authorNatanael Copa <ncopa@alpinelinux.org>2012-09-17 19:23:58 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2012-09-17 19:30:34 +0000
commitfd4ebdb299d5fbf2bb09168ce2c530364be16c9b (patch)
tree7710260e056bfb3d88937bb232f9bfd8d97f30fa /testing/linux-virt-grsec
parentc2e5b06819796406457ef99bb3e0bffc2a96880b (diff)
downloadaports-fd4ebdb299d5fbf2bb09168ce2c530364be16c9b.tar.bz2
aports-fd4ebdb299d5fbf2bb09168ce2c530364be16c9b.tar.xz
testing/linux-virt-grsec: upgrade to 3.4.11
Diffstat (limited to 'testing/linux-virt-grsec')
-rw-r--r--testing/linux-virt-grsec/APKBUILD14
-rw-r--r--testing/linux-virt-grsec/grsecurity-2.9.1-3.4.11-1.patch (renamed from testing/linux-virt-grsec/grsecurity-2.9.1-3.4.5-201207171624.patch)5252
-rw-r--r--testing/linux-virt-grsec/kernelconfig.x863
-rw-r--r--testing/linux-virt-grsec/kernelconfig.x86_643
4 files changed, 3881 insertions, 1391 deletions
diff --git a/testing/linux-virt-grsec/APKBUILD b/testing/linux-virt-grsec/APKBUILD
index 92eae2421..a7870849e 100644
--- a/testing/linux-virt-grsec/APKBUILD
+++ b/testing/linux-virt-grsec/APKBUILD
@@ -2,9 +2,9 @@
_flavor=grsec
pkgname=linux-virt-${_flavor}
-pkgver=3.4.5
+pkgver=3.4.11
_kernver=3.4
-pkgrel=3
+pkgrel=0
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH}}
install=
source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
- grsecurity-2.9.1-3.4.5-201207171624.patch
+ grsecurity-2.9.1-$pkgver-1.patch
xen-xsave.patch
kernelconfig.x86
@@ -137,8 +137,8 @@ dev() {
}
md5sums="967f72983655e2479f951195953e8480 linux-3.4.tar.xz
-e60f1d8032069d091f3692c1d7a89b8b patch-3.4.5.xz
-2d4274ea6a7ebb913b989952155a14e1 grsecurity-2.9.1-3.4.5-201207171624.patch
+2149df47fc96fec05787bf0197fb7b16 patch-3.4.11.xz
+261e513021d40a01ebd18947fde0ab1d grsecurity-2.9.1-3.4.11-1.patch
0d095dbf194d5609ad260ecd3f0ab15d xen-xsave.patch
-454b72a498ddc9c40bbe20594d04b2cb kernelconfig.x86
-0cdb1e4ea4045e2792e4331ac1ebea38 kernelconfig.x86_64"
+edf0b2f99cb5391e424bd7edf6f88c6c kernelconfig.x86
+32cbb968820788def5fd2677b61351c1 kernelconfig.x86_64"
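Review bot: The updated `md5sums` block is the only integrity check on these sources, and the kernel tarball and `patch-$pkgver.xz` listed in `source=` are fetched over plain `http://`, so a malicious mirror or on-path attacker is held off by MD5 alone. If the abuild version in use accepts a stronger checksum array, record one alongside `md5sums`; otherwise verify `patch-3.4.11.xz` against the signed kernel.org release before committing its hash. The carried grsecurity patch also loses the timestamp the old file name had, so if it derives from an upstream snapshot, a comment such as `# based on upstream grsecurity snapshot <timestamp>` next to its `source=` entry would keep its provenance traceable.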
diff --git a/testing/linux-virt-grsec/grsecurity-2.9.1-3.4.5-201207171624.patch b/testing/linux-virt-grsec/grsecurity-2.9.1-3.4.11-1.patch
index a842b50b1..cb22897eb 100644
--- a/testing/linux-virt-grsec/grsecurity-2.9.1-3.4.5-201207171624.patch
+++ b/testing/linux-virt-grsec/grsecurity-2.9.1-3.4.11-1.patch
@@ -1,5 +1,5 @@
diff --git a/Documentation/dontdiff b/Documentation/dontdiff
-index b4a898f..a0e01d0 100644
+index b4a898f..781c7ad 100644
--- a/Documentation/dontdiff
+++ b/Documentation/dontdiff
@@ -2,9 +2,11 @@
@@ -22,7 +22,7 @@ index b4a898f..a0e01d0 100644
*.grep
*.grp
*.gz
-@@ -48,9 +51,11 @@
+@@ -48,14 +51,17 @@
*.tab.h
*.tex
*.ver
@@ -34,7 +34,14 @@ index b4a898f..a0e01d0 100644
*_vga16.c
*~
\#*#
-@@ -69,6 +74,7 @@ Image
+ *.9
+-.*
++.[^g]*
++.gen*
+ .*.d
+ .mm
+ 53c700_d.h
+@@ -69,6 +75,7 @@ Image
Module.markers
Module.symvers
PENDING
@@ -42,7 +49,7 @@ index b4a898f..a0e01d0 100644
SCCS
System.map*
TAGS
-@@ -80,6 +86,7 @@ aic7*seq.h*
+@@ -80,6 +87,7 @@ aic7*seq.h*
aicasm
aicdb.h*
altivec*.c
@@ -50,7 +57,7 @@ index b4a898f..a0e01d0 100644
asm-offsets.h
asm_offsets.h
autoconf.h*
-@@ -92,19 +99,24 @@ bounds.h
+@@ -92,19 +100,24 @@ bounds.h
bsetup
btfixupprep
build
@@ -75,7 +82,7 @@ index b4a898f..a0e01d0 100644
conmakehash
consolemap_deftbl.c*
cpustr.h
-@@ -115,9 +127,11 @@ devlist.h*
+@@ -115,9 +128,11 @@ devlist.h*
dnotify_test
docproc
dslm
@@ -87,7 +94,7 @@ index b4a898f..a0e01d0 100644
fixdep
flask.h
fore200e_mkfirm
-@@ -125,12 +139,15 @@ fore200e_pca_fw.c*
+@@ -125,12 +140,15 @@ fore200e_pca_fw.c*
gconf
gconf.glade.h
gen-devlist
@@ -103,7 +110,7 @@ index b4a898f..a0e01d0 100644
hpet_example
hugepage-mmap
hugepage-shm
-@@ -145,7 +162,7 @@ int32.c
+@@ -145,7 +163,7 @@ int32.c
int4.c
int8.c
kallsyms
@@ -112,7 +119,7 @@ index b4a898f..a0e01d0 100644
keywords.c
ksym.c*
ksym.h*
-@@ -153,7 +170,7 @@ kxgettext
+@@ -153,7 +171,7 @@ kxgettext
lkc_defs.h
lex.c
lex.*.c
@@ -121,7 +128,7 @@ index b4a898f..a0e01d0 100644
logo_*.c
logo_*_clut224.c
logo_*_mono.c
-@@ -164,14 +181,15 @@ machtypes.h
+@@ -164,14 +182,15 @@ machtypes.h
map
map_hugetlb
maui_boot.h
@@ -138,7 +145,7 @@ index b4a898f..a0e01d0 100644
mkprep
mkregtable
mktables
-@@ -188,6 +206,7 @@ oui.c*
+@@ -188,6 +207,7 @@ oui.c*
page-types
parse.c
parse.h
@@ -146,7 +153,7 @@ index b4a898f..a0e01d0 100644
patches*
pca200e.bin
pca200e_ecd.bin2
-@@ -197,6 +216,7 @@ perf-archive
+@@ -197,6 +217,7 @@ perf-archive
piggyback
piggy.gzip
piggy.S
@@ -154,7 +161,7 @@ index b4a898f..a0e01d0 100644
pnmtologo
ppc_defs.h*
pss_boot.h
-@@ -207,6 +227,7 @@ r300_reg_safe.h
+@@ -207,6 +228,7 @@ r300_reg_safe.h
r420_reg_safe.h
r600_reg_safe.h
recordmcount
@@ -162,7 +169,7 @@ index b4a898f..a0e01d0 100644
relocs
rlim_names.h
rn50_reg_safe.h
-@@ -216,7 +237,9 @@ series
+@@ -216,7 +238,9 @@ series
setup
setup.bin
setup.elf
@@ -172,7 +179,7 @@ index b4a898f..a0e01d0 100644
sm_tbl*
split-include
syscalltab.h
-@@ -227,6 +250,7 @@ tftpboot.img
+@@ -227,6 +251,7 @@ tftpboot.img
timeconst.h
times.h*
trix_boot.h
@@ -180,7 +187,7 @@ index b4a898f..a0e01d0 100644
utsrelease.h*
vdso-syms.lds
vdso.lds
-@@ -238,13 +262,17 @@ vdso32.lds
+@@ -238,13 +263,17 @@ vdso32.lds
vdso32.so.dbg
vdso64.lds
vdso64.so.dbg
@@ -198,7 +205,7 @@ index b4a898f..a0e01d0 100644
vmlinuz
voffset.h
vsyscall.lds
-@@ -252,9 +280,11 @@ vsyscall_32.lds
+@@ -252,9 +281,11 @@ vsyscall_32.lds
wanxlfw.inc
uImage
unifdef
@@ -228,8 +235,41 @@ index c1601e5..08557ce 100644
pcbit= [HW,ISDN]
pcd. [PARIDE]
+diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt
+index 88fd7f5..b318a78 100644
+--- a/Documentation/sysctl/fs.txt
++++ b/Documentation/sysctl/fs.txt
+@@ -163,16 +163,22 @@ This value can be used to query and set the core dump mode for setuid
+ or otherwise protected/tainted binaries. The modes are
+
+ 0 - (default) - traditional behaviour. Any process which has changed
+- privilege levels or is execute only will not be dumped
++ privilege levels or is execute only will not be dumped.
+ 1 - (debug) - all processes dump core when possible. The core dump is
+ owned by the current user and no security is applied. This is
+ intended for system debugging situations only. Ptrace is unchecked.
++ This is insecure as it allows regular users to examine the memory
++ contents of privileged processes.
+ 2 - (suidsafe) - any binary which normally would not be dumped is dumped
+- readable by root only. This allows the end user to remove
+- such a dump but not access it directly. For security reasons
+- core dumps in this mode will not overwrite one another or
+- other files. This mode is appropriate when administrators are
+- attempting to debug problems in a normal environment.
++ anyway, but only if the "core_pattern" kernel sysctl is set to
++ either a pipe handler or a fully qualified path. (For more details
++ on this limitation, see CVE-2006-2451.) This mode is appropriate
++ when administrators are attempting to debug problems in a normal
++ environment, and either have a core dump pipe handler that knows
++ to treat privileged core dumps with care, or specific directory
++ defined for catching core dumps. If a core dump happens without
++ a pipe handler or fully qualifid path, a message will be emitted
++ to syslog warning about the lack of a correct setting.
+
+ ==============================================================
+
diff --git a/Makefile b/Makefile
-index a2e69a0..cc487da 100644
+index 22345c0..33cbc29 100644
--- a/Makefile
+++ b/Makefile
@@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -255,7 +295,7 @@ index a2e69a0..cc487da 100644
$(Q)$(MAKE) $(build)=scripts/basic
$(Q)rm -f .tmp_quiet_recordmcount
-@@ -564,6 +565,56 @@ else
+@@ -564,6 +565,60 @@ else
KBUILD_CFLAGS += -O2
endif
@@ -286,12 +326,16 @@ index a2e69a0..cc487da 100644
+endif
+COLORIZE_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/colorize_plugin.so
+ifdef CONFIG_PAX_SIZE_OVERFLOW
-+SIZE_OVERFLOW_PLUGIN := -fplugin=$(objtree)/tools/gcc/size_overflow_plugin.so -DSIZE_OVERFLOW_PLUGIN
++SIZE_OVERFLOW_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/size_overflow_plugin.so -DSIZE_OVERFLOW_PLUGIN
++endif
++ifdef CONFIG_PAX_LATENT_ENTROPY
++LATENT_ENTROPY_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/latent_entropy_plugin.so -DLATENT_ENTROPY_PLUGIN
+endif
+GCC_PLUGINS_CFLAGS := $(CONSTIFY_PLUGIN_CFLAGS) $(STACKLEAK_PLUGIN_CFLAGS) $(KALLOCSTAT_PLUGIN_CFLAGS)
-+GCC_PLUGINS_CFLAGS += $(KERNEXEC_PLUGIN_CFLAGS) $(CHECKER_PLUGIN_CFLAGS) $(COLORIZE_PLUGIN_CFLAGS) $(SIZE_OVERFLOW_PLUGIN)
++GCC_PLUGINS_CFLAGS += $(KERNEXEC_PLUGIN_CFLAGS) $(CHECKER_PLUGIN_CFLAGS) $(COLORIZE_PLUGIN_CFLAGS)
++GCC_PLUGINS_CFLAGS += $(SIZE_OVERFLOW_PLUGIN_CFLAGS) $(LATENT_ENTROPY_PLUGIN_CFLAGS)
+GCC_PLUGINS_AFLAGS := $(KERNEXEC_PLUGIN_AFLAGS)
-+export PLUGINCC CONSTIFY_PLUGIN STACKLEAK_PLUGIN KERNEXEC_PLUGIN CHECKER_PLUGIN SIZE_OVERFLOW_PLUGIN
++export PLUGINCC CONSTIFY_PLUGIN
+ifeq ($(KBUILD_EXTMOD),)
+gcc-plugins:
+ $(Q)$(MAKE) $(build)=tools/gcc
@@ -312,7 +356,7 @@ index a2e69a0..cc487da 100644
include $(srctree)/arch/$(SRCARCH)/Makefile
ifneq ($(CONFIG_FRAME_WARN),0)
-@@ -708,7 +759,7 @@ export mod_strip_cmd
+@@ -708,7 +763,7 @@ export mod_strip_cmd
ifeq ($(KBUILD_EXTMOD),)
@@ -321,7 +365,7 @@ index a2e69a0..cc487da 100644
vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
$(core-y) $(core-m) $(drivers-y) $(drivers-m) \
-@@ -932,6 +983,8 @@ vmlinux.o: $(modpost-init) $(vmlinux-main) FORCE
+@@ -932,6 +987,8 @@ vmlinux.o: $(modpost-init) $(vmlinux-main) FORCE
# The actual objects are generated when descending,
# make sure no implicit rule kicks in
@@ -330,7 +374,7 @@ index a2e69a0..cc487da 100644
$(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ;
# Handle descending into subdirectories listed in $(vmlinux-dirs)
-@@ -941,7 +994,7 @@ $(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ;
+@@ -941,7 +998,7 @@ $(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ;
# Error messages still appears in the original language
PHONY += $(vmlinux-dirs)
@@ -339,7 +383,7 @@ index a2e69a0..cc487da 100644
$(Q)$(MAKE) $(build)=$@
# Store (new) KERNELRELASE string in include/config/kernel.release
-@@ -985,6 +1038,7 @@ prepare0: archprepare FORCE
+@@ -985,6 +1042,7 @@ prepare0: archprepare FORCE
$(Q)$(MAKE) $(build)=.
# All the preparing..
@@ -347,7 +391,7 @@ index a2e69a0..cc487da 100644
prepare: prepare0
# Generate some files
-@@ -1092,6 +1146,8 @@ all: modules
+@@ -1092,6 +1150,8 @@ all: modules
# using awk while concatenating to the final file.
PHONY += modules
@@ -356,7 +400,7 @@ index a2e69a0..cc487da 100644
modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin
$(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order
@$(kecho) ' Building modules, stage 2.';
-@@ -1107,7 +1163,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin)
+@@ -1107,7 +1167,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin)
# Target to prepare building external modules
PHONY += modules_prepare
@@ -365,7 +409,7 @@ index a2e69a0..cc487da 100644
# Target to install modules
PHONY += modules_install
-@@ -1166,7 +1222,7 @@ CLEAN_FILES += vmlinux System.map \
+@@ -1166,7 +1226,7 @@ CLEAN_FILES += vmlinux System.map \
MRPROPER_DIRS += include/config usr/include include/generated \
arch/*/include/generated
MRPROPER_FILES += .config .config.old .version .old_version \
@@ -374,7 +418,7 @@ index a2e69a0..cc487da 100644
Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS
# clean - Delete most, but leave enough to build external modules
-@@ -1204,6 +1260,7 @@ distclean: mrproper
+@@ -1204,6 +1264,7 @@ distclean: mrproper
\( -name '*.orig' -o -name '*.rej' -o -name '*~' \
-o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
-o -name '.*.rej' \
@@ -382,7 +426,7 @@ index a2e69a0..cc487da 100644
-o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \
-type f -print | xargs rm -f
-@@ -1364,6 +1421,8 @@ PHONY += $(module-dirs) modules
+@@ -1364,6 +1425,8 @@ PHONY += $(module-dirs) modules
$(module-dirs): crmodverdir $(objtree)/Module.symvers
$(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
@@ -391,7 +435,7 @@ index a2e69a0..cc487da 100644
modules: $(module-dirs)
@$(kecho) ' Building modules, stage 2.';
$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
-@@ -1490,17 +1549,21 @@ else
+@@ -1490,17 +1553,21 @@ else
target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
endif
@@ -417,7 +461,7 @@ index a2e69a0..cc487da 100644
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
%.symtypes: %.c prepare scripts FORCE
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
-@@ -1510,11 +1573,15 @@ endif
+@@ -1510,11 +1577,15 @@ endif
$(cmd_crmodverdir)
$(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
$(build)=$(build-dir)
@@ -748,7 +792,7 @@ index 5eecab1..609abc0 100644
/* Allow reads even for write-only mappings */
if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
diff --git a/arch/arm/include/asm/atomic.h b/arch/arm/include/asm/atomic.h
-index 68374ba..cff7196 100644
+index 68374ba..b095124 100644
--- a/arch/arm/include/asm/atomic.h
+++ b/arch/arm/include/asm/atomic.h
@@ -17,17 +17,35 @@
@@ -909,7 +953,7 @@ index 68374ba..cff7196 100644
-"1: ldrex %0, [%3]\n"
-" sub %0, %0, %4\n"
+"1: ldrex %1, [%3]\n"
-+" sub %0, %1, %4\n"
++" subs %0, %1, %4\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
+" bvc 3f\n"
@@ -1136,13 +1180,11 @@ index 68374ba..cff7196 100644
static inline u64 atomic64_add_return(u64 i, atomic64_t *v)
{
-- u64 result;
-- unsigned long tmp;
+ u64 result, tmp;
-
- smp_mb();
-
- __asm__ __volatile__("@ atomic64_add_return\n"
++
++ smp_mb();
++
++ __asm__ __volatile__("@ atomic64_add_return\n"
+"1: ldrexd %1, %H1, [%3]\n"
+" adds %0, %1, %4\n"
+" adcs %H0, %H1, %H4\n"
@@ -1175,19 +1217,21 @@ index 68374ba..cff7196 100644
+
+static inline u64 atomic64_add_return_unchecked(u64 i, atomic64_unchecked_t *v)
+{
-+ u64 result;
-+ unsigned long tmp;
-+
-+ smp_mb();
-+
+ u64 result;
+ unsigned long tmp;
+
+ smp_mb();
+
+- __asm__ __volatile__("@ atomic64_add_return\n"
+ __asm__ __volatile__("@ atomic64_add_return_unchecked\n"
"1: ldrexd %0, %H0, [%3]\n"
" adds %0, %0, %4\n"
" adc %H0, %H0, %H4\n"
-@@ -318,6 +607,36 @@ static inline void atomic64_sub(u64 i, atomic64_t *v)
+@@ -318,23 +607,34 @@ static inline void atomic64_sub(u64 i, atomic64_t *v)
__asm__ __volatile__("@ atomic64_sub\n"
"1: ldrexd %0, %H0, [%3]\n"
" subs %0, %0, %4\n"
+-" sbc %H0, %H0, %H4\n"
+" sbcs %H0, %H0, %H4\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
@@ -1196,48 +1240,49 @@ index 68374ba..cff7196 100644
+"3:\n"
+#endif
+
-+" strexd %1, %0, %H0, [%3]\n"
-+" teq %1, #0\n"
-+" bne 1b"
+ " strexd %1, %0, %H0, [%3]\n"
+ " teq %1, #0\n"
+ " bne 1b"
+
+#ifdef CONFIG_PAX_REFCOUNT
+"\n4:\n"
+ _ASM_EXTABLE(2b, 4b)
+#endif
+
-+ : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)
-+ : "r" (&v->counter), "r" (i)
-+ : "cc");
-+}
-+
+ : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)
+ : "r" (&v->counter), "r" (i)
+ : "cc");
+ }
+
+-static inline u64 atomic64_sub_return(u64 i, atomic64_t *v)
+static inline void atomic64_sub_unchecked(u64 i, atomic64_unchecked_t *v)
-+{
-+ u64 result;
-+ unsigned long tmp;
-+
+ {
+ u64 result;
+ unsigned long tmp;
+
+- smp_mb();
+-
+- __asm__ __volatile__("@ atomic64_sub_return\n"
+ __asm__ __volatile__("@ atomic64_sub_unchecked\n"
-+"1: ldrexd %0, %H0, [%3]\n"
-+" subs %0, %0, %4\n"
+ "1: ldrexd %0, %H0, [%3]\n"
+ " subs %0, %0, %4\n"
" sbc %H0, %H0, %H4\n"
- " strexd %1, %0, %H0, [%3]\n"
- " teq %1, #0\n"
-@@ -329,18 +648,32 @@ static inline void atomic64_sub(u64 i, atomic64_t *v)
-
- static inline u64 atomic64_sub_return(u64 i, atomic64_t *v)
- {
-- u64 result;
-- unsigned long tmp;
+@@ -344,6 +644,39 @@ static inline u64 atomic64_sub_return(u64 i, atomic64_t *v)
+ : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)
+ : "r" (&v->counter), "r" (i)
+ : "cc");
++}
++
++static inline u64 atomic64_sub_return(u64 i, atomic64_t *v)
++{
+ u64 result, tmp;
-
- smp_mb();
-
- __asm__ __volatile__("@ atomic64_sub_return\n"
--"1: ldrexd %0, %H0, [%3]\n"
--" subs %0, %0, %4\n"
--" sbc %H0, %H0, %H4\n"
++
++ smp_mb();
++
++ __asm__ __volatile__("@ atomic64_sub_return\n"
+"1: ldrexd %1, %H1, [%3]\n"
+" subs %0, %1, %4\n"
-+" sbc %H0, %H1, %H4\n"
++" sbcs %H0, %H1, %H4\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
+" bvc 3f\n"
@@ -1247,18 +1292,21 @@ index 68374ba..cff7196 100644
+"3:\n"
+#endif
+
- " strexd %1, %0, %H0, [%3]\n"
- " teq %1, #0\n"
- " bne 1b"
++" strexd %1, %0, %H0, [%3]\n"
++" teq %1, #0\n"
++" bne 1b"
+
+#ifdef CONFIG_PAX_REFCOUNT
+"\n4:\n"
+ _ASM_EXTABLE(2b, 4b)
+#endif
+
- : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)
- : "r" (&v->counter), "r" (i)
- : "cc");
++ : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)
++ : "r" (&v->counter), "r" (i)
++ : "cc");
+
+ smp_mb();
+
@@ -374,6 +707,30 @@ static inline u64 atomic64_cmpxchg(atomic64_t *ptr, u64 old, u64 new)
return oldval;
}
@@ -1306,7 +1354,7 @@ index 68374ba..cff7196 100644
-" sbc %H0, %H0, #0\n"
+"1: ldrexd %1, %H1, [%3]\n"
+" subs %0, %1, #1\n"
-+" sbc %H0, %H1, #0\n"
++" sbcs %H0, %H1, #0\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
+" bvc 3f\n"
@@ -1339,7 +1387,8 @@ index 68374ba..cff7196 100644
-" beq 2f\n"
+" beq 4f\n"
" adds %0, %0, %6\n"
- " adc %H0, %H0, %H6\n"
+-" adc %H0, %H0, %H6\n"
++" adcs %H0, %H0, %H6\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
+" bvc 3f\n"
@@ -1391,7 +1440,7 @@ index 75fe66b..2255c86 100644
/*
* Memory returned by kmalloc() may be used for DMA, so we must make
diff --git a/arch/arm/include/asm/cacheflush.h b/arch/arm/include/asm/cacheflush.h
-index 1252a26..9dc17b5 100644
+index 42dec04..adcf84a 100644
--- a/arch/arm/include/asm/cacheflush.h
+++ b/arch/arm/include/asm/cacheflush.h
@@ -108,7 +108,7 @@ struct cpu_cache_fns {
@@ -1612,7 +1661,7 @@ index b57c75e..ed2d6b2 100644
EXPORT_SYMBOL(__get_user_1);
diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c
-index 2b7b017..c380fa2 100644
+index 48f3624..eabfb29 100644
--- a/arch/arm/kernel/process.c
+++ b/arch/arm/kernel/process.c
@@ -28,7 +28,6 @@
@@ -1623,7 +1672,7 @@ index 2b7b017..c380fa2 100644
#include <linux/hw_breakpoint.h>
#include <linux/cpuidle.h>
-@@ -275,9 +274,10 @@ void machine_power_off(void)
+@@ -276,9 +275,10 @@ void machine_power_off(void)
machine_shutdown();
if (pm_power_off)
pm_power_off();
@@ -1635,7 +1684,7 @@ index 2b7b017..c380fa2 100644
{
machine_shutdown();
-@@ -519,12 +519,6 @@ unsigned long get_wchan(struct task_struct *p)
+@@ -521,12 +521,6 @@ unsigned long get_wchan(struct task_struct *p)
return 0;
}
@@ -1694,7 +1743,7 @@ index ebfac78..cbea9c0 100644
#endif
diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
-index 63d402f..db1d714 100644
+index a8ad1e3..859d689 100644
--- a/arch/arm/kernel/traps.c
+++ b/arch/arm/kernel/traps.c
@@ -264,6 +264,8 @@ static int __die(const char *str, int err, struct thread_info *thread, struct pt
@@ -2319,7 +2368,7 @@ index 0f01de2..d37d309 100644
#define __cacheline_aligned __aligned(L1_CACHE_BYTES)
#define ____cacheline_aligned __aligned(L1_CACHE_BYTES)
diff --git a/arch/ia64/include/asm/atomic.h b/arch/ia64/include/asm/atomic.h
-index 7d91166..88ab87e 100644
+index 6e6fe18..a6ae668 100644
--- a/arch/ia64/include/asm/atomic.h
+++ b/arch/ia64/include/asm/atomic.h
@@ -208,6 +208,16 @@ atomic64_add_negative (__s64 i, atomic64_t *v)
@@ -2896,7 +2945,7 @@ index 881d18b..cea38bc 100644
/*
diff --git a/arch/mips/include/asm/thread_info.h b/arch/mips/include/asm/thread_info.h
-index 0d85d8e..ec71487 100644
+index abb13e8..cd2d702 100644
--- a/arch/mips/include/asm/thread_info.h
+++ b/arch/mips/include/asm/thread_info.h
@@ -123,6 +123,8 @@ register struct thread_info *__current_thread_info __asm__("$28");
@@ -3237,7 +3286,7 @@ index 4ce7a01..449202a 100644
#endif /* __ASM_OPENRISC_CACHE_H */
diff --git a/arch/parisc/include/asm/atomic.h b/arch/parisc/include/asm/atomic.h
-index 6c6defc..d30653d 100644
+index af9cf30..2aae9b2 100644
--- a/arch/parisc/include/asm/atomic.h
+++ b/arch/parisc/include/asm/atomic.h
@@ -229,6 +229,16 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
@@ -3911,7 +3960,7 @@ index 4aad413..85d86bf 100644
#define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
#define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
-index 9d7f0fb..a28fe69 100644
+index cae0ed7..da44a51 100644
--- a/arch/powerpc/include/asm/reg.h
+++ b/arch/powerpc/include/asm/reg.h
@@ -212,6 +212,7 @@
@@ -4208,7 +4257,7 @@ index 2e3200c..72095ce 100644
/* Find this entry, or if that fails, the next avail. entry */
while (entry->jump[0]) {
diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
-index 4937c96..70714b7 100644
+index 94178e5..e6076f0 100644
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -681,8 +681,8 @@ void show_regs(struct pt_regs * regs)
@@ -4222,7 +4271,7 @@ index 4937c96..70714b7 100644
#endif
show_stack(current, (unsigned long *) regs->gpr[1]);
if (!user_mode(regs))
-@@ -1186,10 +1186,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
+@@ -1178,10 +1178,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
newsp = stack[0];
ip = stack[STACK_FRAME_LR_SAVE];
if (!firstframe || ip != lr) {
@@ -4235,7 +4284,7 @@ index 4937c96..70714b7 100644
(void *)current->ret_stack[curr_frame].ret);
curr_frame--;
}
-@@ -1209,7 +1209,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
+@@ -1201,7 +1201,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
struct pt_regs *regs = (struct pt_regs *)
(sp + STACK_FRAME_OVERHEAD);
lr = regs->link;
@@ -4244,7 +4293,7 @@ index 4937c96..70714b7 100644
regs->trap, (void *)regs->nip, (void *)lr);
firstframe = 1;
}
-@@ -1282,58 +1282,3 @@ void thread_info_cache_init(void)
+@@ -1274,58 +1274,3 @@ void thread_info_cache_init(void)
}
#endif /* THREAD_SHIFT < PAGE_SHIFT */
@@ -4369,7 +4418,7 @@ index 2692efd..6673d2e 100644
} else {
err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c
-index 1589723..cefe690 100644
+index ae0843f..f16372c 100644
--- a/arch/powerpc/kernel/traps.c
+++ b/arch/powerpc/kernel/traps.c
@@ -133,6 +133,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs)
@@ -4893,7 +4942,7 @@ index 60055ce..ee4b252 100644
- return ret;
-}
diff --git a/arch/s390/mm/mmap.c b/arch/s390/mm/mmap.c
-index 2857c48..d047481 100644
+index a64fe53..5c66963 100644
--- a/arch/s390/mm/mmap.c
+++ b/arch/s390/mm/mmap.c
@@ -92,10 +92,22 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
@@ -4919,7 +4968,7 @@ index 2857c48..d047481 100644
mm->get_unmapped_area = arch_get_unmapped_area_topdown;
mm->unmap_area = arch_unmap_area_topdown;
}
-@@ -166,10 +178,22 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
+@@ -174,10 +186,22 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
*/
if (mmap_is_legacy()) {
mm->mmap_base = TASK_UNMAPPED_BASE;
@@ -5678,13 +5727,13 @@ index a1091afb..380228e 100644
{
- unsigned long ret = ___copy_to_user(to, from, size);
+ unsigned long ret;
-
++
+ if ((long)size < 0 || size > INT_MAX)
+ return size;
+
+ if (!__builtin_constant_p(size))
+ check_object_size(from, size, true);
-+
+
+ ret = ___copy_to_user(to, from, size);
if (unlikely(ret))
ret = copy_to_user_fixup(to, from, size);
@@ -6516,7 +6565,7 @@ index 301421c..e2535d1 100644
obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o gup.o
obj-y += fault_$(BITS).o
diff --git a/arch/sparc/mm/fault_32.c b/arch/sparc/mm/fault_32.c
-index df3155a..eb708b8 100644
+index df3155a..9c41fb9 100644
--- a/arch/sparc/mm/fault_32.c
+++ b/arch/sparc/mm/fault_32.c
@@ -21,6 +21,9 @@
@@ -6529,7 +6578,7 @@ index df3155a..eb708b8 100644
#include <asm/page.h>
#include <asm/pgtable.h>
-@@ -207,6 +210,268 @@ static unsigned long compute_si_addr(struct pt_regs *regs, int text_fault)
+@@ -207,6 +210,277 @@ static unsigned long compute_si_addr(struct pt_regs *regs, int text_fault)
return safe_compute_effective_address(regs, insn);
}
@@ -6620,40 +6669,49 @@ index df3155a..eb708b8 100644
+ }
+ } while (0);
+
-+ { /* PaX: patched PLT emulation #2 */
++ do { /* PaX: patched PLT emulation #2 */
+ unsigned int ba;
+
+ err = get_user(ba, (unsigned int *)regs->pc);
+
-+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
++ if (err)
++ break;
++
++ if ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30480000U) {
+ unsigned int addr;
+
-+ addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
++ if ((ba & 0xFFC00000U) == 0x30800000U)
++ addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
++ else
++ addr = regs->pc + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
+ regs->pc = addr;
+ regs->npc = addr+4;
+ return 2;
+ }
-+ }
++ } while (0);
+
+ do { /* PaX: patched PLT emulation #3 */
-+ unsigned int sethi, jmpl, nop;
++ unsigned int sethi, bajmpl, nop;
+
+ err = get_user(sethi, (unsigned int *)regs->pc);
-+ err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
++ err |= get_user(bajmpl, (unsigned int *)(regs->pc+4));
+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
+
+ if (err)
+ break;
+
+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
-+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
++ ((bajmpl & 0xFFFFE000U) == 0x81C06000U || (bajmpl & 0xFFF80000U) == 0x30480000U) &&
+ nop == 0x01000000U)
+ {
+ unsigned int addr;
+
+ addr = (sethi & 0x003FFFFFU) << 10;
+ regs->u_regs[UREG_G1] = addr;
-+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
++ if ((bajmpl & 0xFFFFE000U) == 0x81C06000U)
++ addr += (((bajmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
++ else
++ addr = regs->pc + ((((bajmpl | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
+ regs->pc = addr;
+ regs->npc = addr+4;
+ return 2;
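Review bot: In PLT emulation #3 the new `ba,pt` arm computes its target from `regs->pc`, but `bajmpl` is read from `regs->pc+4`. SPARC branch displacements are relative to the branch instruction's own address, so the target looks four bytes short unless the emulated PLT layout encodes the displacement relative to the entry start. If that is not intended, the else-arm would read `addr = regs->pc + 4 + ((((bajmpl | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);`. Emulation #2 reads the branch word at `regs->pc` itself and is unaffected. The same expression appears with `regs->tpc` in the fault_64.c hunk, and the enclosing function starts and ends outside this hunk; as this is a carried patch, confirm against upstream before changing it.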
@@ -6798,7 +6856,7 @@ index df3155a..eb708b8 100644
static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
int text_fault)
{
-@@ -282,6 +547,24 @@ good_area:
+@@ -282,6 +556,24 @@ good_area:
if(!(vma->vm_flags & VM_WRITE))
goto bad_area;
} else {
@@ -6824,7 +6882,7 @@ index df3155a..eb708b8 100644
if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
goto bad_area;
diff --git a/arch/sparc/mm/fault_64.c b/arch/sparc/mm/fault_64.c
-index 1fe0429..aee2e87 100644
+index 1fe0429..8dd5dd5 100644
--- a/arch/sparc/mm/fault_64.c
+++ b/arch/sparc/mm/fault_64.c
@@ -21,6 +21,9 @@
@@ -6846,7 +6904,7 @@ index 1fe0429..aee2e87 100644
printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
dump_stack();
unhandled_fault(regs->tpc, current, regs);
-@@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32bit_fault_address(struct pt_regs *regs,
+@@ -272,6 +275,466 @@ static void noinline __kprobes bogus_32bit_fault_address(struct pt_regs *regs,
show_regs(regs);
}
@@ -6941,15 +6999,21 @@ index 1fe0429..aee2e87 100644
+ }
+ } while (0);
+
-+ { /* PaX: patched PLT emulation #2 */
++ do { /* PaX: patched PLT emulation #2 */
+ unsigned int ba;
+
+ err = get_user(ba, (unsigned int *)regs->tpc);
+
-+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
++ if (err)
++ break;
++
++ if ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30480000U) {
+ unsigned long addr;
+
-+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
++ if ((ba & 0xFFC00000U) == 0x30800000U)
++ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
++ else
++ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
+
+ if (test_thread_flag(TIF_32BIT))
+ addr &= 0xFFFFFFFFUL;
@@ -6958,27 +7022,30 @@ index 1fe0429..aee2e87 100644
+ regs->tnpc = addr+4;
+ return 2;
+ }
-+ }
++ } while (0);
+
+ do { /* PaX: patched PLT emulation #3 */
-+ unsigned int sethi, jmpl, nop;
++ unsigned int sethi, bajmpl, nop;
+
+ err = get_user(sethi, (unsigned int *)regs->tpc);
-+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
++ err |= get_user(bajmpl, (unsigned int *)(regs->tpc+4));
+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
+
+ if (err)
+ break;
+
+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
-+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
++ ((bajmpl & 0xFFFFE000U) == 0x81C06000U || (bajmpl & 0xFFF80000U) == 0x30480000U) &&
+ nop == 0x01000000U)
+ {
+ unsigned long addr;
+
+ addr = (sethi & 0x003FFFFFU) << 10;
+ regs->u_regs[UREG_G1] = addr;
-+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
++ if ((bajmpl & 0xFFFFE000U) == 0x81C06000U)
++ addr += (((bajmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
++ else
++ addr = regs->tpc + ((((bajmpl | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
+
+ if (test_thread_flag(TIF_32BIT))
+ addr &= 0xFFFFFFFFUL;
@@ -7304,7 +7371,7 @@ index 1fe0429..aee2e87 100644
asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
{
struct mm_struct *mm = current->mm;
-@@ -343,6 +797,29 @@ retry:
+@@ -343,6 +806,29 @@ retry:
if (!vma)
goto bad_area;
@@ -8056,10 +8123,10 @@ index 4d3ff03..e4972ff 100644
err = check_flags();
}
diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S
-index f1bbeeb..aff09cb 100644
+index f1bbeeb..e58f183 100644
--- a/arch/x86/boot/header.S
+++ b/arch/x86/boot/header.S
-@@ -372,7 +372,7 @@ setup_data: .quad 0 # 64-bit physical pointer to
+@@ -372,10 +372,14 @@ setup_data: .quad 0 # 64-bit physical pointer to
# single linked list of
# struct setup_data
@@ -8067,7 +8134,14 @@ index f1bbeeb..aff09cb 100644
+pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
#define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
++#define VO_INIT_SIZE (VO__end - VO__text - __PAGE_OFFSET - ____LOAD_PHYSICAL_ADDR)
++#else
#define VO_INIT_SIZE (VO__end - VO__text)
++#endif
+ #if ZO_INIT_SIZE > VO_INIT_SIZE
+ #define INIT_SIZE ZO_INIT_SIZE
+ #else
diff --git a/arch/x86/boot/memory.c b/arch/x86/boot/memory.c
index db75d07..8e6d0af 100644
--- a/arch/x86/boot/memory.c
@@ -9130,7 +9204,7 @@ index 20370c6..a2eb9b0 100644
"popl %%ebp\n\t"
"popl %%edi\n\t"
diff --git a/arch/x86/include/asm/atomic.h b/arch/x86/include/asm/atomic.h
-index 58cb6d4..ca9010d 100644
+index 58cb6d4..a4b806c 100644
--- a/arch/x86/include/asm/atomic.h
+++ b/arch/x86/include/asm/atomic.h
@@ -22,7 +22,18 @@
@@ -9538,6 +9612,52 @@ index 58cb6d4..ca9010d 100644
/*
* atomic_dec_if_positive - decrement by 1 if old value positive
+@@ -293,14 +552,37 @@ static inline void atomic_or_long(unsigned long *v1, unsigned long v2)
+ #endif
+
+ /* These are x86-specific, used by some header files */
+-#define atomic_clear_mask(mask, addr) \
+- asm volatile(LOCK_PREFIX "andl %0,%1" \
+- : : "r" (~(mask)), "m" (*(addr)) : "memory")
+-
+-#define atomic_set_mask(mask, addr) \
+- asm volatile(LOCK_PREFIX "orl %0,%1" \
+- : : "r" ((unsigned)(mask)), "m" (*(addr)) \
+- : "memory")
++static inline void atomic_clear_mask(unsigned int mask, atomic_t *v)
++{
++ asm volatile(LOCK_PREFIX "andl %1,%0"
++ : "+m" (v->counter)
++ : "r" (~(mask))
++ : "memory");
++}
++
++static inline void atomic_clear_mask_unchecked(unsigned int mask, atomic_unchecked_t *v)
++{
++ asm volatile(LOCK_PREFIX "andl %1,%0"
++ : "+m" (v->counter)
++ : "r" (~(mask))
++ : "memory");
++}
++
++static inline void atomic_set_mask(unsigned int mask, atomic_t *v)
++{
++ asm volatile(LOCK_PREFIX "orl %1,%0"
++ : "+m" (v->counter)
++ : "r" (mask)
++ : "memory");
++}
++
++static inline void atomic_set_mask_unchecked(unsigned int mask, atomic_unchecked_t *v)
++{
++ asm volatile(LOCK_PREFIX "orl %1,%0"
++ : "+m" (v->counter)
++ : "r" (mask)
++ : "memory");
++}
+
+ /* Atomic operations are already serializing on x86 */
+ #define smp_mb__before_atomic_dec() barrier()
diff --git a/arch/x86/include/asm/atomic64_32.h b/arch/x86/include/asm/atomic64_32.h
index 1981199..36b9dfb 100644
--- a/arch/x86/include/asm/atomic64_32.h
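Review bot: `atomic_clear_mask()` and `atomic_set_mask()` change from macros that accepted any `addr` into inline functions taking `atomic_t *`, so a caller that passed a plain integer pointer will now draw an incompatible-pointer diagnostic and needs updating. Callers are not visible in this hunk, so they should be checked. The `_unchecked` variants have bodies identical to the checked ones, which deserves a comment above them, for example `/* mask operations cannot overflow, so there is no refcount check here; _unchecked differs only in the pointer type */`.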
@@ -10191,10 +10311,24 @@ index 99480e5..d81165b 100644
({ \
__typeof__ (*(ptr)) __ret = (inc); \
diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
-index f91e80f..7f9bd27 100644
+index f91e80f..7731066 100644
--- a/arch/x86/include/asm/cpufeature.h
+++ b/arch/x86/include/asm/cpufeature.h
-@@ -371,7 +371,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit)
+@@ -202,11 +202,12 @@
+ #define X86_FEATURE_BMI1 (9*32+ 3) /* 1st group bit manipulation extensions */
+ #define X86_FEATURE_HLE (9*32+ 4) /* Hardware Lock Elision */
+ #define X86_FEATURE_AVX2 (9*32+ 5) /* AVX2 instructions */
+-#define X86_FEATURE_SMEP (9*32+ 7) /* Supervisor Mode Execution Protection */
++#define X86_FEATURE_SMEP (9*32+ 7) /* Supervisor Mode Execution Prevention */
+ #define X86_FEATURE_BMI2 (9*32+ 8) /* 2nd group bit manipulation extensions */
+ #define X86_FEATURE_ERMS (9*32+ 9) /* Enhanced REP MOVSB/STOSB */
+ #define X86_FEATURE_INVPCID (9*32+10) /* Invalidate Processor Context ID */
+ #define X86_FEATURE_RTM (9*32+11) /* Restricted Transactional Memory */
++#define X86_FEATURE_SMAP (9*32+20) /* Supervisor Mode Access Prevention */
+
+ #if defined(__KERNEL__) && !defined(__ASSEMBLY__)
+
+@@ -371,7 +372,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit)
".section .discard,\"aw\",@progbits\n"
" .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
".previous\n"
@@ -11019,9 +11153,9 @@ index 6902152..da4283a 100644
+#endif
+
}
-+#endif
- }
--#endif
+- }
+ #endif
++ }
}
#define activate_mm(prev, next) \
@@ -11760,6 +11894,18 @@ index 013286a..8b42f4f 100644
#define pgprot_writecombine pgprot_writecombine
extern pgprot_t pgprot_writecombine(pgprot_t prot);
+diff --git a/arch/x86/include/asm/processor-flags.h b/arch/x86/include/asm/processor-flags.h
+index f8ab3ea..67889db 100644
+--- a/arch/x86/include/asm/processor-flags.h
++++ b/arch/x86/include/asm/processor-flags.h
+@@ -63,6 +63,7 @@
+ #define X86_CR4_RDWRGSFS 0x00010000 /* enable RDWRGSFS support */
+ #define X86_CR4_OSXSAVE 0x00040000 /* enable xsave and xrestore */
+ #define X86_CR4_SMEP 0x00100000 /* enable SMEP support */
++#define X86_CR4_SMAP 0x00200000 /* enable SMAP support */
+
+ /*
+ * x86-64 Task Priority Register, CR8
diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
index 4fa7dcc..764e33a 100644
--- a/arch/x86/include/asm/processor.h
@@ -11941,7 +12087,7 @@ index dcfde52..dbfea06 100644
}
#endif
diff --git a/arch/x86/include/asm/reboot.h b/arch/x86/include/asm/reboot.h
-index 92f29706..a79cbbb 100644
+index 92f29706..d0a1a53 100644
--- a/arch/x86/include/asm/reboot.h
+++ b/arch/x86/include/asm/reboot.h
@@ -6,19 +6,19 @@
@@ -11966,7 +12112,7 @@ index 92f29706..a79cbbb 100644
void native_machine_crash_shutdown(struct pt_regs *regs);
void native_machine_shutdown(void);
-void machine_real_restart(unsigned int type);
-+void machine_real_restart(unsigned int type) __noreturn;
++void __noreturn machine_real_restart(unsigned int type);
/* These must match dispatch_table in reboot_32.S */
#define MRR_BIOS 0
#define MRR_APM 1
@@ -12315,15 +12461,7 @@ index 70bbe39..4ae2bd4 100644
- void *data,
- unsigned long *end,
- int *graph);
-+typedef unsigned long walk_stack_t(struct task_struct *task,
-+ void *stack_start,
-+ unsigned long *stack,
-+ unsigned long bp,
-+ const struct stacktrace_ops *ops,
-+ void *data,
-+ unsigned long *end,
-+ int *graph);
-
+-
-extern unsigned long
-print_context_stack(struct thread_info *tinfo,
- unsigned long *stack, unsigned long bp,
@@ -12335,6 +12473,15 @@ index 70bbe39..4ae2bd4 100644
- unsigned long *stack, unsigned long bp,
- const struct stacktrace_ops *ops, void *data,
- unsigned long *end, int *graph);
++typedef unsigned long walk_stack_t(struct task_struct *task,
++ void *stack_start,
++ unsigned long *stack,
++ unsigned long bp,
++ const struct stacktrace_ops *ops,
++ void *data,
++ unsigned long *end,
++ int *graph);
++
+extern walk_stack_t print_context_stack;
+extern walk_stack_t print_context_stack_bp;
@@ -12474,43 +12621,16 @@ index ad6df8c..5e0cf6e 100644
/* Only used for 64 bit */
#define _TIF_DO_NOTIFY_MASK \
-@@ -173,45 +171,40 @@ struct thread_info {
+@@ -173,6 +171,23 @@ struct thread_info {
ret; \
})
--#ifdef CONFIG_X86_32
--
--#define STACK_WARN (THREAD_SIZE/8)
--/*
-- * macros/functions for gaining access to the thread information structure
-- *
-- * preempt_count needs to be 1 initially, until the scheduler is functional.
-- */
--#ifndef __ASSEMBLY__
--
--
--/* how to get the current stack pointer from C */
--register unsigned long current_stack_pointer asm("esp") __used;
--
--/* how to get the thread information struct from C */
--static inline struct thread_info *current_thread_info(void)
--{
-- return (struct thread_info *)
-- (current_stack_pointer & ~(THREAD_SIZE - 1));
--}
--
--#else /* !__ASSEMBLY__ */
--
+#ifdef __ASSEMBLY__
- /* how to get the thread information struct from ASM */
- #define GET_THREAD_INFO(reg) \
-- movl $-THREAD_SIZE, reg; \
-- andl %esp, reg
++/* how to get the thread information struct from ASM */
++#define GET_THREAD_INFO(reg) \
+ mov PER_CPU_VAR(current_tinfo), reg
-
- /* use this one if reg already contains %esp */
--#define GET_THREAD_INFO_WITH_ESP(reg) \
-- andl $-THREAD_SIZE, reg
++
++/* use this one if reg already contains %esp */
+#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg)
+#else
+/* how to get the thread information struct from C */
@@ -12522,19 +12642,35 @@ index ad6df8c..5e0cf6e 100644
+}
+#endif
+
-+#ifdef CONFIG_X86_32
-+
-+#define STACK_WARN (THREAD_SIZE/8)
-+/*
-+ * macros/functions for gaining access to the thread information structure
-+ *
-+ * preempt_count needs to be 1 initially, until the scheduler is functional.
-+ */
-+#ifndef __ASSEMBLY__
-+
-+/* how to get the current stack pointer from C */
-+register unsigned long current_stack_pointer asm("esp") __used;
+ #ifdef CONFIG_X86_32
+ #define STACK_WARN (THREAD_SIZE/8)
+@@ -183,35 +198,13 @@ struct thread_info {
+ */
+ #ifndef __ASSEMBLY__
+
+-
+ /* how to get the current stack pointer from C */
+ register unsigned long current_stack_pointer asm("esp") __used;
+
+-/* how to get the thread information struct from C */
+-static inline struct thread_info *current_thread_info(void)
+-{
+- return (struct thread_info *)
+- (current_stack_pointer & ~(THREAD_SIZE - 1));
+-}
+-
+-#else /* !__ASSEMBLY__ */
+-
+-/* how to get the thread information struct from ASM */
+-#define GET_THREAD_INFO(reg) \
+- movl $-THREAD_SIZE, reg; \
+- andl %esp, reg
+-
+-/* use this one if reg already contains %esp */
+-#define GET_THREAD_INFO_WITH_ESP(reg) \
+- andl $-THREAD_SIZE, reg
+-
#endif
#else /* X86_32 */
@@ -12912,18 +13048,18 @@ index 8084bc7..3d6ec37 100644
unsigned long n)
{
- return __copy_from_user_ll_nocache_nozero(to, from, n);
+-}
+ if ((long)n < 0)
+ return n;
-+
-+ return __copy_from_user_ll_nocache_nozero(to, from, n);
- }
-unsigned long __must_check copy_to_user(void __user *to,
- const void *from, unsigned long n);
-unsigned long __must_check _copy_from_user(void *to,
- const void __user *from,
- unsigned long n);
--
++ return __copy_from_user_ll_nocache_nozero(to, from, n);
++}
+
+extern void copy_to_user_overflow(void)
+#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
+ __compiletime_error("copy_to_user() buffer size is not provably correct")
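Review bot: The `if ((long)n < 0) return n;` guard placed ahead of the `__copy_from_user_ll_nocache_nozero()` call has no comment, and its meaning depends on the return convention of the user-copy helpers. A length with the top bit set is refused and the full `n` is returned, which callers presumably read as "nothing was copied". A one-line comment such as `/* refuse lengths that are negative as long; returning n reports zero bytes copied */` would make that explicit. The function's signature starts outside this hunk, so its name cannot be confirmed from here.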
@@ -12963,6 +13099,7 @@ index 8084bc7..3d6ec37 100644
- if (likely(sz == -1 || sz >= n))
- n = _copy_from_user(to, from, n);
- else
+- copy_from_user_overflow();
+ if (unlikely(sz != (size_t)-1 && sz < n))
+ copy_to_user_overflow();
+ else if (access_ok(VERIFY_WRITE, to, n))
@@ -12990,10 +13127,9 @@ index 8084bc7..3d6ec37 100644
+copy_from_user(void *to, const void __user *from, unsigned long n)
+{
+ size_t sz = __compiletime_object_size(to);
-+
+
+ if (unlikely(sz != (size_t)-1 && sz < n))
- copy_from_user_overflow();
--
++ copy_from_user_overflow();
+ else if (access_ok(VERIFY_READ, from, n))
+ n = __copy_from_user(to, from, n);
+ else if ((long)n > 0) {
@@ -13015,7 +13151,7 @@ index 8084bc7..3d6ec37 100644
#endif /* _ASM_X86_UACCESS_32_H */
diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
-index fcd4b6f..ef04f8f 100644
+index fcd4b6f..835efe7 100644
--- a/arch/x86/include/asm/uaccess_64.h
+++ b/arch/x86/include/asm/uaccess_64.h
@@ -10,6 +10,9 @@
@@ -13028,7 +13164,7 @@ index fcd4b6f..ef04f8f 100644
/*
* Copy To/From Userspace
-@@ -17,12 +20,14 @@
+@@ -17,12 +20,12 @@
/* Handles exceptions in both to and from, but doesn't do access_ok */
__must_check unsigned long
@@ -13038,15 +13174,14 @@ index fcd4b6f..ef04f8f 100644
-copy_user_generic_unrolled(void *to, const void *from, unsigned len);
+copy_user_generic_unrolled(void *to, const void *from, unsigned long len) __size_overflow(3);
- static __always_inline __must_check unsigned long
+-static __always_inline __must_check unsigned long
-copy_user_generic(void *to, const void *from, unsigned len)
-+copy_user_generic(void *to, const void *from, unsigned long len) __size_overflow(3);
-+static __always_inline __must_check unsigned long
++static __always_inline __must_check __size_overflow(3) unsigned long
+copy_user_generic(void *to, const void *from, unsigned long len)
{
unsigned ret;
-@@ -32,142 +37,238 @@ copy_user_generic(void *to, const void *from, unsigned len)
+@@ -32,142 +35,238 @@ copy_user_generic(void *to, const void *from, unsigned len)
ASM_OUTPUT2("=a" (ret), "=D" (to), "=S" (from),
"=d" (len)),
"1" (to), "2" (from), "3" (len)
@@ -13333,7 +13468,7 @@ index fcd4b6f..ef04f8f 100644
ret, "b", "b", "=q", 1);
if (likely(!ret))
__put_user_asm(tmp, (u8 __user *)dst,
-@@ -176,7 +277,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -176,7 +275,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
}
case 2: {
u16 tmp;
@@ -13342,7 +13477,7 @@ index fcd4b6f..ef04f8f 100644
ret, "w", "w", "=r", 2);
if (likely(!ret))
__put_user_asm(tmp, (u16 __user *)dst,
-@@ -186,7 +287,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -186,7 +285,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
case 4: {
u32 tmp;
@@ -13351,7 +13486,7 @@ index fcd4b6f..ef04f8f 100644
ret, "l", "k", "=r", 4);
if (likely(!ret))
__put_user_asm(tmp, (u32 __user *)dst,
-@@ -195,7 +296,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -195,7 +294,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
}
case 8: {
u64 tmp;
@@ -13360,7 +13495,7 @@ index fcd4b6f..ef04f8f 100644
ret, "q", "", "=r", 8);
if (likely(!ret))
__put_user_asm(tmp, (u64 __user *)dst,
-@@ -203,47 +304,92 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -203,47 +302,92 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
return ret;
}
default:
@@ -13712,7 +13847,7 @@ index 7261083..5c12053 100644
bogus_magic:
jmp bogus_magic
diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
-index 1f84794..e23f862 100644
+index 73ef56c..0238021 100644
--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -276,6 +276,13 @@ void __init_or_module apply_alternatives(struct alt_instr *start,
@@ -14016,16 +14151,16 @@ index 68de2dc..1f3c720 100644
+
+#ifdef CONFIG_PAX_KERNEXEC
+ OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
- #endif
-
++#endif
++
+#ifdef CONFIG_PAX_MEMORY_UDEREF
+ OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
+ OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
+#ifdef CONFIG_X86_64
+ OFFSET(PV_MMU_set_pgd_batched, pv_mmu_ops, set_pgd_batched);
+#endif
-+#endif
-+
+ #endif
+
+#endif
+
+ BLANK();
@@ -14243,7 +14378,7 @@ index 3e6ff6c..54b4992 100644
}
#endif
diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
-index 61604ae..98250a5 100644
+index 0d2db0e..7c1fb04 100644
--- a/arch/x86/kernel/cpu/mcheck/mce.c
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
@@ -42,6 +42,7 @@
@@ -14303,7 +14438,7 @@ index 61604ae..98250a5 100644
wait_for_panic();
if (!monarch_timeout)
goto out;
-@@ -1535,7 +1536,7 @@ static void unexpected_machine_check(struct pt_regs *regs, long error_code)
+@@ -1537,7 +1538,7 @@ static void unexpected_machine_check(struct pt_regs *regs, long error_code)
}
/* Call the installed machine check handler for this CPU setup. */
@@ -14312,7 +14447,7 @@ index 61604ae..98250a5 100644
unexpected_machine_check;
/*
-@@ -1558,7 +1559,9 @@ void __cpuinit mcheck_cpu_init(struct cpuinfo_x86 *c)
+@@ -1560,7 +1561,9 @@ void __cpuinit mcheck_cpu_init(struct cpuinfo_x86 *c)
return;
}
@@ -14322,7 +14457,7 @@ index 61604ae..98250a5 100644
__mcheck_cpu_init_generic();
__mcheck_cpu_init_vendor(c);
-@@ -1572,7 +1575,7 @@ void __cpuinit mcheck_cpu_init(struct cpuinfo_x86 *c)
+@@ -1574,7 +1577,7 @@ void __cpuinit mcheck_cpu_init(struct cpuinfo_x86 *c)
*/
static DEFINE_SPINLOCK(mce_chrdev_state_lock);
@@ -14331,7 +14466,7 @@ index 61604ae..98250a5 100644
static int mce_chrdev_open_exclu; /* already open exclusive? */
static int mce_chrdev_open(struct inode *inode, struct file *file)
-@@ -1580,7 +1583,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file)
+@@ -1582,7 +1585,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file)
spin_lock(&mce_chrdev_state_lock);
if (mce_chrdev_open_exclu ||
@@ -14340,7 +14475,7 @@ index 61604ae..98250a5 100644
spin_unlock(&mce_chrdev_state_lock);
return -EBUSY;
-@@ -1588,7 +1591,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file)
+@@ -1590,7 +1593,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file)
if (file->f_flags & O_EXCL)
mce_chrdev_open_exclu = 1;
@@ -14349,7 +14484,7 @@ index 61604ae..98250a5 100644
spin_unlock(&mce_chrdev_state_lock);
-@@ -1599,7 +1602,7 @@ static int mce_chrdev_release(struct inode *inode, struct file *file)
+@@ -1601,7 +1604,7 @@ static int mce_chrdev_release(struct inode *inode, struct file *file)
{
spin_lock(&mce_chrdev_state_lock);
@@ -14358,7 +14493,7 @@ index 61604ae..98250a5 100644
mce_chrdev_open_exclu = 0;
spin_unlock(&mce_chrdev_state_lock);
-@@ -2324,7 +2327,7 @@ struct dentry *mce_get_debugfs_dir(void)
+@@ -2326,7 +2329,7 @@ struct dentry *mce_get_debugfs_dir(void)
static void mce_reset(void)
{
cpu_missing = 0;
@@ -17218,12 +17353,8 @@ index 40f4eb3..6d24d9d 100644
- addq %rbp, level3_kernel_pgt + (510*8)(%rip)
- addq %rbp, level3_kernel_pgt + (511*8)(%rip)
-+ addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
-+
-+ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
-+ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
-
- addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
+-
+- addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
-
- /* Add an Identity mapping if I am above 1G */
- leaq _text(%rip), %rdi
@@ -17233,11 +17364,14 @@ index 40f4eb3..6d24d9d 100644
- shrq $PUD_SHIFT, %rax
- andq $(PTRS_PER_PUD - 1), %rax
- jz ident_complete
--
++ addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
+
- leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
- leaq level3_ident_pgt(%rip), %rbx
- movq %rdx, 0(%rbx, %rax, 8)
--
++ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
++ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
+
- movq %rdi, %rax
- shrq $PMD_SHIFT, %rax
- andq $(PTRS_PER_PMD - 1), %rax
@@ -17245,6 +17379,7 @@ index 40f4eb3..6d24d9d 100644
- leaq level2_spare_pgt(%rip), %rbx
- movq %rdx, 0(%rbx, %rax, 8)
-ident_complete:
++ addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
+ addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
/*
@@ -17313,9 +17448,9 @@ index 40f4eb3..6d24d9d 100644
.asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
early_idt_ripmsg:
.asciz "RIP %s\n"
-+ .previous
- #endif /* CONFIG_EARLY_PRINTK */
-- .previous
+-#endif /* CONFIG_EARLY_PRINTK */
+ .previous
++#endif /* CONFIG_EARLY_PRINTK */
+ .section .rodata,"a",@progbits
#define NEXT_PAGE(name) \
@@ -17793,15 +17928,15 @@ index d04d3ec..ea4b374 100644
if (regs->sp >= curbase + sizeof(struct thread_info) +
diff --git a/arch/x86/kernel/kdebugfs.c b/arch/x86/kernel/kdebugfs.c
-index 1d5d31e..ab846ed 100644
+index 1d5d31e..72731d4 100644
--- a/arch/x86/kernel/kdebugfs.c
+++ b/arch/x86/kernel/kdebugfs.c
-@@ -28,6 +28,8 @@ struct setup_data_node {
+@@ -27,7 +27,7 @@ struct setup_data_node {
+ u32 len;
};
- static ssize_t setup_data_read(struct file *file, char __user *user_buf,
-+ size_t count, loff_t *ppos) __size_overflow(3);
-+static ssize_t setup_data_read(struct file *file, char __user *user_buf,
+-static ssize_t setup_data_read(struct file *file, char __user *user_buf,
++static ssize_t __size_overflow(3) setup_data_read(struct file *file, char __user *user_buf,
size_t count, loff_t *ppos)
{
struct setup_data_node *node = file->private_data;
@@ -18303,10 +18438,10 @@ index ab13760..01218e0 100644
ret = paravirt_patch_ident_32(insnbuf, len);
- else if (opfunc == _paravirt_ident_64)
+ else if (opfunc == (void *)_paravirt_ident_64)
- ret = paravirt_patch_ident_64(insnbuf, len);
++ ret = paravirt_patch_ident_64(insnbuf, len);
+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
+ else if (opfunc == (void *)__raw_callee_save__paravirt_ident_64)
-+ ret = paravirt_patch_ident_64(insnbuf, len);
+ ret = paravirt_patch_ident_64(insnbuf, len);
+#endif
else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
@@ -18549,7 +18684,7 @@ index 1d92a5a..7bc8c29 100644
+
+ if (v8086_mode(regs))
+ return;
-
++
+ rdtscl(time);
+
+ /* P4 seems to return a 0 LSB, ignore it */
@@ -18566,7 +18701,7 @@ index 1d92a5a..7bc8c29 100644
+
+ thread->sp0 ^= time;
+ load_sp0(init_tss + smp_processor_id(), thread);
-+
+
+#ifdef CONFIG_X86_64
+ percpu_write(kernel_stack, thread->sp0);
+#endif
@@ -18828,7 +18963,7 @@ index 42eb330..139955c 100644
return ret;
diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
-index 3034ee5..7cfbfa6 100644
+index 3034ee5..554ae2d 100644
--- a/arch/x86/kernel/reboot.c
+++ b/arch/x86/kernel/reboot.c
@@ -35,7 +35,7 @@ void (*pm_power_off)(void);
@@ -18877,7 +19012,7 @@ index 3034ee5..7cfbfa6 100644
/* GDT[0]: GDT self-pointer */
lowmem_gdt[0] =
-@@ -385,7 +389,33 @@ void machine_real_restart(unsigned int type)
+@@ -385,7 +389,35 @@ void machine_real_restart(unsigned int type)
GDT_ENTRY(0x009b, restart_pa, 0xffff);
/* Jump to the identity-mapped low memory code */
@@ -18888,7 +19023,9 @@ index 3034ee5..7cfbfa6 100644
+#ifdef CONFIG_PAX_MEMORY_UDEREF
+ gdt[GDT_ENTRY_KERNEL_DS].type = 3;
+ gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
-+ asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
++ loadsegment(ds, __KERNEL_DS);
++ loadsegment(es, __KERNEL_DS);
++ loadsegment(ss, __KERNEL_DS);
+#endif
+#ifdef CONFIG_PAX_KERNEXEC
+ gdt[GDT_ENTRY_KERNEL_CS].base0 = 0;
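Review bot: The three `loadsegment()` calls under `CONFIG_PAX_MEMORY_UDEREF` come directly after `gdt[GDT_ENTRY_KERNEL_DS].type` and `.limit` are rewritten, and nothing states why the reload is needed. A segment register keeps its cached descriptor until it is loaded again, so the modified entry only takes effect once `ds`, `es` and `ss` are reloaded. A comment above the first call would record that, for example `/* reload so the cached descriptors pick up the modified KERNEL_DS entry */`. The body of `machine_real_restart()` continues outside this hunk.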
@@ -18911,16 +19048,16 @@ index 3034ee5..7cfbfa6 100644
}
#ifdef CONFIG_APM_MODULE
EXPORT_SYMBOL(machine_real_restart);
-@@ -564,7 +594,7 @@ void __attribute__((weak)) mach_reboot_fixups(void)
+@@ -564,7 +596,7 @@ void __attribute__((weak)) mach_reboot_fixups(void)
* try to force a triple fault and then cycle between hitting the keyboard
* controller and doing that
*/
-static void native_machine_emergency_restart(void)
-+__noreturn static void native_machine_emergency_restart(void)
++static void __noreturn native_machine_emergency_restart(void)
{
int i;
int attempt = 0;
-@@ -688,13 +718,13 @@ void native_machine_shutdown(void)
+@@ -688,13 +720,13 @@ void native_machine_shutdown(void)
#endif
}
@@ -18932,29 +19069,29 @@ index 3034ee5..7cfbfa6 100644
}
-static void native_machine_restart(char *__unused)
-+static __noreturn void native_machine_restart(char *__unused)
++static void __noreturn native_machine_restart(char *__unused)
{
printk("machine restart\n");
-@@ -703,7 +733,7 @@ static void native_machine_restart(char *__unused)
+@@ -703,7 +735,7 @@ static void native_machine_restart(char *__unused)
__machine_emergency_restart(0);
}
-static void native_machine_halt(void)
-+static __noreturn void native_machine_halt(void)
++static void __noreturn native_machine_halt(void)
{
/* stop other cpus and apics */
machine_shutdown();
-@@ -714,7 +744,7 @@ static void native_machine_halt(void)
+@@ -714,7 +746,7 @@ static void native_machine_halt(void)
stop_this_cpu(NULL);
}
-static void native_machine_power_off(void)
-+__noreturn static void native_machine_power_off(void)
++static void __noreturn native_machine_power_off(void)
{
if (pm_power_off) {
if (!reboot_force)
-@@ -723,6 +753,7 @@ static void native_machine_power_off(void)
+@@ -723,6 +755,7 @@ static void native_machine_power_off(void)
}
/* a fallback in case there is no PM info available */
tboot_shutdown(TB_SHUTDOWN_HALT);
@@ -19271,12 +19408,7 @@ index 0b0cb5f..db6b9ed 100644
- const char *const argv[],
- const char *const envp[])
+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
- {
-- long __res;
-- asm volatile ("int $0x80"
-- : "=a" (__res)
-- : "0" (__NR_execve), "b" (filename), "c" (argv), "d" (envp) : "memory");
-- return __res;
++{
+ unsigned long pax_task_size = TASK_SIZE;
+
+#ifdef CONFIG_PAX_SEGMEXEC
@@ -19384,7 +19516,12 @@ index 0b0cb5f..db6b9ed 100644
+arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+ const unsigned long len, const unsigned long pgoff,
+ const unsigned long flags)
-+{
+ {
+- long __res;
+- asm volatile ("int $0x80"
+- : "=a" (__res)
+- : "0" (__NR_execve), "b" (filename), "c" (argv), "d" (envp) : "memory");
+- return __res;
+ struct vm_area_struct *vma;
+ struct mm_struct *mm = current->mm;
+ unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
@@ -20005,7 +20142,7 @@ index 255f58a..5e91150 100644
goto cannot_handle;
if ((segoffs >> 16) == BIOSSEG)
diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
-index 0f703f1..9e15f64 100644
+index 0f703f1..3b426f3 100644
--- a/arch/x86/kernel/vmlinux.lds.S
+++ b/arch/x86/kernel/vmlinux.lds.S
@@ -26,6 +26,13 @@
@@ -20074,7 +20211,7 @@ index 0f703f1..9e15f64 100644
HEAD_TEXT
#ifdef CONFIG_X86_32
. = ALIGN(PAGE_SIZE);
-@@ -108,13 +128,47 @@ SECTIONS
+@@ -108,13 +128,48 @@ SECTIONS
IRQENTRY_TEXT
*(.fixup)
*(.gnu.warning)
@@ -20094,8 +20231,8 @@ index 0f703f1..9e15f64 100644
+ MODULES_EXEC_VADDR = .;
+ BYTE(0)
+ . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
-+ . = ALIGN(HPAGE_SIZE);
-+ MODULES_EXEC_END = . - 1;
++ . = ALIGN(HPAGE_SIZE) - 1;
++ MODULES_EXEC_END = .;
+#endif
+
+ } :module
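Review bot: Moving the `- 1` from `MODULES_EXEC_END` onto the location counter leaves `.` one byte short of the `HPAGE_SIZE` boundary when the section closes, and nothing in the linker script says this is intended. The next hunk adds `BYTE(0)` at the top of `.text.end`, which looks like the byte that brings `.` back to the boundary before `_etext` is computed. If so, a comment at either spot would stop a later edit from dropping one half of the pair, for example `/* stop one byte short; BYTE(0) in .text.end supplies the last byte */`. The value of `MODULES_EXEC_END` itself appears unchanged by the rewrite.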
@@ -20103,6 +20240,7 @@ index 0f703f1..9e15f64 100644
+
+ .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
+ /* End of text section */
++ BYTE(0)
+ _etext = . - __KERNEL_TEXT_OFFSET;
+ }
+
@@ -20126,7 +20264,7 @@ index 0f703f1..9e15f64 100644
#if defined(CONFIG_DEBUG_RODATA)
/* .text should occupy whole number of pages */
-@@ -126,16 +180,20 @@ SECTIONS
+@@ -126,16 +181,20 @@ SECTIONS
/* Data */
.data : AT(ADDR(.data) - LOAD_OFFSET) {
@@ -20150,7 +20288,7 @@ index 0f703f1..9e15f64 100644
PAGE_ALIGNED_DATA(PAGE_SIZE)
-@@ -176,12 +234,19 @@ SECTIONS
+@@ -176,12 +235,19 @@ SECTIONS
#endif /* CONFIG_X86_64 */
/* Init code and data - will be freed after init */
@@ -20173,7 +20311,7 @@ index 0f703f1..9e15f64 100644
/*
* percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
* output PHDR, so the next output section - .init.text - should
-@@ -190,12 +255,27 @@ SECTIONS
+@@ -190,12 +256,27 @@ SECTIONS
PERCPU_VADDR(INTERNODE_CACHE_BYTES, 0, :percpu)
#endif
@@ -20206,7 +20344,7 @@ index 0f703f1..9e15f64 100644
/*
* Code and data for a variety of lowlevel trampolines, to be
-@@ -269,19 +349,12 @@ SECTIONS
+@@ -269,19 +350,12 @@ SECTIONS
}
. = ALIGN(8);
@@ -20227,7 +20365,7 @@ index 0f703f1..9e15f64 100644
PERCPU_SECTION(INTERNODE_CACHE_BYTES)
#endif
-@@ -300,16 +373,10 @@ SECTIONS
+@@ -300,16 +374,10 @@ SECTIONS
.smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
__smp_locks = .;
*(.smp_locks)
@@ -20245,7 +20383,7 @@ index 0f703f1..9e15f64 100644
/* BSS */
. = ALIGN(PAGE_SIZE);
.bss : AT(ADDR(.bss) - LOAD_OFFSET) {
-@@ -325,6 +392,7 @@ SECTIONS
+@@ -325,6 +393,7 @@ SECTIONS
__brk_base = .;
. += 64 * 1024; /* 64k alignment slop space */
*(.brk_reservation) /* areas brk users have reserved */
@@ -20253,7 +20391,7 @@ index 0f703f1..9e15f64 100644
__brk_limit = .;
}
-@@ -351,13 +419,12 @@ SECTIONS
+@@ -351,13 +420,12 @@ SECTIONS
* for the boot processor.
*/
#define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
@@ -22829,7 +22967,7 @@ index a63efd6..ccecad8 100644
ret
CFI_ENDPROC
diff --git a/arch/x86/lib/usercopy_32.c b/arch/x86/lib/usercopy_32.c
-index ef2a6a5..3b28862 100644
+index ef2a6a5..dc7f3dd 100644
--- a/arch/x86/lib/usercopy_32.c
+++ b/arch/x86/lib/usercopy_32.c
@@ -41,10 +41,12 @@ do { \
@@ -22936,7 +23074,7 @@ index ef2a6a5..3b28862 100644
".section .fixup,\"ax\"\n"
"101: lea 0(%%eax,%0,4),%0\n"
" jmp 100b\n"
-@@ -247,46 +253,155 @@ __copy_user_intel(void __user *to, const void *from, unsigned long size)
+@@ -247,46 +253,153 @@ __copy_user_intel(void __user *to, const void *from, unsigned long size)
}
static unsigned long
@@ -23046,9 +23184,7 @@ index ef2a6a5..3b28862 100644
+ return size;
+}
+
-+static unsigned long
-+__copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size) __size_overflow(3);
-+static unsigned long
++static unsigned long __size_overflow(3)
__copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
{
int d0, d1;
@@ -23110,7 +23246,7 @@ index ef2a6a5..3b28862 100644
" movl %%eax, 56(%3)\n"
" movl %%edx, 60(%3)\n"
" addl $-64, %0\n"
-@@ -298,9 +413,9 @@ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
+@@ -298,9 +411,9 @@ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
" shrl $2, %0\n"
" andl $3, %%eax\n"
" cld\n"
@@ -23122,12 +23258,12 @@ index ef2a6a5..3b28862 100644
"8:\n"
".section .fixup,\"ax\"\n"
"9: lea 0(%%eax,%0,4),%0\n"
-@@ -347,47 +462,49 @@ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
+@@ -346,48 +459,48 @@ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
+ * hyoshiok@miraclelinux.com
*/
- static unsigned long __copy_user_zeroing_intel_nocache(void *to,
-+ const void __user *from, unsigned long size) __size_overflow(3);
-+static unsigned long __copy_user_zeroing_intel_nocache(void *to,
+-static unsigned long __copy_user_zeroing_intel_nocache(void *to,
++static unsigned long __size_overflow(3) __copy_user_zeroing_intel_nocache(void *to,
const void __user *from, unsigned long size)
{
int d0, d1;
@@ -23190,7 +23326,7 @@ index ef2a6a5..3b28862 100644
" movnti %%eax, 56(%3)\n"
" movnti %%edx, 60(%3)\n"
" addl $-64, %0\n"
-@@ -400,9 +517,9 @@ static unsigned long __copy_user_zeroing_intel_nocache(void *to,
+@@ -400,9 +513,9 @@ static unsigned long __copy_user_zeroing_intel_nocache(void *to,
" shrl $2, %0\n"
" andl $3, %%eax\n"
" cld\n"
@@ -23202,12 +23338,12 @@ index ef2a6a5..3b28862 100644
"8:\n"
".section .fixup,\"ax\"\n"
"9: lea 0(%%eax,%0,4),%0\n"
-@@ -444,47 +561,49 @@ static unsigned long __copy_user_zeroing_intel_nocache(void *to,
+@@ -443,48 +556,48 @@ static unsigned long __copy_user_zeroing_intel_nocache(void *to,
+ return size;
}
- static unsigned long __copy_user_intel_nocache(void *to,
-+ const void __user *from, unsigned long size) __size_overflow(3);
-+static unsigned long __copy_user_intel_nocache(void *to,
+-static unsigned long __copy_user_intel_nocache(void *to,
++static unsigned long __size_overflow(3) __copy_user_intel_nocache(void *to,
const void __user *from, unsigned long size)
{
int d0, d1;
@@ -23270,7 +23406,7 @@ index ef2a6a5..3b28862 100644
" movnti %%eax, 56(%3)\n"
" movnti %%edx, 60(%3)\n"
" addl $-64, %0\n"
-@@ -497,9 +616,9 @@ static unsigned long __copy_user_intel_nocache(void *to,
+@@ -497,9 +610,9 @@ static unsigned long __copy_user_intel_nocache(void *to,
" shrl $2, %0\n"
" andl $3, %%eax\n"
" cld\n"
@@ -23282,7 +23418,7 @@ index ef2a6a5..3b28862 100644
"8:\n"
".section .fixup,\"ax\"\n"
"9: lea 0(%%eax,%0,4),%0\n"
-@@ -542,32 +661,36 @@ static unsigned long __copy_user_intel_nocache(void *to,
+@@ -542,32 +655,36 @@ static unsigned long __copy_user_intel_nocache(void *to,
*/
unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
unsigned long size);
@@ -23324,7 +23460,7 @@ index ef2a6a5..3b28862 100644
".section .fixup,\"ax\"\n" \
"5: addl %3,%0\n" \
" jmp 2b\n" \
-@@ -595,14 +718,14 @@ do { \
+@@ -595,14 +712,14 @@ do { \
" negl %0\n" \
" andl $7,%0\n" \
" subl %0,%3\n" \
@@ -23342,7 +23478,7 @@ index ef2a6a5..3b28862 100644
"2:\n" \
".section .fixup,\"ax\"\n" \
"5: addl %3,%0\n" \
-@@ -688,9 +811,9 @@ survive:
+@@ -688,9 +805,9 @@ survive:
}
#endif
if (movsl_is_ok(to, from, n))
@@ -23354,7 +23490,7 @@ index ef2a6a5..3b28862 100644
return n;
}
EXPORT_SYMBOL(__copy_to_user_ll);
-@@ -710,10 +833,9 @@ unsigned long __copy_from_user_ll_nozero(void *to, const void __user *from,
+@@ -710,10 +827,9 @@ unsigned long __copy_from_user_ll_nozero(void *to, const void __user *from,
unsigned long n)
{
if (movsl_is_ok(to, from, n))
@@ -23367,7 +23503,7 @@ index ef2a6a5..3b28862 100644
return n;
}
EXPORT_SYMBOL(__copy_from_user_ll_nozero);
-@@ -740,65 +862,50 @@ unsigned long __copy_from_user_ll_nocache_nozero(void *to, const void __user *fr
+@@ -740,65 +856,50 @@ unsigned long __copy_from_user_ll_nocache_nozero(void *to, const void __user *fr
if (n > 64 && cpu_has_xmm2)
n = __copy_user_intel_nocache(to, from, n);
else
@@ -23396,13 +23532,16 @@ index ef2a6a5..3b28862 100644
- */
-unsigned long
-copy_to_user(void __user *to, const void *from, unsigned long n)
--{
++void copy_from_user_overflow(void)
+ {
- if (access_ok(VERIFY_WRITE, to, n))
- n = __copy_to_user(to, from, n);
- return n;
--}
++ WARN(1, "Buffer overflow detected!\n");
+ }
-EXPORT_SYMBOL(copy_to_user);
--
++EXPORT_SYMBOL(copy_from_user_overflow);
+
-/**
- * copy_from_user: - Copy a block of data from user space.
- * @to: Destination address, in kernel space.
@@ -23421,30 +23560,23 @@ index ef2a6a5..3b28862 100644
- */
-unsigned long
-_copy_from_user(void *to, const void __user *from, unsigned long n)
--{
++void copy_to_user_overflow(void)
+ {
- if (access_ok(VERIFY_READ, from, n))
- n = __copy_from_user(to, from, n);
- else
- memset(to, 0, n);
- return n;
--}
--EXPORT_SYMBOL(_copy_from_user);
--
- void copy_from_user_overflow(void)
- {
- WARN(1, "Buffer overflow detected!\n");
- }
- EXPORT_SYMBOL(copy_from_user_overflow);
-+
-+void copy_to_user_overflow(void)
-+{
+ WARN(1, "Buffer overflow detected!\n");
-+}
+ }
+-EXPORT_SYMBOL(_copy_from_user);
+EXPORT_SYMBOL(copy_to_user_overflow);
-+
+
+-void copy_from_user_overflow(void)
+#ifdef CONFIG_PAX_MEMORY_UDEREF
+void __set_fs(mm_segment_t x)
-+{
+ {
+- WARN(1, "Buffer overflow detected!\n");
+ switch (x.seg) {
+ case 0:
+ loadsegment(gs, 0);
@@ -23459,7 +23591,8 @@ index ef2a6a5..3b28862 100644
+ BUG();
+ }
+ return;
-+}
+ }
+-EXPORT_SYMBOL(copy_from_user_overflow);
+EXPORT_SYMBOL(__set_fs);
+
+void set_fs(mm_segment_t x)
@@ -23894,7 +24027,7 @@ index 3ecfd1a..304d554 100644
if (error_code & PF_WRITE) {
/* write, present and write, not present: */
if (unlikely(!(vma->vm_flags & VM_WRITE)))
-@@ -1005,18 +1197,33 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code)
+@@ -1005,19 +1197,34 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code)
{
struct vm_area_struct *vma;
struct task_struct *tsk;
@@ -23905,11 +24038,7 @@ index 3ecfd1a..304d554 100644
unsigned int flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE |
(write ? FAULT_FLAG_WRITE : 0);
-- tsk = current;
-- mm = tsk->mm;
--
- /* Get the faulting address: */
-- address = read_cr2();
++ /* Get the faulting address: */
+ unsigned long address = read_cr2();
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
@@ -23928,11 +24057,15 @@ index 3ecfd1a..304d554 100644
+ }
+#endif
+
-+ tsk = current;
-+ mm = tsk->mm;
+ tsk = current;
+ mm = tsk->mm;
+- /* Get the faulting address: */
+- address = read_cr2();
+-
/*
* Detect and handle instructions that would cause a page fault for
+ * both a tracked kernel page and a userspace page.
@@ -1077,7 +1284,7 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code)
* User-mode registers count as a user access even for any
* potential system fault or CPU buglet:
@@ -24313,10 +24446,10 @@ index 6f31ee5..8ee4164 100644
return (void *)vaddr;
diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c
-index f6679a7..8f795a3 100644
+index b91e485..d00e7c9 100644
--- a/arch/x86/mm/hugetlbpage.c
+++ b/arch/x86/mm/hugetlbpage.c
-@@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file,
+@@ -277,13 +277,20 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file,
struct hstate *h = hstate_file(file);
struct mm_struct *mm = current->mm;
struct vm_area_struct *vma;
@@ -24341,7 +24474,7 @@ index f6679a7..8f795a3 100644
}
full_search:
-@@ -280,26 +287,27 @@ full_search:
+@@ -291,26 +298,27 @@ full_search:
for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
/* At this point: (!vma || addr < vma->vm_end). */
@@ -24376,7 +24509,7 @@ index f6679a7..8f795a3 100644
}
static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
-@@ -310,9 +318,8 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
+@@ -321,9 +329,8 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
struct mm_struct *mm = current->mm;
struct vm_area_struct *vma;
unsigned long base = mm->mmap_base;
@@ -24387,7 +24520,7 @@ index f6679a7..8f795a3 100644
/* don't allow allocations above current base */
if (mm->free_area_cache > base)
-@@ -322,16 +329,15 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
+@@ -333,16 +340,15 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
largest_hole = 0;
mm->free_area_cache = base;
}
@@ -24406,7 +24539,7 @@ index f6679a7..8f795a3 100644
/*
* Lookup failure means no vma is above this address,
* i.e. return with success:
-@@ -340,10 +346,10 @@ try_again:
+@@ -351,10 +357,10 @@ try_again:
if (!vma)
return addr;
@@ -24420,7 +24553,7 @@ index f6679a7..8f795a3 100644
} else if (mm->free_area_cache == vma->vm_end) {
/* pull free_area_cache down to the first hole */
mm->free_area_cache = vma->vm_start;
-@@ -352,29 +358,34 @@ try_again:
+@@ -363,29 +369,34 @@ try_again:
/* remember the largest hole we saw so far */
if (addr + largest_hole < vma->vm_start)
@@ -24468,7 +24601,7 @@ index f6679a7..8f795a3 100644
mm->cached_hole_size = ~0UL;
addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
len, pgoff, flags);
-@@ -382,6 +393,7 @@ fail:
+@@ -393,6 +404,7 @@ fail:
/*
* Restore the topdown base:
*/
@@ -24476,7 +24609,7 @@ index f6679a7..8f795a3 100644
mm->free_area_cache = base;
mm->cached_hole_size = ~0UL;
-@@ -395,10 +407,19 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
+@@ -406,10 +418,19 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
struct hstate *h = hstate_file(file);
struct mm_struct *mm = current->mm;
struct vm_area_struct *vma;
@@ -24497,7 +24630,7 @@ index f6679a7..8f795a3 100644
return -ENOMEM;
if (flags & MAP_FIXED) {
-@@ -410,8 +431,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
+@@ -421,8 +442,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
if (addr) {
addr = ALIGN(addr, huge_page_size(h));
vma = find_vma(mm, addr);
@@ -24541,6 +24674,7 @@ index 4f0cec7..00976ce 100644
+
int devmem_is_allowed(unsigned long pagenr)
{
+- if (pagenr <= 256)
+#ifdef CONFIG_GRKERNSEC_KMEM
+ /* allow BDA */
+ if (!pagenr)
@@ -24550,7 +24684,7 @@ index 4f0cec7..00976ce 100644
+ return 1;
+#else
+ if (!pagenr)
-+ return 1;
+ return 1;
+#ifdef CONFIG_VM86
+ if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
+ return 1;
@@ -24561,8 +24695,7 @@ index 4f0cec7..00976ce 100644
+ return 1;
+#ifdef CONFIG_GRKERNSEC_KMEM
+ /* throw out everything else below 1MB */
- if (pagenr <= 256)
-- return 1;
++ if (pagenr <= 256)
+ return 0;
+#endif
if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
@@ -25539,7 +25672,7 @@ index 8573b83..4f3ed7e 100644
+void __shadow_user_pgds(pgd_t *dst, const pgd_t *src)
+{
+ unsigned int count = USER_PGD_PTRS;
-
++
+ while (count--)
+ *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
+}
@@ -25562,7 +25695,7 @@ index 8573b83..4f3ed7e 100644
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ pgd = __pgd(pgd_val(pgd) & clone_pgd_mask);
+#endif
-+
+
+ *dst++ = pgd;
+ }
+
@@ -26100,6 +26233,19 @@ index d6aa6e8..266395a 100644
unsigned long stack = kernel_stack_pointer(regs);
if (depth)
dump_trace(NULL, regs, (unsigned long *)stack, 0,
+diff --git a/arch/x86/pci/i386.c b/arch/x86/pci/i386.c
+index 831971e..dd8ca6f 100644
+--- a/arch/x86/pci/i386.c
++++ b/arch/x86/pci/i386.c
+@@ -57,7 +57,7 @@ static struct pcibios_fwaddrmap *pcibios_fwaddrmap_lookup(struct pci_dev *dev)
+ {
+ struct pcibios_fwaddrmap *map;
+
+- WARN_ON(!spin_is_locked(&pcibios_fwaddrmap_lock));
++ WARN_ON_SMP(!spin_is_locked(&pcibios_fwaddrmap_lock));
+
+ list_for_each_entry(map, &pcibios_fwaddrmappings, list)
+ if (map->dev == dev)
diff --git a/arch/x86/pci/mrst.c b/arch/x86/pci/mrst.c
index 140942f..8a5cc55 100644
--- a/arch/x86/pci/mrst.c
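Review bot: In pcibios_fwaddrmap_lookup(), `WARN_ON_SMP(!spin_is_locked(&pcibios_fwaddrmap_lock))` only asserts that some CPU holds the lock, not that the caller does, and it compiles to nothing on UP builds. The change stops the false warning on UP, but the locking contract is still only partly checked. `lockdep_assert_held(&pcibios_fwaddrmap_lock);` would state the intent directly and check the owning context when lockdep is enabled. The function body continues outside the hunk.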
@@ -26466,7 +26612,7 @@ index 40e4469..1ab536e 100644
gdt_descr.size = GDT_SIZE - 1;
load_gdt(&gdt_descr);
diff --git a/arch/x86/platform/efi/efi_stub_32.S b/arch/x86/platform/efi/efi_stub_32.S
-index fbe66e6..c5c0dd2 100644
+index fbe66e6..f62f167 100644
--- a/arch/x86/platform/efi/efi_stub_32.S
+++ b/arch/x86/platform/efi/efi_stub_32.S
@@ -6,7 +6,9 @@
@@ -26488,22 +26634,35 @@ index fbe66e6..c5c0dd2 100644
ENTRY(efi_call_phys)
/*
* 0. The function can only be called in Linux kernel. So CS has been
-@@ -36,9 +38,11 @@ ENTRY(efi_call_phys)
+@@ -36,10 +38,24 @@ ENTRY(efi_call_phys)
* The mapping of lower virtual memory has been created in prelog and
* epilog.
*/
- movl $1f, %edx
- subl $__PAGE_OFFSET, %edx
- jmp *%edx
++#ifdef CONFIG_PAX_KERNEXEC
+ movl $(__KERNEXEC_EFI_DS), %edx
+ mov %edx, %ds
+ mov %edx, %es
+ mov %edx, %ss
-+ ljmp $(__KERNEXEC_EFI_CS),$1f-__PAGE_OFFSET
++ addl $2f,(1f)
++ ljmp *(1f)
++
++__INITDATA
++1: .long __LOAD_PHYSICAL_ADDR, __KERNEXEC_EFI_CS
++.previous
++
++2:
++ subl $2b,(1b)
++#else
++ jmp 1f-__PAGE_OFFSET
1:
++#endif
/*
-@@ -47,14 +51,8 @@ ENTRY(efi_call_phys)
+ * 2. Now on the top of stack is the return
+@@ -47,14 +63,8 @@ ENTRY(efi_call_phys)
* parameter 2, ..., param n. To make things easy, we save the return
* address of efi_call_phys in a global variable.
*/
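Review bot: The CONFIG_PAX_KERNEXEC branch of efi_call_phys patches a far pointer in place, and nothing in the added lines says so. `addl $2f,(1f)` adds the address of label 2 to the offset stored at label 1, `ljmp *(1f)` jumps through it, and `subl $2b,(1b)` at label 2 undoes the addition. Because that pointer is placed in `__INITDATA` and rewritten on each call, the sequence is not re-entrant and relies on init data still being present whenever efi_call_phys runs; whether that always holds is not visible in this hunk. A short comment above the `addl`, such as `/* far pointer at 1: is built at run time and restored at 2: -- init-time, single-caller only */`, would record the constraint.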
@@ -26520,7 +26679,7 @@ index fbe66e6..c5c0dd2 100644
/*
* 3. Clear PG bit in %CR0.
-@@ -73,9 +71,8 @@ ENTRY(efi_call_phys)
+@@ -73,9 +83,8 @@ ENTRY(efi_call_phys)
/*
* 5. Call the physical function.
*/
@@ -26531,7 +26690,7 @@ index fbe66e6..c5c0dd2 100644
/*
* 6. After EFI runtime service returns, control will return to
* following instruction. We'd better readjust stack pointer first.
-@@ -88,35 +85,32 @@ ENTRY(efi_call_phys)
+@@ -88,35 +97,40 @@ ENTRY(efi_call_phys)
movl %cr0, %edx
orl $0x80000000, %edx
movl %edx, %cr0
@@ -26544,7 +26703,15 @@ index fbe66e6..c5c0dd2 100644
*/
- movl $1f, %edx
- jmp *%edx
-+ ljmp $(__KERNEL_CS),$1f+__PAGE_OFFSET
++#ifdef CONFIG_PAX_KERNEXEC
++ movl $(__KERNEL_DS), %edx
++ mov %edx, %ds
++ mov %edx, %es
++ mov %edx, %ss
++ ljmp $(__KERNEL_CS),$1f
++#else
++ jmp 1f+__PAGE_OFFSET
++#endif
1:
+ movl $(__KERNEL_DS), %edx
+ mov %edx, %ds
@@ -26690,7 +26857,7 @@ index 218cdb1..fd55c08 100644
syscall_init(); /* This sets MSR_*STAR and related */
#endif
diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c
-index b685296..e00eb65 100644
+index b685296..4ac6aaa 100644
--- a/arch/x86/tools/relocs.c
+++ b/arch/x86/tools/relocs.c
@@ -12,10 +12,13 @@
@@ -26783,7 +26950,7 @@ index b685296..e00eb65 100644
}
+ base = 0;
+
-+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
++#ifdef CONFIG_X86_32
+ for (j = 0; j < ehdr.e_phnum; j++) {
+ if (phdr[j].p_type != PT_LOAD )
+ continue;
@@ -26860,7 +27027,7 @@ index b685296..e00eb65 100644
+
+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
+ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
-+ if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
++ if (!strcmp(sec_name(sym->st_shndx), ".text.end") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
+ continue;
+ if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
+ continue;
@@ -27448,20 +27615,18 @@ index 6296b40..417c00f 100644
if (!gpt)
return NULL;
-+ if (!le32_to_cpu(gpt->num_partition_entries))
-+ return NULL;
-+ pte = kcalloc(le32_to_cpu(gpt->num_partition_entries), le32_to_cpu(gpt->sizeof_partition_entry), GFP_KERNEL);
-+ if (!pte)
-+ return NULL;
-+
- count = le32_to_cpu(gpt->num_partition_entries) *
- le32_to_cpu(gpt->sizeof_partition_entry);
+- count = le32_to_cpu(gpt->num_partition_entries) *
+- le32_to_cpu(gpt->sizeof_partition_entry);
- if (!count)
-- return NULL;
++ if (!le32_to_cpu(gpt->num_partition_entries))
+ return NULL;
- pte = kzalloc(count, GFP_KERNEL);
-- if (!pte)
-- return NULL;
--
++ pte = kcalloc(le32_to_cpu(gpt->num_partition_entries), le32_to_cpu(gpt->sizeof_partition_entry), GFP_KERNEL);
+ if (!pte)
+ return NULL;
+
++ count = le32_to_cpu(gpt->num_partition_entries) *
++ le32_to_cpu(gpt->sizeof_partition_entry);
if (read_lba(state, le64_to_cpu(gpt->partition_entry_lba),
(u8 *) pte,
count) < count) {
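Review bot: The zero test before the allocation now covers only `num_partition_entries`, so a header whose `sizeof_partition_entry` is 0 is no longer rejected here as it was by the old `if (!count)`. `kcalloc()` with a zero element size does not return NULL, and `count` then becomes 0, so the `read_lba(...) < count` check cannot fail and a zero-length table is returned as valid. Unless the entry size is validated before this function is called (not visible in the hunk), the guard should be `if (!le32_to_cpu(gpt->num_partition_entries) || !le32_to_cpu(gpt->sizeof_partition_entry)) return NULL;`. Separately, `count` is still a plain product of two 32-bit fields while `kcalloc()` does its own overflow-checked multiply, so the two sizes can disagree; a wrapped `count` is smaller than the allocation, which is memory-safe but reads a truncated table. The function starts and ends outside the hunk.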
@@ -27655,7 +27820,7 @@ index 251c7b62..000462d 100644
bool enable = !device_may_wakeup(&dev->dev);
device_set_wakeup_enable(&dev->dev, enable);
diff --git a/drivers/acpi/processor_driver.c b/drivers/acpi/processor_driver.c
-index 0734086..3ad3e4c 100644
+index bbac51e..4c094f9 100644
--- a/drivers/acpi/processor_driver.c
+++ b/drivers/acpi/processor_driver.c
@@ -556,7 +556,7 @@ static int __cpuinit acpi_processor_add(struct acpi_device *device)
@@ -29468,7 +29633,7 @@ index 47ff7e4..0c7d340 100644
.part_num = MBCS_PART_NUM,
.mfg_num = MBCS_MFG_NUM,
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index d6e9d08..4493e89 100644
+index d6e9d08..0c314bf 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -18,6 +18,7 @@
@@ -29530,7 +29695,7 @@ index d6e9d08..4493e89 100644
- remaining = copy_to_user(buf, ptr, sz);
+#ifdef CONFIG_PAX_USERCOPY
-+ temp = kmalloc(sz, GFP_KERNEL);
++ temp = kmalloc(sz, GFP_KERNEL|GFP_USERCOPY);
+ if (!temp) {
+ unxlate_dev_mem_ptr(p, ptr);
+ return -ENOMEM;
@@ -29575,7 +29740,7 @@ index d6e9d08..4493e89 100644
- if (copy_to_user(buf, kbuf, sz))
+#ifdef CONFIG_PAX_USERCOPY
-+ temp = kmalloc(sz, GFP_KERNEL);
++ temp = kmalloc(sz, GFP_KERNEL|GFP_USERCOPY);
+ if (!temp)
+ return -ENOMEM;
+ memcpy(temp, kbuf, sz);
@@ -29617,10 +29782,10 @@ index 9df78e2..01ba9ae 100644
*ppos = i;
diff --git a/drivers/char/random.c b/drivers/char/random.c
-index 4ec04a7..4a092ed 100644
+index d98b2a6..230b4c6 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
-@@ -261,8 +261,13 @@
+@@ -272,8 +272,13 @@
/*
* Configuration information
*/
@@ -29634,7 +29799,7 @@ index 4ec04a7..4a092ed 100644
#define SEC_XFER_SIZE 512
#define EXTRACT_SIZE 10
-@@ -300,10 +305,17 @@ static struct poolinfo {
+@@ -313,10 +318,17 @@ static struct poolinfo {
int poolwords;
int tap1, tap2, tap3, tap4, tap5;
} poolinfo_table[] = {
@@ -29652,7 +29817,36 @@ index 4ec04a7..4a092ed 100644
#if 0
/* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
{ 2048, 1638, 1231, 819, 411, 1 },
-@@ -913,7 +925,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
+@@ -527,8 +539,8 @@ static void _mix_pool_bytes(struct entropy_store *r, const void *in,
+ input_rotate += i ? 7 : 14;
+ }
+
+- ACCESS_ONCE(r->input_rotate) = input_rotate;
+- ACCESS_ONCE(r->add_ptr) = i;
++ ACCESS_ONCE_RW(r->input_rotate) = input_rotate;
++ ACCESS_ONCE_RW(r->add_ptr) = i;
+ smp_wmb();
+
+ if (out)
+@@ -799,6 +811,17 @@ void add_disk_randomness(struct gendisk *disk)
+ }
+ #endif
+
++#ifdef CONFIG_PAX_LATENT_ENTROPY
++u64 latent_entropy;
++
++__init void transfer_latent_entropy(void)
++{
++ mix_pool_bytes(&input_pool, &latent_entropy, sizeof(latent_entropy));
++ mix_pool_bytes(&nonblocking_pool, &latent_entropy, sizeof(latent_entropy));
++// printk(KERN_INFO "PAX: transferring latent entropy: %16llx\n", latent_entropy);
++}
++#endif
++
+ /*********************************************************************
+ *
+ * Entropy extraction routines
+@@ -1008,7 +1031,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
extract_buf(r, tmp);
i = min_t(int, nbytes, EXTRACT_SIZE);
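Review bot: The commented-out `printk(KERN_INFO "PAX: transferring latent entropy: %16llx\n", latent_entropy);` in transfer_latent_entropy() should be deleted rather than left as dead code. If it were re-enabled, it would write the value being mixed into `input_pool` and `nonblocking_pool` to the kernel log, where it may be readable by unprivileged users depending on dmesg restrictions. `latent_entropy` is also defined as a non-static global `u64`, and the added function has no comment saying who writes it or when the transfer is expected to run. A one-line header comment on transfer_latent_entropy() covering both points would help.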
@@ -29661,7 +29855,7 @@ index 4ec04a7..4a092ed 100644
ret = -EFAULT;
break;
}
-@@ -1238,7 +1250,7 @@ EXPORT_SYMBOL(generate_random_uuid);
+@@ -1342,7 +1365,7 @@ EXPORT_SYMBOL(generate_random_uuid);
#include <linux/sysctl.h>
static int min_read_thresh = 8, min_write_thresh;
@@ -29713,7 +29907,7 @@ index 45713f0..8286d21 100644
return 0;
diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
-index ad7c732..5aa8054 100644
+index 08427ab..1ab10b7 100644
--- a/drivers/char/tpm/tpm.c
+++ b/drivers/char/tpm/tpm.c
@@ -415,7 +415,7 @@ static ssize_t tpm_transmit(struct tpm_chip *chip, const char *buf,
@@ -29946,10 +30140,10 @@ index 9047f55..e47c7ff 100644
void fw_card_initialize(struct fw_card *card,
const struct fw_card_driver *driver, struct device *device);
diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c
-index 153980b..4b4d046 100644
+index b298158..7ed8432 100644
--- a/drivers/firmware/dmi_scan.c
+++ b/drivers/firmware/dmi_scan.c
-@@ -449,11 +449,6 @@ void __init dmi_scan_machine(void)
+@@ -452,11 +452,6 @@ void __init dmi_scan_machine(void)
}
}
else {
@@ -29961,7 +30155,7 @@ index 153980b..4b4d046 100644
p = dmi_ioremap(0xF0000, 0x10000);
if (p == NULL)
goto error;
-@@ -723,7 +718,7 @@ int dmi_walk(void (*decode)(const struct dmi_header *, void *),
+@@ -726,7 +721,7 @@ int dmi_walk(void (*decode)(const struct dmi_header *, void *),
if (buf == NULL)
return -1;
@@ -30441,7 +30635,7 @@ index 26c67a7..8d4cbcb 100644
INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
INIT_WORK(&dev_priv->error_work, i915_error_work_func);
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index d4d162f..e80037c 100644
+index 3de3d9b..7cb4130 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -2254,7 +2254,7 @@ intel_finish_fb(struct drm_framebuffer *old_fb)
@@ -30462,16 +30656,19 @@ index d4d162f..e80037c 100644
}
static bool intel_crtc_driving_pch(struct drm_crtc *crtc)
-@@ -7286,7 +7286,7 @@ static void do_intel_finish_page_flip(struct drm_device *dev,
+@@ -7273,9 +7273,8 @@ static void do_intel_finish_page_flip(struct drm_device *dev,
+
+ obj = work->old_fb_obj;
- atomic_clear_mask(1 << intel_crtc->plane,
- &obj->pending_flip.counter);
+- atomic_clear_mask(1 << intel_crtc->plane,
+- &obj->pending_flip.counter);
- if (atomic_read(&obj->pending_flip) == 0)
++ atomic_clear_mask_unchecked(1 << intel_crtc->plane, &obj->pending_flip);
+ if (atomic_read_unchecked(&obj->pending_flip) == 0)
wake_up(&dev_priv->pending_flip_queue);
schedule_work(&work->work);
-@@ -7582,7 +7582,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
+@@ -7571,7 +7570,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
/* Block clients from rendering to the new back buffer until
* the flip occurs and the object is no longer visible.
*/
@@ -30480,7 +30677,7 @@ index d4d162f..e80037c 100644
ret = dev_priv->display.queue_flip(dev, crtc, fb, obj);
if (ret)
-@@ -7596,7 +7596,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
+@@ -7585,7 +7584,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
return 0;
cleanup_pending:
@@ -30689,7 +30886,7 @@ index 2746402..c8dc4a4 100644
.train_set = nv50_sor_dp_train_set,
.train_adj = nv50_sor_dp_train_adj
diff --git a/drivers/gpu/drm/nouveau/nvd0_display.c b/drivers/gpu/drm/nouveau/nvd0_display.c
-index 0247250..d2f6aaf 100644
+index 8a555fb..2743fe6 100644
--- a/drivers/gpu/drm/nouveau/nvd0_display.c
+++ b/drivers/gpu/drm/nouveau/nvd0_display.c
@@ -1366,7 +1366,7 @@ nvd0_sor_dpms(struct drm_encoder *encoder, int mode)
@@ -31177,10 +31374,10 @@ index 8a8725c..afed796 100644
marker = list_first_entry(&queue->head,
struct vmw_marker, head);
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index 4da66b4..e948655 100644
+index 41d4437..631c2e5 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
-@@ -2063,7 +2063,7 @@ static bool hid_ignore(struct hid_device *hdev)
+@@ -2073,7 +2073,7 @@ static bool hid_ignore(struct hid_device *hdev)
int hid_add_device(struct hid_device *hdev)
{
@@ -31189,7 +31386,7 @@ index 4da66b4..e948655 100644
int ret;
if (WARN_ON(hdev->status & HID_STAT_ADDED))
-@@ -2078,7 +2078,7 @@ int hid_add_device(struct hid_device *hdev)
+@@ -2088,7 +2088,7 @@ int hid_add_device(struct hid_device *hdev)
/* XXX hack, any other cleaner solution after the driver core
* is converted to allow more than 20 bytes as the device name? */
dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
@@ -32698,10 +32895,10 @@ index b8d8611..7a4a04b 100644
#include <linux/input.h>
#include <linux/gameport.h>
diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
-index fd7a0d5..a4af10c 100644
+index 42f7b25..09fcf46 100644
--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
-@@ -710,7 +710,7 @@ static void xpad_led_set(struct led_classdev *led_cdev,
+@@ -714,7 +714,7 @@ static void xpad_led_set(struct led_classdev *led_cdev,
static int xpad_led_probe(struct usb_xpad *xpad)
{
@@ -32710,7 +32907,7 @@ index fd7a0d5..a4af10c 100644
long led_no;
struct xpad_led *led;
struct led_classdev *led_cdev;
-@@ -723,7 +723,7 @@ static int xpad_led_probe(struct usb_xpad *xpad)
+@@ -727,7 +727,7 @@ static int xpad_led_probe(struct usb_xpad *xpad)
if (!led)
return -ENOMEM;
@@ -32901,7 +33098,7 @@ index b5fdcb7..5b6c59f 100644
printk(KERN_INFO "lguest: mapped switcher at %p\n",
diff --git a/drivers/lguest/x86/core.c b/drivers/lguest/x86/core.c
-index 3980903..ce25c5e 100644
+index 39809035..ce25c5e 100644
--- a/drivers/lguest/x86/core.c
+++ b/drivers/lguest/x86/core.c
@@ -59,7 +59,7 @@ static struct {
@@ -33047,7 +33244,7 @@ index a1a3e6d..1918bfc 100644
DMWARN("name not supplied when creating device");
return -EINVAL;
diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c
-index d039de8..0cf5b87 100644
+index b58b7a3..8018b19 100644
--- a/drivers/md/dm-raid1.c
+++ b/drivers/md/dm-raid1.c
@@ -40,7 +40,7 @@ enum dm_raid1_error {
@@ -33113,7 +33310,7 @@ index d039de8..0cf5b87 100644
ms->mirror[mirror].error_type = 0;
ms->mirror[mirror].offset = offset;
-@@ -1351,7 +1351,7 @@ static void mirror_resume(struct dm_target *ti)
+@@ -1352,7 +1352,7 @@ static void mirror_resume(struct dm_target *ti)
*/
static char device_status_char(struct mirror *m)
{
@@ -33258,7 +33455,7 @@ index e24143c..ce2f21a1 100644
void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
diff --git a/drivers/md/md.c b/drivers/md/md.c
-index 2b30ffd..bf789ce 100644
+index 9ee8ce3..362b519 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -277,10 +277,10 @@ EXPORT_SYMBOL_GPL(md_trim_bio);
@@ -33330,7 +33527,7 @@ index 2b30ffd..bf789ce 100644
INIT_LIST_HEAD(&rdev->same_set);
init_waitqueue_head(&rdev->blocked_wait);
-@@ -6738,7 +6738,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
+@@ -6748,7 +6748,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
spin_unlock(&pers_lock);
seq_printf(seq, "\n");
@@ -33339,7 +33536,7 @@ index 2b30ffd..bf789ce 100644
return 0;
}
if (v == (void*)2) {
-@@ -6841,7 +6841,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
+@@ -6851,7 +6851,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
return error;
seq = file->private_data;
@@ -33348,7 +33545,7 @@ index 2b30ffd..bf789ce 100644
return error;
}
-@@ -6855,7 +6855,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
+@@ -6865,7 +6865,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
/* always allow read */
mask = POLLIN | POLLRDNORM;
@@ -33357,7 +33554,7 @@ index 2b30ffd..bf789ce 100644
mask |= POLLERR | POLLPRI;
return mask;
}
-@@ -6899,7 +6899,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
+@@ -6909,7 +6909,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
(int)part_stat_read(&disk->part0, sectors[1]) -
@@ -33447,7 +33644,7 @@ index 1cbfc6b..56e1dbb 100644
/*----------------------------------------------------------------*/
diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
-index d7e9577..faa512f2 100644
+index 23904d2..c4801f9 100644
--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -1688,7 +1688,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
@@ -33459,7 +33656,7 @@ index d7e9577..faa512f2 100644
}
sectors -= s;
sect += s;
-@@ -1902,7 +1902,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk,
+@@ -1908,7 +1908,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk,
test_bit(In_sync, &rdev->flags)) {
if (r1_sync_page_io(rdev, sect, s,
conf->tmppage, READ)) {
@@ -33594,7 +33791,7 @@ index a7d876f..8c21b61 100644
struct dvb_demux *demux;
void *priv;
diff --git a/drivers/media/dvb/dvb-core/dvbdev.c b/drivers/media/dvb/dvb-core/dvbdev.c
-index 00a6732..70a682e 100644
+index 39eab73..60033e7 100644
--- a/drivers/media/dvb/dvb-core/dvbdev.c
+++ b/drivers/media/dvb/dvb-core/dvbdev.c
@@ -192,7 +192,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
@@ -33693,6 +33890,33 @@ index 9cde353..8c6a1c3 100644
struct i2c_client i2c_client;
u32 i2c_rc;
+diff --git a/drivers/media/video/cx25821/cx25821-core.c b/drivers/media/video/cx25821/cx25821-core.c
+index 7930ca5..235bf7d 100644
+--- a/drivers/media/video/cx25821/cx25821-core.c
++++ b/drivers/media/video/cx25821/cx25821-core.c
+@@ -912,9 +912,6 @@ static int cx25821_dev_setup(struct cx25821_dev *dev)
+ list_add_tail(&dev->devlist, &cx25821_devlist);
+ mutex_unlock(&cx25821_devlist_mutex);
+
+- strcpy(cx25821_boards[UNKNOWN_BOARD].name, "unknown");
+- strcpy(cx25821_boards[CX25821_BOARD].name, "cx25821");
+-
+ if (dev->pci->device != 0x8210) {
+ pr_info("%s(): Exiting. Incorrect Hardware device = 0x%02x\n",
+ __func__, dev->pci->device);
+diff --git a/drivers/media/video/cx25821/cx25821.h b/drivers/media/video/cx25821/cx25821.h
+index b9aa801..029f293 100644
+--- a/drivers/media/video/cx25821/cx25821.h
++++ b/drivers/media/video/cx25821/cx25821.h
+@@ -187,7 +187,7 @@ enum port {
+ };
+
+ struct cx25821_board {
+- char *name;
++ const char *name;
+ enum port porta;
+ enum port portb;
+ enum port portc;
diff --git a/drivers/media/video/cx88/cx88-alsa.c b/drivers/media/video/cx88/cx88-alsa.c
index 04bf662..e0ac026 100644
--- a/drivers/media/video/cx88/cx88-alsa.c
@@ -34071,6 +34295,19 @@ index 2b1482a..5d33616 100644
union axis_conversion ac; /* hw -> logical axis */
int mapped_btns[3];
+diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
+index 28adefe..08aad69 100644
+--- a/drivers/misc/lkdtm.c
++++ b/drivers/misc/lkdtm.c
+@@ -477,6 +477,8 @@ static ssize_t lkdtm_debugfs_read(struct file *f, char __user *user_buf,
+ int i, n, out;
+
+ buf = (char *)__get_free_page(GFP_KERNEL);
++ if (buf == NULL)
++ return -ENOMEM;
+
+ n = snprintf(buf, PAGE_SIZE, "Available crash types:\n");
+ for (i = 0; i < ARRAY_SIZE(cp_type); i++)
diff --git a/drivers/misc/sgi-gru/gruhandles.c b/drivers/misc/sgi-gru/gruhandles.c
index 2f30bad..c4c13d0 100644
--- a/drivers/misc/sgi-gru/gruhandles.c
@@ -34172,6 +34409,31 @@ index 5c3ce24..4915ccb 100644
- atomic_long_t flush_tlb_gru;
- atomic_long_t flush_tlb_gru_tgh;
- atomic_long_t flush_tlb_gru_zero_asid;
+-
+- atomic_long_t copy_gpa;
+- atomic_long_t read_gpa;
+-
+- atomic_long_t mesq_receive;
+- atomic_long_t mesq_receive_none;
+- atomic_long_t mesq_send;
+- atomic_long_t mesq_send_failed;
+- atomic_long_t mesq_noop;
+- atomic_long_t mesq_send_unexpected_error;
+- atomic_long_t mesq_send_lb_overflow;
+- atomic_long_t mesq_send_qlimit_reached;
+- atomic_long_t mesq_send_amo_nacked;
+- atomic_long_t mesq_send_put_nacked;
+- atomic_long_t mesq_page_overflow;
+- atomic_long_t mesq_qf_locked;
+- atomic_long_t mesq_qf_noop_not_full;
+- atomic_long_t mesq_qf_switch_head_failed;
+- atomic_long_t mesq_qf_unexpected_error;
+- atomic_long_t mesq_noop_unexpected_error;
+- atomic_long_t mesq_noop_lb_overflow;
+- atomic_long_t mesq_noop_qlimit_reached;
+- atomic_long_t mesq_noop_amo_nacked;
+- atomic_long_t mesq_noop_put_nacked;
+- atomic_long_t mesq_noop_page_overflow;
+ atomic_long_unchecked_t vdata_alloc;
+ atomic_long_unchecked_t vdata_free;
+ atomic_long_unchecked_t gts_alloc;
@@ -34223,33 +34485,10 @@ index 5c3ce24..4915ccb 100644
+ atomic_long_unchecked_t flush_tlb_gru;
+ atomic_long_unchecked_t flush_tlb_gru_tgh;
+ atomic_long_unchecked_t flush_tlb_gru_zero_asid;
-
-- atomic_long_t copy_gpa;
-- atomic_long_t read_gpa;
++
+ atomic_long_unchecked_t copy_gpa;
+ atomic_long_unchecked_t read_gpa;
-
-- atomic_long_t mesq_receive;
-- atomic_long_t mesq_receive_none;
-- atomic_long_t mesq_send;
-- atomic_long_t mesq_send_failed;
-- atomic_long_t mesq_noop;
-- atomic_long_t mesq_send_unexpected_error;
-- atomic_long_t mesq_send_lb_overflow;
-- atomic_long_t mesq_send_qlimit_reached;
-- atomic_long_t mesq_send_amo_nacked;
-- atomic_long_t mesq_send_put_nacked;
-- atomic_long_t mesq_page_overflow;
-- atomic_long_t mesq_qf_locked;
-- atomic_long_t mesq_qf_noop_not_full;
-- atomic_long_t mesq_qf_switch_head_failed;
-- atomic_long_t mesq_qf_unexpected_error;
-- atomic_long_t mesq_noop_unexpected_error;
-- atomic_long_t mesq_noop_lb_overflow;
-- atomic_long_t mesq_noop_qlimit_reached;
-- atomic_long_t mesq_noop_amo_nacked;
-- atomic_long_t mesq_noop_put_nacked;
-- atomic_long_t mesq_noop_page_overflow;
++
+ atomic_long_unchecked_t mesq_receive;
+ atomic_long_unchecked_t mesq_receive_none;
+ atomic_long_unchecked_t mesq_send;
@@ -34341,11 +34580,27 @@ index 8d082b4..aa749ae 100644
/*
* Timer function to enforce the timelimit on the partition disengage.
+diff --git a/drivers/misc/ti-st/st_core.c b/drivers/misc/ti-st/st_core.c
+index 2b62232..acfaeeb 100644
+--- a/drivers/misc/ti-st/st_core.c
++++ b/drivers/misc/ti-st/st_core.c
+@@ -349,6 +349,11 @@ void st_int_recv(void *disc_data,
+ st_gdata->rx_skb = alloc_skb(
+ st_gdata->list[type]->max_frame_size,
+ GFP_ATOMIC);
++ if (st_gdata->rx_skb == NULL) {
++ pr_err("out of memory: dropping\n");
++ goto done;
++ }
++
+ skb_reserve(st_gdata->rx_skb,
+ st_gdata->list[type]->reserve);
+ /* next 2 required for BT only */
diff --git a/drivers/mmc/host/sdhci-pci.c b/drivers/mmc/host/sdhci-pci.c
-index 69ef0be..f3ef91e 100644
+index 504da71..9722d43 100644
--- a/drivers/mmc/host/sdhci-pci.c
+++ b/drivers/mmc/host/sdhci-pci.c
-@@ -652,7 +652,7 @@ static const struct sdhci_pci_fixes sdhci_via = {
+@@ -653,7 +653,7 @@ static const struct sdhci_pci_fixes sdhci_via = {
.probe = via_probe,
};
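Review bot: The new allocation-failure path in st_int_recv() logs with an unthrottled `pr_err("out of memory: dropping\n")`. This is a receive path allocating with `GFP_ATOMIC`, so sustained memory pressure can produce one message per dropped frame and flood the log; `pr_err_ratelimited("out of memory: dropping\n");` keeps the diagnostic without that cost. The `done` label is outside the hunk, so it cannot be confirmed from here that the receive state is reset before the next frame is parsed.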
@@ -34790,6 +35045,36 @@ index 8636e83..ab9bbc3 100644
struct ixgbe_mbx_stats stats;
u32 timeout;
u32 usec_delay;
+diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
+index 307611a..d8e4562 100644
+--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
++++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
+@@ -969,8 +969,6 @@ static irqreturn_t ixgbevf_msix_clean_tx(int irq, void *data)
+ r_idx = find_first_bit(q_vector->txr_idx, adapter->num_tx_queues);
+ for (i = 0; i < q_vector->txr_count; i++) {
+ tx_ring = &(adapter->tx_ring[r_idx]);
+- tx_ring->total_bytes = 0;
+- tx_ring->total_packets = 0;
+ ixgbevf_clean_tx_irq(adapter, tx_ring);
+ r_idx = find_next_bit(q_vector->txr_idx, adapter->num_tx_queues,
+ r_idx + 1);
+@@ -994,16 +992,6 @@ static irqreturn_t ixgbevf_msix_clean_rx(int irq, void *data)
+ struct ixgbe_hw *hw = &adapter->hw;
+ struct ixgbevf_ring *rx_ring;
+ int r_idx;
+- int i;
+-
+- r_idx = find_first_bit(q_vector->rxr_idx, adapter->num_rx_queues);
+- for (i = 0; i < q_vector->rxr_count; i++) {
+- rx_ring = &(adapter->rx_ring[r_idx]);
+- rx_ring->total_bytes = 0;
+- rx_ring->total_packets = 0;
+- r_idx = find_next_bit(q_vector->rxr_idx, adapter->num_rx_queues,
+- r_idx + 1);
+- }
+
+ if (!q_vector->rxr_count)
+ return IRQ_HANDLED;
diff --git a/drivers/net/ethernet/intel/ixgbevf/vf.h b/drivers/net/ethernet/intel/ixgbevf/vf.h
index 25c951d..cc7cf33 100644
--- a/drivers/net/ethernet/intel/ixgbevf/vf.h
@@ -34867,7 +35152,7 @@ index 4a518a3..936b334 100644
#define VXGE_HW_VIRTUAL_PATH_HANDLE(vpath) \
((struct __vxge_hw_vpath_handle *)(vpath)->vpath_handles.next)
diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
-index 161e045..0bb5b86 100644
+index a73bbe7..94abcb7 100644
--- a/drivers/net/ethernet/realtek/r8169.c
+++ b/drivers/net/ethernet/realtek/r8169.c
@@ -708,17 +708,17 @@ struct rtl8169_private {
@@ -34920,10 +35205,10 @@ index c07cfe9..81cbf7e 100644
/* To mask all all interrupts.*/
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
-index 48d56da..a27e46c 100644
+index 9bdfaba..3d8f8d4 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
-@@ -1584,7 +1584,7 @@ static const struct file_operations stmmac_rings_status_fops = {
+@@ -1587,7 +1587,7 @@ static const struct file_operations stmmac_rings_status_fops = {
.open = stmmac_sysfs_ring_open,
.read = seq_read,
.llseek = seq_lseek,
@@ -34932,7 +35217,7 @@ index 48d56da..a27e46c 100644
};
static int stmmac_sysfs_dma_cap_read(struct seq_file *seq, void *v)
-@@ -1656,7 +1656,7 @@ static const struct file_operations stmmac_dma_cap_fops = {
+@@ -1659,7 +1659,7 @@ static const struct file_operations stmmac_dma_cap_fops = {
.open = stmmac_sysfs_dma_cap_open,
.read = seq_read,
.llseek = seq_lseek,
@@ -35393,10 +35678,10 @@ index a66a13b..0ef399e 100644
static u16 ar9003_calc_ptr_chksum(struct ar9003_txc *ads)
diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h
-index e88f182..4e57f5d 100644
+index f8e1fbb..bbc303c 100644
--- a/drivers/net/wireless/ath/ath9k/hw.h
+++ b/drivers/net/wireless/ath/ath9k/hw.h
-@@ -614,7 +614,7 @@ struct ath_hw_private_ops {
+@@ -615,7 +615,7 @@ struct ath_hw_private_ops {
/* ANI */
void (*ani_cache_ini_regs)(struct ath_hw *ah);
@@ -35405,7 +35690,7 @@ index e88f182..4e57f5d 100644
/**
* struct ath_hw_ops - callbacks used by hardware code and driver code
-@@ -644,7 +644,7 @@ struct ath_hw_ops {
+@@ -645,7 +645,7 @@ struct ath_hw_ops {
void (*antdiv_comb_conf_set)(struct ath_hw *ah,
struct ath_hw_antcomb_conf *antconf);
@@ -35414,7 +35699,7 @@ index e88f182..4e57f5d 100644
struct ath_nf_limits {
s16 max;
-@@ -664,7 +664,7 @@ enum ath_cal_list {
+@@ -665,7 +665,7 @@ enum ath_cal_list {
#define AH_FASTCC 0x4
struct ath_hw {
@@ -36164,7 +36449,7 @@ index 1a99d4b..e85d64b 100644
/*
* Queue element to wait for room in request queue. FIFO order is
diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
-index a3a056a..b9bbc2f 100644
+index b48c24f..dac0fbc 100644
--- a/drivers/scsi/hosts.c
+++ b/drivers/scsi/hosts.c
@@ -42,7 +42,7 @@
@@ -36176,7 +36461,7 @@ index a3a056a..b9bbc2f 100644
static void scsi_host_cls_release(struct device *dev)
-@@ -360,7 +360,7 @@ struct Scsi_Host *scsi_host_alloc(struct scsi_host_template *sht, int privsize)
+@@ -361,7 +361,7 @@ struct Scsi_Host *scsi_host_alloc(struct scsi_host_template *sht, int privsize)
* subtract one because we increment first then return, but we need to
* know what the next host number was before increment
*/
@@ -36476,6 +36761,19 @@ index d109cc3..09f4e7d 100644
.qc_prep = ata_noop_qc_prep,
.qc_issue = sas_ata_qc_issue,
.qc_fill_rtf = sas_ata_qc_fill_rtf,
+diff --git a/drivers/scsi/lpfc/Makefile b/drivers/scsi/lpfc/Makefile
+index fe5d396..e93d526 100644
+--- a/drivers/scsi/lpfc/Makefile
++++ b/drivers/scsi/lpfc/Makefile
+@@ -22,7 +22,7 @@
+ ccflags-$(GCOV) := -fprofile-arcs -ftest-coverage
+ ccflags-$(GCOV) += -O0
+
+-ccflags-y += -Werror
++#ccflags-y += -Werror
+
+ obj-$(CONFIG_SCSI_LPFC) := lpfc.o
+
diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h
index 3a1ffdd..8eb7c71 100644
--- a/drivers/scsi/lpfc/lpfc.h
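Review bot: The lpfc `-Werror` flag is disabled by leaving a commented-out line (`#ccflags-y += -Werror`) with no reason given, so a later rebase of the patch cannot tell whether the workaround is still needed. Presumably the driver emits warnings once the rest of this patch set is applied and the build would otherwise fail; if so, say so next to the change, for example `# -Werror dropped: lpfc builds with warnings under this patch set`, or delete the line outright. With the flag off, new compiler warnings in this driver no longer stop the build, so they have to be caught by reading the build log.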
@@ -36839,10 +37137,10 @@ index 07322ec..91ccc23 100644
/* check if the device is still usable */
if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
-index 4037fd5..a19fcc7 100644
+index 2bc0362..a858ebe 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
-@@ -1415,7 +1415,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q)
+@@ -1425,7 +1425,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q)
shost = sdev->host;
scsi_init_cmd_errh(cmd);
cmd->result = DID_NO_CONNECT << 16;
@@ -36851,7 +37149,7 @@ index 4037fd5..a19fcc7 100644
/*
* SCSI request completion path will do scsi_device_unbusy(),
-@@ -1441,9 +1441,9 @@ static void scsi_softirq_done(struct request *rq)
+@@ -1451,9 +1451,9 @@ static void scsi_softirq_done(struct request *rq)
INIT_LIST_HEAD(&cmd->eh_entry);
@@ -36864,7 +37162,7 @@ index 4037fd5..a19fcc7 100644
disposition = scsi_decide_disposition(cmd);
if (disposition != SUCCESS &&
diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
-index 04c2a27..9d8bd66 100644
+index bb7c482..7551a95 100644
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -660,7 +660,7 @@ show_iostat_##field(struct device *dev, struct device_attribute *attr, \
@@ -37329,7 +37627,7 @@ index f015839..b15dfc4 100644
(cmd->transport_state & CMD_T_STOP) != 0,
(cmd->transport_state & CMD_T_SENT) != 0);
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
-index 443704f..92d3517 100644
+index 222f1c5..0cdfd3e 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -1355,7 +1355,7 @@ struct se_device *transport_add_device_to_core_hba(
@@ -37359,7 +37657,7 @@ index 443704f..92d3517 100644
atomic_read(&cmd->t_task_cdbs_ex_left),
(cmd->transport_state & CMD_T_ACTIVE) != 0,
(cmd->transport_state & CMD_T_STOP) != 0,
-@@ -2216,9 +2216,9 @@ check_depth:
+@@ -2217,9 +2217,9 @@ check_depth:
cmd = task->task_se_cmd;
spin_lock_irqsave(&cmd->t_state_lock, flags);
task->task_flags |= (TF_ACTIVE | TF_SENT);
@@ -38106,7 +38404,7 @@ index d956965..4179a77 100644
file->f_version = event_count;
return POLLIN | POLLRDNORM;
diff --git a/drivers/usb/early/ehci-dbgp.c b/drivers/usb/early/ehci-dbgp.c
-index 1fc8f12..20647c1 100644
+index 347bb05..63e1b73 100644
--- a/drivers/usb/early/ehci-dbgp.c
+++ b/drivers/usb/early/ehci-dbgp.c
@@ -97,7 +97,8 @@ static inline u32 dbgp_len_update(u32 x, u32 len)
@@ -41561,7 +41859,7 @@ index d146e18..12d1bd1 100644
fd_offset + ex.a_text);
if (error != N_DATADDR(ex)) {
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index 16f7354..666524e 100644
+index 16f7354..7cc1e24 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -32,6 +32,7 @@
@@ -41692,7 +41990,7 @@ index 16f7354..666524e 100644
error = -ENOMEM;
goto out_close;
}
-@@ -525,6 +549,349 @@ out:
+@@ -525,6 +549,311 @@ out:
return error;
}
@@ -41712,15 +42010,6 @@ index 16f7354..666524e 100644
+ pax_flags |= MF_PAX_SEGMEXEC;
+#endif
+
-+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
-+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
-+ if ((__supported_pte_mask & _PAGE_NX))
-+ pax_flags &= ~MF_PAX_SEGMEXEC;
-+ else
-+ pax_flags &= ~MF_PAX_PAGEEXEC;
-+ }
-+#endif
-+
+#ifdef CONFIG_PAX_EMUTRAMP
+ if (elf_phdata->p_flags & PF_EMUTRAMP)
+ pax_flags |= MF_PAX_EMUTRAMP;
@@ -41754,15 +42043,6 @@ index 16f7354..666524e 100644
+ pax_flags |= MF_PAX_SEGMEXEC;
+#endif
+
-+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
-+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
-+ if ((__supported_pte_mask & _PAGE_NX))
-+ pax_flags &= ~MF_PAX_SEGMEXEC;
-+ else
-+ pax_flags &= ~MF_PAX_PAGEEXEC;
-+ }
-+#endif
-+
+#ifdef CONFIG_PAX_EMUTRAMP
+ if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
+ pax_flags |= MF_PAX_EMUTRAMP;
@@ -41798,15 +42078,6 @@ index 16f7354..666524e 100644
+ pax_flags |= MF_PAX_SEGMEXEC;
+#endif
+
-+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
-+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
-+ if ((__supported_pte_mask & _PAGE_NX))
-+ pax_flags &= ~MF_PAX_SEGMEXEC;
-+ else
-+ pax_flags &= ~MF_PAX_PAGEEXEC;
-+ }
-+#endif
-+
+#ifdef CONFIG_PAX_EMUTRAMP
+ if (pax_flags_softmode & MF_PAX_EMUTRAMP)
+ pax_flags |= MF_PAX_EMUTRAMP;
@@ -41840,15 +42111,6 @@ index 16f7354..666524e 100644
+ pax_flags |= MF_PAX_SEGMEXEC;
+#endif
+
-+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
-+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
-+ if ((__supported_pte_mask & _PAGE_NX))
-+ pax_flags &= ~MF_PAX_SEGMEXEC;
-+ else
-+ pax_flags &= ~MF_PAX_PAGEEXEC;
-+ }
-+#endif
-+
+#ifdef CONFIG_PAX_EMUTRAMP
+ if (!(pax_flags_hardmode & MF_PAX_EMUTRAMP))
+ pax_flags |= MF_PAX_EMUTRAMP;
@@ -41868,7 +42130,7 @@ index 16f7354..666524e 100644
+}
+#endif
+
-+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_XATTR_PAX_FLAGS)
++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
+static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
+{
+ unsigned long pax_flags = 0UL;
@@ -41885,15 +42147,6 @@ index 16f7354..666524e 100644
+ pax_flags |= MF_PAX_SEGMEXEC;
+#endif
+
-+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
-+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
-+ if ((__supported_pte_mask & _PAGE_NX))
-+ pax_flags &= ~MF_PAX_SEGMEXEC;
-+ else
-+ pax_flags &= ~MF_PAX_PAGEEXEC;
-+ }
-+#endif
-+
+#ifdef CONFIG_PAX_EMUTRAMP
+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
+ pax_flags |= MF_PAX_EMUTRAMP;
@@ -41915,19 +42168,17 @@ index 16f7354..666524e 100644
+ pax_flags |= MF_PAX_PAGEEXEC;
+#endif
+
++#ifdef CONFIG_PAX_SEGMEXEC
++ pax_flags |= MF_PAX_SEGMEXEC;
++#endif
++
+#ifdef CONFIG_PAX_MPROTECT
+ pax_flags |= MF_PAX_MPROTECT;
+#endif
+
+#ifdef CONFIG_PAX_RANDMMAP
-+ pax_flags |= MF_PAX_RANDMMAP;
-+#endif
-+
-+#ifdef CONFIG_PAX_SEGMEXEC
-+ if (!(pax_flags & MF_PAX_PAGEEXEC) || !(__supported_pte_mask & _PAGE_NX)) {
-+ pax_flags &= ~MF_PAX_PAGEEXEC;
-+ pax_flags |= MF_PAX_SEGMEXEC;
-+ }
++ if (randomize_va_space)
++ pax_flags |= MF_PAX_RANDMMAP;
+#endif
+
+#endif
@@ -42031,6 +42282,15 @@ index 16f7354..666524e 100644
+ if (pt_pax_flags != ~0UL)
+ pax_flags = pt_pax_flags;
+
++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
++ if ((__supported_pte_mask & _PAGE_NX))
++ pax_flags &= ~MF_PAX_SEGMEXEC;
++ else
++ pax_flags &= ~MF_PAX_PAGEEXEC;
++ }
++#endif
++
+ if (0 > pax_check_flags(&pax_flags))
+ return -EINVAL;
+
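Review bot: The PAGEEXEC/SEGMEXEC conflict is now resolved only in this block, and nothing records that the flag parsers above may return both bits and depend on it. The same commit drops the per-parser copies of this check, and an earlier hunk sets `MF_PAX_SEGMEXEC` alongside `MF_PAX_PAGEEXEC` whenever both options are configured, so the block has to stay ahead of `pax_check_flags()`. A comment such as `/* parsers may set both; keep PAGEEXEC when the CPU has NX, otherwise SEGMEXEC */` would make that ordering requirement visible. The enclosing function starts and ends outside the hunk.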
@@ -42042,7 +42302,7 @@ index 16f7354..666524e 100644
/*
* These are the functions used to load ELF style executables and shared
* libraries. There is no binary dependent code anywhere else.
-@@ -541,6 +908,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top)
+@@ -541,6 +870,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top)
{
unsigned int random_variable = 0;
@@ -42054,7 +42314,7 @@ index 16f7354..666524e 100644
if ((current->flags & PF_RANDOMIZE) &&
!(current->personality & ADDR_NO_RANDOMIZE)) {
random_variable = get_random_int() & STACK_RND_MASK;
-@@ -559,7 +931,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -559,7 +893,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
unsigned long load_addr = 0, load_bias = 0;
int load_addr_set = 0;
char * elf_interpreter = NULL;
@@ -42063,7 +42323,7 @@ index 16f7354..666524e 100644
struct elf_phdr *elf_ppnt, *elf_phdata;
unsigned long elf_bss, elf_brk;
int retval, i;
-@@ -569,11 +941,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -569,11 +903,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
unsigned long start_code, end_code, start_data, end_data;
unsigned long reloc_func_desc __maybe_unused = 0;
int executable_stack = EXSTACK_DEFAULT;
@@ -42076,7 +42336,7 @@ index 16f7354..666524e 100644
loc = kmalloc(sizeof(*loc), GFP_KERNEL);
if (!loc) {
-@@ -709,11 +1081,81 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -709,11 +1043,81 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
goto out_free_dentry;
/* OK, This is the point of no return */
@@ -42101,7 +42361,7 @@ index 16f7354..666524e 100644
+
+ current->mm->def_flags = 0;
+
-+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_XATTR_PAX_FLAGS)
++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
+ if (0 > pax_parse_pax_flags(&loc->elf_ex, elf_phdata, bprm->file)) {
+ send_sig(SIGKILL, current, 0);
+ goto out_free_dentry;
@@ -42159,7 +42419,7 @@ index 16f7354..666524e 100644
if (elf_read_implies_exec(loc->elf_ex, executable_stack))
current->personality |= READ_IMPLIES_EXEC;
-@@ -804,6 +1246,20 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -804,6 +1208,20 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
#else
load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
#endif
@@ -42180,7 +42440,7 @@ index 16f7354..666524e 100644
}
error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
-@@ -836,9 +1292,9 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -836,9 +1254,9 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
* allowed task size. Note that p_filesz must always be
* <= p_memsz so it is only necessary to check p_memsz.
*/
@@ -42193,7 +42453,7 @@ index 16f7354..666524e 100644
/* set_brk can never work. Avoid overflows. */
send_sig(SIGKILL, current, 0);
retval = -EINVAL;
-@@ -877,11 +1333,40 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -877,10 +1295,39 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
goto out_free_dentry;
}
if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
@@ -42205,8 +42465,8 @@ index 16f7354..666524e 100644
+ * file specifies odd protections. So
+ * we don't check the return value
+ */
- }
-
++ }
++
+#ifdef CONFIG_PAX_RANDMMAP
+ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
+ unsigned long start, size;
@@ -42231,13 +42491,12 @@ index 16f7354..666524e 100644
+ send_sig(SIGKILL, current, 0);
+ goto out_free_dentry;
+ }
-+ }
+ }
+#endif
-+
+
if (elf_interpreter) {
unsigned long uninitialized_var(interp_map_addr);
-
-@@ -1109,7 +1594,7 @@ static bool always_dump_vma(struct vm_area_struct *vma)
+@@ -1109,7 +1556,7 @@ static bool always_dump_vma(struct vm_area_struct *vma)
* Decide what to dump of a segment, part, all or none.
*/
static unsigned long vma_dump_size(struct vm_area_struct *vma,
@@ -42246,7 +42505,7 @@ index 16f7354..666524e 100644
{
#define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
-@@ -1146,7 +1631,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
+@@ -1146,7 +1593,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
if (vma->vm_file == NULL)
return 0;
@@ -42255,7 +42514,7 @@ index 16f7354..666524e 100644
goto whole;
/*
-@@ -1368,9 +1853,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
+@@ -1368,9 +1815,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
{
elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
int i = 0;
@@ -42267,7 +42526,7 @@ index 16f7354..666524e 100644
fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
}
-@@ -1892,14 +2377,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
+@@ -1892,14 +2339,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
}
static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
@@ -42284,7 +42543,7 @@ index 16f7354..666524e 100644
return size;
}
-@@ -1993,7 +2478,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -1993,7 +2440,7 @@ static int elf_core_dump(struct coredump_params *cprm)
dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
@@ -42293,7 +42552,7 @@ index 16f7354..666524e 100644
offset += elf_core_extra_data_size();
e_shoff = offset;
-@@ -2007,10 +2492,12 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2007,10 +2454,12 @@ static int elf_core_dump(struct coredump_params *cprm)
offset = dataoff;
size += sizeof(*elf);
@@ -42306,7 +42565,7 @@ index 16f7354..666524e 100644
if (size > cprm->limit
|| !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
goto end_coredump;
-@@ -2024,7 +2511,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2024,7 +2473,7 @@ static int elf_core_dump(struct coredump_params *cprm)
phdr.p_offset = offset;
phdr.p_vaddr = vma->vm_start;
phdr.p_paddr = 0;
@@ -42315,7 +42574,7 @@ index 16f7354..666524e 100644
phdr.p_memsz = vma->vm_end - vma->vm_start;
offset += phdr.p_filesz;
phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
-@@ -2035,6 +2522,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2035,6 +2484,7 @@ static int elf_core_dump(struct coredump_params *cprm)
phdr.p_align = ELF_EXEC_PAGESIZE;
size += sizeof(phdr);
@@ -42323,7 +42582,7 @@ index 16f7354..666524e 100644
if (size > cprm->limit
|| !dump_write(cprm->file, &phdr, sizeof(phdr)))
goto end_coredump;
-@@ -2059,7 +2547,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2059,7 +2509,7 @@ static int elf_core_dump(struct coredump_params *cprm)
unsigned long addr;
unsigned long end;
@@ -42332,7 +42591,7 @@ index 16f7354..666524e 100644
for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
struct page *page;
-@@ -2068,6 +2556,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2068,6 +2518,7 @@ static int elf_core_dump(struct coredump_params *cprm)
page = get_dump_page(addr);
if (page) {
void *kaddr = kmap(page);
@@ -42340,7 +42599,7 @@ index 16f7354..666524e 100644
stop = ((size += PAGE_SIZE) > cprm->limit) ||
!dump_write(cprm->file, kaddr,
PAGE_SIZE);
-@@ -2085,6 +2574,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2085,6 +2536,7 @@ static int elf_core_dump(struct coredump_params *cprm)
if (e_phnum == PN_XNUM) {
size += sizeof(*shdr4extnum);
@@ -42348,7 +42607,7 @@ index 16f7354..666524e 100644
if (size > cprm->limit
|| !dump_write(cprm->file, shdr4extnum,
sizeof(*shdr4extnum)))
-@@ -2105,6 +2595,97 @@ out:
+@@ -2105,6 +2557,97 @@ out:
#endif /* CONFIG_ELF_CORE */
@@ -42483,7 +42742,7 @@ index 6b2daf9..a70dccb 100644
goto err;
}
diff --git a/fs/bio.c b/fs/bio.c
-index 84da885..2149cd9 100644
+index 84da885..bac1d48 100644
--- a/fs/bio.c
+++ b/fs/bio.c
@@ -838,7 +838,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
@@ -42495,6 +42754,15 @@ index 84da885..2149cd9 100644
return ERR_PTR(-EINVAL);
nr_pages += end - start;
+@@ -972,7 +972,7 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
+ /*
+ * Overflow, abort
+ */
+- if (end < start)
++ if (end < start || end - start > INT_MAX - nr_pages)
+ return ERR_PTR(-EINVAL);
+
+ nr_pages += end - start;
@@ -1234,7 +1234,7 @@ static void bio_copy_kern_endio(struct bio *bio, int err)
const int read = bio_data_dir(bio) == READ;
struct bio_map_data *bmd = bio->bi_private;
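Review bot: The comment above the check in `__bio_map_user_iov` still reads only "Overflow, abort", although the condition now guards two different things: a wrapped address range (`end < start`) and a running page count that would exceed `INT_MAX`. Spelling that out, e.g. `/* reject a wrapped range, or a page count that would overflow nr_pages */`, tells the next reader why the second clause exists. The comparison mixes the unsigned `end - start` with the `int` expression `INT_MAX - nr_pages`, which is only safe while `nr_pages` is non-negative. The declarations are outside the hunk, so that assumption should be confirmed against the full function.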
@@ -42625,51 +42893,6 @@ index 646ee21..f020f87 100644
if (!del) {
spin_lock(&rc->reloc_root_tree.lock);
-diff --git a/fs/buffer.c b/fs/buffer.c
-index ad5938c..0bc1bed 100644
---- a/fs/buffer.c
-+++ b/fs/buffer.c
-@@ -1036,6 +1036,9 @@ grow_buffers(struct block_device *bdev, sector_t block, int size)
- static struct buffer_head *
- __getblk_slow(struct block_device *bdev, sector_t block, int size)
- {
-+ int ret;
-+ struct buffer_head *bh;
-+
- /* Size must be multiple of hard sectorsize */
- if (unlikely(size & (bdev_logical_block_size(bdev)-1) ||
- (size < 512 || size > PAGE_SIZE))) {
-@@ -1048,20 +1051,21 @@ __getblk_slow(struct block_device *bdev, sector_t block, int size)
- return NULL;
- }
-
-- for (;;) {
-- struct buffer_head * bh;
-- int ret;
-+retry:
-+ bh = __find_get_block(bdev, block, size);
-+ if (bh)
-+ return bh;
-
-+ ret = grow_buffers(bdev, block, size);
-+ if (ret == 0) {
-+ free_more_memory();
-+ goto retry;
-+ } else if (ret > 0) {
- bh = __find_get_block(bdev, block, size);
- if (bh)
- return bh;
--
-- ret = grow_buffers(bdev, block, size);
-- if (ret < 0)
-- return NULL;
-- if (ret == 0)
-- free_more_memory();
- }
-+ return NULL;
- }
-
- /*
diff --git a/fs/cachefiles/bind.c b/fs/cachefiles/bind.c
index 622f469..e8d2d55 100644
--- a/fs/cachefiles/bind.c
@@ -43171,7 +43394,7 @@ index 6901578..d402eb5 100644
return hit;
diff --git a/fs/compat.c b/fs/compat.c
-index f2944ac..62845d2 100644
+index 2b371b3..7e947e3 100644
--- a/fs/compat.c
+++ b/fs/compat.c
@@ -490,7 +490,7 @@ compat_sys_io_setup(unsigned nr_reqs, u32 __user *ctx32p)
@@ -43465,7 +43688,7 @@ index b2a34a1..162fa69 100644
return rc;
}
diff --git a/fs/exec.c b/fs/exec.c
-index 29e5f84..ec81452 100644
+index 126e01c..be60c6e 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -55,6 +55,15 @@
@@ -43925,7 +44148,7 @@ index 29e5f84..ec81452 100644
cn->corename = kmalloc(cn->size, GFP_KERNEL);
cn->used = 0;
-@@ -1821,6 +1953,228 @@ out:
+@@ -1821,6 +1953,250 @@ out:
return ispipe;
}
@@ -44070,7 +44293,7 @@ index 29e5f84..ec81452 100644
+
+#ifdef CONFIG_PAX_USERCOPY
+/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
-+int object_is_on_stack(const void *obj, unsigned long len)
++static noinline int check_stack_object(const void *obj, unsigned long len)
+{
+ const void * const stack = task_stack_page(current);
+ const void * const stackend = stack + THREAD_SIZE;
@@ -44116,7 +44339,7 @@ index 29e5f84..ec81452 100644
+#endif
+}
+
-+__noreturn void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
++static __noreturn void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
+{
+ if (current->signal->curr_ip)
+ printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
@@ -44130,6 +44353,28 @@ index 29e5f84..ec81452 100644
+}
+#endif
+
++void check_object_size(const void *ptr, unsigned long n, bool to)
++{
++
++#ifdef CONFIG_PAX_USERCOPY
++ const char *type;
++
++ if (!n)
++ return;
++
++ type = check_heap_object(ptr, n, to);
++ if (!type) {
++ if (check_stack_object(ptr, n) != -1)
++ return;
++ type = "<process stack>";
++ }
++
++ pax_report_usercopy(ptr, n, to, type);
++#endif
++
++}
++EXPORT_SYMBOL(check_object_size);
++
+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
+void pax_track_stack(void)
+{
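Review bot: `check_object_size()` is added as an exported symbol with no comment describing its contract, which the signature alone does not convey. A kernel-doc block should state that a zero `n` returns immediately, that a non-NULL string from `check_heap_object()` is treated as a violation, and that otherwise only a `-1` result from `check_stack_object()` is reported. It should also state that the function does not return on a violation, because `pax_report_usercopy()` is `__noreturn`. The body is empty without `CONFIG_PAX_USERCOPY`, and the stray blank lines after `{` and before `}` can go. `pax_track_stack()` at the end of the hunk continues outside it.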
@@ -44154,7 +44399,37 @@ index 29e5f84..ec81452 100644
static int zap_process(struct task_struct *start, int exit_code)
{
struct task_struct *t;
-@@ -2018,17 +2372,17 @@ static void wait_for_dump_helpers(struct file *file)
+@@ -1980,17 +2356,17 @@ static void coredump_finish(struct mm_struct *mm)
+ void set_dumpable(struct mm_struct *mm, int value)
+ {
+ switch (value) {
+- case 0:
++ case SUID_DUMPABLE_DISABLED:
+ clear_bit(MMF_DUMPABLE, &mm->flags);
+ smp_wmb();
+ clear_bit(MMF_DUMP_SECURELY, &mm->flags);
+ break;
+- case 1:
++ case SUID_DUMPABLE_ENABLED:
+ set_bit(MMF_DUMPABLE, &mm->flags);
+ smp_wmb();
+ clear_bit(MMF_DUMP_SECURELY, &mm->flags);
+ break;
+- case 2:
++ case SUID_DUMPABLE_SAFE:
+ set_bit(MMF_DUMP_SECURELY, &mm->flags);
+ smp_wmb();
+ set_bit(MMF_DUMPABLE, &mm->flags);
+@@ -2003,7 +2379,7 @@ static int __get_dumpable(unsigned long mm_flags)
+ int ret;
+
+ ret = mm_flags & MMF_DUMPABLE_MASK;
+- return (ret >= 2) ? 2 : ret;
++ return (ret > SUID_DUMPABLE_ENABLED) ? SUID_DUMPABLE_SAFE : ret;
+ }
+
+ int get_dumpable(struct mm_struct *mm)
+@@ -2018,17 +2394,17 @@ static void wait_for_dump_helpers(struct file *file)
pipe = file->f_path.dentry->d_inode->i_pipe;
pipe_lock(pipe);
@@ -44177,16 +44452,17 @@ index 29e5f84..ec81452 100644
pipe_unlock(pipe);
}
-@@ -2089,7 +2443,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2089,7 +2465,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
int retval = 0;
int flag = 0;
int ispipe;
- static atomic_t core_dump_count = ATOMIC_INIT(0);
++ bool need_nonrelative = false;
+ static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
struct coredump_params cprm = {
.signr = signr,
.regs = regs,
-@@ -2104,6 +2458,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2104,6 +2481,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
audit_core_dumps(signr);
@@ -44196,7 +44472,28 @@ index 29e5f84..ec81452 100644
binfmt = mm->binfmt;
if (!binfmt || !binfmt->core_dump)
goto fail;
-@@ -2171,7 +2528,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2114,14 +2494,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+ if (!cred)
+ goto fail;
+ /*
+- * We cannot trust fsuid as being the "true" uid of the
+- * process nor do we know its entire history. We only know it
+- * was tainted so we dump it as root in mode 2.
++ * We cannot trust fsuid as being the "true" uid of the process
++ * nor do we know its entire history. We only know it was tainted
++ * so we dump it as root in mode 2, and only into a controlled
++ * environment (pipe handler or fully qualified path).
+ */
+- if (__get_dumpable(cprm.mm_flags) == 2) {
++ if (__get_dumpable(cprm.mm_flags) == SUID_DUMPABLE_SAFE) {
+ /* Setuid core dump mode */
+ flag = O_EXCL; /* Stop rewrite attacks */
+ cred->fsuid = 0; /* Dump root private */
++ need_nonrelative = true;
+ }
+
+ retval = coredump_wait(exit_code, &core_state);
+@@ -2171,7 +2553,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
}
cprm.limit = RLIM_INFINITY;
@@ -44205,7 +44502,7 @@ index 29e5f84..ec81452 100644
if (core_pipe_limit && (core_pipe_limit < dump_count)) {
printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
task_tgid_vnr(current), current->comm);
-@@ -2198,6 +2555,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2198,9 +2580,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
} else {
struct inode *inode;
@@ -44214,7 +44511,18 @@ index 29e5f84..ec81452 100644
if (cprm.limit < binfmt->min_coredump)
goto fail_unlock;
-@@ -2241,7 +2600,7 @@ close_fail:
++ if (need_nonrelative && cn.corename[0] != '/') {
++ printk(KERN_WARNING "Pid %d(%s) can only dump core "\
++ "to fully qualified path!\n",
++ task_tgid_vnr(current), current->comm);
++ printk(KERN_WARNING "Skipping core dump\n");
++ goto fail_unlock;
++ }
++
+ cprm.file = filp_open(cn.corename,
+ O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag,
+ 0600);
+@@ -2241,7 +2633,7 @@ close_fail:
filp_close(cprm.file, NULL);
fail_dropcount:
if (ispipe)
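Review bot: The rejection path for a relative core path logs one event with two separate `printk` calls, and it splits the first message across string literals with a needless `\` continuation. Other log output can land between the two lines, and the split literal cannot be found by grepping for the full message. A single call such as `printk(KERN_WARNING "Pid %d(%s) can only dump core to fully qualified path, skipping core dump\n", task_tgid_vnr(current), current->comm);` avoids both problems. This branch is reached each time a process in `SUID_DUMPABLE_SAFE` mode dumps with a relative core path, so `printk_ratelimited` may be worth considering to keep repeated crashes from flooding the log. `do_coredump` starts and ends outside the hunk.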
@@ -44223,7 +44531,7 @@ index 29e5f84..ec81452 100644
fail_unlock:
kfree(cn.corename);
fail_corename:
-@@ -2260,7 +2619,7 @@ fail:
+@@ -2260,7 +2652,7 @@ fail:
*/
int dump_write(struct file *file, const void *addr, int nr)
{
@@ -44263,7 +44571,7 @@ index baac1b1..1499b62 100644
}
return 1;
diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
-index 8da837b..ed3835b 100644
+index df76291..60a4ad3 100644
--- a/fs/ext4/balloc.c
+++ b/fs/ext4/balloc.c
@@ -463,8 +463,8 @@ static int ext4_has_free_clusters(struct ext4_sb_info *sbi,
@@ -44278,10 +44586,10 @@ index 8da837b..ed3835b 100644
if (free_clusters >= (nclusters + dirty_clusters))
return 1;
diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
-index 0e01e90..ae2bd5e 100644
+index 47d1c8c..a8e1cc7 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
-@@ -1225,19 +1225,19 @@ struct ext4_sb_info {
+@@ -1224,19 +1224,19 @@ struct ext4_sb_info {
unsigned long s_mb_last_start;
/* stats for buddy allocator */
@@ -44471,10 +44779,10 @@ index 75e7c1f..1eb3e4d 100644
break;
err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
diff --git a/fs/fifo.c b/fs/fifo.c
-index b1a524d..4ee270e 100644
+index cf6f434..3d7942c 100644
--- a/fs/fifo.c
+++ b/fs/fifo.c
-@@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode, struct file *filp)
+@@ -59,10 +59,10 @@ static int fifo_open(struct inode *inode, struct file *filp)
*/
filp->f_op = &read_pipefifo_fops;
pipe->r_counter++;
@@ -44503,10 +44811,10 @@ index b1a524d..4ee270e 100644
- if (!pipe->readers) {
+ if (!atomic_read(&pipe->readers)) {
- wait_for_partner(inode, &pipe->r_counter);
- if (signal_pending(current))
+ if (wait_for_partner(inode, &pipe->r_counter))
goto err_wr;
-@@ -105,11 +105,11 @@ static int fifo_open(struct inode *inode, struct file *filp)
+ }
+@@ -104,11 +104,11 @@ static int fifo_open(struct inode *inode, struct file *filp)
*/
filp->f_op = &rdwr_pipefifo_fops;
@@ -44521,7 +44829,7 @@ index b1a524d..4ee270e 100644
wake_up_partner(inode);
break;
-@@ -123,19 +123,19 @@ static int fifo_open(struct inode *inode, struct file *filp)
+@@ -122,19 +122,19 @@ static int fifo_open(struct inode *inode, struct file *filp)
return 0;
err_rd:
@@ -44838,26 +45146,13 @@ index f6aad48..88dcf26 100644
-extern atomic_t fscache_n_op_gc;
-extern atomic_t fscache_n_op_cancelled;
-extern atomic_t fscache_n_op_rejected;
-+extern atomic_unchecked_t fscache_n_op_pend;
-+extern atomic_unchecked_t fscache_n_op_run;
-+extern atomic_unchecked_t fscache_n_op_enqueue;
-+extern atomic_unchecked_t fscache_n_op_deferred_release;
-+extern atomic_unchecked_t fscache_n_op_release;
-+extern atomic_unchecked_t fscache_n_op_gc;
-+extern atomic_unchecked_t fscache_n_op_cancelled;
-+extern atomic_unchecked_t fscache_n_op_rejected;
-
+-
-extern atomic_t fscache_n_attr_changed;
-extern atomic_t fscache_n_attr_changed_ok;
-extern atomic_t fscache_n_attr_changed_nobufs;
-extern atomic_t fscache_n_attr_changed_nomem;
-extern atomic_t fscache_n_attr_changed_calls;
-+extern atomic_unchecked_t fscache_n_attr_changed;
-+extern atomic_unchecked_t fscache_n_attr_changed_ok;
-+extern atomic_unchecked_t fscache_n_attr_changed_nobufs;
-+extern atomic_unchecked_t fscache_n_attr_changed_nomem;
-+extern atomic_unchecked_t fscache_n_attr_changed_calls;
-
+-
-extern atomic_t fscache_n_allocs;
-extern atomic_t fscache_n_allocs_ok;
-extern atomic_t fscache_n_allocs_wait;
@@ -44866,15 +45161,7 @@ index f6aad48..88dcf26 100644
-extern atomic_t fscache_n_allocs_object_dead;
-extern atomic_t fscache_n_alloc_ops;
-extern atomic_t fscache_n_alloc_op_waits;
-+extern atomic_unchecked_t fscache_n_allocs;
-+extern atomic_unchecked_t fscache_n_allocs_ok;
-+extern atomic_unchecked_t fscache_n_allocs_wait;
-+extern atomic_unchecked_t fscache_n_allocs_nobufs;
-+extern atomic_unchecked_t fscache_n_allocs_intr;
-+extern atomic_unchecked_t fscache_n_allocs_object_dead;
-+extern atomic_unchecked_t fscache_n_alloc_ops;
-+extern atomic_unchecked_t fscache_n_alloc_op_waits;
-
+-
-extern atomic_t fscache_n_retrievals;
-extern atomic_t fscache_n_retrievals_ok;
-extern atomic_t fscache_n_retrievals_wait;
@@ -44885,17 +45172,7 @@ index f6aad48..88dcf26 100644
-extern atomic_t fscache_n_retrievals_object_dead;
-extern atomic_t fscache_n_retrieval_ops;
-extern atomic_t fscache_n_retrieval_op_waits;
-+extern atomic_unchecked_t fscache_n_retrievals;
-+extern atomic_unchecked_t fscache_n_retrievals_ok;
-+extern atomic_unchecked_t fscache_n_retrievals_wait;
-+extern atomic_unchecked_t fscache_n_retrievals_nodata;
-+extern atomic_unchecked_t fscache_n_retrievals_nobufs;
-+extern atomic_unchecked_t fscache_n_retrievals_intr;
-+extern atomic_unchecked_t fscache_n_retrievals_nomem;
-+extern atomic_unchecked_t fscache_n_retrievals_object_dead;
-+extern atomic_unchecked_t fscache_n_retrieval_ops;
-+extern atomic_unchecked_t fscache_n_retrieval_op_waits;
-
+-
-extern atomic_t fscache_n_stores;
-extern atomic_t fscache_n_stores_ok;
-extern atomic_t fscache_n_stores_again;
@@ -44906,6 +45183,84 @@ index f6aad48..88dcf26 100644
-extern atomic_t fscache_n_store_pages;
-extern atomic_t fscache_n_store_radix_deletes;
-extern atomic_t fscache_n_store_pages_over_limit;
+-
+-extern atomic_t fscache_n_store_vmscan_not_storing;
+-extern atomic_t fscache_n_store_vmscan_gone;
+-extern atomic_t fscache_n_store_vmscan_busy;
+-extern atomic_t fscache_n_store_vmscan_cancelled;
+-
+-extern atomic_t fscache_n_marks;
+-extern atomic_t fscache_n_uncaches;
+-
+-extern atomic_t fscache_n_acquires;
+-extern atomic_t fscache_n_acquires_null;
+-extern atomic_t fscache_n_acquires_no_cache;
+-extern atomic_t fscache_n_acquires_ok;
+-extern atomic_t fscache_n_acquires_nobufs;
+-extern atomic_t fscache_n_acquires_oom;
+-
+-extern atomic_t fscache_n_updates;
+-extern atomic_t fscache_n_updates_null;
+-extern atomic_t fscache_n_updates_run;
+-
+-extern atomic_t fscache_n_relinquishes;
+-extern atomic_t fscache_n_relinquishes_null;
+-extern atomic_t fscache_n_relinquishes_waitcrt;
+-extern atomic_t fscache_n_relinquishes_retire;
+-
+-extern atomic_t fscache_n_cookie_index;
+-extern atomic_t fscache_n_cookie_data;
+-extern atomic_t fscache_n_cookie_special;
+-
+-extern atomic_t fscache_n_object_alloc;
+-extern atomic_t fscache_n_object_no_alloc;
+-extern atomic_t fscache_n_object_lookups;
+-extern atomic_t fscache_n_object_lookups_negative;
+-extern atomic_t fscache_n_object_lookups_positive;
+-extern atomic_t fscache_n_object_lookups_timed_out;
+-extern atomic_t fscache_n_object_created;
+-extern atomic_t fscache_n_object_avail;
+-extern atomic_t fscache_n_object_dead;
+-
+-extern atomic_t fscache_n_checkaux_none;
+-extern atomic_t fscache_n_checkaux_okay;
+-extern atomic_t fscache_n_checkaux_update;
+-extern atomic_t fscache_n_checkaux_obsolete;
++extern atomic_unchecked_t fscache_n_op_pend;
++extern atomic_unchecked_t fscache_n_op_run;
++extern atomic_unchecked_t fscache_n_op_enqueue;
++extern atomic_unchecked_t fscache_n_op_deferred_release;
++extern atomic_unchecked_t fscache_n_op_release;
++extern atomic_unchecked_t fscache_n_op_gc;
++extern atomic_unchecked_t fscache_n_op_cancelled;
++extern atomic_unchecked_t fscache_n_op_rejected;
++
++extern atomic_unchecked_t fscache_n_attr_changed;
++extern atomic_unchecked_t fscache_n_attr_changed_ok;
++extern atomic_unchecked_t fscache_n_attr_changed_nobufs;
++extern atomic_unchecked_t fscache_n_attr_changed_nomem;
++extern atomic_unchecked_t fscache_n_attr_changed_calls;
++
++extern atomic_unchecked_t fscache_n_allocs;
++extern atomic_unchecked_t fscache_n_allocs_ok;
++extern atomic_unchecked_t fscache_n_allocs_wait;
++extern atomic_unchecked_t fscache_n_allocs_nobufs;
++extern atomic_unchecked_t fscache_n_allocs_intr;
++extern atomic_unchecked_t fscache_n_allocs_object_dead;
++extern atomic_unchecked_t fscache_n_alloc_ops;
++extern atomic_unchecked_t fscache_n_alloc_op_waits;
++
++extern atomic_unchecked_t fscache_n_retrievals;
++extern atomic_unchecked_t fscache_n_retrievals_ok;
++extern atomic_unchecked_t fscache_n_retrievals_wait;
++extern atomic_unchecked_t fscache_n_retrievals_nodata;
++extern atomic_unchecked_t fscache_n_retrievals_nobufs;
++extern atomic_unchecked_t fscache_n_retrievals_intr;
++extern atomic_unchecked_t fscache_n_retrievals_nomem;
++extern atomic_unchecked_t fscache_n_retrievals_object_dead;
++extern atomic_unchecked_t fscache_n_retrieval_ops;
++extern atomic_unchecked_t fscache_n_retrieval_op_waits;
++
+extern atomic_unchecked_t fscache_n_stores;
+extern atomic_unchecked_t fscache_n_stores_ok;
+extern atomic_unchecked_t fscache_n_stores_again;
@@ -44916,66 +45271,35 @@ index f6aad48..88dcf26 100644
+extern atomic_unchecked_t fscache_n_store_pages;
+extern atomic_unchecked_t fscache_n_store_radix_deletes;
+extern atomic_unchecked_t fscache_n_store_pages_over_limit;
-
--extern atomic_t fscache_n_store_vmscan_not_storing;
--extern atomic_t fscache_n_store_vmscan_gone;
--extern atomic_t fscache_n_store_vmscan_busy;
--extern atomic_t fscache_n_store_vmscan_cancelled;
++
+extern atomic_unchecked_t fscache_n_store_vmscan_not_storing;
+extern atomic_unchecked_t fscache_n_store_vmscan_gone;
+extern atomic_unchecked_t fscache_n_store_vmscan_busy;
+extern atomic_unchecked_t fscache_n_store_vmscan_cancelled;
-
--extern atomic_t fscache_n_marks;
--extern atomic_t fscache_n_uncaches;
++
+extern atomic_unchecked_t fscache_n_marks;
+extern atomic_unchecked_t fscache_n_uncaches;
-
--extern atomic_t fscache_n_acquires;
--extern atomic_t fscache_n_acquires_null;
--extern atomic_t fscache_n_acquires_no_cache;
--extern atomic_t fscache_n_acquires_ok;
--extern atomic_t fscache_n_acquires_nobufs;
--extern atomic_t fscache_n_acquires_oom;
++
+extern atomic_unchecked_t fscache_n_acquires;
+extern atomic_unchecked_t fscache_n_acquires_null;
+extern atomic_unchecked_t fscache_n_acquires_no_cache;
+extern atomic_unchecked_t fscache_n_acquires_ok;
+extern atomic_unchecked_t fscache_n_acquires_nobufs;
+extern atomic_unchecked_t fscache_n_acquires_oom;
-
--extern atomic_t fscache_n_updates;
--extern atomic_t fscache_n_updates_null;
--extern atomic_t fscache_n_updates_run;
++
+extern atomic_unchecked_t fscache_n_updates;
+extern atomic_unchecked_t fscache_n_updates_null;
+extern atomic_unchecked_t fscache_n_updates_run;
-
--extern atomic_t fscache_n_relinquishes;
--extern atomic_t fscache_n_relinquishes_null;
--extern atomic_t fscache_n_relinquishes_waitcrt;
--extern atomic_t fscache_n_relinquishes_retire;
++
+extern atomic_unchecked_t fscache_n_relinquishes;
+extern atomic_unchecked_t fscache_n_relinquishes_null;
+extern atomic_unchecked_t fscache_n_relinquishes_waitcrt;
+extern atomic_unchecked_t fscache_n_relinquishes_retire;
-
--extern atomic_t fscache_n_cookie_index;
--extern atomic_t fscache_n_cookie_data;
--extern atomic_t fscache_n_cookie_special;
++
+extern atomic_unchecked_t fscache_n_cookie_index;
+extern atomic_unchecked_t fscache_n_cookie_data;
+extern atomic_unchecked_t fscache_n_cookie_special;
-
--extern atomic_t fscache_n_object_alloc;
--extern atomic_t fscache_n_object_no_alloc;
--extern atomic_t fscache_n_object_lookups;
--extern atomic_t fscache_n_object_lookups_negative;
--extern atomic_t fscache_n_object_lookups_positive;
--extern atomic_t fscache_n_object_lookups_timed_out;
--extern atomic_t fscache_n_object_created;
--extern atomic_t fscache_n_object_avail;
--extern atomic_t fscache_n_object_dead;
++
+extern atomic_unchecked_t fscache_n_object_alloc;
+extern atomic_unchecked_t fscache_n_object_no_alloc;
+extern atomic_unchecked_t fscache_n_object_lookups;
@@ -44985,11 +45309,7 @@ index f6aad48..88dcf26 100644
+extern atomic_unchecked_t fscache_n_object_created;
+extern atomic_unchecked_t fscache_n_object_avail;
+extern atomic_unchecked_t fscache_n_object_dead;
-
--extern atomic_t fscache_n_checkaux_none;
--extern atomic_t fscache_n_checkaux_okay;
--extern atomic_t fscache_n_checkaux_update;
--extern atomic_t fscache_n_checkaux_obsolete;
++
+extern atomic_unchecked_t fscache_n_checkaux_none;
+extern atomic_unchecked_t fscache_n_checkaux_okay;
+extern atomic_unchecked_t fscache_n_checkaux_update;
@@ -45655,27 +45975,13 @@ index 4765190..2a067f2 100644
-atomic_t fscache_n_op_gc;
-atomic_t fscache_n_op_cancelled;
-atomic_t fscache_n_op_rejected;
-+atomic_unchecked_t fscache_n_op_pend;
-+atomic_unchecked_t fscache_n_op_run;
-+atomic_unchecked_t fscache_n_op_enqueue;
-+atomic_unchecked_t fscache_n_op_requeue;
-+atomic_unchecked_t fscache_n_op_deferred_release;
-+atomic_unchecked_t fscache_n_op_release;
-+atomic_unchecked_t fscache_n_op_gc;
-+atomic_unchecked_t fscache_n_op_cancelled;
-+atomic_unchecked_t fscache_n_op_rejected;
-
+-
-atomic_t fscache_n_attr_changed;
-atomic_t fscache_n_attr_changed_ok;
-atomic_t fscache_n_attr_changed_nobufs;
-atomic_t fscache_n_attr_changed_nomem;
-atomic_t fscache_n_attr_changed_calls;
-+atomic_unchecked_t fscache_n_attr_changed;
-+atomic_unchecked_t fscache_n_attr_changed_ok;
-+atomic_unchecked_t fscache_n_attr_changed_nobufs;
-+atomic_unchecked_t fscache_n_attr_changed_nomem;
-+atomic_unchecked_t fscache_n_attr_changed_calls;
-
+-
-atomic_t fscache_n_allocs;
-atomic_t fscache_n_allocs_ok;
-atomic_t fscache_n_allocs_wait;
@@ -45684,15 +45990,7 @@ index 4765190..2a067f2 100644
-atomic_t fscache_n_allocs_object_dead;
-atomic_t fscache_n_alloc_ops;
-atomic_t fscache_n_alloc_op_waits;
-+atomic_unchecked_t fscache_n_allocs;
-+atomic_unchecked_t fscache_n_allocs_ok;
-+atomic_unchecked_t fscache_n_allocs_wait;
-+atomic_unchecked_t fscache_n_allocs_nobufs;
-+atomic_unchecked_t fscache_n_allocs_intr;
-+atomic_unchecked_t fscache_n_allocs_object_dead;
-+atomic_unchecked_t fscache_n_alloc_ops;
-+atomic_unchecked_t fscache_n_alloc_op_waits;
-
+-
-atomic_t fscache_n_retrievals;
-atomic_t fscache_n_retrievals_ok;
-atomic_t fscache_n_retrievals_wait;
@@ -45703,17 +46001,7 @@ index 4765190..2a067f2 100644
-atomic_t fscache_n_retrievals_object_dead;
-atomic_t fscache_n_retrieval_ops;
-atomic_t fscache_n_retrieval_op_waits;
-+atomic_unchecked_t fscache_n_retrievals;
-+atomic_unchecked_t fscache_n_retrievals_ok;
-+atomic_unchecked_t fscache_n_retrievals_wait;
-+atomic_unchecked_t fscache_n_retrievals_nodata;
-+atomic_unchecked_t fscache_n_retrievals_nobufs;
-+atomic_unchecked_t fscache_n_retrievals_intr;
-+atomic_unchecked_t fscache_n_retrievals_nomem;
-+atomic_unchecked_t fscache_n_retrievals_object_dead;
-+atomic_unchecked_t fscache_n_retrieval_ops;
-+atomic_unchecked_t fscache_n_retrieval_op_waits;
-
+-
-atomic_t fscache_n_stores;
-atomic_t fscache_n_stores_ok;
-atomic_t fscache_n_stores_again;
@@ -45724,6 +46012,85 @@ index 4765190..2a067f2 100644
-atomic_t fscache_n_store_pages;
-atomic_t fscache_n_store_radix_deletes;
-atomic_t fscache_n_store_pages_over_limit;
+-
+-atomic_t fscache_n_store_vmscan_not_storing;
+-atomic_t fscache_n_store_vmscan_gone;
+-atomic_t fscache_n_store_vmscan_busy;
+-atomic_t fscache_n_store_vmscan_cancelled;
+-
+-atomic_t fscache_n_marks;
+-atomic_t fscache_n_uncaches;
+-
+-atomic_t fscache_n_acquires;
+-atomic_t fscache_n_acquires_null;
+-atomic_t fscache_n_acquires_no_cache;
+-atomic_t fscache_n_acquires_ok;
+-atomic_t fscache_n_acquires_nobufs;
+-atomic_t fscache_n_acquires_oom;
+-
+-atomic_t fscache_n_updates;
+-atomic_t fscache_n_updates_null;
+-atomic_t fscache_n_updates_run;
+-
+-atomic_t fscache_n_relinquishes;
+-atomic_t fscache_n_relinquishes_null;
+-atomic_t fscache_n_relinquishes_waitcrt;
+-atomic_t fscache_n_relinquishes_retire;
+-
+-atomic_t fscache_n_cookie_index;
+-atomic_t fscache_n_cookie_data;
+-atomic_t fscache_n_cookie_special;
+-
+-atomic_t fscache_n_object_alloc;
+-atomic_t fscache_n_object_no_alloc;
+-atomic_t fscache_n_object_lookups;
+-atomic_t fscache_n_object_lookups_negative;
+-atomic_t fscache_n_object_lookups_positive;
+-atomic_t fscache_n_object_lookups_timed_out;
+-atomic_t fscache_n_object_created;
+-atomic_t fscache_n_object_avail;
+-atomic_t fscache_n_object_dead;
+-
+-atomic_t fscache_n_checkaux_none;
+-atomic_t fscache_n_checkaux_okay;
+-atomic_t fscache_n_checkaux_update;
+-atomic_t fscache_n_checkaux_obsolete;
++atomic_unchecked_t fscache_n_op_pend;
++atomic_unchecked_t fscache_n_op_run;
++atomic_unchecked_t fscache_n_op_enqueue;
++atomic_unchecked_t fscache_n_op_requeue;
++atomic_unchecked_t fscache_n_op_deferred_release;
++atomic_unchecked_t fscache_n_op_release;
++atomic_unchecked_t fscache_n_op_gc;
++atomic_unchecked_t fscache_n_op_cancelled;
++atomic_unchecked_t fscache_n_op_rejected;
++
++atomic_unchecked_t fscache_n_attr_changed;
++atomic_unchecked_t fscache_n_attr_changed_ok;
++atomic_unchecked_t fscache_n_attr_changed_nobufs;
++atomic_unchecked_t fscache_n_attr_changed_nomem;
++atomic_unchecked_t fscache_n_attr_changed_calls;
++
++atomic_unchecked_t fscache_n_allocs;
++atomic_unchecked_t fscache_n_allocs_ok;
++atomic_unchecked_t fscache_n_allocs_wait;
++atomic_unchecked_t fscache_n_allocs_nobufs;
++atomic_unchecked_t fscache_n_allocs_intr;
++atomic_unchecked_t fscache_n_allocs_object_dead;
++atomic_unchecked_t fscache_n_alloc_ops;
++atomic_unchecked_t fscache_n_alloc_op_waits;
++
++atomic_unchecked_t fscache_n_retrievals;
++atomic_unchecked_t fscache_n_retrievals_ok;
++atomic_unchecked_t fscache_n_retrievals_wait;
++atomic_unchecked_t fscache_n_retrievals_nodata;
++atomic_unchecked_t fscache_n_retrievals_nobufs;
++atomic_unchecked_t fscache_n_retrievals_intr;
++atomic_unchecked_t fscache_n_retrievals_nomem;
++atomic_unchecked_t fscache_n_retrievals_object_dead;
++atomic_unchecked_t fscache_n_retrieval_ops;
++atomic_unchecked_t fscache_n_retrieval_op_waits;
++
+atomic_unchecked_t fscache_n_stores;
+atomic_unchecked_t fscache_n_stores_ok;
+atomic_unchecked_t fscache_n_stores_again;
@@ -45734,66 +46101,35 @@ index 4765190..2a067f2 100644
+atomic_unchecked_t fscache_n_store_pages;
+atomic_unchecked_t fscache_n_store_radix_deletes;
+atomic_unchecked_t fscache_n_store_pages_over_limit;
-
--atomic_t fscache_n_store_vmscan_not_storing;
--atomic_t fscache_n_store_vmscan_gone;
--atomic_t fscache_n_store_vmscan_busy;
--atomic_t fscache_n_store_vmscan_cancelled;
++
+atomic_unchecked_t fscache_n_store_vmscan_not_storing;
+atomic_unchecked_t fscache_n_store_vmscan_gone;
+atomic_unchecked_t fscache_n_store_vmscan_busy;
+atomic_unchecked_t fscache_n_store_vmscan_cancelled;
-
--atomic_t fscache_n_marks;
--atomic_t fscache_n_uncaches;
++
+atomic_unchecked_t fscache_n_marks;
+atomic_unchecked_t fscache_n_uncaches;
-
--atomic_t fscache_n_acquires;
--atomic_t fscache_n_acquires_null;
--atomic_t fscache_n_acquires_no_cache;
--atomic_t fscache_n_acquires_ok;
--atomic_t fscache_n_acquires_nobufs;
--atomic_t fscache_n_acquires_oom;
++
+atomic_unchecked_t fscache_n_acquires;
+atomic_unchecked_t fscache_n_acquires_null;
+atomic_unchecked_t fscache_n_acquires_no_cache;
+atomic_unchecked_t fscache_n_acquires_ok;
+atomic_unchecked_t fscache_n_acquires_nobufs;
+atomic_unchecked_t fscache_n_acquires_oom;
-
--atomic_t fscache_n_updates;
--atomic_t fscache_n_updates_null;
--atomic_t fscache_n_updates_run;
++
+atomic_unchecked_t fscache_n_updates;
+atomic_unchecked_t fscache_n_updates_null;
+atomic_unchecked_t fscache_n_updates_run;
-
--atomic_t fscache_n_relinquishes;
--atomic_t fscache_n_relinquishes_null;
--atomic_t fscache_n_relinquishes_waitcrt;
--atomic_t fscache_n_relinquishes_retire;
++
+atomic_unchecked_t fscache_n_relinquishes;
+atomic_unchecked_t fscache_n_relinquishes_null;
+atomic_unchecked_t fscache_n_relinquishes_waitcrt;
+atomic_unchecked_t fscache_n_relinquishes_retire;
-
--atomic_t fscache_n_cookie_index;
--atomic_t fscache_n_cookie_data;
--atomic_t fscache_n_cookie_special;
++
+atomic_unchecked_t fscache_n_cookie_index;
+atomic_unchecked_t fscache_n_cookie_data;
+atomic_unchecked_t fscache_n_cookie_special;
-
--atomic_t fscache_n_object_alloc;
--atomic_t fscache_n_object_no_alloc;
--atomic_t fscache_n_object_lookups;
--atomic_t fscache_n_object_lookups_negative;
--atomic_t fscache_n_object_lookups_positive;
--atomic_t fscache_n_object_lookups_timed_out;
--atomic_t fscache_n_object_created;
--atomic_t fscache_n_object_avail;
--atomic_t fscache_n_object_dead;
++
+atomic_unchecked_t fscache_n_object_alloc;
+atomic_unchecked_t fscache_n_object_no_alloc;
+atomic_unchecked_t fscache_n_object_lookups;
@@ -45803,11 +46139,7 @@ index 4765190..2a067f2 100644
+atomic_unchecked_t fscache_n_object_created;
+atomic_unchecked_t fscache_n_object_avail;
+atomic_unchecked_t fscache_n_object_dead;
-
--atomic_t fscache_n_checkaux_none;
--atomic_t fscache_n_checkaux_okay;
--atomic_t fscache_n_checkaux_update;
--atomic_t fscache_n_checkaux_obsolete;
++
+atomic_unchecked_t fscache_n_checkaux_none;
+atomic_unchecked_t fscache_n_checkaux_okay;
+atomic_unchecked_t fscache_n_checkaux_update;
@@ -46027,7 +46359,7 @@ index 3426521..3b75162 100644
cuse_class = class_create(THIS_MODULE, "cuse");
if (IS_ERR(cuse_class))
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
-index 7df2b5e..5804aa7 100644
+index f4246cf..b4aed1d 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1242,7 +1242,7 @@ static ssize_t fuse_dev_splice_read(struct file *in, loff_t *ppos,
@@ -46181,18 +46513,9 @@ index 8392cb8..80d6193 100644
memcpy(c->data, &cookie, 4);
c->len=4;
diff --git a/fs/locks.c b/fs/locks.c
-index 0d68f1f..3114738 100644
+index fcc50ab..c3dacf2 100644
--- a/fs/locks.c
+++ b/fs/locks.c
-@@ -1465,7 +1465,7 @@ int generic_setlease(struct file *filp, long arg, struct file_lock **flp)
- case F_WRLCK:
- return generic_add_lease(filp, arg, flp);
- default:
-- BUG();
-+ return -EINVAL;
- }
- }
- EXPORT_SYMBOL(generic_setlease);
@@ -2075,16 +2075,16 @@ void locks_remove_flock(struct file *filp)
return;
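Review bot: The `generic_setlease` hunk that replaced `BUG()` with `return -EINVAL` in the `default:` case is dropped from the fs/locks.c section here, and the commit record does not say why. The base blob on the `index` line changed, so the 3.4.11 stable update may already carry that fix, but that is an inference from this page and should be confirmed in the patched tree. If the fix is not there, an unexpected lease argument would hit `BUG()` again. A sentence in the commit description stating that the hunk went upstream would record the reasoning.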
@@ -47071,7 +47394,7 @@ index 5d22872..523db20 100644
kfree(link);
}
diff --git a/fs/open.c b/fs/open.c
-index 3f1108b..822d7f7 100644
+index cf1d34f..e58a595 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -31,6 +31,8 @@
@@ -47168,7 +47491,7 @@ index 3f1108b..822d7f7 100644
newattrs.ia_valid = ATTR_CTIME;
if (user != (uid_t) -1) {
newattrs.ia_valid |= ATTR_UID;
-@@ -987,6 +1024,7 @@ long do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode)
+@@ -988,6 +1025,7 @@ long do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode)
} else {
fsnotify_open(f);
fd_install(fd, f);
@@ -47496,7 +47819,7 @@ index f9bd395..acb7847 100644
+}
+#endif
diff --git a/fs/proc/base.c b/fs/proc/base.c
-index 9fc77b4..04761b8 100644
+index 9fc77b4..4877d08 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -109,6 +109,14 @@ struct pid_entry {
@@ -47514,7 +47837,19 @@ index 9fc77b4..04761b8 100644
#define NOD(NAME, MODE, IOP, FOP, OP) { \
.name = (NAME), \
.len = sizeof(NAME) - 1, \
-@@ -213,6 +221,9 @@ static int proc_pid_cmdline(struct task_struct *task, char * buffer)
+@@ -198,11 +206,6 @@ static int proc_root_link(struct dentry *dentry, struct path *path)
+ return result;
+ }
+
+-struct mm_struct *mm_for_maps(struct task_struct *task)
+-{
+- return mm_access(task, PTRACE_MODE_READ);
+-}
+-
+ static int proc_pid_cmdline(struct task_struct *task, char * buffer)
+ {
+ int res = 0;
+@@ -213,6 +216,9 @@ static int proc_pid_cmdline(struct task_struct *task, char * buffer)
if (!mm->arg_end)
goto out_mm; /* Shh! No looking before we're done */
@@ -47524,7 +47859,7 @@ index 9fc77b4..04761b8 100644
len = mm->arg_end - mm->arg_start;
if (len > PAGE_SIZE)
-@@ -240,12 +251,28 @@ out:
+@@ -240,12 +246,28 @@ out:
return res;
}
@@ -47536,7 +47871,8 @@ index 9fc77b4..04761b8 100644
+
static int proc_pid_auxv(struct task_struct *task, char *buffer)
{
- struct mm_struct *mm = mm_for_maps(task);
+- struct mm_struct *mm = mm_for_maps(task);
++ struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ);
int res = PTR_ERR(mm);
if (mm && !IS_ERR(mm)) {
unsigned int nwords = 0;
@@ -47553,7 +47889,7 @@ index 9fc77b4..04761b8 100644
do {
nwords += 2;
} while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
-@@ -259,7 +286,7 @@ static int proc_pid_auxv(struct task_struct *task, char *buffer)
+@@ -259,7 +281,7 @@ static int proc_pid_auxv(struct task_struct *task, char *buffer)
}
@@ -47562,7 +47898,7 @@ index 9fc77b4..04761b8 100644
/*
* Provides a wchan file via kallsyms in a proper one-value-per-file format.
* Returns the resolved symbol. If that fails, simply return the address.
-@@ -298,7 +325,7 @@ static void unlock_trace(struct task_struct *task)
+@@ -298,7 +320,7 @@ static void unlock_trace(struct task_struct *task)
mutex_unlock(&task->signal->cred_guard_mutex);
}
@@ -47571,7 +47907,7 @@ index 9fc77b4..04761b8 100644
#define MAX_STACK_TRACE_DEPTH 64
-@@ -489,7 +516,7 @@ static int proc_pid_limits(struct task_struct *task, char *buffer)
+@@ -489,7 +511,7 @@ static int proc_pid_limits(struct task_struct *task, char *buffer)
return count;
}
@@ -47580,7 +47916,7 @@ index 9fc77b4..04761b8 100644
static int proc_pid_syscall(struct task_struct *task, char *buffer)
{
long nr;
-@@ -518,7 +545,7 @@ static int proc_pid_syscall(struct task_struct *task, char *buffer)
+@@ -518,7 +540,7 @@ static int proc_pid_syscall(struct task_struct *task, char *buffer)
/************************************************************************/
/* permission checks */
@@ -47589,7 +47925,7 @@ index 9fc77b4..04761b8 100644
{
struct task_struct *task;
int allowed = 0;
-@@ -528,7 +555,10 @@ static int proc_fd_access_allowed(struct inode *inode)
+@@ -528,7 +550,10 @@ static int proc_fd_access_allowed(struct inode *inode)
*/
task = get_proc_task(inode);
if (task) {
@@ -47601,7 +47937,7 @@ index 9fc77b4..04761b8 100644
put_task_struct(task);
}
return allowed;
-@@ -566,10 +596,35 @@ static bool has_pid_permissions(struct pid_namespace *pid,
+@@ -566,10 +591,35 @@ static bool has_pid_permissions(struct pid_namespace *pid,
struct task_struct *task,
int hide_pid_min)
{
@@ -47637,7 +47973,7 @@ index 9fc77b4..04761b8 100644
return ptrace_may_access(task, PTRACE_MODE_READ);
}
-@@ -587,7 +642,11 @@ static int proc_pid_permission(struct inode *inode, int mask)
+@@ -587,7 +637,11 @@ static int proc_pid_permission(struct inode *inode, int mask)
put_task_struct(task);
if (!has_perms) {
@@ -47649,8 +47985,35 @@ index 9fc77b4..04761b8 100644
/*
* Let's make getdents(), stat(), and open()
* consistent with each other. If a process
-@@ -702,6 +761,10 @@ static int mem_open(struct inode* inode, struct file* file)
- file->f_mode |= FMODE_UNSIGNED_OFFSET;
+@@ -677,7 +731,7 @@ static const struct file_operations proc_single_file_operations = {
+ .release = single_release,
+ };
+
+-static int mem_open(struct inode* inode, struct file* file)
++static int __mem_open(struct inode *inode, struct file *file, unsigned int mode)
+ {
+ struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
+ struct mm_struct *mm;
+@@ -685,7 +739,12 @@ static int mem_open(struct inode* inode, struct file* file)
+ if (!task)
+ return -ESRCH;
+
+- mm = mm_access(task, PTRACE_MODE_ATTACH);
++ if (gr_acl_handle_procpidmem(task)) {
++ put_task_struct(task);
++ return -EPERM;
++ }
++
++ mm = mm_access(task, mode);
+ put_task_struct(task);
+
+ if (IS_ERR(mm))
+@@ -698,13 +757,26 @@ static int mem_open(struct inode* inode, struct file* file)
+ mmput(mm);
+ }
+
+- /* OK to pass negative loff_t, we can catch out-of-range */
+- file->f_mode |= FMODE_UNSIGNED_OFFSET;
file->private_data = mm;
+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
@@ -47660,7 +48023,21 @@ index 9fc77b4..04761b8 100644
return 0;
}
-@@ -713,6 +776,17 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
++static int mem_open(struct inode *inode, struct file *file)
++{
++ int ret;
++ ret = __mem_open(inode, file, PTRACE_MODE_ATTACH);
++
++ /* OK to pass negative loff_t, we can catch out-of-range */
++ file->f_mode |= FMODE_UNSIGNED_OFFSET;
++
++ return ret;
++}
++
+ static ssize_t mem_rw(struct file *file, char __user *buf,
+ size_t count, loff_t *ppos, int write)
+ {
+@@ -713,6 +785,17 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
ssize_t copied;
char *page;
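Review bot: In the new `mem_open` wrapper, `file->f_mode |= FMODE_UNSIGNED_OFFSET;` runs even when `__mem_open` has returned an error such as `-ESRCH` or `-EPERM`. That is probably harmless because a failed open discards the file, but setting the flag only on success reads more clearly: `if (!ret) file->f_mode |= FMODE_UNSIGNED_OFFSET;`. The declaration and call can also be merged into `int ret = __mem_open(inode, file, PTRACE_MODE_ATTACH);`.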
@@ -47678,17 +48055,101 @@ index 9fc77b4..04761b8 100644
if (!mm)
return 0;
-@@ -813,6 +887,9 @@ static ssize_t environ_read(struct file *file, char __user *buf,
- if (!task)
- goto out_no_task;
+@@ -801,42 +884,49 @@ static const struct file_operations proc_mem_operations = {
+ .release = mem_release,
+ };
-+ if (gr_acl_handle_procpidmem(task))
-+ goto out;
++static int environ_open(struct inode *inode, struct file *file)
++{
++ return __mem_open(inode, file, PTRACE_MODE_READ);
++}
+
- ret = -ENOMEM;
+ static ssize_t environ_read(struct file *file, char __user *buf,
+ size_t count, loff_t *ppos)
+ {
+- struct task_struct *task = get_proc_task(file->f_dentry->d_inode);
+ char *page;
+ unsigned long src = *ppos;
+- int ret = -ESRCH;
+- struct mm_struct *mm;
++ int ret = 0;
++ struct mm_struct *mm = file->private_data;
+
+- if (!task)
+- goto out_no_task;
++ if (!mm)
++ return 0;
++
++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
++ if (file->f_version != current->exec_id) {
++ gr_log_badprocpid("environ");
++ return 0;
++ }
++#endif
+
+- ret = -ENOMEM;
page = (char *)__get_free_page(GFP_TEMPORARY);
if (!page)
-@@ -1433,7 +1510,7 @@ static void *proc_pid_follow_link(struct dentry *dentry, struct nameidata *nd)
+- goto out;
+-
+-
+- mm = mm_for_maps(task);
+- ret = PTR_ERR(mm);
+- if (!mm || IS_ERR(mm))
+- goto out_free;
++ return -ENOMEM;
+
+ ret = 0;
++ if (!atomic_inc_not_zero(&mm->mm_users))
++ goto free;
+ while (count > 0) {
+- int this_len, retval, max_len;
+-
+- this_len = mm->env_end - (mm->env_start + src);
++ size_t this_len, max_len;
++ int retval;
+
+- if (this_len <= 0)
++ if (src >= (mm->env_end - mm->env_start))
+ break;
+
+- max_len = (count > PAGE_SIZE) ? PAGE_SIZE : count;
+- this_len = (this_len > max_len) ? max_len : this_len;
++ this_len = mm->env_end - (mm->env_start + src);
++
++ max_len = min_t(size_t, PAGE_SIZE, count);
++ this_len = min(max_len, this_len);
+
+- retval = access_process_vm(task, (mm->env_start + src),
++ retval = access_remote_vm(mm, (mm->env_start + src),
+ page, this_len, 0);
+
+ if (retval <= 0) {
+@@ -855,19 +945,18 @@ static ssize_t environ_read(struct file *file, char __user *buf,
+ count -= retval;
+ }
+ *ppos = src;
+-
+ mmput(mm);
+-out_free:
++
++free:
+ free_page((unsigned long) page);
+-out:
+- put_task_struct(task);
+-out_no_task:
+ return ret;
+ }
+
+ static const struct file_operations proc_environ_operations = {
++ .open = environ_open,
+ .read = environ_read,
+ .llseek = generic_file_llseek,
++ .release = mem_release,
+ };
+
+ static ssize_t oom_adjust_read(struct file *file, char __user *buf,
+@@ -1433,7 +1522,7 @@ static void *proc_pid_follow_link(struct dentry *dentry, struct nameidata *nd)
path_put(&nd->path);
/* Are we allowed to snoop on the tasks file descriptors? */
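Review bot: `environ_open` carries no comment explaining that the access decision for /proc/<pid>/environ is now made once, at open time, through `__mem_open(inode, file, PTRACE_MODE_READ)`, whereas the previous version of this patch called `gr_acl_handle_procpidmem(task)` inside `environ_read` on every read. Reads now operate on the mm kept in `file->private_data`, and the only per-read check left in `environ_read` is the `f_version`/`exec_id` comparison, which is compiled in only with `CONFIG_GRKERNSEC_PROC_MEMMAP`. A comment above `environ_open` would make this explicit, for example `/* access is decided at open; reads use the mm saved in private_data */`. The `ret = 0;` before the loop in `environ_read` is also redundant now that `ret` is initialised at its declaration.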
@@ -47697,7 +48158,7 @@ index 9fc77b4..04761b8 100644
goto out;
error = PROC_I(inode)->op.proc_get_link(dentry, &nd->path);
-@@ -1472,8 +1549,18 @@ static int proc_pid_readlink(struct dentry * dentry, char __user * buffer, int b
+@@ -1472,8 +1561,18 @@ static int proc_pid_readlink(struct dentry * dentry, char __user * buffer, int b
struct path path;
/* Are we allowed to snoop on the tasks file descriptors? */
@@ -47718,7 +48179,7 @@ index 9fc77b4..04761b8 100644
error = PROC_I(inode)->op.proc_get_link(dentry, &path);
if (error)
-@@ -1538,7 +1625,11 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t
+@@ -1538,7 +1637,11 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t
rcu_read_lock();
cred = __task_cred(task);
inode->i_uid = cred->euid;
@@ -47730,7 +48191,7 @@ index 9fc77b4..04761b8 100644
rcu_read_unlock();
}
security_task_to_inode(task, inode);
-@@ -1574,10 +1665,19 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
+@@ -1574,10 +1677,19 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
return -ENOENT;
}
if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
@@ -47750,7 +48211,7 @@ index 9fc77b4..04761b8 100644
}
}
rcu_read_unlock();
-@@ -1615,11 +1715,20 @@ int pid_revalidate(struct dentry *dentry, struct nameidata *nd)
+@@ -1615,11 +1727,20 @@ int pid_revalidate(struct dentry *dentry, struct nameidata *nd)
if (task) {
if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
@@ -47771,7 +48232,7 @@ index 9fc77b4..04761b8 100644
rcu_read_unlock();
} else {
inode->i_uid = 0;
-@@ -1737,7 +1846,8 @@ static int proc_fd_info(struct inode *inode, struct path *path, char *info)
+@@ -1737,7 +1858,8 @@ static int proc_fd_info(struct inode *inode, struct path *path, char *info)
int fd = proc_fd(inode);
if (task) {
@@ -47781,7 +48242,21 @@ index 9fc77b4..04761b8 100644
put_task_struct(task);
}
if (files) {
-@@ -2338,11 +2448,21 @@ static const struct file_operations proc_map_files_operations = {
+@@ -2025,11 +2147,8 @@ static int map_files_d_revalidate(struct dentry *dentry, struct nameidata *nd)
+ if (!task)
+ goto out_notask;
+
+- if (!ptrace_may_access(task, PTRACE_MODE_READ))
+- goto out;
+-
+- mm = get_task_mm(task);
+- if (!mm)
++ mm = mm_access(task, PTRACE_MODE_READ);
++ if (IS_ERR_OR_NULL(mm))
+ goto out;
+
+ if (!dname_to_vma_addr(dentry, &vm_start, &vm_end)) {
+@@ -2338,11 +2457,21 @@ static const struct file_operations proc_map_files_operations = {
*/
static int proc_fd_permission(struct inode *inode, int mask)
{
@@ -47805,7 +48280,7 @@ index 9fc77b4..04761b8 100644
return rv;
}
-@@ -2452,6 +2572,9 @@ static struct dentry *proc_pident_lookup(struct inode *dir,
+@@ -2452,6 +2581,9 @@ static struct dentry *proc_pident_lookup(struct inode *dir,
if (!task)
goto out_no_task;
@@ -47815,7 +48290,7 @@ index 9fc77b4..04761b8 100644
/*
* Yes, it does not scale. And it should not. Don't add
* new entries into /proc/<tgid>/ without very good reasons.
-@@ -2496,6 +2619,9 @@ static int proc_pident_readdir(struct file *filp,
+@@ -2496,6 +2628,9 @@ static int proc_pident_readdir(struct file *filp,
if (!task)
goto out_no_task;
@@ -47825,7 +48300,7 @@ index 9fc77b4..04761b8 100644
ret = 0;
i = filp->f_pos;
switch (i) {
-@@ -2766,7 +2892,7 @@ static void *proc_self_follow_link(struct dentry *dentry, struct nameidata *nd)
+@@ -2766,7 +2901,7 @@ static void *proc_self_follow_link(struct dentry *dentry, struct nameidata *nd)
static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
void *cookie)
{
@@ -47834,7 +48309,7 @@ index 9fc77b4..04761b8 100644
if (!IS_ERR(s))
__putname(s);
}
-@@ -2967,7 +3093,7 @@ static const struct pid_entry tgid_base_stuff[] = {
+@@ -2967,7 +3102,7 @@ static const struct pid_entry tgid_base_stuff[] = {
REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
#endif
REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
@@ -47843,7 +48318,7 @@ index 9fc77b4..04761b8 100644
INF("syscall", S_IRUGO, proc_pid_syscall),
#endif
INF("cmdline", S_IRUGO, proc_pid_cmdline),
-@@ -2992,10 +3118,10 @@ static const struct pid_entry tgid_base_stuff[] = {
+@@ -2992,10 +3127,10 @@ static const struct pid_entry tgid_base_stuff[] = {
#ifdef CONFIG_SECURITY
DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
#endif
@@ -47856,7 +48331,7 @@ index 9fc77b4..04761b8 100644
ONE("stack", S_IRUGO, proc_pid_stack),
#endif
#ifdef CONFIG_SCHEDSTATS
-@@ -3029,6 +3155,9 @@ static const struct pid_entry tgid_base_stuff[] = {
+@@ -3029,6 +3164,9 @@ static const struct pid_entry tgid_base_stuff[] = {
#ifdef CONFIG_HARDWALL
INF("hardwall", S_IRUGO, proc_pid_hardwall),
#endif
@@ -47866,7 +48341,7 @@ index 9fc77b4..04761b8 100644
};
static int proc_tgid_base_readdir(struct file * filp,
-@@ -3155,7 +3284,14 @@ static struct dentry *proc_pid_instantiate(struct inode *dir,
+@@ -3155,7 +3293,14 @@ static struct dentry *proc_pid_instantiate(struct inode *dir,
if (!inode)
goto out;
@@ -47881,7 +48356,7 @@ index 9fc77b4..04761b8 100644
inode->i_op = &proc_tgid_base_inode_operations;
inode->i_fop = &proc_tgid_base_operations;
inode->i_flags|=S_IMMUTABLE;
-@@ -3197,7 +3333,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, struct
+@@ -3197,7 +3342,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, struct
if (!task)
goto out;
@@ -47893,7 +48368,7 @@ index 9fc77b4..04761b8 100644
put_task_struct(task);
out:
return result;
-@@ -3260,6 +3400,8 @@ static int proc_pid_fill_cache(struct file *filp, void *dirent, filldir_t filldi
+@@ -3260,6 +3409,8 @@ static int proc_pid_fill_cache(struct file *filp, void *dirent, filldir_t filldi
static int fake_filldir(void *buf, const char *name, int namelen,
loff_t offset, u64 ino, unsigned d_type)
{
@@ -47902,7 +48377,7 @@ index 9fc77b4..04761b8 100644
return 0;
}
-@@ -3326,7 +3468,7 @@ static const struct pid_entry tid_base_stuff[] = {
+@@ -3326,7 +3477,7 @@ static const struct pid_entry tid_base_stuff[] = {
REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
#endif
REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
@@ -47911,7 +48386,7 @@ index 9fc77b4..04761b8 100644
INF("syscall", S_IRUGO, proc_pid_syscall),
#endif
INF("cmdline", S_IRUGO, proc_pid_cmdline),
-@@ -3350,10 +3492,10 @@ static const struct pid_entry tid_base_stuff[] = {
+@@ -3350,10 +3501,10 @@ static const struct pid_entry tid_base_stuff[] = {
#ifdef CONFIG_SECURITY
DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
#endif
@@ -48005,10 +48480,19 @@ index 205c922..2ee4c57 100644
if (de->size)
inode->i_size = de->size;
diff --git a/fs/proc/internal.h b/fs/proc/internal.h
-index 5f79bb8..eeccee4 100644
+index 5f79bb8..e9ab85d 100644
--- a/fs/proc/internal.h
+++ b/fs/proc/internal.h
-@@ -54,6 +54,9 @@ extern int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
+@@ -31,8 +31,6 @@ struct vmalloc_info {
+ unsigned long largest_chunk;
+ };
+
+-extern struct mm_struct *mm_for_maps(struct task_struct *);
+-
+ #ifdef CONFIG_MMU
+ #define VMALLOC_TOTAL (VMALLOC_END - VMALLOC_START)
+ extern void get_vmalloc_info(struct vmalloc_info *vmi);
+@@ -54,6 +52,9 @@ extern int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
struct pid *pid, struct task_struct *task);
extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
struct pid *pid, struct task_struct *task);
@@ -48040,9 +48524,7 @@ index 86c67ee..cdca321 100644
} else {
if (kern_addr_valid(start)) {
- unsigned long n;
-+ char *elf_buf;
-+ mm_segment_t oldfs;
-
+-
- n = copy_to_user(buffer, (char *)start, tsz);
- /*
- * We cannot distinguish between fault on source
@@ -48053,6 +48535,9 @@ index 86c67ee..cdca321 100644
- if (n) {
- if (clear_user(buffer + tsz - n,
- n))
++ char *elf_buf;
++ mm_segment_t oldfs;
++
+ elf_buf = kmalloc(tsz, GFP_KERNEL);
+ if (!elf_buf)
+ return -ENOMEM;
@@ -48277,7 +48762,7 @@ index eed44bf..abeb499 100644
}
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
-index 7faaf2a..096c28b 100644
+index 7faaf2a..7793015 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -11,12 +11,19 @@
@@ -48337,6 +48822,15 @@ index 7faaf2a..096c28b 100644
}
unsigned long task_vsize(struct mm_struct *mm)
+@@ -125,7 +149,7 @@ static void *m_start(struct seq_file *m, loff_t *pos)
+ if (!priv->task)
+ return ERR_PTR(-ESRCH);
+
+- mm = mm_for_maps(priv->task);
++ mm = mm_access(priv->task, PTRACE_MODE_READ);
+ if (!mm || IS_ERR(mm))
+ return mm;
+ down_read(&mm->mmap_sem);
@@ -231,13 +255,13 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
}
@@ -48444,6 +48938,15 @@ index 7faaf2a..096c28b 100644
mss.resident >> 10,
(unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
mss.shared_clean >> 10,
+@@ -919,7 +970,7 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
+ if (!pm.buffer)
+ goto out_task;
+
+- mm = mm_for_maps(task);
++ mm = mm_access(task, PTRACE_MODE_READ);
+ ret = PTR_ERR(mm);
+ if (!mm || IS_ERR(mm))
+ goto out_free;
@@ -1138,6 +1189,13 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
int n;
char buffer[50];
@@ -48476,7 +48979,7 @@ index 7faaf2a..096c28b 100644
seq_printf(m, " heap");
} else {
diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
-index 74fe164..899e77b 100644
+index 74fe164..0848f95 100644
--- a/fs/proc/task_nommu.c
+++ b/fs/proc/task_nommu.c
@@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
@@ -48497,6 +49000,15 @@ index 74fe164..899e77b 100644
} else if (mm) {
pid_t tid = vm_is_stack(priv->task, vma, is_pid);
+@@ -223,7 +223,7 @@ static void *m_start(struct seq_file *m, loff_t *pos)
+ if (!priv->task)
+ return ERR_PTR(-ESRCH);
+
+- mm = mm_for_maps(priv->task);
++ mm = mm_access(priv->task, PTRACE_MODE_READ);
+ if (!mm || IS_ERR(mm)) {
+ put_task_struct(priv->task);
+ priv->task = NULL;
diff --git a/fs/quota/netlink.c b/fs/quota/netlink.c
index d67908b..d13f6a6 100644
--- a/fs/quota/netlink.c
@@ -48670,7 +49182,7 @@ index a59d271..e12d1cf 100644
#define __fs_changed(gen,s) (gen != get_generation (s))
#define fs_changed(gen,s) \
diff --git a/fs/select.c b/fs/select.c
-index 17d33d0..da0bf5c 100644
+index 0baa0a3..7795e27 100644
--- a/fs/select.c
+++ b/fs/select.c
@@ -20,6 +20,7 @@
@@ -48690,7 +49202,7 @@ index 17d33d0..da0bf5c 100644
return -EINVAL;
diff --git a/fs/seq_file.c b/fs/seq_file.c
-index 0cbd049..cab1127 100644
+index 0cbd049..64e705c 100644
--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -9,6 +9,7 @@
@@ -48711,6 +49223,42 @@ index 0cbd049..cab1127 100644
/*
* Wrappers around seq_open(e.g. swaps_open) need to be
+@@ -92,7 +96,7 @@ static int traverse(struct seq_file *m, loff_t offset)
+ return 0;
+ }
+ if (!m->buf) {
+- m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
++ m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL | GFP_USERCOPY);
+ if (!m->buf)
+ return -ENOMEM;
+ }
+@@ -132,7 +136,7 @@ static int traverse(struct seq_file *m, loff_t offset)
+ Eoverflow:
+ m->op->stop(m, p);
+ kfree(m->buf);
+- m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
++ m->buf = kmalloc(m->size <<= 1, GFP_KERNEL | GFP_USERCOPY);
+ return !m->buf ? -ENOMEM : -EAGAIN;
+ }
+
+@@ -187,7 +191,7 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
+
+ /* grab buffer if we didn't have one */
+ if (!m->buf) {
+- m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
++ m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL | GFP_USERCOPY);
+ if (!m->buf)
+ goto Enomem;
+ }
+@@ -228,7 +232,7 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
+ goto Fill;
+ m->op->stop(m, p);
+ kfree(m->buf);
+- m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
++ m->buf = kmalloc(m->size <<= 1, GFP_KERNEL | GFP_USERCOPY);
+ if (!m->buf)
+ goto Enomem;
+ m->count = 0;
@@ -567,7 +571,7 @@ static void single_stop(struct seq_file *p, void *v)
int single_open(struct file *file, int (*show)(struct seq_file *, void *),
void *data)
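Review bot: `GFP_KERNEL | GFP_USERCOPY` is now open-coded at four `kmalloc()` sites for `m->buf`, two in traverse() and two in seq_read(), so a later allocation path for the same buffer can miss the flag without anyone noticing. Since `m->buf` is the buffer seq_read() hands to userland, routing all four through one helper would keep the policy in a single place, e.g. `static void *seq_buf_alloc(unsigned long size) { return kmalloc(size, GFP_KERNEL | GFP_USERCOPY); }`. A short comment at the helper, `/* m->buf is copied to userland: allocate it from the usercopy caches */`, would record why the flag is there. Both functions continue outside the hunks shown.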
@@ -49127,10 +49675,10 @@ index 3011b87..1ab03e9 100644
kfree(s);
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..b9e7d6f
+index 0000000..4d533f1
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,940 @@
+@@ -0,0 +1,941 @@
+#
+# grecurity configuration
+#
@@ -49259,6 +49807,7 @@ index 0000000..b9e7d6f
+config GRKERNSEC_HIDESYM
+ bool "Hide kernel symbols"
+ default y if GRKERNSEC_CONFIG_AUTO
++ select PAX_USERCOPY_SLABS
+ help
+ If you say Y here, getting information on loaded modules, and
+ displaying all kernel symbols through a syscall will be restricted
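Review bot: The added `select PAX_USERCOPY_SLABS` under GRKERNSEC_HIDESYM is not mentioned in the help text, so someone enabling HIDESYM has no indication that it also turns on the separate usercopy slab caches. `select` forces a symbol on without evaluating that symbol's own `depends on` lines, so if PAX_USERCOPY_SLABS has dependencies (its definition is not in this hunk) they need to be checked or repeated here. I would add a help line such as `Enabling this option also enables PAX_USERCOPY_SLABS.` and a `#` comment above the select stating why HIDESYM requires it.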
@@ -58907,8 +59456,23 @@ index f1c8ca6..b5c1cc7 100644
#define ACPI_DRIVER_ALL_NOTIFY_EVENTS 0x1 /* system AND device events */
+diff --git a/include/asm-generic/4level-fixup.h b/include/asm-generic/4level-fixup.h
+index 77ff547..181834f 100644
+--- a/include/asm-generic/4level-fixup.h
++++ b/include/asm-generic/4level-fixup.h
+@@ -13,8 +13,10 @@
+ #define pmd_alloc(mm, pud, address) \
+ ((unlikely(pgd_none(*(pud))) && __pmd_alloc(mm, pud, address))? \
+ NULL: pmd_offset(pud, address))
++#define pmd_alloc_kernel(mm, pud, address) pmd_alloc((mm), (pud), (address))
+
+ #define pud_alloc(mm, pgd, address) (pgd)
++#define pud_alloc_kernel(mm, pgd, address) pud_alloc((mm), (pgd), (address))
+ #define pud_offset(pgd, start) (pgd)
+ #define pud_none(pud) 0
+ #define pud_bad(pud) 0
diff --git a/include/asm-generic/atomic-long.h b/include/asm-generic/atomic-long.h
-index b7babf0..71e4e74 100644
+index b7babf0..3ba8aee 100644
--- a/include/asm-generic/atomic-long.h
+++ b/include/asm-generic/atomic-long.h
@@ -22,6 +22,12 @@
@@ -59161,7 +59725,7 @@ index b7babf0..71e4e74 100644
static inline long atomic_long_dec_return(atomic_long_t *l)
{
atomic_t *v = (atomic_t *)l;
-@@ -255,4 +393,49 @@ static inline long atomic_long_add_unless(atomic_long_t *l, long a, long u)
+@@ -255,4 +393,55 @@ static inline long atomic_long_add_unless(atomic_long_t *l, long a, long u)
#endif /* BITS_PER_LONG == 64 */
@@ -59179,6 +59743,10 @@ index b7babf0..71e4e74 100644
+ atomic_dec_unchecked((atomic_unchecked_t *)NULL);
+ atomic_cmpxchg_unchecked((atomic_unchecked_t *)NULL, 0, 0);
+ (void)atomic_xchg_unchecked((atomic_unchecked_t *)NULL, 0);
++#ifdef CONFIG_X86
++ atomic_clear_mask_unchecked(0, NULL);
++ atomic_set_mask_unchecked(0, NULL);
++#endif
+
+ atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
+ atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
@@ -59200,6 +59768,8 @@ index b7babf0..71e4e74 100644
+#define atomic_dec_unchecked(v) atomic_dec(v)
+#define atomic_cmpxchg_unchecked(v, o, n) atomic_cmpxchg((v), (o), (n))
+#define atomic_xchg_unchecked(v, i) atomic_xchg((v), (i))
++#define atomic_clear_mask_unchecked(mask, v) atomic_clear_mask((mask), (v))
++#define atomic_set_mask_unchecked(mask, v) atomic_set_mask((mask), (v))
+
+#define atomic_long_read_unchecked(v) atomic_long_read(v)
+#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
@@ -59211,6 +59781,19 @@ index b7babf0..71e4e74 100644
+#endif
+
#endif /* _ASM_GENERIC_ATOMIC_LONG_H */
+diff --git a/include/asm-generic/atomic.h b/include/asm-generic/atomic.h
+index 1ced641..c896ee8 100644
+--- a/include/asm-generic/atomic.h
++++ b/include/asm-generic/atomic.h
+@@ -159,7 +159,7 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
+ * Atomically clears the bits set in @mask from @v
+ */
+ #ifndef atomic_clear_mask
+-static inline void atomic_clear_mask(unsigned long mask, atomic_t *v)
++static inline void atomic_clear_mask(unsigned int mask, atomic_t *v)
+ {
+ unsigned long flags;
+
diff --git a/include/asm-generic/atomic64.h b/include/asm-generic/atomic64.h
index b18ce4f..2ee2843 100644
--- a/include/asm-generic/atomic64.h
@@ -59676,10 +60259,10 @@ index 42e55de..1cd0e66 100644
extern struct cleancache_ops
cleancache_register_ops(struct cleancache_ops *ops);
diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h
-index 2f40791..a62d196 100644
+index 2f40791..938880e 100644
--- a/include/linux/compiler-gcc4.h
+++ b/include/linux/compiler-gcc4.h
-@@ -32,6 +32,16 @@
+@@ -32,6 +32,21 @@
#define __linktime_error(message) __attribute__((__error__(message)))
#if __GNUC_MINOR__ >= 5
@@ -59691,12 +60274,17 @@ index 2f40791..a62d196 100644
+
+#ifdef SIZE_OVERFLOW_PLUGIN
+#define __size_overflow(...) __attribute__((size_overflow(__VA_ARGS__)))
++#define __intentional_overflow(...) __attribute__((intentional_overflow(__VA_ARGS__)))
++#endif
++
++#ifdef LATENT_ENTROPY_PLUGIN
++#define __latent_entropy __attribute__((latent_entropy))
+#endif
+
/*
* Mark a position in code as unreachable. This can be used to
* suppress control flow warnings after asm blocks that transfer
-@@ -47,6 +57,11 @@
+@@ -47,6 +62,11 @@
#define __noclone __attribute__((__noclone__))
#endif
@@ -59709,7 +60297,7 @@ index 2f40791..a62d196 100644
#if __GNUC_MINOR__ > 0
diff --git a/include/linux/compiler.h b/include/linux/compiler.h
-index 923d093..726c17f 100644
+index 923d093..3625de1 100644
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -5,31 +5,62 @@
@@ -59785,7 +60373,7 @@ index 923d093..726c17f 100644
#endif
#ifdef __KERNEL__
-@@ -264,6 +297,18 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
+@@ -264,6 +297,26 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
# define __attribute_const__ /* unimplemented */
#endif
@@ -59801,10 +60389,18 @@ index 923d093..726c17f 100644
+# define __size_overflow(...)
+#endif
+
++#ifndef __latent_entropy
++# define __latent_entropy
++#endif
++
++#ifndef __intentional_overflow
++# define __intentional_overflow(...)
++#endif
++
/*
* Tell gcc if a function is cold. The compiler will assume any path
* directly leading to the call is unlikely.
-@@ -273,6 +318,22 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
+@@ -273,6 +326,22 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
#define __cold
#endif
@@ -59827,7 +60423,7 @@ index 923d093..726c17f 100644
/* Simple shorthand for a section definition */
#ifndef __section
# define __section(S) __attribute__ ((__section__(#S)))
-@@ -308,6 +369,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
+@@ -308,6 +377,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
* use is to mediate communication between process-level code and irq/NMI
* handlers, all running on the same CPU.
*/
@@ -59905,6 +60501,22 @@ index dfc099e..e583e66 100644
#define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
+diff --git a/include/linux/dmaengine.h b/include/linux/dmaengine.h
+index f9a2e5e..c392120 100644
+--- a/include/linux/dmaengine.h
++++ b/include/linux/dmaengine.h
+@@ -993,9 +993,9 @@ struct dma_pinned_list {
+ struct dma_pinned_list *dma_pin_iovec_pages(struct iovec *iov, size_t len);
+ void dma_unpin_iovec_pages(struct dma_pinned_list* pinned_list);
+
+-dma_cookie_t dma_memcpy_to_iovec(struct dma_chan *chan, struct iovec *iov,
++dma_cookie_t __intentional_overflow(0) dma_memcpy_to_iovec(struct dma_chan *chan, struct iovec *iov,
+ struct dma_pinned_list *pinned_list, unsigned char *kdata, size_t len);
+-dma_cookie_t dma_memcpy_pg_to_iovec(struct dma_chan *chan, struct iovec *iov,
++dma_cookie_t __intentional_overflow(0) dma_memcpy_pg_to_iovec(struct dma_chan *chan, struct iovec *iov,
+ struct dma_pinned_list *pinned_list, struct page *page,
+ unsigned int offset, size_t len);
+
diff --git a/include/linux/efi.h b/include/linux/efi.h
index ec45ccd..9923c32 100644
--- a/include/linux/efi.h
@@ -60138,6 +60750,49 @@ index 017a7fb..33a8507 100644
struct disk_events *ev;
#ifdef CONFIG_BLK_DEV_INTEGRITY
struct blk_integrity *integrity;
+diff --git a/include/linux/gfp.h b/include/linux/gfp.h
+index 581e74b..8c34a24 100644
+--- a/include/linux/gfp.h
++++ b/include/linux/gfp.h
+@@ -38,6 +38,12 @@ struct vm_area_struct;
+ #define ___GFP_OTHER_NODE 0x800000u
+ #define ___GFP_WRITE 0x1000000u
+
++#ifdef CONFIG_PAX_USERCOPY_SLABS
++#define ___GFP_USERCOPY 0x2000000u
++#else
++#define ___GFP_USERCOPY 0
++#endif
++
+ /*
+ * GFP bitmasks..
+ *
+@@ -87,6 +93,7 @@ struct vm_area_struct;
+ #define __GFP_NO_KSWAPD ((__force gfp_t)___GFP_NO_KSWAPD)
+ #define __GFP_OTHER_NODE ((__force gfp_t)___GFP_OTHER_NODE) /* On behalf of other node */
+ #define __GFP_WRITE ((__force gfp_t)___GFP_WRITE) /* Allocator intends to dirty page */
++#define __GFP_USERCOPY ((__force gfp_t)___GFP_USERCOPY)/* Allocator intends to copy page to/from userland */
+
+ /*
+ * This may seem redundant, but it's a way of annotating false positives vs.
+@@ -94,7 +101,7 @@ struct vm_area_struct;
+ */
+ #define __GFP_NOTRACK_FALSE_POSITIVE (__GFP_NOTRACK)
+
+-#define __GFP_BITS_SHIFT 25 /* Room for N __GFP_FOO bits */
++#define __GFP_BITS_SHIFT 26 /* Room for N __GFP_FOO bits */
+ #define __GFP_BITS_MASK ((__force gfp_t)((1 << __GFP_BITS_SHIFT) - 1))
+
+ /* This equals 0, but use constants in case they ever change */
+@@ -148,6 +155,8 @@ struct vm_area_struct;
+ /* 4GB DMA on some platforms */
+ #define GFP_DMA32 __GFP_DMA32
+
++#define GFP_USERCOPY __GFP_USERCOPY
++
+ /* Convert GFP flags to their corresponding migrate type */
+ static inline int allocflags_to_migratetype(gfp_t gfp_flags)
+ {
diff --git a/include/linux/gracl.h b/include/linux/gracl.h
new file mode 100644
index 0000000..c938b1f
@@ -61316,10 +61971,54 @@ index 58404b0..439ed95 100644
};
diff --git a/include/linux/init.h b/include/linux/init.h
-index 6b95109..4aca62c 100644
+index 6b95109..bcbdd68 100644
--- a/include/linux/init.h
+++ b/include/linux/init.h
-@@ -294,13 +294,13 @@ void __init parse_early_options(char *cmdline);
+@@ -39,9 +39,15 @@
+ * Also note, that this data cannot be "const".
+ */
+
++#ifdef MODULE
++#define add_latent_entropy
++#else
++#define add_latent_entropy __latent_entropy
++#endif
++
+ /* These are for everybody (although not all archs will actually
+ discard it in modules) */
+-#define __init __section(.init.text) __cold notrace
++#define __init __section(.init.text) __cold notrace add_latent_entropy
+ #define __initdata __section(.init.data)
+ #define __initconst __section(.init.rodata)
+ #define __exitdata __section(.exit.data)
+@@ -83,7 +89,7 @@
+ #define __exit __section(.exit.text) __exitused __cold notrace
+
+ /* Used for HOTPLUG */
+-#define __devinit __section(.devinit.text) __cold notrace
++#define __devinit __section(.devinit.text) __cold notrace add_latent_entropy
+ #define __devinitdata __section(.devinit.data)
+ #define __devinitconst __section(.devinit.rodata)
+ #define __devexit __section(.devexit.text) __exitused __cold notrace
+@@ -91,7 +97,7 @@
+ #define __devexitconst __section(.devexit.rodata)
+
+ /* Used for HOTPLUG_CPU */
+-#define __cpuinit __section(.cpuinit.text) __cold notrace
++#define __cpuinit __section(.cpuinit.text) __cold notrace add_latent_entropy
+ #define __cpuinitdata __section(.cpuinit.data)
+ #define __cpuinitconst __section(.cpuinit.rodata)
+ #define __cpuexit __section(.cpuexit.text) __exitused __cold notrace
+@@ -99,7 +105,7 @@
+ #define __cpuexitconst __section(.cpuexit.rodata)
+
+ /* Used for MEMORY_HOTPLUG */
+-#define __meminit __section(.meminit.text) __cold notrace
++#define __meminit __section(.meminit.text) __cold notrace add_latent_entropy
+ #define __meminitdata __section(.meminit.data)
+ #define __meminitconst __section(.meminit.rodata)
+ #define __memexit __section(.memexit.text) __exitused __cold notrace
+@@ -294,13 +300,13 @@ void __init parse_early_options(char *cmdline);
/* Each module must use one module_init(). */
#define module_init(initfn) \
@@ -61576,7 +62275,7 @@ index 9b07725..3d55001 100644
/**
* struct ux500_charger - power supply ux500 charger sub class
diff --git a/include/linux/mm.h b/include/linux/mm.h
-index 74aa71b..4ae97ba 100644
+index 441a564..81a3499 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -116,7 +116,14 @@ extern unsigned int kobjsize(const void *objp);
@@ -61736,7 +62435,7 @@ index 74aa71b..4ae97ba 100644
struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
unsigned long pfn, unsigned long size, pgprot_t);
-@@ -1602,7 +1612,7 @@ extern int unpoison_memory(unsigned long pfn);
+@@ -1603,7 +1613,7 @@ extern int unpoison_memory(unsigned long pfn);
extern int sysctl_memory_failure_early_kill;
extern int sysctl_memory_failure_recovery;
extern void shake_page(struct page *p, int access);
@@ -61745,7 +62444,7 @@ index 74aa71b..4ae97ba 100644
extern int soft_offline_page(struct page *page, int flags);
extern void dump_page(struct page *page);
-@@ -1633,5 +1643,11 @@ static inline unsigned int debug_guardpage_minorder(void) { return 0; }
+@@ -1634,5 +1644,11 @@ static inline unsigned int debug_guardpage_minorder(void) { return 0; }
static inline bool page_is_guard(struct page *page) { return false; }
#endif /* CONFIG_DEBUG_PAGEALLOC */
@@ -62251,10 +62950,25 @@ index 85c5073..51fac8b 100644
struct ctl_table_header;
struct ctl_table;
diff --git a/include/linux/random.h b/include/linux/random.h
-index 8f74538..02a1012 100644
+index ac621ce..e085135 100644
--- a/include/linux/random.h
+++ b/include/linux/random.h
-@@ -69,12 +69,17 @@ void srandom32(u32 seed);
+@@ -53,6 +53,14 @@ extern void add_input_randomness(unsigned int type, unsigned int code,
+ unsigned int value);
+ extern void add_interrupt_randomness(int irq, int irq_flags);
+
++#ifdef CONFIG_PAX_LATENT_ENTROPY
++extern void transfer_latent_entropy(void);
++#endif
++
++#ifdef CONFIG_PAX_LATENT_ENTROPY
++extern void transfer_latent_entropy(void);
++#endif
++
+ extern void get_random_bytes(void *buf, int nbytes);
+ extern void get_random_bytes_arch(void *buf, int nbytes);
+ void generate_random_uuid(unsigned char uuid_out[16]);
+@@ -69,12 +77,17 @@ void srandom32(u32 seed);
u32 prandom32(struct rnd_state *);
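Review bot: The `#ifdef CONFIG_PAX_LATENT_ENTROPY` block declaring `transfer_latent_entropy()` is added twice in a row in the include/linux/random.h hunk (`@@ -53,6 +53,14 @@`). Repeating an identical `extern` declaration is legal C, so nothing breaks, but it looks like a merge artifact and will produce needless conflicts the next time this patch is rebased. One copy should be dropped so the hunk adds a single `#ifdef CONFIG_PAX_LATENT_ENTROPY` / `extern void transfer_latent_entropy(void);` / `#endif` block.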
@@ -62367,7 +63081,7 @@ index fd07c45..4676b8e 100644
static inline void anon_vma_merge(struct vm_area_struct *vma,
struct vm_area_struct *next)
diff --git a/include/linux/sched.h b/include/linux/sched.h
-index 81a173c..85ccd8f 100644
+index 7b06169..eb46ae3 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -100,6 +100,7 @@ struct bio_list;
@@ -62392,7 +63106,19 @@ index 81a173c..85ccd8f 100644
extern void arch_pick_mmap_layout(struct mm_struct *mm);
extern unsigned long
arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
-@@ -643,6 +647,17 @@ struct signal_struct {
+@@ -404,6 +408,11 @@ static inline void arch_pick_mmap_layout(struct mm_struct *mm) {}
+ extern void set_dumpable(struct mm_struct *mm, int value);
+ extern int get_dumpable(struct mm_struct *mm);
+
++/* get/set_dumpable() values */
++#define SUID_DUMPABLE_DISABLED 0
++#define SUID_DUMPABLE_ENABLED 1
++#define SUID_DUMPABLE_SAFE 2
++
+ /* mm flags */
+ /* dumpable bits */
+ #define MMF_DUMPABLE 0 /* core dump is permitted */
+@@ -643,6 +652,17 @@ struct signal_struct {
#ifdef CONFIG_TASKSTATS
struct taskstats *stats;
#endif
@@ -62410,7 +63136,7 @@ index 81a173c..85ccd8f 100644
#ifdef CONFIG_AUDIT
unsigned audit_tty;
struct tty_audit_buf *tty_audit_buf;
-@@ -726,6 +741,11 @@ struct user_struct {
+@@ -726,6 +746,11 @@ struct user_struct {
struct key *session_keyring; /* UID's default session keyring */
#endif
@@ -62422,7 +63148,7 @@ index 81a173c..85ccd8f 100644
/* Hash table maintenance information */
struct hlist_node uidhash_node;
uid_t uid;
-@@ -1386,8 +1406,8 @@ struct task_struct {
+@@ -1386,8 +1411,8 @@ struct task_struct {
struct list_head thread_group;
struct completion *vfork_done; /* for vfork() */
@@ -62433,7 +63159,7 @@ index 81a173c..85ccd8f 100644
cputime_t utime, stime, utimescaled, stimescaled;
cputime_t gtime;
-@@ -1403,13 +1423,6 @@ struct task_struct {
+@@ -1403,13 +1428,6 @@ struct task_struct {
struct task_cputime cputime_expires;
struct list_head cpu_timers[3];
@@ -62447,7 +63173,7 @@ index 81a173c..85ccd8f 100644
char comm[TASK_COMM_LEN]; /* executable name excluding path
- access with [gs]et_task_comm (which lock
it with task_lock())
-@@ -1426,8 +1439,16 @@ struct task_struct {
+@@ -1426,8 +1444,16 @@ struct task_struct {
#endif
/* CPU-specific state of this task */
struct thread_struct thread;
@@ -62464,7 +63190,7 @@ index 81a173c..85ccd8f 100644
/* open file information */
struct files_struct *files;
/* namespaces */
-@@ -1469,6 +1490,11 @@ struct task_struct {
+@@ -1469,6 +1495,11 @@ struct task_struct {
struct rt_mutex_waiter *pi_blocked_on;
#endif
@@ -62476,7 +63202,7 @@ index 81a173c..85ccd8f 100644
#ifdef CONFIG_DEBUG_MUTEXES
/* mutex deadlock detection */
struct mutex_waiter *blocked_on;
-@@ -1585,6 +1611,27 @@ struct task_struct {
+@@ -1585,6 +1616,27 @@ struct task_struct {
unsigned long default_timer_slack_ns;
struct list_head *scm_work_list;
@@ -62504,7 +63230,7 @@ index 81a173c..85ccd8f 100644
#ifdef CONFIG_FUNCTION_GRAPH_TRACER
/* Index of current stored address in ret_stack */
int curr_ret_stack;
-@@ -1619,6 +1666,51 @@ struct task_struct {
+@@ -1619,6 +1671,51 @@ struct task_struct {
#endif
};
@@ -62551,12 +63277,12 @@ index 81a173c..85ccd8f 100644
+extern void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
+extern void pax_report_insns(struct pt_regs *regs, void *pc, void *sp);
+extern void pax_report_refcount_overflow(struct pt_regs *regs);
-+extern __noreturn void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type);
++extern void check_object_size(const void *ptr, unsigned long n, bool to);
+
/* Future-safe accessor for struct task_struct's cpus_allowed. */
#define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
-@@ -2138,7 +2230,9 @@ void yield(void);
+@@ -2146,7 +2243,9 @@ void yield(void);
extern struct exec_domain default_exec_domain;
union thread_union {
@@ -62566,7 +63292,7 @@ index 81a173c..85ccd8f 100644
unsigned long stack[THREAD_SIZE/sizeof(long)];
};
-@@ -2171,6 +2265,7 @@ extern struct pid_namespace init_pid_ns;
+@@ -2179,6 +2278,7 @@ extern struct pid_namespace init_pid_ns;
*/
extern struct task_struct *find_task_by_vpid(pid_t nr);
@@ -62574,7 +63300,7 @@ index 81a173c..85ccd8f 100644
extern struct task_struct *find_task_by_pid_ns(pid_t nr,
struct pid_namespace *ns);
-@@ -2314,7 +2409,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
+@@ -2322,7 +2422,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
extern void exit_itimers(struct signal_struct *);
extern void flush_itimer_signals(void);
@@ -62583,7 +63309,7 @@ index 81a173c..85ccd8f 100644
extern void daemonize(const char *, ...);
extern int allow_signal(int);
-@@ -2515,13 +2610,17 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
+@@ -2523,9 +2623,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
#endif
@@ -62595,14 +63321,6 @@ index 81a173c..85ccd8f 100644
return (obj >= stack) && (obj < (stack + THREAD_SIZE));
}
-
-+#ifdef CONFIG_PAX_USERCOPY
-+extern int object_is_on_stack(const void *obj, unsigned long len);
-+#endif
-+
- extern void thread_info_cache_init(void);
-
- #ifdef CONFIG_DEBUG_STACK_USAGE
diff --git a/include/linux/screen_info.h b/include/linux/screen_info.h
index 899fbb4..1cb4138 100644
--- a/include/linux/screen_info.h
@@ -62667,9 +63385,18 @@ index 92808b8..c28cac4 100644
/* shm_mode upper byte flags */
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
-index c1bae8d..2dbcd31 100644
+index c1bae8d..f25c5e2 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
+@@ -560,7 +560,7 @@ extern void __kfree_skb(struct sk_buff *skb);
+ extern struct sk_buff *__alloc_skb(unsigned int size,
+ gfp_t priority, int fclone, int node);
+ extern struct sk_buff *build_skb(void *data);
+-static inline struct sk_buff *alloc_skb(unsigned int size,
++static inline struct sk_buff * __intentional_overflow(0) alloc_skb(unsigned int size,
+ gfp_t priority)
+ {
+ return __alloc_skb(size, priority, 0, NUMA_NO_NODE);
@@ -663,7 +663,7 @@ static inline struct skb_shared_hwtstamps *skb_hwtstamps(struct sk_buff *skb)
*/
static inline int skb_queue_empty(const struct sk_buff_head *list)
@@ -62706,8 +63433,17 @@ index c1bae8d..2dbcd31 100644
#endif
extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
+@@ -2097,7 +2097,7 @@ extern struct sk_buff *skb_recv_datagram(struct sock *sk, unsigned flags,
+ int noblock, int *err);
+ extern unsigned int datagram_poll(struct file *file, struct socket *sock,
+ struct poll_table_struct *wait);
+-extern int skb_copy_datagram_iovec(const struct sk_buff *from,
++extern int __intentional_overflow(0) skb_copy_datagram_iovec(const struct sk_buff *from,
+ int offset, struct iovec *to,
+ int size);
+ extern int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb,
diff --git a/include/linux/slab.h b/include/linux/slab.h
-index a595dce..c403597 100644
+index a595dce..dfab0d2 100644
--- a/include/linux/slab.h
+++ b/include/linux/slab.h
@@ -11,12 +11,20 @@
@@ -62722,7 +63458,7 @@ index a595dce..c403597 100644
*/
#define SLAB_DEBUG_FREE 0x00000100UL /* DEBUG: Perform (expensive) checks on free */
+
-+#ifdef CONFIG_PAX_USERCOPY
++#ifdef CONFIG_PAX_USERCOPY_SLABS
+#define SLAB_USERCOPY 0x00000200UL /* PaX: Allow copying objs to/from userland */
+#else
+#define SLAB_USERCOPY 0x00000000UL
@@ -62748,15 +63484,16 @@ index a595dce..c403597 100644
/*
* struct kmem_cache related prototypes
-@@ -161,6 +172,7 @@ void * __must_check krealloc(const void *, size_t, gfp_t);
+@@ -161,6 +172,8 @@ void * __must_check krealloc(const void *, size_t, gfp_t);
void kfree(const void *);
void kzfree(const void *);
size_t ksize(const void *);
-+void check_object_size(const void *ptr, unsigned long n, bool to);
++const char *check_heap_object(const void *ptr, unsigned long n, bool to);
++bool is_usercopy_object(const void *ptr);
/*
* Allocator specific definitions. These are mainly used to establish optimized
-@@ -240,6 +252,7 @@ size_t ksize(const void *);
+@@ -240,6 +253,7 @@ size_t ksize(const void *);
* for general use, and so are not documented here. For a full list of
* potential flags, always refer to linux/gfp.h.
*/
@@ -62764,7 +63501,7 @@ index a595dce..c403597 100644
static inline void *kmalloc_array(size_t n, size_t size, gfp_t flags)
{
if (size != 0 && n > ULONG_MAX / size)
-@@ -298,7 +311,7 @@ static inline void *kmem_cache_alloc_node(struct kmem_cache *cachep,
+@@ -298,7 +312,7 @@ static inline void *kmem_cache_alloc_node(struct kmem_cache *cachep,
*/
#if defined(CONFIG_DEBUG_SLAB) || defined(CONFIG_SLUB) || \
(defined(CONFIG_SLAB) && defined(CONFIG_TRACING))
@@ -62773,7 +63510,7 @@ index a595dce..c403597 100644
#define kmalloc_track_caller(size, flags) \
__kmalloc_track_caller(size, flags, _RET_IP_)
#else
-@@ -317,7 +330,7 @@ extern void *__kmalloc_track_caller(size_t, gfp_t, unsigned long);
+@@ -317,7 +331,7 @@ extern void *__kmalloc_track_caller(size_t, gfp_t, unsigned long);
*/
#if defined(CONFIG_DEBUG_SLAB) || defined(CONFIG_SLUB) || \
(defined(CONFIG_SLAB) && defined(CONFIG_TRACING))
@@ -62783,7 +63520,7 @@ index a595dce..c403597 100644
__kmalloc_node_track_caller(size, flags, node, \
_RET_IP_)
diff --git a/include/linux/slab_def.h b/include/linux/slab_def.h
-index fbd1117..d4d8ef8 100644
+index fbd1117..0a3d314 100644
--- a/include/linux/slab_def.h
+++ b/include/linux/slab_def.h
@@ -66,10 +66,10 @@ struct kmem_cache {
@@ -62801,7 +63538,16 @@ index fbd1117..d4d8ef8 100644
/*
* If debugging is enabled, then the allocator can add additional
-@@ -107,7 +107,7 @@ struct cache_sizes {
+@@ -103,11 +103,16 @@ struct cache_sizes {
+ #ifdef CONFIG_ZONE_DMA
+ struct kmem_cache *cs_dmacachep;
+ #endif
++
++#ifdef CONFIG_PAX_USERCOPY_SLABS
++ struct kmem_cache *cs_usercopycachep;
++#endif
++
+ };
extern struct cache_sizes malloc_sizes[];
void *kmem_cache_alloc(struct kmem_cache *, gfp_t);
@@ -62810,7 +63556,21 @@ index fbd1117..d4d8ef8 100644
#ifdef CONFIG_TRACING
extern void *kmem_cache_alloc_trace(size_t size,
-@@ -160,7 +160,7 @@ found:
+@@ -150,6 +155,13 @@ found:
+ cachep = malloc_sizes[i].cs_dmacachep;
+ else
+ #endif
++
++#ifdef CONFIG_PAX_USERCOPY_SLABS
++ if (flags & GFP_USERCOPY)
++ cachep = malloc_sizes[i].cs_usercopycachep;
++ else
++#endif
++
+ cachep = malloc_sizes[i].cs_cachep;
+
+ ret = kmem_cache_alloc_trace(size, cachep, flags);
+@@ -160,7 +172,7 @@ found:
}
#ifdef CONFIG_NUMA
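Review bot: In the cache selection added before `cachep = malloc_sizes[i].cs_cachep;`, the `GFP_DMA` test comes first and its dangling `else` wraps the new `if (flags & GFP_USERCOPY)`, so a request carrying both flags is served from `cs_dmacachep` and never reaches `cs_usercopycachep`. The next hunk adds the same chain ahead of the `kmem_cache_alloc_node_trace()` call. If DMA buffers are never meant to be copied to userland that precedence is fine, but it should be written down, e.g. `/* GFP_DMA wins over GFP_USERCOPY: DMA caches are not usercopy caches */`. The `if … else` spliced together across two `#ifdef` blocks would also be easier to audit with braces or a small helper that returns the cache. The enclosing inline functions start outside both hunks.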
@@ -62819,8 +63579,22 @@ index fbd1117..d4d8ef8 100644
extern void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node);
#ifdef CONFIG_TRACING
+@@ -203,6 +215,13 @@ found:
+ cachep = malloc_sizes[i].cs_dmacachep;
+ else
+ #endif
++
++#ifdef CONFIG_PAX_USERCOPY_SLABS
++ if (flags & GFP_USERCOPY)
++ cachep = malloc_sizes[i].cs_usercopycachep;
++ else
++#endif
++
+ cachep = malloc_sizes[i].cs_cachep;
+
+ return kmem_cache_alloc_node_trace(size, cachep, flags, node);
diff --git a/include/linux/slob_def.h b/include/linux/slob_def.h
-index 0ec00b3..39cb7fc 100644
+index 0ec00b3..22b4715 100644
--- a/include/linux/slob_def.h
+++ b/include/linux/slob_def.h
@@ -9,7 +9,7 @@ static __always_inline void *kmem_cache_alloc(struct kmem_cache *cachep,
@@ -62832,16 +63606,17 @@ index 0ec00b3..39cb7fc 100644
static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
{
-@@ -29,6 +29,7 @@ static __always_inline void *kmalloc(size_t size, gfp_t flags)
+@@ -29,7 +29,7 @@ static __always_inline void *kmalloc(size_t size, gfp_t flags)
return __kmalloc_node(size, flags, -1);
}
-+static __always_inline void *__kmalloc(size_t size, gfp_t flags) __size_overflow(1);
- static __always_inline void *__kmalloc(size_t size, gfp_t flags)
+-static __always_inline void *__kmalloc(size_t size, gfp_t flags)
++static __always_inline __size_overflow(1) void *__kmalloc(size_t size, gfp_t flags)
{
return kmalloc(size, flags);
+ }
diff --git a/include/linux/slub_def.h b/include/linux/slub_def.h
-index c2f8c8b..be9e036 100644
+index c2f8c8b..d992a41 100644
--- a/include/linux/slub_def.h
+++ b/include/linux/slub_def.h
@@ -92,7 +92,7 @@ struct kmem_cache {
@@ -62853,15 +63628,16 @@ index c2f8c8b..be9e036 100644
void (*ctor)(void *);
int inuse; /* Offset to metadata */
int align; /* Alignment */
-@@ -153,6 +153,7 @@ extern struct kmem_cache *kmalloc_caches[SLUB_PAGE_SHIFT];
+@@ -153,7 +153,7 @@ extern struct kmem_cache *kmalloc_caches[SLUB_PAGE_SHIFT];
* Sorry that the following has to be that ugly but some versions of GCC
* have trouble with constant propagation and loops.
*/
-+static __always_inline int kmalloc_index(size_t size) __size_overflow(1);
- static __always_inline int kmalloc_index(size_t size)
+-static __always_inline int kmalloc_index(size_t size)
++static __always_inline __size_overflow(1) int kmalloc_index(size_t size)
{
if (!size)
-@@ -218,7 +219,7 @@ static __always_inline struct kmem_cache *kmalloc_slab(size_t size)
+ return 0;
+@@ -218,7 +218,7 @@ static __always_inline struct kmem_cache *kmalloc_slab(size_t size)
}
void *kmem_cache_alloc(struct kmem_cache *, gfp_t);
@@ -62870,15 +63646,16 @@ index c2f8c8b..be9e036 100644
static __always_inline void *
kmalloc_order(size_t size, gfp_t flags, unsigned int order)
-@@ -259,6 +260,7 @@ kmalloc_order_trace(size_t size, gfp_t flags, unsigned int order)
+@@ -259,7 +259,7 @@ kmalloc_order_trace(size_t size, gfp_t flags, unsigned int order)
}
#endif
-+static __always_inline void *kmalloc_large(size_t size, gfp_t flags) __size_overflow(1);
- static __always_inline void *kmalloc_large(size_t size, gfp_t flags)
+-static __always_inline void *kmalloc_large(size_t size, gfp_t flags)
++static __always_inline __size_overflow(1) void *kmalloc_large(size_t size, gfp_t flags)
{
unsigned int order = get_order(size);
-@@ -284,7 +286,7 @@ static __always_inline void *kmalloc(size_t size, gfp_t flags)
+ return kmalloc_order_trace(size, flags, order);
+@@ -284,7 +284,7 @@ static __always_inline void *kmalloc(size_t size, gfp_t flags)
}
#ifdef CONFIG_NUMA
@@ -63428,7 +64205,7 @@ index 10422ef..662570f 100644
fib_info_update_nh_saddr((net), &FIB_RES_NH(res)))
#define FIB_RES_GW(res) (FIB_RES_NH(res).nh_gw)
diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
-index 72522f0..6f03a2b 100644
+index 72522f0..2965e05 100644
--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@@ -510,7 +510,7 @@ struct ip_vs_conn {
@@ -63449,6 +64226,15 @@ index 72522f0..6f03a2b 100644
atomic_t weight; /* server weight */
atomic_t refcnt; /* reference counter */
+@@ -1356,7 +1356,7 @@ static inline void ip_vs_notrack(struct sk_buff *skb)
+ struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+
+ if (!ct || !nf_ct_is_untracked(ct)) {
+- nf_reset(skb);
++ nf_conntrack_put(skb->nfct);
+ skb->nfct = &nf_ct_untracked_get()->ct_general;
+ skb->nfctinfo = IP_CT_NEW;
+ nf_conntrack_get(skb->nfct);
diff --git a/include/net/irda/ircomm_core.h b/include/net/irda/ircomm_core.h
index 69b610a..fe3962c 100644
--- a/include/net/irda/ircomm_core.h
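Review bot: The switch from `nf_reset(skb)` to `nf_conntrack_put(skb->nfct)` in ip_vs_notrack() narrows what is released before the untracked conntrack is attached, and nothing in the hunk says why. nf_reset() clears more than the conntrack reference, so presumably the aim is to leave the skb's other netfilter state (such as bridge-netfilter data) in place, but a reader cannot confirm that from the code. A one-line comment would settle it, for example `/* drop only the old conntrack ref; nf_reset() would also release other per-skb netfilter state */`. The function begins outside the hunk.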
@@ -63511,6 +64297,19 @@ index 34c996f..bb3b4d4 100644
struct pneigh_entry {
struct pneigh_entry *next;
+diff --git a/include/net/netdma.h b/include/net/netdma.h
+index 8ba8ce2..99b7fff 100644
+--- a/include/net/netdma.h
++++ b/include/net/netdma.h
+@@ -24,7 +24,7 @@
+ #include <linux/dmaengine.h>
+ #include <linux/skbuff.h>
+
+-int dma_skb_copy_datagram_iovec(struct dma_chan* chan,
++int __intentional_overflow(3,5) dma_skb_copy_datagram_iovec(struct dma_chan* chan,
+ struct sk_buff *skb, int offset, struct iovec *to,
+ size_t len, struct dma_pinned_list *pinned_list);
+
diff --git a/include/net/netlink.h b/include/net/netlink.h
index f394fe5..fd073f9 100644
--- a/include/net/netlink.h
@@ -63557,7 +64356,7 @@ index a2ef814..31a8e3f 100644
#define SCTP_DISABLE_DEBUG
#define SCTP_ASSERT(expr, str, func)
diff --git a/include/net/sock.h b/include/net/sock.h
-index 5a0a58a..2e3d4d0 100644
+index 5a0a58a..ed2bf11 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -302,7 +302,7 @@ struct sock {
@@ -63578,10 +64377,48 @@ index 5a0a58a..2e3d4d0 100644
int copy, int offset)
{
if (skb->ip_summed == CHECKSUM_NONE) {
+@@ -1953,7 +1953,7 @@ static inline void sk_stream_moderate_sndbuf(struct sock *sk)
+ }
+ }
+
+-struct sk_buff *sk_stream_alloc_skb(struct sock *sk, int size, gfp_t gfp);
++struct sk_buff * __intentional_overflow(0) sk_stream_alloc_skb(struct sock *sk, int size, gfp_t gfp);
+
+ static inline struct page *sk_stream_alloc_page(struct sock *sk)
+ {
diff --git a/include/net/tcp.h b/include/net/tcp.h
-index f75a04d..702cf06 100644
+index f75a04d..e8f5101 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
+@@ -478,7 +478,7 @@ extern void tcp_retransmit_timer(struct sock *sk);
+ extern void tcp_xmit_retransmit_queue(struct sock *);
+ extern void tcp_simple_retransmit(struct sock *);
+ extern int tcp_trim_head(struct sock *, struct sk_buff *, u32);
+-extern int tcp_fragment(struct sock *, struct sk_buff *, u32, unsigned int);
++extern int __intentional_overflow(3) tcp_fragment(struct sock *, struct sk_buff *, u32, unsigned int);
+
+ extern void tcp_send_probe0(struct sock *);
+ extern void tcp_send_partial(struct sock *);
+@@ -641,8 +641,8 @@ struct tcp_skb_cb {
+ struct inet6_skb_parm h6;
+ #endif
+ } header; /* For incoming frames */
+- __u32 seq; /* Starting sequence number */
+- __u32 end_seq; /* SEQ + FIN + SYN + datalen */
++ __u32 seq __intentional_overflow(0); /* Starting sequence number */
++ __u32 end_seq __intentional_overflow(0); /* SEQ + FIN + SYN + datalen */
+ __u32 when; /* used to compute rtt's */
+ __u8 tcp_flags; /* TCP header flags. (tcp[13]) */
+ __u8 sacked; /* State flags for SACK/FACK. */
+@@ -655,7 +655,7 @@ struct tcp_skb_cb {
+ #define TCPCB_EVER_RETRANS 0x80 /* Ever retransmitted frame */
+ #define TCPCB_RETRANS (TCPCB_SACKED_RETRANS|TCPCB_EVER_RETRANS)
+
+- __u32 ack_seq; /* Sequence number ACK'd */
++ __u32 ack_seq __intentional_overflow(0); /* Sequence number ACK'd */
+ };
+
+ #define TCP_SKB_CB(__skb) ((struct tcp_skb_cb *)&((__skb)->cb[0]))
@@ -1425,7 +1425,7 @@ struct tcp_seq_afinfo {
char *name;
sa_family_t family;
@@ -63781,10 +64618,10 @@ index 4119966..1a4671c 100644
const struct firmware *dsp_microcode;
const struct firmware *controller_microcode;
diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h
-index aaccc5f..092d568 100644
+index 3ad5b33..1fa86f4 100644
--- a/include/target/target_core_base.h
+++ b/include/target/target_core_base.h
-@@ -447,7 +447,7 @@ struct t10_reservation_ops {
+@@ -448,7 +448,7 @@ struct t10_reservation_ops {
int (*t10_seq_non_holder)(struct se_cmd *, unsigned char *, u32);
int (*t10_pr_register)(struct se_cmd *);
int (*t10_pr_clear)(struct se_cmd *);
@@ -63793,7 +64630,7 @@ index aaccc5f..092d568 100644
struct t10_reservation {
/* Reservation effects all target ports */
-@@ -576,7 +576,7 @@ struct se_cmd {
+@@ -577,7 +577,7 @@ struct se_cmd {
atomic_t t_se_count;
atomic_t t_task_cdbs_left;
atomic_t t_task_cdbs_ex_left;
@@ -63802,7 +64639,7 @@ index aaccc5f..092d568 100644
unsigned int transport_state;
#define CMD_T_ABORTED (1 << 0)
#define CMD_T_ACTIVE (1 << 1)
-@@ -802,7 +802,7 @@ struct se_device {
+@@ -803,7 +803,7 @@ struct se_device {
spinlock_t stats_lock;
/* Active commands on this virtual SE device */
atomic_t simple_cmds;
@@ -64256,7 +65093,7 @@ index 8216c30..25e8e32 100644
next_state = Reset;
return 0;
diff --git a/init/main.c b/init/main.c
-index b08c5f7..09f865e 100644
+index b08c5f7..3688049 100644
--- a/init/main.c
+++ b/init/main.c
@@ -95,6 +95,8 @@ static inline void mark_rodata_ro(void) { }
@@ -64268,7 +65105,7 @@ index b08c5f7..09f865e 100644
/*
* Debug helper: via this flag we know that we are in 'early bootup code'
* where only the boot processor is running with IRQ disabled. This means
-@@ -148,6 +150,49 @@ static int __init set_reset_devices(char *str)
+@@ -148,6 +150,51 @@ static int __init set_reset_devices(char *str)
__setup("reset_devices", set_reset_devices);
@@ -64292,7 +65129,9 @@ index b08c5f7..09f865e 100644
+ gdt[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
+ gdt[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
+ }
-+ asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
++ loadsegment(ds, __KERNEL_DS);
++ loadsegment(es, __KERNEL_DS);
++ loadsegment(ss, __KERNEL_DS);
+#else
+ memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
+ memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
@@ -64318,7 +65157,7 @@ index b08c5f7..09f865e 100644
static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
static const char *panic_later, *panic_param;
-@@ -674,6 +719,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
+@@ -674,6 +721,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
{
int count = preempt_count();
int ret;
@@ -64326,7 +65165,7 @@ index b08c5f7..09f865e 100644
if (initcall_debug)
ret = do_one_initcall_debug(fn);
-@@ -686,15 +732,15 @@ int __init_or_module do_one_initcall(initcall_t fn)
+@@ -686,15 +734,15 @@ int __init_or_module do_one_initcall(initcall_t fn)
sprintf(msgbuf, "error code %d ", ret);
if (preempt_count() != count) {
@@ -64346,7 +65185,39 @@ index b08c5f7..09f865e 100644
}
return ret;
-@@ -865,7 +911,7 @@ static int __init kernel_init(void * unused)
+@@ -747,8 +795,14 @@ static void __init do_initcall_level(int level)
+ level, level,
+ repair_env_string);
+
+- for (fn = initcall_levels[level]; fn < initcall_levels[level+1]; fn++)
++ for (fn = initcall_levels[level]; fn < initcall_levels[level+1]; fn++) {
+ do_one_initcall(*fn);
++
++#ifdef CONFIG_PAX_LATENT_ENTROPY
++ transfer_latent_entropy();
++#endif
++
++ }
+ }
+
+ static void __init do_initcalls(void)
+@@ -782,8 +836,14 @@ static void __init do_pre_smp_initcalls(void)
+ {
+ initcall_t *fn;
+
+- for (fn = __initcall_start; fn < __initcall0_start; fn++)
++ for (fn = __initcall_start; fn < __initcall0_start; fn++) {
+ do_one_initcall(*fn);
++
++#ifdef CONFIG_PAX_LATENT_ENTROPY
++ transfer_latent_entropy();
++#endif
++
++ }
+ }
+
+ static void run_init_process(const char *init_filename)
+@@ -865,7 +925,7 @@ static int __init kernel_init(void * unused)
do_basic_setup();
/* Open the /dev/console on the rootfs, this should never fail */
@@ -64355,7 +65226,7 @@ index b08c5f7..09f865e 100644
printk(KERN_WARNING "Warning: unable to open an initial console.\n");
(void) sys_dup(0);
-@@ -878,11 +924,13 @@ static int __init kernel_init(void * unused)
+@@ -878,11 +938,13 @@ static int __init kernel_init(void * unused)
if (!ramdisk_execute_command)
ramdisk_execute_command = "/init";
@@ -64383,7 +65254,7 @@ index 28bd64d..c66b72a 100644
if (u->mq_bytes + mq_bytes < u->mq_bytes ||
u->mq_bytes + mq_bytes > rlimit(RLIMIT_MSGQUEUE)) {
diff --git a/ipc/msg.c b/ipc/msg.c
-index 7385de2..a8180e08 100644
+index 7385de2..a8180e0 100644
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -309,18 +309,19 @@ static inline int msg_security(struct kern_ipc_perm *ipcp, int msgflg)
@@ -65205,7 +66076,7 @@ index fd126f8..70b755b 100644
/*
diff --git a/kernel/exit.c b/kernel/exit.c
-index 9d81012..d7911f1 100644
+index bfbd856..0dd1897 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -59,6 +59,10 @@
@@ -65427,7 +66298,7 @@ index 8163333..aee97f3 100644
if (mpnt->vm_flags & VM_DONTCOPY) {
long pages = vma_pages(mpnt);
mm->total_vm -= pages;
-@@ -354,54 +422,11 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
+@@ -354,56 +422,13 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
-pages);
continue;
}
@@ -65438,11 +66309,7 @@ index 8163333..aee97f3 100644
- if (security_vm_enough_memory_mm(oldmm, len)) /* sic */
- goto fail_nomem;
- charge = len;
-+ tmp = dup_vma(mm, oldmm, mpnt);
-+ if (!tmp) {
-+ retval = -ENOMEM;
-+ goto out;
- }
+- }
- tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
- if (!tmp)
- goto fail_nomem;
@@ -65474,18 +66341,24 @@ index 8163333..aee97f3 100644
- vma_prio_tree_add(tmp, mpnt);
- flush_dcache_mmap_unlock(mapping);
- mutex_unlock(&mapping->i_mmap_mutex);
-- }
--
-- /*
++ tmp = dup_vma(mm, oldmm, mpnt);
++ if (!tmp) {
++ retval = -ENOMEM;
++ goto out;
+ }
+
+ /*
- * Clear hugetlb-related page reserves for children. This only
- * affects MAP_PRIVATE mappings. Faults generated by the child
- * are not guaranteed to succeed, even if read-only
- */
- if (is_vm_hugetlb_page(tmp))
- reset_vma_resv_huge_pages(tmp);
-
- /*
+-
+- /*
* Link in the new vma and copy the page table entries.
+ */
+ *pprev = tmp;
@@ -424,6 +449,31 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
if (retval)
goto out;
@@ -65618,7 +66491,7 @@ index 8163333..aee97f3 100644
else
new_fs = fs;
diff --git a/kernel/futex.c b/kernel/futex.c
-index e2b0fb9..db818ac 100644
+index 3717e7b..473c750 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -54,6 +54,7 @@
@@ -65641,7 +66514,7 @@ index e2b0fb9..db818ac 100644
/*
* The futex address must be "naturally" aligned.
*/
-@@ -2711,6 +2717,7 @@ static int __init futex_init(void)
+@@ -2714,6 +2720,7 @@ static int __init futex_init(void)
{
u32 curval;
int i;
@@ -65649,7 +66522,7 @@ index e2b0fb9..db818ac 100644
/*
* This will fail and we want it. Some arch implementations do
-@@ -2722,8 +2729,11 @@ static int __init futex_init(void)
+@@ -2725,8 +2732,11 @@ static int __init futex_init(void)
* implementation, the non-functional ones will return
* -ENOSYS.
*/
@@ -65687,18 +66560,18 @@ index 9b22d03..6295b62 100644
prev->next = info->next;
else
diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c
-index ae34bf5..4e2f3d0 100644
+index 6db7a5e..25b6648 100644
--- a/kernel/hrtimer.c
+++ b/kernel/hrtimer.c
-@@ -1393,7 +1393,7 @@ void hrtimer_peek_ahead_timers(void)
+@@ -1407,7 +1407,7 @@ void hrtimer_peek_ahead_timers(void)
local_irq_restore(flags);
}
-static void run_hrtimer_softirq(struct softirq_action *h)
+static void run_hrtimer_softirq(void)
{
- hrtimer_peek_ahead_timers();
- }
+ struct hrtimer_cpu_base *cpu_base = &__get_cpu_var(hrtimer_bases);
+
diff --git a/kernel/jump_label.c b/kernel/jump_label.c
index 4304919..408c4c0 100644
--- a/kernel/jump_label.c
@@ -65735,7 +66608,7 @@ index 4304919..408c4c0 100644
static int
diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
-index 079f1d3..a407562 100644
+index 079f1d3..4e80e69 100644
--- a/kernel/kallsyms.c
+++ b/kernel/kallsyms.c
@@ -11,6 +11,9 @@
@@ -65831,7 +66704,30 @@ index 079f1d3..a407562 100644
/* Some debugging symbols have no name. Ignore them. */
if (!iter->name[0])
return 0;
-@@ -540,7 +583,7 @@ static int kallsyms_open(struct inode *inode, struct file *file)
+@@ -515,11 +558,22 @@ static int s_show(struct seq_file *m, void *p)
+ */
+ type = iter->exported ? toupper(iter->type) :
+ tolower(iter->type);
++
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++ seq_printf(m, "%pP %c %s\t[%s]\n", (void *)iter->value,
++ type, iter->name, iter->module_name);
++#else
+ seq_printf(m, "%pK %c %s\t[%s]\n", (void *)iter->value,
+ type, iter->name, iter->module_name);
++#endif
+ } else
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++ seq_printf(m, "%pP %c %s\n", (void *)iter->value,
++ iter->type, iter->name);
++#else
+ seq_printf(m, "%pK %c %s\n", (void *)iter->value,
+ iter->type, iter->name);
++#endif
+ return 0;
+ }
+
+@@ -540,7 +594,7 @@ static int kallsyms_open(struct inode *inode, struct file *file)
struct kallsym_iter *iter;
int ret;
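Review bot: In the kernel/kallsyms.c part of this hunk, the unbraced `} else` in `s_show()` now has its only statement chosen by `#ifdef CONFIG_GRKERNSEC_HIDESYM`, and the two `seq_printf` calls are each written out twice, differing only in `%pP` versus `%pK`. It compiles today only because each preprocessor branch holds exactly one statement, so a later edit to one branch can silently change what the `else` governs. Selecting the specifier once, for example a file-local `#define KSYM_PTR_FMT "%pP"` or `"%pK"` under a single `#ifdef`, then `seq_printf(m, KSYM_PTR_FMT " %c %s\n", ...)` inside braces, would leave one call per branch. `s_show()` starts outside the hunk.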
@@ -66528,10 +67424,8 @@ index 78ac6ec..e87db0e 100644
+ kmemleak_not_leak(ptr);
+ if (!ptr && mod->init_size_rw) {
+ module_free(mod, mod->module_core_rw);
- return -ENOMEM;
- }
-- memset(ptr, 0, mod->init_size);
-- mod->module_init = ptr;
++ return -ENOMEM;
++ }
+ memset(ptr, 0, mod->init_size_rw);
+ mod->module_init_rw = ptr;
+
@@ -66554,8 +67448,10 @@ index 78ac6ec..e87db0e 100644
+ module_free_exec(mod, mod->module_core_rx);
+ module_free(mod, mod->module_init_rw);
+ module_free(mod, mod->module_core_rw);
-+ return -ENOMEM;
-+ }
+ return -ENOMEM;
+ }
+- memset(ptr, 0, mod->init_size);
+- mod->module_init = ptr;
+
+ pax_open_kernel();
+ memset(ptr, 0, mod->init_size_rx);
@@ -66935,10 +67831,25 @@ index a307cc9..27fd2e9 100644
/* set it to 0 if there are no waiters left: */
diff --git a/kernel/panic.c b/kernel/panic.c
-index 9ed023b..e49543e 100644
+index 9ed023b..4846159 100644
--- a/kernel/panic.c
+++ b/kernel/panic.c
-@@ -402,7 +402,7 @@ static void warn_slowpath_common(const char *file, int line, void *caller,
+@@ -75,6 +75,14 @@ void panic(const char *fmt, ...)
+ int state = 0;
+
+ /*
++ * Disable local interrupts. This will prevent panic_smp_self_stop
++ * from deadlocking the first cpu that invokes the panic, since
++ * there is nothing to prevent an interrupt handler (that runs
++ * after the panic_lock is acquired) from invoking panic again.
++ */
++ local_irq_disable();
++
++ /*
+ * It's possible to come here directly from a panic-assertion and
+ * not have preempt disabled. Some functions called from here want
+ * preempt to be disabled. No point enabling it later though...
+@@ -402,7 +410,7 @@ static void warn_slowpath_common(const char *file, int line, void *caller,
const char *board;
printk(KERN_WARNING "------------[ cut here ]------------\n");
@@ -66947,7 +67858,7 @@ index 9ed023b..e49543e 100644
board = dmi_get_system_info(DMI_PRODUCT_NAME);
if (board)
printk(KERN_WARNING "Hardware name: %s\n", board);
-@@ -457,7 +457,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
+@@ -457,7 +465,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
*/
void __stack_chk_fail(void)
{
@@ -67932,10 +68843,10 @@ index 0984a21..939f183 100644
#ifdef CONFIG_RT_GROUP_SCHED
/*
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
-index 2000e06..79cf3d8 100644
+index ef6a8f2..d9bc4df 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
-@@ -3907,6 +3907,8 @@ int can_nice(const struct task_struct *p, const int nice)
+@@ -4044,6 +4044,8 @@ int can_nice(const struct task_struct *p, const int nice)
/* convert nice value [19,-20] to rlimit style value [1,40] */
int nice_rlim = 20 - nice;
@@ -67944,7 +68855,7 @@ index 2000e06..79cf3d8 100644
return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
capable(CAP_SYS_NICE));
}
-@@ -3940,7 +3942,8 @@ SYSCALL_DEFINE1(nice, int, increment)
+@@ -4077,7 +4079,8 @@ SYSCALL_DEFINE1(nice, int, increment)
if (nice > 19)
nice = 19;
@@ -67954,7 +68865,7 @@ index 2000e06..79cf3d8 100644
return -EPERM;
retval = security_task_setnice(current, nice);
-@@ -4097,6 +4100,7 @@ recheck:
+@@ -4234,6 +4237,7 @@ recheck:
unsigned long rlim_rtprio =
task_rlimit(p, RLIMIT_RTPRIO);
@@ -68359,7 +69270,7 @@ index e7006eb..8fb7c51 100644
break;
}
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index 4ab1187..0b75ced 100644
+index 4ab1187..33f4f2b 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -91,7 +91,6 @@
@@ -68370,7 +69281,7 @@ index 4ab1187..0b75ced 100644
/* External variables not in a header file. */
extern int sysctl_overcommit_memory;
extern int sysctl_overcommit_ratio;
-@@ -169,10 +168,8 @@ static int proc_taint(struct ctl_table *table, int write,
+@@ -169,10 +168,13 @@ static int proc_taint(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos);
#endif
@@ -68378,10 +69289,15 @@ index 4ab1187..0b75ced 100644
static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos);
-#endif
++
++static int proc_dointvec_minmax_coredump(struct ctl_table *table, int write,
++ void __user *buffer, size_t *lenp, loff_t *ppos);
++static int proc_dostring_coredump(struct ctl_table *table, int write,
++ void __user *buffer, size_t *lenp, loff_t *ppos);
#ifdef CONFIG_MAGIC_SYSRQ
/* Note: sysrq code uses it's own private copy */
-@@ -196,6 +193,8 @@ static int sysrq_sysctl_handler(ctl_table *table, int write,
+@@ -196,6 +198,8 @@ static int sysrq_sysctl_handler(ctl_table *table, int write,
#endif
@@ -68390,7 +69306,7 @@ index 4ab1187..0b75ced 100644
static struct ctl_table kern_table[];
static struct ctl_table vm_table[];
static struct ctl_table fs_table[];
-@@ -210,6 +209,20 @@ extern struct ctl_table epoll_table[];
+@@ -210,6 +214,20 @@ extern struct ctl_table epoll_table[];
int sysctl_legacy_va_layout;
#endif
@@ -68411,7 +69327,7 @@ index 4ab1187..0b75ced 100644
/* The default sysctl tables: */
static struct ctl_table sysctl_base_table[] = {
-@@ -256,6 +269,22 @@ static int max_extfrag_threshold = 1000;
+@@ -256,6 +274,22 @@ static int max_extfrag_threshold = 1000;
#endif
static struct ctl_table kern_table[] = {
@@ -68434,7 +69350,16 @@ index 4ab1187..0b75ced 100644
{
.procname = "sched_child_runs_first",
.data = &sysctl_sched_child_runs_first,
-@@ -540,7 +569,7 @@ static struct ctl_table kern_table[] = {
+@@ -410,7 +444,7 @@ static struct ctl_table kern_table[] = {
+ .data = core_pattern,
+ .maxlen = CORENAME_MAX_SIZE,
+ .mode = 0644,
+- .proc_handler = proc_dostring,
++ .proc_handler = proc_dostring_coredump,
+ },
+ {
+ .procname = "core_pipe_limit",
+@@ -540,7 +574,7 @@ static struct ctl_table kern_table[] = {
.data = &modprobe_path,
.maxlen = KMOD_PATH_LEN,
.mode = 0644,
@@ -68443,7 +69368,7 @@ index 4ab1187..0b75ced 100644
},
{
.procname = "modules_disabled",
-@@ -707,16 +736,20 @@ static struct ctl_table kern_table[] = {
+@@ -707,16 +741,20 @@ static struct ctl_table kern_table[] = {
.extra1 = &zero,
.extra2 = &one,
},
@@ -68465,7 +69390,7 @@ index 4ab1187..0b75ced 100644
{
.procname = "ngroups_max",
.data = &ngroups_max,
-@@ -1215,6 +1248,13 @@ static struct ctl_table vm_table[] = {
+@@ -1215,6 +1253,13 @@ static struct ctl_table vm_table[] = {
.proc_handler = proc_dointvec_minmax,
.extra1 = &zero,
},
@@ -68479,7 +69404,16 @@ index 4ab1187..0b75ced 100644
#else
{
.procname = "nr_trim_pages",
-@@ -1645,6 +1685,16 @@ int proc_dostring(struct ctl_table *table, int write,
+@@ -1498,7 +1543,7 @@ static struct ctl_table fs_table[] = {
+ .data = &suid_dumpable,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+- .proc_handler = proc_dointvec_minmax,
++ .proc_handler = proc_dointvec_minmax_coredump,
+ .extra1 = &zero,
+ .extra2 = &two,
+ },
+@@ -1645,6 +1690,16 @@ int proc_dostring(struct ctl_table *table, int write,
buffer, lenp, ppos);
}
@@ -68496,7 +69430,7 @@ index 4ab1187..0b75ced 100644
static size_t proc_skip_spaces(char **buf)
{
size_t ret;
-@@ -1750,6 +1800,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val,
+@@ -1750,6 +1805,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val,
len = strlen(tmp);
if (len > *size)
len = *size;
@@ -68505,7 +69439,7 @@ index 4ab1187..0b75ced 100644
if (copy_to_user(*buf, tmp, len))
return -EFAULT;
*size -= len;
-@@ -1942,7 +1994,6 @@ static int proc_taint(struct ctl_table *table, int write,
+@@ -1942,7 +1999,6 @@ static int proc_taint(struct ctl_table *table, int write,
return err;
}
@@ -68513,7 +69447,7 @@ index 4ab1187..0b75ced 100644
static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
-@@ -1951,7 +2002,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
+@@ -1951,7 +2007,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
}
@@ -68521,7 +69455,42 @@ index 4ab1187..0b75ced 100644
struct do_proc_dointvec_minmax_conv_param {
int *min;
-@@ -2066,8 +2116,11 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
+@@ -2009,6 +2064,34 @@ int proc_dointvec_minmax(struct ctl_table *table, int write,
+ do_proc_dointvec_minmax_conv, &param);
+ }
+
++static void validate_coredump_safety(void)
++{
++ if (suid_dumpable == SUID_DUMPABLE_SAFE &&
++ core_pattern[0] != '/' && core_pattern[0] != '|') {
++ printk(KERN_WARNING "Unsafe core_pattern used with "\
++ "suid_dumpable=2. Pipe handler or fully qualified "\
++ "core dump path required.\n");
++ }
++}
++
++static int proc_dointvec_minmax_coredump(struct ctl_table *table, int write,
++ void __user *buffer, size_t *lenp, loff_t *ppos)
++{
++ int error = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
++ if (!error)
++ validate_coredump_safety();
++ return error;
++}
++
++static int proc_dostring_coredump(struct ctl_table *table, int write,
++ void __user *buffer, size_t *lenp, loff_t *ppos)
++{
++ int error = proc_dostring(table, write, buffer, lenp, ppos);
++ if (!error)
++ validate_coredump_safety();
++ return error;
++}
++
+ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int write,
+ void __user *buffer,
+ size_t *lenp, loff_t *ppos,
+@@ -2066,8 +2149,11 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
*i = val;
} else {
val = convdiv * (*i) / convmul;
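Review bot: In the kernel/sysctl.c part of this hunk, `proc_dointvec_minmax_coredump` and `proc_dostring_coredump` call `validate_coredump_safety()` whenever the wrapped handler returns 0 and never look at `write`, so the warning appears to be printed on reads as well as on writes. The `core_pattern` and `suid_dumpable` table entries switched to these handlers keep `.mode = 0644`, so while the unsafe combination is configured any reader can repeat the message in the kernel log. Gating the call with `if (!error && write)`, or using `printk_ratelimited(KERN_WARNING ...)`, would bound that. The check only warns and the unsafe setting is still accepted, which is worth stating in a comment above `validate_coredump_safety()`, for example `/* advisory only: logs the unsafe combination, does not reject the write */`.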
@@ -68534,7 +69503,7 @@ index 4ab1187..0b75ced 100644
err = proc_put_long(&buffer, &left, val, false);
if (err)
break;
-@@ -2459,6 +2512,12 @@ int proc_dostring(struct ctl_table *table, int write,
+@@ -2459,6 +2545,12 @@ int proc_dostring(struct ctl_table *table, int write,
return -ENOSYS;
}
@@ -68547,7 +69516,7 @@ index 4ab1187..0b75ced 100644
int proc_dointvec(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
-@@ -2515,5 +2574,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
+@@ -2515,5 +2607,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
EXPORT_SYMBOL(proc_dostring);
@@ -68691,7 +69660,7 @@ index f113755..ec24223 100644
cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
tick_broadcast_clear_oneshot(cpu);
diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
-index d42574df..247414c 100644
+index 7c50de8..e29a94d 100644
--- a/kernel/time/timekeeping.c
+++ b/kernel/time/timekeeping.c
@@ -14,6 +14,7 @@
@@ -68702,7 +69671,7 @@ index d42574df..247414c 100644
#include <linux/syscore_ops.h>
#include <linux/clocksource.h>
#include <linux/jiffies.h>
-@@ -373,6 +374,8 @@ int do_settimeofday(const struct timespec *tv)
+@@ -388,6 +389,8 @@ int do_settimeofday(const struct timespec *tv)
if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
return -EINVAL;
@@ -69319,7 +70288,7 @@ index 3ac50dc..240bb7e 100644
static inline void *ptr_to_indirect(void *ptr)
{
diff --git a/lib/vsprintf.c b/lib/vsprintf.c
-index abbabec..362988d 100644
+index abbabec..6779788 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -16,6 +16,9 @@
@@ -69391,7 +70360,44 @@ index abbabec..362988d 100644
case 'B':
return symbol_string(buf, end, ptr, spec, *fmt);
case 'R':
-@@ -1653,11 +1669,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
+@@ -920,12 +936,15 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
+ va_end(va);
+ return buf;
+ }
++ case 'P':
++ break;
+ case 'K':
+ /*
+ * %pK cannot be used in IRQ context because its test
+ * for CAP_SYSLOG would be meaningless.
+ */
+- if (in_irq() || in_serving_softirq() || in_nmi()) {
++ if (kptr_restrict && (in_irq() || in_serving_softirq() ||
++ in_nmi())) {
+ if (spec.field_width == -1)
+ spec.field_width = 2 * sizeof(void *);
+ return string(buf, end, "pK-error", spec);
+@@ -942,6 +961,19 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
+ }
+ break;
+ }
++
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++ /* 'P' = approved pointers to copy to userland,
++ as in the /proc/kallsyms case, as we make it display nothing
++ for non-root users, and the real contents for root users
++ */
++ if (ptr > TASK_SIZE && *fmt != 'P' && is_usercopy_object(buf)) {
++ printk(KERN_ALERT "grsec: kernel infoleak detected! Please report this log to spender@grsecurity.net.\n");
++ dump_stack();
++ ptr = NULL;
++ }
++#endif
++
+ spec.flags |= SMALL;
+ if (spec.field_width == -1) {
+ spec.field_width = 2 * sizeof(void *);
+@@ -1653,11 +1685,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
typeof(type) value; \
if (sizeof(type) == 8) { \
args = PTR_ALIGN(args, sizeof(u32)); \
@@ -69406,7 +70412,7 @@ index abbabec..362988d 100644
} \
args += sizeof(type); \
value; \
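Review bot: In the `CONFIG_GRKERNSEC_HIDESYM` block added to `pointer()` in lib/vsprintf.c, `ptr > TASK_SIZE` compares a `void *` with what is, at least on x86, an integer expression. Writing `(unsigned long)ptr > TASK_SIZE` states the intent and avoids a pointer/integer comparison diagnostic. The `printk(KERN_ALERT ...)` and `dump_stack()` pair runs on every offending conversion with no rate limit, so a single leaking format string in a frequently read file could flood the log; `printk_ratelimited` or a report-once flag would bound it. The block comment should also say that `case 'P': break;` bypasses both this check and the `%pK` restrictions, so `%pP` is only appropriate where the caller already controls what unprivileged readers see. `pointer()` starts and ends outside the hunk.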
-@@ -1720,7 +1736,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
+@@ -1720,7 +1752,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
case FORMAT_TYPE_STR: {
const char *str_arg = args;
args += strlen(str_arg) + 1;
@@ -69529,10 +70535,10 @@ index f0e5306..cb9398e 100644
/* if an huge pmd materialized from under us just retry later */
if (unlikely(pmd_trans_huge(*pmd)))
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
-index 263e177..3f36aec 100644
+index a799df5..a987032 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
-@@ -2446,6 +2446,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2462,6 +2462,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
return 1;
}
@@ -69560,7 +70566,7 @@ index 263e177..3f36aec 100644
/*
* Hugetlb_cow() should be called with page lock of the original hugepage held.
* Called with hugetlb_instantiation_mutex held and pte_page locked so we
-@@ -2558,6 +2579,11 @@ retry_avoidcopy:
+@@ -2574,6 +2595,11 @@ retry_avoidcopy:
make_huge_pte(vma, new_page, 1));
page_remove_rmap(old_page);
hugepage_add_new_anon_rmap(new_page, vma, address);
@@ -69572,7 +70578,7 @@ index 263e177..3f36aec 100644
/* Make the old page be freed below */
new_page = old_page;
mmu_notifier_invalidate_range_end(mm,
-@@ -2712,6 +2738,10 @@ retry:
+@@ -2728,6 +2754,10 @@ retry:
&& (vma->vm_flags & VM_SHARED)));
set_huge_pte_at(mm, address, ptep, new_pte);
@@ -69583,7 +70589,7 @@ index 263e177..3f36aec 100644
if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
/* Optimization, do the COW without a second fault */
ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
-@@ -2741,6 +2771,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2757,6 +2787,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
static DEFINE_MUTEX(hugetlb_instantiation_mutex);
struct hstate *h = hstate_vma(vma);
@@ -69594,7 +70600,7 @@ index 263e177..3f36aec 100644
address &= huge_page_mask(h);
ptep = huge_pte_offset(mm, address);
-@@ -2754,6 +2788,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2770,6 +2804,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
VM_FAULT_SET_HINDEX(h - hstates);
}
@@ -69749,7 +70755,7 @@ index 55f645c..cde5320 100644
if (end == start)
goto out;
diff --git a/mm/memory-failure.c b/mm/memory-failure.c
-index 97cc273..6ed703f 100644
+index 274c3cc..4836a70 100644
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -61,7 +61,7 @@ int sysctl_memory_failure_early_kill __read_mostly = 0;
@@ -69770,7 +70776,7 @@ index 97cc273..6ed703f 100644
#ifdef __ARCH_SI_TRAPNO
si.si_trapno = trapno;
#endif
-@@ -1036,7 +1036,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
+@@ -1038,7 +1038,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
}
nr_pages = 1 << compound_trans_order(hpage);
@@ -69779,7 +70785,7 @@ index 97cc273..6ed703f 100644
/*
* We need/can do nothing about count=0 pages.
-@@ -1066,7 +1066,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
+@@ -1068,7 +1068,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
if (!PageHWPoison(hpage)
|| (hwpoison_filter(p) && TestClearPageHWPoison(p))
|| (p != hpage && TestSetPageHWPoison(hpage))) {
@@ -69788,7 +70794,7 @@ index 97cc273..6ed703f 100644
return 0;
}
set_page_hwpoison_huge_page(hpage);
-@@ -1124,7 +1124,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
+@@ -1126,7 +1126,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
}
if (hwpoison_filter(p)) {
if (TestClearPageHWPoison(p))
@@ -69797,7 +70803,7 @@ index 97cc273..6ed703f 100644
unlock_page(hpage);
put_page(hpage);
return 0;
-@@ -1319,7 +1319,7 @@ int unpoison_memory(unsigned long pfn)
+@@ -1321,7 +1321,7 @@ int unpoison_memory(unsigned long pfn)
return 0;
}
if (TestClearPageHWPoison(p))
@@ -69806,7 +70812,7 @@ index 97cc273..6ed703f 100644
pr_info("MCE: Software-unpoisoned free page %#lx\n", pfn);
return 0;
}
-@@ -1333,7 +1333,7 @@ int unpoison_memory(unsigned long pfn)
+@@ -1335,7 +1335,7 @@ int unpoison_memory(unsigned long pfn)
*/
if (TestClearPageHWPoison(page)) {
pr_info("MCE: Software-unpoisoned page %#lx\n", pfn);
@@ -69815,7 +70821,7 @@ index 97cc273..6ed703f 100644
freeit = 1;
if (PageHuge(page))
clear_page_hwpoison_huge_page(page);
-@@ -1446,7 +1446,7 @@ static int soft_offline_huge_page(struct page *page, int flags)
+@@ -1448,7 +1448,7 @@ static int soft_offline_huge_page(struct page *page, int flags)
}
done:
if (!PageHWPoison(hpage))
@@ -69824,7 +70830,7 @@ index 97cc273..6ed703f 100644
set_page_hwpoison_huge_page(hpage);
dequeue_hwpoisoned_huge_page(hpage);
/* keep elevated page count for bad page */
-@@ -1577,7 +1577,7 @@ int soft_offline_page(struct page *page, int flags)
+@@ -1579,7 +1579,7 @@ int soft_offline_page(struct page *page, int flags)
return ret;
done:
@@ -70478,7 +71484,7 @@ index 6105f47..3363489 100644
return 0;
}
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
-index bf5b485..e44c2cb 100644
+index 9afcbad..bfa00c2 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -619,6 +619,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
@@ -70554,7 +71560,7 @@ index bf5b485..e44c2cb 100644
capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE);
diff --git a/mm/mlock.c b/mm/mlock.c
-index ef726e8..13e0901 100644
+index ef726e8..cd7f1ec 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -13,6 +13,7 @@
@@ -70565,6 +71571,15 @@ index ef726e8..13e0901 100644
#include <linux/sched.h>
#include <linux/export.h>
#include <linux/rmap.h>
+@@ -376,7 +377,7 @@ static int do_mlock(unsigned long start, size_t len, int on)
+ {
+ unsigned long nstart, end, tmp;
+ struct vm_area_struct * vma, * prev;
+- int error;
++ int error = 0;
+
+ VM_BUG_ON(start & ~PAGE_MASK);
+ VM_BUG_ON(len != PAGE_ALIGN(len));
@@ -385,6 +386,9 @@ static int do_mlock(unsigned long start, size_t len, int on)
return -EINVAL;
if (end == start)
@@ -72514,7 +73529,7 @@ index 9d65a02..7c877e7 100644
return -ENOMEM;
diff --git a/mm/slab.c b/mm/slab.c
-index e901a36..ee8fe97 100644
+index e901a36..9ff3f90 100644
--- a/mm/slab.c
+++ b/mm/slab.c
@@ -153,7 +153,7 @@
@@ -72568,16 +73583,36 @@ index e901a36..ee8fe97 100644
{
u32 offset = (obj - slab->s_mem);
return reciprocal_divide(offset, cache->reciprocal_buffer_size);
-@@ -568,7 +568,7 @@ struct cache_names {
+@@ -563,12 +563,13 @@ EXPORT_SYMBOL(malloc_sizes);
+ struct cache_names {
+ char *name;
+ char *name_dma;
++ char *name_usercopy;
+ };
+
static struct cache_names __initdata cache_names[] = {
- #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
+-#define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
++#define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)", .name_usercopy = "size-" #x "(USERCOPY)" },
#include <linux/kmalloc_sizes.h>
- {NULL,}
+ {NULL}
#undef CACHE
};
-@@ -1588,7 +1588,7 @@ void __init kmem_cache_init(void)
+@@ -756,6 +757,12 @@ static inline struct kmem_cache *__find_general_cachep(size_t size,
+ if (unlikely(gfpflags & GFP_DMA))
+ return csizep->cs_dmacachep;
+ #endif
++
++#ifdef CONFIG_PAX_USERCOPY_SLABS
++ if (unlikely(gfpflags & GFP_USERCOPY))
++ return csizep->cs_usercopycachep;
++#endif
++
+ return csizep->cs_cachep;
+ }
+
+@@ -1588,7 +1595,7 @@ void __init kmem_cache_init(void)
sizes[INDEX_AC].cs_cachep = kmem_cache_create(names[INDEX_AC].name,
sizes[INDEX_AC].cs_size,
ARCH_KMALLOC_MINALIGN,
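Review bot: In the mm/slab.c change to `__find_general_cachep()`, the `GFP_DMA` test runs before the new `GFP_USERCOPY` test, so a request carrying both flags is served from `cs_dmacachep` and never reaches `cs_usercopycachep`. Whether the DMA caches carry `SLAB_USERCOPY` is not visible here; if they do not, `is_usercopy_object()` added later in this patch would presumably report such an object as not whitelisted. A one-line comment would record that the ordering is deliberate, for example `/* GFP_DMA takes precedence: DMA objects are never placed in the usercopy caches */`. `__find_general_cachep()` starts outside the hunk.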
@@ -72586,7 +73621,7 @@ index e901a36..ee8fe97 100644
NULL);
if (INDEX_AC != INDEX_L3) {
-@@ -1596,7 +1596,7 @@ void __init kmem_cache_init(void)
+@@ -1596,7 +1603,7 @@ void __init kmem_cache_init(void)
kmem_cache_create(names[INDEX_L3].name,
sizes[INDEX_L3].cs_size,
ARCH_KMALLOC_MINALIGN,
@@ -72595,7 +73630,7 @@ index e901a36..ee8fe97 100644
NULL);
}
-@@ -1614,7 +1614,7 @@ void __init kmem_cache_init(void)
+@@ -1614,7 +1621,7 @@ void __init kmem_cache_init(void)
sizes->cs_cachep = kmem_cache_create(names->name,
sizes->cs_size,
ARCH_KMALLOC_MINALIGN,
@@ -72604,7 +73639,24 @@ index e901a36..ee8fe97 100644
NULL);
}
#ifdef CONFIG_ZONE_DMA
-@@ -4390,10 +4390,10 @@ static int s_show(struct seq_file *m, void *p)
+@@ -1626,6 +1633,16 @@ void __init kmem_cache_init(void)
+ SLAB_PANIC,
+ NULL);
+ #endif
++
++#ifdef CONFIG_PAX_USERCOPY_SLABS
++ sizes->cs_usercopycachep = kmem_cache_create(
++ names->name_usercopy,
++ sizes->cs_size,
++ ARCH_KMALLOC_MINALIGN,
++ ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
++ NULL);
++#endif
++
+ sizes++;
+ names++;
+ }
+@@ -4390,10 +4407,10 @@ static int s_show(struct seq_file *m, void *p)
}
/* cpu stats */
{
@@ -72619,7 +73671,7 @@ index e901a36..ee8fe97 100644
seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu",
allochit, allocmiss, freehit, freemiss);
-@@ -4652,13 +4652,62 @@ static int __init slab_proc_init(void)
+@@ -4652,13 +4669,71 @@ static int __init slab_proc_init(void)
{
proc_create("slabinfo",S_IWUSR|S_IRUSR,NULL,&proc_slabinfo_operations);
#ifdef CONFIG_DEBUG_SLAB_LEAK
@@ -72631,60 +73683,69 @@ index e901a36..ee8fe97 100644
module_init(slab_proc_init);
#endif
-+void check_object_size(const void *ptr, unsigned long n, bool to)
++bool is_usercopy_object(const void *ptr)
+{
++ struct page *page;
++ struct kmem_cache *cachep;
++
++ if (ZERO_OR_NULL_PTR(ptr))
++ return false;
++
++ if (!slab_is_available())
++ return false;
++
++ if (!virt_addr_valid(ptr))
++ return false;
++
++ page = virt_to_head_page(ptr);
++
++ if (!PageSlab(page))
++ return false;
++
++ cachep = page_get_cache(page);
++ return cachep->flags & SLAB_USERCOPY;
++}
+
+#ifdef CONFIG_PAX_USERCOPY
++const char *check_heap_object(const void *ptr, unsigned long n, bool to)
++{
+ struct page *page;
-+ struct kmem_cache *cachep = NULL;
++ struct kmem_cache *cachep;
+ struct slab *slabp;
+ unsigned int objnr;
+ unsigned long offset;
-+ const char *type;
+
-+ if (!n)
-+ return;
-+
-+ type = "<null>";
+ if (ZERO_OR_NULL_PTR(ptr))
-+ goto report;
++ return "<null>";
+
+ if (!virt_addr_valid(ptr))
-+ return;
++ return NULL;
+
+ page = virt_to_head_page(ptr);
+
-+ type = "<process stack>";
-+ if (!PageSlab(page)) {
-+ if (object_is_on_stack(ptr, n) == -1)
-+ goto report;
-+ return;
-+ }
++ if (!PageSlab(page))
++ return NULL;
+
+ cachep = page_get_cache(page);
-+ type = cachep->name;
+ if (!(cachep->flags & SLAB_USERCOPY))
-+ goto report;
++ return cachep->name;
+
+ slabp = page_get_slab(page);
+ objnr = obj_to_index(cachep, slabp, ptr);
+ BUG_ON(objnr >= cachep->num);
+ offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
+ if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
-+ return;
-+
-+report:
-+ pax_report_usercopy(ptr, n, to, type);
-+#endif
++ return NULL;
+
++ return cachep->name;
+}
-+EXPORT_SYMBOL(check_object_size);
++#endif
+
/**
* ksize - get the actual amount of memory allocated for a given object
* @objp: Pointer to the object
diff --git a/mm/slob.c b/mm/slob.c
-index 8105be4..e045f96 100644
+index 8105be4..33e52d7 100644
--- a/mm/slob.c
+++ b/mm/slob.c
@@ -29,7 +29,7 @@
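Review bot: The return contract of the new `check_heap_object()` in mm/slab.c is not documented, and its `to` parameter is never read in the body. As written it returns NULL when the pointer is not valid slab memory or when `[ptr, ptr+n)` fits inside one object of a `SLAB_USERCOPY` cache, and otherwise a string (`"<null>"` or the cache name) that the caller presumably reports; the callers are not in this hunk. A header comment along the lines of `/* Returns NULL if the copy is acceptable, else the name of the offending object type. */` would make that explicit. The same applies to the mm/slob.c and mm/slub.c versions later in this patch, and if `to` is kept only for a uniform signature the comment should say so.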
@@ -72704,17 +73765,18 @@ index 8105be4..e045f96 100644
#include <linux/slab.h>
#include <linux/mm.h>
#include <linux/swap.h> /* struct reclaim_state */
-@@ -102,7 +103,8 @@ struct slob_page {
+@@ -100,9 +101,8 @@ struct slob_page {
+ union {
+ struct {
unsigned long flags; /* mandatory */
- atomic_t _count; /* mandatory */
+- atomic_t _count; /* mandatory */
slobidx_t units; /* free units left in page */
- unsigned long pad[2];
-+ unsigned long pad[1];
+ unsigned long size; /* size when >=PAGE_SIZE */
slob_t *free; /* first free slob_t in page */
struct list_head list; /* linked list of free pages */
};
-@@ -135,7 +137,7 @@ static LIST_HEAD(free_slob_large);
+@@ -135,7 +135,7 @@ static LIST_HEAD(free_slob_large);
*/
static inline int is_slob_page(struct slob_page *sp)
{
@@ -72723,7 +73785,7 @@ index 8105be4..e045f96 100644
}
static inline void set_slob_page(struct slob_page *sp)
-@@ -150,7 +152,7 @@ static inline void clear_slob_page(struct slob_page *sp)
+@@ -150,7 +150,7 @@ static inline void clear_slob_page(struct slob_page *sp)
static inline struct slob_page *slob_page(const void *addr)
{
@@ -72732,7 +73794,7 @@ index 8105be4..e045f96 100644
}
/*
-@@ -210,7 +212,7 @@ static void set_slob(slob_t *s, slobidx_t size, slob_t *next)
+@@ -210,7 +210,7 @@ static void set_slob(slob_t *s, slobidx_t size, slob_t *next)
/*
* Return the size of a slob block.
*/
@@ -72741,7 +73803,7 @@ index 8105be4..e045f96 100644
{
if (s->units > 0)
return s->units;
-@@ -220,7 +222,7 @@ static slobidx_t slob_units(slob_t *s)
+@@ -220,7 +220,7 @@ static slobidx_t slob_units(slob_t *s)
/*
* Return the next free slob block pointer after this one.
*/
@@ -72750,7 +73812,7 @@ index 8105be4..e045f96 100644
{
slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
slobidx_t next;
-@@ -235,7 +237,7 @@ static slob_t *slob_next(slob_t *s)
+@@ -235,7 +235,7 @@ static slob_t *slob_next(slob_t *s)
/*
* Returns true if s is the last free block in its page.
*/
@@ -72759,7 +73821,7 @@ index 8105be4..e045f96 100644
{
return !((unsigned long)slob_next(s) & ~PAGE_MASK);
}
-@@ -254,6 +256,7 @@ static void *slob_new_pages(gfp_t gfp, int order, int node)
+@@ -254,6 +254,7 @@ static void *slob_new_pages(gfp_t gfp, int order, int node)
if (!page)
return NULL;
@@ -72767,7 +73829,7 @@ index 8105be4..e045f96 100644
return page_address(page);
}
-@@ -370,11 +373,11 @@ static void *slob_alloc(size_t size, gfp_t gfp, int align, int node)
+@@ -370,11 +371,11 @@ static void *slob_alloc(size_t size, gfp_t gfp, int align, int node)
if (!b)
return NULL;
sp = slob_page(b);
@@ -72780,7 +73842,7 @@ index 8105be4..e045f96 100644
INIT_LIST_HEAD(&sp->list);
set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
set_slob_page_free(sp, slob_list);
-@@ -476,10 +479,9 @@ out:
+@@ -476,10 +477,9 @@ out:
* End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
*/
@@ -72793,7 +73855,7 @@ index 8105be4..e045f96 100644
void *ret;
gfp &= gfp_allowed_mask;
-@@ -494,7 +496,10 @@ void *__kmalloc_node(size_t size, gfp_t gfp, int node)
+@@ -494,7 +494,10 @@ void *__kmalloc_node(size_t size, gfp_t gfp, int node)
if (!m)
return NULL;
@@ -72805,7 +73867,7 @@ index 8105be4..e045f96 100644
ret = (void *)m + align;
trace_kmalloc_node(_RET_IP_, ret,
-@@ -506,16 +511,25 @@ void *__kmalloc_node(size_t size, gfp_t gfp, int node)
+@@ -506,16 +509,25 @@ void *__kmalloc_node(size_t size, gfp_t gfp, int node)
gfp |= __GFP_COMP;
ret = slob_new_pages(gfp, order, node);
if (ret) {
@@ -72835,7 +73897,7 @@ index 8105be4..e045f96 100644
return ret;
}
EXPORT_SYMBOL(__kmalloc_node);
-@@ -533,13 +547,92 @@ void kfree(const void *block)
+@@ -533,13 +545,88 @@ void kfree(const void *block)
sp = slob_page(block);
if (is_slob_page(sp)) {
int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
@@ -72853,40 +73915,39 @@ index 8105be4..e045f96 100644
}
EXPORT_SYMBOL(kfree);
-+void check_object_size(const void *ptr, unsigned long n, bool to)
++bool is_usercopy_object(const void *ptr)
+{
++ if (!slab_is_available())
++ return false;
++
++ // PAX: TODO
++
++ return false;
++}
+
+#ifdef CONFIG_PAX_USERCOPY
++const char *check_heap_object(const void *ptr, unsigned long n, bool to)
++{
+ struct slob_page *sp;
+ const slob_t *free;
+ const void *base;
+ unsigned long flags;
-+ const char *type;
+
-+ if (!n)
-+ return;
-+
-+ type = "<null>";
+ if (ZERO_OR_NULL_PTR(ptr))
-+ goto report;
++ return "<null>";
+
+ if (!virt_addr_valid(ptr))
-+ return;
++ return NULL;
+
-+ type = "<process stack>";
+ sp = slob_page(ptr);
-+ if (!PageSlab((struct page *)sp)) {
-+ if (object_is_on_stack(ptr, n) == -1)
-+ goto report;
-+ return;
-+ }
++ if (!PageSlab((struct page *)sp))
++ return NULL;
+
-+ type = "<slob>";
+ if (sp->size) {
+ base = page_address(&sp->page);
+ if (base <= ptr && n <= sp->size - (ptr - base))
-+ return;
-+ goto report;
++ return NULL;
++ return "<slob>";
+ }
+
+ /* some tricky double walking to find the chunk */
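Review bot: `is_usercopy_object()` in mm/slob.c is a stub: after the `slab_is_available()` test it passes `// PAX: TODO` and returns false for every pointer. The SLAB and SLUB versions in this patch instead look up the owning cache and test `SLAB_USERCOPY`. The callers are outside this hunk, so the effect on a SLOB build cannot be judged here, but the limitation deserves a real comment in place of the bare TODO, e.g. `/* not implemented for SLOB: every object is reported as non-usercopy */`. The early `return false` is also redundant with the final one. The hunk starts inside `kfree()` and ends inside `check_heap_object()`.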
@@ -72894,7 +73955,7 @@ index 8105be4..e045f96 100644
+ base = (void *)((unsigned long)ptr & PAGE_MASK);
+ free = sp->free;
+
-+ while (!slob_last(free) && (void *)free <= ptr) {
++ while ((void *)free <= ptr) {
+ base = free + slob_units(free);
+ free = slob_next(free);
+ }
@@ -72917,21 +73978,18 @@ index 8105be4..e045f96 100644
+ break;
+
+ spin_unlock_irqrestore(&slob_lock, flags);
-+ return;
++ return NULL;
+ }
+
+ spin_unlock_irqrestore(&slob_lock, flags);
-+report:
-+ pax_report_usercopy(ptr, n, to, type);
-+#endif
-+
++ return "<slob>";
+}
-+EXPORT_SYMBOL(check_object_size);
++#endif
+
/* can't use ksize for kmem_cache_alloc memory, only kmalloc */
size_t ksize(const void *block)
{
-@@ -552,10 +645,10 @@ size_t ksize(const void *block)
+@@ -552,10 +639,10 @@ size_t ksize(const void *block)
sp = slob_page(block);
if (is_slob_page(sp)) {
int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
@@ -72945,11 +74003,11 @@ index 8105be4..e045f96 100644
}
EXPORT_SYMBOL(ksize);
-@@ -571,8 +664,13 @@ struct kmem_cache *kmem_cache_create(const char *name, size_t size,
+@@ -571,8 +658,13 @@ struct kmem_cache *kmem_cache_create(const char *name, size_t size,
{
struct kmem_cache *c;
-+#ifdef CONFIG_PAX_USERCOPY
++#ifdef CONFIG_PAX_USERCOPY_SLABS
+ c = __kmalloc_node_align(sizeof(struct kmem_cache),
+ GFP_KERNEL, -1, ARCH_KMALLOC_MINALIGN);
+#else
@@ -72959,11 +74017,11 @@ index 8105be4..e045f96 100644
if (c) {
c->name = name;
-@@ -614,17 +712,25 @@ void *kmem_cache_alloc_node(struct kmem_cache *c, gfp_t flags, int node)
+@@ -614,17 +706,25 @@ void *kmem_cache_alloc_node(struct kmem_cache *c, gfp_t flags, int node)
lockdep_trace_alloc(flags);
-+#ifdef CONFIG_PAX_USERCOPY
++#ifdef CONFIG_PAX_USERCOPY_SLABS
+ b = __kmalloc_node_align(c->size, flags, node, c->align);
+#else
if (c->size < PAGE_SIZE) {
@@ -72985,7 +74043,7 @@ index 8105be4..e045f96 100644
if (c->ctor)
c->ctor(b);
-@@ -636,10 +742,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
+@@ -636,10 +736,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
static void __kmem_cache_free(void *b, int size)
{
@@ -73004,13 +74062,13 @@ index 8105be4..e045f96 100644
}
static void kmem_rcu_free(struct rcu_head *head)
-@@ -652,17 +764,31 @@ static void kmem_rcu_free(struct rcu_head *head)
+@@ -652,17 +758,31 @@ static void kmem_rcu_free(struct rcu_head *head)
void kmem_cache_free(struct kmem_cache *c, void *b)
{
+ int size = c->size;
+
-+#ifdef CONFIG_PAX_USERCOPY
++#ifdef CONFIG_PAX_USERCOPY_SLABS
+ if (size + c->align < PAGE_SIZE) {
+ size += c->align;
+ b -= c->align;
@@ -73030,7 +74088,7 @@ index 8105be4..e045f96 100644
+ __kmem_cache_free(b, size);
}
-+#ifdef CONFIG_PAX_USERCOPY
++#ifdef CONFIG_PAX_USERCOPY_SLABS
+ trace_kfree(_RET_IP_, b);
+#else
trace_kmem_cache_free(_RET_IP_, b);
@@ -73040,7 +74098,7 @@ index 8105be4..e045f96 100644
EXPORT_SYMBOL(kmem_cache_free);
diff --git a/mm/slub.c b/mm/slub.c
-index 71de9b5..dd263c5 100644
+index 71de9b5..51f97c9 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -209,7 +209,7 @@ struct track {
@@ -73098,58 +74156,92 @@ index 71de9b5..dd263c5 100644
list_del(&s->list);
up_write(&slub_lock);
if (kmem_cache_close(s)) {
-@@ -3405,6 +3406,50 @@ void *__kmalloc_node(size_t size, gfp_t flags, int node)
+@@ -3223,6 +3224,10 @@ static struct kmem_cache *kmem_cache;
+ static struct kmem_cache *kmalloc_dma_caches[SLUB_PAGE_SHIFT];
+ #endif
+
++#ifdef CONFIG_PAX_USERCOPY_SLABS
++static struct kmem_cache *kmalloc_usercopy_caches[SLUB_PAGE_SHIFT];
++#endif
++
+ static int __init setup_slub_min_order(char *str)
+ {
+ get_option(&str, &slub_min_order);
+@@ -3337,6 +3342,13 @@ static struct kmem_cache *get_slab(size_t size, gfp_t flags)
+ return kmalloc_dma_caches[index];
+
+ #endif
++
++#ifdef CONFIG_PAX_USERCOPY_SLABS
++ if (flags & SLAB_USERCOPY)
++ return kmalloc_usercopy_caches[index];
++
++#endif
++
+ return kmalloc_caches[index];
+ }
+
+@@ -3405,6 +3417,59 @@ void *__kmalloc_node(size_t size, gfp_t flags, int node)
EXPORT_SYMBOL(__kmalloc_node);
#endif
-+void check_object_size(const void *ptr, unsigned long n, bool to)
++bool is_usercopy_object(const void *ptr)
+{
++ struct page *page;
++ struct kmem_cache *s;
++
++ if (ZERO_OR_NULL_PTR(ptr))
++ return false;
++
++ if (!slab_is_available())
++ return false;
++
++ if (!virt_addr_valid(ptr))
++ return false;
++
++ page = virt_to_head_page(ptr);
++
++ if (!PageSlab(page))
++ return false;
++
++ s = page->slab;
++ return s->flags & SLAB_USERCOPY;
++}
+
+#ifdef CONFIG_PAX_USERCOPY
++const char *check_heap_object(const void *ptr, unsigned long n, bool to)
++{
+ struct page *page;
-+ struct kmem_cache *s = NULL;
++ struct kmem_cache *s;
+ unsigned long offset;
-+ const char *type;
+
-+ if (!n)
-+ return;
-+
-+ type = "<null>";
+ if (ZERO_OR_NULL_PTR(ptr))
-+ goto report;
++ return "<null>";
+
+ if (!virt_addr_valid(ptr))
-+ return;
++ return NULL;
+
+ page = virt_to_head_page(ptr);
+
-+ type = "<process stack>";
-+ if (!PageSlab(page)) {
-+ if (object_is_on_stack(ptr, n) == -1)
-+ goto report;
-+ return;
-+ }
++ if (!PageSlab(page))
++ return NULL;
+
+ s = page->slab;
-+ type = s->name;
+ if (!(s->flags & SLAB_USERCOPY))
-+ goto report;
++ return s->name;
+
+ offset = (ptr - page_address(page)) % s->size;
+ if (offset <= s->objsize && n <= s->objsize - offset)
-+ return;
-+
-+report:
-+ pax_report_usercopy(ptr, n, to, type);
-+#endif
++ return NULL;
+
++ return s->name;
+}
-+EXPORT_SYMBOL(check_object_size);
++#endif
+
size_t ksize(const void *object)
{
struct page *page;
-@@ -3679,7 +3724,7 @@ static void __init kmem_cache_bootstrap_fixup(struct kmem_cache *s)
+@@ -3679,7 +3744,7 @@ static void __init kmem_cache_bootstrap_fixup(struct kmem_cache *s)
int node;
list_add(&s->list, &slab_caches);
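Review bot: In the added `CONFIG_PAX_USERCOPY_SLABS` branch of `get_slab()` the test is `flags & SLAB_USERCOPY`, but `flags` is a `gfp_t`. The matching branch this patch adds to `__find_general_cachep()` in mm/slab.c tests `gfpflags & GFP_USERCOPY`. Neither constant is defined in the visible lines, so this may be harmless, but if their values differ the SLUB path would select `kmalloc_usercopy_caches[index]` on an unrelated GFP bit and could skip it for real usercopy requests. Writing `if (flags & GFP_USERCOPY)` here would keep the two allocators consistent. `get_slab()` starts outside the hunk.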
@@ -73158,7 +74250,7 @@ index 71de9b5..dd263c5 100644
for_each_node_state(node, N_NORMAL_MEMORY) {
struct kmem_cache_node *n = get_node(s, node);
-@@ -3799,17 +3844,17 @@ void __init kmem_cache_init(void)
+@@ -3799,17 +3864,17 @@ void __init kmem_cache_init(void)
/* Caches that are not of the two-to-the-power-of size */
if (KMALLOC_MIN_SIZE <= 32) {
@@ -73179,7 +74271,30 @@ index 71de9b5..dd263c5 100644
caches++;
}
-@@ -3877,7 +3922,7 @@ static int slab_unmergeable(struct kmem_cache *s)
+@@ -3851,6 +3916,22 @@ void __init kmem_cache_init(void)
+ }
+ }
+ #endif
++
++#ifdef CONFIG_PAX_USERCOPY_SLABS
++ for (i = 0; i < SLUB_PAGE_SHIFT; i++) {
++ struct kmem_cache *s = kmalloc_caches[i];
++
++ if (s && s->size) {
++ char *name = kasprintf(GFP_NOWAIT,
++ "usercopy-kmalloc-%d", s->objsize);
++
++ BUG_ON(!name);
++ kmalloc_usercopy_caches[i] = create_kmalloc_cache(name,
++ s->objsize, SLAB_USERCOPY);
++ }
++ }
++#endif
++
+ printk(KERN_INFO
+ "SLUB: Genslabs=%d, HWalign=%d, Order=%d-%d, MinObjects=%d,"
+ " CPUs=%d, Nodes=%d\n",
+@@ -3877,7 +3958,7 @@ static int slab_unmergeable(struct kmem_cache *s)
/*
* We may have set a slab to be unmergeable during bootstrap.
*/
@@ -73188,7 +74303,7 @@ index 71de9b5..dd263c5 100644
return 1;
return 0;
-@@ -3936,7 +3981,7 @@ struct kmem_cache *kmem_cache_create(const char *name, size_t size,
+@@ -3936,7 +4017,7 @@ struct kmem_cache *kmem_cache_create(const char *name, size_t size,
down_write(&slub_lock);
s = find_mergeable(size, align, flags, name, ctor);
if (s) {
@@ -73197,7 +74312,7 @@ index 71de9b5..dd263c5 100644
/*
* Adjust the object sizes so that we clear
* the complete object on kzalloc.
-@@ -3945,7 +3990,7 @@ struct kmem_cache *kmem_cache_create(const char *name, size_t size,
+@@ -3945,7 +4026,7 @@ struct kmem_cache *kmem_cache_create(const char *name, size_t size,
s->inuse = max_t(int, s->inuse, ALIGN(size, sizeof(void *)));
if (sysfs_slab_alias(s, name)) {
@@ -73206,7 +74321,7 @@ index 71de9b5..dd263c5 100644
goto err;
}
up_write(&slub_lock);
-@@ -4074,7 +4119,7 @@ void *__kmalloc_node_track_caller(size_t size, gfp_t gfpflags,
+@@ -4074,7 +4155,7 @@ void *__kmalloc_node_track_caller(size_t size, gfp_t gfpflags,
}
#endif
@@ -73215,7 +74330,7 @@ index 71de9b5..dd263c5 100644
static int count_inuse(struct page *page)
{
return page->inuse;
-@@ -4461,12 +4506,12 @@ static void resiliency_test(void)
+@@ -4461,12 +4542,12 @@ static void resiliency_test(void)
validate_slab_cache(kmalloc_caches[9]);
}
#else
@@ -73230,7 +74345,7 @@ index 71de9b5..dd263c5 100644
enum slab_stat_type {
SL_ALL, /* All slabs */
SL_PARTIAL, /* Only partially allocated slabs */
-@@ -4709,7 +4754,7 @@ SLAB_ATTR_RO(ctor);
+@@ -4709,7 +4790,7 @@ SLAB_ATTR_RO(ctor);
static ssize_t aliases_show(struct kmem_cache *s, char *buf)
{
@@ -73239,7 +74354,7 @@ index 71de9b5..dd263c5 100644
}
SLAB_ATTR_RO(aliases);
-@@ -5280,6 +5325,7 @@ static char *create_unique_id(struct kmem_cache *s)
+@@ -5280,6 +5361,7 @@ static char *create_unique_id(struct kmem_cache *s)
return name;
}
@@ -73247,7 +74362,7 @@ index 71de9b5..dd263c5 100644
static int sysfs_slab_add(struct kmem_cache *s)
{
int err;
-@@ -5342,6 +5388,7 @@ static void sysfs_slab_remove(struct kmem_cache *s)
+@@ -5342,6 +5424,7 @@ static void sysfs_slab_remove(struct kmem_cache *s)
kobject_del(&s->kobj);
kobject_put(&s->kobj);
}
@@ -73255,7 +74370,7 @@ index 71de9b5..dd263c5 100644
/*
* Need to buffer aliases during bootup until sysfs becomes
-@@ -5355,6 +5402,7 @@ struct saved_alias {
+@@ -5355,6 +5438,7 @@ struct saved_alias {
static struct saved_alias *alias_list;
@@ -73263,7 +74378,7 @@ index 71de9b5..dd263c5 100644
static int sysfs_slab_alias(struct kmem_cache *s, const char *name)
{
struct saved_alias *al;
-@@ -5377,6 +5425,7 @@ static int sysfs_slab_alias(struct kmem_cache *s, const char *name)
+@@ -5377,6 +5461,7 @@ static int sysfs_slab_alias(struct kmem_cache *s, const char *name)
alias_list = al;
return 0;
}
@@ -73383,7 +74498,7 @@ index ae962b3..0bba886 100644
mm->unmap_area = arch_unmap_area;
}
diff --git a/mm/vmalloc.c b/mm/vmalloc.c
-index 1196c77..2e608e8 100644
+index 1196c77..fb1cca8 100644
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end)
@@ -73507,17 +74622,17 @@ index 1196c77..2e608e8 100644
if (!pmd_none(*pmd)) {
pte_t *ptep, pte;
-@@ -332,6 +372,10 @@ static void purge_vmap_area_lazy(void);
+@@ -329,6 +369,10 @@ static void purge_vmap_area_lazy(void);
+ * Allocate a region of KVA of the specified size and alignment, within the
+ * vstart and vend.
+ */
++static __size_overflow(1) struct vmap_area *alloc_vmap_area(unsigned long size,
++ unsigned long align,
++ unsigned long vstart, unsigned long vend,
++ int node, gfp_t gfp_mask) __size_overflow(1);
static struct vmap_area *alloc_vmap_area(unsigned long size,
unsigned long align,
unsigned long vstart, unsigned long vend,
-+ int node, gfp_t gfp_mask) __size_overflow(1);
-+static struct vmap_area *alloc_vmap_area(unsigned long size,
-+ unsigned long align,
-+ unsigned long vstart, unsigned long vend,
- int node, gfp_t gfp_mask)
- {
- struct vmap_area *va;
@@ -1320,6 +1364,16 @@ static struct vm_struct *__get_vm_area_node(unsigned long size,
struct vm_struct *area;
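Review bot: The new forward declaration of `alloc_vmap_area()` carries `__size_overflow(1)` twice, once after `static` and once after the parameter list. The old side of this patch used only the trailing form, `int node, gfp_t gfp_mask) __size_overflow(1);`, so dropping the leading attribute would keep the declaration in line with that. Whether the consumer of the attribute tolerates the duplicate cannot be told from the lines shown here.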
@@ -73650,10 +74765,10 @@ index 7db1b9b..e9f6b07 100644
return 0;
}
diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
-index efea35b..9c8dd0b 100644
+index cf4a49c..de3b32e 100644
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
-@@ -554,8 +554,7 @@ static int vlan_ioctl_handler(struct net *net, void __user *arg)
+@@ -557,8 +557,7 @@ static int vlan_ioctl_handler(struct net *net, void __user *arg)
err = -EPERM;
if (!capable(CAP_NET_ADMIN))
break;
@@ -73900,10 +75015,10 @@ index 5238b6b..c9798ce 100644
hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
}
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
-index 6f9c25b..d19fd66 100644
+index 9a86759..f0951ea 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
-@@ -2466,8 +2466,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, voi
+@@ -2467,8 +2467,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, voi
break;
case L2CAP_CONF_RFC:
@@ -73916,7 +75031,7 @@ index 6f9c25b..d19fd66 100644
if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
rfc.mode != chan->mode)
-@@ -2585,8 +2587,10 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
+@@ -2586,8 +2588,10 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
switch (type) {
case L2CAP_CONF_RFC:
@@ -73999,7 +75114,7 @@ index 3d79b12..8de85fa 100644
diff --git a/net/compat.c b/net/compat.c
-index e055708..3f80795 100644
+index ae6d67a..95dbaf6 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -71,9 +71,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
@@ -74064,8 +75179,8 @@ index e055708..3f80795 100644
- struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
+ struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
struct compat_cmsghdr cmhdr;
- int cmlen;
-
+ struct compat_timeval ctv;
+ struct compat_timespec cts[3];
@@ -275,7 +275,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
@@ -74143,7 +75258,7 @@ index e4fbfd6..6a6ac94 100644
return err;
diff --git a/net/core/dev.c b/net/core/dev.c
-index 533c586..f78a55f 100644
+index c299416..8733baa 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1136,9 +1136,13 @@ void dev_load(struct net *net, const char *name)
@@ -74160,7 +75275,7 @@ index 533c586..f78a55f 100644
}
}
EXPORT_SYMBOL(dev_load);
-@@ -1602,7 +1606,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
+@@ -1603,7 +1607,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
{
if (skb_shinfo(skb)->tx_flags & SKBTX_DEV_ZEROCOPY) {
if (skb_copy_ubufs(skb, GFP_ATOMIC)) {
@@ -74169,7 +75284,7 @@ index 533c586..f78a55f 100644
kfree_skb(skb);
return NET_RX_DROP;
}
-@@ -1612,7 +1616,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
+@@ -1613,7 +1617,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
nf_reset(skb);
if (unlikely(!is_skb_forwardable(dev, skb))) {
@@ -74178,7 +75293,7 @@ index 533c586..f78a55f 100644
kfree_skb(skb);
return NET_RX_DROP;
}
-@@ -2042,7 +2046,7 @@ static int illegal_highdma(struct net_device *dev, struct sk_buff *skb)
+@@ -2043,7 +2047,7 @@ static int illegal_highdma(struct net_device *dev, struct sk_buff *skb)
struct dev_gso_cb {
void (*destructor)(struct sk_buff *skb);
@@ -74187,7 +75302,7 @@ index 533c586..f78a55f 100644
#define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb)
-@@ -2877,7 +2881,7 @@ enqueue:
+@@ -2878,7 +2882,7 @@ enqueue:
local_irq_restore(flags);
@@ -74196,7 +75311,7 @@ index 533c586..f78a55f 100644
kfree_skb(skb);
return NET_RX_DROP;
}
-@@ -2949,7 +2953,7 @@ int netif_rx_ni(struct sk_buff *skb)
+@@ -2950,7 +2954,7 @@ int netif_rx_ni(struct sk_buff *skb)
}
EXPORT_SYMBOL(netif_rx_ni);
@@ -74205,7 +75320,7 @@ index 533c586..f78a55f 100644
{
struct softnet_data *sd = &__get_cpu_var(softnet_data);
-@@ -3237,7 +3241,7 @@ ncls:
+@@ -3238,7 +3242,7 @@ ncls:
if (pt_prev) {
ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
} else {
@@ -74214,7 +75329,7 @@ index 533c586..f78a55f 100644
kfree_skb(skb);
/* Jamal, now you will not able to escape explaining
* me how you were going to use this. :-)
-@@ -3797,7 +3801,7 @@ void netif_napi_del(struct napi_struct *napi)
+@@ -3798,7 +3802,7 @@ void netif_napi_del(struct napi_struct *napi)
}
EXPORT_SYMBOL(netif_napi_del);
@@ -74223,7 +75338,7 @@ index 533c586..f78a55f 100644
{
struct softnet_data *sd = &__get_cpu_var(softnet_data);
unsigned long time_limit = jiffies + 2;
-@@ -4267,8 +4271,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v)
+@@ -4268,8 +4272,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v)
else
seq_printf(seq, "%04x", ntohs(pt->type));
@@ -74237,7 +75352,7 @@ index 533c586..f78a55f 100644
}
return 0;
-@@ -5818,7 +5827,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
+@@ -5821,7 +5830,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
} else {
netdev_stats_to_stats64(storage, &dev->stats);
}
@@ -74309,7 +75424,7 @@ index 7e7aeb0..2a998cb 100644
m->msg_iov = iov;
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
-index 90430b7..0032ec0 100644
+index 900fc61..90d0583 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -56,7 +56,7 @@ struct rtnl_link {
@@ -74770,6 +75885,19 @@ index 167ea10..4b15883 100644
if (peer->tcp_ts_stamp) {
ts = peer->tcp_ts;
tsage = get_seconds() - peer->tcp_ts_stamp;
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 56a9c8d..82e01c0 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -4726,7 +4726,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
+ * simplifies code)
+ */
+ static void
+-tcp_collapse(struct sock *sk, struct sk_buff_head *list,
++__intentional_overflow(5,6) tcp_collapse(struct sock *sk, struct sk_buff_head *list,
+ struct sk_buff *head, struct sk_buff *tail,
+ u32 start, u32 end)
+ {
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 0cb86ce..8e7fda8 100644
--- a/net/ipv4/tcp_ipv4.c
@@ -75772,7 +76900,7 @@ index 00bdb1d..6725a48 100644
if ((ipvs->sync_state & IP_VS_STATE_MASTER) &&
cp->protocol == IPPROTO_SCTP) {
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
-index f558998..9cdff60 100644
+index f558998..7dfb054 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -788,7 +788,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
@@ -75784,7 +76912,30 @@ index f558998..9cdff60 100644
/* bind the service */
if (!dest->svc) {
-@@ -2028,7 +2028,7 @@ static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
+@@ -1521,11 +1521,12 @@ static int ip_vs_dst_event(struct notifier_block *this, unsigned long event,
+ {
+ struct net_device *dev = ptr;
+ struct net *net = dev_net(dev);
++ struct netns_ipvs *ipvs = net_ipvs(net);
+ struct ip_vs_service *svc;
+ struct ip_vs_dest *dest;
+ unsigned int idx;
+
+- if (event != NETDEV_UNREGISTER)
++ if (event != NETDEV_UNREGISTER || !ipvs)
+ return NOTIFY_DONE;
+ IP_VS_DBG(3, "%s() dev=%s\n", __func__, dev->name);
+ EnterFunction(2);
+@@ -1551,7 +1552,7 @@ static int ip_vs_dst_event(struct notifier_block *this, unsigned long event,
+ }
+ }
+
+- list_for_each_entry(dest, &net_ipvs(net)->dest_trash, n_list) {
++ list_for_each_entry(dest, &ipvs->dest_trash, n_list) {
+ __ip_vs_dev_reset(dest, dev);
+ }
+ mutex_unlock(&__ip_vs_mutex);
+@@ -2028,7 +2029,7 @@ static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
" %-7s %-6d %-10d %-10d\n",
&dest->addr.in6,
ntohs(dest->port),
@@ -75793,7 +76944,7 @@ index f558998..9cdff60 100644
atomic_read(&dest->weight),
atomic_read(&dest->activeconns),
atomic_read(&dest->inactconns));
-@@ -2039,7 +2039,7 @@ static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
+@@ -2039,7 +2040,7 @@ static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
"%-7s %-6d %-10d %-10d\n",
ntohl(dest->addr.ip),
ntohs(dest->port),
@@ -75802,7 +76953,7 @@ index f558998..9cdff60 100644
atomic_read(&dest->weight),
atomic_read(&dest->activeconns),
atomic_read(&dest->inactconns));
-@@ -2509,7 +2509,7 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
+@@ -2509,7 +2510,7 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
entry.addr = dest->addr.ip;
entry.port = dest->port;
@@ -75811,7 +76962,7 @@ index f558998..9cdff60 100644
entry.weight = atomic_read(&dest->weight);
entry.u_threshold = dest->u_threshold;
entry.l_threshold = dest->l_threshold;
-@@ -3042,7 +3042,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
+@@ -3042,7 +3043,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
@@ -75864,6 +77015,33 @@ index 7fd66de..e6fb361 100644
goto out;
}
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index 729f157..ac0fa7b 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -1538,6 +1538,10 @@ err_proto:
+ #define UNCONFIRMED_NULLS_VAL ((1<<30)+0)
+ #define DYING_NULLS_VAL ((1<<30)+1)
+
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++static atomic_unchecked_t conntrack_cache_id = ATOMIC_INIT(0);
++#endif
++
+ static int nf_conntrack_init_net(struct net *net)
+ {
+ int ret;
+@@ -1551,7 +1555,11 @@ static int nf_conntrack_init_net(struct net *net)
+ goto err_stat;
+ }
+
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%08lx", atomic_inc_return_unchecked(&conntrack_cache_id));
++#else
+ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net);
++#endif
+ if (!net->ct.slabname) {
+ ret = -ENOMEM;
+ goto err_slabname;
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 66b2c54..c7884e3 100644
--- a/net/netfilter/nfnetlink_log.c
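Review bot: In `nf_conntrack_init_net()` the `CONFIG_GRKERNSEC_HIDESYM` branch formats the counter with `%08lx`, which expects an `unsigned long`, while the argument is the result of `atomic_inc_return_unchecked()`. Its prototype is not in this hunk; if it returns `int` as `atomic_inc_return()` does, the specifier and argument do not match in a variadic call. Either `"nf_conntrack_%08x"` or an explicit `(unsigned long)` cast on the argument would make this well-defined. A one-line comment saying that the counter replaces `%p`, presumably so the slab name does not expose the address of `net`, would also help. The function body continues outside the hunk.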
@@ -76020,7 +77198,7 @@ index 06592d8..64860f6 100644
*uaddr_len = sizeof(struct sockaddr_ax25);
}
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index 4f2c0df..f0ff342 100644
+index 4f2c0df..a1a00a5 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1687,7 +1687,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
@@ -76041,7 +77219,26 @@ index 4f2c0df..f0ff342 100644
spin_unlock(&sk->sk_receive_queue.lock);
drop_n_restore:
-@@ -3294,7 +3294,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -2641,6 +2641,7 @@ out:
+
+ static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len)
+ {
++ struct sock_extended_err ee;
+ struct sock_exterr_skb *serr;
+ struct sk_buff *skb, *skb2;
+ int copied, err;
+@@ -2662,8 +2663,9 @@ static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len)
+ sock_recv_timestamp(msg, sk, skb);
+
+ serr = SKB_EXT_ERR(skb);
++ ee = serr->ee;
+ put_cmsg(msg, SOL_PACKET, PACKET_TX_TIMESTAMP,
+- sizeof(serr->ee), &serr->ee);
++ sizeof ee, &ee);
+
+ msg->msg_flags |= MSG_ERRQUEUE;
+ err = copied;
+@@ -3294,7 +3296,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
case PACKET_HDRLEN:
if (len > sizeof(int))
len = sizeof(int);
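Review bot: `packet_recv_error()` now copies `serr->ee` into the local `ee` and passes `&ee` to `put_cmsg()`, but nothing says why the extra copy is needed. The reason is presumably the heap-object checks this patch adds to the slab allocators, with the copied data now coming from a stack object instead of the skb control block. That is an inference, since the checking callers are not in this hunk. A comment above the assignment such as `/* copy to the stack: put_cmsg() hands this to userland */` would keep a later cleanup from reverting it. The function continues outside the hunk.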
@@ -76050,7 +77247,7 @@ index 4f2c0df..f0ff342 100644
return -EFAULT;
switch (val) {
case TPACKET_V1:
-@@ -3344,7 +3344,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3344,7 +3346,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
if (put_user(len, optlen))
return -EFAULT;
@@ -76259,6 +77456,27 @@ index 4503335..db566b4 100644
}
#endif
+diff --git a/net/rds/recv.c b/net/rds/recv.c
+index 5c6e9f1..9f0f17c 100644
+--- a/net/rds/recv.c
++++ b/net/rds/recv.c
+@@ -410,6 +410,8 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
+
+ rdsdebug("size %zu flags 0x%x timeo %ld\n", size, msg_flags, timeo);
+
++ msg->msg_namelen = 0;
++
+ if (msg_flags & MSG_OOB)
+ goto out;
+
+@@ -485,6 +487,7 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
+ sin->sin_port = inc->i_hdr.h_sport;
+ sin->sin_addr.s_addr = inc->i_saddr;
+ memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
++ msg->msg_namelen = sizeof(*sin);
+ }
+ break;
+ }
diff --git a/net/rds/tcp.c b/net/rds/tcp.c
index edac9ef..16bcb98 100644
--- a/net/rds/tcp.c
@@ -76560,10 +77778,10 @@ index 1e2eee8..ce3967e 100644
assoc->assoc_id,
assoc->sndbuf_used,
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index 92ba71d..9a97902 100644
+index dba20d6..9352c05 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
-@@ -4569,7 +4569,7 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
+@@ -4577,7 +4577,7 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
if (space_left < addrlen)
return -ENOMEM;
@@ -76573,7 +77791,7 @@ index 92ba71d..9a97902 100644
to += addrlen;
cnt++;
diff --git a/net/socket.c b/net/socket.c
-index 851edcd..b786851 100644
+index 06ffa0f..aff61b1 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -88,6 +88,7 @@
@@ -76602,7 +77820,7 @@ index 851edcd..b786851 100644
static struct file_system_type sock_fs_type = {
.name = "sockfs",
-@@ -1207,6 +1210,8 @@ int __sock_create(struct net *net, int family, int type, int protocol,
+@@ -1210,6 +1213,8 @@ int __sock_create(struct net *net, int family, int type, int protocol,
return -EAFNOSUPPORT;
if (type < 0 || type >= SOCK_MAX)
return -EINVAL;
@@ -76611,7 +77829,7 @@ index 851edcd..b786851 100644
/* Compatibility.
-@@ -1339,6 +1344,16 @@ SYSCALL_DEFINE3(socket, int, family, int, type, int, protocol)
+@@ -1342,6 +1347,16 @@ SYSCALL_DEFINE3(socket, int, family, int, type, int, protocol)
if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
@@ -76628,7 +77846,7 @@ index 851edcd..b786851 100644
retval = sock_create(family, type, protocol, &sock);
if (retval < 0)
goto out;
-@@ -1451,6 +1466,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
+@@ -1454,6 +1469,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
if (sock) {
err = move_addr_to_kernel(umyaddr, addrlen, &address);
if (err >= 0) {
@@ -76643,7 +77861,7 @@ index 851edcd..b786851 100644
err = security_socket_bind(sock,
(struct sockaddr *)&address,
addrlen);
-@@ -1459,6 +1482,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
+@@ -1462,6 +1485,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
(struct sockaddr *)
&address, addrlen);
}
@@ -76651,7 +77869,7 @@ index 851edcd..b786851 100644
fput_light(sock->file, fput_needed);
}
return err;
-@@ -1482,10 +1506,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, backlog)
+@@ -1485,10 +1509,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, backlog)
if ((unsigned)backlog > somaxconn)
backlog = somaxconn;
@@ -76672,7 +77890,7 @@ index 851edcd..b786851 100644
fput_light(sock->file, fput_needed);
}
return err;
-@@ -1529,6 +1563,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
+@@ -1532,6 +1566,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
newsock->type = sock->type;
newsock->ops = sock->ops;
@@ -76691,7 +77909,7 @@ index 851edcd..b786851 100644
/*
* We don't need try_module_get here, as the listening socket (sock)
* has the protocol module (sock->ops->owner) held.
-@@ -1567,6 +1613,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
+@@ -1570,6 +1616,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
fd_install(newfd, newfile);
err = newfd;
@@ -76700,7 +77918,7 @@ index 851edcd..b786851 100644
out_put:
fput_light(sock->file, fput_needed);
out:
-@@ -1599,6 +1647,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
+@@ -1602,6 +1650,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
int, addrlen)
{
struct socket *sock;
@@ -76708,7 +77926,7 @@ index 851edcd..b786851 100644
struct sockaddr_storage address;
int err, fput_needed;
-@@ -1609,6 +1658,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
+@@ -1612,6 +1661,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
if (err < 0)
goto out_put;
@@ -76726,7 +77944,7 @@ index 851edcd..b786851 100644
err =
security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
if (err)
-@@ -1966,7 +2026,7 @@ static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -1969,7 +2029,7 @@ static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
* checking falls down on this.
*/
if (copy_from_user(ctl_buf,
@@ -76735,7 +77953,7 @@ index 851edcd..b786851 100644
ctl_len))
goto out_freectl;
msg_sys->msg_control = ctl_buf;
-@@ -2136,7 +2196,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -2139,7 +2199,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
* kernel msghdr to use the kernel address space)
*/
@@ -76744,7 +77962,7 @@ index 851edcd..b786851 100644
uaddr_len = COMPAT_NAMELEN(msg);
if (MSG_CMSG_COMPAT & flags) {
err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE);
-@@ -2758,7 +2818,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
+@@ -2761,7 +2821,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
}
ifr = compat_alloc_user_space(buf_size);
@@ -76753,7 +77971,7 @@ index 851edcd..b786851 100644
if (copy_in_user(&ifr->ifr_name, &ifr32->ifr_name, IFNAMSIZ))
return -EFAULT;
-@@ -2782,12 +2842,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
+@@ -2785,12 +2845,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
offsetof(struct ethtool_rxnfc, fs.ring_cookie));
if (copy_in_user(rxnfc, compat_rxnfc,
@@ -76770,7 +77988,7 @@ index 851edcd..b786851 100644
copy_in_user(&rxnfc->rule_cnt, &compat_rxnfc->rule_cnt,
sizeof(rxnfc->rule_cnt)))
return -EFAULT;
-@@ -2799,12 +2859,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
+@@ -2802,12 +2862,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
if (convert_out) {
if (copy_in_user(compat_rxnfc, rxnfc,
@@ -76787,7 +78005,7 @@ index 851edcd..b786851 100644
copy_in_user(&compat_rxnfc->rule_cnt, &rxnfc->rule_cnt,
sizeof(rxnfc->rule_cnt)))
return -EFAULT;
-@@ -2874,7 +2934,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
+@@ -2877,7 +2937,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
old_fs = get_fs();
set_fs(KERNEL_DS);
err = dev_ioctl(net, cmd,
@@ -76796,7 +78014,7 @@ index 851edcd..b786851 100644
set_fs(old_fs);
return err;
-@@ -2983,7 +3043,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
+@@ -2986,7 +3046,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
old_fs = get_fs();
set_fs(KERNEL_DS);
@@ -76805,7 +78023,7 @@ index 851edcd..b786851 100644
set_fs(old_fs);
if (cmd == SIOCGIFMAP && !err) {
-@@ -3088,7 +3148,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
+@@ -3091,7 +3151,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
ret |= __get_user(rtdev, &(ur4->rt_dev));
if (rtdev) {
ret |= copy_from_user(devname, compat_ptr(rtdev), 15);
@@ -76814,7 +78032,7 @@ index 851edcd..b786851 100644
devname[15] = 0;
} else
r4.rt_dev = NULL;
-@@ -3314,8 +3374,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
+@@ -3317,8 +3377,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
int __user *uoptlen;
int err;
@@ -76825,7 +78043,7 @@ index 851edcd..b786851 100644
set_fs(KERNEL_DS);
if (level == SOL_SOCKET)
-@@ -3335,7 +3395,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
+@@ -3338,7 +3398,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
char __user *uoptval;
int err;
@@ -76835,7 +78053,7 @@ index 851edcd..b786851 100644
set_fs(KERNEL_DS);
if (level == SOL_SOCKET)
diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c
-index 994cfea..5343b6b 100644
+index eda32ae..1c9fa7c 100644
--- a/net/sunrpc/sched.c
+++ b/net/sunrpc/sched.c
@@ -240,9 +240,9 @@ static int rpc_wait_bit_killable(void *word)
@@ -77175,7 +78393,7 @@ index d510353..26c8a32 100644
dput(path.dentry);
path.dentry = dentry;
diff --git a/net/wireless/core.h b/net/wireless/core.h
-index 3ac2dd0..fbe533e 100644
+index ce5597c..46d01db 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -27,7 +27,7 @@ struct cfg80211_registered_device {
@@ -77536,7 +78754,7 @@ index 44ddaa5..a3119bd 100644
sprintf(alias, "dmi*");
diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
-index c4e7d15..4241aef 100644
+index c4e7d15..dad16c1 100644
--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -922,6 +922,7 @@ enum mismatch {
@@ -77578,12 +78796,12 @@ index c4e7d15..4241aef 100644
free(prl_to);
break;
+ case DATA_TO_TEXT:
-+/*
++#if 0
+ fprintf(stderr,
-+ "The variable %s references\n"
-+ "the %s %s%s%s\n",
-+ fromsym, to, sec2annotation(tosec), tosym, to_p);
-+*/
++ "The %s %s:%s references\n"
++ "the %s %s:%s%s\n",
++ from, fromsec, fromsym, to, tosec, tosym, to_p);
++#endif
+ break;
}
fprintf(stderr, "\n");
@@ -77682,10 +78900,10 @@ index 5c11312..72742b5 100644
write_hex_cnt = 0;
for (i = 0; i < logo_clutsize; i++) {
diff --git a/security/Kconfig b/security/Kconfig
-index ccc61f8..7244cf1 100644
+index ccc61f8..0759500 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,861 @@
+@@ -4,6 +4,876 @@
menu "Security options"
@@ -77710,10 +78928,14 @@ index ccc61f8..7244cf1 100644
+ bool
+ default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
+
++ config PAX_USERCOPY_SLABS
++ bool
++
+config GRKERNSEC
+ bool "Grsecurity"
+ select CRYPTO
+ select CRYPTO_SHA256
++ select PROC_FS
+ select STOP_MACHINE
+ help
+ If you say Y here, you will be able to configure many features
@@ -77944,13 +79166,12 @@ index ccc61f8..7244cf1 100644
+ has been deprecated in favour of PT_PAX_FLAGS and XATTR_PAX_FLAGS
+ support.
+
-+ If you have applications not marked by the PT_PAX_FLAGS ELF program
-+ header and you cannot use XATTR_PAX_FLAGS then you MUST enable this
-+ option otherwise they will not get any protection.
-+
+ Note that if you enable PT_PAX_FLAGS or XATTR_PAX_FLAGS marking
+ support as well, they will override the legacy EI_PAX marks.
+
++ If you enable none of the marking options then all applications
++ will run with PaX enabled on them by default.
++
+config PAX_PT_PAX_FLAGS
+ bool 'Use ELF program header marking'
+ default y if GRKERNSEC_CONFIG_AUTO
@@ -77963,15 +79184,14 @@ index ccc61f8..7244cf1 100644
+ integrated into the toolchain (the binutils patch is available
+ from http://pax.grsecurity.net).
+
-+ If you have applications not marked by the PT_PAX_FLAGS ELF program
-+ header then you MUST enable either XATTR_PAX_FLAGS or EI_PAX marking
-+ support otherwise they will not get any protection.
++ Note that if you enable the legacy EI_PAX marking support as well,
++ the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
+
+ If you enable both PT_PAX_FLAGS and XATTR_PAX_FLAGS support then you
+ must make sure that the marks are the same if a binary has both marks.
+
-+ Note that if you enable the legacy EI_PAX marking support as well,
-+ the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
++ If you enable none of the marking options then all applications
++ will run with PaX enabled on them by default.
+
+config PAX_XATTR_PAX_FLAGS
+ bool 'Use filesystem extended attributes marking'
@@ -77996,15 +79216,14 @@ index ccc61f8..7244cf1 100644
+ isofs, udf, vfat) so copying files through such filesystems will
+ lose the extended attributes and these PaX markings.
+
-+ If you have applications not marked by the PT_PAX_FLAGS ELF program
-+ header then you MUST enable either XATTR_PAX_FLAGS or EI_PAX marking
-+ support otherwise they will not get any protection.
++ Note that if you enable the legacy EI_PAX marking support as well,
++ the EI_PAX marks will be overridden by the XATTR_PAX_FLAGS marks.
+
+ If you enable both PT_PAX_FLAGS and XATTR_PAX_FLAGS support then you
+ must make sure that the marks are the same if a binary has both marks.
+
-+ Note that if you enable the legacy EI_PAX marking support as well,
-+ the EI_PAX marks will be overridden by the XATTR_PAX_FLAGS marks.
++ If you enable none of the marking options then all applications
++ will run with PaX enabled on them by default.
+
+choice
+ prompt 'MAC system integration'
@@ -78494,6 +79713,7 @@ index ccc61f8..7244cf1 100644
+ default y if GRKERNSEC_CONFIG_AUTO
+ depends on X86 || PPC || SPARC || ARM
+ depends on GRKERNSEC && (SLAB || SLUB || SLOB)
++ select PAX_USERCOPY_SLABS
+ help
+ By saying Y here the kernel will enforce the size of heap objects
+ when they are copied in either direction between the kernel and
@@ -78534,6 +79754,19 @@ index ccc61f8..7244cf1 100644
+ Homepage:
+ http://www.grsecurity.net/~ephox/overflow_plugin/
+
++config PAX_LATENT_ENTROPY
++ bool "Generate some entropy during boot"
++ default y if GRKERNSEC_CONFIG_AUTO
++ help
++ By saying Y here the kernel will instrument early boot code to
++ extract some entropy from both original and artificially created
++ program state. This will help especially embedded systems where
++ there is little 'natural' source of entropy normally. The cost
++ is some slowdown of the boot process.
++
++ Note that entropy extracted this way is not cryptographically
++ secure!
++
+endmenu
+
+endmenu
@@ -78547,7 +79780,7 @@ index ccc61f8..7244cf1 100644
config KEYS
bool "Enable access key retention support"
help
-@@ -169,7 +1024,7 @@ config INTEL_TXT
+@@ -169,7 +1039,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX
@@ -78740,7 +79973,7 @@ index f728728..6457a0c 100644
/*
diff --git a/security/security.c b/security/security.c
-index bf619ff..8179030 100644
+index bf619ff..cf3683f 100644
--- a/security/security.c
+++ b/security/security.c
@@ -20,6 +20,7 @@
@@ -78772,8 +80005,18 @@ index bf619ff..8179030 100644
}
/* Save user chosen LSM */
+@@ -123,7 +126,9 @@ int __init register_security(struct security_operations *ops)
+ if (security_ops != &default_security_ops)
+ return -EAGAIN;
+
++ pax_open_kernel();
+ security_ops = ops;
++ pax_close_kernel();
+
+ return 0;
+ }
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index d85b793..a164832 100644
+index 5626222..891e275 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -95,8 +95,6 @@
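Review bot: The `pax_open_kernel()` / `pax_close_kernel()` pair added around `security_ops = ops;` in register_security has no comment saying why a plain pointer store needs it. Presumably security_ops is write-protected elsewhere in this patch, which is not visible in this hunk. A one-line comment such as `/* security_ops is write-protected: open the window for this store only */` would record that. It would also warn a later editor against placing other statements between the two calls, where they would run with write protection lifted.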
@@ -79411,12 +80654,19 @@ index da5fa1a..113cd02 100644
int last_frame_number; /* stored frame number */
int last_delay; /* stored delay */
};
+diff --git a/tools/gcc/.gitignore b/tools/gcc/.gitignore
+new file mode 100644
+index 0000000..50f2f2f
+--- /dev/null
++++ b/tools/gcc/.gitignore
+@@ -0,0 +1 @@
++size_overflow_hash.h
diff --git a/tools/gcc/Makefile b/tools/gcc/Makefile
new file mode 100644
-index 0000000..f4f9986
+index 0000000..1d09b7e
--- /dev/null
+++ b/tools/gcc/Makefile
-@@ -0,0 +1,41 @@
+@@ -0,0 +1,43 @@
+#CC := gcc
+#PLUGIN_SOURCE_FILES := pax_plugin.c
+#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES))
@@ -79438,6 +80688,7 @@ index 0000000..f4f9986
+$(HOSTLIBS)-$(CONFIG_CHECKER_PLUGIN) += checker_plugin.so
+$(HOSTLIBS)-y += colorize_plugin.so
+$(HOSTLIBS)-$(CONFIG_PAX_SIZE_OVERFLOW) += size_overflow_plugin.so
++$(HOSTLIBS)-$(CONFIG_PAX_LATENT_ENTROPY) += latent_entropy_plugin.so
+
+always := $($(HOSTLIBS)-y)
+
@@ -79448,6 +80699,7 @@ index 0000000..f4f9986
+checker_plugin-objs := checker_plugin.o
+colorize_plugin-objs := colorize_plugin.o
+size_overflow_plugin-objs := size_overflow_plugin.o
++latent_entropy_plugin-objs := latent_entropy_plugin.o
+
+$(obj)/size_overflow_plugin.o: $(objtree)/$(obj)/size_overflow_hash.h
+
@@ -79637,7 +80889,7 @@ index 0000000..d41b5af
+}
diff --git a/tools/gcc/colorize_plugin.c b/tools/gcc/colorize_plugin.c
new file mode 100644
-index 0000000..7a5e311
+index 0000000..846aeb0
--- /dev/null
+++ b/tools/gcc/colorize_plugin.c
@@ -0,0 +1,148 @@
@@ -79775,7 +81027,7 @@ index 0000000..7a5e311
+ struct register_pass_info colorize_rearm_pass_info = {
+ .pass = &pass_ipa_colorize_rearm.pass,
+ .reference_pass_name = "*free_lang_data",
-+ .ref_pass_instance_number = 0,
++ .ref_pass_instance_number = 1,
+ .pos_op = PASS_POS_INSERT_AFTER
+ };
+
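Review bot: The change of `.ref_pass_instance_number` from 0 to 1 in colorize_rearm_pass_info is made without a comment, although the two values mean different things to the GCC pass manager. A value of 0 inserts the pass at every instance of the reference pass, while 1 inserts it only at the first. A trailing comment such as `/* first instance only; 0 would mean every instance */` would record the intent. The same undocumented change appears in the constify, kallocstat and kernexec plugin hunks further down. The initializer sits inside plugin_init, whose start is outside this hunk.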
@@ -79791,7 +81043,7 @@ index 0000000..7a5e311
+}
diff --git a/tools/gcc/constify_plugin.c b/tools/gcc/constify_plugin.c
new file mode 100644
-index 0000000..89b7f56
+index 0000000..048d4ff
--- /dev/null
+++ b/tools/gcc/constify_plugin.c
@@ -0,0 +1,328 @@
@@ -80097,7 +81349,7 @@ index 0000000..89b7f56
+ struct register_pass_info local_variable_pass_info = {
+ .pass = &pass_local_variable.pass,
+ .reference_pass_name = "*referenced_vars",
-+ .ref_pass_instance_number = 0,
++ .ref_pass_instance_number = 1,
+ .pos_op = PASS_POS_INSERT_AFTER
+ };
+
@@ -80125,10 +81377,10 @@ index 0000000..89b7f56
+}
diff --git a/tools/gcc/generate_size_overflow_hash.sh b/tools/gcc/generate_size_overflow_hash.sh
new file mode 100644
-index 0000000..a0fe8b2
+index 0000000..7d66989
--- /dev/null
+++ b/tools/gcc/generate_size_overflow_hash.sh
-@@ -0,0 +1,94 @@
+@@ -0,0 +1,96 @@
+#!/bin/bash
+
+# This script generates the hash table (size_overflow_hash.h) for the size_overflow gcc plugin (size_overflow_plugin.c).
@@ -80176,9 +81428,10 @@ index 0000000..a0fe8b2
+
+ cat "$database" | while read data
+ do
-+ data_array=($data)
++ data_array=(${data// /?})
++ data_array=(${data_array[@]//+/ })
+ struct_hash_name="${data_array[0]}"
-+ funcn="${data_array[1]}"
++ funcn="${data_array[1]//\?/ }"
+ params="${data_array[2]}"
+ next="${data_array[5]}"
+
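Review bot: The new `data_array=(${data// /?})` expansion is unquoted, so once spaces become `?` each word is a glob pattern. Bash will replace such a word with any matching file name in the working directory before the fields are read. Disabling pathname expansion for the script, e.g. `set -f` ahead of the loops, keeps the splitting as written while removing that dependency on directory contents. The second hunk in this file repeats the pattern in create_array_elements and writes the follow-up as `${data_array//+/ }` without `[@]`, which rewrites element 0 only; `${data_array[@]//+/ }` would be the consistent spelling. Both loops start outside their hunks.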
@@ -80202,9 +81455,10 @@ index 0000000..a0fe8b2
+
+create_array_elements () {
+ index=0
-+ grep -v "nohasharray" $database | sort -n -k 4 | while read data
++ grep -v "nohasharray" $database | sort -n -t '+' -k 4 | while read data
+ do
-+ data_array=($data)
++ data_array=(${data// /?})
++ data_array=(${data_array//+/ })
+ i="${data_array[3]}"
+ hash="${data_array[4]}"
+ while [[ $index -lt $i ]]
@@ -80225,7 +81479,7 @@ index 0000000..a0fe8b2
+exit 0
diff --git a/tools/gcc/kallocstat_plugin.c b/tools/gcc/kallocstat_plugin.c
new file mode 100644
-index 0000000..a5eabce
+index 0000000..a86e422
--- /dev/null
+++ b/tools/gcc/kallocstat_plugin.c
@@ -0,0 +1,167 @@
@@ -80382,7 +81636,7 @@ index 0000000..a5eabce
+ struct register_pass_info kallocstat_pass_info = {
+ .pass = &kallocstat_pass.pass,
+ .reference_pass_name = "ssa",
-+ .ref_pass_instance_number = 0,
++ .ref_pass_instance_number = 1,
+ .pos_op = PASS_POS_INSERT_AFTER
+ };
+
@@ -80398,7 +81652,7 @@ index 0000000..a5eabce
+}
diff --git a/tools/gcc/kernexec_plugin.c b/tools/gcc/kernexec_plugin.c
new file mode 100644
-index 0000000..d8a8da2
+index 0000000..98011fa
--- /dev/null
+++ b/tools/gcc/kernexec_plugin.c
@@ -0,0 +1,427 @@
@@ -80774,19 +82028,19 @@ index 0000000..d8a8da2
+ struct register_pass_info kernexec_reload_pass_info = {
+ .pass = &kernexec_reload_pass.pass,
+ .reference_pass_name = "ssa",
-+ .ref_pass_instance_number = 0,
++ .ref_pass_instance_number = 1,
+ .pos_op = PASS_POS_INSERT_AFTER
+ };
+ struct register_pass_info kernexec_fptr_pass_info = {
+ .pass = &kernexec_fptr_pass.pass,
+ .reference_pass_name = "ssa",
-+ .ref_pass_instance_number = 0,
++ .ref_pass_instance_number = 1,
+ .pos_op = PASS_POS_INSERT_AFTER
+ };
+ struct register_pass_info kernexec_retaddr_pass_info = {
+ .pass = &kernexec_retaddr_pass.pass,
+ .reference_pass_name = "pro_and_epilogue",
-+ .ref_pass_instance_number = 0,
++ .ref_pass_instance_number = 1,
+ .pos_op = PASS_POS_INSERT_AFTER
+ };
+
@@ -80829,12 +82083,313 @@ index 0000000..d8a8da2
+
+ return 0;
+}
+diff --git a/tools/gcc/latent_entropy_plugin.c b/tools/gcc/latent_entropy_plugin.c
+new file mode 100644
+index 0000000..b8008f7
+--- /dev/null
++++ b/tools/gcc/latent_entropy_plugin.c
+@@ -0,0 +1,295 @@
++/*
++ * Copyright 2012 by the PaX Team <pageexec@freemail.hu>
++ * Licensed under the GPL v2
++ *
++ * Note: the choice of the license means that the compilation process is
++ * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
++ * but for the kernel it doesn't matter since it doesn't link against
++ * any of the gcc libraries
++ *
++ * gcc plugin to help generate a little bit of entropy from program state,
++ * used during boot in the kernel
++ *
++ * TODO:
++ * - add ipa pass to identify not explicitly marked candidate functions
++ * - mix in more program state (function arguments/return values, loop variables, etc)
++ * - more instrumentation control via attribute parameters
++ *
++ * BUGS:
++ * - LTO needs -flto-partition=none for now
++ */
++#include "gcc-plugin.h"
++#include "config.h"
++#include "system.h"
++#include "coretypes.h"
++#include "tree.h"
++#include "tree-pass.h"
++#include "flags.h"
++#include "intl.h"
++#include "toplev.h"
++#include "plugin.h"
++//#include "expr.h" where are you...
++#include "diagnostic.h"
++#include "plugin-version.h"
++#include "tm.h"
++#include "function.h"
++#include "basic-block.h"
++#include "gimple.h"
++#include "rtl.h"
++#include "emit-rtl.h"
++#include "tree-flow.h"
++
++int plugin_is_GPL_compatible;
++
++static tree latent_entropy_decl;
++
++static struct plugin_info latent_entropy_plugin_info = {
++ .version = "201207271820",
++ .help = NULL
++};
++
++static unsigned int execute_latent_entropy(void);
++static bool gate_latent_entropy(void);
++
++static struct gimple_opt_pass latent_entropy_pass = {
++ .pass = {
++ .type = GIMPLE_PASS,
++ .name = "latent_entropy",
++ .gate = gate_latent_entropy,
++ .execute = execute_latent_entropy,
++ .sub = NULL,
++ .next = NULL,
++ .static_pass_number = 0,
++ .tv_id = TV_NONE,
++ .properties_required = PROP_gimple_leh | PROP_cfg,
++ .properties_provided = 0,
++ .properties_destroyed = 0,
++ .todo_flags_start = 0, //TODO_verify_ssa | TODO_verify_flow | TODO_verify_stmts,
++ .todo_flags_finish = TODO_verify_ssa | TODO_verify_stmts | TODO_dump_func | TODO_update_ssa
++ }
++};
++
++static tree handle_latent_entropy_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs)
++{
++ if (TREE_CODE(*node) != FUNCTION_DECL) {
++ *no_add_attrs = true;
++ error("%qE attribute only applies to functions", name);
++ }
++ return NULL_TREE;
++}
++
++static struct attribute_spec latent_entropy_attr = {
++ .name = "latent_entropy",
++ .min_length = 0,
++ .max_length = 0,
++ .decl_required = true,
++ .type_required = false,
++ .function_type_required = false,
++ .handler = handle_latent_entropy_attribute,
++#if BUILDING_GCC_VERSION >= 4007
++ .affects_type_identity = false
++#endif
++};
++
++static void register_attributes(void *event_data, void *data)
++{
++ register_attribute(&latent_entropy_attr);
++}
++
++static bool gate_latent_entropy(void)
++{
++ tree latent_entropy_attr;
++
++ latent_entropy_attr = lookup_attribute("latent_entropy", DECL_ATTRIBUTES(current_function_decl));
++ return latent_entropy_attr != NULL_TREE;
++}
++
++static unsigned HOST_WIDE_INT seed;
++static unsigned HOST_WIDE_INT get_random_const(void)
++{
++ seed = (seed >> 1U) ^ (-(seed & 1ULL) & 0xD800000000000000ULL);
++ return seed;
++}
++
++static enum tree_code get_op(tree *rhs)
++{
++ static enum tree_code op;
++ unsigned HOST_WIDE_INT random_const;
++
++ random_const = get_random_const();
++
++ switch (op) {
++ case BIT_XOR_EXPR:
++ op = PLUS_EXPR;
++ break;
++
++ case PLUS_EXPR:
++ if (rhs) {
++ op = LROTATE_EXPR;
++ random_const &= HOST_BITS_PER_WIDE_INT - 1;
++ break;
++ }
++
++ case LROTATE_EXPR:
++ default:
++ op = BIT_XOR_EXPR;
++ break;
++ }
++ if (rhs)
++ *rhs = build_int_cstu(unsigned_intDI_type_node, random_const);
++ return op;
++}
++
++static void perturb_local_entropy(basic_block bb, tree local_entropy)
++{
++ gimple_stmt_iterator gsi;
++ gimple assign;
++ tree addxorrol, rhs;
++ enum tree_code op;
++
++ op = get_op(&rhs);
++ addxorrol = fold_build2_loc(UNKNOWN_LOCATION, op, unsigned_intDI_type_node, local_entropy, rhs);
++ assign = gimple_build_assign(local_entropy, addxorrol);
++ find_referenced_vars_in(assign);
++//debug_bb(bb);
++ gsi = gsi_after_labels(bb);
++ gsi_insert_before(&gsi, assign, GSI_NEW_STMT);
++ update_stmt(assign);
++}
++
++static void perturb_latent_entropy(basic_block bb, tree rhs)
++{
++ gimple_stmt_iterator gsi;
++ gimple assign;
++ tree addxorrol, temp;
++
++ // 1. create temporary copy of latent_entropy
++ temp = create_tmp_var(unsigned_intDI_type_node, "temp_latent_entropy");
++ add_referenced_var(temp);
++ mark_sym_for_renaming(temp);
++
++ // 2. read...
++ assign = gimple_build_assign(temp, latent_entropy_decl);
++ find_referenced_vars_in(assign);
++ gsi = gsi_after_labels(bb);
++ gsi_insert_after(&gsi, assign, GSI_NEW_STMT);
++ update_stmt(assign);
++
++ // 3. ...modify...
++ addxorrol = fold_build2_loc(UNKNOWN_LOCATION, get_op(NULL), unsigned_intDI_type_node, temp, rhs);
++ assign = gimple_build_assign(temp, addxorrol);
++ find_referenced_vars_in(assign);
++ gsi_insert_after(&gsi, assign, GSI_NEW_STMT);
++ update_stmt(assign);
++
++ // 4. ...write latent_entropy
++ assign = gimple_build_assign(latent_entropy_decl, temp);
++ find_referenced_vars_in(assign);
++ gsi_insert_after(&gsi, assign, GSI_NEW_STMT);
++ update_stmt(assign);
++}
++
++static unsigned int execute_latent_entropy(void)
++{
++ basic_block bb;
++ gimple assign;
++ gimple_stmt_iterator gsi;
++ tree local_entropy;
++
++ if (!latent_entropy_decl) {
++ struct varpool_node *node;
++
++ for (node = varpool_nodes; node; node = node->next) {
++ tree var = node->decl;
++ if (strcmp(IDENTIFIER_POINTER(DECL_NAME(var)), "latent_entropy"))
++ continue;
++ latent_entropy_decl = var;
++// debug_tree(var);
++ break;
++ }
++ if (!latent_entropy_decl) {
++// debug_tree(current_function_decl);
++ return 0;
++ }
++ }
++
++//fprintf(stderr, "latent_entropy: %s\n", IDENTIFIER_POINTER(DECL_NAME(current_function_decl)));
++
++ // 1. create local entropy variable
++ local_entropy = create_tmp_var(unsigned_intDI_type_node, "local_entropy");
++ add_referenced_var(local_entropy);
++ mark_sym_for_renaming(local_entropy);
++
++ // 2. initialize local entropy variable
++ bb = split_block_after_labels(ENTRY_BLOCK_PTR)->dest;
++ if (dom_info_available_p(CDI_DOMINATORS))
++ set_immediate_dominator(CDI_DOMINATORS, bb, ENTRY_BLOCK_PTR);
++ gsi = gsi_start_bb(bb);
++
++ assign = gimple_build_assign(local_entropy, build_int_cstu(unsigned_intDI_type_node, get_random_const()));
++// gimple_set_location(assign, loc);
++ find_referenced_vars_in(assign);
++ gsi_insert_after(&gsi, assign, GSI_NEW_STMT);
++ update_stmt(assign);
++ bb = bb->next_bb;
++
++ // 3. instrument each BB with an operation on the local entropy variable
++ while (bb != EXIT_BLOCK_PTR) {
++ perturb_local_entropy(bb, local_entropy);
++ bb = bb->next_bb;
++ };
++
++ // 4. mix local entropy into the global entropy variable
++ perturb_latent_entropy(EXIT_BLOCK_PTR->prev_bb, local_entropy);
++ return 0;
++}
++
++static void start_unit_callback(void *gcc_data, void *user_data)
++{
++#if BUILDING_GCC_VERSION >= 4007
++ seed = get_random_seed(false);
++#else
++ sscanf(get_random_seed(false), "%" HOST_WIDE_INT_PRINT "x", &seed);
++ seed *= seed;
++#endif
++
++ if (in_lto_p)
++ return;
++
++ // extern u64 latent_entropy
++ latent_entropy_decl = build_decl(UNKNOWN_LOCATION, VAR_DECL, get_identifier("latent_entropy"), unsigned_intDI_type_node);
++
++ TREE_STATIC(latent_entropy_decl) = 1;
++ TREE_PUBLIC(latent_entropy_decl) = 1;
++ TREE_USED(latent_entropy_decl) = 1;
++ TREE_THIS_VOLATILE(latent_entropy_decl) = 1;
++ DECL_EXTERNAL(latent_entropy_decl) = 1;
++ DECL_ARTIFICIAL(latent_entropy_decl) = 0;
++ DECL_INITIAL(latent_entropy_decl) = NULL;
++// DECL_ASSEMBLER_NAME(latent_entropy_decl);
++// varpool_finalize_decl(latent_entropy_decl);
++// varpool_mark_needed_node(latent_entropy_decl);
++}
++
++int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
++{
++ const char * const plugin_name = plugin_info->base_name;
++ struct register_pass_info latent_entropy_pass_info = {
++ .pass = &latent_entropy_pass.pass,
++ .reference_pass_name = "optimized",
++ .ref_pass_instance_number = 1,
++ .pos_op = PASS_POS_INSERT_BEFORE
++ };
++
++ if (!plugin_default_version_check(version, &gcc_version)) {
++ error(G_("incompatible gcc/plugin versions"));
++ return 1;
++ }
++
++ register_callback(plugin_name, PLUGIN_INFO, NULL, &latent_entropy_plugin_info);
++ register_callback ("start_unit", PLUGIN_START_UNIT, &start_unit_callback, NULL);
++ register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &latent_entropy_pass_info);
++ register_callback(plugin_name, PLUGIN_ATTRIBUTES, register_attributes, NULL);
++
++ return 0;
++}
diff --git a/tools/gcc/size_overflow_hash.data b/tools/gcc/size_overflow_hash.data
new file mode 100644
-index 0000000..daaa86c
+index 0000000..ba0e88b
--- /dev/null
+++ b/tools/gcc/size_overflow_hash.data
-@@ -0,0 +1,2486 @@
+@@ -0,0 +1,3028 @@
+_000001_hash alloc_dr 2 65495 _000001_hash NULL
+_000002_hash __copy_from_user 3 10918 _000002_hash NULL
+_000003_hash copy_from_user 3 17559 _000003_hash NULL
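Review bot: In the new latent_entropy_plugin.c, `seed` is never checked for zero in start_unit_callback, and zero is a fixed point of the shift-and-xor step in get_random_const. The pre-4.7 branch ignores the sscanf() result and then squares the value, which yields 0 whenever its low 32 bits are 0. Every generated constant would then be 0, so the inserted xor/add/rotate statements would leave `latent_entropy` unchanged and the build would silently contribute nothing. A guard after the `#endif`, such as `if (!seed) seed = 1;`, would avoid that. On the style side, `case PLUS_EXPR:` in get_op falls into `case LROTATE_EXPR:` when `rhs` is NULL, which looks intended and would be clearer with a `/* fallthrough */` comment.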
@@ -81157,7 +82712,7 @@ index 0000000..daaa86c
+_000331_hash lcd_write 3 14857 _000331_hash &_000014_hash
+_000332_hash ldm_frag_add 2 5611 _000332_hash NULL
+_000333_hash __lgread 4 31668 _000333_hash NULL
-+_000334_hash libipw_alloc_txb 1 27579 _000334_hash NULL
++_000334_hash libipw_alloc_txb 1-3-2 27579 _000334_hash NULL
+_000335_hash link_send_sections_long 4 46556 _000335_hash NULL
+_000336_hash listxattr 3 12769 _000336_hash NULL
+_000337_hash LoadBitmap 2 19658 _000337_hash NULL
@@ -81185,7 +82740,7 @@ index 0000000..daaa86c
+_000360_hash mpi_resize 2 44674 _000360_hash NULL
+_000361_hash mptctl_getiocinfo 2 28545 _000361_hash NULL
+_000362_hash mtdchar_readoob 4 31200 _000362_hash NULL
-+_000363_hash mtdchar_write 3 56831 _000363_hash NULL
++_000363_hash mtdchar_write 3 56831 _002688_hash NULL nohasharray
+_000364_hash mtdchar_writeoob 4 3393 _000364_hash NULL
+_000365_hash mtd_device_parse_register 5 5024 _000365_hash NULL
+_000366_hash mtf_test_write 3 18844 _000366_hash NULL
@@ -81292,7 +82847,7 @@ index 0000000..daaa86c
+_000472_hash rfcomm_sock_setsockopt 5 18254 _000472_hash NULL
+_000473_hash rndis_add_response 2 58544 _000473_hash NULL
+_000474_hash rndis_set_oid 4 6547 _000474_hash NULL
-+_000475_hash rngapi_reset 3 34366 _000475_hash NULL
++_000475_hash rngapi_reset 3 34366 _002911_hash NULL nohasharray
+_000476_hash roccat_common_receive 4 53407 _000476_hash NULL
+_000477_hash roccat_common_send 4 12284 _000477_hash NULL
+_000478_hash rpc_malloc 2 43573 _000478_hash NULL
@@ -81478,7 +83033,7 @@ index 0000000..daaa86c
+_000667_hash zd_usb_read_fw 4 22049 _000667_hash NULL
+_000668_hash zerocopy_sg_from_iovec 3 11828 _000668_hash NULL
+_000669_hash zoran_write 3 22404 _000669_hash NULL
-+_000671_hash acpi_ex_allocate_name_string 2 7685 _000671_hash NULL
++_000671_hash acpi_ex_allocate_name_string 2 7685 _002855_hash NULL nohasharray
+_000672_hash acpi_os_allocate_zeroed 1 37422 _000672_hash NULL
+_000673_hash acpi_ut_initialize_buffer 2 47143 _002314_hash NULL nohasharray
+_000674_hash ad7879_spi_xfer 3 36311 _000674_hash NULL
@@ -81537,7 +83092,7 @@ index 0000000..daaa86c
+_000733_hash ath6kl_wmi_send_mgmt_cmd 7 17347 _000733_hash NULL
+_000734_hash ath_descdma_setup 5 12257 _000734_hash NULL
+_000735_hash ath_rx_edma_init 2 65483 _000735_hash NULL
-+_000736_hash ati_create_gatt_pages 1 4722 _000736_hash NULL
++_000736_hash ati_create_gatt_pages 1 4722 _003142_hash NULL nohasharray
+_000737_hash au0828_init_isoc 2-3 61917 _000737_hash NULL
+_000739_hash audit_init_entry 1 38644 _000739_hash NULL
+_000740_hash ax25_sendmsg 4 62770 _000740_hash NULL
@@ -81573,7 +83128,7 @@ index 0000000..daaa86c
+_000774_hash cfg80211_roamed_bss 4-6 50198 _000774_hash NULL
+_000776_hash cifs_readdata_alloc 1 50318 _000776_hash NULL
+_000777_hash cifs_readv_from_socket 3 19109 _000777_hash NULL
-+_000778_hash cifs_writedata_alloc 1 32880 _000778_hash NULL
++_000778_hash cifs_writedata_alloc 1 32880 _003176_hash NULL nohasharray
+_000779_hash cnic_alloc_dma 3 34641 _000779_hash NULL
+_000780_hash configfs_write_file 3 61621 _000780_hash NULL
+_000781_hash construct_key 3 11329 _000781_hash NULL
@@ -81663,7 +83218,7 @@ index 0000000..daaa86c
+_000873_hash ib_send_cm_rtu 3 63138 _000873_hash NULL
+_000874_hash ieee80211_key_alloc 3 19065 _000874_hash NULL
+_000875_hash ieee80211_mgmt_tx 9 46860 _000875_hash NULL
-+_000876_hash ieee80211_send_probe_req 6 6924 _000876_hash NULL
++_000876_hash ieee80211_send_probe_req 6-4 6924 _000876_hash NULL
+_000877_hash if_writecmd 2 815 _000877_hash NULL
+_000878_hash init_bch 1-2 64130 _000878_hash NULL
+_000880_hash init_ipath 1 48187 _000880_hash NULL
@@ -81722,7 +83277,7 @@ index 0000000..daaa86c
+_000937_hash kvm_read_guest_page_mmu 6 37611 _000937_hash NULL
+_000938_hash kvm_set_irq_routing 3 48704 _000938_hash NULL
+_000939_hash kvm_write_guest_cached 4 11106 _000939_hash NULL
-+_000940_hash kvm_write_guest_page 5 63555 _000940_hash NULL
++_000940_hash kvm_write_guest_page 5 63555 _002809_hash NULL nohasharray
+_000941_hash l2cap_skbuff_fromiovec 3-4 35003 _000941_hash NULL
+_000943_hash l2tp_ip_sendmsg 4 50411 _000943_hash NULL
+_000944_hash l2tp_session_create 1 25286 _000944_hash NULL
@@ -81950,7 +83505,7 @@ index 0000000..daaa86c
+_001186_hash timeout_write 3 50991 _001186_hash NULL
+_001187_hash tipc_link_send_sections_fast 4 37920 _001187_hash NULL
+_001188_hash tipc_subseq_alloc 1 5957 _001188_hash NULL
-+_001189_hash tm6000_read_write_usb 7 50774 _001189_hash NULL
++_001189_hash tm6000_read_write_usb 7 50774 _002917_hash NULL nohasharray
+_001190_hash tnode_alloc 1 49407 _001190_hash NULL
+_001191_hash tomoyo_commit_ok 2 20167 _001191_hash NULL
+_001192_hash tomoyo_scan_bprm 2-4 15642 _001192_hash NULL
@@ -81970,7 +83525,7 @@ index 0000000..daaa86c
+_001208_hash update_pmkid 4 2481 _001208_hash NULL
+_001209_hash usb_alloc_coherent 2 65444 _001209_hash NULL
+_001210_hash uvc_alloc_buffers 2 9656 _001210_hash NULL
-+_001211_hash uvc_alloc_entity 3 20836 _001211_hash NULL
++_001211_hash uvc_alloc_entity 3-4 20836 _001211_hash NULL
+_001212_hash v4l2_ctrl_new 7 38725 _001212_hash NULL
+_001213_hash v4l2_event_subscribe 3 19510 _001213_hash NULL
+_001214_hash vb2_read 3 42703 _001214_hash NULL
@@ -81997,7 +83552,7 @@ index 0000000..daaa86c
+_001237_hash _xfs_buf_get_pages 2 46811 _001237_hash NULL
+_001238_hash xfs_da_buf_make 1 55845 _001238_hash NULL
+_001239_hash xfs_da_grow_inode_int 3 21785 _001239_hash NULL
-+_001240_hash xfs_dir_cilookup_result 3 64288 _001240_hash NULL
++_001240_hash xfs_dir_cilookup_result 3 64288 _003130_hash NULL nohasharray
+_001241_hash xfs_iext_add_indirect_multi 3 32400 _001241_hash NULL
+_001242_hash xfs_iext_inline_to_direct 2 12384 _001242_hash NULL
+_001243_hash xfs_iroot_realloc 2 46826 _001243_hash NULL
@@ -82096,7 +83651,7 @@ index 0000000..daaa86c
+_001343_hash dump_midi 3 51040 _001343_hash NULL
+_001344_hash dvb_dmxdev_set_buffer_size 2 55643 _001344_hash NULL
+_001345_hash dvb_dvr_set_buffer_size 2 9840 _001345_hash NULL
-+_001346_hash dvb_ringbuffer_pkt_read_user 3-5 4303 _001346_hash NULL
++_001346_hash dvb_ringbuffer_pkt_read_user 3-5-2 4303 _001346_hash NULL
+_001348_hash dvb_ringbuffer_read_user 3 56702 _001348_hash NULL
+_001349_hash ecryptfs_filldir 3 6622 _001349_hash NULL
+_001350_hash ecryptfs_readlink 3 40775 _001350_hash NULL
@@ -82270,7 +83825,7 @@ index 0000000..daaa86c
+_001530_hash sys_getxattr 4 37418 _001530_hash NULL
+_001531_hash sys_kexec_load 2 14222 _001531_hash NULL
+_001532_hash sys_msgsnd 3 44537 _001532_hash &_000129_hash
-+_001533_hash sys_process_vm_readv 3-5 19090 _001533_hash NULL
++_001533_hash sys_process_vm_readv 3-5 19090 _003178_hash NULL nohasharray
+_001535_hash sys_process_vm_writev 3-5 4928 _001535_hash NULL
+_001537_hash sys_sched_getaffinity 2 60033 _001537_hash NULL
+_001538_hash sys_setsockopt 5 35320 _001538_hash NULL
@@ -82336,7 +83891,7 @@ index 0000000..daaa86c
+_001603_hash xfs_iext_realloc_indirect 2 59211 _001603_hash NULL
+_001604_hash xfs_inumbers_fmt 3 12817 _001604_hash NULL
+_001605_hash xlog_recover_add_to_cont_trans 4 44102 _001605_hash NULL
-+_001606_hash xz_dec_lzma2_create 2 36353 _001606_hash NULL
++_001606_hash xz_dec_lzma2_create 2 36353 _002745_hash NULL nohasharray
+_001607_hash _zd_iowrite32v_locked 3 44725 _001607_hash NULL
+_001608_hash aat2870_reg_read_file 3 12221 _001608_hash NULL
+_001609_hash add_sctp_bind_addr 3 12269 _001609_hash NULL
@@ -82376,7 +83931,7 @@ index 0000000..daaa86c
+_001645_hash bfad_debugfs_read 3 13119 _001645_hash NULL
+_001646_hash bfad_debugfs_read_regrd 3 57830 _001646_hash NULL
+_001647_hash blk_init_tags 1 30592 _001647_hash NULL
-+_001648_hash blk_queue_init_tags 2 44355 _001648_hash NULL
++_001648_hash blk_queue_init_tags 2 44355 _002686_hash NULL nohasharray
+_001649_hash blk_rq_map_kern 4 47004 _001649_hash NULL
+_001650_hash bm_entry_read 3 10976 _001650_hash NULL
+_001651_hash bm_status_read 3 19583 _001651_hash NULL
@@ -82450,9 +84005,9 @@ index 0000000..daaa86c
+_001721_hash generic_readlink 3 32654 _001721_hash NULL
+_001722_hash gpio_power_read 3 36059 _001722_hash NULL
+_001723_hash hash_recvmsg 4 50924 _001723_hash NULL
-+_001724_hash ht40allow_map_read 3 55209 _001724_hash NULL
++_001724_hash ht40allow_map_read 3 55209 _002830_hash NULL nohasharray
+_001725_hash hwflags_read 3 52318 _001725_hash NULL
-+_001726_hash hysdn_conf_read 3 42324 _001726_hash NULL
++_001726_hash hysdn_conf_read 3 42324 _003159_hash NULL nohasharray
+_001727_hash i2400m_rx_stats_read 3 57706 _001727_hash NULL
+_001728_hash i2400m_tx_stats_read 3 28527 _001728_hash NULL
+_001729_hash idmouse_read 3 63374 _001729_hash NULL
@@ -82533,7 +84088,7 @@ index 0000000..daaa86c
+_001805_hash iwl_dbgfs_rxon_flags_read 3 20795 _001805_hash NULL
+_001806_hash iwl_dbgfs_rx_queue_read 3 19943 _001806_hash NULL
+_001807_hash iwl_dbgfs_rx_statistics_read 3 62687 _001807_hash &_000425_hash
-+_001808_hash iwl_dbgfs_sensitivity_read 3 63116 _001808_hash NULL
++_001808_hash iwl_dbgfs_sensitivity_read 3 63116 _003026_hash NULL nohasharray
+_001809_hash iwl_dbgfs_sleep_level_override_read 3 3038 _001809_hash NULL
+_001810_hash iwl_dbgfs_sram_read 3 44505 _001810_hash NULL
+_001811_hash iwl_dbgfs_stations_read 3 9309 _001811_hash NULL
@@ -82599,7 +84154,7 @@ index 0000000..daaa86c
+_001873_hash mwifiex_info_read 3 53447 _001873_hash NULL
+_001874_hash mwifiex_rdeeprom_read 3 51429 _001874_hash NULL
+_001875_hash mwifiex_regrdwr_read 3 34472 _001875_hash NULL
-+_001876_hash nfsd_vfs_read 6 62605 _001876_hash NULL
++_001876_hash nfsd_vfs_read 6 62605 _003003_hash NULL nohasharray
+_001877_hash nfsd_vfs_write 6 54577 _001877_hash NULL
+_001878_hash nfs_idmap_lookup_id 2 10660 _001878_hash NULL
+_001879_hash o2hb_debug_read 3 37851 _001879_hash NULL
@@ -82712,7 +84267,7 @@ index 0000000..daaa86c
+_001986_hash rx_out_of_mem_read 3 10157 _001986_hash NULL
+_001987_hash rx_path_reset_read 3 23801 _001987_hash NULL
+_001988_hash rxpipe_beacon_buffer_thres_host_int_trig_rx_data_read 3 55106 _001988_hash NULL
-+_001989_hash rxpipe_descr_host_int_trig_rx_data_read 3 22001 _001989_hash NULL
++_001989_hash rxpipe_descr_host_int_trig_rx_data_read 3 22001 _003089_hash NULL nohasharray
+_001990_hash rxpipe_missed_beacon_host_int_trig_rx_data_read 3 63405 _001990_hash NULL
+_001991_hash rxpipe_rx_prep_beacon_drop_read 3 2403 _001991_hash NULL
+_001992_hash rxpipe_tx_xfr_host_int_trig_rx_data_read 3 35538 _001992_hash NULL
@@ -82833,7 +84388,7 @@ index 0000000..daaa86c
+_002116_hash exofs_read_kern 6 39921 _002116_hash &_001885_hash
+_002117_hash fc_change_queue_depth 2 36841 _002117_hash NULL
+_002118_hash forced_ps_read 3 31685 _002118_hash NULL
-+_002119_hash frequency_read 3 64031 _002119_hash NULL
++_002119_hash frequency_read 3 64031 _003106_hash NULL nohasharray
+_002120_hash get_alua_req 3 4166 _002120_hash NULL
+_002121_hash get_rdac_req 3 45882 _002121_hash NULL
+_002122_hash hci_sock_recvmsg 4 7072 _002122_hash NULL
@@ -82871,7 +84426,7 @@ index 0000000..daaa86c
+_002154_hash ieee80211_if_read_flags 3 57470 _002389_hash NULL nohasharray
+_002155_hash ieee80211_if_read_fwded_frames 3 36520 _002155_hash NULL
+_002156_hash ieee80211_if_read_fwded_mcast 3 39571 _002156_hash &_000151_hash
-+_002157_hash ieee80211_if_read_fwded_unicast 3 59740 _002157_hash NULL
++_002157_hash ieee80211_if_read_fwded_unicast 3 59740 _002859_hash NULL nohasharray
+_002158_hash ieee80211_if_read_last_beacon 3 31257 _002158_hash NULL
+_002159_hash ieee80211_if_read_min_discovery_timeout 3 13946 _002159_hash NULL
+_002160_hash ieee80211_if_read_num_buffered_multicast 3 12716 _002160_hash NULL
@@ -83181,7 +84736,7 @@ index 0000000..daaa86c
+_002482_hash gru_alloc_gts 2-3 60056 _002482_hash NULL
+_002484_hash handle_eviocgbit 3 44193 _002484_hash NULL
+_002485_hash hid_parse_report 3 51737 _002485_hash NULL
-+_002486_hash ieee80211_alloc_txb 1 52477 _002486_hash NULL
++_002486_hash ieee80211_alloc_txb 1-2 52477 _002486_hash NULL
+_002487_hash ieee80211_wx_set_gen_ie 3 51399 _002487_hash NULL
+_002488_hash ieee80211_wx_set_gen_ie_rsl 3 3521 _002488_hash NULL
+_002489_hash init_cdev 1 8274 _002489_hash NULL
@@ -83209,7 +84764,7 @@ index 0000000..daaa86c
+_002511_hash queue_reply 3 22416 _002511_hash NULL
+_002512_hash Realloc 2 34961 _002512_hash NULL
+_002513_hash rfc4106_set_key 3 54519 _002513_hash NULL
-+_002514_hash rtllib_alloc_txb 1 21687 _002514_hash NULL
++_002514_hash rtllib_alloc_txb 1-2 21687 _002514_hash NULL
+_002515_hash rtllib_wx_set_gen_ie 3 59808 _002515_hash NULL
+_002516_hash rts51x_transfer_data_partial 6 5735 _002516_hash NULL
+_002517_hash sparse_early_usemaps_alloc_node 4 9269 _002517_hash NULL
@@ -83227,7 +84782,7 @@ index 0000000..daaa86c
+_002529_hash xpc_kzalloc_cacheline_aligned 1 65433 _002529_hash NULL
+_002530_hash xsd_read 3 15653 _002530_hash NULL
+_002531_hash compat_do_readv_writev 4 49102 _002531_hash NULL
-+_002532_hash compat_keyctl_instantiate_key_iov 3 57431 _002532_hash NULL
++_002532_hash compat_keyctl_instantiate_key_iov 3 57431 _003117_hash NULL nohasharray
+_002533_hash compat_process_vm_rw 3-5 22254 _002533_hash NULL
+_002535_hash compat_sys_setsockopt 5 3326 _002535_hash NULL
+_002536_hash ipath_cdev_init 1 37752 _002536_hash NULL
@@ -83318,15 +84873,557 @@ index 0000000..daaa86c
+_002631_hash v9fs_fid_readn 4 60544 _002631_hash NULL
+_002632_hash v9fs_file_read 3 40858 _002632_hash NULL
+_002633_hash __devres_alloc 2 25598 _002633_hash NULL
-+_002634_hash acl_alloc 1 35979 _002634_hash NULL
-+_002635_hash acl_alloc_stack_init 1 60630 _002635_hash NULL
-+_002636_hash acl_alloc_num 1-2 60778 _002636_hash NULL
++_002634_hash alloc_dummy_extent_buffer 2 56374 _002634_hash NULL
++_002635_hash alloc_fdtable 1 17389 _002635_hash NULL
++_002636_hash alloc_large_system_hash 2 22391 _002636_hash NULL
++_002637_hash alloc_ldt 2 21972 _002637_hash NULL
++_002638_hash __alloc_skb 1 23940 _002638_hash NULL
++_002639_hash __ata_change_queue_depth 3 23484 _002639_hash NULL
++_002640_hash btrfs_alloc_free_block 3 8986 _002640_hash NULL
++_002641_hash btrfs_find_device_for_logical 2 44993 _002641_hash NULL
++_002642_hash ccid3_hc_rx_getsockopt 3 62331 _002642_hash NULL
++_002643_hash ccid3_hc_tx_getsockopt 3 16314 _002643_hash NULL
++_002644_hash cifs_readdata_alloc 1 26360 _002644_hash NULL
++_002645_hash cistpl_vers_1 4 15023 _002645_hash NULL
++_002646_hash cmm_read 3 57520 _002646_hash NULL
++_002647_hash cosa_read 3 25966 _002647_hash NULL
++_002648_hash dm_table_create 3 35687 _002648_hash NULL
++_002649_hash dpcm_state_read_file 3 65489 _002649_hash NULL
++_002651_hash edac_mc_alloc 4 3611 _002651_hash NULL
++_002652_hash ep0_read 3 38095 _002652_hash NULL
++_002653_hash event_buffer_read 3 48772 _002765_hash NULL nohasharray
++_002654_hash extend_netdev_table 2 21453 _002654_hash NULL
++_002655_hash extract_entropy_user 3 26952 _002655_hash NULL
++_002656_hash fcoe_ctlr_device_add 3 1793 _002656_hash NULL
++_002657_hash fd_do_readv 3 51297 _002657_hash NULL
++_002658_hash fd_do_writev 3 29329 _002658_hash NULL
++_002659_hash ffs_ep0_read 3 2672 _002659_hash NULL
++_002660_hash fill_readbuf 3 32464 _002660_hash NULL
++_002661_hash fw_iso_buffer_alloc 2 13704 _002661_hash NULL
++_002662_hash get_fd_set 1 3866 _002662_hash NULL
++_002663_hash hidraw_report_event 3 20503 _002663_hash NULL
++_002664_hash ieee80211_if_read_ht_opmode 3 29044 _002664_hash NULL
++_002665_hash ieee80211_if_read_num_mcast_sta 3 12419 _002665_hash NULL
++_002666_hash iwl_dbgfs_calib_disabled_read 3 22649 _002666_hash NULL
++_002667_hash iwl_dbgfs_rf_reset_read 3 26512 _002667_hash NULL
++_002668_hash ixgbe_alloc_q_vector 4-6 24439 _002668_hash NULL
++_002670_hash joydev_handle_JSIOCSAXMAP 3 48898 _002836_hash NULL nohasharray
++_002671_hash joydev_handle_JSIOCSBTNMAP 3 15643 _002671_hash NULL
++_002672_hash __kfifo_from_user_r 3 60345 _002672_hash NULL
++_002673_hash kstrtoint_from_user 2 8778 _002673_hash NULL
++_002674_hash kstrtol_from_user 2 10168 _002674_hash NULL
++_002675_hash kstrtoll_from_user 2 19500 _002675_hash NULL
++_002676_hash kstrtos16_from_user 2 28300 _002676_hash NULL
++_002677_hash kstrtos8_from_user 2 58268 _002677_hash NULL
++_002678_hash kstrtou16_from_user 2 54274 _002678_hash NULL
++_002679_hash kstrtou8_from_user 2 55599 _002679_hash NULL
++_002680_hash kstrtouint_from_user 2 10536 _002680_hash NULL
++_002681_hash kstrtoul_from_user 2 64569 _002681_hash NULL
++_002682_hash kstrtoull_from_user 2 63026 _002682_hash NULL
++_002683_hash l2cap_create_iframe_pdu 3 40055 _002683_hash NULL
++_002684_hash l2tp_ip6_recvmsg 4 62874 _002684_hash NULL
++_002685_hash mem_cgroup_read 5 22461 _002685_hash NULL
++_002686_hash nfs_fscache_get_super_cookie 3 44355 _002686_hash &_001648_hash
++_002687_hash nfs_pgarray_set 2 1085 _002687_hash NULL
++_002688_hash ntfs_rl_realloc 3 56831 _002688_hash &_000363_hash
++_002689_hash ntfs_rl_realloc_nofail 3 32173 _002689_hash NULL
++_002690_hash pn533_dep_link_up 5 22154 _002690_hash NULL
++_002691_hash port_fops_write 3 54627 _002691_hash NULL
++_002692_hash ptp_read 4 63251 _002692_hash NULL
++_002693_hash qla4xxx_change_queue_depth 2 1268 _002693_hash NULL
++_002694_hash reqsk_queue_alloc 2 40272 _002694_hash NULL
++_002695_hash resize_info_buffer 2 62889 _002695_hash NULL
++_002696_hash rfkill_fop_write 3 64808 _002696_hash NULL
++_002697_hash rt2x00debug_write_rfcsr 3 41473 _002697_hash NULL
++_002698_hash rvmalloc 1 46873 _002698_hash NULL
++_002699_hash rw_copy_check_uvector 3 45748 _002699_hash NULL
++_002700_hash sctp_getsockopt_active_key 2 45483 _002700_hash NULL
++_002701_hash sctp_getsockopt_adaptation_layer 2 45375 _002701_hash NULL
++_002702_hash sctp_getsockopt_assoc_ids 2 9043 _002702_hash NULL
++_002703_hash sctp_getsockopt_associnfo 2 58169 _002703_hash NULL
++_002704_hash sctp_getsockopt_assoc_number 2 6384 _002704_hash NULL
++_002705_hash sctp_getsockopt_auto_asconf 2 46584 _002705_hash NULL
++_002706_hash sctp_getsockopt_context 2 52490 _002706_hash NULL
++_002707_hash sctp_getsockopt_default_send_param 2 63056 _002707_hash NULL
++_002708_hash sctp_getsockopt_disable_fragments 2 12330 _002708_hash NULL
++_002709_hash sctp_getsockopt_fragment_interleave 2 51215 _002709_hash NULL
++_002710_hash sctp_getsockopt_initmsg 2 26042 _002710_hash NULL
++_002711_hash sctp_getsockopt_mappedv4 2 20044 _002711_hash NULL
++_002712_hash sctp_getsockopt_nodelay 2 9560 _002712_hash NULL
++_002713_hash sctp_getsockopt_partial_delivery_point 2 60952 _002713_hash NULL
++_002714_hash sctp_getsockopt_peeloff 2 59190 _002714_hash NULL
++_002715_hash sctp_getsockopt_peer_addr_info 2 6024 _002715_hash NULL
++_002716_hash sctp_getsockopt_peer_addr_params 2 53645 _002716_hash NULL
++_002717_hash sctp_getsockopt_primary_addr 2 24639 _002717_hash NULL
++_002718_hash sctp_getsockopt_rtoinfo 2 62027 _002718_hash NULL
++_002719_hash sctp_getsockopt_sctp_status 2 56540 _002719_hash NULL
++_002720_hash self_check_write 5 50856 _002720_hash NULL
++_002721_hash smk_read_mapped 3 7562 _002721_hash NULL
++_002722_hash smk_set_cipso 3 20379 _002722_hash NULL
++_002723_hash smk_user_access 3 24440 _002723_hash NULL
++_002724_hash smk_write_mapped 3 13519 _002724_hash NULL
++_002725_hash smk_write_rules_list 3 18565 _002725_hash NULL
++_002726_hash snd_mixart_BA0_read 5 45069 _002726_hash NULL
++_002727_hash snd_mixart_BA1_read 5 5082 _002727_hash NULL
++_002728_hash snd_pcm_oss_read2 3 54387 _002728_hash NULL
++_002729_hash syslog_print 2 307 _002729_hash NULL
++_002730_hash tcp_dma_try_early_copy 3 4457 _002730_hash NULL
++_002731_hash tcp_send_rcvq 3 11316 _002731_hash NULL
++_002732_hash tomoyo_init_log 2 61526 _002732_hash NULL
++_002733_hash ubi_dump_flash 4 46381 _002733_hash NULL
++_002734_hash ubi_eba_atomic_leb_change 5 60379 _002734_hash NULL
++_002735_hash ubi_eba_write_leb 5-6 36029 _002735_hash NULL
++_002737_hash ubi_eba_write_leb_st 5 44343 _002737_hash NULL
++_002738_hash ubi_self_check_all_ff 4 41959 _002738_hash NULL
++_002739_hash unix_bind 3 15668 _002739_hash NULL
++_002740_hash usbvision_rvmalloc 1 19655 _002740_hash NULL
++_002742_hash v4l2_ctrl_new 7 24927 _002742_hash NULL
++_002743_hash v4l2_event_subscribe 3 53687 _002743_hash NULL
++_002744_hash v9fs_direct_read 3 45546 _002744_hash NULL
++_002745_hash v9fs_file_readn 4 36353 _002745_hash &_001606_hash
++_002746_hash __videobuf_alloc_vb 1 5665 _002746_hash NULL
++_002747_hash wm8350_write 3 24480 _002747_hash NULL
++_002748_hash xfs_buf_read_uncached 3 42844 _002748_hash NULL
++_002749_hash yurex_write 3 8761 _002749_hash NULL
++_002750_hash alloc_skb 1 55439 _002750_hash NULL
++_002751_hash alloc_skb_fclone 1 3467 _002751_hash NULL
++_002752_hash ata_scsi_change_queue_depth 2 23126 _002752_hash NULL
++_002753_hash ath6kl_disconnect_timeout_write 3 794 _002753_hash NULL
++_002754_hash ath6kl_keepalive_write 3 45600 _002754_hash NULL
++_002755_hash ath6kl_lrssi_roam_write 3 8362 _002755_hash NULL
++_002756_hash ath6kl_regread_write 3 14220 _002756_hash NULL
++_002757_hash core_sys_select 1 47494 _002757_hash NULL
++_002758_hash do_syslog 3 56807 _002758_hash NULL
++_002759_hash expand_fdtable 2 39273 _002759_hash NULL
++_002760_hash fd_execute_cmd 3 1132 _002760_hash NULL
++_002761_hash get_chars 3 40373 _002761_hash NULL
++_002762_hash hid_report_raw_event 4 2762 _002762_hash NULL
++_002763_hash inet_csk_listen_start 2 38233 _002763_hash NULL
++_002764_hash kstrtou32_from_user 2 30361 _002764_hash NULL
++_002765_hash l2cap_segment_sdu 4 48772 _002765_hash &_002653_hash
++_002766_hash __netdev_alloc_skb 2 18595 _002766_hash NULL
++_002767_hash nfs_readdata_alloc 2 65015 _002767_hash NULL
++_002768_hash nfs_writedata_alloc 2 12133 _002768_hash NULL
++_002769_hash ntfs_rl_append 2-4 6037 _002769_hash NULL
++_002771_hash ntfs_rl_insert 2-4 4931 _002771_hash NULL
++_002773_hash ntfs_rl_replace 2-4 14136 _002773_hash NULL
++_002775_hash ntfs_rl_split 2-4 52328 _002775_hash NULL
++_002777_hash port_fops_read 3 49626 _002777_hash NULL
++_002778_hash random_read 3 13815 _002778_hash NULL
++_002779_hash sg_proc_write_adio 3 45704 _002779_hash NULL
++_002780_hash sg_proc_write_dressz 3 46316 _002780_hash NULL
++_002781_hash tcp_sendmsg 4 30296 _002781_hash NULL
++_002782_hash tomoyo_write_log2 2 34318 _002782_hash NULL
++_002783_hash ubi_leb_change 4 10289 _002783_hash NULL
++_002784_hash ubi_leb_write 4-5 5478 _002784_hash NULL
++_002786_hash urandom_read 3 30462 _002786_hash NULL
++_002787_hash v9fs_cached_file_read 3 2514 _002787_hash NULL
++_002788_hash __videobuf_alloc_cached 1 12740 _002788_hash NULL
++_002789_hash __videobuf_alloc_uncached 1 55711 _002789_hash NULL
++_002790_hash wm8350_block_write 3 19727 _002790_hash NULL
++_002791_hash alloc_tx 2 32143 _002791_hash NULL
++_002792_hash alloc_wr 1-2 24635 _002792_hash NULL
++_002794_hash ath6kl_endpoint_stats_write 3 59621 _002794_hash NULL
++_002795_hash ath6kl_fwlog_mask_write 3 24810 _002795_hash NULL
++_002796_hash ath9k_wmi_cmd 4 327 _002796_hash NULL
++_002797_hash atm_alloc_charge 2 19517 _002879_hash NULL nohasharray
++_002798_hash ax25_output 2 22736 _002798_hash NULL
++_002799_hash bcsp_prepare_pkt 3 12961 _002799_hash NULL
++_002800_hash bt_skb_alloc 1 6404 _002800_hash NULL
++_002801_hash capinc_tty_write 3 28539 _002801_hash NULL
++_002802_hash cfpkt_create_pfx 1-2 23594 _002802_hash NULL
++_002804_hash cmd_complete 6 51629 _002804_hash NULL
++_002805_hash cmtp_add_msgpart 4 9252 _002805_hash NULL
++_002806_hash cmtp_send_interopmsg 7 376 _002806_hash NULL
++_002807_hash cxgb3_get_cpl_reply_skb 2 10620 _002807_hash NULL
++_002808_hash dbg_leb_change 4 23555 _002808_hash NULL
++_002809_hash dbg_leb_write 4-5 63555 _002809_hash &_000940_hash
++_002811_hash dccp_listen_start 2 35918 _002811_hash NULL
++_002812_hash __dev_alloc_skb 1 28681 _002812_hash NULL
++_002813_hash diva_os_alloc_message_buffer 1 64568 _002813_hash NULL
++_002814_hash dn_alloc_skb 2 6631 _002814_hash NULL
++_002815_hash do_pselect 1 62061 _002815_hash NULL
++_002816_hash _fc_frame_alloc 1 43568 _002816_hash NULL
++_002817_hash find_skb 2 20431 _002817_hash NULL
++_002818_hash fm_send_cmd 5 39639 _002818_hash NULL
++_002819_hash gem_alloc_skb 2 51715 _002819_hash NULL
++_002820_hash get_packet 3 41914 _002820_hash NULL
++_002821_hash get_packet 3 5747 _002821_hash NULL
++_002822_hash get_packet_pg 4 28023 _002822_hash NULL
++_002823_hash get_skb 2 63008 _002823_hash NULL
++_002824_hash hidp_queue_report 3 1881 _002824_hash NULL
++_002825_hash __hidp_send_ctrl_message 4 28303 _002825_hash NULL
++_002826_hash hycapi_rx_capipkt 3 11602 _002826_hash NULL
++_002827_hash i2400m_net_rx 5 27170 _002827_hash NULL
++_002828_hash igmpv3_newpack 2 35912 _002828_hash NULL
++_002829_hash inet_listen 2 14723 _002829_hash NULL
++_002830_hash isdn_net_ciscohdlck_alloc_skb 2 55209 _002830_hash &_001724_hash
++_002831_hash isdn_ppp_ccp_xmit_reset 6 63297 _002831_hash NULL
++_002832_hash kmsg_read 3 46514 _002832_hash NULL
++_002833_hash _l2_alloc_skb 1 11883 _002833_hash NULL
++_002834_hash l3_alloc_skb 1 32289 _002834_hash NULL
++_002835_hash llc_alloc_frame 4 64366 _002835_hash NULL
++_002836_hash mac_drv_rx_init 2 48898 _002836_hash &_002670_hash
++_002837_hash mgmt_event 4 12810 _002837_hash NULL
++_002838_hash mI_alloc_skb 1 24770 _002838_hash NULL
++_002839_hash nci_skb_alloc 2 49757 _002839_hash NULL
++_002840_hash netdev_alloc_skb 2 62437 _002840_hash NULL
++_002841_hash __netdev_alloc_skb_ip_align 2 55067 _002841_hash NULL
++_002842_hash new_skb 1 21148 _002842_hash NULL
++_002843_hash nfc_alloc_recv_skb 1 10244 _002843_hash NULL
++_002844_hash nfcwilink_skb_alloc 1 16167 _002844_hash NULL
++_002845_hash nfulnl_alloc_skb 2 65207 _002845_hash NULL
++_002846_hash ni65_alloc_mem 3 10664 _002846_hash NULL
++_002847_hash pep_alloc_skb 3 46303 _002847_hash NULL
++_002848_hash pn_raw_send 2 54330 _002848_hash NULL
++_002849_hash __pskb_copy 2 9038 _002849_hash NULL
++_002850_hash refill_pool 2 19477 _002850_hash NULL
++_002851_hash rfcomm_wmalloc 2 58090 _002851_hash NULL
++_002852_hash rx 4 57944 _002852_hash NULL
++_002853_hash sctp_ulpevent_new 1 33377 _002853_hash NULL
++_002854_hash send_command 4 10832 _002854_hash NULL
++_002855_hash skb_copy_expand 2-3 7685 _002855_hash &_000671_hash
++_002857_hash sk_stream_alloc_skb 2 57622 _002857_hash NULL
++_002858_hash sock_alloc_send_pskb 2 21246 _002858_hash NULL
++_002859_hash sock_rmalloc 2 59740 _002859_hash &_002157_hash
++_002860_hash sock_wmalloc 2 16472 _002860_hash NULL
++_002861_hash solos_param_store 4 34755 _002861_hash NULL
++_002862_hash sys_select 1 38827 _002862_hash NULL
++_002863_hash sys_syslog 3 10746 _002863_hash NULL
++_002864_hash t4vf_pktgl_to_skb 2 39005 _002864_hash NULL
++_002865_hash tcp_collapse 5-6 63294 _002865_hash NULL
++_002867_hash tipc_cfg_reply_alloc 1 27606 _002867_hash NULL
++_002868_hash ubifs_leb_change 4 17789 _002868_hash NULL
++_002869_hash ubifs_leb_write 4-5 22679 _002869_hash NULL
++_002871_hash ulog_alloc_skb 1 23427 _002871_hash NULL
++_002872_hash _alloc_mISDN_skb 3 52232 _002872_hash NULL
++_002873_hash ath9k_multi_regread 4 65056 _002873_hash NULL
++_002874_hash ath_rxbuf_alloc 2 24745 _002874_hash NULL
++_002875_hash ax25_send_frame 2 19964 _002875_hash NULL
++_002876_hash bchannel_get_rxbuf 2 37213 _002876_hash NULL
++_002877_hash cfpkt_create 1 18197 _002877_hash NULL
++_002878_hash console_store 4 36007 _002878_hash NULL
++_002879_hash dev_alloc_skb 1 19517 _002879_hash &_002797_hash
++_002880_hash dn_nsp_do_disc 2-6 49474 _002880_hash NULL
++_002882_hash do_write_orph_node 2 64343 _002882_hash NULL
++_002883_hash dsp_cmx_send_member 2 15625 _002883_hash NULL
++_002884_hash fc_frame_alloc 2 1596 _002884_hash NULL
++_002885_hash fc_frame_alloc_fill 2 59394 _002885_hash NULL
++_002886_hash fmc_send_cmd 5 20435 _002886_hash NULL
++_002887_hash hci_send_cmd 3 43810 _002887_hash NULL
++_002888_hash hci_si_event 3 1404 _002888_hash NULL
++_002889_hash hfcpci_empty_bfifo 4 62323 _002889_hash NULL
++_002890_hash hidp_send_ctrl_message 4 43702 _002890_hash NULL
++_002891_hash hysdn_sched_rx 3 60533 _002891_hash NULL
++_002892_hash inet_dccp_listen 2 28565 _002892_hash NULL
++_002893_hash ip6_append_data 4-5 36490 _002893_hash NULL
++_002894_hash __ip_append_data 7-8 36191 _002894_hash NULL
++_002895_hash l1oip_socket_recv 6 56537 _002895_hash NULL
++_002896_hash l2cap_build_cmd 4 48676 _002896_hash NULL
++_002897_hash l2down_create 4 21755 _002897_hash NULL
++_002898_hash l2up_create 3 6430 _002898_hash NULL
++_002899_hash ldisc_receive 4 41516 _002899_hash NULL
++_002902_hash lro_gen_skb 6 2644 _002902_hash NULL
++_002903_hash macvtap_alloc_skb 2-4-3 50629 _002903_hash NULL
++_002906_hash mgmt_device_found 10 14146 _002906_hash NULL
++_002907_hash nci_send_cmd 3 58206 _002907_hash NULL
++_002908_hash netdev_alloc_skb_ip_align 2 40811 _002908_hash NULL
++_002909_hash nfcwilink_send_bts_cmd 3 10802 _002909_hash NULL
++_002910_hash nfqnl_mangle 2 14583 _002910_hash NULL
++_002911_hash p54_alloc_skb 3 34366 _002911_hash &_000475_hash
++_002912_hash packet_alloc_skb 2-5-4 62602 _002912_hash NULL
++_002915_hash pep_indicate 5 38611 _002915_hash NULL
++_002916_hash pep_reply 5 50582 _002916_hash NULL
++_002917_hash pipe_handler_request 5 50774 _002917_hash &_001189_hash
++_002918_hash ql_process_mac_rx_page 4 15543 _002918_hash NULL
++_002919_hash ql_process_mac_rx_skb 4 6689 _002919_hash NULL
++_002920_hash rfcomm_tty_write 3 51603 _002920_hash NULL
++_002921_hash send_mpa_reject 3 7135 _002921_hash NULL
++_002922_hash send_mpa_reply 3 32372 _002922_hash NULL
++_002923_hash set_rxd_buffer_pointer 8 9950 _002923_hash NULL
++_002924_hash sge_rx 3 50594 _002924_hash NULL
++_002925_hash skb_cow_data 2 11565 _002925_hash NULL
++_002926_hash smp_build_cmd 3 45853 _002926_hash NULL
++_002927_hash sock_alloc_send_skb 2 23720 _002927_hash NULL
++_002928_hash sys_pselect6 1 57449 _002928_hash NULL
++_002929_hash tcp_fragment 3 20436 _002929_hash NULL
++_002930_hash teiup_create 3 43201 _002930_hash NULL
++_002931_hash tg3_run_loopback 2 30093 _002931_hash NULL
++_002932_hash tun_alloc_skb 2-4-3 41216 _002932_hash NULL
++_002935_hash ubifs_write_node 5 11258 _002935_hash NULL
++_002936_hash use_pool 2 64607 _002936_hash NULL
++_002937_hash vxge_rx_alloc 3 52024 _002937_hash NULL
++_002938_hash add_packet 3 54433 _002938_hash NULL
++_002939_hash add_rx_skb 3 8257 _002939_hash NULL
++_002940_hash ath6kl_buf_alloc 1 57304 _002940_hash NULL
++_002941_hash bat_iv_ogm_aggregate_new 2 2620 _002941_hash NULL
++_002942_hash bnx2fc_process_l2_frame_compl 3 65072 _002942_hash NULL
++_002943_hash brcmu_pkt_buf_get_skb 1 5556 _002943_hash NULL
++_002944_hash br_send_bpdu 3 29669 _002944_hash NULL
++_002945_hash bt_skb_send_alloc 2 6581 _002945_hash NULL
++_002946_hash c4iw_reject_cr 3 28174 _002946_hash NULL
++_002947_hash carl9170_rx_copy_data 2 21656 _002947_hash NULL
++_002948_hash cfpkt_add_body 3 44630 _002948_hash NULL
++_002949_hash cfpkt_append 3 61206 _002949_hash NULL
++_002950_hash cosa_net_setup_rx 2 38594 _002950_hash NULL
++_002951_hash cxgb4_pktgl_to_skb 2 61899 _002951_hash NULL
++_002952_hash dn_alloc_send_pskb 2 4465 _002952_hash NULL
++_002953_hash dn_nsp_return_disc 2 60296 _002953_hash NULL
++_002954_hash dn_nsp_send_disc 2 23469 _002954_hash NULL
++_002955_hash dsp_tone_hw_message 3 17678 _002955_hash NULL
++_002956_hash dvb_net_sec 3 37884 _002956_hash NULL
++_002957_hash e1000_check_copybreak 3 62448 _002957_hash NULL
++_002958_hash fast_rx_path 3 59214 _002958_hash NULL
++_002959_hash fc_fcp_frame_alloc 2 12624 _002959_hash NULL
++_002960_hash fcoe_ctlr_send_keep_alive 3 15308 _002960_hash NULL
++_002961_hash fwnet_incoming_packet 3 40380 _002961_hash NULL
++_002962_hash fwnet_pd_new 4 39947 _002962_hash NULL
++_002963_hash got_frame 2 16028 _002963_hash NULL
++_002964_hash gsm_mux_rx_netchar 3 33336 _002964_hash NULL
++_002965_hash hdlcdev_rx 3 997 _002965_hash NULL
++_002966_hash hdlc_empty_fifo 2 18397 _002966_hash NULL
++_002967_hash hfc_empty_fifo 2 57972 _002967_hash NULL
++_002968_hash hfcpci_empty_fifo 4 2427 _002968_hash NULL
++_002969_hash hfcsusb_rx_frame 3 52745 _002969_hash NULL
++_002970_hash hidp_output_raw_report 3 5629 _002970_hash NULL
++_002971_hash hscx_empty_fifo 2 13360 _002971_hash NULL
++_002972_hash hysdn_rx_netpkt 3 16136 _002972_hash NULL
++_002973_hash ieee80211_fragment 4 33112 _002973_hash NULL
++_002974_hash ieee80211_probereq_get 4-6 29069 _002974_hash NULL
++_002976_hash ieee80211_send_auth 5 24121 _002976_hash NULL
++_002977_hash ieee80211_set_probe_resp 3 10077 _002977_hash NULL
++_002978_hash ieee80211_tdls_mgmt 8 9581 _002978_hash NULL
++_002979_hash ip6_ufo_append_data 5-7-6 4780 _002979_hash NULL
++_002982_hash ip_ufo_append_data 6-8-7 12775 _002982_hash NULL
++_002985_hash ipw_packet_received_skb 2 1230 _002985_hash NULL
++_002986_hash iwch_reject_cr 3 23901 _002986_hash NULL
++_002987_hash iwm_rx_packet_alloc 3 9898 _002987_hash NULL
++_002988_hash ixgb_check_copybreak 3 5847 _002988_hash NULL
++_002989_hash l1oip_socket_parse 4 4507 _002989_hash NULL
++_002990_hash l2cap_send_cmd 4 14548 _002990_hash NULL
++_002991_hash l2tp_ip6_sendmsg 4 7461 _002991_hash NULL
++_002993_hash lowpan_fragment_xmit 3-4 22095 _002993_hash NULL
++_002996_hash mcs_unwrap_fir 3 25733 _002996_hash NULL
++_002997_hash mcs_unwrap_mir 3 9455 _002997_hash NULL
++_002998_hash mld_newpack 2 50950 _002998_hash NULL
++_002999_hash nfc_alloc_send_skb 4 3167 _002999_hash NULL
++_003000_hash p54_download_eeprom 4 43842 _003000_hash NULL
++_003002_hash ppp_tx_cp 5 62044 _003002_hash NULL
++_003003_hash prism2_send_mgmt 4 62605 _003003_hash &_001876_hash
++_003004_hash prism2_sta_send_mgmt 5 43916 _003004_hash NULL
++_003005_hash _queue_data 4 54983 _003005_hash NULL
++_003006_hash read_dma 3 55086 _003006_hash NULL
++_003007_hash read_fifo 3 826 _003007_hash NULL
++_003008_hash receive_copy 3 12216 _003008_hash NULL
++_003009_hash rtl8169_try_rx_copy 3 705 _003009_hash NULL
++_003010_hash _rtl92s_firmware_downloadcode 3 14021 _003010_hash NULL
++_003011_hash rx_data 4 60442 _003011_hash NULL
++_003012_hash sis190_try_rx_copy 3 57069 _003012_hash NULL
++_003013_hash skge_rx_get 3 40598 _003013_hash NULL
++_003014_hash tcp_mark_head_lost 2 35895 _003014_hash NULL
++_003015_hash tcp_match_skb_to_sack 3-4 23568 _003015_hash NULL
++_003017_hash tso_fragment 3 29050 _003017_hash NULL
++_003018_hash tt_response_fill_table 1 57902 _003018_hash NULL
++_003020_hash udpv6_sendmsg 4 22316 _003020_hash NULL
++_003021_hash velocity_rx_copy 2 34583 _003021_hash NULL
++_003022_hash W6692_empty_Bfifo 2 47804 _003022_hash NULL
++_003023_hash zd_mac_rx 3 38296 _003023_hash NULL
++_003024_hash ath6kl_wmi_get_new_buf 1 52304 _003024_hash NULL
++_003025_hash bat_iv_ogm_queue_add 3 30870 _003025_hash NULL
++_003026_hash brcmf_alloc_pkt_and_read 2 63116 _003026_hash &_001808_hash
++_003027_hash brcmf_sdcard_recv_buf 6 38179 _003027_hash NULL
++_003028_hash brcmf_sdcard_rwdata 5 65041 _003028_hash NULL
++_003029_hash brcmf_sdcard_send_buf 6 7713 _003029_hash NULL
++_003030_hash carl9170_handle_mpdu 3 11056 _003030_hash NULL
++_003031_hash cfpkt_add_trail 3 27260 _003031_hash NULL
++_003032_hash cfpkt_pad_trail 2 55511 _003032_hash NULL
++_003033_hash dvb_net_sec_callback 2 28786 _003033_hash NULL
++_003034_hash fwnet_receive_packet 9 50537 _003034_hash NULL
++_003035_hash handle_rx_packet 3 58993 _003035_hash NULL
++_003036_hash HDLC_irq 2 8709 _003036_hash NULL
++_003037_hash hdlc_rpr_irq 2 10240 _003037_hash NULL
++_003043_hash ipwireless_network_packet_received 4 51277 _003043_hash NULL
++_003044_hash l2cap_bredr_sig_cmd 3 49065 _003044_hash NULL
++_003045_hash l2cap_sock_alloc_skb_cb 2 33532 _003045_hash NULL
++_003046_hash llcp_allocate_pdu 3 19866 _003046_hash NULL
++_003047_hash ppp_cp_event 6 2965 _003047_hash NULL
++_003048_hash receive_client_update_packet 3 49104 _003048_hash NULL
++_003049_hash receive_server_sync_packet 3 59021 _003049_hash NULL
++_003050_hash sky2_receive 2 13407 _003050_hash NULL
++_003051_hash tcp_sacktag_walk 5-6 49703 _003051_hash NULL
++_003053_hash tcp_write_xmit 2 64602 _003053_hash NULL
++_003054_hash ath6kl_wmi_add_wow_pattern_cmd 4 12842 _003054_hash NULL
++_003055_hash ath6kl_wmi_beginscan_cmd 8 25462 _003055_hash NULL
++_003056_hash ath6kl_wmi_send_probe_response_cmd 6 31728 _003056_hash NULL
++_003057_hash ath6kl_wmi_set_appie_cmd 5 39266 _003057_hash NULL
++_003058_hash ath6kl_wmi_set_ie_cmd 6 37260 _003058_hash NULL
++_003059_hash ath6kl_wmi_startscan_cmd 8 33674 _003059_hash NULL
++_003060_hash ath6kl_wmi_test_cmd 3 27312 _003060_hash NULL
++_003061_hash brcmf_sdbrcm_membytes 3-5 37324 _003061_hash NULL
++_003063_hash brcmf_sdbrcm_read_control 3 22721 _003063_hash NULL
++_003064_hash brcmf_tx_frame 3 20978 _003064_hash NULL
++_003065_hash __carl9170_rx 3 56784 _003065_hash NULL
++_003066_hash cfpkt_setlen 2 49343 _003066_hash NULL
++_003067_hash hdlc_irq_one 2 3944 _003067_hash NULL
++_003069_hash tcp_push_one 2 48816 _003069_hash NULL
++_003070_hash __tcp_push_pending_frames 2 48148 _003070_hash NULL
++_003071_hash brcmf_sdbrcm_bus_txctl 3 42492 _003071_hash NULL
++_003072_hash carl9170_rx 3 13272 _003072_hash NULL
++_003073_hash carl9170_rx_stream 3 1334 _003073_hash NULL
++_003074_hash tcp_push 3 10680 _003074_hash NULL
++_003075_hash create_log 2 8225 _003075_hash NULL
++_003076_hash expand_files 2 17080 _003076_hash NULL
++_003077_hash iio_device_alloc 1 41440 _003077_hash NULL
++_003078_hash OS_mem_token_alloc 1 14276 _003078_hash NULL
++_003079_hash packet_came 3 18072 _003079_hash NULL
++_003080_hash softsynth_write 3 3455 _003080_hash NULL
++_003081_hash alloc_fd 1 37637 _003081_hash NULL
++_003082_hash sys_dup3 2 33421 _003082_hash NULL
++_003083_hash do_fcntl 3 31468 _003083_hash NULL
++_003084_hash sys_dup2 2 25284 _003084_hash NULL
++_003085_hash sys_fcntl 3 19267 _003085_hash NULL
++_003086_hash sys_fcntl64 3 29031 _003086_hash NULL
++_003087_hash cmpk_message_handle_tx 4 54024 _003087_hash NULL
++_003088_hash comedi_buf_alloc 3 24822 _003088_hash NULL
++_003089_hash compat_rw_copy_check_uvector 3 22001 _003089_hash &_001989_hash
++_003090_hash compat_sys_fcntl64 3 60256 _003090_hash NULL
++_003091_hash evtchn_write 3 43278 _003091_hash NULL
++_003092_hash fw_download_code 3 13249 _003092_hash NULL
++_003093_hash fwSendNullPacket 2 54618 _003093_hash NULL
++_003095_hash ieee80211_authentication_req 3 63973 _003095_hash NULL
++_003097_hash rtllib_authentication_req 3 26713 _003097_hash NULL
++_003098_hash SendTxCommandPacket 3 42901 _003098_hash NULL
++_003099_hash snd_nm256_capture_copy 5 28622 _003099_hash NULL
++_003100_hash snd_nm256_playback_copy 5 38567 _003100_hash NULL
++_003101_hash tomoyo_init_log 2 14806 _003101_hash NULL
++_003102_hash usbdux_attach_common 4 51764 _003102_hash NULL
++_003103_hash compat_sys_fcntl 3 15654 _003103_hash NULL
++_003104_hash ieee80211_auth_challenge 3 18810 _003104_hash NULL
++_003105_hash ieee80211_rtl_auth_challenge 3 61897 _003105_hash NULL
++_003106_hash resize_async_buffer 4 64031 _003106_hash &_002119_hash
++_003107_hash rtllib_auth_challenge 3 12493 _003107_hash NULL
++_003108_hash tomoyo_write_log2 2 11732 _003108_hash NULL
++_003109_hash l2cap_sock_alloc_skb_cb 2 27671 _003109_hash NULL
++_003110_hash tcp_sacktag_walk 5-6 26339 _003110_hash NULL
++_003112_hash tcp_write_xmit 2 39755 _003112_hash NULL
++_003113_hash ab8500_address_write 3 4099 _003113_hash NULL
++_003114_hash ab8500_bank_write 3 51960 _003114_hash NULL
++_003115_hash ab8500_val_write 3 16473 _003115_hash NULL
++_003116_hash allocate_probes 1 40204 _003116_hash NULL
++_003117_hash alloc_ftrace_hash 1 57431 _003117_hash &_002532_hash
++_003118_hash __alloc_preds 2 9492 _003118_hash NULL
++_003119_hash __alloc_pred_stack 2 26687 _003119_hash NULL
++_003120_hash alloc_sched_domains 1 47756 _003120_hash NULL
++_003121_hash alloc_trace_probe 6 12323 _003121_hash NULL
++_003122_hash blk_dropped_read 3 4168 _003122_hash NULL
++_003123_hash blk_msg_write 3 13655 _003123_hash NULL
++_003124_hash cyttsp_probe 4 1940 _003124_hash NULL
++_003125_hash dccpprobe_read 3 52549 _003125_hash NULL
++_003126_hash event_enable_read 3 7074 _003126_hash NULL
++_003127_hash event_enable_write 3 45238 _003127_hash NULL
++_003128_hash event_filter_read 3 23494 _003128_hash NULL
++_003129_hash event_filter_write 3 56609 _003129_hash NULL
++_003130_hash event_id_read 3 64288 _003130_hash &_001240_hash
++_003131_hash ftrace_pid_write 3 39710 _003131_hash NULL
++_003132_hash ftrace_profile_read 3 21327 _003132_hash NULL
++_003133_hash ftrace_profile_write 3 53327 _003133_hash NULL
++_003134_hash hsc_msg_alloc 1 60990 _003134_hash NULL
++_003135_hash hsc_write 3 55875 _003135_hash NULL
++_003136_hash hsi_alloc_controller 1 41802 _003136_hash NULL
++_003137_hash hsi_register_board_info 2 13820 _003137_hash NULL
++_003138_hash ivtvfb_write 3 40023 _003138_hash NULL
++_003139_hash probes_write 3 29711 _003139_hash NULL
++_003140_hash rb_simple_read 3 45972 _003140_hash NULL
++_003141_hash rb_simple_write 3 20890 _003141_hash NULL
++_003142_hash show_header 3 4722 _003142_hash &_000736_hash
++_003143_hash stack_max_size_read 3 1445 _003143_hash NULL
++_003144_hash stack_max_size_write 3 36068 _003144_hash NULL
++_003145_hash subsystem_filter_read 3 62310 _003145_hash NULL
++_003146_hash subsystem_filter_write 3 13022 _003146_hash NULL
++_003147_hash system_enable_read 3 25815 _003147_hash NULL
++_003148_hash system_enable_write 3 61396 _003148_hash NULL
++_003149_hash trace_options_core_read 3 47390 _003149_hash NULL
++_003150_hash trace_options_core_write 3 61551 _003150_hash NULL
++_003151_hash trace_options_read 3 11419 _003151_hash NULL
++_003152_hash trace_options_write 3 48275 _003152_hash NULL
++_003153_hash trace_parser_get_init 2 31379 _003153_hash NULL
++_003154_hash trace_seq_to_user 3 65398 _003154_hash NULL
++_003155_hash tracing_buffers_read 3 11124 _003155_hash NULL
++_003156_hash tracing_clock_write 3 27961 _003156_hash NULL
++_003157_hash tracing_cpumask_read 3 7010 _003157_hash NULL
++_003158_hash tracing_ctrl_read 3 46922 _003158_hash NULL
++_003159_hash tracing_ctrl_write 3 42324 _003159_hash &_001726_hash
++_003160_hash tracing_entries_read 3 8345 _003160_hash NULL
++_003161_hash tracing_entries_write 3 60563 _003161_hash NULL
++_003162_hash tracing_max_lat_read 3 8890 _003162_hash NULL
++_003163_hash tracing_max_lat_write 3 8728 _003163_hash NULL
++_003164_hash tracing_read_dyn_info 3 45468 _003164_hash NULL
++_003165_hash tracing_readme_read 3 16493 _003165_hash NULL
++_003166_hash tracing_saved_cmdlines_read 3 21434 _003166_hash NULL
++_003167_hash tracing_set_trace_read 3 44122 _003167_hash NULL
++_003168_hash tracing_set_trace_write 3 57096 _003168_hash NULL
++_003169_hash tracing_stats_read 3 34537 _003169_hash NULL
++_003170_hash tracing_total_entries_read 3 62817 _003170_hash NULL
++_003171_hash tracing_trace_options_write 3 153 _003171_hash NULL
++_003172_hash ttm_put_pages 2 9179 _003172_hash NULL
++_003173_hash u_memcpya 2-3 30139 _003173_hash NULL
++_003174_hash alloc_and_copy_ftrace_hash 1 29368 _003174_hash NULL
++_003175_hash ath6kl_sdio_alloc_prep_scat_req 2 51986 _003175_hash NULL
++_003176_hash ath6kl_usb_submit_ctrl_in 6 32880 _003176_hash &_000778_hash
++_003177_hash ath6kl_usb_submit_ctrl_out 6 9978 _003177_hash NULL
++_003178_hash brcmf_usbdev_qinit 2 19090 _003178_hash &_001533_hash
++_003179_hash brcmf_usb_dl_cmd 4 53130 _003179_hash NULL
++_003180_hash create_trace_probe 1 20175 _003180_hash NULL
++_003181_hash da9052_group_write 3 4534 _003181_hash NULL
++_003182_hash mmio_read 4 40348 _003182_hash NULL
++_003183_hash ptp_filter_init 2 36780 _003183_hash NULL
++_003184_hash read_file_dfs 3 43145 _003184_hash NULL
++_003185_hash tracing_read_pipe 3 35312 _003185_hash NULL
++_003186_hash vivi_read 3 23073 _003186_hash NULL
++_003187_hash arcfb_write 3 8702 _003187_hash NULL
++_003188_hash beacon_interval_write 3 17952 _003188_hash NULL
++_003189_hash brcmf_usb_attach 1-2 44656 _003189_hash NULL
++_003191_hash broadsheetfb_write 3 39976 _003191_hash NULL
++_003192_hash broadsheet_spiflash_rewrite_sector 2 54864 _003192_hash NULL
++_003193_hash dtim_interval_write 3 30489 _003193_hash NULL
++_003194_hash dynamic_ps_timeout_write 3 37713 _003194_hash NULL
++_003195_hash f_audio_buffer_alloc 1 41110 _003195_hash NULL
++_003196_hash fb_sys_read 3 13778 _003196_hash NULL
++_003197_hash fb_sys_write 3 33130 _003197_hash NULL
++_003198_hash forced_ps_write 3 37209 _003198_hash NULL
++_003199_hash gpio_power_write 3 1991 _003199_hash NULL
++_003200_hash hecubafb_write 3 26942 _003200_hash NULL
++_003201_hash metronomefb_write 3 8823 _003201_hash NULL
++_003202_hash odev_update 2 50169 _003202_hash NULL
++_003203_hash oz_add_farewell 5 20652 _003203_hash NULL
++_003204_hash oz_cdev_read 3 20659 _003204_hash NULL
++_003205_hash oz_cdev_write 3 33852 _003205_hash NULL
++_003206_hash oz_ep_alloc 2 5587 _003206_hash NULL
++_003207_hash pmcraid_copy_sglist 3 38431 _003207_hash NULL
++_003208_hash rx_streaming_always_write 3 32357 _003208_hash NULL
++_003209_hash rx_streaming_interval_write 3 50120 _003209_hash NULL
++_003210_hash split_scan_timeout_write 3 52128 _003210_hash NULL
++_003211_hash suspend_dtim_interval_write 3 48854 _003211_hash NULL
++_003212_hash ufx_alloc_urb_list 3 10349 _003212_hash NULL
++_003213_hash viafb_dfph_proc_write 3 49288 _003213_hash NULL
++_003214_hash viafb_dfpl_proc_write 3 627 _003214_hash NULL
++_003215_hash viafb_dvp0_proc_write 3 23023 _003215_hash NULL
++_003216_hash viafb_dvp1_proc_write 3 48864 _003216_hash NULL
++_003217_hash viafb_vt1636_proc_write 3 16018 _003217_hash NULL
++_003218_hash wl1271_rx_handle_data 3 56360 _003218_hash NULL
++_003219_hash wl12xx_cmd_build_probe_req 6-8 3098 _003219_hash NULL
++_003220_hash picolcd_fb_write 3 2318 _003220_hash NULL
++_003221_hash dlfb_ops_write 3 64150 _003221_hash NULL
++_003222_hash ufx_ops_write 3 54848 _003222_hash NULL
++_003223_hash viafb_iga1_odev_proc_write 3 36241 _003223_hash NULL
++_003224_hash viafb_iga2_odev_proc_write 3 2363 _003224_hash NULL
++_003225_hash xenfb_write 3 43412 _003225_hash NULL
diff --git a/tools/gcc/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin.c
new file mode 100644
-index 0000000..cc96254
+index 0000000..24b6c8e
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin.c
-@@ -0,0 +1,1204 @@
+@@ -0,0 +1,1595 @@
+/*
+ * Copyright 2011, 2012 by Emese Revfy <re.emese@gmail.com>
+ * Licensed under the GPL v2, or (at your option) v3
@@ -83369,6 +85466,14 @@ index 0000000..cc96254
+
+#include "size_overflow_hash.h"
+
++enum marked {
++ MARKED_NO, MARKED_YES, MARKED_NOT_INTENTIONAL
++};
++
++enum overflow_reason {
++ OVERFLOW_NONE, OVERFLOW_INTENTIONAL
++};
++
+#define __unused __attribute__((__unused__))
+#define NAME(node) IDENTIFIER_POINTER(DECL_NAME(node))
+#define NAME_LEN(node) IDENTIFIER_LENGTH(DECL_NAME(node))
@@ -83376,7 +85481,9 @@ index 0000000..cc96254
+#define AFTER_STMT false
+#define CREATE_NEW_VAR NULL_TREE
+#define CODES_LIMIT 32
-+#define MAX_PARAM 10
++#define MAX_PARAM 16
++#define MY_STMT GF_PLF_1
++#define NO_CAST_CHECK GF_PLF_2
+
+#if BUILDING_GCC_VERSION == 4005
+#define DECL_CHAIN(NODE) (TREE_CHAIN(DECL_MINIMAL_CHECK(NODE)))
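Review bot: `MY_STMT` and `NO_CAST_CHECK` are introduced without a comment, and they alias GCC's pass-local flags `GF_PLF_1`/`GF_PLF_2`, which a pass must not assume are clear when it starts. The later hunks return early on `gimple_plf(stmt, MY_STMT)` in dup_assign and handle_unary_rhs, so a stale bit left by another pass would silently skip instrumentation for that statement. No reset of these flags is visible on this page, so please confirm that handle_function clears both on every statement before the walk. I would also document them here, e.g. `/* pass-local: statement was generated by this plugin, do not instrument again */` above `MY_STMT`, and a matching line for `NO_CAST_CHECK`.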
@@ -83386,20 +85493,30 @@ index 0000000..cc96254
+void debug_gimple_stmt(gimple gs);
+
+static tree expand(struct pointer_set_t *visited, bool *potentionally_overflowed, tree var);
-+static tree signed_size_overflow_type;
-+static tree unsigned_size_overflow_type;
+static tree report_size_overflow_decl;
+static tree const_char_ptr_type_node;
+static unsigned int handle_function(void);
++static void check_size_overflow(gimple stmt, tree size_overflow_type, tree cast_rhs, tree rhs, bool *potentionally_overflowed, bool before);
++static tree get_size_overflow_type(gimple stmt, tree node);
+
+static struct plugin_info size_overflow_plugin_info = {
-+ .version = "20120618beta",
++ .version = "20120811beta",
+ .help = "no-size-overflow\tturn off size overflow checking\n",
+};
+
+static tree handle_size_overflow_attribute(tree *node, tree __unused name, tree args, int __unused flags, bool *no_add_attrs)
+{
-+ unsigned int arg_count = type_num_arguments(*node);
++ unsigned int arg_count;
++
++ if (TREE_CODE(*node) == FUNCTION_DECL)
++ arg_count = type_num_arguments(TREE_TYPE(*node));
++ else if (TREE_CODE(*node) == FUNCTION_TYPE || TREE_CODE(*node) == METHOD_TYPE)
++ arg_count = type_num_arguments(*node);
++ else {
++ *no_add_attrs = true;
++ error("%qE attribute only applies to functions", name);
++ return NULL_TREE;
++ }
+
+ for (; args; args = TREE_CHAIN(args)) {
+ tree position = TREE_VALUE(args);
@@ -83411,22 +85528,36 @@ index 0000000..cc96254
+ return NULL_TREE;
+}
+
-+static struct attribute_spec no_size_overflow_attr = {
++static struct attribute_spec size_overflow_attr = {
+ .name = "size_overflow",
+ .min_length = 1,
+ .max_length = -1,
-+ .decl_required = false,
-+ .type_required = true,
-+ .function_type_required = true,
++ .decl_required = true,
++ .type_required = false,
++ .function_type_required = false,
+ .handler = handle_size_overflow_attribute,
+#if BUILDING_GCC_VERSION >= 4007
+ .affects_type_identity = false
+#endif
+};
+
++static struct attribute_spec intentional_overflow_attr = {
++ .name = "intentional_overflow",
++ .min_length = 1,
++ .max_length = -1,
++ .decl_required = true,
++ .type_required = false,
++ .function_type_required = false,
++ .handler = NULL,
++#if BUILDING_GCC_VERSION >= 4007
++ .affects_type_identity = false
++#endif
++};
++
+static void register_attributes(void __unused *event_data, void __unused *data)
+{
-+ register_attribute(&no_size_overflow_attr);
++ register_attribute(&size_overflow_attr);
++ register_attribute(&intentional_overflow_attr);
+}
+
+// http://www.team5150.com/~andrew/noncryptohashzoo2~/CrapWow.html
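Review bot: `intentional_overflow_attr` is registered with `.handler = NULL`, so GCC only enforces the argument count (`min_length = 1`) and accepts any argument values, including non-integers or positions beyond the function's parameter list. `size_overflow` goes through handle_size_overflow_attribute, which appears to validate each position against `arg_count` (its loop body is outside this hunk). If the two attributes share the same 1-based position convention, reuse it with `.handler = handle_size_overflow_attribute,`. Otherwise add a small handler that rejects malformed arguments, so that whatever later reads them does not have to trust them.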
@@ -83477,11 +85608,12 @@ index 0000000..cc96254
+
+static inline gimple get_def_stmt(tree node)
+{
++ gcc_assert(node != NULL_TREE);
+ gcc_assert(TREE_CODE(node) == SSA_NAME);
+ return SSA_NAME_DEF_STMT(node);
+}
+
-+static unsigned char get_tree_code(tree type)
++static unsigned char get_tree_code(const_tree type)
+{
+ switch (TREE_CODE(type)) {
+ case ARRAY_TYPE:
@@ -83508,13 +85640,17 @@ index 0000000..cc96254
+ return 10;
+ case REFERENCE_TYPE:
+ return 11;
++ case OFFSET_TYPE:
++ return 12;
++ case COMPLEX_TYPE:
++ return 13;
+ default:
-+ debug_tree(type);
++ debug_tree((tree)type);
+ gcc_unreachable();
+ }
+}
+
-+static size_t add_type_codes(tree type, unsigned char *tree_codes, size_t len)
++static size_t add_type_codes(const_tree type, unsigned char *tree_codes, size_t len)
+{
+ gcc_assert(type != NULL_TREE);
+
@@ -83639,11 +85775,11 @@ index 0000000..cc96254
+ gcc_assert(TREE_CODE(arg) != COMPONENT_REF);
+
+ type = TREE_TYPE(arg);
-+ // skip function pointers
-+ if (TREE_CODE(type) == POINTER_TYPE && TREE_CODE(TREE_TYPE(type)) == FUNCTION_TYPE)
++
++ if (TREE_CODE(type) == POINTER_TYPE)
+ return;
+
-+ if (lookup_attribute("size_overflow", TYPE_ATTRIBUTES(TREE_TYPE(func))))
++ if (lookup_attribute("size_overflow", DECL_ATTRIBUTES(func)))
+ return;
+
+ argnum = find_arg_number(arg, func);
@@ -83664,6 +85800,22 @@ index 0000000..cc96254
+ return new_var;
+}
+
++static gimple create_binary_assign(enum tree_code code, gimple stmt, tree rhs1, tree rhs2)
++{
++ gimple assign;
++ gimple_stmt_iterator gsi = gsi_for_stmt(stmt);
++ tree type = TREE_TYPE(rhs1);
++ tree lhs = create_new_var(type);
++
++ assign = gimple_build_assign_with_ops(code, lhs, rhs1, rhs2);
++ gimple_set_lhs(assign, make_ssa_name(lhs, assign));
++
++ gsi_insert_before(&gsi, assign, GSI_NEW_STMT);
++ update_stmt(assign);
++ gimple_set_plf(assign, MY_STMT, true);
++ return assign;
++}
++
+static bool is_bool(tree node)
+{
+ tree type;
@@ -83683,34 +85835,63 @@ index 0000000..cc96254
+
+static tree cast_a_tree(tree type, tree var)
+{
-+ gcc_assert(type != NULL_TREE && var != NULL_TREE);
++ gcc_assert(type != NULL_TREE);
++ gcc_assert(var != NULL_TREE);
+ gcc_assert(fold_convertible_p(type, var));
+
+ return fold_convert(type, var);
+}
+
-+static tree signed_cast(tree var)
-+{
-+ return cast_a_tree(signed_size_overflow_type, var);
-+}
-+
-+static gimple build_cast_stmt(tree type, tree var, tree new_var, location_t loc)
++static gimple build_cast_stmt(tree type, tree var, tree new_var, gimple_stmt_iterator *gsi, bool before)
+{
+ gimple assign;
++ location_t loc;
++
++ gcc_assert(type != NULL_TREE && var != NULL_TREE);
++ if (gsi_end_p(*gsi) && before == BEFORE_STMT)
++ gcc_unreachable();
+
+ if (new_var == CREATE_NEW_VAR)
+ new_var = create_new_var(type);
+
+ assign = gimple_build_assign(new_var, cast_a_tree(type, var));
-+ gimple_set_location(assign, loc);
++
++ if (!gsi_end_p(*gsi)) {
++ loc = gimple_location(gsi_stmt(*gsi));
++ gimple_set_location(assign, loc);
++ }
++
+ gimple_set_lhs(assign, make_ssa_name(new_var, assign));
+
++ if (before)
++ gsi_insert_before(gsi, assign, GSI_NEW_STMT);
++ else
++ gsi_insert_after(gsi, assign, GSI_NEW_STMT);
++ update_stmt(assign);
++ gimple_set_plf(assign, MY_STMT, true);
++
+ return assign;
+}
+
++static tree cast_to_new_size_overflow_type(gimple stmt, tree new_rhs1, tree size_overflow_type, bool before)
++{
++ gimple assign;
++ gimple_stmt_iterator gsi;
++
++ if (new_rhs1 == NULL_TREE)
++ return NULL_TREE;
++
++ if (!useless_type_conversion_p(TREE_TYPE(new_rhs1), size_overflow_type)) {
++ gsi = gsi_for_stmt(stmt);
++ assign = build_cast_stmt(size_overflow_type, new_rhs1, CREATE_NEW_VAR, &gsi, before);
++ return gimple_get_lhs(assign);
++ }
++ return new_rhs1;
++}
++
+static tree create_assign(struct pointer_set_t *visited, bool *potentionally_overflowed, gimple oldstmt, tree rhs1, bool before)
+{
-+ tree oldstmt_rhs1;
++ tree oldstmt_rhs1, size_overflow_type, lhs;
+ enum tree_code code;
+ gimple stmt;
+ gimple_stmt_iterator gsi;
@@ -83724,13 +85905,24 @@ index 0000000..cc96254
+ gcc_unreachable();
+ }
+
++ if (gimple_code(oldstmt) == GIMPLE_ASM)
++ lhs = rhs1;
++ else
++ lhs = gimple_get_lhs(oldstmt);
++
+ oldstmt_rhs1 = gimple_assign_rhs1(oldstmt);
+ code = TREE_CODE(oldstmt_rhs1);
-+ if (code == PARM_DECL || (code == SSA_NAME && gimple_code(get_def_stmt(oldstmt_rhs1)) == GIMPLE_NOP))
-+ check_missing_attribute(oldstmt_rhs1);
++ if (code == PARM_DECL || (code == SSA_NAME && gimple_code(get_def_stmt(oldstmt_rhs1)) == GIMPLE_NOP)) {
++ argnum = search_missing_attribute(oldstmt_rhs1);
++ if (argnum && is_already_marked(get_original_function_decl(current_function_decl), argnum) == MARKED_YES) {
++ *overflowed = OVERFLOW_INTENTIONAL;
++ return NULL_TREE;
++ }
++
++ }
+
-+ stmt = build_cast_stmt(signed_size_overflow_type, rhs1, CREATE_NEW_VAR, gimple_location(oldstmt));
+ gsi = gsi_for_stmt(oldstmt);
++ pointer_set_insert(visited, oldstmt);
+ if (lookup_stmt_eh_lp(oldstmt) != 0) {
+ basic_block next_bb, cur_bb;
+ edge e;
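Review bot: The added block in create_assign assigns `argnum` and writes `*overflowed = OVERFLOW_INTENTIONAL`, but the signature and locals visible in the preceding hunk declare neither name (the parameter is still `bool *potentionally_overflowed`), so unless both are file-scope names outside this page's view, this will not compile. The same undeclared `overflowed` is passed to create_assign from the dup_assign hunk and from the `VAR_DECL` case in the handle_unary_ops hunk, whose parameters are likewise named `potentionally_overflowed`. Either finish the conversion (an `enum overflow_reason *overflowed` parameter in every affected signature plus a declaration for `argnum`) or keep `potentionally_overflowed` at these call sites. Storing `OVERFLOW_INTENTIONAL` through a `bool *` would just read back as true, so the early `return NULL_TREE` also needs a way for callers to tell the intentional case apart. create_assign's body continues outside this hunk.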
@@ -83748,18 +85940,20 @@ index 0000000..cc96254
+
+ gsi = gsi_after_labels(next_bb);
+ gcc_assert(!gsi_end_p(gsi));
++
+ before = true;
++ oldstmt = gsi_stmt(gsi);
++ pointer_set_insert(visited, oldstmt);
+ }
-+ if (before)
-+ gsi_insert_before(&gsi, stmt, GSI_NEW_STMT);
-+ else
-+ gsi_insert_after(&gsi, stmt, GSI_NEW_STMT);
-+ update_stmt(stmt);
-+ pointer_set_insert(visited, oldstmt);
++
++ size_overflow_type = get_size_overflow_type(oldstmt, lhs);
++
++ stmt = build_cast_stmt(size_overflow_type, rhs1, CREATE_NEW_VAR, &gsi, before);
++ gimple_set_plf(stmt, MY_STMT, true);
+ return gimple_get_lhs(stmt);
+}
+
-+static tree dup_assign(struct pointer_set_t *visited, bool *potentionally_overflowed, gimple oldstmt, tree rhs1, tree rhs2, tree __unused rhs3)
++static tree dup_assign(struct pointer_set_t *visited, bool *potentionally_overflowed, gimple oldstmt, tree size_overflow_type, tree rhs1, tree rhs2, tree __unused rhs3)
+{
+ tree new_var, lhs = gimple_get_lhs(oldstmt);
+ gimple stmt;
@@ -83768,17 +85962,21 @@ index 0000000..cc96254
+ if (!*potentionally_overflowed)
+ return NULL_TREE;
+
++ if (gimple_plf(oldstmt, MY_STMT))
++ return lhs;
++
+ if (gimple_num_ops(oldstmt) != 4 && rhs1 == NULL_TREE) {
+ rhs1 = gimple_assign_rhs1(oldstmt);
-+ rhs1 = create_assign(visited, potentionally_overflowed, oldstmt, rhs1, BEFORE_STMT);
++ rhs1 = create_assign(visited, overflowed, oldstmt, rhs1, BEFORE_STMT);
+ }
+ if (gimple_num_ops(oldstmt) == 3 && rhs2 == NULL_TREE) {
+ rhs2 = gimple_assign_rhs2(oldstmt);
-+ rhs2 = create_assign(visited, potentionally_overflowed, oldstmt, rhs2, BEFORE_STMT);
++ rhs2 = create_assign(visited, overflowed, oldstmt, rhs2, BEFORE_STMT);
+ }
+
+ stmt = gimple_copy(oldstmt);
+ gimple_set_location(stmt, gimple_location(oldstmt));
++ gimple_set_plf(stmt, MY_STMT, true);
+
+ if (gimple_assign_rhs_code(oldstmt) == WIDEN_MULT_EXPR)
+ gimple_assign_set_rhs_code(stmt, MULT_EXPR);
@@ -83786,13 +85984,13 @@ index 0000000..cc96254
+ if (is_bool(lhs))
+ new_var = SSA_NAME_VAR(lhs);
+ else
-+ new_var = create_new_var(signed_size_overflow_type);
++ new_var = create_new_var(size_overflow_type);
+ new_var = make_ssa_name(new_var, stmt);
+ gimple_set_lhs(stmt, new_var);
+
+ if (rhs1 != NULL_TREE) {
+ if (!gimple_assign_cast_p(oldstmt))
-+ rhs1 = signed_cast(rhs1);
++ rhs1 = cast_a_tree(size_overflow_type, rhs1);
+ gimple_assign_set_rhs1(stmt, rhs1);
+ }
+
@@ -83827,6 +86025,7 @@ index 0000000..cc96254
+ gsi = gsi_for_stmt(oldstmt);
+ gsi_insert_after(&gsi, phi, GSI_NEW_STMT);
+ gimple_set_bb(phi, bb);
++ gimple_set_plf(phi, MY_STMT, true);
+ return phi;
+}
+
@@ -83840,28 +86039,29 @@ index 0000000..cc96254
+ return first_bb;
+}
+
-+static gimple cast_old_phi_arg(gimple oldstmt, tree arg, tree new_var, unsigned int i)
++static tree cast_old_phi_arg(gimple oldstmt, tree size_overflow_type, tree arg, tree new_var, unsigned int i)
+{
+ basic_block bb;
-+ gimple newstmt, def_stmt;
++ gimple newstmt;
+ gimple_stmt_iterator gsi;
++ bool before = BEFORE_STMT;
+
-+ newstmt = build_cast_stmt(signed_size_overflow_type, arg, new_var, gimple_location(oldstmt));
-+ if (TREE_CODE(arg) == SSA_NAME) {
-+ def_stmt = get_def_stmt(arg);
-+ if (gimple_code(def_stmt) != GIMPLE_NOP) {
-+ gsi = gsi_for_stmt(def_stmt);
-+ gsi_insert_after(&gsi, newstmt, GSI_NEW_STMT);
-+ return newstmt;
-+ }
++ if (TREE_CODE(arg) == SSA_NAME && gimple_code(get_def_stmt(arg)) != GIMPLE_NOP) {
++ gsi = gsi_for_stmt(get_def_stmt(arg));
++ newstmt = build_cast_stmt(size_overflow_type, arg, new_var, &gsi, AFTER_STMT);
++ return gimple_get_lhs(newstmt);
+ }
+
+ bb = gimple_phi_arg_edge(oldstmt, i)->src;
-+ if (bb->index == 0)
-+ bb = create_a_first_bb();
+ gsi = gsi_after_labels(bb);
-+ gsi_insert_before(&gsi, newstmt, GSI_NEW_STMT);
-+ return newstmt;
++ if (bb->index == 0) {
++ bb = create_a_first_bb();
++ gsi = gsi_start_bb(bb);
++ }
++ if (gsi_end_p(gsi))
++ before = AFTER_STMT;
++ newstmt = build_cast_stmt(size_overflow_type, arg, new_var, &gsi, before);
++ return gimple_get_lhs(newstmt);
+}
+
+static gimple handle_new_phi_arg(tree arg, tree new_var, tree new_rhs)
@@ -83894,30 +86094,36 @@ index 0000000..cc96254
+
+ gimple_set_lhs(newstmt, make_ssa_name(new_var, newstmt));
+ gsi_insert(&gsi, newstmt, GSI_NEW_STMT);
++ gimple_set_plf(newstmt, MY_STMT, true);
+ update_stmt(newstmt);
+ return newstmt;
+}
+
-+static tree build_new_phi_arg(struct pointer_set_t *visited, bool *potentionally_overflowed, tree arg, tree new_var)
++static tree build_new_phi_arg(struct pointer_set_t *visited, bool *potentionally_overflowed, tree size_overflow_type, tree arg, tree new_var)
+{
+ gimple newstmt;
+ tree new_rhs;
+
+ new_rhs = expand(visited, potentionally_overflowed, arg);
-+
+ if (new_rhs == NULL_TREE)
+ return NULL_TREE;
+
++ new_rhs = cast_to_new_size_overflow_type(get_def_stmt(new_rhs), new_rhs, size_overflow_type, AFTER_STMT);
++
+ newstmt = handle_new_phi_arg(arg, new_var, new_rhs);
+ return gimple_get_lhs(newstmt);
+}
+
-+static tree build_new_phi(struct pointer_set_t *visited, bool *potentionally_overflowed, gimple oldstmt)
++static tree build_new_phi(struct pointer_set_t *visited, bool *potentionally_overflowed, tree var)
+{
-+ gimple phi;
-+ tree new_var = create_new_var(signed_size_overflow_type);
++ gimple phi, oldstmt = get_def_stmt(var);
++ tree new_var, size_overflow_type;
+ unsigned int i, n = gimple_phi_num_args(oldstmt);
+
++ size_overflow_type = get_size_overflow_type(oldstmt, var);
++
++ new_var = create_new_var(size_overflow_type);
++
+ pointer_set_insert(visited, oldstmt);
+ phi = overflow_create_phi_node(oldstmt, new_var);
+ for (i = 0; i < n; i++) {
@@ -83925,10 +86131,10 @@ index 0000000..cc96254
+
+ arg = gimple_phi_arg_def(oldstmt, i);
+ if (is_gimple_constant(arg))
-+ arg = signed_cast(arg);
-+ lhs = build_new_phi_arg(visited, potentionally_overflowed, arg, new_var);
++ arg = cast_a_tree(size_overflow_type, arg);
++ lhs = build_new_phi_arg(visited, potentionally_overflowed, size_overflow_type, arg, new_var);
+ if (lhs == NULL_TREE)
-+ lhs = gimple_get_lhs(cast_old_phi_arg(oldstmt, arg, new_var, i));
++ lhs = cast_old_phi_arg(oldstmt, size_overflow_type, arg, new_var, i);
+ add_phi_arg(phi, lhs, gimple_phi_arg_edge(oldstmt, i), gimple_location(oldstmt));
+ }
+
@@ -83936,35 +86142,132 @@ index 0000000..cc96254
+ return gimple_phi_result(phi);
+}
+
-+static tree handle_unary_rhs(struct pointer_set_t *visited, bool *potentionally_overflowed, tree var)
++static tree change_assign_rhs(gimple stmt, tree orig_rhs, tree new_rhs)
+{
-+ gimple def_stmt = get_def_stmt(var);
-+ tree new_rhs1, rhs1 = gimple_assign_rhs1(def_stmt);
++ gimple assign;
++ gimple_stmt_iterator gsi = gsi_for_stmt(stmt);
++ tree origtype = TREE_TYPE(orig_rhs);
++
++ gcc_assert(gimple_code(stmt) == GIMPLE_ASSIGN);
++
++ assign = build_cast_stmt(origtype, new_rhs, CREATE_NEW_VAR, &gsi, BEFORE_STMT);
++ return gimple_get_lhs(assign);
++}
++
++static void change_rhs1(gimple stmt, tree new_rhs1)
++{
++ tree assign_rhs;
++ tree rhs = gimple_assign_rhs1(stmt);
++
++ assign_rhs = change_assign_rhs(stmt, rhs, new_rhs1);
++ gimple_assign_set_rhs1(stmt, assign_rhs);
++ update_stmt(stmt);
++}
++
++static bool check_mode_type(gimple stmt)
++{
++ tree lhs = gimple_get_lhs(stmt);
++ tree lhs_type = TREE_TYPE(lhs);
++ tree rhs_type = TREE_TYPE(gimple_assign_rhs1(stmt));
++ enum machine_mode lhs_mode = TYPE_MODE(lhs_type);
++ enum machine_mode rhs_mode = TYPE_MODE(rhs_type);
++
++ if (rhs_mode == lhs_mode && TYPE_UNSIGNED(rhs_type) == TYPE_UNSIGNED(lhs_type))
++ return false;
++
++ if (rhs_mode == SImode && lhs_mode == DImode && (TYPE_UNSIGNED(rhs_type) || !TYPE_UNSIGNED(lhs_type)))
++ return false;
++
++ return true;
++}
++
++static bool check_undefined_integer_operation(gimple stmt)
++{
++ gimple def_stmt;
++ tree lhs = gimple_get_lhs(stmt);
++ tree rhs1 = gimple_assign_rhs1(stmt);
++ tree rhs1_type = TREE_TYPE(rhs1);
++ tree lhs_type = TREE_TYPE(lhs);
++
++ if (TYPE_MODE(rhs1_type) != TYPE_MODE(lhs_type) || TYPE_UNSIGNED(rhs1_type) == TYPE_UNSIGNED(lhs_type))
++ return false;
++
++ def_stmt = get_def_stmt(rhs1);
++ if (gimple_code(def_stmt) != GIMPLE_ASSIGN)
++ return false;
++
++ if (gimple_assign_rhs_code(def_stmt) != MINUS_EXPR)
++ return false;
++ return true;
++}
++
++static tree handle_unary_rhs(struct pointer_set_t *visited, bool *potentionally_overflowed, gimple stmt)
++{
++ tree size_overflow_type, lhs = gimple_get_lhs(stmt);
++ tree new_rhs1, rhs1 = gimple_assign_rhs1(stmt);
++ tree rhs1_type = TREE_TYPE(rhs1);
++ tree lhs_type = TREE_TYPE(lhs);
+
+ *potentionally_overflowed = true;
++
+ new_rhs1 = expand(visited, potentionally_overflowed, rhs1);
-+ if (new_rhs1 == NULL_TREE) {
-+ if (TREE_CODE(TREE_TYPE(rhs1)) == POINTER_TYPE)
-+ return create_assign(visited, potentionally_overflowed, def_stmt, var, AFTER_STMT);
-+ else
-+ return create_assign(visited, potentionally_overflowed, def_stmt, rhs1, AFTER_STMT);
++
++ if (new_rhs1 == NULL_TREE || TREE_CODE(rhs1_type) == POINTER_TYPE)
++ return create_assign(visited, potentionally_overflowed, stmt, lhs, AFTER_STMT);
++
++ if (gimple_plf(stmt, MY_STMT))
++ return lhs;
++
++ if (gimple_plf(stmt, NO_CAST_CHECK)) {
++ size_overflow_type = get_size_overflow_type(stmt, rhs1);
++ new_rhs1 = cast_to_new_size_overflow_type(stmt, new_rhs1, size_overflow_type, BEFORE_STMT);
++ return dup_assign(visited, potentionally_overflowed, stmt, size_overflow_type, new_rhs1, NULL_TREE, NULL_TREE);
++ }
++
++ if (!gimple_assign_cast_p(stmt)) {
++ size_overflow_type = get_size_overflow_type(stmt, lhs);
++ new_rhs1 = cast_to_new_size_overflow_type(stmt, new_rhs1, size_overflow_type, BEFORE_STMT);
++ return dup_assign(visited, potentionally_overflowed, stmt, size_overflow_type, new_rhs1, NULL_TREE, NULL_TREE);
+ }
-+ return dup_assign(visited, potentionally_overflowed, def_stmt, new_rhs1, NULL_TREE, NULL_TREE);
++
++ if (check_undefined_integer_operation(stmt)) {
++ size_overflow_type = get_size_overflow_type(stmt, lhs);
++ new_rhs1 = cast_to_new_size_overflow_type(stmt, new_rhs1, size_overflow_type, BEFORE_STMT);
++ return dup_assign(visited, potentionally_overflowed, stmt, size_overflow_type, new_rhs1, NULL_TREE, NULL_TREE);
++ }
++
++ size_overflow_type = get_size_overflow_type(stmt, rhs1);
++ new_rhs1 = cast_to_new_size_overflow_type(stmt, new_rhs1, size_overflow_type, BEFORE_STMT);
++
++ change_rhs1(stmt, new_rhs1);
++ check_size_overflow(stmt, size_overflow_type, new_rhs1, rhs1, potentionally_overflowed, BEFORE_STMT);
++
++ if (TYPE_UNSIGNED(rhs1_type) != TYPE_UNSIGNED(lhs_type))
++ return create_assign(visited, potentionally_overflowed, stmt, lhs, AFTER_STMT);
++
++ if (!check_mode_type(stmt))
++ return create_assign(visited, potentionally_overflowed, stmt, lhs, AFTER_STMT);
++
++ size_overflow_type = get_size_overflow_type(stmt, lhs);
++ new_rhs1 = cast_to_new_size_overflow_type(stmt, new_rhs1, size_overflow_type, BEFORE_STMT);
++
++ check_size_overflow(stmt, size_overflow_type, new_rhs1, lhs, potentionally_overflowed, BEFORE_STMT);
++
++ return create_assign(visited, potentionally_overflowed, stmt, lhs, AFTER_STMT);
+}
+
-+static tree handle_unary_ops(struct pointer_set_t *visited, bool *potentionally_overflowed, tree var)
++static tree handle_unary_ops(struct pointer_set_t *visited, bool *potentionally_overflowed, tree lhs)
+{
-+ gimple def_stmt = get_def_stmt(var);
++ gimple def_stmt = get_def_stmt(lhs);
+ tree rhs1 = gimple_assign_rhs1(def_stmt);
+
+ if (is_gimple_constant(rhs1))
-+ return dup_assign(visited, potentionally_overflowed, def_stmt, signed_cast(rhs1), NULL_TREE, NULL_TREE);
++ return create_assign(visited, potentionally_overflowed, def_stmt, lhs, AFTER_STMT);
+
+ gcc_assert(TREE_CODE(rhs1) != COND_EXPR);
+ switch (TREE_CODE(rhs1)) {
+ case SSA_NAME:
-+ return handle_unary_rhs(visited, potentionally_overflowed, var);
-+
++ return handle_unary_rhs(visited, potentionally_overflowed, def_stmt);
+ case ARRAY_REF:
+ case BIT_FIELD_REF:
+ case ADDR_EXPR:
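Review bot: In handle_unary_rhs the `!gimple_assign_cast_p(stmt)` branch and the `check_undefined_integer_operation(stmt)` branch have byte-identical bodies (type from `lhs`, cast, `dup_assign`), so they can be one branch: `if (!gimple_assign_cast_p(stmt) || check_undefined_integer_operation(stmt)) {`. Short-circuit evaluation keeps the order of the two tests unchanged. The two new predicates also need a one-line comment each, since their return values are not self-explanatory. For check_mode_type, something like `/* true when the cast changes mode or signedness in a way that needs a second check on the lhs */`, with wording to be confirmed by the author. For check_undefined_integer_operation, a note on why only a `MINUS_EXPR` definition is matched.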
@@ -83976,7 +86279,7 @@ index 0000000..cc96254
+ case PARM_DECL:
+ case TARGET_MEM_REF:
+ case VAR_DECL:
-+ return create_assign(visited, potentionally_overflowed, def_stmt, var, AFTER_STMT);
++ return create_assign(visited, overflowed, def_stmt, lhs, AFTER_STMT);
+
+ default:
+ debug_gimple_stmt(def_stmt);
@@ -84012,11 +86315,12 @@ index 0000000..cc96254
+ return build1(ADDR_EXPR, ptr_type_node, string);
+}
+
-+static void insert_cond_result(basic_block bb_true, gimple stmt, tree arg)
++static void insert_cond_result(basic_block bb_true, gimple stmt, tree arg, bool min)
+{
+ gimple func_stmt, def_stmt;
-+ tree current_func, loc_file, loc_line;
++ tree current_func, loc_file, loc_line, ssa_name;
+ expanded_location xloc;
++ char ssa_name_buf[100];
+ gimple_stmt_iterator gsi = gsi_start_bb(bb_true);
+
+ def_stmt = get_def_stmt(arg);
@@ -84036,8 +86340,15 @@ index 0000000..cc96254
+ current_func = build_string(NAME_LEN(current_function_decl) + 1, NAME(current_function_decl));
+ current_func = create_string_param(current_func);
+
-+ // void report_size_overflow(const char *file, unsigned int line, const char *func)
-+ func_stmt = gimple_build_call(report_size_overflow_decl, 3, loc_file, loc_line, current_func);
++ if (min)
++ snprintf(ssa_name_buf, 100, "%s_%u (min)\n", NAME(SSA_NAME_VAR(arg)), SSA_NAME_VERSION(arg));
++ else
++ snprintf(ssa_name_buf, 100, "%s_%u (max)\n", NAME(SSA_NAME_VAR(arg)), SSA_NAME_VERSION(arg));
++ ssa_name = build_string(100, ssa_name_buf);
++ ssa_name = create_string_param(ssa_name);
++
++ // void report_size_overflow(const char *file, unsigned int line, const char *func, const char *ssa_name)
++ func_stmt = gimple_build_call(report_size_overflow_decl, 4, loc_file, loc_line, current_func, ssa_name);
+
+ gsi_insert_after(&gsi, func_stmt, GSI_CONTINUE_LINKING);
+}
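Review bot: `build_string(100, ssa_name_buf)` copies the whole 100-byte buffer into the string constant, not just the formatted text, so whatever uninitialised stack bytes follow the terminator end up in the emitted object (ssa_name_buf is declared without an initialiser in the previous hunk). That makes the generated code depend on the compiler's stack contents and works against reproducible builds. Size the constant from the text, as the current_func line just above does: `ssa_name = build_string(strlen(ssa_name_buf) + 1, ssa_name_buf);`, and pass `sizeof(ssa_name_buf)` to snprintf instead of repeating the literal 100. insert_cond_result begins outside this hunk.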
@@ -84049,14 +86360,15 @@ index 0000000..cc96254
+ inform(loc, "Integer size_overflow check applied here.");
+}
+
-+static void insert_check_size_overflow(gimple stmt, enum tree_code cond_code, tree arg, tree type_value)
++static void insert_check_size_overflow(gimple stmt, enum tree_code cond_code, tree arg, tree type_value, bool before, bool min)
+{
+ basic_block cond_bb, join_bb, bb_true;
+ edge e;
+ gimple_stmt_iterator gsi = gsi_for_stmt(stmt);
+
+ cond_bb = gimple_bb(stmt);
-+ gsi_prev(&gsi);
++ if (before)
++ gsi_prev(&gsi);
+ if (gsi_end_p(gsi))
+ e = split_block_after_labels(cond_bb);
+ else
@@ -84082,80 +86394,221 @@ index 0000000..cc96254
+ }
+
+ insert_cond(cond_bb, arg, cond_code, type_value);
-+ insert_cond_result(bb_true, stmt, arg);
++ insert_cond_result(bb_true, stmt, arg, min);
+
+// print_the_code_insertions(stmt);
+}
+
-+static gimple cast_to_unsigned_size_overflow_type(gimple stmt, tree cast_rhs)
++static void check_size_overflow(gimple stmt, tree size_overflow_type, tree cast_rhs, tree rhs, bool *potentionally_overflowed, bool before)
+{
-+ gimple ucast_stmt;
-+ gimple_stmt_iterator gsi;
-+ location_t loc = gimple_location(stmt);
++ tree cast_rhs_type, type_max_type, type_min_type, type_max, type_min, rhs_type = TREE_TYPE(rhs);
++ gcc_assert(rhs_type != NULL_TREE);
++ gcc_assert(TREE_CODE(rhs_type) == INTEGER_TYPE || TREE_CODE(rhs_type) == BOOLEAN_TYPE || TREE_CODE(rhs_type) == ENUMERAL_TYPE);
+
-+ ucast_stmt = build_cast_stmt(unsigned_size_overflow_type, cast_rhs, CREATE_NEW_VAR, loc);
-+ gsi = gsi_for_stmt(stmt);
-+ gsi_insert_before(&gsi, ucast_stmt, GSI_SAME_STMT);
-+ return ucast_stmt;
++ if (!*potentionally_overflowed)
++ return;
++
++ type_max = cast_a_tree(size_overflow_type, TYPE_MAX_VALUE(rhs_type));
++ type_min = cast_a_tree(size_overflow_type, TYPE_MIN_VALUE(rhs_type));
++
++ gcc_assert(!TREE_OVERFLOW(type_max));
++
++ cast_rhs_type = TREE_TYPE(cast_rhs);
++ type_max_type = TREE_TYPE(type_max);
++ type_min_type = TREE_TYPE(type_min);
++ gcc_assert(useless_type_conversion_p(cast_rhs_type, type_max_type));
++ gcc_assert(useless_type_conversion_p(type_max_type, type_min_type));
++
++ insert_check_size_overflow(stmt, GT_EXPR, cast_rhs, type_max, before, false);
++ insert_check_size_overflow(stmt, LT_EXPR, cast_rhs, type_min, before, true);
+}
+
-+static void check_size_overflow(gimple stmt, tree cast_rhs, tree rhs, bool *potentionally_overflowed)
++static tree get_handle_const_assign_size_overflow_type(gimple def_stmt, tree var_rhs)
+{
-+ tree type_max, type_min, rhs_type = TREE_TYPE(rhs);
-+ gimple ucast_stmt;
++ gimple var_rhs_def_stmt;
++ tree lhs = gimple_get_lhs(def_stmt);
++ tree lhs_type = TREE_TYPE(lhs);
++ tree rhs1_type = TREE_TYPE(gimple_assign_rhs1(def_stmt));
++ tree rhs2_type = TREE_TYPE(gimple_assign_rhs2(def_stmt));
+
-+ if (!*potentionally_overflowed)
-+ return;
++ if (var_rhs == NULL_TREE)
++ return get_size_overflow_type(def_stmt, lhs);
+
-+ if (TYPE_UNSIGNED(rhs_type)) {
-+ ucast_stmt = cast_to_unsigned_size_overflow_type(stmt, cast_rhs);
-+ type_max = cast_a_tree(unsigned_size_overflow_type, TYPE_MAX_VALUE(rhs_type));
-+ insert_check_size_overflow(stmt, GT_EXPR, gimple_get_lhs(ucast_stmt), type_max);
-+ } else {
-+ type_max = signed_cast(TYPE_MAX_VALUE(rhs_type));
-+ insert_check_size_overflow(stmt, GT_EXPR, cast_rhs, type_max);
++ var_rhs_def_stmt = get_def_stmt(var_rhs);
++
++ if (TREE_CODE_CLASS(gimple_assign_rhs_code(def_stmt)) == tcc_comparison)
++ return get_size_overflow_type(var_rhs_def_stmt, var_rhs);
+
-+ type_min = signed_cast(TYPE_MIN_VALUE(rhs_type));
-+ insert_check_size_overflow(stmt, LT_EXPR, cast_rhs, type_min);
++ if (gimple_assign_rhs_code(def_stmt) == LSHIFT_EXPR)
++ return get_size_overflow_type(var_rhs_def_stmt, var_rhs);
++
++ if (gimple_assign_rhs_code(def_stmt) == RSHIFT_EXPR)
++ return get_size_overflow_type(var_rhs_def_stmt, var_rhs);
++
++ if (!useless_type_conversion_p(lhs_type, rhs1_type) || !useless_type_conversion_p(rhs1_type, rhs2_type)) {
++ debug_gimple_stmt(def_stmt);
++ gcc_unreachable();
+ }
++
++ return get_size_overflow_type(def_stmt, lhs);
+}
+
-+static tree change_assign_rhs(gimple stmt, tree orig_rhs, tree new_rhs)
++static tree handle_const_assign(struct pointer_set_t *visited, bool *potentionally_overflowed, gimple def_stmt, tree var_rhs, tree new_rhs1, tree new_rhs2)
+{
-+ gimple assign;
-+ gimple_stmt_iterator gsi = gsi_for_stmt(stmt);
-+ tree origtype = TREE_TYPE(orig_rhs);
++ tree new_rhs, size_overflow_type, orig_rhs;
++ void (*gimple_assign_set_rhs)(gimple, tree);
++ tree rhs1 = gimple_assign_rhs1(def_stmt);
++ tree rhs2 = gimple_assign_rhs2(def_stmt);
++ tree lhs = gimple_get_lhs(def_stmt);
+
-+ gcc_assert(gimple_code(stmt) == GIMPLE_ASSIGN);
++ if (var_rhs == NULL_TREE)
++ return create_assign(visited, potentionally_overflowed, def_stmt, lhs, AFTER_STMT);
+
-+ assign = build_cast_stmt(origtype, new_rhs, CREATE_NEW_VAR, gimple_location(stmt));
-+ gsi_insert_before(&gsi, assign, GSI_SAME_STMT);
-+ update_stmt(assign);
-+ return gimple_get_lhs(assign);
-+}
++ if (new_rhs2 == NULL_TREE) {
++ size_overflow_type = get_handle_const_assign_size_overflow_type(def_stmt, new_rhs1);
++ new_rhs2 = cast_a_tree(size_overflow_type, rhs2);
++ orig_rhs = rhs1;
++ gimple_assign_set_rhs = &gimple_assign_set_rhs1;
++ } else {
++ size_overflow_type = get_handle_const_assign_size_overflow_type(def_stmt, new_rhs2);
++ new_rhs1 = cast_a_tree(size_overflow_type, rhs1);
++ orig_rhs = rhs2;
++ gimple_assign_set_rhs = &gimple_assign_set_rhs2;
++ }
+
-+static tree handle_const_assign(struct pointer_set_t *visited, bool *potentionally_overflowed, gimple def_stmt, tree var, tree orig_rhs, tree var_rhs, tree new_rhs1, tree new_rhs2, void (*gimple_assign_set_rhs)(gimple, tree))
-+{
-+ tree new_rhs;
++ var_rhs = cast_to_new_size_overflow_type(def_stmt, var_rhs, size_overflow_type, BEFORE_STMT);
+
+ if (gimple_assign_rhs_code(def_stmt) == MIN_EXPR)
-+ return dup_assign(visited, potentionally_overflowed, def_stmt, new_rhs1, new_rhs2, NULL_TREE);
++ return dup_assign(visited, potentionally_overflowed, def_stmt, size_overflow_type, new_rhs1, new_rhs2, NULL_TREE);
+
-+ if (var_rhs == NULL_TREE)
-+ return create_assign(visited, potentionally_overflowed, def_stmt, var, AFTER_STMT);
++ check_size_overflow(def_stmt, size_overflow_type, var_rhs, orig_rhs, potentionally_overflowed, BEFORE_STMT);
+
+ new_rhs = change_assign_rhs(def_stmt, orig_rhs, var_rhs);
+ gimple_assign_set_rhs(def_stmt, new_rhs);
+ update_stmt(def_stmt);
+
-+ check_size_overflow(def_stmt, var_rhs, orig_rhs, potentionally_overflowed);
-+ return create_assign(visited, potentionally_overflowed, def_stmt, var, AFTER_STMT);
++ return create_assign(visited, potentionally_overflowed, def_stmt, lhs, AFTER_STMT);
+}
+
-+static tree handle_binary_ops(struct pointer_set_t *visited, bool *potentionally_overflowed, tree var)
++static tree get_cast_def_stmt_rhs(tree new_rhs)
+{
-+ tree rhs1, rhs2;
-+ gimple def_stmt = get_def_stmt(var);
++ gimple def_stmt;
++
++ def_stmt = get_def_stmt(new_rhs);
++ // get_size_overflow_type
++ if (LONG_TYPE_SIZE != GET_MODE_BITSIZE(SImode))
++ gcc_assert(gimple_assign_cast_p(def_stmt));
++ return gimple_assign_rhs1(def_stmt);
++}
++
++static tree cast_to_int_TI_type_and_check(bool *potentionally_overflowed, gimple stmt, tree new_rhs)
++{
++ gimple_stmt_iterator gsi;
++ gimple cast_stmt, def_stmt;
++ enum machine_mode mode = TYPE_MODE(TREE_TYPE(new_rhs));
++
++ if (mode != TImode && mode != DImode) {
++ def_stmt = get_def_stmt(new_rhs);
++ gcc_assert(gimple_assign_cast_p(def_stmt));
++ new_rhs = gimple_assign_rhs1(def_stmt);
++ mode = TYPE_MODE(TREE_TYPE(new_rhs));
++ }
++
++ gcc_assert(mode == TImode || mode == DImode);
++
++ if (mode == TYPE_MODE(intTI_type_node) && useless_type_conversion_p(TREE_TYPE(new_rhs), intTI_type_node))
++ return new_rhs;
++
++ gsi = gsi_for_stmt(stmt);
++ cast_stmt = build_cast_stmt(intTI_type_node, new_rhs, CREATE_NEW_VAR, &gsi, BEFORE_STMT);
++ new_rhs = gimple_get_lhs(cast_stmt);
++
++ if (mode == DImode)
++ return new_rhs;
++
++ check_size_overflow(stmt, intTI_type_node, new_rhs, new_rhs, overflowed, BEFORE_STMT);
++
++ return new_rhs;
++}
++
++static bool is_an_integer_trunction(gimple stmt)
++{
++ gimple rhs1_def_stmt, rhs2_def_stmt;
++ tree rhs1_def_stmt_rhs1, rhs2_def_stmt_rhs1;
++ enum machine_mode rhs1_def_stmt_rhs1_mode, rhs2_def_stmt_rhs1_mode;
++ tree rhs1 = gimple_assign_rhs1(stmt);
++ tree rhs2 = gimple_assign_rhs2(stmt);
++ enum machine_mode rhs1_mode = TYPE_MODE(TREE_TYPE(rhs1));
++ enum machine_mode rhs2_mode = TYPE_MODE(TREE_TYPE(rhs2));
++
++ if (is_gimple_constant(rhs1) || is_gimple_constant(rhs2))
++ return false;
++
++ gcc_assert(TREE_CODE(rhs1) == SSA_NAME && TREE_CODE(rhs2) == SSA_NAME);
++
++ if (gimple_assign_rhs_code(stmt) != MINUS_EXPR || rhs1_mode != SImode || rhs2_mode != SImode)
++ return false;
++
++ rhs1_def_stmt = get_def_stmt(rhs1);
++ rhs2_def_stmt = get_def_stmt(rhs2);
++ if (!gimple_assign_cast_p(rhs1_def_stmt) || !gimple_assign_cast_p(rhs2_def_stmt))
++ return false;
++
++ rhs1_def_stmt_rhs1 = gimple_assign_rhs1(rhs1_def_stmt);
++ rhs2_def_stmt_rhs1 = gimple_assign_rhs1(rhs2_def_stmt);
++ rhs1_def_stmt_rhs1_mode = TYPE_MODE(TREE_TYPE(rhs1_def_stmt_rhs1));
++ rhs2_def_stmt_rhs1_mode = TYPE_MODE(TREE_TYPE(rhs2_def_stmt_rhs1));
++ if (rhs1_def_stmt_rhs1_mode != DImode || rhs2_def_stmt_rhs1_mode != DImode)
++ return false;
++
++ gimple_set_plf(rhs1_def_stmt, NO_CAST_CHECK, true);
++ gimple_set_plf(rhs2_def_stmt, NO_CAST_CHECK, true);
++ return true;
++}
++
++static tree handle_integer_truncation(struct pointer_set_t *visited, bool *potentionally_overflowed, tree lhs)
++{
++ tree new_rhs1, new_rhs2, size_overflow_type;
++ tree new_rhs1_def_stmt_rhs1, new_rhs2_def_stmt_rhs1, new_lhs;
++ tree new_rhs1_def_stmt_rhs1_type, new_rhs2_def_stmt_rhs1_type;
++ gimple assign, stmt = get_def_stmt(lhs);
++ tree rhs1 = gimple_assign_rhs1(stmt);
++ tree rhs2 = gimple_assign_rhs2(stmt);
++
++ if (!is_an_integer_trunction(stmt))
++ return NULL_TREE;
++
++ new_rhs1 = expand(visited, overflowed, rhs1);
++ new_rhs2 = expand(visited, overflowed, rhs2);
++
++ if (*overflowed == OVERFLOW_INTENTIONAL)
++ return NULL_TREE;
++
++ new_rhs1_def_stmt_rhs1 = get_cast_def_stmt_rhs(new_rhs1);
++ new_rhs2_def_stmt_rhs1 = get_cast_def_stmt_rhs(new_rhs2);
++
++ new_rhs1_def_stmt_rhs1_type = TREE_TYPE(new_rhs1_def_stmt_rhs1);
++ new_rhs2_def_stmt_rhs1_type = TREE_TYPE(new_rhs2_def_stmt_rhs1);
++
++ if (!useless_type_conversion_p(new_rhs1_def_stmt_rhs1_type, new_rhs2_def_stmt_rhs1_type)) {
++ new_rhs1_def_stmt_rhs1 = cast_to_int_TI_type_and_check(potentionally_overflowed, stmt, new_rhs1_def_stmt_rhs1);
++ new_rhs2_def_stmt_rhs1 = cast_to_int_TI_type_and_check(potentionally_overflowed, stmt, new_rhs2_def_stmt_rhs1);
++ }
++
++ assign = create_binary_assign(MINUS_EXPR, stmt, new_rhs1_def_stmt_rhs1, new_rhs2_def_stmt_rhs1);
++ new_lhs = gimple_get_lhs(assign);
++ check_size_overflow(assign, TREE_TYPE(new_lhs), new_lhs, rhs1, potentionally_overflowed, AFTER_STMT);
++
++ size_overflow_type = get_size_overflow_type(stmt, lhs);
++ new_rhs1 = cast_to_new_size_overflow_type(stmt, new_rhs1, size_overflow_type, BEFORE_STMT);
++ new_rhs2 = cast_to_new_size_overflow_type(stmt, new_rhs2, size_overflow_type, BEFORE_STMT);
++ return dup_assign(visited, potentionally_overflowed, stmt, size_overflow_type, new_rhs1, new_rhs2, NULL_TREE);
++}
++
++static tree handle_binary_ops(struct pointer_set_t *visited, bool *potentionally_overflowed, tree lhs)
++{
++ tree rhs1, rhs2, size_overflow_type, new_lhs;
++ gimple def_stmt = get_def_stmt(lhs);
+ tree new_rhs1 = NULL_TREE;
+ tree new_rhs2 = NULL_TREE;
+
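Review bot: check_size_overflow asserts `!TREE_OVERFLOW(type_max)` but has no matching assertion for `type_min`, although both bounds come from the same `cast_a_tree(size_overflow_type, ...)` conversion and both feed an inserted comparison. If a caller pairs a signed `rhs` with an unsigned `size_overflow_type` (handle_integer_truncation passes `TREE_TYPE(new_lhs)` together with `rhs1`), the converted minimum would presumably wrap and the `LT_EXPR` check would compare against a meaningless bound; cast_a_tree is not on this page, so this is inferred. Adding `gcc_assert(!TREE_OVERFLOW(type_min));` next to the existing assert would surface that case as an internal compiler error at build time rather than as a wrong runtime check.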
@@ -84176,32 +86629,41 @@ index 0000000..cc96254
+ case EXACT_DIV_EXPR:
+ case POINTER_PLUS_EXPR:
+ case BIT_AND_EXPR:
-+ return create_assign(visited, potentionally_overflowed, def_stmt, var, AFTER_STMT);
++ return create_assign(visited, potentionally_overflowed, def_stmt, lhs, AFTER_STMT);
+ default:
+ break;
+ }
+
+ *potentionally_overflowed = true;
+
++ new_lhs = handle_integer_truncation(visited, potentionally_overflowed, lhs);
++ if (new_lhs != NULL_TREE)
++ return new_lhs;
++
+ if (TREE_CODE(rhs1) == SSA_NAME)
+ new_rhs1 = expand(visited, potentionally_overflowed, rhs1);
+ if (TREE_CODE(rhs2) == SSA_NAME)
+ new_rhs2 = expand(visited, potentionally_overflowed, rhs2);
+
+ if (is_gimple_constant(rhs2))
-+ return handle_const_assign(visited, potentionally_overflowed, def_stmt, var, rhs1, new_rhs1, new_rhs1, signed_cast(rhs2), &gimple_assign_set_rhs1);
++ return handle_const_assign(visited, potentionally_overflowed, def_stmt, new_rhs1, new_rhs1, NULL_TREE);
+
+ if (is_gimple_constant(rhs1))
-+ return handle_const_assign(visited, potentionally_overflowed, def_stmt, var, rhs2, new_rhs2, signed_cast(rhs1), new_rhs2, &gimple_assign_set_rhs2);
++ return handle_const_assign(visited, potentionally_overflowed, def_stmt, new_rhs2, NULL_TREE, new_rhs2);
++
++ size_overflow_type = get_size_overflow_type(def_stmt, lhs);
+
-+ return dup_assign(visited, potentionally_overflowed, def_stmt, new_rhs1, new_rhs2, NULL_TREE);
++ new_rhs1 = cast_to_new_size_overflow_type(def_stmt, new_rhs1, size_overflow_type, BEFORE_STMT);
++ new_rhs2 = cast_to_new_size_overflow_type(def_stmt, new_rhs2, size_overflow_type, BEFORE_STMT);
++
++ return dup_assign(visited, potentionally_overflowed, def_stmt, size_overflow_type, new_rhs1, new_rhs2, NULL_TREE);
+}
+
+#if BUILDING_GCC_VERSION >= 4007
-+static tree get_new_rhs(struct pointer_set_t *visited, bool *potentionally_overflowed, tree rhs)
++static tree get_new_rhs(struct pointer_set_t *visited, bool *potentionally_overflowed, tree size_overflow_type, tree rhs)
+{
+ if (is_gimple_constant(rhs))
-+ return signed_cast(rhs);
++ return cast_a_tree(size_overflow_type, rhs);
+ if (TREE_CODE(rhs) != SSA_NAME)
+ return NULL_TREE;
+ return expand(visited, potentionally_overflowed, rhs);
@@ -84209,61 +86671,72 @@ index 0000000..cc96254
+
+static tree handle_ternary_ops(struct pointer_set_t *visited, bool *potentionally_overflowed, tree var)
+{
-+ tree rhs1, rhs2, rhs3, new_rhs1, new_rhs2, new_rhs3;
++ tree rhs1, rhs2, rhs3, new_rhs1, new_rhs2, new_rhs3, size_overflow_type;
+ gimple def_stmt = get_def_stmt(var);
+
+ *potentionally_overflowed = true;
+
++ size_overflow_type = get_size_overflow_type(def_stmt, var);
++
+ rhs1 = gimple_assign_rhs1(def_stmt);
+ rhs2 = gimple_assign_rhs2(def_stmt);
+ rhs3 = gimple_assign_rhs3(def_stmt);
-+ new_rhs1 = get_new_rhs(visited, potentionally_overflowed, rhs1);
-+ new_rhs2 = get_new_rhs(visited, potentionally_overflowed, rhs2);
-+ new_rhs3 = get_new_rhs(visited, potentionally_overflowed, rhs3);
++ new_rhs1 = get_new_rhs(visited, potentionally_overflowed, size_overflow_type, rhs1);
++ new_rhs2 = get_new_rhs(visited, potentionally_overflowed, size_overflow_type, rhs2);
++ new_rhs3 = get_new_rhs(visited, potentionally_overflowed, size_overflow_type, rhs3);
++
++ new_rhs1 = cast_to_new_size_overflow_type(def_stmt, new_rhs1, size_overflow_type, BEFORE_STMT);
++ new_rhs2 = cast_to_new_size_overflow_type(def_stmt, new_rhs2, size_overflow_type, BEFORE_STMT);
++ new_rhs3 = cast_to_new_size_overflow_type(def_stmt, new_rhs3, size_overflow_type, BEFORE_STMT);
+
-+ if (new_rhs1 == NULL_TREE && new_rhs2 != NULL_TREE && new_rhs3 != NULL_TREE)
-+ return dup_assign(visited, potentionally_overflowed, def_stmt, new_rhs1, new_rhs2, new_rhs3);
-+ error("handle_ternary_ops: unknown rhs");
-+ gcc_unreachable();
++ return dup_assign(visited, potentionally_overflowed, def_stmt, size_overflow_type, new_rhs1, new_rhs2, new_rhs3);
+}
+#endif
+
-+static void set_size_overflow_type(tree node)
++static tree get_size_overflow_type(gimple stmt, tree node)
+{
-+ switch (TYPE_MODE(TREE_TYPE(node))) {
++ tree type;
++
++ gcc_assert(node != NULL_TREE);
++
++ type = TREE_TYPE(node);
++
++ if (gimple_plf(stmt, MY_STMT))
++ return TREE_TYPE(node);
++
++ switch (TYPE_MODE(type)) {
++ case QImode:
++ return (TYPE_UNSIGNED(type)) ? unsigned_intHI_type_node : intHI_type_node;
++ case HImode:
++ return (TYPE_UNSIGNED(type)) ? unsigned_intSI_type_node : intSI_type_node;
+ case SImode:
-+ signed_size_overflow_type = intDI_type_node;
-+ unsigned_size_overflow_type = unsigned_intDI_type_node;
-+ break;
++ return (TYPE_UNSIGNED(type)) ? unsigned_intDI_type_node : intDI_type_node;
+ case DImode:
-+ if (LONG_TYPE_SIZE == GET_MODE_BITSIZE(SImode)) {
-+ signed_size_overflow_type = intDI_type_node;
-+ unsigned_size_overflow_type = unsigned_intDI_type_node;
-+ } else {
-+ signed_size_overflow_type = intTI_type_node;
-+ unsigned_size_overflow_type = unsigned_intTI_type_node;
-+ }
-+ break;
++ if (LONG_TYPE_SIZE == GET_MODE_BITSIZE(SImode))
++ return (TYPE_UNSIGNED(type)) ? unsigned_intDI_type_node : intDI_type_node;
++ return (TYPE_UNSIGNED(type)) ? unsigned_intTI_type_node : intTI_type_node;
+ default:
-+ error("set_size_overflow_type: unsupported gcc configuration.");
++ debug_tree((tree)node);
++ error("get_size_overflow_type: unsupported gcc configuration.");
+ gcc_unreachable();
+ }
+}
+
+static tree expand_visited(gimple def_stmt)
+{
-+ gimple tmp;
++ gimple next_stmt;
+ gimple_stmt_iterator gsi = gsi_for_stmt(def_stmt);
+
+ gsi_next(&gsi);
-+ tmp = gsi_stmt(gsi);
-+ switch (gimple_code(tmp)) {
++ next_stmt = gsi_stmt(gsi);
++
++ switch (gimple_code(next_stmt)) {
+ case GIMPLE_ASSIGN:
-+ return gimple_get_lhs(tmp);
++ return gimple_get_lhs(next_stmt);
+ case GIMPLE_PHI:
-+ return gimple_phi_result(tmp);
++ return gimple_phi_result(next_stmt);
+ case GIMPLE_CALL:
-+ return gimple_call_lhs(tmp);
++ return gimple_call_lhs(next_stmt);
+ default:
+ return NULL_TREE;
+ }
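Review bot: get_size_overflow_type has no comment on its `DImode` arm, where targets whose `LONG_TYPE_SIZE` equals the SImode width get `intDI_type_node`/`unsigned_intDI_type_node` back, a type no wider than the operand. Every other arm doubles the width, which is what lets check_size_overflow compare the widened value against the original type's bounds, so as far as the visible check goes a 64-bit wrap cannot be observed on those targets. I would state that limit in a comment on the `if`, for example `/* 32-bit long: DImode is not widened, so 64-bit overflows are not detected */`, so the plugin is not read as covering 64-bit sizes on 32-bit builds.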
@@ -84281,19 +86754,18 @@ index 0000000..cc96254
+ return NULL_TREE;
+
+ gcc_assert(code == INTEGER_TYPE || code == POINTER_TYPE || code == BOOLEAN_TYPE || code == ENUMERAL_TYPE);
-+ if (code != INTEGER_TYPE)
-+ return NULL_TREE;
+
-+ if (SSA_NAME_IS_DEFAULT_DEF(var)) {
++ if (TREE_CODE(SSA_NAME_VAR(var)) == PARM_DECL)
+ check_missing_attribute(var);
-+ return NULL_TREE;
-+ }
+
+ def_stmt = get_def_stmt(var);
+
+ if (!def_stmt)
+ return NULL_TREE;
+
++ if (gimple_plf(def_stmt, MY_STMT))
++ return var;
++
+ if (pointer_set_contains(visited, def_stmt))
+ return expand_visited(def_stmt);
+
@@ -84302,7 +86774,7 @@ index 0000000..cc96254
+ check_missing_attribute(var);
+ return NULL_TREE;
+ case GIMPLE_PHI:
-+ return build_new_phi(visited, potentionally_overflowed, def_stmt);
++ return build_new_phi(visited, potentionally_overflowed, var);
+ case GIMPLE_CALL:
+ case GIMPLE_ASM:
+ return create_assign(visited, potentionally_overflowed, def_stmt, var, AFTER_STMT);
@@ -84332,9 +86804,7 @@ index 0000000..cc96254
+
+ gcc_assert(gimple_code(stmt) == GIMPLE_CALL);
+
-+ assign = build_cast_stmt(origtype, newarg, CREATE_NEW_VAR, gimple_location(stmt));
-+ gsi_insert_before(&gsi, assign, GSI_SAME_STMT);
-+ update_stmt(assign);
++ assign = build_cast_stmt(origtype, newarg, CREATE_NEW_VAR, &gsi, BEFORE_STMT);
+
+ gimple_call_set_arg(stmt, argnum, gimple_get_lhs(assign));
+ update_stmt(stmt);
@@ -84371,7 +86841,9 @@ index 0000000..cc96254
+{
+ struct pointer_set_t *visited;
+ tree arg, newarg;
-+ bool potentionally_overflowed;
++ enum overflow_reason overflowed = OVERFLOW_NONE;
++ location_t loc;
++ enum marked is_marked;
+
+ arg = get_function_arg(argnum, stmt, fndecl);
+ if (arg == NULL_TREE)
@@ -84384,8 +86856,6 @@ index 0000000..cc96254
+
+ check_arg_type(arg);
+
-+ set_size_overflow_type(arg);
-+
+ visited = pointer_set_create();
+ potentionally_overflowed = false;
+ newarg = expand(visited, &potentionally_overflowed, arg);
@@ -84396,7 +86866,7 @@ index 0000000..cc96254
+
+ change_function_arg(stmt, arg, argnum, newarg);
+
-+ check_size_overflow(stmt, newarg, arg, &potentionally_overflowed);
++ check_size_overflow(stmt, TREE_TYPE(newarg), newarg, arg, &potentionally_overflowed, BEFORE_STMT);
+}
+
+static void handle_function_by_attribute(gimple stmt, tree attr, tree fndecl)
@@ -84424,14 +86894,29 @@ index 0000000..cc96254
+ handle_function_arg(stmt, fndecl, num - 1);
+}
+
++static void set_plf_false(void)
++{
++ basic_block bb;
++
++ FOR_ALL_BB(bb) {
++ gimple_stmt_iterator si;
++
++ for (si = gsi_start_bb(bb); !gsi_end_p(si); gsi_next(&si))
++ gimple_set_plf(gsi_stmt(si), MY_STMT, false);
++ for (si = gsi_start_phis(bb); !gsi_end_p(si); gsi_next(&si))
++ gimple_set_plf(gsi_stmt(si), MY_STMT, false);
++ }
++}
++
+static unsigned int handle_function(void)
+{
-+ basic_block bb = ENTRY_BLOCK_PTR->next_bb;
-+ int saved_last_basic_block = last_basic_block;
++ basic_block next, bb = ENTRY_BLOCK_PTR->next_bb;
++
++ set_plf_false();
+
+ do {
+ gimple_stmt_iterator gsi;
-+ basic_block next = bb->next_bb;
++ next = bb->next_bb;
+
+ for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
+ tree fndecl, attr;
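Review bot: set_plf_false clears only `MY_STMT`, while is_an_integer_trunction in an earlier hunk also sets the `NO_CAST_CHECK` pass-local flag on statements. GCC does not reset pass-local flags between passes, so a bit left set by an earlier pass could be read as `NO_CAST_CHECK` and presumably make the plugin skip a cast check on that statement; the code that reads the flag is outside the page. Clearing both flags in each loop closes that gap: `gimple_set_plf(gsi_stmt(si), NO_CAST_CHECK, false);`. handle_function continues past the end of this hunk.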
@@ -84444,15 +86929,16 @@ index 0000000..cc96254
+ continue;
+ if (gimple_call_num_args(stmt) == 0)
+ continue;
-+ attr = lookup_attribute("size_overflow", TYPE_ATTRIBUTES(TREE_TYPE(fndecl)));
++ attr = lookup_attribute("size_overflow", DECL_ATTRIBUTES(fndecl));
+ if (!attr || !TREE_VALUE(attr))
+ handle_function_by_hash(stmt, fndecl);
+ else
+ handle_function_by_attribute(stmt, attr, fndecl);
+ gsi = gsi_for_stmt(stmt);
++ next = gimple_bb(stmt)->next_bb;
+ }
+ bb = next;
-+ } while (bb && bb->index <= saved_last_basic_block);
++ } while (bb);
+ return 0;
+}
+
@@ -84480,11 +86966,12 @@ index 0000000..cc96254
+
+ const_char_ptr_type_node = build_pointer_type(build_type_variant(char_type_node, 1, 0));
+
-+ // void report_size_overflow(const char *loc_file, unsigned int loc_line, const char *current_func)
++ // void report_size_overflow(const char *loc_file, unsigned int loc_line, const char *current_func, const char *ssa_var)
+ fntype = build_function_type_list(void_type_node,
+ const_char_ptr_type_node,
+ unsigned_type_node,
+ const_char_ptr_type_node,
++ const_char_ptr_type_node,
+ NULL_TREE);
+ report_size_overflow_decl = build_fn_decl("report_size_overflow", fntype);
+
@@ -84492,6 +86979,7 @@ index 0000000..cc96254
+ TREE_PUBLIC(report_size_overflow_decl) = 1;
+ DECL_EXTERNAL(report_size_overflow_decl) = 1;
+ DECL_ARTIFICIAL(report_size_overflow_decl) = 1;
++ TREE_THIS_VOLATILE(report_size_overflow_decl) = 1;
+}
+
+int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
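Review bot: `TREE_THIS_VOLATILE(report_size_overflow_decl) = 1` carries no comment, and on a FUNCTION_DECL that flag tells GCC the function does not return. The optimiser may then drop whatever follows the inserted call in the overflow branch, so the runtime `report_size_overflow()` must never return to its caller; its definition is not on this page. A one-line comment would make that contract explicit: `/* noreturn: report_size_overflow() must not return */`. The function being edited starts outside this hunk.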
@@ -84524,7 +87012,7 @@ index 0000000..cc96254
+
+ register_callback(plugin_name, PLUGIN_INFO, NULL, &size_overflow_plugin_info);
+ if (enable) {
-+ register_callback ("start_unit", PLUGIN_START_UNIT, &start_unit_callback, NULL);
++ register_callback("start_unit", PLUGIN_START_UNIT, &start_unit_callback, NULL);
+ register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &size_overflow_pass_info);
+ }
+ register_callback(plugin_name, PLUGIN_ATTRIBUTES, register_attributes, NULL);
@@ -84533,7 +87021,7 @@ index 0000000..cc96254
+}
diff --git a/tools/gcc/stackleak_plugin.c b/tools/gcc/stackleak_plugin.c
new file mode 100644
-index 0000000..b87ec9d
+index 0000000..38d2014
--- /dev/null
+++ b/tools/gcc/stackleak_plugin.c
@@ -0,0 +1,313 @@
@@ -84806,13 +87294,13 @@ index 0000000..b87ec9d
+ .pass = &stackleak_tree_instrument_pass.pass,
+// .reference_pass_name = "tree_profile",
+ .reference_pass_name = "optimized",
-+ .ref_pass_instance_number = 0,
++ .ref_pass_instance_number = 1,
+ .pos_op = PASS_POS_INSERT_BEFORE
+ };
+ struct register_pass_info stackleak_final_pass_info = {
+ .pass = &stackleak_final_rtl_opt_pass.pass,
+ .reference_pass_name = "final",
-+ .ref_pass_instance_number = 0,
++ .ref_pass_instance_number = 1,
+ .pos_op = PASS_POS_INSERT_BEFORE
+ };
+
diff --git a/testing/linux-virt-grsec/kernelconfig.x86 b/testing/linux-virt-grsec/kernelconfig.x86
index bf72d2f68..f1633f262 100644
--- a/testing/linux-virt-grsec/kernelconfig.x86
+++ b/testing/linux-virt-grsec/kernelconfig.x86
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/i386 3.4.5 Kernel Configuration
+# Linux/i386 3.4.11 Kernel Configuration
#
# CONFIG_64BIT is not set
CONFIG_X86_32=y
@@ -3281,6 +3281,7 @@ CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_REFCOUNT=y
# CONFIG_PAX_USERCOPY is not set
# CONFIG_PAX_SIZE_OVERFLOW is not set
+# CONFIG_PAX_LATENT_ENTROPY is not set
#
# Memory Protections
diff --git a/testing/linux-virt-grsec/kernelconfig.x86_64 b/testing/linux-virt-grsec/kernelconfig.x86_64
index 7e4285d34..b63baab15 100644
--- a/testing/linux-virt-grsec/kernelconfig.x86_64
+++ b/testing/linux-virt-grsec/kernelconfig.x86_64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 3.4.5 Kernel Configuration
+# Linux/x86_64 3.4.11 Kernel Configuration
#
CONFIG_64BIT=y
# CONFIG_X86_32 is not set
@@ -3230,6 +3230,7 @@ CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_REFCOUNT=y
# CONFIG_PAX_USERCOPY is not set
# CONFIG_PAX_SIZE_OVERFLOW is not set
+# CONFIG_PAX_LATENT_ENTROPY is not set
#
# Memory Protections