 87fc91e..91072fa 100644
+--- a/drivers/hid/hid-sunplus.c
++++ b/drivers/hid/hid-sunplus.c
+@@ -24,7 +24,7 @@
+ static __u8 *sp_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ unsigned int *rsize)
+ {
+- if (*rsize >= 107 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
++ if (*rsize >= 112 && rdesc[104] == 0x26 && rdesc[105] == 0x80 &&
+ rdesc[106] == 0x03) {
+ hid_info(hdev, "fixing up Sunplus Wireless Desktop report descriptor\n");
+ rdesc[105] = rdesc[110] = 0x03;
diff --git a/drivers/hid/hid-wiimote-debug.c b/drivers/hid/hid-wiimote-debug.c
index c13fb5b..55a3802 100644
--- a/drivers/hid/hid-wiimote-debug.c
@@ -44456,7 +44535,7 @@ index 56e24c0..e1c8e1f 100644
"md/raid1:%s: read error corrected "
"(%d sectors at %llu on %s)\n",
diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
-index cb882aa..9bd076e 100644
+index cb882aa..cb8aeca 100644
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -1949,7 +1949,7 @@ static void end_sync_read(struct bio *bio, int error)
@@ -44518,8 +44597,25 @@ index cb882aa..9bd076e 100644
}
rdev_dec_pending(rdev, mddev);
+@@ -2954,6 +2954,7 @@ static sector_t sync_request(struct mddev *mddev, sector_t sector_nr,
+ */
+ if (test_bit(MD_RECOVERY_RESHAPE, &mddev->recovery)) {
+ end_reshape(conf);
++ close_sync(conf);
+ return 0;
+ }
+
+@@ -4411,7 +4412,7 @@ read_more:
+ read_bio->bi_private = r10_bio;
+ read_bio->bi_end_io = end_sync_read;
+ read_bio->bi_rw = READ;
+- read_bio->bi_flags &= ~(BIO_POOL_MASK - 1);
++ read_bio->bi_flags &= (~0UL << BIO_RESET_BITS);
+ read_bio->bi_flags |= 1 << BIO_UPTODATE;
+ read_bio->bi_vcnt = 0;
+ read_bio->bi_iter.bi_size = 0;
diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
-index 16f5c21..522b82e 100644
+index 16f5c21..c5d72c7 100644
--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -1707,6 +1707,10 @@ static int grow_one_stripe(struct r5conf *conf, int hash)
@@ -44580,6 +44676,15 @@ index 16f5c21..522b82e 100644
> conf->max_nr_stripes)
printk(KERN_WARNING
"md/raid:%s: Too many read errors, failing device %s.\n",
+@@ -3779,6 +3787,8 @@ static void handle_stripe(struct stripe_head *sh)
+ set_bit(R5_Wantwrite, &dev->flags);
+ if (prexor)
+ continue;
++ if (s.failed > 1)
++ continue;
+ if (!test_bit(R5_Insync, &dev->flags) ||
+ ((i == sh->pd_idx || i == sh->qd_idx) &&
+ s.failed == 0))
diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
index 983db75..ef9248c 100644
--- a/drivers/media/dvb-core/dvbdev.c
@@ -61787,6 +61892,185 @@ index e846a32..bb06bd0 100644
put_cpu_var(last_ino);
return res;
}
+diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c
+index 4a9e10e..a9daccb 100644
+--- a/fs/isofs/inode.c
++++ b/fs/isofs/inode.c
+@@ -61,7 +61,7 @@ static void isofs_put_super(struct super_block *sb)
+ return;
+ }
+
+-static int isofs_read_inode(struct inode *);
++static int isofs_read_inode(struct inode *, int relocated);
+ static int isofs_statfs (struct dentry *, struct kstatfs *);
+
+ static struct kmem_cache *isofs_inode_cachep;
+@@ -1258,7 +1258,7 @@ out_toomany:
+ goto out;
+ }
+
+-static int isofs_read_inode(struct inode *inode)
++static int isofs_read_inode(struct inode *inode, int relocated)
+ {
+ struct super_block *sb = inode->i_sb;
+ struct isofs_sb_info *sbi = ISOFS_SB(sb);
+@@ -1403,7 +1403,7 @@ static int isofs_read_inode(struct inode *inode)
+ */
+
+ if (!high_sierra) {
+- parse_rock_ridge_inode(de, inode);
++ parse_rock_ridge_inode(de, inode, relocated);
+ /* if we want uid/gid set, override the rock ridge setting */
+ if (sbi->s_uid_set)
+ inode->i_uid = sbi->s_uid;
+@@ -1482,9 +1482,10 @@ static int isofs_iget5_set(struct inode *ino, void *data)
+ * offset that point to the underlying meta-data for the inode. The
+ * code below is otherwise similar to the iget() code in
+ * include/linux/fs.h */
+-struct inode *isofs_iget(struct super_block *sb,
+- unsigned long block,
+- unsigned long offset)
++struct inode *__isofs_iget(struct super_block *sb,
++ unsigned long block,
++ unsigned long offset,
++ int relocated)
+ {
+ unsigned long hashval;
+ struct inode *inode;
+@@ -1506,7 +1507,7 @@ struct inode *isofs_iget(struct super_block *sb,
+ return ERR_PTR(-ENOMEM);
+
+ if (inode->i_state & I_NEW) {
+- ret = isofs_read_inode(inode);
++ ret = isofs_read_inode(inode, relocated);
+ if (ret < 0) {
+ iget_failed(inode);
+ inode = ERR_PTR(ret);
+diff --git a/fs/isofs/isofs.h b/fs/isofs/isofs.h
+index 9916723..0ac4c1f 100644
+--- a/fs/isofs/isofs.h
++++ b/fs/isofs/isofs.h
+@@ -107,7 +107,7 @@ extern int iso_date(char *, int);
+
+ struct inode; /* To make gcc happy */
+
+-extern int parse_rock_ridge_inode(struct iso_directory_record *, struct inode *);
++extern int parse_rock_ridge_inode(struct iso_directory_record *, struct inode *, int relocated);
+ extern int get_rock_ridge_filename(struct iso_directory_record *, char *, struct inode *);
+ extern int isofs_name_translate(struct iso_directory_record *, char *, struct inode *);
+
+@@ -118,9 +118,24 @@ extern struct dentry *isofs_lookup(struct inode *, struct dentry *, unsigned int
+ extern struct buffer_head *isofs_bread(struct inode *, sector_t);
+ extern int isofs_get_blocks(struct inode *, sector_t, struct buffer_head **, unsigned long);
+
+-extern struct inode *isofs_iget(struct super_block *sb,
+- unsigned long block,
+- unsigned long offset);
++struct inode *__isofs_iget(struct super_block *sb,
++ unsigned long block,
++ unsigned long offset,
++ int relocated);
++
++static inline struct inode *isofs_iget(struct super_block *sb,
++ unsigned long block,
++ unsigned long offset)
++{
++ return __isofs_iget(sb, block, offset, 0);
++}
++
++static inline struct inode *isofs_iget_reloc(struct super_block *sb,
++ unsigned long block,
++ unsigned long offset)
++{
++ return __isofs_iget(sb, block, offset, 1);
++}
+
+ /* Because the inode number is no longer relevant to finding the
+ * underlying meta-data for an inode, we are free to choose a more
+diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
+index c0bf424..f488bba 100644
+--- a/fs/isofs/rock.c
++++ b/fs/isofs/rock.c
+@@ -288,12 +288,16 @@ eio:
+ goto out;
+ }
+
++#define RR_REGARD_XA 1
++#define RR_RELOC_DE 2
++
+ static int
+ parse_rock_ridge_inode_internal(struct iso_directory_record *de,
+- struct inode *inode, int regard_xa)
++ struct inode *inode, int flags)
+ {
+ int symlink_len = 0;
+ int cnt, sig;
++ unsigned int reloc_block;
+ struct inode *reloc;
+ struct rock_ridge *rr;
+ int rootflag;
+@@ -305,7 +309,7 @@ parse_rock_ridge_inode_internal(struct iso_directory_record *de,
+
+ init_rock_state(&rs, inode);
+ setup_rock_ridge(de, inode, &rs);
+- if (regard_xa) {
++ if (flags & RR_REGARD_XA) {
+ rs.chr += 14;
+ rs.len -= 14;
+ if (rs.len < 0)
+@@ -485,12 +489,22 @@ repeat:
+ "relocated directory\n");
+ goto out;
+ case SIG('C', 'L'):
+- ISOFS_I(inode)->i_first_extent =
+- isonum_733(rr->u.CL.location);
+- reloc =
+- isofs_iget(inode->i_sb,
+- ISOFS_I(inode)->i_first_extent,
+- 0);
++ if (flags & RR_RELOC_DE) {
++ printk(KERN_ERR
++ "ISOFS: Recursive directory relocation "
++ "is not supported\n");
++ goto eio;
++ }
++ reloc_block = isonum_733(rr->u.CL.location);
++ if (reloc_block == ISOFS_I(inode)->i_iget5_block &&
++ ISOFS_I(inode)->i_iget5_offset == 0) {
++ printk(KERN_ERR
++ "ISOFS: Directory relocation points to "
++ "itself\n");
++ goto eio;
++ }
++ ISOFS_I(inode)->i_first_extent = reloc_block;
++ reloc = isofs_iget_reloc(inode->i_sb, reloc_block, 0);
+ if (IS_ERR(reloc)) {
+ ret = PTR_ERR(reloc);
+ goto out;
+@@ -637,9 +651,11 @@ static char *get_symlink_chunk(char *rpnt, struct rock_ridge *rr, char *plimit)
+ return rpnt;
+ }
+
+-int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode)
++int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode,
++ int relocated)
+ {
+- int result = parse_rock_ridge_inode_internal(de, inode, 0);
++ int flags = relocated ? RR_RELOC_DE : 0;
++ int result = parse_rock_ridge_inode_internal(de, inode, flags);
+
+ /*
+ * if rockridge flag was reset and we didn't look for attributes
+@@ -647,7 +663,8 @@ int parse_rock_ridge_inode(struct iso_directory_record *de, struct inode *inode)
+ */
+ if ((ISOFS_SB(inode->i_sb)->s_rock_offset == -1)
+ && (ISOFS_SB(inode->i_sb)->s_rock == 2)) {
+- result = parse_rock_ridge_inode_internal(de, inode, 14);
++ result = parse_rock_ridge_inode_internal(de, inode,
++ flags | RR_REGARD_XA);
+ }
+ return result;
+ }
diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c
index 4a6cf28..d3a29d3 100644
--- a/fs/jffs2/erase.c
@@ -65487,7 +65771,7 @@ index 467bb1c..cf9d65a 100644
return -EINVAL;
diff --git a/fs/seq_file.c b/fs/seq_file.c
-index 1d641bb..c2f4743 100644
+index 1d641bb..9ca7f61 100644
--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -10,6 +10,8 @@
@@ -65580,6 +65864,15 @@ index 1d641bb..c2f4743 100644
int res = -ENOMEM;
if (op) {
+@@ -605,7 +620,7 @@ EXPORT_SYMBOL(single_open);
+ int single_open_size(struct file *file, int (*show)(struct seq_file *, void *),
+ void *data, size_t size)
+ {
+- char *buf = kmalloc(size, GFP_KERNEL);
++ char *buf = kmalloc(size, GFP_KERNEL | GFP_USERCOPY);
+ int ret;
+ if (!buf)
+ return -ENOMEM;
@@ -620,6 +635,17 @@ int single_open_size(struct file *file, int (*show)(struct seq_file *, void *),
}
EXPORT_SYMBOL(single_open_size);
@@ -66136,10 +66429,10 @@ index 78e62cc..eec3706 100644
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..bfd482c
+index 0000000..27cec32
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,1176 @@
+@@ -0,0 +1,1166 @@
+#
+# grecurity configuration
+#
@@ -67072,16 +67365,6 @@ index 0000000..bfd482c
+menu "Network Protections"
+depends on GRKERNSEC
+
-+config GRKERNSEC_RANDNET
-+ bool "Larger entropy pools"
-+ default y if GRKERNSEC_CONFIG_AUTO
-+ help
-+ If you say Y here, the entropy pools used for many features of Linux
-+ and grsecurity will be doubled in size. Since several grsecurity
-+ features use additional randomness, it is recommended that you say Y
-+ here. Saying Y here has a similar effect as modifying
-+ /proc/sys/kernel/random/poolsize.
-+
+config GRKERNSEC_BLACKHOLE
+ bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
+ default y if GRKERNSEC_CONFIG_AUTO
@@ -70174,10 +70457,10 @@ index 0000000..18ffbbd
+}
diff --git a/grsecurity/gracl_cap.c b/grsecurity/gracl_cap.c
new file mode 100644
-index 0000000..bdd51ea
+index 0000000..1a94c11
--- /dev/null
+++ b/grsecurity/gracl_cap.c
-@@ -0,0 +1,110 @@
+@@ -0,0 +1,127 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -70188,6 +70471,29 @@ index 0000000..bdd51ea
+extern const char *captab_log[];
+extern int captab_log_entries;
+
++int gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap)
++{
++ struct acl_subject_label *curracl;
++
++ if (!gr_acl_is_enabled())
++ return 1;
++
++ curracl = task->acl;
++
++ if (curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
++ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
++ task->role->roletype, GR_GLOBAL_UID(cred->uid),
++ GR_GLOBAL_GID(cred->gid), task->exec_file ?
++ gr_to_filename(task->exec_file->f_path.dentry,
++ task->exec_file->f_path.mnt) : curracl->filename,
++ curracl->filename, 0UL,
++ 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
++ return 1;
++ }
++
++ return 0;
++}
++
+int gr_task_acl_is_capable(const struct task_struct *task, const struct cred *cred, const int cap)
+{
+ struct acl_subject_label *curracl;
@@ -70224,19 +70530,13 @@ index 0000000..bdd51ea
+ return 1;
+ }
+
-+ curracl = task->acl;
-+
-+ if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
-+ && cap_raised(cred->cap_effective, cap)) {
-+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
-+ task->role->roletype, GR_GLOBAL_UID(cred->uid),
-+ GR_GLOBAL_GID(cred->gid), task->exec_file ?
-+ gr_to_filename(task->exec_file->f_path.dentry,
-+ task->exec_file->f_path.mnt) : curracl->filename,
-+ curracl->filename, 0UL,
-+ 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
++ /* only learn the capability use if the process has the capability in the
++ general case, the two uses in sys.c of gr_learn_cap are an exception
++ to this rule to ensure any role transition involves what the full-learned
++ policy believes in a privileged process
++ */
++ if (cap_raised(cred->cap_effective, cap) && gr_learn_cap(task, cred, cap))
+ return 1;
-+ }
+
+ if ((cap >= 0) && (cap < captab_log_entries) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
@@ -74259,10 +74559,10 @@ index 0000000..baa635c
+}
diff --git a/grsecurity/grsec_disabled.c b/grsecurity/grsec_disabled.c
new file mode 100644
-index 0000000..4d6fce8
+index 0000000..1e028d7
--- /dev/null
+++ b/grsecurity/grsec_disabled.c
-@@ -0,0 +1,433 @@
+@@ -0,0 +1,439 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -74304,6 +74604,12 @@ index 0000000..4d6fce8
+ return 0;
+}
+
++int
++gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap)
++{
++ return 0;
++}
++
+void
+gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode)
+{
@@ -74698,10 +75004,10 @@ index 0000000..4d6fce8
+#endif
diff --git a/grsecurity/grsec_exec.c b/grsecurity/grsec_exec.c
new file mode 100644
-index 0000000..f35f454
+index 0000000..14638ff
--- /dev/null
+++ b/grsecurity/grsec_exec.c
-@@ -0,0 +1,187 @@
+@@ -0,0 +1,188 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/file.h>
@@ -74836,7 +75142,8 @@ index 0000000..f35f454
+ "CAP_MAC_OVERRIDE",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
-+ "CAP_WAKE_ALARM"
++ "CAP_WAKE_ALARM",
++ "CAP_BLOCK_SUSPEND"
+};
+
+int captab_log_entries = sizeof(captab_log)/sizeof(captab_log[0]);
@@ -76944,10 +77251,10 @@ index 0000000..61b514e
+EXPORT_SYMBOL_GPL(gr_log_timechange);
diff --git a/grsecurity/grsec_tpe.c b/grsecurity/grsec_tpe.c
new file mode 100644
-index 0000000..ee57dcf
+index 0000000..d1953de
--- /dev/null
+++ b/grsecurity/grsec_tpe.c
-@@ -0,0 +1,73 @@
+@@ -0,0 +1,78 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/file.h>
@@ -76961,6 +77268,7 @@ index 0000000..ee57dcf
+{
+#ifdef CONFIG_GRKERNSEC
+ struct inode *inode = file->f_path.dentry->d_parent->d_inode;
++ struct inode *file_inode = file->f_path.dentry->d_inode;
+ const struct cred *cred = current_cred();
+ char *msg = NULL;
+ char *msg2 = NULL;
@@ -76993,6 +77301,8 @@ index 0000000..ee57dcf
+ msg2 = "file in world-writable directory";
+ else if (inode->i_mode & S_IWGRP)
+ msg2 = "file in group-writable directory";
++ else if (file_inode->i_mode & S_IWOTH)
++ msg2 = "file is world-writable";
+
+ if (msg && msg2) {
+ char fullmsg[70] = {0};
@@ -77012,6 +77322,8 @@ index 0000000..ee57dcf
+ msg = "file in world-writable directory";
+ else if (inode->i_mode & S_IWGRP)
+ msg = "file in group-writable directory";
++ else if (file_inode->i_mode & S_IWOTH)
++ msg = "file is world-writable";
+
+ if (msg) {
+ gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, msg, file->f_path.dentry, file->f_path.mnt);
@@ -80065,10 +80377,10 @@ index 0000000..b02ba9d
+#define GR_MSRWRITE_MSG "denied write to CPU MSR by "
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
new file mode 100644
-index 0000000..b87dd26
+index 0000000..acda855
--- /dev/null
+++ b/include/linux/grsecurity.h
-@@ -0,0 +1,252 @@
+@@ -0,0 +1,254 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
@@ -80108,6 +80420,8 @@ index 0000000..b87dd26
+int gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs);
+int gr_check_group_change(kgid_t real, kgid_t effective, kgid_t fs);
+
++int gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap);
++
+void gr_del_task_from_ip_table(struct task_struct *p);
+
+int gr_pid_is_chrooted(struct task_struct *p);
@@ -86036,10 +86350,25 @@ index 1191a44..7c81292 100644
+}
+EXPORT_SYMBOL(capable_wrt_inode_uidgid_nolog);
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
-index 0c753dd..dd7d3d6 100644
+index 0c753dd..3ce8cca 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
-@@ -5372,7 +5372,7 @@ static int cgroup_css_links_read(struct seq_file *seq, void *v)
+@@ -5190,6 +5190,14 @@ static void cgroup_release_agent(struct work_struct *work)
+ release_list);
+ list_del_init(&cgrp->release_list);
+ raw_spin_unlock(&release_list_lock);
++
++ /*
++ * don't bother calling call_usermodehelper if we haven't
++ * configured a binary to execute
++ */
++ if (cgrp->root->release_agent_path[0] == '\0')
++ goto continue_free;
++
+ pathbuf = kmalloc(PAGE_SIZE, GFP_KERNEL);
+ if (!pathbuf)
+ goto continue_free;
+@@ -5372,7 +5380,7 @@ static int cgroup_css_links_read(struct seq_file *seq, void *v)
struct css_set *cset = link->cset;
struct task_struct *task;
int count = 0;
@@ -90666,7 +90995,7 @@ index 490fcbb..1e502c6 100644
.thread_should_run = ksoftirqd_should_run,
.thread_fn = run_ksoftirqd,
diff --git a/kernel/sys.c b/kernel/sys.c
-index c0a58be..784c618 100644
+index c0a58be..95e292b 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -148,6 +148,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error)
@@ -90682,17 +91011,28 @@ index c0a58be..784c618 100644
no_nice = security_task_setnice(p, niceval);
if (no_nice) {
error = no_nice;
-@@ -351,6 +357,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid)
+@@ -351,6 +357,20 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid)
goto error;
}
+ if (gr_check_group_change(new->gid, new->egid, INVALID_GID))
+ goto error;
+
++ if (!gid_eq(new->gid, old->gid)) {
++ /* make sure we generate a learn log for what will
++ end up being a role transition after a full-learning
++ policy is generated
++ CAP_SETGID is required to perform a transition
++ we may not log a CAP_SETGID check above, e.g.
++ in the case where new rgid = old egid
++ */
++ gr_learn_cap(current, new, CAP_SETGID);
++ }
++
if (rgid != (gid_t) -1 ||
(egid != (gid_t) -1 && !gid_eq(kegid, old->gid)))
new->sgid = new->egid;
-@@ -386,6 +395,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
+@@ -386,6 +406,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
old = current_cred();
retval = -EPERM;
@@ -90703,7 +91043,7 @@ index c0a58be..784c618 100644
if (ns_capable(old->user_ns, CAP_SETGID))
new->gid = new->egid = new->sgid = new->fsgid = kgid;
else if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->sgid))
-@@ -403,7 +416,7 @@ error:
+@@ -403,7 +427,7 @@ error:
/*
* change the user struct in a credentials set to match the new UID
*/
@@ -90712,7 +91052,7 @@ index c0a58be..784c618 100644
{
struct user_struct *new_user;
-@@ -483,6 +496,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid)
+@@ -483,7 +507,18 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid)
goto error;
}
@@ -90720,9 +91060,18 @@ index c0a58be..784c618 100644
+ goto error;
+
if (!uid_eq(new->uid, old->uid)) {
++ /* make sure we generate a learn log for what will
++ end up being a role transition after a full-learning
++ policy is generated
++ CAP_SETUID is required to perform a transition
++ we may not log a CAP_SETUID check above, e.g.
++ in the case where new ruid = old euid
++ */
++ gr_learn_cap(current, new, CAP_SETUID);
retval = set_user(new);
if (retval < 0)
-@@ -533,6 +549,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
+ goto error;
+@@ -533,6 +568,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
old = current_cred();
retval = -EPERM;
@@ -90735,7 +91084,7 @@ index c0a58be..784c618 100644
if (ns_capable(old->user_ns, CAP_SETUID)) {
new->suid = new->uid = kuid;
if (!uid_eq(kuid, old->uid)) {
-@@ -602,6 +624,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
+@@ -602,6 +643,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
goto error;
}
@@ -90745,7 +91094,7 @@ index c0a58be..784c618 100644
if (ruid != (uid_t) -1) {
new->uid = kruid;
if (!uid_eq(kruid, old->uid)) {
-@@ -684,6 +709,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid)
+@@ -684,6 +728,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid)
goto error;
}
@@ -90755,7 +91104,7 @@ index c0a58be..784c618 100644
if (rgid != (gid_t) -1)
new->gid = krgid;
if (egid != (gid_t) -1)
-@@ -745,12 +773,16 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
+@@ -745,12 +792,16 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
uid_eq(kuid, old->suid) || uid_eq(kuid, old->fsuid) ||
ns_capable(old->user_ns, CAP_SETUID)) {
if (!uid_eq(kuid, old->fsuid)) {
@@ -90772,7 +91121,7 @@ index c0a58be..784c618 100644
abort_creds(new);
return old_fsuid;
-@@ -783,12 +815,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
+@@ -783,12 +834,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->egid) ||
gid_eq(kgid, old->sgid) || gid_eq(kgid, old->fsgid) ||
ns_capable(old->user_ns, CAP_SETGID)) {
@@ -90789,7 +91138,7 @@ index c0a58be..784c618 100644
abort_creds(new);
return old_fsgid;
-@@ -1167,19 +1203,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
+@@ -1167,19 +1222,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
return -EFAULT;
down_read(&uts_sem);
@@ -90814,7 +91163,7 @@ index c0a58be..784c618 100644
__OLD_UTS_LEN);
error |= __put_user(0, name->machine + __OLD_UTS_LEN);
up_read(&uts_sem);
-@@ -1381,6 +1417,13 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource,
+@@ -1381,6 +1436,13 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource,
*/
new_rlim->rlim_cur = 1;
}
@@ -94079,7 +94428,7 @@ index b1eb536..091d154 100644
capable(CAP_IPC_LOCK))
ret = do_mlockall(flags);
diff --git a/mm/mmap.c b/mm/mmap.c
-index 20ff0c3..a9eda98 100644
+index 20ff0c3..005dc47 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -36,6 +36,7 @@
@@ -94152,15 +94501,20 @@ index 20ff0c3..a9eda98 100644
if (vma->vm_ops && vma->vm_ops->close)
vma->vm_ops->close(vma);
if (vma->vm_file)
-@@ -290,6 +312,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
+@@ -290,6 +312,12 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
* not page aligned -Ram Gupta
*/
rlim = rlimit(RLIMIT_DATA);
++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
++ /* force a minimum 16MB brk heap on setuid/setgid binaries */
++ if (rlim < PAGE_SIZE && (get_dumpable(mm) != SUID_DUMP_USER) && gr_is_global_nonroot(current_uid()))
++ rlim = 4096 * PAGE_SIZE;
++#endif
+ gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
(mm->end_data - mm->start_data) > rlim)
goto out;
-@@ -940,6 +963,12 @@ static int
+@@ -940,6 +968,12 @@ static int
can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
{
@@ -94173,7 +94527,7 @@ index 20ff0c3..a9eda98 100644
if (is_mergeable_vma(vma, file, vm_flags) &&
is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
if (vma->vm_pgoff == vm_pgoff)
-@@ -959,6 +988,12 @@ static int
+@@ -959,6 +993,12 @@ static int
can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
{
@@ -94186,7 +94540,7 @@ index 20ff0c3..a9eda98 100644
if (is_mergeable_vma(vma, file, vm_flags) &&
is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
pgoff_t vm_pglen;
-@@ -1001,13 +1036,20 @@ can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
+@@ -1001,13 +1041,20 @@ can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
struct vm_area_struct *vma_merge(struct mm_struct *mm,
struct vm_area_struct *prev, unsigned long addr,
unsigned long end, unsigned long vm_flags,
@@ -94208,7 +94562,7 @@ index 20ff0c3..a9eda98 100644
/*
* We later require that vma->vm_flags == vm_flags,
* so this tests vma->vm_flags & VM_SPECIAL, too.
-@@ -1023,6 +1065,15 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
+@@ -1023,6 +1070,15 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
if (next && next->vm_end == end) /* cases 6, 7, 8 */
next = next->vm_next;
@@ -94224,7 +94578,7 @@ index 20ff0c3..a9eda98 100644
/*
* Can it merge with the predecessor?
*/
-@@ -1042,9 +1093,24 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
+@@ -1042,9 +1098,24 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
/* cases 1, 6 */
err = vma_adjust(prev, prev->vm_start,
next->vm_end, prev->vm_pgoff, NULL);
@@ -94250,7 +94604,7 @@ index 20ff0c3..a9eda98 100644
if (err)
return NULL;
khugepaged_enter_vma_merge(prev);
-@@ -1058,12 +1124,27 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
+@@ -1058,12 +1129,27 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
mpol_equal(policy, vma_policy(next)) &&
can_vma_merge_before(next, vm_flags,
anon_vma, file, pgoff+pglen)) {
@@ -94280,7 +94634,7 @@ index 20ff0c3..a9eda98 100644
if (err)
return NULL;
khugepaged_enter_vma_merge(area);
-@@ -1172,8 +1253,10 @@ none:
+@@ -1172,8 +1258,10 @@ none:
void vm_stat_account(struct mm_struct *mm, unsigned long flags,
struct file *file, long pages)
{
@@ -94293,7 +94647,7 @@ index 20ff0c3..a9eda98 100644
mm->total_vm += pages;
-@@ -1181,7 +1264,7 @@ void vm_stat_account(struct mm_struct *mm, unsigned long flags,
+@@ -1181,7 +1269,7 @@ void vm_stat_account(struct mm_struct *mm, unsigned long flags,
mm->shared_vm += pages;
if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
mm->exec_vm += pages;
@@ -94302,7 +94656,7 @@ index 20ff0c3..a9eda98 100644
mm->stack_vm += pages;
}
#endif /* CONFIG_PROC_FS */
-@@ -1211,6 +1294,7 @@ static inline int mlock_future_check(struct mm_struct *mm,
+@@ -1211,6 +1299,7 @@ static inline int mlock_future_check(struct mm_struct *mm,
locked += mm->locked_vm;
lock_limit = rlimit(RLIMIT_MEMLOCK);
lock_limit >>= PAGE_SHIFT;
@@ -94310,7 +94664,7 @@ index 20ff0c3..a9eda98 100644
if (locked > lock_limit && !capable(CAP_IPC_LOCK))
return -EAGAIN;
}
-@@ -1237,7 +1321,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -1237,7 +1326,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
* (the exception is when the underlying filesystem is noexec
* mounted, in which case we dont add PROT_EXEC.)
*/
@@ -94319,7 +94673,7 @@ index 20ff0c3..a9eda98 100644
if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
prot |= PROT_EXEC;
-@@ -1263,7 +1347,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -1263,7 +1352,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
/* Obtain the address to map to. we verify (or select) it and ensure
* that it represents a valid section of the address space.
*/
@@ -94328,7 +94682,7 @@ index 20ff0c3..a9eda98 100644
if (addr & ~PAGE_MASK)
return addr;
-@@ -1274,6 +1358,43 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -1274,6 +1363,43 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
@@ -94372,7 +94726,7 @@ index 20ff0c3..a9eda98 100644
if (flags & MAP_LOCKED)
if (!can_do_mlock())
return -EPERM;
-@@ -1361,6 +1482,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -1361,6 +1487,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
vm_flags |= VM_NORESERVE;
}
@@ -94382,7 +94736,7 @@ index 20ff0c3..a9eda98 100644
addr = mmap_region(file, addr, len, vm_flags, pgoff);
if (!IS_ERR_VALUE(addr) &&
((vm_flags & VM_LOCKED) ||
-@@ -1454,7 +1578,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma)
+@@ -1454,7 +1583,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma)
vm_flags_t vm_flags = vma->vm_flags;
/* If it was private or non-writable, the write bit is already clear */
@@ -94391,7 +94745,7 @@ index 20ff0c3..a9eda98 100644
return 0;
/* The backer wishes to know when pages are first written to? */
-@@ -1500,7 +1624,22 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
+@@ -1500,7 +1629,22 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
struct rb_node **rb_link, *rb_parent;
unsigned long charged = 0;
@@ -94414,7 +94768,7 @@ index 20ff0c3..a9eda98 100644
if (!may_expand_vm(mm, len >> PAGE_SHIFT)) {
unsigned long nr_pages;
-@@ -1519,11 +1658,10 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
+@@ -1519,11 +1663,10 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
/* Clear old maps */
error = -ENOMEM;
@@ -94427,7 +94781,7 @@ index 20ff0c3..a9eda98 100644
}
/*
-@@ -1554,6 +1692,16 @@ munmap_back:
+@@ -1554,6 +1697,16 @@ munmap_back:
goto unacct_error;
}
@@ -94444,7 +94798,7 @@ index 20ff0c3..a9eda98 100644
vma->vm_mm = mm;
vma->vm_start = addr;
vma->vm_end = addr + len;
-@@ -1573,6 +1721,13 @@ munmap_back:
+@@ -1573,6 +1726,13 @@ munmap_back:
if (error)
goto unmap_and_free_vma;
@@ -94458,7 +94812,7 @@ index 20ff0c3..a9eda98 100644
/* Can addr have changed??
*
* Answer: Yes, several device drivers can do it in their
-@@ -1606,6 +1761,12 @@ munmap_back:
+@@ -1606,6 +1766,12 @@ munmap_back:
}
vma_link(mm, vma, prev, rb_link, rb_parent);
@@ -94471,7 +94825,7 @@ index 20ff0c3..a9eda98 100644
/* Once vma denies write, undo our temporary denial count */
if (vm_flags & VM_DENYWRITE)
allow_write_access(file);
-@@ -1614,6 +1775,7 @@ out:
+@@ -1614,6 +1780,7 @@ out:
perf_event_mmap(vma);
vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
@@ -94479,7 +94833,7 @@ index 20ff0c3..a9eda98 100644
if (vm_flags & VM_LOCKED) {
if (!((vm_flags & VM_SPECIAL) || is_vm_hugetlb_page(vma) ||
vma == get_gate_vma(current->mm)))
-@@ -1646,6 +1808,12 @@ unmap_and_free_vma:
+@@ -1646,6 +1813,12 @@ unmap_and_free_vma:
unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
charged = 0;
free_vma:
@@ -94492,7 +94846,7 @@ index 20ff0c3..a9eda98 100644
kmem_cache_free(vm_area_cachep, vma);
unacct_error:
if (charged)
-@@ -1653,7 +1821,63 @@ unacct_error:
+@@ -1653,7 +1826,63 @@ unacct_error:
return error;
}
@@ -94557,7 +94911,7 @@ index 20ff0c3..a9eda98 100644
{
/*
* We implement the search by looking for an rbtree node that
-@@ -1701,11 +1925,29 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info)
+@@ -1701,11 +1930,29 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info)
}
}
@@ -94588,7 +94942,7 @@ index 20ff0c3..a9eda98 100644
if (gap_end >= low_limit && gap_end - gap_start >= length)
goto found;
-@@ -1755,7 +1997,7 @@ found:
+@@ -1755,7 +2002,7 @@ found:
return gap_start;
}
@@ -94597,7 +94951,7 @@ index 20ff0c3..a9eda98 100644
{
struct mm_struct *mm = current->mm;
struct vm_area_struct *vma;
-@@ -1809,6 +2051,24 @@ check_current:
+@@ -1809,6 +2056,24 @@ check_current:
gap_end = vma->vm_start;
if (gap_end < low_limit)
return -ENOMEM;
@@ -94622,7 +94976,7 @@ index 20ff0c3..a9eda98 100644
if (gap_start <= high_limit && gap_end - gap_start >= length)
goto found;
-@@ -1872,6 +2132,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+@@ -1872,6 +2137,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
struct mm_struct *mm = current->mm;
struct vm_area_struct *vma;
struct vm_unmapped_area_info info;
@@ -94630,7 +94984,7 @@ index 20ff0c3..a9eda98 100644
if (len > TASK_SIZE - mmap_min_addr)
return -ENOMEM;
-@@ -1879,11 +2140,15 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+@@ -1879,11 +2145,15 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
if (flags & MAP_FIXED)
return addr;
@@ -94647,7 +95001,7 @@ index 20ff0c3..a9eda98 100644
return addr;
}
-@@ -1892,6 +2157,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+@@ -1892,6 +2162,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
info.low_limit = mm->mmap_base;
info.high_limit = TASK_SIZE;
info.align_mask = 0;
@@ -94655,7 +95009,7 @@ index 20ff0c3..a9eda98 100644
return vm_unmapped_area(&info);
}
#endif
-@@ -1910,6 +2176,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1910,6 +2181,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
struct mm_struct *mm = current->mm;
unsigned long addr = addr0;
struct vm_unmapped_area_info info;
@@ -94663,7 +95017,7 @@ index 20ff0c3..a9eda98 100644
/* requested length too big for entire address space */
if (len > TASK_SIZE - mmap_min_addr)
-@@ -1918,12 +2185,16 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1918,12 +2190,16 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
if (flags & MAP_FIXED)
return addr;
@@ -94681,7 +95035,7 @@ index 20ff0c3..a9eda98 100644
return addr;
}
-@@ -1932,6 +2203,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1932,6 +2208,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
info.low_limit = max(PAGE_SIZE, mmap_min_addr);
info.high_limit = mm->mmap_base;
info.align_mask = 0;
@@ -94689,7 +95043,7 @@ index 20ff0c3..a9eda98 100644
addr = vm_unmapped_area(&info);
/*
-@@ -1944,6 +2216,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1944,6 +2221,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
VM_BUG_ON(addr != -ENOMEM);
info.flags = 0;
info.low_limit = TASK_UNMAPPED_BASE;
@@ -94702,7 +95056,7 @@ index 20ff0c3..a9eda98 100644
info.high_limit = TASK_SIZE;
addr = vm_unmapped_area(&info);
}
-@@ -2045,6 +2323,28 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr,
+@@ -2045,6 +2328,28 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr,
return vma;
}
@@ -94731,7 +95085,7 @@ index 20ff0c3..a9eda98 100644
/*
* Verify that the stack growth is acceptable and
* update accounting. This is shared with both the
-@@ -2061,6 +2361,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -2061,6 +2366,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
return -ENOMEM;
/* Stack limit test */
@@ -94739,7 +95093,7 @@ index 20ff0c3..a9eda98 100644
if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
return -ENOMEM;
-@@ -2071,6 +2372,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -2071,6 +2377,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
locked = mm->locked_vm + grow;
limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
limit >>= PAGE_SHIFT;
@@ -94747,7 +95101,7 @@ index 20ff0c3..a9eda98 100644
if (locked > limit && !capable(CAP_IPC_LOCK))
return -ENOMEM;
}
-@@ -2100,37 +2402,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -2100,37 +2407,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
* PA-RISC uses this for its stack; IA64 for its Register Backing Store.
* vma is the last one with address > vma->vm_end. Have to extend vma.
*/
@@ -94805,7 +95159,7 @@ index 20ff0c3..a9eda98 100644
unsigned long size, grow;
size = address - vma->vm_start;
-@@ -2165,6 +2478,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+@@ -2165,6 +2483,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
}
}
}
@@ -94814,7 +95168,7 @@ index 20ff0c3..a9eda98 100644
vma_unlock_anon_vma(vma);
khugepaged_enter_vma_merge(vma);
validate_mm(vma->vm_mm);
-@@ -2179,6 +2494,8 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2179,6 +2499,8 @@ int expand_downwards(struct vm_area_struct *vma,
unsigned long address)
{
int error;
@@ -94823,7 +95177,7 @@ index 20ff0c3..a9eda98 100644
/*
* We must make sure the anon_vma is allocated
-@@ -2192,6 +2509,15 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2192,6 +2514,15 @@ int expand_downwards(struct vm_area_struct *vma,
if (error)
return error;
@@ -94839,7 +95193,7 @@ index 20ff0c3..a9eda98 100644
vma_lock_anon_vma(vma);
/*
-@@ -2201,9 +2527,17 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2201,9 +2532,17 @@ int expand_downwards(struct vm_area_struct *vma,
*/
/* Somebody else might have raced and expanded it already */
@@ -94858,7 +95212,7 @@ index 20ff0c3..a9eda98 100644
size = vma->vm_end - address;
grow = (vma->vm_start - address) >> PAGE_SHIFT;
-@@ -2228,13 +2562,27 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2228,13 +2567,27 @@ int expand_downwards(struct vm_area_struct *vma,
vma->vm_pgoff -= grow;
anon_vma_interval_tree_post_update_vma(vma);
vma_gap_update(vma);
@@ -94886,7 +95240,7 @@ index 20ff0c3..a9eda98 100644
khugepaged_enter_vma_merge(vma);
validate_mm(vma->vm_mm);
return error;
-@@ -2332,6 +2680,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2332,6 +2685,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
do {
long nrpages = vma_pages(vma);
@@ -94900,7 +95254,7 @@ index 20ff0c3..a9eda98 100644
if (vma->vm_flags & VM_ACCOUNT)
nr_accounted += nrpages;
vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
-@@ -2376,6 +2731,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2376,6 +2736,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
insertion_point = (prev ? &prev->vm_next : &mm->mmap);
vma->vm_prev = NULL;
do {
@@ -94917,7 +95271,7 @@ index 20ff0c3..a9eda98 100644
vma_rb_erase(vma, &mm->mm_rb);
mm->map_count--;
tail_vma = vma;
-@@ -2401,14 +2766,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2401,14 +2771,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
struct vm_area_struct *new;
int err = -ENOMEM;
@@ -94951,7 +95305,7 @@ index 20ff0c3..a9eda98 100644
/* most fields are the same, copy all, and then fixup */
*new = *vma;
-@@ -2421,6 +2805,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2421,6 +2810,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
}
@@ -94974,7 +95328,7 @@ index 20ff0c3..a9eda98 100644
err = vma_dup_policy(vma, new);
if (err)
goto out_free_vma;
-@@ -2440,6 +2840,38 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2440,6 +2845,38 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
else
err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
@@ -95013,7 +95367,7 @@ index 20ff0c3..a9eda98 100644
/* Success. */
if (!err)
return 0;
-@@ -2449,10 +2881,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2449,10 +2886,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
new->vm_ops->close(new);
if (new->vm_file)
fput(new->vm_file);
@@ -95033,7 +95387,7 @@ index 20ff0c3..a9eda98 100644
kmem_cache_free(vm_area_cachep, new);
out_err:
return err;
-@@ -2465,6 +2905,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2465,6 +2910,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
unsigned long addr, int new_below)
{
@@ -95049,7 +95403,7 @@ index 20ff0c3..a9eda98 100644
if (mm->map_count >= sysctl_max_map_count)
return -ENOMEM;
-@@ -2476,11 +2925,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2476,11 +2930,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
* work. This now handles partial unmappings.
* Jeremy Fitzhardinge <jeremy@goop.org>
*/
@@ -95080,7 +95434,7 @@ index 20ff0c3..a9eda98 100644
if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
return -EINVAL;
-@@ -2555,6 +3023,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
+@@ -2555,6 +3028,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
/* Fix up all other VM information */
remove_vma_list(mm, vma);
@@ -95089,7 +95443,7 @@ index 20ff0c3..a9eda98 100644
return 0;
}
-@@ -2563,6 +3033,13 @@ int vm_munmap(unsigned long start, size_t len)
+@@ -2563,6 +3038,13 @@ int vm_munmap(unsigned long start, size_t len)
int ret;
struct mm_struct *mm = current->mm;
@@ -95103,7 +95457,7 @@ index 20ff0c3..a9eda98 100644
down_write(&mm->mmap_sem);
ret = do_munmap(mm, start, len);
up_write(&mm->mmap_sem);
-@@ -2576,16 +3053,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
+@@ -2576,16 +3058,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
return vm_munmap(addr, len);
}
@@ -95120,7 +95474,7 @@ index 20ff0c3..a9eda98 100644
/*
* this is really a simplified "do_mmap". it only handles
* anonymous maps. eventually we may be able to do some
-@@ -2599,6 +3066,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2599,6 +3071,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
struct rb_node ** rb_link, * rb_parent;
pgoff_t pgoff = addr >> PAGE_SHIFT;
int error;
@@ -95128,7 +95482,7 @@ index 20ff0c3..a9eda98 100644
len = PAGE_ALIGN(len);
if (!len)
-@@ -2606,10 +3074,24 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2606,10 +3079,24 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
@@ -95153,7 +95507,7 @@ index 20ff0c3..a9eda98 100644
error = mlock_future_check(mm, mm->def_flags, len);
if (error)
return error;
-@@ -2623,21 +3105,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2623,21 +3110,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
/*
* Clear old maps. this also does some error checking for us
*/
@@ -95178,7 +95532,7 @@ index 20ff0c3..a9eda98 100644
return -ENOMEM;
/* Can we just expand an old private anonymous mapping? */
-@@ -2651,7 +3132,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2651,7 +3137,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
*/
vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
if (!vma) {
@@ -95187,7 +95541,7 @@ index 20ff0c3..a9eda98 100644
return -ENOMEM;
}
-@@ -2665,10 +3146,11 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2665,10 +3151,11 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
vma_link(mm, vma, prev, rb_link, rb_parent);
out:
perf_event_mmap(vma);
@@ -95201,7 +95555,7 @@ index 20ff0c3..a9eda98 100644
return addr;
}
-@@ -2730,6 +3212,7 @@ void exit_mmap(struct mm_struct *mm)
+@@ -2730,6 +3217,7 @@ void exit_mmap(struct mm_struct *mm)
while (vma) {
if (vma->vm_flags & VM_ACCOUNT)
nr_accounted += vma_pages(vma);
@@ -95209,7 +95563,7 @@ index 20ff0c3..a9eda98 100644
vma = remove_vma(vma);
}
vm_unacct_memory(nr_accounted);
-@@ -2747,6 +3230,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2747,6 +3235,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
struct vm_area_struct *prev;
struct rb_node **rb_link, *rb_parent;
@@ -95223,7 +95577,7 @@ index 20ff0c3..a9eda98 100644
/*
* The vm_pgoff of a purely anonymous vma should be irrelevant
* until its first write fault, when page's anon_vma and index
-@@ -2770,7 +3260,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2770,7 +3265,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
security_vm_enough_memory_mm(mm, vma_pages(vma)))
return -ENOMEM;
@@ -95245,7 +95599,7 @@ index 20ff0c3..a9eda98 100644
return 0;
}
-@@ -2789,6 +3293,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2789,6 +3298,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
struct rb_node **rb_link, *rb_parent;
bool faulted_in_anon_vma = true;
@@ -95254,7 +95608,7 @@ index 20ff0c3..a9eda98 100644
/*
* If anonymous vma has not yet been faulted, update new pgoff
* to match new location, to increase its chance of merging.
-@@ -2853,6 +3359,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2853,6 +3364,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
return NULL;
}
@@ -95294,7 +95648,7 @@ index 20ff0c3..a9eda98 100644
/*
* Return true if the calling process may expand its vm space by the passed
* number of pages
-@@ -2864,6 +3403,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
+@@ -2864,6 +3408,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
@@ -95302,7 +95656,7 @@ index 20ff0c3..a9eda98 100644
if (cur + npages > lim)
return 0;
return 1;
-@@ -2934,6 +3474,22 @@ int install_special_mapping(struct mm_struct *mm,
+@@ -2934,6 +3479,22 @@ int install_special_mapping(struct mm_struct *mm,
vma->vm_start = addr;
vma->vm_end = addr + len;
@@ -102153,10 +102507,18 @@ index b74aa07..d41926e 100644
*uaddr_len = sizeof(struct sockaddr_ax25);
}
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index 48a6a93..0b0496e 100644
+index 48a6a93..d2c096b 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
-@@ -1845,7 +1845,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
+@@ -635,6 +635,7 @@ static void init_prb_bdqc(struct packet_sock *po,
+ p1->tov_in_jiffies = msecs_to_jiffies(p1->retire_blk_tov);
+ p1->blk_sizeof_priv = req_u->req3.tp_sizeof_priv;
+
++ p1->max_frame_len = p1->kblk_size - BLK_PLUS_PRIV(p1->blk_sizeof_priv);
+ prb_init_ft_ops(p1, req_u);
+ prb_setup_retire_blk_timer(po, tx_ring);
+ prb_open_block(p1, pbd);
+@@ -1845,7 +1846,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
spin_lock(&sk->sk_receive_queue.lock);
po->stats.stats1.tp_packets++;
@@ -102165,7 +102527,7 @@ index 48a6a93..0b0496e 100644
__skb_queue_tail(&sk->sk_receive_queue, skb);
spin_unlock(&sk->sk_receive_queue.lock);
sk->sk_data_ready(sk, skb->len);
-@@ -1854,7 +1854,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
+@@ -1854,7 +1855,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
drop_n_acct:
spin_lock(&sk->sk_receive_queue.lock);
po->stats.stats1.tp_drops++;
@@ -102174,7 +102536,26 @@ index 48a6a93..0b0496e 100644
spin_unlock(&sk->sk_receive_queue.lock);
drop_n_restore:
-@@ -3449,7 +3449,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -1946,6 +1947,18 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
+ if ((int)snaplen < 0)
+ snaplen = 0;
+ }
++ } else if (unlikely(macoff + snaplen >
++ GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len)) {
++ u32 nval;
++
++ nval = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len - macoff;
++ pr_err_once("tpacket_rcv: packet too big, clamped from %u to %u. macoff=%u\n",
++ snaplen, nval, macoff);
++ snaplen = nval;
++ if (unlikely((int)snaplen < 0)) {
++ snaplen = 0;
++ macoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len;
++ }
+ }
+ spin_lock(&sk->sk_receive_queue.lock);
+ h.raw = packet_current_rx_frame(po, skb,
+@@ -3449,7 +3462,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
case PACKET_HDRLEN:
if (len > sizeof(int))
len = sizeof(int);
@@ -102183,7 +102564,7 @@ index 48a6a93..0b0496e 100644
return -EFAULT;
switch (val) {
case TPACKET_V1:
-@@ -3495,7 +3495,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3495,7 +3508,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
len = lv;
if (put_user(len, optlen))
return -EFAULT;
@@ -102192,6 +102573,29 @@ index 48a6a93..0b0496e 100644
return -EFAULT;
return 0;
}
+@@ -3779,6 +3792,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ goto out;
+ if (unlikely(req->tp_block_size & (PAGE_SIZE - 1)))
+ goto out;
++ if (po->tp_version >= TPACKET_V3 &&
++ (int)(req->tp_block_size -
++ BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
++ goto out;
+ if (unlikely(req->tp_frame_size < po->tp_hdrlen +
+ po->tp_reserve))
+ goto out;
+diff --git a/net/packet/internal.h b/net/packet/internal.h
+index eb9580a..cdddf6a 100644
+--- a/net/packet/internal.h
++++ b/net/packet/internal.h
+@@ -29,6 +29,7 @@ struct tpacket_kbdq_core {
+ char *pkblk_start;
+ char *pkblk_end;
+ int kblk_size;
++ unsigned int max_frame_len;
+ unsigned int knum_blocks;
+ uint64_t knxt_seq_num;
+ char *prev;
diff --git a/net/phonet/pep.c b/net/phonet/pep.c
index e774117..900b8b7 100644
--- a/net/phonet/pep.c