aboutsummaryrefslogtreecommitdiffstats
path: root/main
diff options
context:
space:
mode:
Diffstat (limited to 'main')
-rw-r--r--main/linux-grsec/APKBUILD28
-rw-r--r--main/linux-grsec/grsecurity-2.9.1-3.9.8-201306272057.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.9.7-201306231443.patch)1224
-rw-r--r--main/linux-grsec/kernelconfig.x863
-rw-r--r--main/linux-grsec/kernelconfig.x86_643
4 files changed, 516 insertions, 742 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 1b93d5b90a..ebbddba2a3 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -2,7 +2,7 @@
_flavor=grsec
pkgname=linux-${_flavor}
-pkgver=3.9.7
+pkgver=3.9.8
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=${pkgver};;
@@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}}
install=
source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
- grsecurity-2.9.1-3.9.7-201306231443.patch
+ grsecurity-2.9.1-3.9.8-201306272057.patch
0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
@@ -149,35 +149,35 @@ dev() {
}
md5sums="4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz
-74005c469fbd309ab631d981e2d3a6e7 patch-3.9.7.xz
-a5db3ef848185c32ad4b0bbfe19106aa grsecurity-2.9.1-3.9.7-201306231443.patch
+c5f2166686a913abf550bfed8b77df27 patch-3.9.8.xz
+53d60133a86b812060b048275f928041 grsecurity-2.9.1-3.9.8-201306272057.patch
a16f11b12381efb3bec79b9bfb329836 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
656ae7b10dd2f18dbfa1011041d08d60 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
2a12a3717052e878c0cd42aa935bfcf4 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch
6ce5fed63aad3f1a1ff1b9ba7b741822 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
1a5800a2122ba0cc0d06733cb3bb8b8f 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
-bfb5ddcfbc1c9f30253de200ec2a0eb0 kernelconfig.x86
-0b6534366d8abbd36c40744163c81e5a kernelconfig.x86_64"
+d89089b3c7eb94dd9f65cf8a357fc36d kernelconfig.x86
+eb147f09fef5996a488c247790205cd6 kernelconfig.x86_64"
sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz
-23db9de5ffa2f8f36d61da85ee46656a3373f8868415c1f3c77c51c41fabfda8 patch-3.9.7.xz
-0aa3ec9d60640ee06ca6c6aed877ce2ee99c2b8a2ee8be50ad92c43ed6570617 grsecurity-2.9.1-3.9.7-201306231443.patch
+2eda9068e81269467e3c247f3343a146731fc45284b12b4bc546bc44dbb263e7 patch-3.9.8.xz
+587022b1fc72157e43011551404c7d664dcc3b6c95b72a853ef2ce721e474057 grsecurity-2.9.1-3.9.8-201306272057.patch
6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
0985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
260fd1807838b68305a96992bf7d3302a2a8ef3a3b08fe079ba9a07e6422f736 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch
ae32bb72afa170e6c3788c564b342763aba5945afacc1e2ebfc096adf50d77a3 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
fc613ac466610b866b721c41836fd5bfb2d4b75bceb67972dc6369d7f62ff47e 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
-c017c0a47fa0dfdefe148aa73e8a19fabb1957dc699de0f94d8d4d9a45bf5abe kernelconfig.x86
-aafae208fc72eaad9d09fcd8220e0d70379d8c7c7f658c10aa96990dc0b36207 kernelconfig.x86_64"
+de3c17420664ae4e52826c6e602aade0deeae94f72253f85b3e48771491ed5d6 kernelconfig.x86
+e1cce320f207cc2ba72b9d154c7060c8cbed52c664319dfd21f24e8956d0bf3e kernelconfig.x86_64"
sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz
-dcf38bca1ee1b90bffd97c74c00720613dbab9183aa600401a821fe20ea665629bc43544053bd2ffe18ebfe1ee2d72d139f22d2f070374f5e231831ed6c89251 patch-3.9.7.xz
-73f819bd44c724bbdc2e01ed4154c9fd53d0a8d1099ffabf56e995d82a9dbcb03c742e1c048cae9b0052d43dbda4d1c2150f6c14a1b958c25eef8b5571047f80 grsecurity-2.9.1-3.9.7-201306231443.patch
+60b7d694d39faf937e7b732eb3117b8442059c5c8857c9d439eec8a87d5bc185505e64062f5ae02c3512acf5af778caf615c35d3499cb8089a4569c05da65b9c patch-3.9.8.xz
+4ca36180a1fc325a558acf73ec9fe3808542498a8f808f73b87a9f6b05ff290d5a5ab20ce39c547a18ce37d093a9857f5c77c495796e62fef986dfa301a9e566 grsecurity-2.9.1-3.9.8-201306272057.patch
81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
51ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
57d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
d2f578ad1d6e1fe52b55863e5bf338ae8201b828a498ec3e42e549c55295d3d1c6c3adfa9e226d711e3486628ed56ab996484e219d79ac4b0c0ec684ebd380aa 0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch
28a33e644bf2faf99c8dd6dbccfe14e140dfdd8824a8fb2d58aa7deb9e572f130d92b6b35ee181084050d82166bdf2e498a451a2a538a67b7ab84204405d2d87 0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
249140374c19a5599876268ff5b3cda2e136681aee103b4a9fff5d7d346f8e3295a907fb43db0701b8a9fece64c299ad2abac0434259cce6631307ce84090205 0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
-bcf675bafd3aac174195a2d38571b9b54f4b6e0635ab3363699ae8845794dc44bcfe952585fae881d81065d4a25333a3e033808c99c977aa4a797b81e5a36c3f kernelconfig.x86
-a8bf4cc1cdb4d1bde9fe4cd4040a596a52a24817fad15b29785ba10ab1d80fd4ae9589ac92f98c8b6b3b5e5510f01b9c9b96b11a2cf05c9684eb0bd62ee6676e kernelconfig.x86_64"
+c51ac429c3e811976318a7ca2a4f7fc48bcf290e885ceeb09a1a56ee32c37b673f6e789789cf36876747bd54e4dc55d340ad888ba0eb8e7f45f60e8ef7ea67b4 kernelconfig.x86
+584e778f96a05388051b05eb6f1c20377bc8aad72d0cd678323af7aaaab85ecc992244fe6bf3f27ab88131903490fd8af3c3fb56062490dd90dca1ba91d4da21 kernelconfig.x86_64"
diff --git a/main/linux-grsec/grsecurity-2.9.1-3.9.7-201306231443.patch b/main/linux-grsec/grsecurity-2.9.1-3.9.8-201306272057.patch
index 5af3232471..3efd0e4c4b 100644
--- a/main/linux-grsec/grsecurity-2.9.1-3.9.7-201306231443.patch
+++ b/main/linux-grsec/grsecurity-2.9.1-3.9.8-201306272057.patch
@@ -263,7 +263,7 @@ index 8ccbf27..afffeb4 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index a129b15..548231d 100644
+index b013cbe..4ca639b 100644
--- a/Makefile
+++ b/Makefile
@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -811,10 +811,10 @@ index 0c4132d..88f0d53 100644
/* Allow reads even for write-only mappings */
if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
-index 1cacda4..2cef624 100644
+index 70cd012..71b82cd 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
-@@ -1850,7 +1850,7 @@ config ALIGNMENT_TRAP
+@@ -1860,7 +1860,7 @@ config ALIGNMENT_TRAP
config UACCESS_WITH_MEMCPY
bool "Use kernel mem{cpy,set}() for {copy_to,clear}_user()"
@@ -3799,7 +3799,7 @@ index 04d9006..c547d85 100644
return __arm_ioremap_caller(phys_addr, size, mtype,
__builtin_return_address(0));
diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c
-index 10062ce..cd34fb9 100644
+index 10062ce..8695745 100644
--- a/arch/arm/mm/mmap.c
+++ b/arch/arm/mm/mmap.c
@@ -59,6 +59,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
@@ -3876,20 +3876,7 @@ index 10062ce..cd34fb9 100644
addr = vm_unmapped_area(&info);
/*
-@@ -162,6 +172,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
- VM_BUG_ON(addr != -ENOMEM);
- info.flags = 0;
- info.low_limit = mm->mmap_base;
-+
-+#ifdef CONFIG_PAX_RANDMMAP
-+ if (mm->pax_flags & MF_PAX_RANDMMAP)
-+ info.low_limit += mm->delta_mmap;
-+#endif
-+
- info.high_limit = TASK_SIZE;
- addr = vm_unmapped_area(&info);
- }
-@@ -173,6 +189,10 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
+@@ -173,6 +183,10 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
{
unsigned long random_factor = 0UL;
@@ -3900,7 +3887,7 @@ index 10062ce..cd34fb9 100644
/* 8 bits of randomness in 20 address space bits */
if ((current->flags & PF_RANDOMIZE) &&
!(current->personality & ADDR_NO_RANDOMIZE))
-@@ -180,10 +200,22 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
+@@ -180,10 +194,22 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
if (mmap_is_legacy()) {
mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
@@ -5767,19 +5754,6 @@ index e0a8235..ce2f1e1 100644
ret = __copy_from_user(to, from, n);
else
copy_from_user_overflow();
-diff --git a/arch/parisc/kernel/drivers.c b/arch/parisc/kernel/drivers.c
-index 5709c5e..14285ca 100644
---- a/arch/parisc/kernel/drivers.c
-+++ b/arch/parisc/kernel/drivers.c
-@@ -394,7 +394,7 @@ EXPORT_SYMBOL(print_pci_hwpath);
- static void setup_bus_id(struct parisc_device *padev)
- {
- struct hardware_path path;
-- char name[20];
-+ char name[28];
- char *output = name;
- int i;
-
diff --git a/arch/parisc/kernel/module.c b/arch/parisc/kernel/module.c
index 2a625fb..9908930 100644
--- a/arch/parisc/kernel/module.c
@@ -5883,20 +5857,6 @@ index 2a625fb..9908930 100644
DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
me->arch.unwind_section, table, end, gp);
-diff --git a/arch/parisc/kernel/setup.c b/arch/parisc/kernel/setup.c
-index a3328c2..3b812eb 100644
---- a/arch/parisc/kernel/setup.c
-+++ b/arch/parisc/kernel/setup.c
-@@ -69,7 +69,8 @@ void __init setup_cmdline(char **cmdline_p)
- /* called from hpux boot loader */
- boot_command_line[0] = '\0';
- } else {
-- strcpy(boot_command_line, (char *)__va(boot_args[1]));
-+ strlcpy(boot_command_line, (char *)__va(boot_args[1]),
-+ COMMAND_LINE_SIZE);
-
- #ifdef CONFIG_BLK_DEV_INITRD
- if (boot_args[2] != 0) /* did palo pass us a ramdisk? */
diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c
index 5dfd248..64914ac 100644
--- a/arch/parisc/kernel/sys_parisc.c
@@ -5972,10 +5932,10 @@ index 5dfd248..64914ac 100644
return addr;
}
diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c
-index aeb8f8f..27a6c2f 100644
+index c6ae9f5..e9c3cf4 100644
--- a/arch/parisc/kernel/traps.c
+++ b/arch/parisc/kernel/traps.c
-@@ -732,9 +732,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs)
+@@ -733,9 +733,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs)
down_read(&current->mm->mmap_sem);
vma = find_vma(current->mm,regs->iaoq[0]);
@@ -10285,7 +10245,7 @@ index ad8f795..2c7eec6 100644
/*
* Memory returned by kmalloc() may be used for DMA, so we must make
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 6ef2a37..74ad6ad 100644
+index de80b33..c0f0899 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -243,7 +243,7 @@ config X86_HT
@@ -19028,7 +18988,7 @@ index 8f3e2de..934870f 100644
/*
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
-index c1d01e6..1bef85a 100644
+index c1d01e6..7f633850 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -59,6 +59,8 @@
@@ -19115,7 +19075,7 @@ index c1d01e6..1bef85a 100644
#endif
-@@ -284,6 +293,311 @@ ENTRY(native_usergs_sysret64)
+@@ -284,6 +293,309 @@ ENTRY(native_usergs_sysret64)
ENDPROC(native_usergs_sysret64)
#endif /* CONFIG_PARAVIRT */
@@ -19245,9 +19205,9 @@ index c1d01e6..1bef85a 100644
+ sub phys_base(%rip),%rbx
+
+#ifdef CONFIG_PARAVIRT
-+ pushq %rdi
+ cmpl $0, pv_info+PARAVIRT_enabled
+ jz 1f
++ pushq %rdi
+ i = 0
+ .rept USER_PGD_PTRS
+ mov i*8(%rbx),%rsi
@@ -19256,6 +19216,7 @@ index c1d01e6..1bef85a 100644
+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
+ i = i + 1
+ .endr
++ popq %rdi
+ jmp 2f
+1:
+#endif
@@ -19267,7 +19228,7 @@ index c1d01e6..1bef85a 100644
+ .endr
+
+#ifdef CONFIG_PARAVIRT
-+2: popq %rdi
++2:
+#endif
+ SET_RDI_INTO_CR3
+
@@ -19308,7 +19269,6 @@ index c1d01e6..1bef85a 100644
+ sub phys_base(%rip),%rbx
+
+#ifdef CONFIG_PARAVIRT
-+ pushq %rdi
+ cmpl $0, pv_info+PARAVIRT_enabled
+ jz 1f
+ i = 0
@@ -19319,8 +19279,6 @@ index c1d01e6..1bef85a 100644
+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
+ i = i + 1
+ .endr
-+ popq %rdi
-+ PV_RESTORE_REGS(CLBR_RDI)
+ jmp 2f
+1:
+#endif
@@ -19332,7 +19290,7 @@ index c1d01e6..1bef85a 100644
+ .endr
+
+#ifdef CONFIG_PARAVIRT
-+2:
++2: PV_RESTORE_REGS(CLBR_RDI)
+#endif
+
+ popq %rbx
@@ -19350,8 +19308,8 @@ index c1d01e6..1bef85a 100644
+#ifdef CONFIG_PAX_KERNEXEC
+ GET_CR0_INTO_RDI
+ bts $16,%rdi
-+ SET_RDI_INTO_CR0
+ jc 110f
++ SET_RDI_INTO_CR0
+ or $2,%ebx
+110:
+#endif
@@ -19359,8 +19317,8 @@ index c1d01e6..1bef85a 100644
+
+ .macro pax_exit_kernel_nmi
+#ifdef CONFIG_PAX_KERNEXEC
-+ test $2,%ebx
-+ jz 110f
++ btr $1,%ebx
++ jnc 110f
+ GET_CR0_INTO_RDI
+ btr $16,%rdi
+ SET_RDI_INTO_CR0
@@ -19427,7 +19385,7 @@ index c1d01e6..1bef85a 100644
.macro TRACE_IRQS_IRETQ offset=ARGOFFSET
#ifdef CONFIG_TRACE_IRQFLAGS
-@@ -375,8 +689,8 @@ ENDPROC(native_usergs_sysret64)
+@@ -375,8 +687,8 @@ ENDPROC(native_usergs_sysret64)
.endm
.macro UNFAKE_STACK_FRAME
@@ -19438,7 +19396,7 @@ index c1d01e6..1bef85a 100644
.endm
/*
-@@ -463,7 +777,7 @@ ENDPROC(native_usergs_sysret64)
+@@ -463,7 +775,7 @@ ENDPROC(native_usergs_sysret64)
movq %rsp, %rsi
leaq -RBP(%rsp),%rdi /* arg1 for handler */
@@ -19447,7 +19405,7 @@ index c1d01e6..1bef85a 100644
je 1f
SWAPGS
/*
-@@ -498,9 +812,10 @@ ENTRY(save_rest)
+@@ -498,9 +810,10 @@ ENTRY(save_rest)
movq_cfi r15, R15+16
movq %r11, 8(%rsp) /* return address */
FIXUP_TOP_OF_STACK %r11, 16
@@ -19459,7 +19417,7 @@ index c1d01e6..1bef85a 100644
/* save complete stack frame */
.pushsection .kprobes.text, "ax"
-@@ -529,9 +844,10 @@ ENTRY(save_paranoid)
+@@ -529,9 +842,10 @@ ENTRY(save_paranoid)
js 1f /* negative -> in kernel */
SWAPGS
xorl %ebx,%ebx
@@ -19472,7 +19430,7 @@ index c1d01e6..1bef85a 100644
.popsection
/*
-@@ -553,7 +869,7 @@ ENTRY(ret_from_fork)
+@@ -553,7 +867,7 @@ ENTRY(ret_from_fork)
RESTORE_REST
@@ -19481,7 +19439,7 @@ index c1d01e6..1bef85a 100644
jz 1f
testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
-@@ -571,7 +887,7 @@ ENTRY(ret_from_fork)
+@@ -571,7 +885,7 @@ ENTRY(ret_from_fork)
RESTORE_REST
jmp int_ret_from_sys_call
CFI_ENDPROC
@@ -19490,7 +19448,7 @@ index c1d01e6..1bef85a 100644
/*
* System call entry. Up to 6 arguments in registers are supported.
-@@ -608,7 +924,7 @@ END(ret_from_fork)
+@@ -608,7 +922,7 @@ END(ret_from_fork)
ENTRY(system_call)
CFI_STARTPROC simple
CFI_SIGNAL_FRAME
@@ -19499,7 +19457,7 @@ index c1d01e6..1bef85a 100644
CFI_REGISTER rip,rcx
/*CFI_REGISTER rflags,r11*/
SWAPGS_UNSAFE_STACK
-@@ -621,16 +937,23 @@ GLOBAL(system_call_after_swapgs)
+@@ -621,16 +935,23 @@ GLOBAL(system_call_after_swapgs)
movq %rsp,PER_CPU_VAR(old_rsp)
movq PER_CPU_VAR(kernel_stack),%rsp
@@ -19525,7 +19483,7 @@ index c1d01e6..1bef85a 100644
jnz tracesys
system_call_fastpath:
#if __SYSCALL_MASK == ~0
-@@ -640,7 +963,7 @@ system_call_fastpath:
+@@ -640,7 +961,7 @@ system_call_fastpath:
cmpl $__NR_syscall_max,%eax
#endif
ja badsys
@@ -19534,7 +19492,7 @@ index c1d01e6..1bef85a 100644
call *sys_call_table(,%rax,8) # XXX: rip relative
movq %rax,RAX-ARGOFFSET(%rsp)
/*
-@@ -654,10 +977,13 @@ sysret_check:
+@@ -654,10 +975,13 @@ sysret_check:
LOCKDEP_SYS_EXIT
DISABLE_INTERRUPTS(CLBR_NONE)
TRACE_IRQS_OFF
@@ -19549,7 +19507,7 @@ index c1d01e6..1bef85a 100644
/*
* sysretq will re-enable interrupts:
*/
-@@ -709,14 +1035,18 @@ badsys:
+@@ -709,14 +1033,18 @@ badsys:
* jump back to the normal fast path.
*/
auditsys:
@@ -19569,7 +19527,7 @@ index c1d01e6..1bef85a 100644
jmp system_call_fastpath
/*
-@@ -737,7 +1067,7 @@ sysret_audit:
+@@ -737,7 +1065,7 @@ sysret_audit:
/* Do syscall tracing */
tracesys:
#ifdef CONFIG_AUDITSYSCALL
@@ -19578,7 +19536,7 @@ index c1d01e6..1bef85a 100644
jz auditsys
#endif
SAVE_REST
-@@ -745,12 +1075,16 @@ tracesys:
+@@ -745,12 +1073,16 @@ tracesys:
FIXUP_TOP_OF_STACK %rdi
movq %rsp,%rdi
call syscall_trace_enter
@@ -19595,7 +19553,7 @@ index c1d01e6..1bef85a 100644
RESTORE_REST
#if __SYSCALL_MASK == ~0
cmpq $__NR_syscall_max,%rax
-@@ -759,7 +1093,7 @@ tracesys:
+@@ -759,7 +1091,7 @@ tracesys:
cmpl $__NR_syscall_max,%eax
#endif
ja int_ret_from_sys_call /* RAX(%rsp) set to -ENOSYS above */
@@ -19604,7 +19562,7 @@ index c1d01e6..1bef85a 100644
call *sys_call_table(,%rax,8)
movq %rax,RAX-ARGOFFSET(%rsp)
/* Use IRET because user could have changed frame */
-@@ -780,7 +1114,9 @@ GLOBAL(int_with_check)
+@@ -780,7 +1112,9 @@ GLOBAL(int_with_check)
andl %edi,%edx
jnz int_careful
andl $~TS_COMPAT,TI_status(%rcx)
@@ -19615,7 +19573,7 @@ index c1d01e6..1bef85a 100644
/* Either reschedule or signal or syscall exit tracking needed. */
/* First do a reschedule test. */
-@@ -826,7 +1162,7 @@ int_restore_rest:
+@@ -826,7 +1160,7 @@ int_restore_rest:
TRACE_IRQS_OFF
jmp int_with_check
CFI_ENDPROC
@@ -19624,7 +19582,7 @@ index c1d01e6..1bef85a 100644
.macro FORK_LIKE func
ENTRY(stub_\func)
-@@ -839,9 +1175,10 @@ ENTRY(stub_\func)
+@@ -839,9 +1173,10 @@ ENTRY(stub_\func)
DEFAULT_FRAME 0 8 /* offset 8: return address */
call sys_\func
RESTORE_TOP_OF_STACK %r11, 8
@@ -19636,7 +19594,7 @@ index c1d01e6..1bef85a 100644
.endm
.macro FIXED_FRAME label,func
-@@ -851,9 +1188,10 @@ ENTRY(\label)
+@@ -851,9 +1186,10 @@ ENTRY(\label)
FIXUP_TOP_OF_STACK %r11, 8-ARGOFFSET
call \func
RESTORE_TOP_OF_STACK %r11, 8-ARGOFFSET
@@ -19648,7 +19606,7 @@ index c1d01e6..1bef85a 100644
.endm
FORK_LIKE clone
-@@ -870,9 +1208,10 @@ ENTRY(ptregscall_common)
+@@ -870,9 +1206,10 @@ ENTRY(ptregscall_common)
movq_cfi_restore R12+8, r12
movq_cfi_restore RBP+8, rbp
movq_cfi_restore RBX+8, rbx
@@ -19660,7 +19618,7 @@ index c1d01e6..1bef85a 100644
ENTRY(stub_execve)
CFI_STARTPROC
-@@ -885,7 +1224,7 @@ ENTRY(stub_execve)
+@@ -885,7 +1222,7 @@ ENTRY(stub_execve)
RESTORE_REST
jmp int_ret_from_sys_call
CFI_ENDPROC
@@ -19669,7 +19627,7 @@ index c1d01e6..1bef85a 100644
/*
* sigreturn is special because it needs to restore all registers on return.
-@@ -902,7 +1241,7 @@ ENTRY(stub_rt_sigreturn)
+@@ -902,7 +1239,7 @@ ENTRY(stub_rt_sigreturn)
RESTORE_REST
jmp int_ret_from_sys_call
CFI_ENDPROC
@@ -19678,7 +19636,7 @@ index c1d01e6..1bef85a 100644
#ifdef CONFIG_X86_X32_ABI
ENTRY(stub_x32_rt_sigreturn)
-@@ -916,7 +1255,7 @@ ENTRY(stub_x32_rt_sigreturn)
+@@ -916,7 +1253,7 @@ ENTRY(stub_x32_rt_sigreturn)
RESTORE_REST
jmp int_ret_from_sys_call
CFI_ENDPROC
@@ -19687,7 +19645,7 @@ index c1d01e6..1bef85a 100644
ENTRY(stub_x32_execve)
CFI_STARTPROC
-@@ -930,7 +1269,7 @@ ENTRY(stub_x32_execve)
+@@ -930,7 +1267,7 @@ ENTRY(stub_x32_execve)
RESTORE_REST
jmp int_ret_from_sys_call
CFI_ENDPROC
@@ -19696,7 +19654,7 @@ index c1d01e6..1bef85a 100644
#endif
-@@ -967,7 +1306,7 @@ vector=vector+1
+@@ -967,7 +1304,7 @@ vector=vector+1
2: jmp common_interrupt
.endr
CFI_ENDPROC
@@ -19705,7 +19663,7 @@ index c1d01e6..1bef85a 100644
.previous
END(interrupt)
-@@ -987,6 +1326,16 @@ END(interrupt)
+@@ -987,6 +1324,16 @@ END(interrupt)
subq $ORIG_RAX-RBP, %rsp
CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP
SAVE_ARGS_IRQ
@@ -19722,7 +19680,7 @@ index c1d01e6..1bef85a 100644
call \func
.endm
-@@ -1019,7 +1368,7 @@ ret_from_intr:
+@@ -1019,7 +1366,7 @@ ret_from_intr:
exit_intr:
GET_THREAD_INFO(%rcx)
@@ -19731,7 +19689,7 @@ index c1d01e6..1bef85a 100644
je retint_kernel
/* Interrupt came from user space */
-@@ -1041,12 +1390,16 @@ retint_swapgs: /* return to user-space */
+@@ -1041,12 +1388,16 @@ retint_swapgs: /* return to user-space */
* The iretq could re-enable interrupts:
*/
DISABLE_INTERRUPTS(CLBR_ANY)
@@ -19748,7 +19706,7 @@ index c1d01e6..1bef85a 100644
/*
* The iretq could re-enable interrupts:
*/
-@@ -1129,7 +1482,7 @@ ENTRY(retint_kernel)
+@@ -1129,7 +1480,7 @@ ENTRY(retint_kernel)
#endif
CFI_ENDPROC
@@ -19757,7 +19715,7 @@ index c1d01e6..1bef85a 100644
/*
* End of kprobes section
*/
-@@ -1147,7 +1500,7 @@ ENTRY(\sym)
+@@ -1147,7 +1498,7 @@ ENTRY(\sym)
interrupt \do_sym
jmp ret_from_intr
CFI_ENDPROC
@@ -19766,7 +19724,7 @@ index c1d01e6..1bef85a 100644
.endm
#ifdef CONFIG_SMP
-@@ -1203,12 +1556,22 @@ ENTRY(\sym)
+@@ -1203,12 +1554,22 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
call error_entry
DEFAULT_FRAME 0
@@ -19790,7 +19748,7 @@ index c1d01e6..1bef85a 100644
.endm
.macro paranoidzeroentry sym do_sym
-@@ -1221,15 +1584,25 @@ ENTRY(\sym)
+@@ -1221,15 +1582,25 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
call save_paranoid
TRACE_IRQS_OFF
@@ -19818,7 +19776,7 @@ index c1d01e6..1bef85a 100644
.macro paranoidzeroentry_ist sym do_sym ist
ENTRY(\sym)
INTR_FRAME
-@@ -1240,14 +1613,30 @@ ENTRY(\sym)
+@@ -1240,14 +1611,30 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
call save_paranoid
TRACE_IRQS_OFF_DEBUG
@@ -19850,7 +19808,7 @@ index c1d01e6..1bef85a 100644
.endm
.macro errorentry sym do_sym
-@@ -1259,13 +1648,23 @@ ENTRY(\sym)
+@@ -1259,13 +1646,23 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
call error_entry
DEFAULT_FRAME 0
@@ -19875,7 +19833,7 @@ index c1d01e6..1bef85a 100644
.endm
/* error code is on the stack already */
-@@ -1279,13 +1678,23 @@ ENTRY(\sym)
+@@ -1279,13 +1676,23 @@ ENTRY(\sym)
call save_paranoid
DEFAULT_FRAME 0
TRACE_IRQS_OFF
@@ -19900,7 +19858,7 @@ index c1d01e6..1bef85a 100644
.endm
zeroentry divide_error do_divide_error
-@@ -1315,9 +1724,10 @@ gs_change:
+@@ -1315,9 +1722,10 @@ gs_change:
2: mfence /* workaround */
SWAPGS
popfq_cfi
@@ -19912,7 +19870,7 @@ index c1d01e6..1bef85a 100644
_ASM_EXTABLE(gs_change,bad_gs)
.section .fixup,"ax"
-@@ -1345,9 +1755,10 @@ ENTRY(call_softirq)
+@@ -1345,9 +1753,10 @@ ENTRY(call_softirq)
CFI_DEF_CFA_REGISTER rsp
CFI_ADJUST_CFA_OFFSET -8
decl PER_CPU_VAR(irq_count)
@@ -19924,7 +19882,7 @@ index c1d01e6..1bef85a 100644
#ifdef CONFIG_XEN
zeroentry xen_hypervisor_callback xen_do_hypervisor_callback
-@@ -1385,7 +1796,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs)
+@@ -1385,7 +1794,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs)
decl PER_CPU_VAR(irq_count)
jmp error_exit
CFI_ENDPROC
@@ -19933,7 +19891,7 @@ index c1d01e6..1bef85a 100644
/*
* Hypervisor uses this for application faults while it executes.
-@@ -1444,7 +1855,7 @@ ENTRY(xen_failsafe_callback)
+@@ -1444,7 +1853,7 @@ ENTRY(xen_failsafe_callback)
SAVE_ALL
jmp error_exit
CFI_ENDPROC
@@ -19942,7 +19900,7 @@ index c1d01e6..1bef85a 100644
apicinterrupt HYPERVISOR_CALLBACK_VECTOR \
xen_hvm_callback_vector xen_evtchn_do_upcall
-@@ -1498,16 +1909,31 @@ ENTRY(paranoid_exit)
+@@ -1498,16 +1907,31 @@ ENTRY(paranoid_exit)
TRACE_IRQS_OFF_DEBUG
testl %ebx,%ebx /* swapgs needed? */
jnz paranoid_restore
@@ -19975,7 +19933,7 @@ index c1d01e6..1bef85a 100644
jmp irq_return
paranoid_userspace:
GET_THREAD_INFO(%rcx)
-@@ -1536,7 +1962,7 @@ paranoid_schedule:
+@@ -1536,7 +1960,7 @@ paranoid_schedule:
TRACE_IRQS_OFF
jmp paranoid_userspace
CFI_ENDPROC
@@ -19984,7 +19942,7 @@ index c1d01e6..1bef85a 100644
/*
* Exception entry point. This expects an error code/orig_rax on the stack.
-@@ -1563,12 +1989,13 @@ ENTRY(error_entry)
+@@ -1563,12 +1987,13 @@ ENTRY(error_entry)
movq_cfi r14, R14+8
movq_cfi r15, R15+8
xorl %ebx,%ebx
@@ -19999,7 +19957,7 @@ index c1d01e6..1bef85a 100644
ret
/*
-@@ -1595,7 +2022,7 @@ bstep_iret:
+@@ -1595,7 +2020,7 @@ bstep_iret:
movq %rcx,RIP+8(%rsp)
jmp error_swapgs
CFI_ENDPROC
@@ -20008,7 +19966,7 @@ index c1d01e6..1bef85a 100644
/* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */
-@@ -1615,7 +2042,7 @@ ENTRY(error_exit)
+@@ -1615,7 +2040,7 @@ ENTRY(error_exit)
jnz retint_careful
jmp retint_swapgs
CFI_ENDPROC
@@ -20017,7 +19975,7 @@ index c1d01e6..1bef85a 100644
/*
* Test if a given stack is an NMI stack or not.
-@@ -1673,9 +2100,11 @@ ENTRY(nmi)
+@@ -1673,9 +2098,11 @@ ENTRY(nmi)
* If %cs was not the kernel segment, then the NMI triggered in user
* space, which means it is definitely not nested.
*/
@@ -20030,7 +19988,7 @@ index c1d01e6..1bef85a 100644
/*
* Check the special variable on the stack to see if NMIs are
* executing.
-@@ -1709,8 +2138,7 @@ nested_nmi:
+@@ -1709,8 +2136,7 @@ nested_nmi:
1:
/* Set up the interrupted NMIs stack to jump to repeat_nmi */
@@ -20040,7 +19998,7 @@ index c1d01e6..1bef85a 100644
CFI_ADJUST_CFA_OFFSET 1*8
leaq -10*8(%rsp), %rdx
pushq_cfi $__KERNEL_DS
-@@ -1728,6 +2156,7 @@ nested_nmi_out:
+@@ -1728,6 +2154,7 @@ nested_nmi_out:
CFI_RESTORE rdx
/* No need to check faults here */
@@ -20048,7 +20006,7 @@ index c1d01e6..1bef85a 100644
INTERRUPT_RETURN
CFI_RESTORE_STATE
-@@ -1844,6 +2273,8 @@ end_repeat_nmi:
+@@ -1844,6 +2271,8 @@ end_repeat_nmi:
*/
movq %cr2, %r12
@@ -20057,7 +20015,7 @@ index c1d01e6..1bef85a 100644
/* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
movq %rsp,%rdi
movq $-1,%rsi
-@@ -1856,26 +2287,31 @@ end_repeat_nmi:
+@@ -1856,26 +2285,31 @@ end_repeat_nmi:
movq %r12, %cr2
1:
@@ -20604,7 +20562,7 @@ index 73afd11..d1670f5 100644
+ .fill PAGE_SIZE_asm - GDT_SIZE,1,0
+ .endr
diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
-index 321d65e..e9437f7 100644
+index 321d65e..7830f05 100644
--- a/arch/x86/kernel/head_64.S
+++ b/arch/x86/kernel/head_64.S
@@ -20,6 +20,8 @@
@@ -20770,7 +20728,7 @@ index 321d65e..e9437f7 100644
NEXT_PAGE(level2_kernel_pgt)
/*
* 512 MB kernel mapping. We spend a full page on this pagetable
-@@ -488,38 +536,64 @@ NEXT_PAGE(level2_kernel_pgt)
+@@ -488,39 +536,64 @@ NEXT_PAGE(level2_kernel_pgt)
KERNEL_IMAGE_SIZE/PMD_SIZE)
NEXT_PAGE(level2_fixmap_pgt)
@@ -20844,8 +20802,9 @@ index 321d65e..e9437f7 100644
- .skip IDT_ENTRIES * 16
+ .fill 512,8,0
- __PAGE_ALIGNED_BSS
+- __PAGE_ALIGNED_BSS
NEXT_PAGE(empty_zero_page)
+ .skip PAGE_SIZE
diff --git a/arch/x86/kernel/i386_ksyms_32.c b/arch/x86/kernel/i386_ksyms_32.c
index 0fa6912..37fce70 100644
--- a/arch/x86/kernel/i386_ksyms_32.c
@@ -22601,7 +22560,7 @@ index f2bb9c9..bed145d7 100644
1:
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index fae9134..f8e4a47 100644
+index fae9134..8fcd87c 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -111,6 +111,7 @@
@@ -22644,7 +22603,7 @@ index fae9134..f8e4a47 100644
void __init setup_arch(char **cmdline_p)
{
+#ifdef CONFIG_X86_32
-+ memblock_reserve(LOAD_PHYSICAL_ADDR, __pa_symbol(__bss_stop) - ____LOAD_PHYSICAL_ADDR);
++ memblock_reserve(LOAD_PHYSICAL_ADDR, __pa_symbol(__bss_stop) - LOAD_PHYSICAL_ADDR);
+#else
memblock_reserve(__pa_symbol(_text),
(unsigned long)__bss_stop - (unsigned long)_text);
@@ -22923,10 +22882,10 @@ index 9b4d51d..5d28b58 100644
switch (opcode[i]) {
diff --git a/arch/x86/kernel/sys_i386_32.c b/arch/x86/kernel/sys_i386_32.c
new file mode 100644
-index 0000000..207bec6
+index 0000000..5877189
--- /dev/null
+++ b/arch/x86/kernel/sys_i386_32.c
-@@ -0,0 +1,250 @@
+@@ -0,0 +1,189 @@
+/*
+ * This file contains various random system calls that
+ * have a non-standard calling sequence on the Linux/i386
@@ -22947,6 +22906,7 @@ index 0000000..207bec6
+#include <linux/file.h>
+#include <linux/utsname.h>
+#include <linux/ipc.h>
++#include <linux/elf.h>
+
+#include <linux/uaccess.h>
+#include <linux/unistd.h>
@@ -22969,13 +22929,28 @@ index 0000000..207bec6
+ return 0;
+}
+
++/*
++ * Align a virtual address to avoid aliasing in the I$ on AMD F15h.
++ */
++static unsigned long get_align_mask(void)
++{
++ if (va_align.flags < 0 || !(va_align.flags & ALIGN_VA_32))
++ return 0;
++
++ if (!(current->flags & PF_RANDOMIZE))
++ return 0;
++
++ return va_align.mask;
++}
++
+unsigned long
+arch_get_unmapped_area(struct file *filp, unsigned long addr,
+ unsigned long len, unsigned long pgoff, unsigned long flags)
+{
+ struct mm_struct *mm = current->mm;
+ struct vm_area_struct *vma;
-+ unsigned long start_addr, pax_task_size = TASK_SIZE;
++ unsigned long pax_task_size = TASK_SIZE;
++ struct vm_unmapped_area_info info;
+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
+
+#ifdef CONFIG_PAX_SEGMEXEC
@@ -23003,61 +22978,35 @@ index 0000000..207bec6
+ return addr;
+ }
+ }
-+ if (len > mm->cached_hole_size) {
-+ start_addr = addr = mm->free_area_cache;
-+ } else {
-+ start_addr = addr = mm->mmap_base;
-+ mm->cached_hole_size = 0;
-+ }
++
++ info.flags = 0;
++ info.length = len;
++ info.align_mask = filp ? get_align_mask() : 0;
++ info.align_offset = pgoff << PAGE_SHIFT;
++ info.threadstack_offset = offset;
+
+#ifdef CONFIG_PAX_PAGEEXEC
-+ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
-+ start_addr = 0x00110000UL;
++ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE)) {
++ info.low_limit = 0x00110000UL;
++ info.high_limit = mm->start_code;
+
+#ifdef CONFIG_PAX_RANDMMAP
+ if (mm->pax_flags & MF_PAX_RANDMMAP)
-+ start_addr += mm->delta_mmap & 0x03FFF000UL;
++ info.low_limit += mm->delta_mmap & 0x03FFF000UL;
+#endif
+
-+ if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
-+ start_addr = addr = mm->mmap_base;
-+ else
-+ addr = start_addr;
-+ }
++ if (info.low_limit < info.high_limit) {
++ addr = vm_unmapped_area(&info);
++ if (!IS_ERR_VALUE(addr))
++ return addr;
++ }
++ } else
+#endif
+
-+full_search:
-+ for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
-+ /* At this point: (!vma || addr < vma->vm_end). */
-+ if (pax_task_size - len < addr) {
-+ /*
-+ * Start a new search - just in case we missed
-+ * some holes.
-+ */
-+ if (start_addr != mm->mmap_base) {
-+ start_addr = addr = mm->mmap_base;
-+ mm->cached_hole_size = 0;
-+ goto full_search;
-+ }
-+ return -ENOMEM;
-+ }
-+ if (check_heap_stack_gap(vma, addr, len, offset))
-+ break;
-+ if (addr + mm->cached_hole_size < vma->vm_start)
-+ mm->cached_hole_size = vma->vm_start - addr;
-+ addr = vma->vm_end;
-+ if (mm->start_brk <= addr && addr < mm->mmap_base) {
-+ start_addr = addr = mm->mmap_base;
-+ mm->cached_hole_size = 0;
-+ goto full_search;
-+ }
-+ }
++ info.low_limit = mm->mmap_base;
++ info.high_limit = pax_task_size;
+
-+ /*
-+ * Remember the place where we stopped the search:
-+ */
-+ mm->free_area_cache = addr + len;
-+ return addr;
++ return vm_unmapped_area(&info);
+}
+
+unsigned long
@@ -23067,7 +23016,8 @@ index 0000000..207bec6
+{
+ struct vm_area_struct *vma;
+ struct mm_struct *mm = current->mm;
-+ unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
++ unsigned long addr = addr0, pax_task_size = TASK_SIZE;
++ struct vm_unmapped_area_info info;
+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
+
+#ifdef CONFIG_PAX_SEGMEXEC
@@ -23103,46 +23053,18 @@ index 0000000..207bec6
+ }
+ }
+
-+ /* check if free_area_cache is useful for us */
-+ if (len <= mm->cached_hole_size) {
-+ mm->cached_hole_size = 0;
-+ mm->free_area_cache = mm->mmap_base;
-+ }
-+
-+ /* either no address requested or can't fit in requested address hole */
-+ addr = mm->free_area_cache;
-+
-+ /* make sure it can fit in the remaining address space */
-+ if (addr > len) {
-+ vma = find_vma(mm, addr-len);
-+ if (check_heap_stack_gap(vma, addr - len, len, offset))
-+ /* remember the address as a hint for next time */
-+ return (mm->free_area_cache = addr-len);
-+ }
-+
-+ if (mm->mmap_base < len)
-+ goto bottomup;
-+
-+ addr = mm->mmap_base-len;
-+
-+ do {
-+ /*
-+ * Lookup failure means no vma is above this address,
-+ * else if new region fits below vma->vm_start,
-+ * return with success:
-+ */
-+ vma = find_vma(mm, addr);
-+ if (check_heap_stack_gap(vma, addr, len, offset))
-+ /* remember the address as a hint for next time */
-+ return (mm->free_area_cache = addr);
-+
-+ /* remember the largest hole we saw so far */
-+ if (addr + mm->cached_hole_size < vma->vm_start)
-+ mm->cached_hole_size = vma->vm_start - addr;
++ info.flags = VM_UNMAPPED_AREA_TOPDOWN;
++ info.length = len;
++ info.low_limit = PAGE_SIZE;
++ info.high_limit = mm->mmap_base;
++ info.align_mask = filp ? get_align_mask() : 0;
++ info.align_offset = pgoff << PAGE_SHIFT;
++ info.threadstack_offset = offset;
+
-+ /* try just below the current vma->vm_start */
-+ addr = skip_heap_stack_gap(vma, len, offset);
-+ } while (!IS_ERR_VALUE(addr));
++ addr = vm_unmapped_area(&info);
++ if (!(addr & ~PAGE_MASK))
++ return addr;
++ VM_BUG_ON(addr != -ENOMEM);
+
+bottomup:
+ /*
@@ -23151,31 +23073,7 @@ index 0000000..207bec6
+ * can happen with large stack limits and large mmap()
+ * allocations.
+ */
-+
-+#ifdef CONFIG_PAX_SEGMEXEC
-+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
-+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
-+ else
-+#endif
-+
-+ mm->mmap_base = TASK_UNMAPPED_BASE;
-+
-+#ifdef CONFIG_PAX_RANDMMAP
-+ if (mm->pax_flags & MF_PAX_RANDMMAP)
-+ mm->mmap_base += mm->delta_mmap;
-+#endif
-+
-+ mm->free_area_cache = mm->mmap_base;
-+ mm->cached_hole_size = ~0UL;
-+ addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
-+ /*
-+ * Restore the topdown base:
-+ */
-+ mm->mmap_base = base;
-+ mm->free_area_cache = base;
-+ mm->cached_hole_size = ~0UL;
-+
-+ return addr;
++ return arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
+}
diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
index dbded5a..ace2781 100644
@@ -24301,10 +24199,10 @@ index 0af1807..06912bb 100644
vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index e172132..c3d3e27 100644
+index 8563b45..272f1fe 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
-@@ -1686,8 +1686,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
+@@ -1685,8 +1685,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
{
struct kvm *kvm = vcpu->kvm;
int lm = is_long_mode(vcpu);
@@ -24315,7 +24213,7 @@ index e172132..c3d3e27 100644
u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64
: kvm->arch.xen_hvm_config.blob_size_32;
u32 page_num = data & ~PAGE_MASK;
-@@ -2567,6 +2567,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
+@@ -2566,6 +2566,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
if (n < msr_list.nmsrs)
goto out;
r = -EFAULT;
@@ -24324,7 +24222,7 @@ index e172132..c3d3e27 100644
if (copy_to_user(user_msr_list->indices, &msrs_to_save,
num_msrs_to_save * sizeof(u32)))
goto out;
-@@ -2696,7 +2698,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu,
+@@ -2695,7 +2697,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu,
static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
struct kvm_interrupt *irq)
{
@@ -24333,7 +24231,7 @@ index e172132..c3d3e27 100644
return -EINVAL;
if (irqchip_in_kernel(vcpu->kvm))
return -ENXIO;
-@@ -5247,7 +5249,7 @@ static struct notifier_block pvclock_gtod_notifier = {
+@@ -5246,7 +5248,7 @@ static struct notifier_block pvclock_gtod_notifier = {
};
#endif
@@ -30491,31 +30389,6 @@ index c77b24a..c979855 100644
return !(ret & 0xff00);
}
EXPORT_SYMBOL(pcibios_set_irq_routing);
-diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
-index 90f3a52..714e825 100644
---- a/arch/x86/platform/efi/efi.c
-+++ b/arch/x86/platform/efi/efi.c
-@@ -1059,7 +1059,10 @@ efi_status_t efi_query_variable_store(u32 attributes, unsigned long size)
- * that by attempting to use more space than is available.
- */
- unsigned long dummy_size = remaining_size + 1024;
-- void *dummy = kmalloc(dummy_size, GFP_ATOMIC);
-+ void *dummy = kzalloc(dummy_size, GFP_ATOMIC);
-+
-+ if (!dummy)
-+ return EFI_OUT_OF_RESOURCES;
-
- status = efi.set_variable(efi_dummy_name, &EFI_DUMMY_GUID,
- EFI_VARIABLE_NON_VOLATILE |
-@@ -1079,6 +1082,8 @@ efi_status_t efi_query_variable_store(u32 attributes, unsigned long size)
- 0, dummy);
- }
-
-+ kfree(dummy);
-+
- /*
- * The runtime code may now have triggered a garbage collection
- * run, so check the variable info again
diff --git a/arch/x86/platform/efi/efi_32.c b/arch/x86/platform/efi/efi_32.c
index 40e4469..1ab536e 100644
--- a/arch/x86/platform/efi/efi_32.c
@@ -37668,7 +37541,7 @@ index 04c69af..5f92d00 100644
#include <linux/input.h>
#include <linux/gameport.h>
diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
-index d6cbfe9..6225402 100644
+index fa061d4..4a6957c 100644
--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -735,7 +735,7 @@ static void xpad_led_set(struct led_classdev *led_cdev,
@@ -38029,7 +37902,7 @@ index 64e204e..c6bf189 100644
.callback = ss4200_led_dmi_callback,
.ident = "Intel SS4200-E",
diff --git a/drivers/lguest/core.c b/drivers/lguest/core.c
-index a5ebc00..982886f 100644
+index a5ebc00..3de3364 100644
--- a/drivers/lguest/core.c
+++ b/drivers/lguest/core.c
@@ -92,9 +92,17 @@ static __init int map_switcher(void)
@@ -38037,7 +37910,7 @@ index a5ebc00..982886f 100644
* allocates an extra guard page, so we need space for that.
*/
+
-+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
+ switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
+ VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
+ + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
@@ -40147,7 +40020,7 @@ index b0c3de9..fc5857e 100644
return -EIO;
}
diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
-index 15ba8c4..3f56838 100644
+index 54fd2ef..33c8a4f 100644
--- a/drivers/net/ethernet/realtek/r8169.c
+++ b/drivers/net/ethernet/realtek/r8169.c
@@ -740,22 +740,22 @@ struct rtl8169_private {
@@ -40290,10 +40163,23 @@ index 011062e..ada88e9 100644
};
diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
-index a449439..1e468fe 100644
+index acf6450..8f771b7 100644
--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
-@@ -1090,7 +1090,7 @@ static int macvtap_device_event(struct notifier_block *unused,
+@@ -525,8 +525,10 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from,
+ return -EMSGSIZE;
+ num_pages = get_user_pages_fast(base, size, 0, &page[i]);
+ if (num_pages != size) {
+- for (i = 0; i < num_pages; i++)
+- put_page(page[i]);
++ int j;
++
++ for (j = 0; j < num_pages; j++)
++ put_page(page[i + j]);
+ return -EFAULT;
+ }
+ truesize = size * PAGE_SIZE;
+@@ -1099,7 +1101,7 @@ static int macvtap_device_event(struct notifier_block *unused,
return NOTIFY_DONE;
}
@@ -40350,7 +40236,7 @@ index 1252d9c..80e660b 100644
/* We've got a compressed packet; read the change byte */
diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
-index bf34192..fba3500 100644
+index 0017b67..ab8f595 100644
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -2668,7 +2668,7 @@ static int team_device_event(struct notifier_block *unused,
@@ -40363,10 +40249,23 @@ index bf34192..fba3500 100644
};
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
-index 755fa9e..631fdce 100644
+index 8ad822e..eb895f1 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
-@@ -1841,7 +1841,7 @@ unlock:
+@@ -1013,8 +1013,10 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from,
+ return -EMSGSIZE;
+ num_pages = get_user_pages_fast(base, size, 0, &page[i]);
+ if (num_pages != size) {
+- for (i = 0; i < num_pages; i++)
+- put_page(page[i]);
++ int j;
++
++ for (j = 0; j < num_pages; j++)
++ put_page(page[i + j]);
+ return -EFAULT;
+ }
+ truesize = size * PAGE_SIZE;
+@@ -1859,7 +1861,7 @@ unlock:
}
static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
@@ -40375,7 +40274,7 @@ index 755fa9e..631fdce 100644
{
struct tun_file *tfile = file->private_data;
struct tun_struct *tun;
-@@ -1853,6 +1853,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
+@@ -1871,6 +1873,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
int vnet_hdr_sz;
int ret;
@@ -40477,10 +40376,10 @@ index e2dd324..be92fcf 100644
hso_start_serial_device(serial_table[i], GFP_NOIO);
hso_kick_transmit(dev2ser(serial_table[i]));
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
-index 7cee7a3..1eb9f3b 100644
+index a4fe5f1..6c9e77f 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
-@@ -1443,7 +1443,7 @@ nla_put_failure:
+@@ -1454,7 +1454,7 @@ nla_put_failure:
return -EMSGSIZE;
}
@@ -40489,6 +40388,62 @@ index 7cee7a3..1eb9f3b 100644
.kind = "vxlan",
.maxtype = IFLA_VXLAN_MAX,
.policy = vxlan_policy,
+diff --git a/drivers/net/wan/dlci.c b/drivers/net/wan/dlci.c
+index 147614e..6a8a382 100644
+--- a/drivers/net/wan/dlci.c
++++ b/drivers/net/wan/dlci.c
+@@ -384,21 +384,37 @@ static int dlci_del(struct dlci_add *dlci)
+ struct frad_local *flp;
+ struct net_device *master, *slave;
+ int err;
++ bool found = false;
++
++ rtnl_lock();
+
+ /* validate slave device */
+ master = __dev_get_by_name(&init_net, dlci->devname);
+- if (!master)
+- return -ENODEV;
++ if (!master) {
++ err = -ENODEV;
++ goto out;
++ }
++
++ list_for_each_entry(dlp, &dlci_devs, list) {
++ if (dlp->master == master) {
++ found = true;
++ break;
++ }
++ }
++ if (!found) {
++ err = -ENODEV;
++ goto out;
++ }
+
+ if (netif_running(master)) {
+- return -EBUSY;
++ err = -EBUSY;
++ goto out;
+ }
+
+ dlp = netdev_priv(master);
+ slave = dlp->slave;
+ flp = netdev_priv(slave);
+
+- rtnl_lock();
+ err = (*flp->deassoc)(slave, master);
+ if (!err) {
+ list_del(&dlp->list);
+@@ -407,8 +423,8 @@ static int dlci_del(struct dlci_add *dlci)
+
+ dev_put(slave);
+ }
++out:
+ rtnl_unlock();
+-
+ return err;
+ }
+
diff --git a/drivers/net/wireless/at76c50x-usb.c b/drivers/net/wireless/at76c50x-usb.c
index 5ac5f7a..5f82012 100644
--- a/drivers/net/wireless/at76c50x-usb.c
@@ -43581,10 +43536,10 @@ index 1f8cba6..47b06c2 100644
}
EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
-index 125e0fd..8c50690 100644
+index 74a5e8b..40c36a7 100644
--- a/drivers/tty/pty.c
+++ b/drivers/tty/pty.c
-@@ -800,8 +800,10 @@ static void __init unix98_pty_init(void)
+@@ -797,8 +797,10 @@ static void __init unix98_pty_init(void)
panic("Couldn't register Unix98 pts driver");
/* Now create the /dev/ptmx special device */
@@ -44398,7 +44353,7 @@ index a9af1b9a..1e08e7f 100644
ret = -EPERM;
goto reterr;
diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
-index c8b9262..7e824e6 100644
+index b645c47..a55c182 100644
--- a/drivers/uio/uio.c
+++ b/drivers/uio/uio.c
@@ -25,6 +25,7 @@
@@ -44431,7 +44386,7 @@ index c8b9262..7e824e6 100644
}
static struct device_attribute uio_class_attributes[] = {
-@@ -397,7 +398,7 @@ void uio_event_notify(struct uio_info *info)
+@@ -398,7 +399,7 @@ void uio_event_notify(struct uio_info *info)
{
struct uio_device *idev = info->uio_dev;
@@ -44440,7 +44395,7 @@ index c8b9262..7e824e6 100644
wake_up_interruptible(&idev->wait);
kill_fasync(&idev->async_queue, SIGIO, POLL_IN);
}
-@@ -450,7 +451,7 @@ static int uio_open(struct inode *inode, struct file *filep)
+@@ -451,7 +452,7 @@ static int uio_open(struct inode *inode, struct file *filep)
}
listener->dev = idev;
@@ -44449,7 +44404,7 @@ index c8b9262..7e824e6 100644
filep->private_data = listener;
if (idev->info->open) {
-@@ -501,7 +502,7 @@ static unsigned int uio_poll(struct file *filep, poll_table *wait)
+@@ -502,7 +503,7 @@ static unsigned int uio_poll(struct file *filep, poll_table *wait)
return -EIO;
poll_wait(filep, &idev->wait, wait);
@@ -44458,7 +44413,7 @@ index c8b9262..7e824e6 100644
return POLLIN | POLLRDNORM;
return 0;
}
-@@ -526,7 +527,7 @@ static ssize_t uio_read(struct file *filep, char __user *buf,
+@@ -527,7 +528,7 @@ static ssize_t uio_read(struct file *filep, char __user *buf,
do {
set_current_state(TASK_INTERRUPTIBLE);
@@ -44467,7 +44422,7 @@ index c8b9262..7e824e6 100644
if (event_count != listener->event_count) {
if (copy_to_user(buf, &event_count, count))
retval = -EFAULT;
-@@ -595,13 +596,13 @@ static int uio_find_mem_index(struct vm_area_struct *vma)
+@@ -596,13 +597,13 @@ static int uio_find_mem_index(struct vm_area_struct *vma)
static void uio_vma_open(struct vm_area_struct *vma)
{
struct uio_device *idev = vma->vm_private_data;
@@ -44483,7 +44438,7 @@ index c8b9262..7e824e6 100644
}
static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
-@@ -808,7 +809,7 @@ int __uio_register_device(struct module *owner,
+@@ -809,7 +810,7 @@ int __uio_register_device(struct module *owner,
idev->owner = owner;
idev->info = info;
init_waitqueue_head(&idev->wait);
@@ -57045,7 +57000,7 @@ index ca9ecaa..60100c7 100644
kfree(s);
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..ba9c5e3
+index 0000000..4fb1dde
--- /dev/null
+++ b/grsecurity/Kconfig
@@ -0,0 +1,1053 @@
@@ -57156,7 +57111,7 @@ index 0000000..ba9c5e3
+config GRKERNSEC_RAND_THREADSTACK
+ bool "Insert random gaps between thread stacks"
+ default y if GRKERNSEC_CONFIG_AUTO
-+ depends on PAX_RANDMMAP && !PPC && BROKEN
++ depends on PAX_RANDMMAP && !PPC
+ help
+ If you say Y here, a random-sized gap will be enforced between allocated
+ thread stacks. Glibc's NPTL and other threading libraries that
@@ -70255,7 +70210,7 @@ index b8ba855..0148090 100644
u32 remainder;
return div_u64_rem(dividend, divisor, &remainder);
diff --git a/include/linux/mm.h b/include/linux/mm.h
-index e2091b8..821db54 100644
+index e2091b8..3c7b38c 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -101,6 +101,11 @@ extern unsigned int kobjsize(const void *objp);
@@ -70428,14 +70383,29 @@ index e2091b8..821db54 100644
#ifdef CONFIG_MMU
extern int __mm_populate(unsigned long addr, unsigned long len,
-@@ -1483,6 +1497,7 @@ struct vm_unmapped_area_info {
+@@ -1483,10 +1497,11 @@ struct vm_unmapped_area_info {
unsigned long high_limit;
unsigned long align_mask;
unsigned long align_offset;
+ unsigned long threadstack_offset;
};
- extern unsigned long unmapped_area(struct vm_unmapped_area_info *info);
+-extern unsigned long unmapped_area(struct vm_unmapped_area_info *info);
+-extern unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info);
++extern unsigned long unmapped_area(const struct vm_unmapped_area_info *info);
++extern unsigned long unmapped_area_topdown(const struct vm_unmapped_area_info *info);
+
+ /*
+ * Search for an unmapped address range.
+@@ -1498,7 +1513,7 @@ extern unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info);
+ * - satisfies (begin_addr & align_mask) == (align_offset & align_mask)
+ */
+ static inline unsigned long
+-vm_unmapped_area(struct vm_unmapped_area_info *info)
++vm_unmapped_area(const struct vm_unmapped_area_info *info)
+ {
+ if (!(info->flags & VM_UNMAPPED_AREA_TOPDOWN))
+ return unmapped_area(info);
@@ -1561,6 +1576,10 @@ extern struct vm_area_struct * find_vma(struct mm_struct * mm, unsigned long add
extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
struct vm_area_struct **pprev);
@@ -70968,7 +70938,7 @@ index 45fc162..01a4068 100644
/**
* struct hotplug_slot_info - used to notify the hotplug pci core of the state of the slot
diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
-index 1d795df..b0a6449 100644
+index 2f522a3..494e45f 100644
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -333,8 +333,8 @@ struct perf_event {
@@ -70993,7 +70963,7 @@ index 1d795df..b0a6449 100644
/*
* Protect attach/detach and child_list:
-@@ -704,7 +704,7 @@ static inline void perf_callchain_store(struct perf_callchain_entry *entry, u64
+@@ -703,7 +703,7 @@ static inline void perf_callchain_store(struct perf_callchain_entry *entry, u64
entry->ip[entry->nr++] = ip;
}
@@ -71002,7 +70972,7 @@ index 1d795df..b0a6449 100644
extern int sysctl_perf_event_mlock;
extern int sysctl_perf_event_sample_rate;
-@@ -712,19 +712,24 @@ extern int perf_proc_update_handler(struct ctl_table *table, int write,
+@@ -711,19 +711,24 @@ extern int perf_proc_update_handler(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp,
loff_t *ppos);
@@ -71030,7 +71000,7 @@ index 1d795df..b0a6449 100644
}
extern void perf_event_init(void);
-@@ -812,7 +817,7 @@ static inline void perf_restore_debug_store(void) { }
+@@ -811,7 +816,7 @@ static inline void perf_restore_debug_store(void) { }
*/
#define perf_cpu_notifier(fn) \
do { \
@@ -71039,7 +71009,7 @@ index 1d795df..b0a6449 100644
{ .notifier_call = fn, .priority = CPU_PRI_PERF }; \
unsigned long cpu = smp_processor_id(); \
unsigned long flags; \
-@@ -831,7 +836,7 @@ do { \
+@@ -830,7 +835,7 @@ do { \
struct perf_pmu_events_attr {
struct device_attribute attr;
u64 id;
@@ -71702,7 +71672,7 @@ index 429c199..4d42e38 100644
/* shm_mode upper byte flags */
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
-index b8292d8..96db310 100644
+index 1f2803c..4858a3d 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -599,7 +599,7 @@ extern bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
@@ -72023,20 +71993,6 @@ index e8d702e..0a56eb4 100644
int sock_diag_register(const struct sock_diag_handler *h);
void sock_diag_unregister(const struct sock_diag_handler *h);
-diff --git a/include/linux/socket.h b/include/linux/socket.h
-index 2b9f74b..e897bdc 100644
---- a/include/linux/socket.h
-+++ b/include/linux/socket.h
-@@ -321,6 +321,9 @@ extern int put_cmsg(struct msghdr*, int level, int type, int len, void *data);
-
- struct timespec;
-
-+/* The __sys_...msg variants allow MSG_CMSG_COMPAT */
-+extern long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags);
-+extern long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags);
- extern int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
- unsigned int flags, struct timespec *timeout);
- extern int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg,
diff --git a/include/linux/sonet.h b/include/linux/sonet.h
index 680f9a3..f13aeb0 100644
--- a/include/linux/sonet.h
@@ -75189,7 +75145,7 @@ index 00eb8f7..d7e3244 100644
#ifdef CONFIG_MODULE_UNLOAD
{
diff --git a/kernel/events/core.c b/kernel/events/core.c
-index 9fcb094..353baaaf 100644
+index f8ddcfb..77c06ec 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -154,8 +154,15 @@ static struct srcu_struct pmus_srcu;
@@ -75218,7 +75174,7 @@ index 9fcb094..353baaaf 100644
static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx,
enum event_type_t event_type);
-@@ -2677,7 +2684,7 @@ static void __perf_event_read(void *info)
+@@ -2674,7 +2681,7 @@ static void __perf_event_read(void *info)
static inline u64 perf_event_count(struct perf_event *event)
{
@@ -75227,7 +75183,7 @@ index 9fcb094..353baaaf 100644
}
static u64 perf_event_read(struct perf_event *event)
-@@ -3007,9 +3014,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running)
+@@ -3020,9 +3027,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running)
mutex_lock(&event->child_mutex);
total += perf_event_read(event);
*enabled += event->total_time_enabled +
@@ -75239,7 +75195,7 @@ index 9fcb094..353baaaf 100644
list_for_each_entry(child, &event->child_list, child_list) {
total += perf_event_read(child);
-@@ -3412,10 +3419,10 @@ void perf_event_update_userpage(struct perf_event *event)
+@@ -3408,10 +3415,10 @@ void perf_event_update_userpage(struct perf_event *event)
userpg->offset -= local64_read(&event->hw.prev_count);
userpg->time_enabled = enabled +
@@ -75252,7 +75208,7 @@ index 9fcb094..353baaaf 100644
arch_perf_update_userpage(userpg, now);
-@@ -3886,7 +3893,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size,
+@@ -3961,7 +3968,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size,
/* Data. */
sp = perf_user_stack_pointer(regs);
@@ -75261,7 +75217,7 @@ index 9fcb094..353baaaf 100644
dyn_size = dump_size - rem;
perf_output_skip(handle, rem);
-@@ -3974,11 +3981,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
+@@ -4049,11 +4056,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
values[n++] = perf_event_count(event);
if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
values[n++] = enabled +
@@ -75275,7 +75231,7 @@ index 9fcb094..353baaaf 100644
}
if (read_format & PERF_FORMAT_ID)
values[n++] = primary_event_id(event);
-@@ -4726,12 +4733,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
+@@ -4801,12 +4808,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
* need to add enough zero bytes after the string to handle
* the 64bit alignment we do later.
*/
@@ -75290,7 +75246,7 @@ index 9fcb094..353baaaf 100644
if (IS_ERR(name)) {
name = strncpy(tmp, "//toolong", sizeof(tmp));
goto got_name;
-@@ -6167,7 +6174,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
+@@ -6242,7 +6249,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
event->parent = parent_event;
event->ns = get_pid_ns(task_active_pid_ns(current));
@@ -75299,7 +75255,7 @@ index 9fcb094..353baaaf 100644
event->state = PERF_EVENT_STATE_INACTIVE;
-@@ -6463,6 +6470,11 @@ SYSCALL_DEFINE5(perf_event_open,
+@@ -6552,6 +6559,11 @@ SYSCALL_DEFINE5(perf_event_open,
if (flags & ~PERF_FLAG_ALL)
return -EINVAL;
@@ -75311,7 +75267,7 @@ index 9fcb094..353baaaf 100644
err = perf_copy_attr(attr_uptr, &attr);
if (err)
return err;
-@@ -6795,10 +6807,10 @@ static void sync_child_event(struct perf_event *child_event,
+@@ -6884,10 +6896,10 @@ static void sync_child_event(struct perf_event *child_event,
/*
* Add back the child's count to the parent's count:
*/
@@ -75326,10 +75282,10 @@ index 9fcb094..353baaaf 100644
/*
diff --git a/kernel/events/internal.h b/kernel/events/internal.h
-index eb675c4..54912ff 100644
+index ca65997..cc8cee4 100644
--- a/kernel/events/internal.h
+++ b/kernel/events/internal.h
-@@ -77,10 +77,10 @@ static inline unsigned long perf_data_size(struct ring_buffer *rb)
+@@ -81,10 +81,10 @@ static inline unsigned long perf_data_size(struct ring_buffer *rb)
return rb->nr_pages << (PAGE_SHIFT + page_order(rb));
}
@@ -75342,7 +75298,7 @@ index eb675c4..54912ff 100644
{ \
unsigned long size, written; \
\
-@@ -112,17 +112,17 @@ static inline int memcpy_common(void *dst, const void *src, size_t n)
+@@ -116,17 +116,17 @@ static inline int memcpy_common(void *dst, const void *src, size_t n)
return n;
}
@@ -82244,7 +82200,7 @@ index 79b7cf7..9944291 100644
capable(CAP_IPC_LOCK))
ret = do_mlockall(flags);
diff --git a/mm/mmap.c b/mm/mmap.c
-index 0dceed8..e7cfc40 100644
+index 0dceed8..bfcaf45 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -33,6 +33,7 @@
@@ -82645,10 +82601,11 @@ index 0dceed8..e7cfc40 100644
kmem_cache_free(vm_area_cachep, vma);
unacct_error:
if (charged)
-@@ -1584,6 +1744,62 @@ unacct_error:
+@@ -1584,7 +1744,63 @@ unacct_error:
return error;
}
+-unsigned long unmapped_area(struct vm_unmapped_area_info *info)
+#ifdef CONFIG_GRKERNSEC_RAND_THREADSTACK
+unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags)
+{
@@ -82705,10 +82662,76 @@ index 0dceed8..e7cfc40 100644
+ return -ENOMEM;
+}
+
- unsigned long unmapped_area(struct vm_unmapped_area_info *info)
++unsigned long unmapped_area(const struct vm_unmapped_area_info *info)
{
/*
-@@ -1803,6 +2019,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+ * We implement the search by looking for an rbtree node that
+@@ -1632,11 +1848,29 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info)
+ }
+ }
+
+- gap_start = vma->vm_prev ? vma->vm_prev->vm_end : 0;
++ gap_start = vma->vm_prev ? vma->vm_prev->vm_end: 0;
+ check_current:
+ /* Check if current node has a suitable gap */
+ if (gap_start > high_limit)
+ return -ENOMEM;
++
++ if (gap_end - gap_start > info->threadstack_offset)
++ gap_start += info->threadstack_offset;
++ else
++ gap_start = gap_end;
++
++ if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP)) {
++ if (gap_end - gap_start > sysctl_heap_stack_gap)
++ gap_start += sysctl_heap_stack_gap;
++ else
++ gap_start = gap_end;
++ }
++ if (vma->vm_flags & VM_GROWSDOWN) {
++ if (gap_end - gap_start > sysctl_heap_stack_gap)
++ gap_end -= sysctl_heap_stack_gap;
++ else
++ gap_end = gap_start;
++ }
+ if (gap_end >= low_limit && gap_end - gap_start >= length)
+ goto found;
+
+@@ -1686,7 +1920,7 @@ found:
+ return gap_start;
+ }
+
+-unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info)
++unsigned long unmapped_area_topdown(const struct vm_unmapped_area_info *info)
+ {
+ struct mm_struct *mm = current->mm;
+ struct vm_area_struct *vma;
+@@ -1740,6 +1974,24 @@ check_current:
+ gap_end = vma->vm_start;
+ if (gap_end < low_limit)
+ return -ENOMEM;
++
++ if (gap_end - gap_start > info->threadstack_offset)
++ gap_end -= info->threadstack_offset;
++ else
++ gap_end = gap_start;
++
++ if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP)) {
++ if (gap_end - gap_start > sysctl_heap_stack_gap)
++ gap_start += sysctl_heap_stack_gap;
++ else
++ gap_start = gap_end;
++ }
++ if (vma->vm_flags & VM_GROWSDOWN) {
++ if (gap_end - gap_start > sysctl_heap_stack_gap)
++ gap_end -= sysctl_heap_stack_gap;
++ else
++ gap_end = gap_start;
++ }
+ if (gap_start <= high_limit && gap_end - gap_start >= length)
+ goto found;
+
+@@ -1803,6 +2055,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
struct mm_struct *mm = current->mm;
struct vm_area_struct *vma;
struct vm_unmapped_area_info info;
@@ -82716,7 +82739,7 @@ index 0dceed8..e7cfc40 100644
if (len > TASK_SIZE)
return -ENOMEM;
-@@ -1810,29 +2027,45 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+@@ -1810,29 +2063,45 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
if (flags & MAP_FIXED)
return addr;
@@ -82765,7 +82788,7 @@ index 0dceed8..e7cfc40 100644
mm->free_area_cache = addr;
}
-@@ -1850,6 +2083,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1850,6 +2119,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
struct mm_struct *mm = current->mm;
unsigned long addr = addr0;
struct vm_unmapped_area_info info;
@@ -82773,7 +82796,7 @@ index 0dceed8..e7cfc40 100644
/* requested length too big for entire address space */
if (len > TASK_SIZE)
-@@ -1858,12 +2092,15 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1858,12 +2128,15 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
if (flags & MAP_FIXED)
return addr;
@@ -82791,7 +82814,7 @@ index 0dceed8..e7cfc40 100644
return addr;
}
-@@ -1872,6 +2109,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1872,6 +2145,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
info.low_limit = PAGE_SIZE;
info.high_limit = mm->mmap_base;
info.align_mask = 0;
@@ -82799,7 +82822,7 @@ index 0dceed8..e7cfc40 100644
addr = vm_unmapped_area(&info);
/*
-@@ -1884,6 +2122,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1884,6 +2158,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
VM_BUG_ON(addr != -ENOMEM);
info.flags = 0;
info.low_limit = TASK_UNMAPPED_BASE;
@@ -82812,7 +82835,7 @@ index 0dceed8..e7cfc40 100644
info.high_limit = TASK_SIZE;
addr = vm_unmapped_area(&info);
}
-@@ -1894,6 +2138,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1894,6 +2174,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
{
@@ -82825,7 +82848,7 @@ index 0dceed8..e7cfc40 100644
/*
* Is this a new hole at the highest possible address?
*/
-@@ -1901,8 +2151,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
+@@ -1901,8 +2187,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
mm->free_area_cache = addr;
/* dont allow allocations above current base */
@@ -82837,7 +82860,7 @@ index 0dceed8..e7cfc40 100644
}
unsigned long
-@@ -2001,6 +2253,28 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr,
+@@ -2001,6 +2289,28 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr,
return vma;
}
@@ -82866,7 +82889,7 @@ index 0dceed8..e7cfc40 100644
/*
* Verify that the stack growth is acceptable and
* update accounting. This is shared with both the
-@@ -2017,6 +2291,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -2017,6 +2327,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
return -ENOMEM;
/* Stack limit test */
@@ -82874,7 +82897,7 @@ index 0dceed8..e7cfc40 100644
if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
return -ENOMEM;
-@@ -2027,6 +2302,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -2027,6 +2338,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
locked = mm->locked_vm + grow;
limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
limit >>= PAGE_SHIFT;
@@ -82882,7 +82905,7 @@ index 0dceed8..e7cfc40 100644
if (locked > limit && !capable(CAP_IPC_LOCK))
return -ENOMEM;
}
-@@ -2056,37 +2332,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -2056,37 +2368,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
* PA-RISC uses this for its stack; IA64 for its Register Backing Store.
* vma is the last one with address > vma->vm_end. Have to extend vma.
*/
@@ -82940,7 +82963,7 @@ index 0dceed8..e7cfc40 100644
unsigned long size, grow;
size = address - vma->vm_start;
-@@ -2121,6 +2408,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+@@ -2121,6 +2444,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
}
}
}
@@ -82949,7 +82972,7 @@ index 0dceed8..e7cfc40 100644
vma_unlock_anon_vma(vma);
khugepaged_enter_vma_merge(vma);
validate_mm(vma->vm_mm);
-@@ -2135,6 +2424,8 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2135,6 +2460,8 @@ int expand_downwards(struct vm_area_struct *vma,
unsigned long address)
{
int error;
@@ -82958,7 +82981,7 @@ index 0dceed8..e7cfc40 100644
/*
* We must make sure the anon_vma is allocated
-@@ -2148,6 +2439,15 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2148,6 +2475,15 @@ int expand_downwards(struct vm_area_struct *vma,
if (error)
return error;
@@ -82974,7 +82997,7 @@ index 0dceed8..e7cfc40 100644
vma_lock_anon_vma(vma);
/*
-@@ -2157,9 +2457,17 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2157,9 +2493,17 @@ int expand_downwards(struct vm_area_struct *vma,
*/
/* Somebody else might have raced and expanded it already */
@@ -82993,7 +83016,7 @@ index 0dceed8..e7cfc40 100644
size = vma->vm_end - address;
grow = (vma->vm_start - address) >> PAGE_SHIFT;
-@@ -2184,13 +2492,27 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2184,13 +2528,27 @@ int expand_downwards(struct vm_area_struct *vma,
vma->vm_pgoff -= grow;
anon_vma_interval_tree_post_update_vma(vma);
vma_gap_update(vma);
@@ -83021,7 +83044,7 @@ index 0dceed8..e7cfc40 100644
khugepaged_enter_vma_merge(vma);
validate_mm(vma->vm_mm);
return error;
-@@ -2288,6 +2610,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2288,6 +2646,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
do {
long nrpages = vma_pages(vma);
@@ -83035,7 +83058,7 @@ index 0dceed8..e7cfc40 100644
if (vma->vm_flags & VM_ACCOUNT)
nr_accounted += nrpages;
vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
-@@ -2333,6 +2662,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2333,6 +2698,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
insertion_point = (prev ? &prev->vm_next : &mm->mmap);
vma->vm_prev = NULL;
do {
@@ -83052,7 +83075,7 @@ index 0dceed8..e7cfc40 100644
vma_rb_erase(vma, &mm->mm_rb);
mm->map_count--;
tail_vma = vma;
-@@ -2364,14 +2703,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2364,14 +2739,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
struct vm_area_struct *new;
int err = -ENOMEM;
@@ -83086,7 +83109,7 @@ index 0dceed8..e7cfc40 100644
/* most fields are the same, copy all, and then fixup */
*new = *vma;
-@@ -2384,6 +2742,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2384,6 +2778,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
}
@@ -83109,7 +83132,7 @@ index 0dceed8..e7cfc40 100644
pol = mpol_dup(vma_policy(vma));
if (IS_ERR(pol)) {
err = PTR_ERR(pol);
-@@ -2406,6 +2780,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2406,6 +2816,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
else
err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
@@ -83146,7 +83169,7 @@ index 0dceed8..e7cfc40 100644
/* Success. */
if (!err)
return 0;
-@@ -2415,10 +2819,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2415,10 +2855,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
new->vm_ops->close(new);
if (new->vm_file)
fput(new->vm_file);
@@ -83166,7 +83189,7 @@ index 0dceed8..e7cfc40 100644
kmem_cache_free(vm_area_cachep, new);
out_err:
return err;
-@@ -2431,6 +2843,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2431,6 +2879,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
unsigned long addr, int new_below)
{
@@ -83182,7 +83205,7 @@ index 0dceed8..e7cfc40 100644
if (mm->map_count >= sysctl_max_map_count)
return -ENOMEM;
-@@ -2442,11 +2863,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2442,11 +2899,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
* work. This now handles partial unmappings.
* Jeremy Fitzhardinge <jeremy@goop.org>
*/
@@ -83213,7 +83236,7 @@ index 0dceed8..e7cfc40 100644
if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
return -EINVAL;
-@@ -2521,6 +2961,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
+@@ -2521,6 +2997,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
/* Fix up all other VM information */
remove_vma_list(mm, vma);
@@ -83222,7 +83245,7 @@ index 0dceed8..e7cfc40 100644
return 0;
}
-@@ -2529,6 +2971,13 @@ int vm_munmap(unsigned long start, size_t len)
+@@ -2529,6 +3007,13 @@ int vm_munmap(unsigned long start, size_t len)
int ret;
struct mm_struct *mm = current->mm;
@@ -83236,7 +83259,7 @@ index 0dceed8..e7cfc40 100644
down_write(&mm->mmap_sem);
ret = do_munmap(mm, start, len);
up_write(&mm->mmap_sem);
-@@ -2542,16 +2991,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
+@@ -2542,16 +3027,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
return vm_munmap(addr, len);
}
@@ -83253,7 +83276,7 @@ index 0dceed8..e7cfc40 100644
/*
* this is really a simplified "do_mmap". it only handles
* anonymous maps. eventually we may be able to do some
-@@ -2565,6 +3004,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2565,6 +3040,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
struct rb_node ** rb_link, * rb_parent;
pgoff_t pgoff = addr >> PAGE_SHIFT;
int error;
@@ -83261,7 +83284,7 @@ index 0dceed8..e7cfc40 100644
len = PAGE_ALIGN(len);
if (!len)
-@@ -2572,16 +3012,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2572,16 +3048,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
@@ -83293,7 +83316,7 @@ index 0dceed8..e7cfc40 100644
locked += mm->locked_vm;
lock_limit = rlimit(RLIMIT_MEMLOCK);
lock_limit >>= PAGE_SHIFT;
-@@ -2598,21 +3052,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2598,21 +3088,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
/*
* Clear old maps. this also does some error checking for us
*/
@@ -83318,7 +83341,7 @@ index 0dceed8..e7cfc40 100644
return -ENOMEM;
/* Can we just expand an old private anonymous mapping? */
-@@ -2626,7 +3079,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2626,7 +3115,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
*/
vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
if (!vma) {
@@ -83327,7 +83350,7 @@ index 0dceed8..e7cfc40 100644
return -ENOMEM;
}
-@@ -2640,9 +3093,10 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2640,9 +3129,10 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
vma_link(mm, vma, prev, rb_link, rb_parent);
out:
perf_event_mmap(vma);
@@ -83340,7 +83363,7 @@ index 0dceed8..e7cfc40 100644
return addr;
}
-@@ -2704,6 +3158,7 @@ void exit_mmap(struct mm_struct *mm)
+@@ -2704,6 +3194,7 @@ void exit_mmap(struct mm_struct *mm)
while (vma) {
if (vma->vm_flags & VM_ACCOUNT)
nr_accounted += vma_pages(vma);
@@ -83348,7 +83371,7 @@ index 0dceed8..e7cfc40 100644
vma = remove_vma(vma);
}
vm_unacct_memory(nr_accounted);
-@@ -2720,6 +3175,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2720,6 +3211,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
struct vm_area_struct *prev;
struct rb_node **rb_link, *rb_parent;
@@ -83362,7 +83385,7 @@ index 0dceed8..e7cfc40 100644
/*
* The vm_pgoff of a purely anonymous vma should be irrelevant
* until its first write fault, when page's anon_vma and index
-@@ -2743,7 +3205,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2743,7 +3241,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
security_vm_enough_memory_mm(mm, vma_pages(vma)))
return -ENOMEM;
@@ -83384,7 +83407,7 @@ index 0dceed8..e7cfc40 100644
return 0;
}
-@@ -2763,6 +3239,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2763,6 +3275,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
struct mempolicy *pol;
bool faulted_in_anon_vma = true;
@@ -83393,7 +83416,7 @@ index 0dceed8..e7cfc40 100644
/*
* If anonymous vma has not yet been faulted, update new pgoff
* to match new location, to increase its chance of merging.
-@@ -2829,6 +3307,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2829,6 +3343,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
return NULL;
}
@@ -83433,7 +83456,7 @@ index 0dceed8..e7cfc40 100644
/*
* Return true if the calling process may expand its vm space by the passed
* number of pages
-@@ -2840,6 +3351,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
+@@ -2840,6 +3387,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
@@ -83441,7 +83464,7 @@ index 0dceed8..e7cfc40 100644
if (cur + npages > lim)
return 0;
return 1;
-@@ -2910,6 +3422,22 @@ int install_special_mapping(struct mm_struct *mm,
+@@ -2910,6 +3458,22 @@ int install_special_mapping(struct mm_struct *mm,
vma->vm_start = addr;
vma->vm_end = addr + len;
@@ -85864,10 +85887,20 @@ index 6a93614..1415549 100644
err = -EFAULT;
break;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
-index c5f9cd6..8d23158 100644
+index c5f9cd6..dfc8ec1 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
-@@ -3395,8 +3395,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
+@@ -2743,6 +2743,9 @@ static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
+ BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
+ conn, code, ident, dlen);
+
++ if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
++ return NULL;
++
+ len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
+ count = min_t(unsigned int, conn->mtu, len);
+
+@@ -3395,8 +3398,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
break;
case L2CAP_CONF_RFC:
@@ -85880,6 +85913,15 @@ index c5f9cd6..8d23158 100644
if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
rfc.mode != chan->mode)
+@@ -4221,7 +4226,7 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn,
+ struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
+ u16 type, result;
+
+- if (cmd_len != sizeof(*rsp))
++ if (cmd_len < sizeof(*rsp))
+ return -EPROTO;
+
+ type = __le16_to_cpu(rsp->type);
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 1bcfb84..dad9f98 100644
--- a/net/bluetooth/l2cap_sock.c
@@ -86111,7 +86153,7 @@ index 117814a..ad4fb73 100644
if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) {
diff --git a/net/compat.c b/net/compat.c
-index 79ae884..0541331 100644
+index f0a1ba6..0541331 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -71,9 +71,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
@@ -86241,45 +86283,7 @@ index 79ae884..0541331 100644
struct group_filter __user *kgf;
int __user *koptlen;
u32 interface, fmode, numsrc;
-@@ -734,19 +734,25 @@ static unsigned char nas[21] = {
-
- asmlinkage long compat_sys_sendmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags)
- {
-- return sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
-+ if (flags & MSG_CMSG_COMPAT)
-+ return -EINVAL;
-+ return __sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
- }
-
- asmlinkage long compat_sys_sendmmsg(int fd, struct compat_mmsghdr __user *mmsg,
- unsigned int vlen, unsigned int flags)
- {
-+ if (flags & MSG_CMSG_COMPAT)
-+ return -EINVAL;
- return __sys_sendmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
- flags | MSG_CMSG_COMPAT);
- }
-
- asmlinkage long compat_sys_recvmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags)
- {
-- return sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
-+ if (flags & MSG_CMSG_COMPAT)
-+ return -EINVAL;
-+ return __sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
- }
-
- asmlinkage long compat_sys_recv(int fd, void __user *buf, size_t len, unsigned int flags)
-@@ -768,6 +774,9 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
- int datagrams;
- struct timespec ktspec;
-
-+ if (flags & MSG_CMSG_COMPAT)
-+ return -EINVAL;
-+
- if (COMPAT_USE_64BIT_TIME)
- return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
- flags | MSG_CMSG_COMPAT,
-@@ -796,7 +805,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
+@@ -805,7 +805,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
if (call < SYS_SOCKET || call > SYS_SENDMMSG)
return -EINVAL;
@@ -86302,7 +86306,7 @@ index 368f9c3..f82d4a3 100644
return err;
diff --git a/net/core/dev.c b/net/core/dev.c
-index 9a278e9..15f2b9e 100644
+index c9eb9e6..922c789 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1617,7 +1617,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
@@ -86332,7 +86336,7 @@ index 9a278e9..15f2b9e 100644
#define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb)
-@@ -3093,7 +3093,7 @@ enqueue:
+@@ -3099,7 +3099,7 @@ enqueue:
local_irq_restore(flags);
@@ -86341,7 +86345,7 @@ index 9a278e9..15f2b9e 100644
kfree_skb(skb);
return NET_RX_DROP;
}
-@@ -3165,7 +3165,7 @@ int netif_rx_ni(struct sk_buff *skb)
+@@ -3171,7 +3171,7 @@ int netif_rx_ni(struct sk_buff *skb)
}
EXPORT_SYMBOL(netif_rx_ni);
@@ -86350,7 +86354,7 @@ index 9a278e9..15f2b9e 100644
{
struct softnet_data *sd = &__get_cpu_var(softnet_data);
-@@ -3490,7 +3490,7 @@ ncls:
+@@ -3496,7 +3496,7 @@ ncls:
ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
} else {
drop:
@@ -86359,7 +86363,7 @@ index 9a278e9..15f2b9e 100644
kfree_skb(skb);
/* Jamal, now you will not able to escape explaining
* me how you were going to use this. :-)
-@@ -4095,7 +4095,7 @@ void netif_napi_del(struct napi_struct *napi)
+@@ -4101,7 +4101,7 @@ void netif_napi_del(struct napi_struct *napi)
}
EXPORT_SYMBOL(netif_napi_del);
@@ -86368,7 +86372,7 @@ index 9a278e9..15f2b9e 100644
{
struct softnet_data *sd = &__get_cpu_var(softnet_data);
unsigned long time_limit = jiffies + 2;
-@@ -5522,7 +5522,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
+@@ -5528,7 +5528,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
} else {
netdev_stats_to_stats64(storage, &dev->stats);
}
@@ -86639,7 +86643,7 @@ index e61a8bb..6a2f13c 100644
#ifdef CONFIG_INET
static u32 seq_scale(u32 seq)
diff --git a/net/core/sock.c b/net/core/sock.c
-index 1432266..1a0d4a1 100644
+index 684c37d..b541900 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -390,7 +390,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
@@ -87168,7 +87172,7 @@ index 52c273e..579060b 100644
return -ENOMEM;
}
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
-index 91d66db..4af7d99 100644
+index c7e8c04..56cb4c1 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -124,7 +124,7 @@ static bool log_ecn_error = true;
@@ -87298,7 +87302,7 @@ index bf6c5cf..ab2e9c6 100644
return res;
}
diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
-index 8f024d4..8b3500c 100644
+index 7533846..d2361d1 100644
--- a/net/ipv4/ipip.c
+++ b/net/ipv4/ipip.c
@@ -138,7 +138,7 @@ struct ipip_net {
@@ -87486,10 +87490,10 @@ index dd44e0a..06dcca4 100644
static int raw_seq_show(struct seq_file *seq, void *v)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
-index 6e28514..5e1b055 100644
+index cfede9a..22248f9 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
-@@ -2553,34 +2553,34 @@ static struct ctl_table ipv4_route_flush_table[] = {
+@@ -2558,34 +2558,34 @@ static struct ctl_table ipv4_route_flush_table[] = {
.maxlen = sizeof(int),
.mode = 0200,
.proc_handler = ipv4_sysctl_rtcache_flush,
@@ -87532,7 +87536,7 @@ index 6e28514..5e1b055 100644
err_dup:
return -ENOMEM;
}
-@@ -2603,7 +2603,7 @@ static __net_initdata struct pernet_operations sysctl_route_ops = {
+@@ -2608,7 +2608,7 @@ static __net_initdata struct pernet_operations sysctl_route_ops = {
static __net_init int rt_genid_init(struct net *net)
{
@@ -87681,29 +87685,11 @@ index 960fd29..d55bf64 100644
hdr = register_net_sysctl(&init_net, "net/ipv4", ipv4_table);
if (hdr == NULL)
-diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
-index e220207..cdeb839 100644
---- a/net/ipv4/tcp.c
-+++ b/net/ipv4/tcp.c
-@@ -3383,8 +3383,11 @@ int tcp_md5_hash_skb_data(struct tcp_md5sig_pool *hp,
-
- for (i = 0; i < shi->nr_frags; ++i) {
- const struct skb_frag_struct *f = &shi->frags[i];
-- struct page *page = skb_frag_page(f);
-- sg_set_page(&sg, page, skb_frag_size(f), f->page_offset);
-+ unsigned int offset = f->page_offset;
-+ struct page *page = skb_frag_page(f) + (offset >> PAGE_SHIFT);
-+
-+ sg_set_page(&sg, page, skb_frag_size(f),
-+ offset_in_page(offset));
- if (crypto_hash_update(desc, &sg, skb_frag_size(f)))
- return 1;
- }
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index 13b9c08..d33a8d0 100644
+index 59163c8..8277c51 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
-@@ -4724,7 +4724,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
+@@ -4727,7 +4727,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
* simplifies code)
*/
static void
@@ -87712,7 +87698,7 @@ index 13b9c08..d33a8d0 100644
struct sk_buff *head, struct sk_buff *tail,
u32 start, u32 end)
{
-@@ -5838,6 +5838,7 @@ discard:
+@@ -5841,6 +5841,7 @@ discard:
tcp_paws_reject(&tp->rx_opt, 0))
goto discard_and_undo;
@@ -87720,7 +87706,7 @@ index 13b9c08..d33a8d0 100644
if (th->syn) {
/* We see SYN without ACK. It is attempt of
* simultaneous connect with crossed SYNs.
-@@ -5888,6 +5889,7 @@ discard:
+@@ -5891,6 +5892,7 @@ discard:
goto discard;
#endif
}
@@ -87728,7 +87714,7 @@ index 13b9c08..d33a8d0 100644
/* "fifth, if neither of the SYN or RST bits is set then
* drop the segment and return."
*/
-@@ -5932,7 +5934,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+@@ -5935,7 +5937,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
goto discard;
if (th->syn) {
@@ -88023,7 +88009,7 @@ index 9a459be..086b866 100644
return -ENOMEM;
}
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
-index dae802c..bfa4baa 100644
+index 50a4c7c..50a27e6 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -2274,7 +2274,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg)
@@ -88035,7 +88021,7 @@ index dae802c..bfa4baa 100644
if (ops->ndo_do_ioctl) {
mm_segment_t oldfs = get_fs();
-@@ -4410,7 +4410,7 @@ int addrconf_sysctl_forward(ctl_table *ctl, int write,
+@@ -4412,7 +4412,7 @@ int addrconf_sysctl_forward(ctl_table *ctl, int write,
int *valp = ctl->data;
int val = *valp;
loff_t pos = *ppos;
@@ -88044,7 +88030,7 @@ index dae802c..bfa4baa 100644
int ret;
/*
-@@ -4492,7 +4492,7 @@ int addrconf_sysctl_disable(ctl_table *ctl, int write,
+@@ -4494,7 +4494,7 @@ int addrconf_sysctl_disable(ctl_table *ctl, int write,
int *valp = ctl->data;
int val = *valp;
loff_t pos = *ppos;
@@ -88107,18 +88093,28 @@ index 95d13c7..791fe2f 100644
.maxtype = IFLA_GRE_MAX,
.policy = ip6gre_policy,
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
-index 155eccf..851fdae 100644
+index 851fdae..9d4d1fd 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
-@@ -1147,7 +1147,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
- if (WARN_ON(np->cork.opt))
- return -EINVAL;
+@@ -822,11 +822,17 @@ static struct dst_entry *ip6_sk_dst_check(struct sock *sk,
+ const struct flowi6 *fl6)
+ {
+ struct ipv6_pinfo *np = inet6_sk(sk);
+- struct rt6_info *rt = (struct rt6_info *)dst;
++ struct rt6_info *rt;
-- np->cork.opt = kmalloc(opt->tot_len, sk->sk_allocation);
-+ np->cork.opt = kzalloc(opt->tot_len, sk->sk_allocation);
- if (unlikely(np->cork.opt == NULL))
- return -ENOBUFS;
+ if (!dst)
+ goto out;
++ if (dst->ops->family != AF_INET6) {
++ dst_release(dst);
++ return NULL;
++ }
++
++ rt = (struct rt6_info *)dst;
+ /* Yes, checking route validity in not connected
+ * case is not very simple. Take into account,
+ * that we do not support routing by source, TOS,
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index fff83cb..82d49dd 100644
--- a/net/ipv6/ip6_tunnel.c
@@ -88697,10 +88693,26 @@ index 4fe76ff..426a904 100644
};
diff --git a/net/key/af_key.c b/net/key/af_key.c
-index 5b1e5af..2358147 100644
+index 5b1e5af..1b929e7 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
-@@ -3041,10 +3041,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc
+@@ -1710,6 +1710,7 @@ static int key_notify_sa_flush(const struct km_event *c)
+ hdr->sadb_msg_version = PF_KEY_V2;
+ hdr->sadb_msg_errno = (uint8_t) 0;
+ hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
++ hdr->sadb_msg_reserved = 0;
+
+ pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
+
+@@ -2695,6 +2696,7 @@ static int key_notify_policy_flush(const struct km_event *c)
+ hdr->sadb_msg_errno = (uint8_t) 0;
+ hdr->sadb_msg_satype = SADB_SATYPE_UNSPEC;
+ hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
++ hdr->sadb_msg_reserved = 0;
+ pfkey_broadcast(skb_out, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
+ return 0;
+
+@@ -3041,10 +3043,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc
static u32 get_acqseq(void)
{
u32 res;
@@ -88713,33 +88725,6 @@ index 5b1e5af..2358147 100644
} while (!res);
return res;
}
-diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
-index 637a341..8dec687 100644
---- a/net/l2tp/l2tp_ppp.c
-+++ b/net/l2tp/l2tp_ppp.c
-@@ -346,19 +346,19 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
- skb_put(skb, 2);
-
- /* Copy user data into skb */
-- error = memcpy_fromiovec(skb->data, m->msg_iov, total_len);
-+ error = memcpy_fromiovec(skb_put(skb, total_len), m->msg_iov,
-+ total_len);
- if (error < 0) {
- kfree_skb(skb);
- goto error_put_sess_tun;
- }
-- skb_put(skb, total_len);
-
- l2tp_xmit_skb(session, skb, session->hdr_len);
-
- sock_put(ps->tunnel_sock);
- sock_put(sk);
-
-- return error;
-+ return total_len;
-
- error_put_sess_tun:
- sock_put(ps->tunnel_sock);
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 843d8c4..cb04fa1 100644
--- a/net/mac80211/cfg.c
@@ -89356,6 +89341,22 @@ index 9e31269..bc4c1b7 100644
mutex_unlock(&nf_log_mutex);
}
+diff --git a/net/netfilter/nf_nat_sip.c b/net/netfilter/nf_nat_sip.c
+index 96ccdf7..dac11f7 100644
+--- a/net/netfilter/nf_nat_sip.c
++++ b/net/netfilter/nf_nat_sip.c
+@@ -230,9 +230,10 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff,
+ &ct->tuplehash[!dir].tuple.src.u3,
+ false);
+ if (!mangle_packet(skb, protoff, dataoff, dptr, datalen,
+- poff, plen, buffer, buflen))
++ poff, plen, buffer, buflen)) {
+ nf_ct_helper_log(skb, ct, "cannot mangle received");
+ return NF_DROP;
++ }
+ }
+
+ /* The rport= parameter (RFC 3581) contains the port number
diff --git a/net/netfilter/nf_sockopt.c b/net/netfilter/nf_sockopt.c
index f042ae5..30ea486 100644
--- a/net/netfilter/nf_sockopt.c
@@ -89576,10 +89577,10 @@ index 103bd70..f21aad3 100644
*uaddr_len = sizeof(struct sockaddr_ax25);
}
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index f83e172..223ffe1 100644
+index e50f72a..f71867d 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
-@@ -1571,7 +1571,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
+@@ -1578,7 +1578,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
spin_lock(&sk->sk_receive_queue.lock);
po->stats.tp_packets++;
@@ -89588,7 +89589,7 @@ index f83e172..223ffe1 100644
__skb_queue_tail(&sk->sk_receive_queue, skb);
spin_unlock(&sk->sk_receive_queue.lock);
sk->sk_data_ready(sk, skb->len);
-@@ -1580,7 +1580,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
+@@ -1587,7 +1587,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
drop_n_acct:
spin_lock(&sk->sk_receive_queue.lock);
po->stats.tp_drops++;
@@ -89597,7 +89598,7 @@ index f83e172..223ffe1 100644
spin_unlock(&sk->sk_receive_queue.lock);
drop_n_restore:
-@@ -2558,6 +2558,7 @@ out:
+@@ -2579,6 +2579,7 @@ out:
static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len)
{
@@ -89605,7 +89606,7 @@ index f83e172..223ffe1 100644
struct sock_exterr_skb *serr;
struct sk_buff *skb, *skb2;
int copied, err;
-@@ -2579,8 +2580,9 @@ static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len)
+@@ -2600,8 +2601,9 @@ static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len)
sock_recv_timestamp(msg, sk, skb);
serr = SKB_EXT_ERR(skb);
@@ -89616,22 +89617,7 @@ index f83e172..223ffe1 100644
msg->msg_flags |= MSG_ERRQUEUE;
err = copied;
-@@ -2769,12 +2771,11 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
- return -EOPNOTSUPP;
-
- uaddr->sa_family = AF_PACKET;
-+ memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));
- rcu_read_lock();
- dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
- if (dev)
-- strncpy(uaddr->sa_data, dev->name, 14);
-- else
-- memset(uaddr->sa_data, 0, 14);
-+ strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));
- rcu_read_unlock();
- *uaddr_len = sizeof(*uaddr);
-
-@@ -3205,7 +3206,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3225,7 +3227,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
case PACKET_HDRLEN:
if (len > sizeof(int))
len = sizeof(int);
@@ -89640,7 +89626,7 @@ index f83e172..223ffe1 100644
return -EFAULT;
switch (val) {
case TPACKET_V1:
-@@ -3247,7 +3248,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3267,7 +3269,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
len = lv;
if (put_user(len, optlen))
return -EFAULT;
@@ -90176,33 +90162,6 @@ index 391a245..296b3d7 100644
}
/* Initialize IPv6 support and register with socket layer. */
-diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
-index 01dca75..e9426bb 100644
---- a/net/sctp/outqueue.c
-+++ b/net/sctp/outqueue.c
-@@ -206,6 +206,8 @@ static inline int sctp_cacc_skip(struct sctp_transport *primary,
- */
- void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
- {
-+ memset(q, 0, sizeof(struct sctp_outq));
-+
- q->asoc = asoc;
- INIT_LIST_HEAD(&q->out_chunk_list);
- INIT_LIST_HEAD(&q->control_chunk_list);
-@@ -213,13 +215,7 @@ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
- INIT_LIST_HEAD(&q->sacked);
- INIT_LIST_HEAD(&q->abandoned);
-
-- q->fast_rtx = 0;
-- q->outstanding_bytes = 0;
- q->empty = 1;
-- q->cork = 0;
--
-- q->malloced = 0;
-- q->out_qlen = 0;
- }
-
- /* Free the outqueue structure and any related pending chunks.
diff --git a/net/sctp/probe.c b/net/sctp/probe.c
index ad0dba8..e62c225 100644
--- a/net/sctp/probe.c
@@ -90287,7 +90246,7 @@ index 8aab894..f6b7e7d 100644
sctp_generate_t1_cookie_event,
sctp_generate_t1_init_event,
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index b907073..7bea2ca 100644
+index 02c43e4..7bea2ca 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -2166,11 +2166,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
@@ -90305,20 +90264,7 @@ index b907073..7bea2ca 100644
/*
* At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT,
-@@ -4002,6 +4004,12 @@ SCTP_STATIC void sctp_destroy_sock(struct sock *sk)
-
- /* Release our hold on the endpoint. */
- sp = sctp_sk(sk);
-+ /* This could happen during socket init, thus we bail out
-+ * early, since the rest of the below is not setup either.
-+ */
-+ if (sp->ep == NULL)
-+ return;
-+
- if (sp->do_auto_asconf) {
- sp->do_auto_asconf = 0;
- list_del(&sp->auto_asconf_list);
-@@ -4215,13 +4223,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
+@@ -4221,13 +4223,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
int __user *optlen)
{
@@ -90336,7 +90282,7 @@ index b907073..7bea2ca 100644
return -EFAULT;
return 0;
}
-@@ -4239,6 +4250,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
+@@ -4245,6 +4250,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
*/
static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen)
{
@@ -90345,7 +90291,7 @@ index b907073..7bea2ca 100644
/* Applicable to UDP-style socket only */
if (sctp_style(sk, TCP))
return -EOPNOTSUPP;
-@@ -4247,7 +4260,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
+@@ -4253,7 +4260,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
len = sizeof(int);
if (put_user(len, optlen))
return -EFAULT;
@@ -90355,7 +90301,7 @@ index b907073..7bea2ca 100644
return -EFAULT;
return 0;
}
-@@ -4619,12 +4633,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
+@@ -4625,12 +4633,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
*/
static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen)
{
@@ -90372,7 +90318,7 @@ index b907073..7bea2ca 100644
return -EFAULT;
return 0;
}
-@@ -4665,6 +4682,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
+@@ -4671,6 +4682,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
if (space_left < addrlen)
return -ENOMEM;
@@ -90404,7 +90350,7 @@ index bf3c6e8..376d8d0 100644
table = kmemdup(sctp_net_table, sizeof(sctp_net_table), GFP_KERNEL);
diff --git a/net/socket.c b/net/socket.c
-index 88f759a..74be616 100644
+index e216502..74be616 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -88,6 +88,7 @@
@@ -90575,16 +90521,7 @@ index 88f759a..74be616 100644
int err, err2;
int fput_needed;
-@@ -1978,7 +2040,7 @@ struct used_address {
- unsigned int name_len;
- };
-
--static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
-+static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
- struct msghdr *msg_sys, unsigned int flags,
- struct used_address *used_address)
- {
-@@ -2045,7 +2107,7 @@ static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -2045,7 +2107,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
* checking falls down on this.
*/
if (copy_from_user(ctl_buf,
@@ -90593,83 +90530,7 @@ index 88f759a..74be616 100644
ctl_len))
goto out_freectl;
msg_sys->msg_control = ctl_buf;
-@@ -2093,20 +2155,28 @@ out:
- * BSD sendmsg interface
- */
-
-+long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags)
-+{
-+ int fput_needed, err;
-+ struct msghdr msg_sys;
-+ struct socket *sock;
-+
-+ sock = sockfd_lookup_light(fd, &err, &fput_needed);
-+ if (!sock)
-+ goto out;
-+
-+ err = ___sys_sendmsg(sock, msg, &msg_sys, flags, NULL);
-+
-+ fput_light(sock->file, fput_needed);
-+out:
-+ return err;
-+}
-+
- SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned int, flags)
- {
-- int fput_needed, err;
-- struct msghdr msg_sys;
-- struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed);
--
-- if (!sock)
-- goto out;
--
-- err = __sys_sendmsg(sock, msg, &msg_sys, flags, NULL);
--
-- fput_light(sock->file, fput_needed);
--out:
-- return err;
-+ if (flags & MSG_CMSG_COMPAT)
-+ return -EINVAL;
-+ return __sys_sendmsg(fd, msg, flags);
- }
-
- /*
-@@ -2139,15 +2209,16 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
-
- while (datagrams < vlen) {
- if (MSG_CMSG_COMPAT & flags) {
-- err = __sys_sendmsg(sock, (struct msghdr __user *)compat_entry,
-- &msg_sys, flags, &used_address);
-+ err = ___sys_sendmsg(sock, (struct msghdr __user *)compat_entry,
-+ &msg_sys, flags, &used_address);
- if (err < 0)
- break;
- err = __put_user(err, &compat_entry->msg_len);
- ++compat_entry;
- } else {
-- err = __sys_sendmsg(sock, (struct msghdr __user *)entry,
-- &msg_sys, flags, &used_address);
-+ err = ___sys_sendmsg(sock,
-+ (struct msghdr __user *)entry,
-+ &msg_sys, flags, &used_address);
- if (err < 0)
- break;
- err = put_user(err, &entry->msg_len);
-@@ -2171,10 +2242,12 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
- SYSCALL_DEFINE4(sendmmsg, int, fd, struct mmsghdr __user *, mmsg,
- unsigned int, vlen, unsigned int, flags)
- {
-+ if (flags & MSG_CMSG_COMPAT)
-+ return -EINVAL;
- return __sys_sendmmsg(fd, mmsg, vlen, flags);
- }
-
--static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
-+static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
- struct msghdr *msg_sys, unsigned int flags, int nosec)
- {
- struct compat_msghdr __user *msg_compat =
-@@ -2185,7 +2258,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -2196,7 +2258,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
int err, total_len, len;
/* kernel mode address */
@@ -90678,7 +90539,7 @@ index 88f759a..74be616 100644
/* user mode address pointers */
struct sockaddr __user *uaddr;
-@@ -2213,7 +2286,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -2224,7 +2286,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
* kernel msghdr to use the kernel address space)
*/
@@ -90687,84 +90548,7 @@ index 88f759a..74be616 100644
uaddr_len = COMPAT_NAMELEN(msg);
if (MSG_CMSG_COMPAT & flags) {
err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE);
-@@ -2266,21 +2339,29 @@ out:
- * BSD recvmsg interface
- */
-
-+long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags)
-+{
-+ int fput_needed, err;
-+ struct msghdr msg_sys;
-+ struct socket *sock;
-+
-+ sock = sockfd_lookup_light(fd, &err, &fput_needed);
-+ if (!sock)
-+ goto out;
-+
-+ err = ___sys_recvmsg(sock, msg, &msg_sys, flags, 0);
-+
-+ fput_light(sock->file, fput_needed);
-+out:
-+ return err;
-+}
-+
- SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg,
- unsigned int, flags)
- {
-- int fput_needed, err;
-- struct msghdr msg_sys;
-- struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed);
--
-- if (!sock)
-- goto out;
--
-- err = __sys_recvmsg(sock, msg, &msg_sys, flags, 0);
--
-- fput_light(sock->file, fput_needed);
--out:
-- return err;
-+ if (flags & MSG_CMSG_COMPAT)
-+ return -EINVAL;
-+ return __sys_recvmsg(fd, msg, flags);
- }
-
- /*
-@@ -2320,17 +2401,18 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
- * No need to ask LSM for more than the first datagram.
- */
- if (MSG_CMSG_COMPAT & flags) {
-- err = __sys_recvmsg(sock, (struct msghdr __user *)compat_entry,
-- &msg_sys, flags & ~MSG_WAITFORONE,
-- datagrams);
-+ err = ___sys_recvmsg(sock, (struct msghdr __user *)compat_entry,
-+ &msg_sys, flags & ~MSG_WAITFORONE,
-+ datagrams);
- if (err < 0)
- break;
- err = __put_user(err, &compat_entry->msg_len);
- ++compat_entry;
- } else {
-- err = __sys_recvmsg(sock, (struct msghdr __user *)entry,
-- &msg_sys, flags & ~MSG_WAITFORONE,
-- datagrams);
-+ err = ___sys_recvmsg(sock,
-+ (struct msghdr __user *)entry,
-+ &msg_sys, flags & ~MSG_WAITFORONE,
-+ datagrams);
- if (err < 0)
- break;
- err = put_user(err, &entry->msg_len);
-@@ -2397,6 +2479,9 @@ SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
- int datagrams;
- struct timespec timeout_sys;
-
-+ if (flags & MSG_CMSG_COMPAT)
-+ return -EINVAL;
-+
- if (!timeout)
- return __sys_recvmmsg(fd, mmsg, vlen, flags, NULL);
-
-@@ -2952,7 +3037,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
+@@ -2975,7 +3037,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
old_fs = get_fs();
set_fs(KERNEL_DS);
err = dev_ioctl(net, cmd,
@@ -90773,7 +90557,7 @@ index 88f759a..74be616 100644
set_fs(old_fs);
return err;
-@@ -3061,7 +3146,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
+@@ -3084,7 +3146,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
old_fs = get_fs();
set_fs(KERNEL_DS);
@@ -90782,7 +90566,7 @@ index 88f759a..74be616 100644
set_fs(old_fs);
if (cmd == SIOCGIFMAP && !err) {
-@@ -3166,7 +3251,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
+@@ -3189,7 +3251,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
ret |= __get_user(rtdev, &(ur4->rt_dev));
if (rtdev) {
ret |= copy_from_user(devname, compat_ptr(rtdev), 15);
@@ -90791,7 +90575,7 @@ index 88f759a..74be616 100644
devname[15] = 0;
} else
r4.rt_dev = NULL;
-@@ -3392,8 +3477,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
+@@ -3415,8 +3477,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
int __user *uoptlen;
int err;
@@ -90802,7 +90586,7 @@ index 88f759a..74be616 100644
set_fs(KERNEL_DS);
if (level == SOL_SOCKET)
-@@ -3413,7 +3498,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
+@@ -3436,7 +3498,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
char __user *uoptval;
int err;
@@ -91300,18 +91084,6 @@ index c8717c1..08539f5 100644
err = handler(dev, info, (union iwreq_data *) iwp, extra);
iwp->length += essid_compat;
-diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
-index bcfda89..0cf003d 100644
---- a/net/xfrm/xfrm_output.c
-+++ b/net/xfrm/xfrm_output.c
-@@ -64,6 +64,7 @@ static int xfrm_output_one(struct sk_buff *skb, int err)
-
- if (unlikely(x->km.state != XFRM_STATE_VALID)) {
- XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEINVALID);
-+ err = -EINVAL;
- goto error;
- }
-
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 167c67d..3f2ae427 100644
--- a/net/xfrm/xfrm_policy.c
diff --git a/main/linux-grsec/kernelconfig.x86 b/main/linux-grsec/kernelconfig.x86
index 3f50316571..de622fca84 100644
--- a/main/linux-grsec/kernelconfig.x86
+++ b/main/linux-grsec/kernelconfig.x86
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 3.9.7 Kernel Configuration
+# Linux/x86 3.9.8 Kernel Configuration
#
# CONFIG_64BIT is not set
CONFIG_X86_32=y
@@ -5523,6 +5523,7 @@ CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_VM86 is not set
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PERF_HARDEN=y
+# CONFIG_GRKERNSEC_RAND_THREADSTACK is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
# CONFIG_GRKERNSEC_BRUTE is not set
# CONFIG_GRKERNSEC_MODHARDEN is not set
diff --git a/main/linux-grsec/kernelconfig.x86_64 b/main/linux-grsec/kernelconfig.x86_64
index f338d7ad0b..feaf716d88 100644
--- a/main/linux-grsec/kernelconfig.x86_64
+++ b/main/linux-grsec/kernelconfig.x86_64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 3.9.7 Kernel Configuration
+# Linux/x86 3.9.8 Kernel Configuration
#
CONFIG_64BIT=y
CONFIG_X86_64=y
@@ -5460,6 +5460,7 @@ CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_JIT_HARDEN=y
CONFIG_GRKERNSEC_PERF_HARDEN=y
+# CONFIG_GRKERNSEC_RAND_THREADSTACK is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
# CONFIG_GRKERNSEC_BRUTE is not set
# CONFIG_GRKERNSEC_MODHARDEN is not set