diff options
Diffstat (limited to 'main')
-rw-r--r-- | main/linux-grsec/APKBUILD | 28 | ||||
-rw-r--r-- | main/linux-grsec/grsecurity-2.9.1-3.9.8-201306272057.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.9.7-201306231443.patch) | 1224 | ||||
-rw-r--r-- | main/linux-grsec/kernelconfig.x86 | 3 | ||||
-rw-r--r-- | main/linux-grsec/kernelconfig.x86_64 | 3 |
4 files changed, 516 insertions, 742 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index 1b93d5b90a..ebbddba2a3 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD @@ -2,7 +2,7 @@ _flavor=grsec pkgname=linux-${_flavor} -pkgver=3.9.7 +pkgver=3.9.8 case $pkgver in *.*.*) _kernver=${pkgver%.*};; *.*) _kernver=${pkgver};; @@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}} install= source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz - grsecurity-2.9.1-3.9.7-201306231443.patch + grsecurity-2.9.1-3.9.8-201306272057.patch 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch @@ -149,35 +149,35 @@ dev() { } md5sums="4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz -74005c469fbd309ab631d981e2d3a6e7 patch-3.9.7.xz -a5db3ef848185c32ad4b0bbfe19106aa grsecurity-2.9.1-3.9.7-201306231443.patch +c5f2166686a913abf550bfed8b77df27 patch-3.9.8.xz +53d60133a86b812060b048275f928041 grsecurity-2.9.1-3.9.8-201306272057.patch a16f11b12381efb3bec79b9bfb329836 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 656ae7b10dd2f18dbfa1011041d08d60 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch 2a12a3717052e878c0cd42aa935bfcf4 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch 6ce5fed63aad3f1a1ff1b9ba7b741822 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch 1a5800a2122ba0cc0d06733cb3bb8b8f 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch -bfb5ddcfbc1c9f30253de200ec2a0eb0 kernelconfig.x86 -0b6534366d8abbd36c40744163c81e5a kernelconfig.x86_64" +d89089b3c7eb94dd9f65cf8a357fc36d kernelconfig.x86 +eb147f09fef5996a488c247790205cd6 kernelconfig.x86_64" sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz -23db9de5ffa2f8f36d61da85ee46656a3373f8868415c1f3c77c51c41fabfda8 patch-3.9.7.xz -0aa3ec9d60640ee06ca6c6aed877ce2ee99c2b8a2ee8be50ad92c43ed6570617 grsecurity-2.9.1-3.9.7-201306231443.patch +2eda9068e81269467e3c247f3343a146731fc45284b12b4bc546bc44dbb263e7 patch-3.9.8.xz +587022b1fc72157e43011551404c7d664dcc3b6c95b72a853ef2ce721e474057 grsecurity-2.9.1-3.9.8-201306272057.patch 6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch 0985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch 260fd1807838b68305a96992bf7d3302a2a8ef3a3b08fe079ba9a07e6422f736 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch ae32bb72afa170e6c3788c564b342763aba5945afacc1e2ebfc096adf50d77a3 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch fc613ac466610b866b721c41836fd5bfb2d4b75bceb67972dc6369d7f62ff47e 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch -c017c0a47fa0dfdefe148aa73e8a19fabb1957dc699de0f94d8d4d9a45bf5abe kernelconfig.x86 -aafae208fc72eaad9d09fcd8220e0d70379d8c7c7f658c10aa96990dc0b36207 kernelconfig.x86_64" +de3c17420664ae4e52826c6e602aade0deeae94f72253f85b3e48771491ed5d6 kernelconfig.x86 +e1cce320f207cc2ba72b9d154c7060c8cbed52c664319dfd21f24e8956d0bf3e kernelconfig.x86_64" sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz -dcf38bca1ee1b90bffd97c74c00720613dbab9183aa600401a821fe20ea665629bc43544053bd2ffe18ebfe1ee2d72d139f22d2f070374f5e231831ed6c89251 patch-3.9.7.xz -73f819bd44c724bbdc2e01ed4154c9fd53d0a8d1099ffabf56e995d82a9dbcb03c742e1c048cae9b0052d43dbda4d1c2150f6c14a1b958c25eef8b5571047f80 grsecurity-2.9.1-3.9.7-201306231443.patch +60b7d694d39faf937e7b732eb3117b8442059c5c8857c9d439eec8a87d5bc185505e64062f5ae02c3512acf5af778caf615c35d3499cb8089a4569c05da65b9c patch-3.9.8.xz +4ca36180a1fc325a558acf73ec9fe3808542498a8f808f73b87a9f6b05ff290d5a5ab20ce39c547a18ce37d093a9857f5c77c495796e62fef986dfa301a9e566 grsecurity-2.9.1-3.9.8-201306272057.patch 81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 51ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch 57d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch d2f578ad1d6e1fe52b55863e5bf338ae8201b828a498ec3e42e549c55295d3d1c6c3adfa9e226d711e3486628ed56ab996484e219d79ac4b0c0ec684ebd380aa 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch 28a33e644bf2faf99c8dd6dbccfe14e140dfdd8824a8fb2d58aa7deb9e572f130d92b6b35ee181084050d82166bdf2e498a451a2a538a67b7ab84204405d2d87 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch 249140374c19a5599876268ff5b3cda2e136681aee103b4a9fff5d7d346f8e3295a907fb43db0701b8a9fece64c299ad2abac0434259cce6631307ce84090205 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch -bcf675bafd3aac174195a2d38571b9b54f4b6e0635ab3363699ae8845794dc44bcfe952585fae881d81065d4a25333a3e033808c99c977aa4a797b81e5a36c3f kernelconfig.x86 -a8bf4cc1cdb4d1bde9fe4cd4040a596a52a24817fad15b29785ba10ab1d80fd4ae9589ac92f98c8b6b3b5e5510f01b9c9b96b11a2cf05c9684eb0bd62ee6676e kernelconfig.x86_64" +c51ac429c3e811976318a7ca2a4f7fc48bcf290e885ceeb09a1a56ee32c37b673f6e789789cf36876747bd54e4dc55d340ad888ba0eb8e7f45f60e8ef7ea67b4 kernelconfig.x86 +584e778f96a05388051b05eb6f1c20377bc8aad72d0cd678323af7aaaab85ecc992244fe6bf3f27ab88131903490fd8af3c3fb56062490dd90dca1ba91d4da21 kernelconfig.x86_64" diff --git a/main/linux-grsec/grsecurity-2.9.1-3.9.7-201306231443.patch b/main/linux-grsec/grsecurity-2.9.1-3.9.8-201306272057.patch index 5af3232471..3efd0e4c4b 100644 --- a/main/linux-grsec/grsecurity-2.9.1-3.9.7-201306231443.patch +++ b/main/linux-grsec/grsecurity-2.9.1-3.9.8-201306272057.patch @@ -263,7 +263,7 @@ index 8ccbf27..afffeb4 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index a129b15..548231d 100644 +index b013cbe..4ca639b 100644 --- a/Makefile +++ b/Makefile @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -811,10 +811,10 @@ index 0c4132d..88f0d53 100644 /* Allow reads even for write-only mappings */ if (!(vma->vm_flags & (VM_READ | VM_WRITE))) diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig -index 1cacda4..2cef624 100644 +index 70cd012..71b82cd 100644 --- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig -@@ -1850,7 +1850,7 @@ config ALIGNMENT_TRAP +@@ -1860,7 +1860,7 @@ config ALIGNMENT_TRAP config UACCESS_WITH_MEMCPY bool "Use kernel mem{cpy,set}() for {copy_to,clear}_user()" @@ -3799,7 +3799,7 @@ index 04d9006..c547d85 100644 return __arm_ioremap_caller(phys_addr, size, mtype, __builtin_return_address(0)); diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c -index 10062ce..cd34fb9 100644 +index 10062ce..8695745 100644 --- a/arch/arm/mm/mmap.c +++ b/arch/arm/mm/mmap.c @@ -59,6 +59,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, @@ -3876,20 +3876,7 @@ index 10062ce..cd34fb9 100644 addr = vm_unmapped_area(&info); /* -@@ -162,6 +172,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, - VM_BUG_ON(addr != -ENOMEM); - info.flags = 0; - info.low_limit = mm->mmap_base; -+ -+#ifdef CONFIG_PAX_RANDMMAP -+ if (mm->pax_flags & MF_PAX_RANDMMAP) -+ info.low_limit += mm->delta_mmap; -+#endif -+ - info.high_limit = TASK_SIZE; - addr = vm_unmapped_area(&info); - } -@@ -173,6 +189,10 @@ void arch_pick_mmap_layout(struct mm_struct *mm) +@@ -173,6 +183,10 @@ void arch_pick_mmap_layout(struct mm_struct *mm) { unsigned long random_factor = 0UL; @@ -3900,7 +3887,7 @@ index 10062ce..cd34fb9 100644 /* 8 bits of randomness in 20 address space bits */ if ((current->flags & PF_RANDOMIZE) && !(current->personality & ADDR_NO_RANDOMIZE)) -@@ -180,10 +200,22 @@ void arch_pick_mmap_layout(struct mm_struct *mm) +@@ -180,10 +194,22 @@ void arch_pick_mmap_layout(struct mm_struct *mm) if (mmap_is_legacy()) { mm->mmap_base = TASK_UNMAPPED_BASE + random_factor; @@ -5767,19 +5754,6 @@ index e0a8235..ce2f1e1 100644 ret = __copy_from_user(to, from, n); else copy_from_user_overflow(); -diff --git a/arch/parisc/kernel/drivers.c b/arch/parisc/kernel/drivers.c -index 5709c5e..14285ca 100644 ---- a/arch/parisc/kernel/drivers.c -+++ b/arch/parisc/kernel/drivers.c -@@ -394,7 +394,7 @@ EXPORT_SYMBOL(print_pci_hwpath); - static void setup_bus_id(struct parisc_device *padev) - { - struct hardware_path path; -- char name[20]; -+ char name[28]; - char *output = name; - int i; - diff --git a/arch/parisc/kernel/module.c b/arch/parisc/kernel/module.c index 2a625fb..9908930 100644 --- a/arch/parisc/kernel/module.c @@ -5883,20 +5857,6 @@ index 2a625fb..9908930 100644 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n", me->arch.unwind_section, table, end, gp); -diff --git a/arch/parisc/kernel/setup.c b/arch/parisc/kernel/setup.c -index a3328c2..3b812eb 100644 ---- a/arch/parisc/kernel/setup.c -+++ b/arch/parisc/kernel/setup.c -@@ -69,7 +69,8 @@ void __init setup_cmdline(char **cmdline_p) - /* called from hpux boot loader */ - boot_command_line[0] = '\0'; - } else { -- strcpy(boot_command_line, (char *)__va(boot_args[1])); -+ strlcpy(boot_command_line, (char *)__va(boot_args[1]), -+ COMMAND_LINE_SIZE); - - #ifdef CONFIG_BLK_DEV_INITRD - if (boot_args[2] != 0) /* did palo pass us a ramdisk? */ diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c index 5dfd248..64914ac 100644 --- a/arch/parisc/kernel/sys_parisc.c @@ -5972,10 +5932,10 @@ index 5dfd248..64914ac 100644 return addr; } diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c -index aeb8f8f..27a6c2f 100644 +index c6ae9f5..e9c3cf4 100644 --- a/arch/parisc/kernel/traps.c +++ b/arch/parisc/kernel/traps.c -@@ -732,9 +732,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs) +@@ -733,9 +733,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs) down_read(¤t->mm->mmap_sem); vma = find_vma(current->mm,regs->iaoq[0]); @@ -10285,7 +10245,7 @@ index ad8f795..2c7eec6 100644 /* * Memory returned by kmalloc() may be used for DMA, so we must make diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 6ef2a37..74ad6ad 100644 +index de80b33..c0f0899 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -243,7 +243,7 @@ config X86_HT @@ -19028,7 +18988,7 @@ index 8f3e2de..934870f 100644 /* diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index c1d01e6..1bef85a 100644 +index c1d01e6..7f633850 100644 --- a/arch/x86/kernel/entry_64.S +++ b/arch/x86/kernel/entry_64.S @@ -59,6 +59,8 @@ @@ -19115,7 +19075,7 @@ index c1d01e6..1bef85a 100644 #endif -@@ -284,6 +293,311 @@ ENTRY(native_usergs_sysret64) +@@ -284,6 +293,309 @@ ENTRY(native_usergs_sysret64) ENDPROC(native_usergs_sysret64) #endif /* CONFIG_PARAVIRT */ @@ -19245,9 +19205,9 @@ index c1d01e6..1bef85a 100644 + sub phys_base(%rip),%rbx + +#ifdef CONFIG_PARAVIRT -+ pushq %rdi + cmpl $0, pv_info+PARAVIRT_enabled + jz 1f ++ pushq %rdi + i = 0 + .rept USER_PGD_PTRS + mov i*8(%rbx),%rsi @@ -19256,6 +19216,7 @@ index c1d01e6..1bef85a 100644 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched) + i = i + 1 + .endr ++ popq %rdi + jmp 2f +1: +#endif @@ -19267,7 +19228,7 @@ index c1d01e6..1bef85a 100644 + .endr + +#ifdef CONFIG_PARAVIRT -+2: popq %rdi ++2: +#endif + SET_RDI_INTO_CR3 + @@ -19308,7 +19269,6 @@ index c1d01e6..1bef85a 100644 + sub phys_base(%rip),%rbx + +#ifdef CONFIG_PARAVIRT -+ pushq %rdi + cmpl $0, pv_info+PARAVIRT_enabled + jz 1f + i = 0 @@ -19319,8 +19279,6 @@ index c1d01e6..1bef85a 100644 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched) + i = i + 1 + .endr -+ popq %rdi -+ PV_RESTORE_REGS(CLBR_RDI) + jmp 2f +1: +#endif @@ -19332,7 +19290,7 @@ index c1d01e6..1bef85a 100644 + .endr + +#ifdef CONFIG_PARAVIRT -+2: ++2: PV_RESTORE_REGS(CLBR_RDI) +#endif + + popq %rbx @@ -19350,8 +19308,8 @@ index c1d01e6..1bef85a 100644 +#ifdef CONFIG_PAX_KERNEXEC + GET_CR0_INTO_RDI + bts $16,%rdi -+ SET_RDI_INTO_CR0 + jc 110f ++ SET_RDI_INTO_CR0 + or $2,%ebx +110: +#endif @@ -19359,8 +19317,8 @@ index c1d01e6..1bef85a 100644 + + .macro pax_exit_kernel_nmi +#ifdef CONFIG_PAX_KERNEXEC -+ test $2,%ebx -+ jz 110f ++ btr $1,%ebx ++ jnc 110f + GET_CR0_INTO_RDI + btr $16,%rdi + SET_RDI_INTO_CR0 @@ -19427,7 +19385,7 @@ index c1d01e6..1bef85a 100644 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET #ifdef CONFIG_TRACE_IRQFLAGS -@@ -375,8 +689,8 @@ ENDPROC(native_usergs_sysret64) +@@ -375,8 +687,8 @@ ENDPROC(native_usergs_sysret64) .endm .macro UNFAKE_STACK_FRAME @@ -19438,7 +19396,7 @@ index c1d01e6..1bef85a 100644 .endm /* -@@ -463,7 +777,7 @@ ENDPROC(native_usergs_sysret64) +@@ -463,7 +775,7 @@ ENDPROC(native_usergs_sysret64) movq %rsp, %rsi leaq -RBP(%rsp),%rdi /* arg1 for handler */ @@ -19447,7 +19405,7 @@ index c1d01e6..1bef85a 100644 je 1f SWAPGS /* -@@ -498,9 +812,10 @@ ENTRY(save_rest) +@@ -498,9 +810,10 @@ ENTRY(save_rest) movq_cfi r15, R15+16 movq %r11, 8(%rsp) /* return address */ FIXUP_TOP_OF_STACK %r11, 16 @@ -19459,7 +19417,7 @@ index c1d01e6..1bef85a 100644 /* save complete stack frame */ .pushsection .kprobes.text, "ax" -@@ -529,9 +844,10 @@ ENTRY(save_paranoid) +@@ -529,9 +842,10 @@ ENTRY(save_paranoid) js 1f /* negative -> in kernel */ SWAPGS xorl %ebx,%ebx @@ -19472,7 +19430,7 @@ index c1d01e6..1bef85a 100644 .popsection /* -@@ -553,7 +869,7 @@ ENTRY(ret_from_fork) +@@ -553,7 +867,7 @@ ENTRY(ret_from_fork) RESTORE_REST @@ -19481,7 +19439,7 @@ index c1d01e6..1bef85a 100644 jz 1f testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET -@@ -571,7 +887,7 @@ ENTRY(ret_from_fork) +@@ -571,7 +885,7 @@ ENTRY(ret_from_fork) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -19490,7 +19448,7 @@ index c1d01e6..1bef85a 100644 /* * System call entry. Up to 6 arguments in registers are supported. -@@ -608,7 +924,7 @@ END(ret_from_fork) +@@ -608,7 +922,7 @@ END(ret_from_fork) ENTRY(system_call) CFI_STARTPROC simple CFI_SIGNAL_FRAME @@ -19499,7 +19457,7 @@ index c1d01e6..1bef85a 100644 CFI_REGISTER rip,rcx /*CFI_REGISTER rflags,r11*/ SWAPGS_UNSAFE_STACK -@@ -621,16 +937,23 @@ GLOBAL(system_call_after_swapgs) +@@ -621,16 +935,23 @@ GLOBAL(system_call_after_swapgs) movq %rsp,PER_CPU_VAR(old_rsp) movq PER_CPU_VAR(kernel_stack),%rsp @@ -19525,7 +19483,7 @@ index c1d01e6..1bef85a 100644 jnz tracesys system_call_fastpath: #if __SYSCALL_MASK == ~0 -@@ -640,7 +963,7 @@ system_call_fastpath: +@@ -640,7 +961,7 @@ system_call_fastpath: cmpl $__NR_syscall_max,%eax #endif ja badsys @@ -19534,7 +19492,7 @@ index c1d01e6..1bef85a 100644 call *sys_call_table(,%rax,8) # XXX: rip relative movq %rax,RAX-ARGOFFSET(%rsp) /* -@@ -654,10 +977,13 @@ sysret_check: +@@ -654,10 +975,13 @@ sysret_check: LOCKDEP_SYS_EXIT DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF @@ -19549,7 +19507,7 @@ index c1d01e6..1bef85a 100644 /* * sysretq will re-enable interrupts: */ -@@ -709,14 +1035,18 @@ badsys: +@@ -709,14 +1033,18 @@ badsys: * jump back to the normal fast path. */ auditsys: @@ -19569,7 +19527,7 @@ index c1d01e6..1bef85a 100644 jmp system_call_fastpath /* -@@ -737,7 +1067,7 @@ sysret_audit: +@@ -737,7 +1065,7 @@ sysret_audit: /* Do syscall tracing */ tracesys: #ifdef CONFIG_AUDITSYSCALL @@ -19578,7 +19536,7 @@ index c1d01e6..1bef85a 100644 jz auditsys #endif SAVE_REST -@@ -745,12 +1075,16 @@ tracesys: +@@ -745,12 +1073,16 @@ tracesys: FIXUP_TOP_OF_STACK %rdi movq %rsp,%rdi call syscall_trace_enter @@ -19595,7 +19553,7 @@ index c1d01e6..1bef85a 100644 RESTORE_REST #if __SYSCALL_MASK == ~0 cmpq $__NR_syscall_max,%rax -@@ -759,7 +1093,7 @@ tracesys: +@@ -759,7 +1091,7 @@ tracesys: cmpl $__NR_syscall_max,%eax #endif ja int_ret_from_sys_call /* RAX(%rsp) set to -ENOSYS above */ @@ -19604,7 +19562,7 @@ index c1d01e6..1bef85a 100644 call *sys_call_table(,%rax,8) movq %rax,RAX-ARGOFFSET(%rsp) /* Use IRET because user could have changed frame */ -@@ -780,7 +1114,9 @@ GLOBAL(int_with_check) +@@ -780,7 +1112,9 @@ GLOBAL(int_with_check) andl %edi,%edx jnz int_careful andl $~TS_COMPAT,TI_status(%rcx) @@ -19615,7 +19573,7 @@ index c1d01e6..1bef85a 100644 /* Either reschedule or signal or syscall exit tracking needed. */ /* First do a reschedule test. */ -@@ -826,7 +1162,7 @@ int_restore_rest: +@@ -826,7 +1160,7 @@ int_restore_rest: TRACE_IRQS_OFF jmp int_with_check CFI_ENDPROC @@ -19624,7 +19582,7 @@ index c1d01e6..1bef85a 100644 .macro FORK_LIKE func ENTRY(stub_\func) -@@ -839,9 +1175,10 @@ ENTRY(stub_\func) +@@ -839,9 +1173,10 @@ ENTRY(stub_\func) DEFAULT_FRAME 0 8 /* offset 8: return address */ call sys_\func RESTORE_TOP_OF_STACK %r11, 8 @@ -19636,7 +19594,7 @@ index c1d01e6..1bef85a 100644 .endm .macro FIXED_FRAME label,func -@@ -851,9 +1188,10 @@ ENTRY(\label) +@@ -851,9 +1186,10 @@ ENTRY(\label) FIXUP_TOP_OF_STACK %r11, 8-ARGOFFSET call \func RESTORE_TOP_OF_STACK %r11, 8-ARGOFFSET @@ -19648,7 +19606,7 @@ index c1d01e6..1bef85a 100644 .endm FORK_LIKE clone -@@ -870,9 +1208,10 @@ ENTRY(ptregscall_common) +@@ -870,9 +1206,10 @@ ENTRY(ptregscall_common) movq_cfi_restore R12+8, r12 movq_cfi_restore RBP+8, rbp movq_cfi_restore RBX+8, rbx @@ -19660,7 +19618,7 @@ index c1d01e6..1bef85a 100644 ENTRY(stub_execve) CFI_STARTPROC -@@ -885,7 +1224,7 @@ ENTRY(stub_execve) +@@ -885,7 +1222,7 @@ ENTRY(stub_execve) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -19669,7 +19627,7 @@ index c1d01e6..1bef85a 100644 /* * sigreturn is special because it needs to restore all registers on return. -@@ -902,7 +1241,7 @@ ENTRY(stub_rt_sigreturn) +@@ -902,7 +1239,7 @@ ENTRY(stub_rt_sigreturn) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -19678,7 +19636,7 @@ index c1d01e6..1bef85a 100644 #ifdef CONFIG_X86_X32_ABI ENTRY(stub_x32_rt_sigreturn) -@@ -916,7 +1255,7 @@ ENTRY(stub_x32_rt_sigreturn) +@@ -916,7 +1253,7 @@ ENTRY(stub_x32_rt_sigreturn) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -19687,7 +19645,7 @@ index c1d01e6..1bef85a 100644 ENTRY(stub_x32_execve) CFI_STARTPROC -@@ -930,7 +1269,7 @@ ENTRY(stub_x32_execve) +@@ -930,7 +1267,7 @@ ENTRY(stub_x32_execve) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -19696,7 +19654,7 @@ index c1d01e6..1bef85a 100644 #endif -@@ -967,7 +1306,7 @@ vector=vector+1 +@@ -967,7 +1304,7 @@ vector=vector+1 2: jmp common_interrupt .endr CFI_ENDPROC @@ -19705,7 +19663,7 @@ index c1d01e6..1bef85a 100644 .previous END(interrupt) -@@ -987,6 +1326,16 @@ END(interrupt) +@@ -987,6 +1324,16 @@ END(interrupt) subq $ORIG_RAX-RBP, %rsp CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP SAVE_ARGS_IRQ @@ -19722,7 +19680,7 @@ index c1d01e6..1bef85a 100644 call \func .endm -@@ -1019,7 +1368,7 @@ ret_from_intr: +@@ -1019,7 +1366,7 @@ ret_from_intr: exit_intr: GET_THREAD_INFO(%rcx) @@ -19731,7 +19689,7 @@ index c1d01e6..1bef85a 100644 je retint_kernel /* Interrupt came from user space */ -@@ -1041,12 +1390,16 @@ retint_swapgs: /* return to user-space */ +@@ -1041,12 +1388,16 @@ retint_swapgs: /* return to user-space */ * The iretq could re-enable interrupts: */ DISABLE_INTERRUPTS(CLBR_ANY) @@ -19748,7 +19706,7 @@ index c1d01e6..1bef85a 100644 /* * The iretq could re-enable interrupts: */ -@@ -1129,7 +1482,7 @@ ENTRY(retint_kernel) +@@ -1129,7 +1480,7 @@ ENTRY(retint_kernel) #endif CFI_ENDPROC @@ -19757,7 +19715,7 @@ index c1d01e6..1bef85a 100644 /* * End of kprobes section */ -@@ -1147,7 +1500,7 @@ ENTRY(\sym) +@@ -1147,7 +1498,7 @@ ENTRY(\sym) interrupt \do_sym jmp ret_from_intr CFI_ENDPROC @@ -19766,7 +19724,7 @@ index c1d01e6..1bef85a 100644 .endm #ifdef CONFIG_SMP -@@ -1203,12 +1556,22 @@ ENTRY(\sym) +@@ -1203,12 +1554,22 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call error_entry DEFAULT_FRAME 0 @@ -19790,7 +19748,7 @@ index c1d01e6..1bef85a 100644 .endm .macro paranoidzeroentry sym do_sym -@@ -1221,15 +1584,25 @@ ENTRY(\sym) +@@ -1221,15 +1582,25 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call save_paranoid TRACE_IRQS_OFF @@ -19818,7 +19776,7 @@ index c1d01e6..1bef85a 100644 .macro paranoidzeroentry_ist sym do_sym ist ENTRY(\sym) INTR_FRAME -@@ -1240,14 +1613,30 @@ ENTRY(\sym) +@@ -1240,14 +1611,30 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call save_paranoid TRACE_IRQS_OFF_DEBUG @@ -19850,7 +19808,7 @@ index c1d01e6..1bef85a 100644 .endm .macro errorentry sym do_sym -@@ -1259,13 +1648,23 @@ ENTRY(\sym) +@@ -1259,13 +1646,23 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call error_entry DEFAULT_FRAME 0 @@ -19875,7 +19833,7 @@ index c1d01e6..1bef85a 100644 .endm /* error code is on the stack already */ -@@ -1279,13 +1678,23 @@ ENTRY(\sym) +@@ -1279,13 +1676,23 @@ ENTRY(\sym) call save_paranoid DEFAULT_FRAME 0 TRACE_IRQS_OFF @@ -19900,7 +19858,7 @@ index c1d01e6..1bef85a 100644 .endm zeroentry divide_error do_divide_error -@@ -1315,9 +1724,10 @@ gs_change: +@@ -1315,9 +1722,10 @@ gs_change: 2: mfence /* workaround */ SWAPGS popfq_cfi @@ -19912,7 +19870,7 @@ index c1d01e6..1bef85a 100644 _ASM_EXTABLE(gs_change,bad_gs) .section .fixup,"ax" -@@ -1345,9 +1755,10 @@ ENTRY(call_softirq) +@@ -1345,9 +1753,10 @@ ENTRY(call_softirq) CFI_DEF_CFA_REGISTER rsp CFI_ADJUST_CFA_OFFSET -8 decl PER_CPU_VAR(irq_count) @@ -19924,7 +19882,7 @@ index c1d01e6..1bef85a 100644 #ifdef CONFIG_XEN zeroentry xen_hypervisor_callback xen_do_hypervisor_callback -@@ -1385,7 +1796,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) +@@ -1385,7 +1794,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) decl PER_CPU_VAR(irq_count) jmp error_exit CFI_ENDPROC @@ -19933,7 +19891,7 @@ index c1d01e6..1bef85a 100644 /* * Hypervisor uses this for application faults while it executes. -@@ -1444,7 +1855,7 @@ ENTRY(xen_failsafe_callback) +@@ -1444,7 +1853,7 @@ ENTRY(xen_failsafe_callback) SAVE_ALL jmp error_exit CFI_ENDPROC @@ -19942,7 +19900,7 @@ index c1d01e6..1bef85a 100644 apicinterrupt HYPERVISOR_CALLBACK_VECTOR \ xen_hvm_callback_vector xen_evtchn_do_upcall -@@ -1498,16 +1909,31 @@ ENTRY(paranoid_exit) +@@ -1498,16 +1907,31 @@ ENTRY(paranoid_exit) TRACE_IRQS_OFF_DEBUG testl %ebx,%ebx /* swapgs needed? */ jnz paranoid_restore @@ -19975,7 +19933,7 @@ index c1d01e6..1bef85a 100644 jmp irq_return paranoid_userspace: GET_THREAD_INFO(%rcx) -@@ -1536,7 +1962,7 @@ paranoid_schedule: +@@ -1536,7 +1960,7 @@ paranoid_schedule: TRACE_IRQS_OFF jmp paranoid_userspace CFI_ENDPROC @@ -19984,7 +19942,7 @@ index c1d01e6..1bef85a 100644 /* * Exception entry point. This expects an error code/orig_rax on the stack. -@@ -1563,12 +1989,13 @@ ENTRY(error_entry) +@@ -1563,12 +1987,13 @@ ENTRY(error_entry) movq_cfi r14, R14+8 movq_cfi r15, R15+8 xorl %ebx,%ebx @@ -19999,7 +19957,7 @@ index c1d01e6..1bef85a 100644 ret /* -@@ -1595,7 +2022,7 @@ bstep_iret: +@@ -1595,7 +2020,7 @@ bstep_iret: movq %rcx,RIP+8(%rsp) jmp error_swapgs CFI_ENDPROC @@ -20008,7 +19966,7 @@ index c1d01e6..1bef85a 100644 /* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */ -@@ -1615,7 +2042,7 @@ ENTRY(error_exit) +@@ -1615,7 +2040,7 @@ ENTRY(error_exit) jnz retint_careful jmp retint_swapgs CFI_ENDPROC @@ -20017,7 +19975,7 @@ index c1d01e6..1bef85a 100644 /* * Test if a given stack is an NMI stack or not. -@@ -1673,9 +2100,11 @@ ENTRY(nmi) +@@ -1673,9 +2098,11 @@ ENTRY(nmi) * If %cs was not the kernel segment, then the NMI triggered in user * space, which means it is definitely not nested. */ @@ -20030,7 +19988,7 @@ index c1d01e6..1bef85a 100644 /* * Check the special variable on the stack to see if NMIs are * executing. -@@ -1709,8 +2138,7 @@ nested_nmi: +@@ -1709,8 +2136,7 @@ nested_nmi: 1: /* Set up the interrupted NMIs stack to jump to repeat_nmi */ @@ -20040,7 +19998,7 @@ index c1d01e6..1bef85a 100644 CFI_ADJUST_CFA_OFFSET 1*8 leaq -10*8(%rsp), %rdx pushq_cfi $__KERNEL_DS -@@ -1728,6 +2156,7 @@ nested_nmi_out: +@@ -1728,6 +2154,7 @@ nested_nmi_out: CFI_RESTORE rdx /* No need to check faults here */ @@ -20048,7 +20006,7 @@ index c1d01e6..1bef85a 100644 INTERRUPT_RETURN CFI_RESTORE_STATE -@@ -1844,6 +2273,8 @@ end_repeat_nmi: +@@ -1844,6 +2271,8 @@ end_repeat_nmi: */ movq %cr2, %r12 @@ -20057,7 +20015,7 @@ index c1d01e6..1bef85a 100644 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */ movq %rsp,%rdi movq $-1,%rsi -@@ -1856,26 +2287,31 @@ end_repeat_nmi: +@@ -1856,26 +2285,31 @@ end_repeat_nmi: movq %r12, %cr2 1: @@ -20604,7 +20562,7 @@ index 73afd11..d1670f5 100644 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0 + .endr diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S -index 321d65e..e9437f7 100644 +index 321d65e..7830f05 100644 --- a/arch/x86/kernel/head_64.S +++ b/arch/x86/kernel/head_64.S @@ -20,6 +20,8 @@ @@ -20770,7 +20728,7 @@ index 321d65e..e9437f7 100644 NEXT_PAGE(level2_kernel_pgt) /* * 512 MB kernel mapping. We spend a full page on this pagetable -@@ -488,38 +536,64 @@ NEXT_PAGE(level2_kernel_pgt) +@@ -488,39 +536,64 @@ NEXT_PAGE(level2_kernel_pgt) KERNEL_IMAGE_SIZE/PMD_SIZE) NEXT_PAGE(level2_fixmap_pgt) @@ -20844,8 +20802,9 @@ index 321d65e..e9437f7 100644 - .skip IDT_ENTRIES * 16 + .fill 512,8,0 - __PAGE_ALIGNED_BSS +- __PAGE_ALIGNED_BSS NEXT_PAGE(empty_zero_page) + .skip PAGE_SIZE diff --git a/arch/x86/kernel/i386_ksyms_32.c b/arch/x86/kernel/i386_ksyms_32.c index 0fa6912..37fce70 100644 --- a/arch/x86/kernel/i386_ksyms_32.c @@ -22601,7 +22560,7 @@ index f2bb9c9..bed145d7 100644 1: diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index fae9134..f8e4a47 100644 +index fae9134..8fcd87c 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -111,6 +111,7 @@ @@ -22644,7 +22603,7 @@ index fae9134..f8e4a47 100644 void __init setup_arch(char **cmdline_p) { +#ifdef CONFIG_X86_32 -+ memblock_reserve(LOAD_PHYSICAL_ADDR, __pa_symbol(__bss_stop) - ____LOAD_PHYSICAL_ADDR); ++ memblock_reserve(LOAD_PHYSICAL_ADDR, __pa_symbol(__bss_stop) - LOAD_PHYSICAL_ADDR); +#else memblock_reserve(__pa_symbol(_text), (unsigned long)__bss_stop - (unsigned long)_text); @@ -22923,10 +22882,10 @@ index 9b4d51d..5d28b58 100644 switch (opcode[i]) { diff --git a/arch/x86/kernel/sys_i386_32.c b/arch/x86/kernel/sys_i386_32.c new file mode 100644 -index 0000000..207bec6 +index 0000000..5877189 --- /dev/null +++ b/arch/x86/kernel/sys_i386_32.c -@@ -0,0 +1,250 @@ +@@ -0,0 +1,189 @@ +/* + * This file contains various random system calls that + * have a non-standard calling sequence on the Linux/i386 @@ -22947,6 +22906,7 @@ index 0000000..207bec6 +#include <linux/file.h> +#include <linux/utsname.h> +#include <linux/ipc.h> ++#include <linux/elf.h> + +#include <linux/uaccess.h> +#include <linux/unistd.h> @@ -22969,13 +22929,28 @@ index 0000000..207bec6 + return 0; +} + ++/* ++ * Align a virtual address to avoid aliasing in the I$ on AMD F15h. ++ */ ++static unsigned long get_align_mask(void) ++{ ++ if (va_align.flags < 0 || !(va_align.flags & ALIGN_VA_32)) ++ return 0; ++ ++ if (!(current->flags & PF_RANDOMIZE)) ++ return 0; ++ ++ return va_align.mask; ++} ++ +unsigned long +arch_get_unmapped_area(struct file *filp, unsigned long addr, + unsigned long len, unsigned long pgoff, unsigned long flags) +{ + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma; -+ unsigned long start_addr, pax_task_size = TASK_SIZE; ++ unsigned long pax_task_size = TASK_SIZE; ++ struct vm_unmapped_area_info info; + unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + +#ifdef CONFIG_PAX_SEGMEXEC @@ -23003,61 +22978,35 @@ index 0000000..207bec6 + return addr; + } + } -+ if (len > mm->cached_hole_size) { -+ start_addr = addr = mm->free_area_cache; -+ } else { -+ start_addr = addr = mm->mmap_base; -+ mm->cached_hole_size = 0; -+ } ++ ++ info.flags = 0; ++ info.length = len; ++ info.align_mask = filp ? get_align_mask() : 0; ++ info.align_offset = pgoff << PAGE_SHIFT; ++ info.threadstack_offset = offset; + +#ifdef CONFIG_PAX_PAGEEXEC -+ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) { -+ start_addr = 0x00110000UL; ++ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE)) { ++ info.low_limit = 0x00110000UL; ++ info.high_limit = mm->start_code; + +#ifdef CONFIG_PAX_RANDMMAP + if (mm->pax_flags & MF_PAX_RANDMMAP) -+ start_addr += mm->delta_mmap & 0x03FFF000UL; ++ info.low_limit += mm->delta_mmap & 0x03FFF000UL; +#endif + -+ if (mm->start_brk <= start_addr && start_addr < mm->mmap_base) -+ start_addr = addr = mm->mmap_base; -+ else -+ addr = start_addr; -+ } ++ if (info.low_limit < info.high_limit) { ++ addr = vm_unmapped_area(&info); ++ if (!IS_ERR_VALUE(addr)) ++ return addr; ++ } ++ } else +#endif + -+full_search: -+ for (vma = find_vma(mm, addr); ; vma = vma->vm_next) { -+ /* At this point: (!vma || addr < vma->vm_end). */ -+ if (pax_task_size - len < addr) { -+ /* -+ * Start a new search - just in case we missed -+ * some holes. -+ */ -+ if (start_addr != mm->mmap_base) { -+ start_addr = addr = mm->mmap_base; -+ mm->cached_hole_size = 0; -+ goto full_search; -+ } -+ return -ENOMEM; -+ } -+ if (check_heap_stack_gap(vma, addr, len, offset)) -+ break; -+ if (addr + mm->cached_hole_size < vma->vm_start) -+ mm->cached_hole_size = vma->vm_start - addr; -+ addr = vma->vm_end; -+ if (mm->start_brk <= addr && addr < mm->mmap_base) { -+ start_addr = addr = mm->mmap_base; -+ mm->cached_hole_size = 0; -+ goto full_search; -+ } -+ } ++ info.low_limit = mm->mmap_base; ++ info.high_limit = pax_task_size; + -+ /* -+ * Remember the place where we stopped the search: -+ */ -+ mm->free_area_cache = addr + len; -+ return addr; ++ return vm_unmapped_area(&info); +} + +unsigned long @@ -23067,7 +23016,8 @@ index 0000000..207bec6 +{ + struct vm_area_struct *vma; + struct mm_struct *mm = current->mm; -+ unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE; ++ unsigned long addr = addr0, pax_task_size = TASK_SIZE; ++ struct vm_unmapped_area_info info; + unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + +#ifdef CONFIG_PAX_SEGMEXEC @@ -23103,46 +23053,18 @@ index 0000000..207bec6 + } + } + -+ /* check if free_area_cache is useful for us */ -+ if (len <= mm->cached_hole_size) { -+ mm->cached_hole_size = 0; -+ mm->free_area_cache = mm->mmap_base; -+ } -+ -+ /* either no address requested or can't fit in requested address hole */ -+ addr = mm->free_area_cache; -+ -+ /* make sure it can fit in the remaining address space */ -+ if (addr > len) { -+ vma = find_vma(mm, addr-len); -+ if (check_heap_stack_gap(vma, addr - len, len, offset)) -+ /* remember the address as a hint for next time */ -+ return (mm->free_area_cache = addr-len); -+ } -+ -+ if (mm->mmap_base < len) -+ goto bottomup; -+ -+ addr = mm->mmap_base-len; -+ -+ do { -+ /* -+ * Lookup failure means no vma is above this address, -+ * else if new region fits below vma->vm_start, -+ * return with success: -+ */ -+ vma = find_vma(mm, addr); -+ if (check_heap_stack_gap(vma, addr, len, offset)) -+ /* remember the address as a hint for next time */ -+ return (mm->free_area_cache = addr); -+ -+ /* remember the largest hole we saw so far */ -+ if (addr + mm->cached_hole_size < vma->vm_start) -+ mm->cached_hole_size = vma->vm_start - addr; ++ info.flags = VM_UNMAPPED_AREA_TOPDOWN; ++ info.length = len; ++ info.low_limit = PAGE_SIZE; ++ info.high_limit = mm->mmap_base; ++ info.align_mask = filp ? get_align_mask() : 0; ++ info.align_offset = pgoff << PAGE_SHIFT; ++ info.threadstack_offset = offset; + -+ /* try just below the current vma->vm_start */ -+ addr = skip_heap_stack_gap(vma, len, offset); -+ } while (!IS_ERR_VALUE(addr)); ++ addr = vm_unmapped_area(&info); ++ if (!(addr & ~PAGE_MASK)) ++ return addr; ++ VM_BUG_ON(addr != -ENOMEM); + +bottomup: + /* @@ -23151,31 +23073,7 @@ index 0000000..207bec6 + * can happen with large stack limits and large mmap() + * allocations. + */ -+ -+#ifdef CONFIG_PAX_SEGMEXEC -+ if (mm->pax_flags & MF_PAX_SEGMEXEC) -+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE; -+ else -+#endif -+ -+ mm->mmap_base = TASK_UNMAPPED_BASE; -+ -+#ifdef CONFIG_PAX_RANDMMAP -+ if (mm->pax_flags & MF_PAX_RANDMMAP) -+ mm->mmap_base += mm->delta_mmap; -+#endif -+ -+ mm->free_area_cache = mm->mmap_base; -+ mm->cached_hole_size = ~0UL; -+ addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags); -+ /* -+ * Restore the topdown base: -+ */ -+ mm->mmap_base = base; -+ mm->free_area_cache = base; -+ mm->cached_hole_size = ~0UL; -+ -+ return addr; ++ return arch_get_unmapped_area(filp, addr0, len, pgoff, flags); +} diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c index dbded5a..ace2781 100644 @@ -24301,10 +24199,10 @@ index 0af1807..06912bb 100644 vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index e172132..c3d3e27 100644 +index 8563b45..272f1fe 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c -@@ -1686,8 +1686,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data) +@@ -1685,8 +1685,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data) { struct kvm *kvm = vcpu->kvm; int lm = is_long_mode(vcpu); @@ -24315,7 +24213,7 @@ index e172132..c3d3e27 100644 u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64 : kvm->arch.xen_hvm_config.blob_size_32; u32 page_num = data & ~PAGE_MASK; -@@ -2567,6 +2567,8 @@ long kvm_arch_dev_ioctl(struct file *filp, +@@ -2566,6 +2566,8 @@ long kvm_arch_dev_ioctl(struct file *filp, if (n < msr_list.nmsrs) goto out; r = -EFAULT; @@ -24324,7 +24222,7 @@ index e172132..c3d3e27 100644 if (copy_to_user(user_msr_list->indices, &msrs_to_save, num_msrs_to_save * sizeof(u32))) goto out; -@@ -2696,7 +2698,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu, +@@ -2695,7 +2697,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu, static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu, struct kvm_interrupt *irq) { @@ -24333,7 +24231,7 @@ index e172132..c3d3e27 100644 return -EINVAL; if (irqchip_in_kernel(vcpu->kvm)) return -ENXIO; -@@ -5247,7 +5249,7 @@ static struct notifier_block pvclock_gtod_notifier = { +@@ -5246,7 +5248,7 @@ static struct notifier_block pvclock_gtod_notifier = { }; #endif @@ -30491,31 +30389,6 @@ index c77b24a..c979855 100644 return !(ret & 0xff00); } EXPORT_SYMBOL(pcibios_set_irq_routing); -diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c -index 90f3a52..714e825 100644 ---- a/arch/x86/platform/efi/efi.c -+++ b/arch/x86/platform/efi/efi.c -@@ -1059,7 +1059,10 @@ efi_status_t efi_query_variable_store(u32 attributes, unsigned long size) - * that by attempting to use more space than is available. - */ - unsigned long dummy_size = remaining_size + 1024; -- void *dummy = kmalloc(dummy_size, GFP_ATOMIC); -+ void *dummy = kzalloc(dummy_size, GFP_ATOMIC); -+ -+ if (!dummy) -+ return EFI_OUT_OF_RESOURCES; - - status = efi.set_variable(efi_dummy_name, &EFI_DUMMY_GUID, - EFI_VARIABLE_NON_VOLATILE | -@@ -1079,6 +1082,8 @@ efi_status_t efi_query_variable_store(u32 attributes, unsigned long size) - 0, dummy); - } - -+ kfree(dummy); -+ - /* - * The runtime code may now have triggered a garbage collection - * run, so check the variable info again diff --git a/arch/x86/platform/efi/efi_32.c b/arch/x86/platform/efi/efi_32.c index 40e4469..1ab536e 100644 --- a/arch/x86/platform/efi/efi_32.c @@ -37668,7 +37541,7 @@ index 04c69af..5f92d00 100644 #include <linux/input.h> #include <linux/gameport.h> diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c -index d6cbfe9..6225402 100644 +index fa061d4..4a6957c 100644 --- a/drivers/input/joystick/xpad.c +++ b/drivers/input/joystick/xpad.c @@ -735,7 +735,7 @@ static void xpad_led_set(struct led_classdev *led_cdev, @@ -38029,7 +37902,7 @@ index 64e204e..c6bf189 100644 .callback = ss4200_led_dmi_callback, .ident = "Intel SS4200-E", diff --git a/drivers/lguest/core.c b/drivers/lguest/core.c -index a5ebc00..982886f 100644 +index a5ebc00..3de3364 100644 --- a/drivers/lguest/core.c +++ b/drivers/lguest/core.c @@ -92,9 +92,17 @@ static __init int map_switcher(void) @@ -38037,7 +37910,7 @@ index a5ebc00..982886f 100644 * allocates an extra guard page, so we need space for that. */ + -+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE, + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE); @@ -40147,7 +40020,7 @@ index b0c3de9..fc5857e 100644 return -EIO; } diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c -index 15ba8c4..3f56838 100644 +index 54fd2ef..33c8a4f 100644 --- a/drivers/net/ethernet/realtek/r8169.c +++ b/drivers/net/ethernet/realtek/r8169.c @@ -740,22 +740,22 @@ struct rtl8169_private { @@ -40290,10 +40163,23 @@ index 011062e..ada88e9 100644 }; diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c -index a449439..1e468fe 100644 +index acf6450..8f771b7 100644 --- a/drivers/net/macvtap.c +++ b/drivers/net/macvtap.c -@@ -1090,7 +1090,7 @@ static int macvtap_device_event(struct notifier_block *unused, +@@ -525,8 +525,10 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from, + return -EMSGSIZE; + num_pages = get_user_pages_fast(base, size, 0, &page[i]); + if (num_pages != size) { +- for (i = 0; i < num_pages; i++) +- put_page(page[i]); ++ int j; ++ ++ for (j = 0; j < num_pages; j++) ++ put_page(page[i + j]); + return -EFAULT; + } + truesize = size * PAGE_SIZE; +@@ -1099,7 +1101,7 @@ static int macvtap_device_event(struct notifier_block *unused, return NOTIFY_DONE; } @@ -40350,7 +40236,7 @@ index 1252d9c..80e660b 100644 /* We've got a compressed packet; read the change byte */ diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c -index bf34192..fba3500 100644 +index 0017b67..ab8f595 100644 --- a/drivers/net/team/team.c +++ b/drivers/net/team/team.c @@ -2668,7 +2668,7 @@ static int team_device_event(struct notifier_block *unused, @@ -40363,10 +40249,23 @@ index bf34192..fba3500 100644 }; diff --git a/drivers/net/tun.c b/drivers/net/tun.c -index 755fa9e..631fdce 100644 +index 8ad822e..eb895f1 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c -@@ -1841,7 +1841,7 @@ unlock: +@@ -1013,8 +1013,10 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from, + return -EMSGSIZE; + num_pages = get_user_pages_fast(base, size, 0, &page[i]); + if (num_pages != size) { +- for (i = 0; i < num_pages; i++) +- put_page(page[i]); ++ int j; ++ ++ for (j = 0; j < num_pages; j++) ++ put_page(page[i + j]); + return -EFAULT; + } + truesize = size * PAGE_SIZE; +@@ -1859,7 +1861,7 @@ unlock: } static long __tun_chr_ioctl(struct file *file, unsigned int cmd, @@ -40375,7 +40274,7 @@ index 755fa9e..631fdce 100644 { struct tun_file *tfile = file->private_data; struct tun_struct *tun; -@@ -1853,6 +1853,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, +@@ -1871,6 +1873,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, int vnet_hdr_sz; int ret; @@ -40477,10 +40376,10 @@ index e2dd324..be92fcf 100644 hso_start_serial_device(serial_table[i], GFP_NOIO); hso_kick_transmit(dev2ser(serial_table[i])); diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c -index 7cee7a3..1eb9f3b 100644 +index a4fe5f1..6c9e77f 100644 --- a/drivers/net/vxlan.c +++ b/drivers/net/vxlan.c -@@ -1443,7 +1443,7 @@ nla_put_failure: +@@ -1454,7 +1454,7 @@ nla_put_failure: return -EMSGSIZE; } @@ -40489,6 +40388,62 @@ index 7cee7a3..1eb9f3b 100644 .kind = "vxlan", .maxtype = IFLA_VXLAN_MAX, .policy = vxlan_policy, +diff --git a/drivers/net/wan/dlci.c b/drivers/net/wan/dlci.c +index 147614e..6a8a382 100644 +--- a/drivers/net/wan/dlci.c ++++ b/drivers/net/wan/dlci.c +@@ -384,21 +384,37 @@ static int dlci_del(struct dlci_add *dlci) + struct frad_local *flp; + struct net_device *master, *slave; + int err; ++ bool found = false; ++ ++ rtnl_lock(); + + /* validate slave device */ + master = __dev_get_by_name(&init_net, dlci->devname); +- if (!master) +- return -ENODEV; ++ if (!master) { ++ err = -ENODEV; ++ goto out; ++ } ++ ++ list_for_each_entry(dlp, &dlci_devs, list) { ++ if (dlp->master == master) { ++ found = true; ++ break; ++ } ++ } ++ if (!found) { ++ err = -ENODEV; ++ goto out; ++ } + + if (netif_running(master)) { +- return -EBUSY; ++ err = -EBUSY; ++ goto out; + } + + dlp = netdev_priv(master); + slave = dlp->slave; + flp = netdev_priv(slave); + +- rtnl_lock(); + err = (*flp->deassoc)(slave, master); + if (!err) { + list_del(&dlp->list); +@@ -407,8 +423,8 @@ static int dlci_del(struct dlci_add *dlci) + + dev_put(slave); + } ++out: + rtnl_unlock(); +- + return err; + } + diff --git a/drivers/net/wireless/at76c50x-usb.c b/drivers/net/wireless/at76c50x-usb.c index 5ac5f7a..5f82012 100644 --- a/drivers/net/wireless/at76c50x-usb.c @@ -43581,10 +43536,10 @@ index 1f8cba6..47b06c2 100644 } EXPORT_SYMBOL_GPL(n_tty_inherit_ops); diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c -index 125e0fd..8c50690 100644 +index 74a5e8b..40c36a7 100644 --- a/drivers/tty/pty.c +++ b/drivers/tty/pty.c -@@ -800,8 +800,10 @@ static void __init unix98_pty_init(void) +@@ -797,8 +797,10 @@ static void __init unix98_pty_init(void) panic("Couldn't register Unix98 pts driver"); /* Now create the /dev/ptmx special device */ @@ -44398,7 +44353,7 @@ index a9af1b9a..1e08e7f 100644 ret = -EPERM; goto reterr; diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c -index c8b9262..7e824e6 100644 +index b645c47..a55c182 100644 --- a/drivers/uio/uio.c +++ b/drivers/uio/uio.c @@ -25,6 +25,7 @@ @@ -44431,7 +44386,7 @@ index c8b9262..7e824e6 100644 } static struct device_attribute uio_class_attributes[] = { -@@ -397,7 +398,7 @@ void uio_event_notify(struct uio_info *info) +@@ -398,7 +399,7 @@ void uio_event_notify(struct uio_info *info) { struct uio_device *idev = info->uio_dev; @@ -44440,7 +44395,7 @@ index c8b9262..7e824e6 100644 wake_up_interruptible(&idev->wait); kill_fasync(&idev->async_queue, SIGIO, POLL_IN); } -@@ -450,7 +451,7 @@ static int uio_open(struct inode *inode, struct file *filep) +@@ -451,7 +452,7 @@ static int uio_open(struct inode *inode, struct file *filep) } listener->dev = idev; @@ -44449,7 +44404,7 @@ index c8b9262..7e824e6 100644 filep->private_data = listener; if (idev->info->open) { -@@ -501,7 +502,7 @@ static unsigned int uio_poll(struct file *filep, poll_table *wait) +@@ -502,7 +503,7 @@ static unsigned int uio_poll(struct file *filep, poll_table *wait) return -EIO; poll_wait(filep, &idev->wait, wait); @@ -44458,7 +44413,7 @@ index c8b9262..7e824e6 100644 return POLLIN | POLLRDNORM; return 0; } -@@ -526,7 +527,7 @@ static ssize_t uio_read(struct file *filep, char __user *buf, +@@ -527,7 +528,7 @@ static ssize_t uio_read(struct file *filep, char __user *buf, do { set_current_state(TASK_INTERRUPTIBLE); @@ -44467,7 +44422,7 @@ index c8b9262..7e824e6 100644 if (event_count != listener->event_count) { if (copy_to_user(buf, &event_count, count)) retval = -EFAULT; -@@ -595,13 +596,13 @@ static int uio_find_mem_index(struct vm_area_struct *vma) +@@ -596,13 +597,13 @@ static int uio_find_mem_index(struct vm_area_struct *vma) static void uio_vma_open(struct vm_area_struct *vma) { struct uio_device *idev = vma->vm_private_data; @@ -44483,7 +44438,7 @@ index c8b9262..7e824e6 100644 } static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf) -@@ -808,7 +809,7 @@ int __uio_register_device(struct module *owner, +@@ -809,7 +810,7 @@ int __uio_register_device(struct module *owner, idev->owner = owner; idev->info = info; init_waitqueue_head(&idev->wait); @@ -57045,7 +57000,7 @@ index ca9ecaa..60100c7 100644 kfree(s); diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..ba9c5e3 +index 0000000..4fb1dde --- /dev/null +++ b/grsecurity/Kconfig @@ -0,0 +1,1053 @@ @@ -57156,7 +57111,7 @@ index 0000000..ba9c5e3 +config GRKERNSEC_RAND_THREADSTACK + bool "Insert random gaps between thread stacks" + default y if GRKERNSEC_CONFIG_AUTO -+ depends on PAX_RANDMMAP && !PPC && BROKEN ++ depends on PAX_RANDMMAP && !PPC + help + If you say Y here, a random-sized gap will be enforced between allocated + thread stacks. Glibc's NPTL and other threading libraries that @@ -70255,7 +70210,7 @@ index b8ba855..0148090 100644 u32 remainder; return div_u64_rem(dividend, divisor, &remainder); diff --git a/include/linux/mm.h b/include/linux/mm.h -index e2091b8..821db54 100644 +index e2091b8..3c7b38c 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -101,6 +101,11 @@ extern unsigned int kobjsize(const void *objp); @@ -70428,14 +70383,29 @@ index e2091b8..821db54 100644 #ifdef CONFIG_MMU extern int __mm_populate(unsigned long addr, unsigned long len, -@@ -1483,6 +1497,7 @@ struct vm_unmapped_area_info { +@@ -1483,10 +1497,11 @@ struct vm_unmapped_area_info { unsigned long high_limit; unsigned long align_mask; unsigned long align_offset; + unsigned long threadstack_offset; }; - extern unsigned long unmapped_area(struct vm_unmapped_area_info *info); +-extern unsigned long unmapped_area(struct vm_unmapped_area_info *info); +-extern unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info); ++extern unsigned long unmapped_area(const struct vm_unmapped_area_info *info); ++extern unsigned long unmapped_area_topdown(const struct vm_unmapped_area_info *info); + + /* + * Search for an unmapped address range. +@@ -1498,7 +1513,7 @@ extern unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info); + * - satisfies (begin_addr & align_mask) == (align_offset & align_mask) + */ + static inline unsigned long +-vm_unmapped_area(struct vm_unmapped_area_info *info) ++vm_unmapped_area(const struct vm_unmapped_area_info *info) + { + if (!(info->flags & VM_UNMAPPED_AREA_TOPDOWN)) + return unmapped_area(info); @@ -1561,6 +1576,10 @@ extern struct vm_area_struct * find_vma(struct mm_struct * mm, unsigned long add extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr, struct vm_area_struct **pprev); @@ -70968,7 +70938,7 @@ index 45fc162..01a4068 100644 /** * struct hotplug_slot_info - used to notify the hotplug pci core of the state of the slot diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h -index 1d795df..b0a6449 100644 +index 2f522a3..494e45f 100644 --- a/include/linux/perf_event.h +++ b/include/linux/perf_event.h @@ -333,8 +333,8 @@ struct perf_event { @@ -70993,7 +70963,7 @@ index 1d795df..b0a6449 100644 /* * Protect attach/detach and child_list: -@@ -704,7 +704,7 @@ static inline void perf_callchain_store(struct perf_callchain_entry *entry, u64 +@@ -703,7 +703,7 @@ static inline void perf_callchain_store(struct perf_callchain_entry *entry, u64 entry->ip[entry->nr++] = ip; } @@ -71002,7 +70972,7 @@ index 1d795df..b0a6449 100644 extern int sysctl_perf_event_mlock; extern int sysctl_perf_event_sample_rate; -@@ -712,19 +712,24 @@ extern int perf_proc_update_handler(struct ctl_table *table, int write, +@@ -711,19 +711,24 @@ extern int perf_proc_update_handler(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos); @@ -71030,7 +71000,7 @@ index 1d795df..b0a6449 100644 } extern void perf_event_init(void); -@@ -812,7 +817,7 @@ static inline void perf_restore_debug_store(void) { } +@@ -811,7 +816,7 @@ static inline void perf_restore_debug_store(void) { } */ #define perf_cpu_notifier(fn) \ do { \ @@ -71039,7 +71009,7 @@ index 1d795df..b0a6449 100644 { .notifier_call = fn, .priority = CPU_PRI_PERF }; \ unsigned long cpu = smp_processor_id(); \ unsigned long flags; \ -@@ -831,7 +836,7 @@ do { \ +@@ -830,7 +835,7 @@ do { \ struct perf_pmu_events_attr { struct device_attribute attr; u64 id; @@ -71702,7 +71672,7 @@ index 429c199..4d42e38 100644 /* shm_mode upper byte flags */ diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h -index b8292d8..96db310 100644 +index 1f2803c..4858a3d 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -599,7 +599,7 @@ extern bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from, @@ -72023,20 +71993,6 @@ index e8d702e..0a56eb4 100644 int sock_diag_register(const struct sock_diag_handler *h); void sock_diag_unregister(const struct sock_diag_handler *h); -diff --git a/include/linux/socket.h b/include/linux/socket.h -index 2b9f74b..e897bdc 100644 ---- a/include/linux/socket.h -+++ b/include/linux/socket.h -@@ -321,6 +321,9 @@ extern int put_cmsg(struct msghdr*, int level, int type, int len, void *data); - - struct timespec; - -+/* The __sys_...msg variants allow MSG_CMSG_COMPAT */ -+extern long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags); -+extern long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags); - extern int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, - unsigned int flags, struct timespec *timeout); - extern int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, diff --git a/include/linux/sonet.h b/include/linux/sonet.h index 680f9a3..f13aeb0 100644 --- a/include/linux/sonet.h @@ -75189,7 +75145,7 @@ index 00eb8f7..d7e3244 100644 #ifdef CONFIG_MODULE_UNLOAD { diff --git a/kernel/events/core.c b/kernel/events/core.c -index 9fcb094..353baaaf 100644 +index f8ddcfb..77c06ec 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -154,8 +154,15 @@ static struct srcu_struct pmus_srcu; @@ -75218,7 +75174,7 @@ index 9fcb094..353baaaf 100644 static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx, enum event_type_t event_type); -@@ -2677,7 +2684,7 @@ static void __perf_event_read(void *info) +@@ -2674,7 +2681,7 @@ static void __perf_event_read(void *info) static inline u64 perf_event_count(struct perf_event *event) { @@ -75227,7 +75183,7 @@ index 9fcb094..353baaaf 100644 } static u64 perf_event_read(struct perf_event *event) -@@ -3007,9 +3014,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running) +@@ -3020,9 +3027,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running) mutex_lock(&event->child_mutex); total += perf_event_read(event); *enabled += event->total_time_enabled + @@ -75239,7 +75195,7 @@ index 9fcb094..353baaaf 100644 list_for_each_entry(child, &event->child_list, child_list) { total += perf_event_read(child); -@@ -3412,10 +3419,10 @@ void perf_event_update_userpage(struct perf_event *event) +@@ -3408,10 +3415,10 @@ void perf_event_update_userpage(struct perf_event *event) userpg->offset -= local64_read(&event->hw.prev_count); userpg->time_enabled = enabled + @@ -75252,7 +75208,7 @@ index 9fcb094..353baaaf 100644 arch_perf_update_userpage(userpg, now); -@@ -3886,7 +3893,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size, +@@ -3961,7 +3968,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size, /* Data. */ sp = perf_user_stack_pointer(regs); @@ -75261,7 +75217,7 @@ index 9fcb094..353baaaf 100644 dyn_size = dump_size - rem; perf_output_skip(handle, rem); -@@ -3974,11 +3981,11 @@ static void perf_output_read_one(struct perf_output_handle *handle, +@@ -4049,11 +4056,11 @@ static void perf_output_read_one(struct perf_output_handle *handle, values[n++] = perf_event_count(event); if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) { values[n++] = enabled + @@ -75275,7 +75231,7 @@ index 9fcb094..353baaaf 100644 } if (read_format & PERF_FORMAT_ID) values[n++] = primary_event_id(event); -@@ -4726,12 +4733,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event) +@@ -4801,12 +4808,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event) * need to add enough zero bytes after the string to handle * the 64bit alignment we do later. */ @@ -75290,7 +75246,7 @@ index 9fcb094..353baaaf 100644 if (IS_ERR(name)) { name = strncpy(tmp, "//toolong", sizeof(tmp)); goto got_name; -@@ -6167,7 +6174,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu, +@@ -6242,7 +6249,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu, event->parent = parent_event; event->ns = get_pid_ns(task_active_pid_ns(current)); @@ -75299,7 +75255,7 @@ index 9fcb094..353baaaf 100644 event->state = PERF_EVENT_STATE_INACTIVE; -@@ -6463,6 +6470,11 @@ SYSCALL_DEFINE5(perf_event_open, +@@ -6552,6 +6559,11 @@ SYSCALL_DEFINE5(perf_event_open, if (flags & ~PERF_FLAG_ALL) return -EINVAL; @@ -75311,7 +75267,7 @@ index 9fcb094..353baaaf 100644 err = perf_copy_attr(attr_uptr, &attr); if (err) return err; -@@ -6795,10 +6807,10 @@ static void sync_child_event(struct perf_event *child_event, +@@ -6884,10 +6896,10 @@ static void sync_child_event(struct perf_event *child_event, /* * Add back the child's count to the parent's count: */ @@ -75326,10 +75282,10 @@ index 9fcb094..353baaaf 100644 /* diff --git a/kernel/events/internal.h b/kernel/events/internal.h -index eb675c4..54912ff 100644 +index ca65997..cc8cee4 100644 --- a/kernel/events/internal.h +++ b/kernel/events/internal.h -@@ -77,10 +77,10 @@ static inline unsigned long perf_data_size(struct ring_buffer *rb) +@@ -81,10 +81,10 @@ static inline unsigned long perf_data_size(struct ring_buffer *rb) return rb->nr_pages << (PAGE_SHIFT + page_order(rb)); } @@ -75342,7 +75298,7 @@ index eb675c4..54912ff 100644 { \ unsigned long size, written; \ \ -@@ -112,17 +112,17 @@ static inline int memcpy_common(void *dst, const void *src, size_t n) +@@ -116,17 +116,17 @@ static inline int memcpy_common(void *dst, const void *src, size_t n) return n; } @@ -82244,7 +82200,7 @@ index 79b7cf7..9944291 100644 capable(CAP_IPC_LOCK)) ret = do_mlockall(flags); diff --git a/mm/mmap.c b/mm/mmap.c -index 0dceed8..e7cfc40 100644 +index 0dceed8..bfcaf45 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -33,6 +33,7 @@ @@ -82645,10 +82601,11 @@ index 0dceed8..e7cfc40 100644 kmem_cache_free(vm_area_cachep, vma); unacct_error: if (charged) -@@ -1584,6 +1744,62 @@ unacct_error: +@@ -1584,7 +1744,63 @@ unacct_error: return error; } +-unsigned long unmapped_area(struct vm_unmapped_area_info *info) +#ifdef CONFIG_GRKERNSEC_RAND_THREADSTACK +unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags) +{ @@ -82705,10 +82662,76 @@ index 0dceed8..e7cfc40 100644 + return -ENOMEM; +} + - unsigned long unmapped_area(struct vm_unmapped_area_info *info) ++unsigned long unmapped_area(const struct vm_unmapped_area_info *info) { /* -@@ -1803,6 +2019,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, + * We implement the search by looking for an rbtree node that +@@ -1632,11 +1848,29 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info) + } + } + +- gap_start = vma->vm_prev ? vma->vm_prev->vm_end : 0; ++ gap_start = vma->vm_prev ? vma->vm_prev->vm_end: 0; + check_current: + /* Check if current node has a suitable gap */ + if (gap_start > high_limit) + return -ENOMEM; ++ ++ if (gap_end - gap_start > info->threadstack_offset) ++ gap_start += info->threadstack_offset; ++ else ++ gap_start = gap_end; ++ ++ if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP)) { ++ if (gap_end - gap_start > sysctl_heap_stack_gap) ++ gap_start += sysctl_heap_stack_gap; ++ else ++ gap_start = gap_end; ++ } ++ if (vma->vm_flags & VM_GROWSDOWN) { ++ if (gap_end - gap_start > sysctl_heap_stack_gap) ++ gap_end -= sysctl_heap_stack_gap; ++ else ++ gap_end = gap_start; ++ } + if (gap_end >= low_limit && gap_end - gap_start >= length) + goto found; + +@@ -1686,7 +1920,7 @@ found: + return gap_start; + } + +-unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info) ++unsigned long unmapped_area_topdown(const struct vm_unmapped_area_info *info) + { + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma; +@@ -1740,6 +1974,24 @@ check_current: + gap_end = vma->vm_start; + if (gap_end < low_limit) + return -ENOMEM; ++ ++ if (gap_end - gap_start > info->threadstack_offset) ++ gap_end -= info->threadstack_offset; ++ else ++ gap_end = gap_start; ++ ++ if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP)) { ++ if (gap_end - gap_start > sysctl_heap_stack_gap) ++ gap_start += sysctl_heap_stack_gap; ++ else ++ gap_start = gap_end; ++ } ++ if (vma->vm_flags & VM_GROWSDOWN) { ++ if (gap_end - gap_start > sysctl_heap_stack_gap) ++ gap_end -= sysctl_heap_stack_gap; ++ else ++ gap_end = gap_start; ++ } + if (gap_start <= high_limit && gap_end - gap_start >= length) + goto found; + +@@ -1803,6 +2055,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, struct mm_struct *mm = current->mm; struct vm_area_struct *vma; struct vm_unmapped_area_info info; @@ -82716,7 +82739,7 @@ index 0dceed8..e7cfc40 100644 if (len > TASK_SIZE) return -ENOMEM; -@@ -1810,29 +2027,45 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -1810,29 +2063,45 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, if (flags & MAP_FIXED) return addr; @@ -82765,7 +82788,7 @@ index 0dceed8..e7cfc40 100644 mm->free_area_cache = addr; } -@@ -1850,6 +2083,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1850,6 +2119,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, struct mm_struct *mm = current->mm; unsigned long addr = addr0; struct vm_unmapped_area_info info; @@ -82773,7 +82796,7 @@ index 0dceed8..e7cfc40 100644 /* requested length too big for entire address space */ if (len > TASK_SIZE) -@@ -1858,12 +2092,15 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1858,12 +2128,15 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (flags & MAP_FIXED) return addr; @@ -82791,7 +82814,7 @@ index 0dceed8..e7cfc40 100644 return addr; } -@@ -1872,6 +2109,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1872,6 +2145,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, info.low_limit = PAGE_SIZE; info.high_limit = mm->mmap_base; info.align_mask = 0; @@ -82799,7 +82822,7 @@ index 0dceed8..e7cfc40 100644 addr = vm_unmapped_area(&info); /* -@@ -1884,6 +2122,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1884,6 +2158,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, VM_BUG_ON(addr != -ENOMEM); info.flags = 0; info.low_limit = TASK_UNMAPPED_BASE; @@ -82812,7 +82835,7 @@ index 0dceed8..e7cfc40 100644 info.high_limit = TASK_SIZE; addr = vm_unmapped_area(&info); } -@@ -1894,6 +2138,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1894,6 +2174,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) { @@ -82825,7 +82848,7 @@ index 0dceed8..e7cfc40 100644 /* * Is this a new hole at the highest possible address? */ -@@ -1901,8 +2151,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) +@@ -1901,8 +2187,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) mm->free_area_cache = addr; /* dont allow allocations above current base */ @@ -82837,7 +82860,7 @@ index 0dceed8..e7cfc40 100644 } unsigned long -@@ -2001,6 +2253,28 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr, +@@ -2001,6 +2289,28 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr, return vma; } @@ -82866,7 +82889,7 @@ index 0dceed8..e7cfc40 100644 /* * Verify that the stack growth is acceptable and * update accounting. This is shared with both the -@@ -2017,6 +2291,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -2017,6 +2327,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns return -ENOMEM; /* Stack limit test */ @@ -82874,7 +82897,7 @@ index 0dceed8..e7cfc40 100644 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur)) return -ENOMEM; -@@ -2027,6 +2302,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -2027,6 +2338,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns locked = mm->locked_vm + grow; limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur); limit >>= PAGE_SHIFT; @@ -82882,7 +82905,7 @@ index 0dceed8..e7cfc40 100644 if (locked > limit && !capable(CAP_IPC_LOCK)) return -ENOMEM; } -@@ -2056,37 +2332,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -2056,37 +2368,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns * PA-RISC uses this for its stack; IA64 for its Register Backing Store. * vma is the last one with address > vma->vm_end. Have to extend vma. */ @@ -82940,7 +82963,7 @@ index 0dceed8..e7cfc40 100644 unsigned long size, grow; size = address - vma->vm_start; -@@ -2121,6 +2408,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) +@@ -2121,6 +2444,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) } } } @@ -82949,7 +82972,7 @@ index 0dceed8..e7cfc40 100644 vma_unlock_anon_vma(vma); khugepaged_enter_vma_merge(vma); validate_mm(vma->vm_mm); -@@ -2135,6 +2424,8 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2135,6 +2460,8 @@ int expand_downwards(struct vm_area_struct *vma, unsigned long address) { int error; @@ -82958,7 +82981,7 @@ index 0dceed8..e7cfc40 100644 /* * We must make sure the anon_vma is allocated -@@ -2148,6 +2439,15 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2148,6 +2475,15 @@ int expand_downwards(struct vm_area_struct *vma, if (error) return error; @@ -82974,7 +82997,7 @@ index 0dceed8..e7cfc40 100644 vma_lock_anon_vma(vma); /* -@@ -2157,9 +2457,17 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2157,9 +2493,17 @@ int expand_downwards(struct vm_area_struct *vma, */ /* Somebody else might have raced and expanded it already */ @@ -82993,7 +83016,7 @@ index 0dceed8..e7cfc40 100644 size = vma->vm_end - address; grow = (vma->vm_start - address) >> PAGE_SHIFT; -@@ -2184,13 +2492,27 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2184,13 +2528,27 @@ int expand_downwards(struct vm_area_struct *vma, vma->vm_pgoff -= grow; anon_vma_interval_tree_post_update_vma(vma); vma_gap_update(vma); @@ -83021,7 +83044,7 @@ index 0dceed8..e7cfc40 100644 khugepaged_enter_vma_merge(vma); validate_mm(vma->vm_mm); return error; -@@ -2288,6 +2610,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -2288,6 +2646,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) do { long nrpages = vma_pages(vma); @@ -83035,7 +83058,7 @@ index 0dceed8..e7cfc40 100644 if (vma->vm_flags & VM_ACCOUNT) nr_accounted += nrpages; vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); -@@ -2333,6 +2662,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2333,6 +2698,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, insertion_point = (prev ? &prev->vm_next : &mm->mmap); vma->vm_prev = NULL; do { @@ -83052,7 +83075,7 @@ index 0dceed8..e7cfc40 100644 vma_rb_erase(vma, &mm->mm_rb); mm->map_count--; tail_vma = vma; -@@ -2364,14 +2703,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2364,14 +2739,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, struct vm_area_struct *new; int err = -ENOMEM; @@ -83086,7 +83109,7 @@ index 0dceed8..e7cfc40 100644 /* most fields are the same, copy all, and then fixup */ *new = *vma; -@@ -2384,6 +2742,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2384,6 +2778,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); } @@ -83109,7 +83132,7 @@ index 0dceed8..e7cfc40 100644 pol = mpol_dup(vma_policy(vma)); if (IS_ERR(pol)) { err = PTR_ERR(pol); -@@ -2406,6 +2780,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2406,6 +2816,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, else err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); @@ -83146,7 +83169,7 @@ index 0dceed8..e7cfc40 100644 /* Success. */ if (!err) return 0; -@@ -2415,10 +2819,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2415,10 +2855,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, new->vm_ops->close(new); if (new->vm_file) fput(new->vm_file); @@ -83166,7 +83189,7 @@ index 0dceed8..e7cfc40 100644 kmem_cache_free(vm_area_cachep, new); out_err: return err; -@@ -2431,6 +2843,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2431,6 +2879,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long addr, int new_below) { @@ -83182,7 +83205,7 @@ index 0dceed8..e7cfc40 100644 if (mm->map_count >= sysctl_max_map_count) return -ENOMEM; -@@ -2442,11 +2863,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2442,11 +2899,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, * work. This now handles partial unmappings. * Jeremy Fitzhardinge <jeremy@goop.org> */ @@ -83213,7 +83236,7 @@ index 0dceed8..e7cfc40 100644 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) return -EINVAL; -@@ -2521,6 +2961,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) +@@ -2521,6 +2997,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) /* Fix up all other VM information */ remove_vma_list(mm, vma); @@ -83222,7 +83245,7 @@ index 0dceed8..e7cfc40 100644 return 0; } -@@ -2529,6 +2971,13 @@ int vm_munmap(unsigned long start, size_t len) +@@ -2529,6 +3007,13 @@ int vm_munmap(unsigned long start, size_t len) int ret; struct mm_struct *mm = current->mm; @@ -83236,7 +83259,7 @@ index 0dceed8..e7cfc40 100644 down_write(&mm->mmap_sem); ret = do_munmap(mm, start, len); up_write(&mm->mmap_sem); -@@ -2542,16 +2991,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) +@@ -2542,16 +3027,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) return vm_munmap(addr, len); } @@ -83253,7 +83276,7 @@ index 0dceed8..e7cfc40 100644 /* * this is really a simplified "do_mmap". it only handles * anonymous maps. eventually we may be able to do some -@@ -2565,6 +3004,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2565,6 +3040,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) struct rb_node ** rb_link, * rb_parent; pgoff_t pgoff = addr >> PAGE_SHIFT; int error; @@ -83261,7 +83284,7 @@ index 0dceed8..e7cfc40 100644 len = PAGE_ALIGN(len); if (!len) -@@ -2572,16 +3012,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2572,16 +3048,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; @@ -83293,7 +83316,7 @@ index 0dceed8..e7cfc40 100644 locked += mm->locked_vm; lock_limit = rlimit(RLIMIT_MEMLOCK); lock_limit >>= PAGE_SHIFT; -@@ -2598,21 +3052,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2598,21 +3088,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) /* * Clear old maps. this also does some error checking for us */ @@ -83318,7 +83341,7 @@ index 0dceed8..e7cfc40 100644 return -ENOMEM; /* Can we just expand an old private anonymous mapping? */ -@@ -2626,7 +3079,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2626,7 +3115,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) */ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); if (!vma) { @@ -83327,7 +83350,7 @@ index 0dceed8..e7cfc40 100644 return -ENOMEM; } -@@ -2640,9 +3093,10 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2640,9 +3129,10 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) vma_link(mm, vma, prev, rb_link, rb_parent); out: perf_event_mmap(vma); @@ -83340,7 +83363,7 @@ index 0dceed8..e7cfc40 100644 return addr; } -@@ -2704,6 +3158,7 @@ void exit_mmap(struct mm_struct *mm) +@@ -2704,6 +3194,7 @@ void exit_mmap(struct mm_struct *mm) while (vma) { if (vma->vm_flags & VM_ACCOUNT) nr_accounted += vma_pages(vma); @@ -83348,7 +83371,7 @@ index 0dceed8..e7cfc40 100644 vma = remove_vma(vma); } vm_unacct_memory(nr_accounted); -@@ -2720,6 +3175,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -2720,6 +3211,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) struct vm_area_struct *prev; struct rb_node **rb_link, *rb_parent; @@ -83362,7 +83385,7 @@ index 0dceed8..e7cfc40 100644 /* * The vm_pgoff of a purely anonymous vma should be irrelevant * until its first write fault, when page's anon_vma and index -@@ -2743,7 +3205,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -2743,7 +3241,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) security_vm_enough_memory_mm(mm, vma_pages(vma))) return -ENOMEM; @@ -83384,7 +83407,7 @@ index 0dceed8..e7cfc40 100644 return 0; } -@@ -2763,6 +3239,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2763,6 +3275,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, struct mempolicy *pol; bool faulted_in_anon_vma = true; @@ -83393,7 +83416,7 @@ index 0dceed8..e7cfc40 100644 /* * If anonymous vma has not yet been faulted, update new pgoff * to match new location, to increase its chance of merging. -@@ -2829,6 +3307,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2829,6 +3343,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, return NULL; } @@ -83433,7 +83456,7 @@ index 0dceed8..e7cfc40 100644 /* * Return true if the calling process may expand its vm space by the passed * number of pages -@@ -2840,6 +3351,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) +@@ -2840,6 +3387,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT; @@ -83441,7 +83464,7 @@ index 0dceed8..e7cfc40 100644 if (cur + npages > lim) return 0; return 1; -@@ -2910,6 +3422,22 @@ int install_special_mapping(struct mm_struct *mm, +@@ -2910,6 +3458,22 @@ int install_special_mapping(struct mm_struct *mm, vma->vm_start = addr; vma->vm_end = addr + len; @@ -85864,10 +85887,20 @@ index 6a93614..1415549 100644 err = -EFAULT; break; diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c -index c5f9cd6..8d23158 100644 +index c5f9cd6..dfc8ec1 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c -@@ -3395,8 +3395,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, +@@ -2743,6 +2743,9 @@ static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code, + BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u", + conn, code, ident, dlen); + ++ if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE) ++ return NULL; ++ + len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen; + count = min_t(unsigned int, conn->mtu, len); + +@@ -3395,8 +3398,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, break; case L2CAP_CONF_RFC: @@ -85880,6 +85913,15 @@ index c5f9cd6..8d23158 100644 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) && rfc.mode != chan->mode) +@@ -4221,7 +4226,7 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn, + struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data; + u16 type, result; + +- if (cmd_len != sizeof(*rsp)) ++ if (cmd_len < sizeof(*rsp)) + return -EPROTO; + + type = __le16_to_cpu(rsp->type); diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index 1bcfb84..dad9f98 100644 --- a/net/bluetooth/l2cap_sock.c @@ -86111,7 +86153,7 @@ index 117814a..ad4fb73 100644 if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) { diff --git a/net/compat.c b/net/compat.c -index 79ae884..0541331 100644 +index f0a1ba6..0541331 100644 --- a/net/compat.c +++ b/net/compat.c @@ -71,9 +71,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) @@ -86241,45 +86283,7 @@ index 79ae884..0541331 100644 struct group_filter __user *kgf; int __user *koptlen; u32 interface, fmode, numsrc; -@@ -734,19 +734,25 @@ static unsigned char nas[21] = { - - asmlinkage long compat_sys_sendmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags) - { -- return sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT); -+ if (flags & MSG_CMSG_COMPAT) -+ return -EINVAL; -+ return __sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT); - } - - asmlinkage long compat_sys_sendmmsg(int fd, struct compat_mmsghdr __user *mmsg, - unsigned int vlen, unsigned int flags) - { -+ if (flags & MSG_CMSG_COMPAT) -+ return -EINVAL; - return __sys_sendmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, - flags | MSG_CMSG_COMPAT); - } - - asmlinkage long compat_sys_recvmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags) - { -- return sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT); -+ if (flags & MSG_CMSG_COMPAT) -+ return -EINVAL; -+ return __sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT); - } - - asmlinkage long compat_sys_recv(int fd, void __user *buf, size_t len, unsigned int flags) -@@ -768,6 +774,9 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, - int datagrams; - struct timespec ktspec; - -+ if (flags & MSG_CMSG_COMPAT) -+ return -EINVAL; -+ - if (COMPAT_USE_64BIT_TIME) - return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, - flags | MSG_CMSG_COMPAT, -@@ -796,7 +805,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) +@@ -805,7 +805,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) if (call < SYS_SOCKET || call > SYS_SENDMMSG) return -EINVAL; @@ -86302,7 +86306,7 @@ index 368f9c3..f82d4a3 100644 return err; diff --git a/net/core/dev.c b/net/core/dev.c -index 9a278e9..15f2b9e 100644 +index c9eb9e6..922c789 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -1617,7 +1617,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb) @@ -86332,7 +86336,7 @@ index 9a278e9..15f2b9e 100644 #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb) -@@ -3093,7 +3093,7 @@ enqueue: +@@ -3099,7 +3099,7 @@ enqueue: local_irq_restore(flags); @@ -86341,7 +86345,7 @@ index 9a278e9..15f2b9e 100644 kfree_skb(skb); return NET_RX_DROP; } -@@ -3165,7 +3165,7 @@ int netif_rx_ni(struct sk_buff *skb) +@@ -3171,7 +3171,7 @@ int netif_rx_ni(struct sk_buff *skb) } EXPORT_SYMBOL(netif_rx_ni); @@ -86350,7 +86354,7 @@ index 9a278e9..15f2b9e 100644 { struct softnet_data *sd = &__get_cpu_var(softnet_data); -@@ -3490,7 +3490,7 @@ ncls: +@@ -3496,7 +3496,7 @@ ncls: ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev); } else { drop: @@ -86359,7 +86363,7 @@ index 9a278e9..15f2b9e 100644 kfree_skb(skb); /* Jamal, now you will not able to escape explaining * me how you were going to use this. :-) -@@ -4095,7 +4095,7 @@ void netif_napi_del(struct napi_struct *napi) +@@ -4101,7 +4101,7 @@ void netif_napi_del(struct napi_struct *napi) } EXPORT_SYMBOL(netif_napi_del); @@ -86368,7 +86372,7 @@ index 9a278e9..15f2b9e 100644 { struct softnet_data *sd = &__get_cpu_var(softnet_data); unsigned long time_limit = jiffies + 2; -@@ -5522,7 +5522,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, +@@ -5528,7 +5528,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, } else { netdev_stats_to_stats64(storage, &dev->stats); } @@ -86639,7 +86643,7 @@ index e61a8bb..6a2f13c 100644 #ifdef CONFIG_INET static u32 seq_scale(u32 seq) diff --git a/net/core/sock.c b/net/core/sock.c -index 1432266..1a0d4a1 100644 +index 684c37d..b541900 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -390,7 +390,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) @@ -87168,7 +87172,7 @@ index 52c273e..579060b 100644 return -ENOMEM; } diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c -index 91d66db..4af7d99 100644 +index c7e8c04..56cb4c1 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -124,7 +124,7 @@ static bool log_ecn_error = true; @@ -87298,7 +87302,7 @@ index bf6c5cf..ab2e9c6 100644 return res; } diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c -index 8f024d4..8b3500c 100644 +index 7533846..d2361d1 100644 --- a/net/ipv4/ipip.c +++ b/net/ipv4/ipip.c @@ -138,7 +138,7 @@ struct ipip_net { @@ -87486,10 +87490,10 @@ index dd44e0a..06dcca4 100644 static int raw_seq_show(struct seq_file *seq, void *v) diff --git a/net/ipv4/route.c b/net/ipv4/route.c -index 6e28514..5e1b055 100644 +index cfede9a..22248f9 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c -@@ -2553,34 +2553,34 @@ static struct ctl_table ipv4_route_flush_table[] = { +@@ -2558,34 +2558,34 @@ static struct ctl_table ipv4_route_flush_table[] = { .maxlen = sizeof(int), .mode = 0200, .proc_handler = ipv4_sysctl_rtcache_flush, @@ -87532,7 +87536,7 @@ index 6e28514..5e1b055 100644 err_dup: return -ENOMEM; } -@@ -2603,7 +2603,7 @@ static __net_initdata struct pernet_operations sysctl_route_ops = { +@@ -2608,7 +2608,7 @@ static __net_initdata struct pernet_operations sysctl_route_ops = { static __net_init int rt_genid_init(struct net *net) { @@ -87681,29 +87685,11 @@ index 960fd29..d55bf64 100644 hdr = register_net_sysctl(&init_net, "net/ipv4", ipv4_table); if (hdr == NULL) -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index e220207..cdeb839 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3383,8 +3383,11 @@ int tcp_md5_hash_skb_data(struct tcp_md5sig_pool *hp, - - for (i = 0; i < shi->nr_frags; ++i) { - const struct skb_frag_struct *f = &shi->frags[i]; -- struct page *page = skb_frag_page(f); -- sg_set_page(&sg, page, skb_frag_size(f), f->page_offset); -+ unsigned int offset = f->page_offset; -+ struct page *page = skb_frag_page(f) + (offset >> PAGE_SHIFT); -+ -+ sg_set_page(&sg, page, skb_frag_size(f), -+ offset_in_page(offset)); - if (crypto_hash_update(desc, &sg, skb_frag_size(f))) - return 1; - } diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index 13b9c08..d33a8d0 100644 +index 59163c8..8277c51 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c -@@ -4724,7 +4724,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb, +@@ -4727,7 +4727,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb, * simplifies code) */ static void @@ -87712,7 +87698,7 @@ index 13b9c08..d33a8d0 100644 struct sk_buff *head, struct sk_buff *tail, u32 start, u32 end) { -@@ -5838,6 +5838,7 @@ discard: +@@ -5841,6 +5841,7 @@ discard: tcp_paws_reject(&tp->rx_opt, 0)) goto discard_and_undo; @@ -87720,7 +87706,7 @@ index 13b9c08..d33a8d0 100644 if (th->syn) { /* We see SYN without ACK. It is attempt of * simultaneous connect with crossed SYNs. -@@ -5888,6 +5889,7 @@ discard: +@@ -5891,6 +5892,7 @@ discard: goto discard; #endif } @@ -87728,7 +87714,7 @@ index 13b9c08..d33a8d0 100644 /* "fifth, if neither of the SYN or RST bits is set then * drop the segment and return." */ -@@ -5932,7 +5934,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, +@@ -5935,7 +5937,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, goto discard; if (th->syn) { @@ -88023,7 +88009,7 @@ index 9a459be..086b866 100644 return -ENOMEM; } diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c -index dae802c..bfa4baa 100644 +index 50a4c7c..50a27e6 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -2274,7 +2274,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg) @@ -88035,7 +88021,7 @@ index dae802c..bfa4baa 100644 if (ops->ndo_do_ioctl) { mm_segment_t oldfs = get_fs(); -@@ -4410,7 +4410,7 @@ int addrconf_sysctl_forward(ctl_table *ctl, int write, +@@ -4412,7 +4412,7 @@ int addrconf_sysctl_forward(ctl_table *ctl, int write, int *valp = ctl->data; int val = *valp; loff_t pos = *ppos; @@ -88044,7 +88030,7 @@ index dae802c..bfa4baa 100644 int ret; /* -@@ -4492,7 +4492,7 @@ int addrconf_sysctl_disable(ctl_table *ctl, int write, +@@ -4494,7 +4494,7 @@ int addrconf_sysctl_disable(ctl_table *ctl, int write, int *valp = ctl->data; int val = *valp; loff_t pos = *ppos; @@ -88107,18 +88093,28 @@ index 95d13c7..791fe2f 100644 .maxtype = IFLA_GRE_MAX, .policy = ip6gre_policy, diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 155eccf..851fdae 100644 +index 851fdae..9d4d1fd 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c -@@ -1147,7 +1147,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, - if (WARN_ON(np->cork.opt)) - return -EINVAL; +@@ -822,11 +822,17 @@ static struct dst_entry *ip6_sk_dst_check(struct sock *sk, + const struct flowi6 *fl6) + { + struct ipv6_pinfo *np = inet6_sk(sk); +- struct rt6_info *rt = (struct rt6_info *)dst; ++ struct rt6_info *rt; -- np->cork.opt = kmalloc(opt->tot_len, sk->sk_allocation); -+ np->cork.opt = kzalloc(opt->tot_len, sk->sk_allocation); - if (unlikely(np->cork.opt == NULL)) - return -ENOBUFS; + if (!dst) + goto out; ++ if (dst->ops->family != AF_INET6) { ++ dst_release(dst); ++ return NULL; ++ } ++ ++ rt = (struct rt6_info *)dst; + /* Yes, checking route validity in not connected + * case is not very simple. Take into account, + * that we do not support routing by source, TOS, diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c index fff83cb..82d49dd 100644 --- a/net/ipv6/ip6_tunnel.c @@ -88697,10 +88693,26 @@ index 4fe76ff..426a904 100644 }; diff --git a/net/key/af_key.c b/net/key/af_key.c -index 5b1e5af..2358147 100644 +index 5b1e5af..1b929e7 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c -@@ -3041,10 +3041,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc +@@ -1710,6 +1710,7 @@ static int key_notify_sa_flush(const struct km_event *c) + hdr->sadb_msg_version = PF_KEY_V2; + hdr->sadb_msg_errno = (uint8_t) 0; + hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t)); ++ hdr->sadb_msg_reserved = 0; + + pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net); + +@@ -2695,6 +2696,7 @@ static int key_notify_policy_flush(const struct km_event *c) + hdr->sadb_msg_errno = (uint8_t) 0; + hdr->sadb_msg_satype = SADB_SATYPE_UNSPEC; + hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t)); ++ hdr->sadb_msg_reserved = 0; + pfkey_broadcast(skb_out, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net); + return 0; + +@@ -3041,10 +3043,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc static u32 get_acqseq(void) { u32 res; @@ -88713,33 +88725,6 @@ index 5b1e5af..2358147 100644 } while (!res); return res; } -diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c -index 637a341..8dec687 100644 ---- a/net/l2tp/l2tp_ppp.c -+++ b/net/l2tp/l2tp_ppp.c -@@ -346,19 +346,19 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh - skb_put(skb, 2); - - /* Copy user data into skb */ -- error = memcpy_fromiovec(skb->data, m->msg_iov, total_len); -+ error = memcpy_fromiovec(skb_put(skb, total_len), m->msg_iov, -+ total_len); - if (error < 0) { - kfree_skb(skb); - goto error_put_sess_tun; - } -- skb_put(skb, total_len); - - l2tp_xmit_skb(session, skb, session->hdr_len); - - sock_put(ps->tunnel_sock); - sock_put(sk); - -- return error; -+ return total_len; - - error_put_sess_tun: - sock_put(ps->tunnel_sock); diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index 843d8c4..cb04fa1 100644 --- a/net/mac80211/cfg.c @@ -89356,6 +89341,22 @@ index 9e31269..bc4c1b7 100644 mutex_unlock(&nf_log_mutex); } +diff --git a/net/netfilter/nf_nat_sip.c b/net/netfilter/nf_nat_sip.c +index 96ccdf7..dac11f7 100644 +--- a/net/netfilter/nf_nat_sip.c ++++ b/net/netfilter/nf_nat_sip.c +@@ -230,9 +230,10 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff, + &ct->tuplehash[!dir].tuple.src.u3, + false); + if (!mangle_packet(skb, protoff, dataoff, dptr, datalen, +- poff, plen, buffer, buflen)) ++ poff, plen, buffer, buflen)) { + nf_ct_helper_log(skb, ct, "cannot mangle received"); + return NF_DROP; ++ } + } + + /* The rport= parameter (RFC 3581) contains the port number diff --git a/net/netfilter/nf_sockopt.c b/net/netfilter/nf_sockopt.c index f042ae5..30ea486 100644 --- a/net/netfilter/nf_sockopt.c @@ -89576,10 +89577,10 @@ index 103bd70..f21aad3 100644 *uaddr_len = sizeof(struct sockaddr_ax25); } diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index f83e172..223ffe1 100644 +index e50f72a..f71867d 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c -@@ -1571,7 +1571,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, +@@ -1578,7 +1578,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, spin_lock(&sk->sk_receive_queue.lock); po->stats.tp_packets++; @@ -89588,7 +89589,7 @@ index f83e172..223ffe1 100644 __skb_queue_tail(&sk->sk_receive_queue, skb); spin_unlock(&sk->sk_receive_queue.lock); sk->sk_data_ready(sk, skb->len); -@@ -1580,7 +1580,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, +@@ -1587,7 +1587,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, drop_n_acct: spin_lock(&sk->sk_receive_queue.lock); po->stats.tp_drops++; @@ -89597,7 +89598,7 @@ index f83e172..223ffe1 100644 spin_unlock(&sk->sk_receive_queue.lock); drop_n_restore: -@@ -2558,6 +2558,7 @@ out: +@@ -2579,6 +2579,7 @@ out: static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len) { @@ -89605,7 +89606,7 @@ index f83e172..223ffe1 100644 struct sock_exterr_skb *serr; struct sk_buff *skb, *skb2; int copied, err; -@@ -2579,8 +2580,9 @@ static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len) +@@ -2600,8 +2601,9 @@ static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len) sock_recv_timestamp(msg, sk, skb); serr = SKB_EXT_ERR(skb); @@ -89616,22 +89617,7 @@ index f83e172..223ffe1 100644 msg->msg_flags |= MSG_ERRQUEUE; err = copied; -@@ -2769,12 +2771,11 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr, - return -EOPNOTSUPP; - - uaddr->sa_family = AF_PACKET; -+ memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data)); - rcu_read_lock(); - dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex); - if (dev) -- strncpy(uaddr->sa_data, dev->name, 14); -- else -- memset(uaddr->sa_data, 0, 14); -+ strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data)); - rcu_read_unlock(); - *uaddr_len = sizeof(*uaddr); - -@@ -3205,7 +3206,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -3225,7 +3227,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, case PACKET_HDRLEN: if (len > sizeof(int)) len = sizeof(int); @@ -89640,7 +89626,7 @@ index f83e172..223ffe1 100644 return -EFAULT; switch (val) { case TPACKET_V1: -@@ -3247,7 +3248,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, +@@ -3267,7 +3269,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, len = lv; if (put_user(len, optlen)) return -EFAULT; @@ -90176,33 +90162,6 @@ index 391a245..296b3d7 100644 } /* Initialize IPv6 support and register with socket layer. */ -diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c -index 01dca75..e9426bb 100644 ---- a/net/sctp/outqueue.c -+++ b/net/sctp/outqueue.c -@@ -206,6 +206,8 @@ static inline int sctp_cacc_skip(struct sctp_transport *primary, - */ - void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q) - { -+ memset(q, 0, sizeof(struct sctp_outq)); -+ - q->asoc = asoc; - INIT_LIST_HEAD(&q->out_chunk_list); - INIT_LIST_HEAD(&q->control_chunk_list); -@@ -213,13 +215,7 @@ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q) - INIT_LIST_HEAD(&q->sacked); - INIT_LIST_HEAD(&q->abandoned); - -- q->fast_rtx = 0; -- q->outstanding_bytes = 0; - q->empty = 1; -- q->cork = 0; -- -- q->malloced = 0; -- q->out_qlen = 0; - } - - /* Free the outqueue structure and any related pending chunks. diff --git a/net/sctp/probe.c b/net/sctp/probe.c index ad0dba8..e62c225 100644 --- a/net/sctp/probe.c @@ -90287,7 +90246,7 @@ index 8aab894..f6b7e7d 100644 sctp_generate_t1_cookie_event, sctp_generate_t1_init_event, diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index b907073..7bea2ca 100644 +index 02c43e4..7bea2ca 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -2166,11 +2166,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval, @@ -90305,20 +90264,7 @@ index b907073..7bea2ca 100644 /* * At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT, -@@ -4002,6 +4004,12 @@ SCTP_STATIC void sctp_destroy_sock(struct sock *sk) - - /* Release our hold on the endpoint. */ - sp = sctp_sk(sk); -+ /* This could happen during socket init, thus we bail out -+ * early, since the rest of the below is not setup either. -+ */ -+ if (sp->ep == NULL) -+ return; -+ - if (sp->do_auto_asconf) { - sp->do_auto_asconf = 0; - list_del(&sp->auto_asconf_list); -@@ -4215,13 +4223,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len, +@@ -4221,13 +4223,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len, static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, int __user *optlen) { @@ -90336,7 +90282,7 @@ index b907073..7bea2ca 100644 return -EFAULT; return 0; } -@@ -4239,6 +4250,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, +@@ -4245,6 +4250,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, */ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen) { @@ -90345,7 +90291,7 @@ index b907073..7bea2ca 100644 /* Applicable to UDP-style socket only */ if (sctp_style(sk, TCP)) return -EOPNOTSUPP; -@@ -4247,7 +4260,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv +@@ -4253,7 +4260,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv len = sizeof(int); if (put_user(len, optlen)) return -EFAULT; @@ -90355,7 +90301,7 @@ index b907073..7bea2ca 100644 return -EFAULT; return 0; } -@@ -4619,12 +4633,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len, +@@ -4625,12 +4633,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len, */ static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen) { @@ -90372,7 +90318,7 @@ index b907073..7bea2ca 100644 return -EFAULT; return 0; } -@@ -4665,6 +4682,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, +@@ -4671,6 +4682,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len, addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len; if (space_left < addrlen) return -ENOMEM; @@ -90404,7 +90350,7 @@ index bf3c6e8..376d8d0 100644 table = kmemdup(sctp_net_table, sizeof(sctp_net_table), GFP_KERNEL); diff --git a/net/socket.c b/net/socket.c -index 88f759a..74be616 100644 +index e216502..74be616 100644 --- a/net/socket.c +++ b/net/socket.c @@ -88,6 +88,7 @@ @@ -90575,16 +90521,7 @@ index 88f759a..74be616 100644 int err, err2; int fput_needed; -@@ -1978,7 +2040,7 @@ struct used_address { - unsigned int name_len; - }; - --static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg, -+static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg, - struct msghdr *msg_sys, unsigned int flags, - struct used_address *used_address) - { -@@ -2045,7 +2107,7 @@ static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg, +@@ -2045,7 +2107,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg, * checking falls down on this. */ if (copy_from_user(ctl_buf, @@ -90593,83 +90530,7 @@ index 88f759a..74be616 100644 ctl_len)) goto out_freectl; msg_sys->msg_control = ctl_buf; -@@ -2093,20 +2155,28 @@ out: - * BSD sendmsg interface - */ - -+long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags) -+{ -+ int fput_needed, err; -+ struct msghdr msg_sys; -+ struct socket *sock; -+ -+ sock = sockfd_lookup_light(fd, &err, &fput_needed); -+ if (!sock) -+ goto out; -+ -+ err = ___sys_sendmsg(sock, msg, &msg_sys, flags, NULL); -+ -+ fput_light(sock->file, fput_needed); -+out: -+ return err; -+} -+ - SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned int, flags) - { -- int fput_needed, err; -- struct msghdr msg_sys; -- struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed); -- -- if (!sock) -- goto out; -- -- err = __sys_sendmsg(sock, msg, &msg_sys, flags, NULL); -- -- fput_light(sock->file, fput_needed); --out: -- return err; -+ if (flags & MSG_CMSG_COMPAT) -+ return -EINVAL; -+ return __sys_sendmsg(fd, msg, flags); - } - - /* -@@ -2139,15 +2209,16 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, - - while (datagrams < vlen) { - if (MSG_CMSG_COMPAT & flags) { -- err = __sys_sendmsg(sock, (struct msghdr __user *)compat_entry, -- &msg_sys, flags, &used_address); -+ err = ___sys_sendmsg(sock, (struct msghdr __user *)compat_entry, -+ &msg_sys, flags, &used_address); - if (err < 0) - break; - err = __put_user(err, &compat_entry->msg_len); - ++compat_entry; - } else { -- err = __sys_sendmsg(sock, (struct msghdr __user *)entry, -- &msg_sys, flags, &used_address); -+ err = ___sys_sendmsg(sock, -+ (struct msghdr __user *)entry, -+ &msg_sys, flags, &used_address); - if (err < 0) - break; - err = put_user(err, &entry->msg_len); -@@ -2171,10 +2242,12 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, - SYSCALL_DEFINE4(sendmmsg, int, fd, struct mmsghdr __user *, mmsg, - unsigned int, vlen, unsigned int, flags) - { -+ if (flags & MSG_CMSG_COMPAT) -+ return -EINVAL; - return __sys_sendmmsg(fd, mmsg, vlen, flags); - } - --static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg, -+static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, - struct msghdr *msg_sys, unsigned int flags, int nosec) - { - struct compat_msghdr __user *msg_compat = -@@ -2185,7 +2258,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg, +@@ -2196,7 +2258,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, int err, total_len, len; /* kernel mode address */ @@ -90678,7 +90539,7 @@ index 88f759a..74be616 100644 /* user mode address pointers */ struct sockaddr __user *uaddr; -@@ -2213,7 +2286,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg, +@@ -2224,7 +2286,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, * kernel msghdr to use the kernel address space) */ @@ -90687,84 +90548,7 @@ index 88f759a..74be616 100644 uaddr_len = COMPAT_NAMELEN(msg); if (MSG_CMSG_COMPAT & flags) { err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE); -@@ -2266,21 +2339,29 @@ out: - * BSD recvmsg interface - */ - -+long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags) -+{ -+ int fput_needed, err; -+ struct msghdr msg_sys; -+ struct socket *sock; -+ -+ sock = sockfd_lookup_light(fd, &err, &fput_needed); -+ if (!sock) -+ goto out; -+ -+ err = ___sys_recvmsg(sock, msg, &msg_sys, flags, 0); -+ -+ fput_light(sock->file, fput_needed); -+out: -+ return err; -+} -+ - SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg, - unsigned int, flags) - { -- int fput_needed, err; -- struct msghdr msg_sys; -- struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed); -- -- if (!sock) -- goto out; -- -- err = __sys_recvmsg(sock, msg, &msg_sys, flags, 0); -- -- fput_light(sock->file, fput_needed); --out: -- return err; -+ if (flags & MSG_CMSG_COMPAT) -+ return -EINVAL; -+ return __sys_recvmsg(fd, msg, flags); - } - - /* -@@ -2320,17 +2401,18 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, - * No need to ask LSM for more than the first datagram. - */ - if (MSG_CMSG_COMPAT & flags) { -- err = __sys_recvmsg(sock, (struct msghdr __user *)compat_entry, -- &msg_sys, flags & ~MSG_WAITFORONE, -- datagrams); -+ err = ___sys_recvmsg(sock, (struct msghdr __user *)compat_entry, -+ &msg_sys, flags & ~MSG_WAITFORONE, -+ datagrams); - if (err < 0) - break; - err = __put_user(err, &compat_entry->msg_len); - ++compat_entry; - } else { -- err = __sys_recvmsg(sock, (struct msghdr __user *)entry, -- &msg_sys, flags & ~MSG_WAITFORONE, -- datagrams); -+ err = ___sys_recvmsg(sock, -+ (struct msghdr __user *)entry, -+ &msg_sys, flags & ~MSG_WAITFORONE, -+ datagrams); - if (err < 0) - break; - err = put_user(err, &entry->msg_len); -@@ -2397,6 +2479,9 @@ SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg, - int datagrams; - struct timespec timeout_sys; - -+ if (flags & MSG_CMSG_COMPAT) -+ return -EINVAL; -+ - if (!timeout) - return __sys_recvmmsg(fd, mmsg, vlen, flags, NULL); - -@@ -2952,7 +3037,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, +@@ -2975,7 +3037,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); err = dev_ioctl(net, cmd, @@ -90773,7 +90557,7 @@ index 88f759a..74be616 100644 set_fs(old_fs); return err; -@@ -3061,7 +3146,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, +@@ -3084,7 +3146,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); @@ -90782,7 +90566,7 @@ index 88f759a..74be616 100644 set_fs(old_fs); if (cmd == SIOCGIFMAP && !err) { -@@ -3166,7 +3251,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, +@@ -3189,7 +3251,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, ret |= __get_user(rtdev, &(ur4->rt_dev)); if (rtdev) { ret |= copy_from_user(devname, compat_ptr(rtdev), 15); @@ -90791,7 +90575,7 @@ index 88f759a..74be616 100644 devname[15] = 0; } else r4.rt_dev = NULL; -@@ -3392,8 +3477,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, +@@ -3415,8 +3477,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, int __user *uoptlen; int err; @@ -90802,7 +90586,7 @@ index 88f759a..74be616 100644 set_fs(KERNEL_DS); if (level == SOL_SOCKET) -@@ -3413,7 +3498,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, +@@ -3436,7 +3498,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, char __user *uoptval; int err; @@ -91300,18 +91084,6 @@ index c8717c1..08539f5 100644 err = handler(dev, info, (union iwreq_data *) iwp, extra); iwp->length += essid_compat; -diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c -index bcfda89..0cf003d 100644 ---- a/net/xfrm/xfrm_output.c -+++ b/net/xfrm/xfrm_output.c -@@ -64,6 +64,7 @@ static int xfrm_output_one(struct sk_buff *skb, int err) - - if (unlikely(x->km.state != XFRM_STATE_VALID)) { - XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEINVALID); -+ err = -EINVAL; - goto error; - } - diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 167c67d..3f2ae427 100644 --- a/net/xfrm/xfrm_policy.c diff --git a/main/linux-grsec/kernelconfig.x86 b/main/linux-grsec/kernelconfig.x86 index 3f50316571..de622fca84 100644 --- a/main/linux-grsec/kernelconfig.x86 +++ b/main/linux-grsec/kernelconfig.x86 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 3.9.7 Kernel Configuration +# Linux/x86 3.9.8 Kernel Configuration # # CONFIG_64BIT is not set CONFIG_X86_32=y @@ -5523,6 +5523,7 @@ CONFIG_GRKERNSEC_KMEM=y # CONFIG_GRKERNSEC_VM86 is not set # CONFIG_GRKERNSEC_IO is not set CONFIG_GRKERNSEC_PERF_HARDEN=y +# CONFIG_GRKERNSEC_RAND_THREADSTACK is not set CONFIG_GRKERNSEC_PROC_MEMMAP=y # CONFIG_GRKERNSEC_BRUTE is not set # CONFIG_GRKERNSEC_MODHARDEN is not set diff --git a/main/linux-grsec/kernelconfig.x86_64 b/main/linux-grsec/kernelconfig.x86_64 index f338d7ad0b..feaf716d88 100644 --- a/main/linux-grsec/kernelconfig.x86_64 +++ b/main/linux-grsec/kernelconfig.x86_64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 3.9.7 Kernel Configuration +# Linux/x86 3.9.8 Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -5460,6 +5460,7 @@ CONFIG_GRKERNSEC_KMEM=y # CONFIG_GRKERNSEC_IO is not set CONFIG_GRKERNSEC_JIT_HARDEN=y CONFIG_GRKERNSEC_PERF_HARDEN=y +# CONFIG_GRKERNSEC_RAND_THREADSTACK is not set CONFIG_GRKERNSEC_PROC_MEMMAP=y # CONFIG_GRKERNSEC_BRUTE is not set # CONFIG_GRKERNSEC_MODHARDEN is not set |