summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--testing/linux-virt-grsec/APKBUILD10
-rw-r--r--testing/linux-virt-grsec/grsecurity-2.9-3.3.8-201206042136.patch (renamed from testing/linux-virt-grsec/grsecurity-2.9-3.3.7-201205261259.patch)908
2 files changed, 534 insertions, 384 deletions
diff --git a/testing/linux-virt-grsec/APKBUILD b/testing/linux-virt-grsec/APKBUILD
index 08a58fd32..d50f478f1 100644
--- a/testing/linux-virt-grsec/APKBUILD
+++ b/testing/linux-virt-grsec/APKBUILD
@@ -2,7 +2,7 @@
_flavor=grsec
pkgname=linux-virt-${_flavor}
-pkgver=3.3.7
+pkgver=3.3.8
_kernver=3.3
pkgrel=3
pkgdesc="Linux kernel with grsecurity"
@@ -14,8 +14,7 @@ _config=${config:-kernelconfig.${CARCH}}
install=
source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
- grsecurity-2.9-3.3.7-201205261259.patch
- pax-out-of-tree-workaround.patch
+ grsecurity-2.9-3.3.8-201206042136.patch
xen-xsave.patch
kernelconfig.x86
@@ -137,8 +136,7 @@ dev() {
}
md5sums="7133f5a2086a7d7ef97abac610c094f5 linux-3.3.tar.xz
-622a3b43238559aeb778279969631260 patch-3.3.7.xz
-097be38de4ae03e4d9dbec3217b15afb grsecurity-2.9-3.3.7-201205261259.patch
-1aa70cff67ae2cca7cf1b8be83573eae pax-out-of-tree-workaround.patch
+e1714b5136a7f4dab1b5d2d7f98e2891 patch-3.3.8.xz
+4a97aa5ad465a5d829e88c8234f75417 grsecurity-2.9-3.3.8-201206042136.patch
0d095dbf194d5609ad260ecd3f0ab15d xen-xsave.patch
db2bba20ed88080a1d78ca5cc26f6ae1 kernelconfig.x86"
diff --git a/testing/linux-virt-grsec/grsecurity-2.9-3.3.7-201205261259.patch b/testing/linux-virt-grsec/grsecurity-2.9-3.3.8-201206042136.patch
index be98c7f60..e7f177dc8 100644
--- a/testing/linux-virt-grsec/grsecurity-2.9-3.3.7-201205261259.patch
+++ b/testing/linux-virt-grsec/grsecurity-2.9-3.3.8-201206042136.patch
@@ -195,7 +195,7 @@ index d99fd9c..8689fef 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index 073f74f..b379941 100644
+index db96149..f101728 100644
--- a/Makefile
+++ b/Makefile
@@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -210,17 +210,6 @@ index 073f74f..b379941 100644
# Decide whether to build built-in, modular, or both.
# Normally, just do built-in.
-@@ -357,8 +358,8 @@ CFLAGS_GCOV = -fprofile-arcs -ftest-coverage
-
- # Use LINUXINCLUDE when you must reference the include/ directory.
- # Needed to be compatible with the O= option
--LINUXINCLUDE := -I$(srctree)/arch/$(hdr-arch)/include \
-- -Iarch/$(hdr-arch)/include/generated -Iinclude \
-+LINUXINCLUDE := -isystem arch/$(hdr-arch)/include \
-+ -isystem arch/$(hdr-arch)/include/generated -isystem include \
- $(if $(KBUILD_SRC), -I$(srctree)/include) \
- -include $(srctree)/include/linux/kconfig.h
-
@@ -407,8 +408,8 @@ export RCS_TAR_IGNORE := --exclude SCCS --exclude BitKeeper --exclude .svn --exc
# Rules shared between *config targets and build targets
@@ -323,7 +312,7 @@ index 073f74f..b379941 100644
prepare: prepare0
# Generate some files
-@@ -1089,6 +1142,8 @@ all: modules
+@@ -1092,6 +1145,8 @@ all: modules
# using awk while concatenating to the final file.
PHONY += modules
@@ -332,7 +321,7 @@ index 073f74f..b379941 100644
modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin
$(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order
@$(kecho) ' Building modules, stage 2.';
-@@ -1104,7 +1159,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin)
+@@ -1107,7 +1162,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin)
# Target to prepare building external modules
PHONY += modules_prepare
@@ -341,7 +330,7 @@ index 073f74f..b379941 100644
# Target to install modules
PHONY += modules_install
-@@ -1201,6 +1256,7 @@ distclean: mrproper
+@@ -1204,6 +1259,7 @@ distclean: mrproper
\( -name '*.orig' -o -name '*.rej' -o -name '*~' \
-o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
-o -name '.*.rej' \
@@ -349,7 +338,7 @@ index 073f74f..b379941 100644
-o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \
-type f -print | xargs rm -f
-@@ -1361,6 +1417,8 @@ PHONY += $(module-dirs) modules
+@@ -1364,6 +1420,8 @@ PHONY += $(module-dirs) modules
$(module-dirs): crmodverdir $(objtree)/Module.symvers
$(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
@@ -358,7 +347,7 @@ index 073f74f..b379941 100644
modules: $(module-dirs)
@$(kecho) ' Building modules, stage 2.';
$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
-@@ -1487,17 +1545,21 @@ else
+@@ -1490,17 +1548,21 @@ else
target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
endif
@@ -384,7 +373,7 @@ index 073f74f..b379941 100644
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
%.symtypes: %.c prepare scripts FORCE
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
-@@ -1507,11 +1569,15 @@ endif
+@@ -1510,11 +1572,15 @@ endif
$(cmd_crmodverdir)
$(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
$(build)=$(build-dir)
@@ -1336,7 +1325,7 @@ index 75fe66b..2255c86 100644
/*
* Memory returned by kmalloc() may be used for DMA, so we must make
diff --git a/arch/arm/include/asm/cacheflush.h b/arch/arm/include/asm/cacheflush.h
-index d5d8d5c..ad92c96 100644
+index 1252a26..9dc17b5 100644
--- a/arch/arm/include/asm/cacheflush.h
+++ b/arch/arm/include/asm/cacheflush.h
@@ -108,7 +108,7 @@ struct cpu_cache_fns {
@@ -1655,7 +1644,7 @@ index a255c39..4a19b25 100644
#endif
diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
-index f84dfe6..13e94f7 100644
+index 504b28a..62f7a7d 100644
--- a/arch/arm/kernel/traps.c
+++ b/arch/arm/kernel/traps.c
@@ -259,6 +259,8 @@ static int __die(const char *str, int err, struct thread_info *thread, struct pt
@@ -7717,7 +7706,7 @@ index e46c214..7c72b55 100644
This option helps catch unintended modifications to loadable
kernel module's text and read-only data. It also prevents execution
diff --git a/arch/x86/Makefile b/arch/x86/Makefile
-index 209ba12..15140db 100644
+index 015f0c5..b405802 100644
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -46,6 +46,7 @@ else
@@ -7728,7 +7717,7 @@ index 209ba12..15140db 100644
KBUILD_AFLAGS += -m64
KBUILD_CFLAGS += -m64
-@@ -201,3 +202,12 @@ define archhelp
+@@ -205,3 +206,12 @@ define archhelp
echo ' FDARGS="..." arguments for the booted kernel'
echo ' FDINITRD=file initrd for the booted kernel'
endef
@@ -7800,7 +7789,7 @@ index c7093bd..d4247ffe0 100644
return diff;
}
diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
-index fd55a2f..217b501 100644
+index e398bb5..3a382ca 100644
--- a/arch/x86/boot/compressed/Makefile
+++ b/arch/x86/boot/compressed/Makefile
@@ -14,6 +14,9 @@ cflags-$(CONFIG_X86_64) := -mcmodel=small
@@ -7909,201 +7898,6 @@ index 7116dcb..d9ae1d7 100644
error("Wrong destination address");
#endif
-diff --git a/arch/x86/boot/compressed/relocs.c b/arch/x86/boot/compressed/relocs.c
-index e77f4e4..17e511f 100644
---- a/arch/x86/boot/compressed/relocs.c
-+++ b/arch/x86/boot/compressed/relocs.c
-@@ -13,8 +13,11 @@
-
- static void die(char *fmt, ...);
-
-+#include "../../../../include/generated/autoconf.h"
-+
- #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
- static Elf32_Ehdr ehdr;
-+static Elf32_Phdr *phdr;
- static unsigned long reloc_count, reloc_idx;
- static unsigned long *relocs;
-
-@@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
- }
- }
-
-+static void read_phdrs(FILE *fp)
-+{
-+ unsigned int i;
-+
-+ phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
-+ if (!phdr) {
-+ die("Unable to allocate %d program headers\n",
-+ ehdr.e_phnum);
-+ }
-+ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
-+ die("Seek to %d failed: %s\n",
-+ ehdr.e_phoff, strerror(errno));
-+ }
-+ if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
-+ die("Cannot read ELF program headers: %s\n",
-+ strerror(errno));
-+ }
-+ for(i = 0; i < ehdr.e_phnum; i++) {
-+ phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
-+ phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
-+ phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
-+ phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
-+ phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
-+ phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
-+ phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
-+ phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
-+ }
-+
-+}
-+
- static void read_shdrs(FILE *fp)
- {
-- int i;
-+ unsigned int i;
- Elf32_Shdr shdr;
-
- secs = calloc(ehdr.e_shnum, sizeof(struct section));
-@@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
-
- static void read_strtabs(FILE *fp)
- {
-- int i;
-+ unsigned int i;
- for (i = 0; i < ehdr.e_shnum; i++) {
- struct section *sec = &secs[i];
- if (sec->shdr.sh_type != SHT_STRTAB) {
-@@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
-
- static void read_symtabs(FILE *fp)
- {
-- int i,j;
-+ unsigned int i,j;
- for (i = 0; i < ehdr.e_shnum; i++) {
- struct section *sec = &secs[i];
- if (sec->shdr.sh_type != SHT_SYMTAB) {
-@@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
-
- static void read_relocs(FILE *fp)
- {
-- int i,j;
-+ unsigned int i,j;
-+ uint32_t base;
-+
- for (i = 0; i < ehdr.e_shnum; i++) {
- struct section *sec = &secs[i];
- if (sec->shdr.sh_type != SHT_REL) {
-@@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
- die("Cannot read symbol table: %s\n",
- strerror(errno));
- }
-+ base = 0;
-+ for (j = 0; j < ehdr.e_phnum; j++) {
-+ if (phdr[j].p_type != PT_LOAD )
-+ continue;
-+ if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
-+ continue;
-+ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
-+ break;
-+ }
- for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
- Elf32_Rel *rel = &sec->reltab[j];
-- rel->r_offset = elf32_to_cpu(rel->r_offset);
-+ rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
- rel->r_info = elf32_to_cpu(rel->r_info);
- }
- }
-@@ -396,13 +440,13 @@ static void read_relocs(FILE *fp)
-
- static void print_absolute_symbols(void)
- {
-- int i;
-+ unsigned int i;
- printf("Absolute symbols\n");
- printf(" Num: Value Size Type Bind Visibility Name\n");
- for (i = 0; i < ehdr.e_shnum; i++) {
- struct section *sec = &secs[i];
- char *sym_strtab;
-- int j;
-+ unsigned int j;
-
- if (sec->shdr.sh_type != SHT_SYMTAB) {
- continue;
-@@ -429,14 +473,14 @@ static void print_absolute_symbols(void)
-
- static void print_absolute_relocs(void)
- {
-- int i, printed = 0;
-+ unsigned int i, printed = 0;
-
- for (i = 0; i < ehdr.e_shnum; i++) {
- struct section *sec = &secs[i];
- struct section *sec_applies, *sec_symtab;
- char *sym_strtab;
- Elf32_Sym *sh_symtab;
-- int j;
-+ unsigned int j;
- if (sec->shdr.sh_type != SHT_REL) {
- continue;
- }
-@@ -497,13 +541,13 @@ static void print_absolute_relocs(void)
-
- static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
- {
-- int i;
-+ unsigned int i;
- /* Walk through the relocations */
- for (i = 0; i < ehdr.e_shnum; i++) {
- char *sym_strtab;
- Elf32_Sym *sh_symtab;
- struct section *sec_applies, *sec_symtab;
-- int j;
-+ unsigned int j;
- struct section *sec = &secs[i];
-
- if (sec->shdr.sh_type != SHT_REL) {
-@@ -528,6 +572,22 @@ static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
- !is_rel_reloc(sym_name(sym_strtab, sym))) {
- continue;
- }
-+ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
-+ if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
-+ continue;
-+
-+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
-+ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
-+ if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
-+ continue;
-+ if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
-+ continue;
-+ if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
-+ continue;
-+ if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
-+ continue;
-+#endif
-+
- switch (r_type) {
- case R_386_NONE:
- case R_386_PC32:
-@@ -569,7 +629,7 @@ static int cmp_relocs(const void *va, const void *vb)
-
- static void emit_relocs(int as_text)
- {
-- int i;
-+ unsigned int i;
- /* Count how many relocations I have and allocate space for them. */
- reloc_count = 0;
- walk_relocs(count_reloc);
-@@ -663,6 +723,7 @@ int main(int argc, char **argv)
- fname, strerror(errno));
- }
- read_ehdr(fp);
-+ read_phdrs(fp);
- read_shdrs(fp);
- read_strtabs(fp);
- read_symtabs(fp);
diff --git a/arch/x86/boot/cpucheck.c b/arch/x86/boot/cpucheck.c
index 4d3ff03..e4972ff 100644
--- a/arch/x86/boot/cpucheck.c
@@ -10982,7 +10776,7 @@ index 5f55e69..e20bfb1 100644
#ifdef CONFIG_SMP
diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
-index 6902152..399f3a2 100644
+index 6902152..da4283a 100644
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -24,6 +24,18 @@ void destroy_context(struct mm_struct *mm);
@@ -11025,8 +10819,8 @@ index 6902152..399f3a2 100644
/* Re-load page tables */
+#ifdef CONFIG_PAX_PER_CPU_PGD
+ pax_open_kernel();
-+ __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
-+ __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
++ __clone_user_pgds(get_cpu_pgd(cpu), next->pgd);
++ __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd);
+ pax_close_kernel();
+ load_cr3(get_cpu_pgd(cpu));
+#else
@@ -11065,8 +10859,8 @@ index 6902152..399f3a2 100644
+
+#ifdef CONFIG_PAX_PER_CPU_PGD
+ pax_open_kernel();
-+ __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
-+ __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
++ __clone_user_pgds(get_cpu_pgd(cpu), next->pgd);
++ __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd);
+ pax_close_kernel();
+ load_cr3(get_cpu_pgd(cpu));
+#endif
@@ -11452,7 +11246,7 @@ index effff47..bbb8295 100644
/*
diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
-index 49afb3f..ed14d07 100644
+index 49afb3f..91a8c63 100644
--- a/arch/x86/include/asm/pgtable.h
+++ b/arch/x86/include/asm/pgtable.h
@@ -44,6 +44,7 @@ extern struct mm_struct *pgd_page_get_mm(struct page *page);
@@ -11621,13 +11415,13 @@ index 49afb3f..ed14d07 100644
}
+#ifdef CONFIG_PAX_PER_CPU_PGD
-+extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
++extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src);
+#endif
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
-+extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
++extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src);
+#else
-+static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
++static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src) {}
+#endif
#include <asm-generic/pgtable.h>
@@ -14357,7 +14151,7 @@ index 3e6ff6c..54b4992 100644
}
#endif
diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
-index 5a11ae2..a1a1c8a 100644
+index dee004f..327a57e 100644
--- a/arch/x86/kernel/cpu/mcheck/mce.c
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
@@ -42,6 +42,7 @@
@@ -14408,7 +14202,7 @@ index 5a11ae2..a1a1c8a 100644
return;
}
/* First print corrected ones that are still unlogged */
-@@ -658,7 +659,7 @@ static int mce_timed_out(u64 *t)
+@@ -666,7 +667,7 @@ static int mce_timed_out(u64 *t)
* might have been modified by someone else.
*/
rmb();
@@ -14417,7 +14211,7 @@ index 5a11ae2..a1a1c8a 100644
wait_for_panic();
if (!monarch_timeout)
goto out;
-@@ -1446,7 +1447,7 @@ static void unexpected_machine_check(struct pt_regs *regs, long error_code)
+@@ -1454,7 +1455,7 @@ static void unexpected_machine_check(struct pt_regs *regs, long error_code)
}
/* Call the installed machine check handler for this CPU setup. */
@@ -14426,7 +14220,7 @@ index 5a11ae2..a1a1c8a 100644
unexpected_machine_check;
/*
-@@ -1469,7 +1470,9 @@ void __cpuinit mcheck_cpu_init(struct cpuinfo_x86 *c)
+@@ -1477,7 +1478,9 @@ void __cpuinit mcheck_cpu_init(struct cpuinfo_x86 *c)
return;
}
@@ -14436,7 +14230,7 @@ index 5a11ae2..a1a1c8a 100644
__mcheck_cpu_init_generic();
__mcheck_cpu_init_vendor(c);
-@@ -1483,7 +1486,7 @@ void __cpuinit mcheck_cpu_init(struct cpuinfo_x86 *c)
+@@ -1491,7 +1494,7 @@ void __cpuinit mcheck_cpu_init(struct cpuinfo_x86 *c)
*/
static DEFINE_SPINLOCK(mce_chrdev_state_lock);
@@ -14445,7 +14239,7 @@ index 5a11ae2..a1a1c8a 100644
static int mce_chrdev_open_exclu; /* already open exclusive? */
static int mce_chrdev_open(struct inode *inode, struct file *file)
-@@ -1491,7 +1494,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file)
+@@ -1499,7 +1502,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file)
spin_lock(&mce_chrdev_state_lock);
if (mce_chrdev_open_exclu ||
@@ -14454,7 +14248,7 @@ index 5a11ae2..a1a1c8a 100644
spin_unlock(&mce_chrdev_state_lock);
return -EBUSY;
-@@ -1499,7 +1502,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file)
+@@ -1507,7 +1510,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file)
if (file->f_flags & O_EXCL)
mce_chrdev_open_exclu = 1;
@@ -14463,7 +14257,7 @@ index 5a11ae2..a1a1c8a 100644
spin_unlock(&mce_chrdev_state_lock);
-@@ -1510,7 +1513,7 @@ static int mce_chrdev_release(struct inode *inode, struct file *file)
+@@ -1518,7 +1521,7 @@ static int mce_chrdev_release(struct inode *inode, struct file *file)
{
spin_lock(&mce_chrdev_state_lock);
@@ -14472,7 +14266,7 @@ index 5a11ae2..a1a1c8a 100644
mce_chrdev_open_exclu = 0;
spin_unlock(&mce_chrdev_state_lock);
-@@ -2229,7 +2232,7 @@ struct dentry *mce_get_debugfs_dir(void)
+@@ -2237,7 +2240,7 @@ struct dentry *mce_get_debugfs_dir(void)
static void mce_reset(void)
{
cpu_missing = 0;
@@ -24685,7 +24479,7 @@ index 8ecbb4b..a269cab 100644
}
if (mm->get_unmapped_area == arch_get_unmapped_area)
diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
-index 6cabf65..00139c4 100644
+index 6cabf65..74565da 100644
--- a/arch/x86/mm/init.c
+++ b/arch/x86/mm/init.c
@@ -17,6 +17,8 @@
@@ -24762,7 +24556,7 @@ index 6cabf65..00139c4 100644
+ }
+ if (ebda_addr && ebda_size) {
+ ebda_start = ebda_addr >> PAGE_SHIFT;
-+ ebda_end = min(PAGE_ALIGN(ebda_addr + ebda_size), 0xa0000) >> PAGE_SHIFT;
++ ebda_end = min((unsigned int)PAGE_ALIGN(ebda_addr + ebda_size), (unsigned int)0xa0000) >> PAGE_SHIFT;
+ } else {
+ ebda_start = 0x9f000 >> PAGE_SHIFT;
+ ebda_end = 0xa0000 >> PAGE_SHIFT;
@@ -24780,6 +24574,11 @@ index 6cabf65..00139c4 100644
+ unsigned long addr, limit;
+ struct desc_struct d;
+ int cpu;
++#else
++ pgd_t *pgd;
++ pud_t *pud;
++ pmd_t *pmd;
++ unsigned long addr, end;
+#endif
+#endif
+
@@ -24825,11 +24624,6 @@ index 6cabf65..00139c4 100644
+#endif
+
+#else
-+ pgd_t *pgd;
-+ pud_t *pud;
-+ pmd_t *pmd;
-+ unsigned long addr, end;
-+
+ /* PaX: make kernel code/rodata read-only, rest non-executable */
+ for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
+ pgd = pgd_offset_k(addr);
@@ -25701,10 +25495,10 @@ index 9f0614d..92ae64a 100644
p += get_opcode(p, &opcode);
for (i = 0; i < ARRAY_SIZE(imm_wop); i++)
diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
-index 8573b83..7d9628f 100644
+index 8573b83..4f3ed7e 100644
--- a/arch/x86/mm/pgtable.c
+++ b/arch/x86/mm/pgtable.c
-@@ -84,10 +84,60 @@ static inline void pgd_list_del(pgd_t *pgd)
+@@ -84,10 +84,64 @@ static inline void pgd_list_del(pgd_t *pgd)
list_del(&page->lru);
}
@@ -25713,16 +25507,20 @@ index 8573b83..7d9628f 100644
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
-+void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
++void __shadow_user_pgds(pgd_t *dst, const pgd_t *src)
+{
++ unsigned int count = USER_PGD_PTRS;
+
+ while (count--)
+ *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
+}
+#endif
-
++
+#ifdef CONFIG_PAX_PER_CPU_PGD
-+void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
++void __clone_user_pgds(pgd_t *dst, const pgd_t *src)
+{
++ unsigned int count = USER_PGD_PTRS;
++
+ while (count--) {
+ pgd_t pgd;
+
@@ -25767,7 +25565,7 @@ index 8573b83..7d9628f 100644
static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
{
BUILD_BUG_ON(sizeof(virt_to_page(pgd)->index) < sizeof(mm));
-@@ -128,6 +178,7 @@ static void pgd_dtor(pgd_t *pgd)
+@@ -128,6 +182,7 @@ static void pgd_dtor(pgd_t *pgd)
pgd_list_del(pgd);
spin_unlock(&pgd_lock);
}
@@ -25775,7 +25573,7 @@ index 8573b83..7d9628f 100644
/*
* List of all pgd's needed for non-PAE so it can invalidate entries
-@@ -140,7 +191,7 @@ static void pgd_dtor(pgd_t *pgd)
+@@ -140,7 +195,7 @@ static void pgd_dtor(pgd_t *pgd)
* -- wli
*/
@@ -25784,7 +25582,7 @@ index 8573b83..7d9628f 100644
/*
* In PAE mode, we need to do a cr3 reload (=tlb flush) when
* updating the top-level pagetable entries to guarantee the
-@@ -152,7 +203,7 @@ static void pgd_dtor(pgd_t *pgd)
+@@ -152,7 +207,7 @@ static void pgd_dtor(pgd_t *pgd)
* not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
* and initialize the kernel pmds here.
*/
@@ -25793,7 +25591,7 @@ index 8573b83..7d9628f 100644
void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
{
-@@ -170,36 +221,38 @@ void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
+@@ -170,36 +225,38 @@ void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
*/
flush_tlb_mm(mm);
}
@@ -25843,7 +25641,7 @@ index 8573b83..7d9628f 100644
return -ENOMEM;
}
-@@ -212,51 +265,55 @@ static int preallocate_pmds(pmd_t *pmds[])
+@@ -212,51 +269,55 @@ static int preallocate_pmds(pmd_t *pmds[])
* preallocate which never got a corresponding vma will need to be
* freed manually.
*/
@@ -25916,7 +25714,7 @@ index 8573b83..7d9628f 100644
pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
-@@ -265,11 +322,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
+@@ -265,11 +326,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
mm->pgd = pgd;
@@ -25930,7 +25728,7 @@ index 8573b83..7d9628f 100644
/*
* Make sure that pre-populating the pmds is atomic with
-@@ -279,14 +336,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
+@@ -279,14 +340,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
spin_lock(&pgd_lock);
pgd_ctor(mm, pgd);
@@ -25948,7 +25746,7 @@ index 8573b83..7d9628f 100644
out_free_pgd:
free_page((unsigned long)pgd);
out:
-@@ -295,7 +352,7 @@ out:
+@@ -295,7 +356,7 @@ out:
void pgd_free(struct mm_struct *mm, pgd_t *pgd)
{
@@ -26852,6 +26650,206 @@ index f10c0af..3ec1f95 100644
syscall_init(); /* This sets MSR_*STAR and related */
#endif
+diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c
+index b685296..5cdc8ad 100644
+--- a/arch/x86/tools/relocs.c
++++ b/arch/x86/tools/relocs.c
+@@ -14,8 +14,16 @@
+
+ static void die(char *fmt, ...);
+
++#include "../../../include/generated/autoconf.h"
++#ifdef CONFIG_X86_32
++#define __PAGE_OFFSET CONFIG_PAGE_OFFSET
++#else
++#define __PAGE_OFFSET 0
++#endif
++
+ #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+ static Elf32_Ehdr ehdr;
++static Elf32_Phdr *phdr;
+ static unsigned long reloc_count, reloc_idx;
+ static unsigned long *relocs;
+ static unsigned long reloc16_count, reloc16_idx;
+@@ -323,9 +331,39 @@ static void read_ehdr(FILE *fp)
+ }
+ }
+
++static void read_phdrs(FILE *fp)
++{
++ unsigned int i;
++
++ phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
++ if (!phdr) {
++ die("Unable to allocate %d program headers\n",
++ ehdr.e_phnum);
++ }
++ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
++ die("Seek to %d failed: %s\n",
++ ehdr.e_phoff, strerror(errno));
++ }
++ if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
++ die("Cannot read ELF program headers: %s\n",
++ strerror(errno));
++ }
++ for(i = 0; i < ehdr.e_phnum; i++) {
++ phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
++ phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
++ phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
++ phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
++ phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
++ phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
++ phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
++ phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
++ }
++
++}
++
+ static void read_shdrs(FILE *fp)
+ {
+- int i;
++ unsigned int i;
+ Elf32_Shdr shdr;
+
+ secs = calloc(ehdr.e_shnum, sizeof(struct section));
+@@ -360,7 +398,7 @@ static void read_shdrs(FILE *fp)
+
+ static void read_strtabs(FILE *fp)
+ {
+- int i;
++ unsigned int i;
+ for (i = 0; i < ehdr.e_shnum; i++) {
+ struct section *sec = &secs[i];
+ if (sec->shdr.sh_type != SHT_STRTAB) {
+@@ -385,7 +423,7 @@ static void read_strtabs(FILE *fp)
+
+ static void read_symtabs(FILE *fp)
+ {
+- int i,j;
++ unsigned int i,j;
+ for (i = 0; i < ehdr.e_shnum; i++) {
+ struct section *sec = &secs[i];
+ if (sec->shdr.sh_type != SHT_SYMTAB) {
+@@ -418,7 +456,9 @@ static void read_symtabs(FILE *fp)
+
+ static void read_relocs(FILE *fp)
+ {
+- int i,j;
++ unsigned int i,j;
++ uint32_t base;
++
+ for (i = 0; i < ehdr.e_shnum; i++) {
+ struct section *sec = &secs[i];
+ if (sec->shdr.sh_type != SHT_REL) {
+@@ -438,9 +478,18 @@ static void read_relocs(FILE *fp)
+ die("Cannot read symbol table: %s\n",
+ strerror(errno));
+ }
++ base = 0;
++ for (j = 0; j < ehdr.e_phnum; j++) {
++ if (phdr[j].p_type != PT_LOAD )
++ continue;
++ if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
++ continue;
++ base = __PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
++ break;
++ }
+ for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
+ Elf32_Rel *rel = &sec->reltab[j];
+- rel->r_offset = elf32_to_cpu(rel->r_offset);
++ rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
+ rel->r_info = elf32_to_cpu(rel->r_info);
+ }
+ }
+@@ -449,13 +498,13 @@ static void read_relocs(FILE *fp)
+
+ static void print_absolute_symbols(void)
+ {
+- int i;
++ unsigned int i;
+ printf("Absolute symbols\n");
+ printf(" Num: Value Size Type Bind Visibility Name\n");
+ for (i = 0; i < ehdr.e_shnum; i++) {
+ struct section *sec = &secs[i];
+ char *sym_strtab;
+- int j;
++ unsigned int j;
+
+ if (sec->shdr.sh_type != SHT_SYMTAB) {
+ continue;
+@@ -482,14 +531,14 @@ static void print_absolute_symbols(void)
+
+ static void print_absolute_relocs(void)
+ {
+- int i, printed = 0;
++ unsigned int i, printed = 0;
+
+ for (i = 0; i < ehdr.e_shnum; i++) {
+ struct section *sec = &secs[i];
+ struct section *sec_applies, *sec_symtab;
+ char *sym_strtab;
+ Elf32_Sym *sh_symtab;
+- int j;
++ unsigned int j;
+ if (sec->shdr.sh_type != SHT_REL) {
+ continue;
+ }
+@@ -551,13 +600,13 @@ static void print_absolute_relocs(void)
+ static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym),
+ int use_real_mode)
+ {
+- int i;
++ unsigned int i;
+ /* Walk through the relocations */
+ for (i = 0; i < ehdr.e_shnum; i++) {
+ char *sym_strtab;
+ Elf32_Sym *sh_symtab;
+ struct section *sec_applies, *sec_symtab;
+- int j;
++ unsigned int j;
+ struct section *sec = &secs[i];
+
+ if (sec->shdr.sh_type != SHT_REL) {
+@@ -583,6 +632,22 @@ static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym),
+
+ shn_abs = sym->st_shndx == SHN_ABS;
+
++ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
++ if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
++ continue;
++
++#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
++ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
++ if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
++ continue;
++ if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
++ continue;
++ if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
++ continue;
++ if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
++ continue;
++#endif
++
+ switch (r_type) {
+ case R_386_NONE:
+ case R_386_PC32:
+@@ -674,7 +739,7 @@ static int write32(unsigned int v, FILE *f)
+
+ static void emit_relocs(int as_text, int use_real_mode)
+ {
+- int i;
++ unsigned int i;
+ /* Count how many relocations I have and allocate space for them. */
+ reloc_count = 0;
+ walk_relocs(count_reloc, use_real_mode);
+@@ -801,6 +866,7 @@ int main(int argc, char **argv)
+ fname, strerror(errno));
+ }
+ read_ehdr(fp);
++ read_phdrs(fp);
+ read_shdrs(fp);
+ read_strtabs(fp);
+ read_symtabs(fp);
diff --git a/arch/x86/vdso/Makefile b/arch/x86/vdso/Makefile
index 5d17950..2253fc9 100644
--- a/arch/x86/vdso/Makefile
@@ -27025,7 +27023,7 @@ index 153407c..611cba9 100644
-}
-__setup("vdso=", vdso_setup);
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index 4e517d4..68a48f5 100644
+index 4e517d4..8426127 100644
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -86,8 +86,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
@@ -27037,7 +27035,18 @@ index 4e517d4..68a48f5 100644
RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
__read_mostly int xen_have_vector_callback;
EXPORT_SYMBOL_GPL(xen_have_vector_callback);
-@@ -1030,30 +1028,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
+@@ -982,7 +980,10 @@ static const struct pv_cpu_ops xen_cpu_ops __initconst = {
+ .wbinvd = native_wbinvd,
+
+ .read_msr = native_read_msr_safe,
++ .rdmsr_regs = native_rdmsr_safe_regs,
+ .write_msr = xen_write_msr_safe,
++ .wrmsr_regs = native_wrmsr_safe_regs,
++
+ .read_tsc = native_read_tsc,
+ .read_pmc = native_read_pmc,
+
+@@ -1030,30 +1031,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
#endif
};
@@ -27075,7 +27084,7 @@ index 4e517d4..68a48f5 100644
{
if (pm_power_off)
pm_power_off();
-@@ -1156,7 +1154,17 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1156,7 +1157,17 @@ asmlinkage void __init xen_start_kernel(void)
__userpte_alloc_gfp &= ~__GFP_HIGHMEM;
/* Work out if we support NX */
@@ -27094,7 +27103,7 @@ index 4e517d4..68a48f5 100644
xen_setup_features();
-@@ -1187,13 +1195,6 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1187,13 +1198,6 @@ asmlinkage void __init xen_start_kernel(void)
machine_ops = xen_machine_ops;
@@ -28703,6 +28712,25 @@ index 8493536..31adee0 100644
if (err)
printk(KERN_INFO "devtmpfs: error mounting %i\n", err);
else
+diff --git a/drivers/base/node.c b/drivers/base/node.c
+index 90aa2a1..af1a177 100644
+--- a/drivers/base/node.c
++++ b/drivers/base/node.c
+@@ -592,11 +592,9 @@ static ssize_t print_nodes_state(enum node_states state, char *buf)
+ {
+ int n;
+
+- n = nodelist_scnprintf(buf, PAGE_SIZE, node_states[state]);
+- if (n > 0 && PAGE_SIZE > n + 1) {
+- *(buf + n++) = '\n';
+- *(buf + n++) = '\0';
+- }
++ n = nodelist_scnprintf(buf, PAGE_SIZE-2, node_states[state]);
++ buf[n++] = '\n';
++ buf[n] = '\0';
+ return n;
+ }
+
diff --git a/drivers/base/power/wakeup.c b/drivers/base/power/wakeup.c
index caf995f..6f76697 100644
--- a/drivers/base/power/wakeup.c
@@ -30629,10 +30657,10 @@ index e159e33..cdcc663 100644
for (i = 0; i < count; i++) {
char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c
-index 5bd4361..0241a42 100644
+index 307c5e6..a1e4216 100644
--- a/drivers/gpu/drm/i915/i915_irq.c
+++ b/drivers/gpu/drm/i915/i915_irq.c
-@@ -475,7 +475,7 @@ static irqreturn_t ivybridge_irq_handler(DRM_IRQ_ARGS)
+@@ -472,7 +472,7 @@ static irqreturn_t ivybridge_irq_handler(DRM_IRQ_ARGS)
u32 de_iir, gt_iir, de_ier, pch_iir, pm_iir;
struct drm_i915_master_private *master_priv;
@@ -30641,7 +30669,7 @@ index 5bd4361..0241a42 100644
/* disable master interrupt before clearing iir */
de_ier = I915_READ(DEIER);
-@@ -566,7 +566,7 @@ static irqreturn_t ironlake_irq_handler(DRM_IRQ_ARGS)
+@@ -563,7 +563,7 @@ static irqreturn_t ironlake_irq_handler(DRM_IRQ_ARGS)
struct drm_i915_master_private *master_priv;
u32 bsd_usr_interrupt = GT_BSD_USER_INTERRUPT;
@@ -30650,7 +30678,7 @@ index 5bd4361..0241a42 100644
if (IS_GEN6(dev))
bsd_usr_interrupt = GT_GEN6_BSD_USER_INTERRUPT;
-@@ -1231,7 +1231,7 @@ static irqreturn_t i915_driver_irq_handler(DRM_IRQ_ARGS)
+@@ -1228,7 +1228,7 @@ static irqreturn_t i915_driver_irq_handler(DRM_IRQ_ARGS)
int ret = IRQ_NONE, pipe;
bool blc_event = false;
@@ -30659,7 +30687,7 @@ index 5bd4361..0241a42 100644
iir = I915_READ(IIR);
-@@ -1743,7 +1743,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev)
+@@ -1740,7 +1740,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev)
{
drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
@@ -30668,7 +30696,7 @@ index 5bd4361..0241a42 100644
INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
INIT_WORK(&dev_priv->error_work, i915_error_work_func);
-@@ -1932,7 +1932,7 @@ static void i915_driver_irq_preinstall(struct drm_device * dev)
+@@ -1929,7 +1929,7 @@ static void i915_driver_irq_preinstall(struct drm_device * dev)
drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
int pipe;
@@ -30678,7 +30706,7 @@ index 5bd4361..0241a42 100644
INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
INIT_WORK(&dev_priv->error_work, i915_error_work_func);
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index 2163818..cede019 100644
+index 9ab9b16..e5b1b8d 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -2238,7 +2238,7 @@ intel_pipe_set_base(struct drm_crtc *crtc, int x, int y,
@@ -31433,6 +31461,19 @@ index 75dbe34..f9204a8 100644
hid_debug_register(hdev, dev_name(&hdev->dev));
ret = device_add(&hdev->dev);
+diff --git a/drivers/hid/hid-wiimote-debug.c b/drivers/hid/hid-wiimote-debug.c
+index 17dabc1..bf248eb 100644
+--- a/drivers/hid/hid-wiimote-debug.c
++++ b/drivers/hid/hid-wiimote-debug.c
+@@ -72,7 +72,7 @@ static ssize_t wiidebug_eeprom_read(struct file *f, char __user *u, size_t s,
+ else if (size == 0)
+ return -EIO;
+
+- if (copy_to_user(u, buf, size))
++ if (size > sizeof(buf) || copy_to_user(u, buf, size))
+ return -EFAULT;
+
+ *off += size;
diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
index b1ec0e2..c295a61 100644
--- a/drivers/hid/usbhid/hiddev.c
@@ -33203,6 +33244,19 @@ index 1f355bb..43f1fea 100644
return -EFAULT;
} else
memcpy(msg, buf, count);
+diff --git a/drivers/leds/leds-mc13783.c b/drivers/leds/leds-mc13783.c
+index 8bc4915..4cc6a2e 100644
+--- a/drivers/leds/leds-mc13783.c
++++ b/drivers/leds/leds-mc13783.c
+@@ -280,7 +280,7 @@ static int __devinit mc13783_led_probe(struct platform_device *pdev)
+ return -EINVAL;
+ }
+
+- led = kzalloc(sizeof(*led) * pdata->num_leds, GFP_KERNEL);
++ led = kcalloc(pdata->num_leds, sizeof(*led), GFP_KERNEL);
+ if (led == NULL) {
+ dev_err(&pdev->dev, "failed to alloc memory\n");
+ return -ENOMEM;
diff --git a/drivers/lguest/core.c b/drivers/lguest/core.c
index b5fdcb7..5b6c59f 100644
--- a/drivers/lguest/core.c
@@ -33592,7 +33646,7 @@ index b89c548..2af3ce4 100644
void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
diff --git a/drivers/md/md.c b/drivers/md/md.c
-index 363aaf4..d875264 100644
+index 1ae4327..4ecabb5 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -277,10 +277,10 @@ EXPORT_SYMBOL_GPL(md_trim_bio);
@@ -34002,7 +34056,7 @@ index 8418c02..8555013 100644
NGENE_ID(0x18c3, 0xabc4, ngene_info_cineS2),
NGENE_ID(0x18c3, 0xdb01, ngene_info_satixS2),
diff --git a/drivers/media/radio/radio-cadet.c b/drivers/media/radio/radio-cadet.c
-index 16a089f..ab1667d 100644
+index 16a089f..1661b11 100644
--- a/drivers/media/radio/radio-cadet.c
+++ b/drivers/media/radio/radio-cadet.c
@@ -326,6 +326,8 @@ static ssize_t cadet_read(struct file *file, char __user *data, size_t count, lo
@@ -34014,6 +34068,15 @@ index 16a089f..ab1667d 100644
mutex_lock(&dev->lock);
if (dev->rdsstat == 0) {
dev->rdsstat = 1;
+@@ -347,7 +349,7 @@ static ssize_t cadet_read(struct file *file, char __user *data, size_t count, lo
+ readbuf[i++] = dev->rdsbuf[dev->rdsout++];
+ mutex_unlock(&dev->lock);
+
+- if (copy_to_user(data, readbuf, i))
++ if (i > sizeof(readbuf) || copy_to_user(data, readbuf, i))
+ return -EFAULT;
+ return i;
+ }
diff --git a/drivers/media/video/au0828/au0828.h b/drivers/media/video/au0828/au0828.h
index 9cde353..8c6a1c3 100644
--- a/drivers/media/video/au0828/au0828.h
@@ -36545,7 +36608,7 @@ index 351dc0b..951dc32 100644
/* These three are default values which can be overridden */
diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
-index b96962c..0c82ec2 100644
+index e640b73..2f68432 100644
--- a/drivers/scsi/hpsa.c
+++ b/drivers/scsi/hpsa.c
@@ -507,7 +507,7 @@ static inline u32 next_command(struct ctlr_info *h)
@@ -36557,7 +36620,7 @@ index b96962c..0c82ec2 100644
if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) {
a = *(h->reply_pool_head); /* Next cmd in ring buffer */
-@@ -2991,7 +2991,7 @@ static void start_io(struct ctlr_info *h)
+@@ -2987,7 +2987,7 @@ static void start_io(struct ctlr_info *h)
while (!list_empty(&h->reqQ)) {
c = list_entry(h->reqQ.next, struct CommandList, list);
/* can't do anything if fifo is full */
@@ -36566,7 +36629,7 @@ index b96962c..0c82ec2 100644
dev_warn(&h->pdev->dev, "fifo full\n");
break;
}
-@@ -3001,7 +3001,7 @@ static void start_io(struct ctlr_info *h)
+@@ -2997,7 +2997,7 @@ static void start_io(struct ctlr_info *h)
h->Qdepth--;
/* Tell the controller execute command */
@@ -36575,7 +36638,7 @@ index b96962c..0c82ec2 100644
/* Put job onto the completed Q */
addQ(&h->cmpQ, c);
-@@ -3010,17 +3010,17 @@ static void start_io(struct ctlr_info *h)
+@@ -3006,17 +3006,17 @@ static void start_io(struct ctlr_info *h)
static inline unsigned long get_next_completion(struct ctlr_info *h)
{
@@ -36596,7 +36659,7 @@ index b96962c..0c82ec2 100644
(h->interrupts_enabled == 0);
}
-@@ -3919,7 +3919,7 @@ static int __devinit hpsa_pci_init(struct ctlr_info *h)
+@@ -3915,7 +3915,7 @@ static int __devinit hpsa_pci_init(struct ctlr_info *h)
if (prod_index < 0)
return -ENODEV;
h->product_name = products[prod_index].product_name;
@@ -36605,7 +36668,7 @@ index b96962c..0c82ec2 100644
if (hpsa_board_disabled(h->pdev)) {
dev_warn(&h->pdev->dev, "controller appears to be disabled\n");
-@@ -4164,7 +4164,7 @@ static void controller_lockup_detected(struct ctlr_info *h)
+@@ -4160,7 +4160,7 @@ static void controller_lockup_detected(struct ctlr_info *h)
assert_spin_locked(&lockup_detector_lock);
remove_ctlr_from_lockup_detector_list(h);
@@ -36614,7 +36677,7 @@ index b96962c..0c82ec2 100644
spin_lock_irqsave(&h->lock, flags);
h->lockup_detected = readl(h->vaddr + SA5_SCRATCHPAD_OFFSET);
spin_unlock_irqrestore(&h->lock, flags);
-@@ -4344,7 +4344,7 @@ reinit_after_soft_reset:
+@@ -4340,7 +4340,7 @@ reinit_after_soft_reset:
}
/* make sure the board interrupts are off */
@@ -36623,7 +36686,7 @@ index b96962c..0c82ec2 100644
if (hpsa_request_irq(h, do_hpsa_intr_msi, do_hpsa_intr_intx))
goto clean2;
-@@ -4378,7 +4378,7 @@ reinit_after_soft_reset:
+@@ -4374,7 +4374,7 @@ reinit_after_soft_reset:
* fake ones to scoop up any residual completions.
*/
spin_lock_irqsave(&h->lock, flags);
@@ -36632,7 +36695,7 @@ index b96962c..0c82ec2 100644
spin_unlock_irqrestore(&h->lock, flags);
free_irq(h->intr[h->intr_mode], h);
rc = hpsa_request_irq(h, hpsa_msix_discard_completions,
-@@ -4397,9 +4397,9 @@ reinit_after_soft_reset:
+@@ -4393,9 +4393,9 @@ reinit_after_soft_reset:
dev_info(&h->pdev->dev, "Board READY.\n");
dev_info(&h->pdev->dev,
"Waiting for stale completions to drain.\n");
@@ -36644,7 +36707,7 @@ index b96962c..0c82ec2 100644
rc = controller_reset_failed(h->cfgtable);
if (rc)
-@@ -4420,7 +4420,7 @@ reinit_after_soft_reset:
+@@ -4416,7 +4416,7 @@ reinit_after_soft_reset:
}
/* Turn the interrupts on so we can service requests */
@@ -36653,7 +36716,7 @@ index b96962c..0c82ec2 100644
hpsa_hba_inquiry(h);
hpsa_register_scsi(h); /* hook ourselves into SCSI subsystem */
-@@ -4472,7 +4472,7 @@ static void hpsa_shutdown(struct pci_dev *pdev)
+@@ -4468,7 +4468,7 @@ static void hpsa_shutdown(struct pci_dev *pdev)
* To write all data in the battery backed cache to disks
*/
hpsa_flush_cache(h);
@@ -36662,7 +36725,7 @@ index b96962c..0c82ec2 100644
free_irq(h->intr[h->intr_mode], h);
#ifdef CONFIG_PCI_MSI
if (h->msix_vector)
-@@ -4636,7 +4636,7 @@ static __devinit void hpsa_enter_performant_mode(struct ctlr_info *h,
+@@ -4632,7 +4632,7 @@ static __devinit void hpsa_enter_performant_mode(struct ctlr_info *h,
return;
}
/* Change the access methods to the performant access methods */
@@ -41489,7 +41552,7 @@ index 3c14e43..eafa544 100644
+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
+4 4 4 4 4 4
diff --git a/drivers/video/udlfb.c b/drivers/video/udlfb.c
-index a40c05e..785c583 100644
+index 5fd95e0..b4a96f8 100644
--- a/drivers/video/udlfb.c
+++ b/drivers/video/udlfb.c
@@ -619,11 +619,11 @@ int dlfb_handle_damage(struct dlfb_data *dev, int x, int y,
@@ -41524,7 +41587,7 @@ index a40c05e..785c583 100644
>> 10)), /* Kcycles */
&dev->cpu_kcycles_used);
}
-@@ -1368,7 +1368,7 @@ static ssize_t metrics_bytes_rendered_show(struct device *fbdev,
+@@ -1371,7 +1371,7 @@ static ssize_t metrics_bytes_rendered_show(struct device *fbdev,
struct fb_info *fb_info = dev_get_drvdata(fbdev);
struct dlfb_data *dev = fb_info->par;
return snprintf(buf, PAGE_SIZE, "%u\n",
@@ -41533,7 +41596,7 @@ index a40c05e..785c583 100644
}
static ssize_t metrics_bytes_identical_show(struct device *fbdev,
-@@ -1376,7 +1376,7 @@ static ssize_t metrics_bytes_identical_show(struct device *fbdev,
+@@ -1379,7 +1379,7 @@ static ssize_t metrics_bytes_identical_show(struct device *fbdev,
struct fb_info *fb_info = dev_get_drvdata(fbdev);
struct dlfb_data *dev = fb_info->par;
return snprintf(buf, PAGE_SIZE, "%u\n",
@@ -41542,7 +41605,7 @@ index a40c05e..785c583 100644
}
static ssize_t metrics_bytes_sent_show(struct device *fbdev,
-@@ -1384,7 +1384,7 @@ static ssize_t metrics_bytes_sent_show(struct device *fbdev,
+@@ -1387,7 +1387,7 @@ static ssize_t metrics_bytes_sent_show(struct device *fbdev,
struct fb_info *fb_info = dev_get_drvdata(fbdev);
struct dlfb_data *dev = fb_info->par;
return snprintf(buf, PAGE_SIZE, "%u\n",
@@ -41551,7 +41614,7 @@ index a40c05e..785c583 100644
}
static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev,
-@@ -1392,7 +1392,7 @@ static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev,
+@@ -1395,7 +1395,7 @@ static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev,
struct fb_info *fb_info = dev_get_drvdata(fbdev);
struct dlfb_data *dev = fb_info->par;
return snprintf(buf, PAGE_SIZE, "%u\n",
@@ -41560,7 +41623,7 @@ index a40c05e..785c583 100644
}
static ssize_t edid_show(
-@@ -1449,10 +1449,10 @@ static ssize_t metrics_reset_store(struct device *fbdev,
+@@ -1452,10 +1452,10 @@ static ssize_t metrics_reset_store(struct device *fbdev,
struct fb_info *fb_info = dev_get_drvdata(fbdev);
struct dlfb_data *dev = fb_info->par;
@@ -41849,7 +41912,7 @@ index e95d1b6..3454244 100644
A.out (Assembler.OUTput) is a set of formats for libraries and
executables used in the earliest versions of UNIX. Linux used
diff --git a/fs/aio.c b/fs/aio.c
-index b9d64d8..86cb1d5 100644
+index 3b65ee7..aa6ec34 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -119,7 +119,7 @@ static int aio_setup_ring(struct kioctx *ctx)
@@ -41861,7 +41924,7 @@ index b9d64d8..86cb1d5 100644
return -EINVAL;
nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
-@@ -1461,22 +1461,27 @@ static ssize_t aio_fsync(struct kiocb *iocb)
+@@ -1461,18 +1461,19 @@ static ssize_t aio_fsync(struct kiocb *iocb)
static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat)
{
ssize_t ret;
@@ -41883,11 +41946,15 @@ index b9d64d8..86cb1d5 100644
&kiocb->ki_iovec, 1);
if (ret < 0)
goto out;
+@@ -1481,6 +1482,11 @@ static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat)
+ if (ret < 0)
+ goto out;
+ if (kiocb->ki_iovec == &iovstack) {
+ kiocb->ki_inline_vec = iovstack;
+ kiocb->ki_iovec = &kiocb->ki_inline_vec;
+ }
++
kiocb->ki_nr_segs = kiocb->ki_nbytes;
kiocb->ki_cur_seg = 0;
/* ki_nbytes/left now reflect bytes instead of segs */
@@ -42934,10 +43001,10 @@ index 1bffbe0..c8c283e 100644
goto err;
}
diff --git a/fs/bio.c b/fs/bio.c
-index b980ecd..74800bf 100644
+index 4fc4dbb..d3a5b93 100644
--- a/fs/bio.c
+++ b/fs/bio.c
-@@ -833,7 +833,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
+@@ -838,7 +838,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
/*
* Overflow, abort
*/
@@ -42946,7 +43013,7 @@ index b980ecd..74800bf 100644
return ERR_PTR(-EINVAL);
nr_pages += end - start;
-@@ -1229,7 +1229,7 @@ static void bio_copy_kern_endio(struct bio *bio, int err)
+@@ -1234,7 +1234,7 @@ static void bio_copy_kern_endio(struct bio *bio, int err)
const int read = bio_data_dir(bio) == READ;
struct bio_map_data *bmd = bio->bi_private;
int i;
@@ -42956,7 +43023,7 @@ index b980ecd..74800bf 100644
__bio_for_each_segment(bvec, bio, i, 0) {
char *addr = page_address(bvec->bv_page);
diff --git a/fs/block_dev.c b/fs/block_dev.c
-index 5e9f198..6bf9b1c 100644
+index 236dd6c..46c6530 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -703,7 +703,7 @@ static bool bd_may_claim(struct block_device *bdev, struct block_device *whole,
@@ -44834,6 +44901,19 @@ index cb990b2..4820141 100644
trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
return 0;
+diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
+index f9d948f..8601f4b 100644
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -161,6 +161,8 @@ static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned long flexbg_size)
+ if (flex_gd == NULL)
+ goto out3;
+
++ if (flexbg_size >= UINT_MAX / sizeof(struct ext4_new_flex_group_data))
++ goto out2;
+ flex_gd->count = flexbg_size;
+
+ flex_gd->groups = kmalloc(sizeof(struct ext4_new_group_data) *
diff --git a/fs/fcntl.c b/fs/fcntl.c
index 22764c7..86372c9 100644
--- a/fs/fcntl.c
@@ -60608,7 +60688,7 @@ index 84ccf8e..2e9b14c 100644
};
diff --git a/include/linux/fs.h b/include/linux/fs.h
-index f4b6e06..d6ba573 100644
+index fd65e0d..7232c62 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1628,7 +1628,8 @@ struct file_operations {
@@ -60704,7 +60784,7 @@ index c3da42d..c70e0df 100644
int trace_set_clr_event(const char *system, const char *event, int set);
diff --git a/include/linux/genhd.h b/include/linux/genhd.h
-index e61d319..0da8505 100644
+index 017a7fb..33a8507 100644
--- a/include/linux/genhd.h
+++ b/include/linux/genhd.h
@@ -185,7 +185,7 @@ struct gendisk {
@@ -62768,6 +62848,27 @@ index 58969b2..ead129b 100644
/**
* preempt_notifier - key for installing preemption notifiers
+diff --git a/include/linux/printk.h b/include/linux/printk.h
+index f0e22f7..82dd544 100644
+--- a/include/linux/printk.h
++++ b/include/linux/printk.h
+@@ -94,6 +94,8 @@ void early_printk(const char *fmt, ...);
+ extern int printk_needs_cpu(int cpu);
+ extern void printk_tick(void);
+
++extern int kptr_restrict;
++
+ #ifdef CONFIG_PRINTK
+ asmlinkage __printf(1, 0)
+ int vprintk(const char *fmt, va_list args);
+@@ -112,7 +114,6 @@ extern bool printk_timed_ratelimit(unsigned long *caller_jiffies,
+
+ extern int printk_delay_msec;
+ extern int dmesg_restrict;
+-extern int kptr_restrict;
+
+ void log_buf_kexec_setup(void);
+ void __init setup_log_buf(int early);
diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h
index 85c5073..51fac8b 100644
--- a/include/linux/proc_fs.h
@@ -64480,10 +64581,10 @@ index 1c09820..7f5ec79 100644
TP_ARGS(irq, action, ret),
diff --git a/include/video/udlfb.h b/include/video/udlfb.h
-index c41f308..6918de3 100644
+index f9466fa..f4e2b81 100644
--- a/include/video/udlfb.h
+++ b/include/video/udlfb.h
-@@ -52,10 +52,10 @@ struct dlfb_data {
+@@ -53,10 +53,10 @@ struct dlfb_data {
u32 pseudo_palette[256];
int blank_mode; /*one of FB_BLANK_ */
/* blit-only rendering path metrics, exposed through sysfs */
@@ -64834,7 +64935,7 @@ index 8216c30..25e8e32 100644
next_state = Reset;
return 0;
diff --git a/init/main.c b/init/main.c
-index ff49a6d..5fa0429 100644
+index 45a7bf5..7ba1b61 100644
--- a/init/main.c
+++ b/init/main.c
@@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void) { }
@@ -64896,7 +64997,7 @@ index ff49a6d..5fa0429 100644
static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
static const char *panic_later, *panic_param;
-@@ -675,6 +720,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
+@@ -672,6 +717,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
{
int count = preempt_count();
int ret;
@@ -64904,7 +65005,7 @@ index ff49a6d..5fa0429 100644
if (initcall_debug)
ret = do_one_initcall_debug(fn);
-@@ -687,15 +733,15 @@ int __init_or_module do_one_initcall(initcall_t fn)
+@@ -684,15 +730,15 @@ int __init_or_module do_one_initcall(initcall_t fn)
sprintf(msgbuf, "error code %d ", ret);
if (preempt_count() != count) {
@@ -64924,7 +65025,7 @@ index ff49a6d..5fa0429 100644
}
return ret;
-@@ -814,7 +860,7 @@ static int __init kernel_init(void * unused)
+@@ -815,7 +861,7 @@ static int __init kernel_init(void * unused)
do_basic_setup();
/* Open the /dev/console on the rootfs, this should never fail */
@@ -64933,7 +65034,7 @@ index ff49a6d..5fa0429 100644
printk(KERN_WARNING "Warning: unable to open an initial console.\n");
(void) sys_dup(0);
-@@ -827,11 +873,13 @@ static int __init kernel_init(void * unused)
+@@ -828,11 +874,13 @@ static int __init kernel_init(void * unused)
if (!ramdisk_execute_command)
ramdisk_execute_command = "/init";
@@ -65872,7 +65973,7 @@ index 46c8b14..d868958 100644
{
struct signal_struct *sig = current->signal;
diff --git a/kernel/fork.c b/kernel/fork.c
-index 423d5a4..4608ecf 100644
+index 423d5a4..881923e 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -285,7 +285,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
@@ -65897,7 +65998,7 @@ index 423d5a4..4608ecf 100644
+
+ charge = 0;
+ if (mpnt->vm_flags & VM_ACCOUNT) {
-+ unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
++ unsigned long len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
+ if (security_vm_enough_memory(len))
+ goto fail_nomem;
+ charge = len;
@@ -68891,7 +68992,7 @@ index 888d227..f04b318 100644
break;
}
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index f03a6ef..5fcc8af 100644
+index f03a6ef..735d95c 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -86,6 +86,13 @@
@@ -68908,7 +69009,18 @@ index f03a6ef..5fcc8af 100644
/* External variables not in a header file. */
extern int sysctl_overcommit_memory;
-@@ -191,6 +198,7 @@ static int sysrq_sysctl_handler(ctl_table *table, int write,
+@@ -165,10 +172,8 @@ static int proc_taint(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos);
+ #endif
+
+-#ifdef CONFIG_PRINTK
+ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos);
+-#endif
+
+ #ifdef CONFIG_MAGIC_SYSRQ
+ /* Note: sysrq code uses it's own private copy */
+@@ -191,6 +196,7 @@ static int sysrq_sysctl_handler(ctl_table *table, int write,
}
#endif
@@ -68916,7 +69028,7 @@ index f03a6ef..5fcc8af 100644
static struct ctl_table root_table[];
static struct ctl_table_root sysctl_table_root;
-@@ -220,6 +228,20 @@ extern struct ctl_table epoll_table[];
+@@ -220,6 +226,20 @@ extern struct ctl_table epoll_table[];
int sysctl_legacy_va_layout;
#endif
@@ -68937,7 +69049,7 @@ index f03a6ef..5fcc8af 100644
/* The default sysctl tables: */
static struct ctl_table root_table[] = {
-@@ -266,6 +288,22 @@ static int max_extfrag_threshold = 1000;
+@@ -266,6 +286,22 @@ static int max_extfrag_threshold = 1000;
#endif
static struct ctl_table kern_table[] = {
@@ -68960,7 +69072,7 @@ index f03a6ef..5fcc8af 100644
{
.procname = "sched_child_runs_first",
.data = &sysctl_sched_child_runs_first,
-@@ -550,7 +588,7 @@ static struct ctl_table kern_table[] = {
+@@ -550,7 +586,7 @@ static struct ctl_table kern_table[] = {
.data = &modprobe_path,
.maxlen = KMOD_PATH_LEN,
.mode = 0644,
@@ -68969,7 +69081,7 @@ index f03a6ef..5fcc8af 100644
},
{
.procname = "modules_disabled",
-@@ -717,16 +755,20 @@ static struct ctl_table kern_table[] = {
+@@ -717,16 +753,20 @@ static struct ctl_table kern_table[] = {
.extra1 = &zero,
.extra2 = &one,
},
@@ -68991,7 +69103,7 @@ index f03a6ef..5fcc8af 100644
{
.procname = "ngroups_max",
.data = &ngroups_max,
-@@ -1225,6 +1267,13 @@ static struct ctl_table vm_table[] = {
+@@ -1225,6 +1265,13 @@ static struct ctl_table vm_table[] = {
.proc_handler = proc_dointvec_minmax,
.extra1 = &zero,
},
@@ -69005,7 +69117,7 @@ index f03a6ef..5fcc8af 100644
#else
{
.procname = "nr_trim_pages",
-@@ -1729,6 +1778,17 @@ static int test_perm(int mode, int op)
+@@ -1729,6 +1776,17 @@ static int test_perm(int mode, int op)
int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op)
{
int mode;
@@ -69023,7 +69135,7 @@ index f03a6ef..5fcc8af 100644
if (root->permissions)
mode = root->permissions(root, current->nsproxy, table);
-@@ -2133,6 +2193,16 @@ int proc_dostring(struct ctl_table *table, int write,
+@@ -2133,6 +2191,16 @@ int proc_dostring(struct ctl_table *table, int write,
buffer, lenp, ppos);
}
@@ -69040,7 +69152,7 @@ index f03a6ef..5fcc8af 100644
static size_t proc_skip_spaces(char **buf)
{
size_t ret;
-@@ -2238,6 +2308,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val,
+@@ -2238,6 +2306,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val,
len = strlen(tmp);
if (len > *size)
len = *size;
@@ -69049,7 +69161,23 @@ index f03a6ef..5fcc8af 100644
if (copy_to_user(*buf, tmp, len))
return -EFAULT;
*size -= len;
-@@ -2554,8 +2626,11 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
+@@ -2430,7 +2500,6 @@ static int proc_taint(struct ctl_table *table, int write,
+ return err;
+ }
+
+-#ifdef CONFIG_PRINTK
+ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos)
+ {
+@@ -2439,7 +2508,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
+
+ return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+ }
+-#endif
+
+ struct do_proc_dointvec_minmax_conv_param {
+ int *min;
+@@ -2554,8 +2622,11 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
*i = val;
} else {
val = convdiv * (*i) / convmul;
@@ -69062,7 +69190,7 @@ index f03a6ef..5fcc8af 100644
err = proc_put_long(&buffer, &left, val, false);
if (err)
break;
-@@ -2950,6 +3025,12 @@ int proc_dostring(struct ctl_table *table, int write,
+@@ -2950,6 +3021,12 @@ int proc_dostring(struct ctl_table *table, int write,
return -ENOSYS;
}
@@ -69075,7 +69203,7 @@ index f03a6ef..5fcc8af 100644
int proc_dointvec(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
-@@ -3006,6 +3087,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
+@@ -3006,6 +3083,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
EXPORT_SYMBOL(proc_dostring);
@@ -69964,7 +70092,7 @@ index 0000000..7cd6065
@@ -0,0 +1 @@
+-grsec
diff --git a/mm/Kconfig b/mm/Kconfig
-index e338407..49b5b7a 100644
+index e338407..4210331 100644
--- a/mm/Kconfig
+++ b/mm/Kconfig
@@ -247,10 +247,10 @@ config KSM
@@ -69981,6 +70109,15 @@ index e338407..49b5b7a 100644
This is the portion of low virtual memory which should be protected
from userspace allocation. Keeping a user from writing to low pages
can help reduce the impact of kernel NULL pointer bugs.
+@@ -280,7 +280,7 @@ config MEMORY_FAILURE
+
+ config HWPOISON_INJECT
+ tristate "HWPoison pages injector"
+- depends on MEMORY_FAILURE && DEBUG_KERNEL && PROC_FS
++ depends on MEMORY_FAILURE && DEBUG_KERNEL && PROC_FS && !GRKERNSEC
+ select PROC_PAGE_MONITOR
+
+ config NOMMU_INITIAL_TRIM_EXCESS
diff --git a/mm/filemap.c b/mm/filemap.c
index b662757..3081ddd 100644
--- a/mm/filemap.c
@@ -70061,7 +70198,7 @@ index 8f7fc39..69bf1e9 100644
/* if an huge pmd materialized from under us just retry later */
if (unlikely(pmd_trans_huge(*pmd)))
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
-index fece520..7fad868 100644
+index fece520..e10da7f 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -2146,6 +2146,15 @@ static void hugetlb_vm_op_open(struct vm_area_struct *vma)
@@ -70208,12 +70345,13 @@ index fece520..7fad868 100644
}
/*
-@@ -3009,6 +3076,9 @@ int hugetlb_reserve_pages(struct inode *inode,
+@@ -3009,6 +3076,10 @@ int hugetlb_reserve_pages(struct inode *inode,
if (!vma || vma->vm_flags & VM_MAYSHARE)
region_add(&inode->i_mapping->private_list, from, to);
return 0;
+out_err:
-+ resv_map_put(vma);
++ if (vma)
++ resv_map_put(vma);
+ return ret;
}
@@ -71075,10 +71213,10 @@ index 10b4dda..06857f3 100644
* Make sure the vDSO gets into every core dump.
* Dumping its contents makes post-mortem fully interpretable later
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
-index 0a37570..2048346 100644
+index a8f97d5..e2ed444 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
-@@ -640,6 +640,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
+@@ -619,6 +619,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
unsigned long vmstart;
unsigned long vmend;
@@ -71089,15 +71227,15 @@ index 0a37570..2048346 100644
vma = find_vma(mm, start);
if (!vma || vma->vm_start > start)
return -EFAULT;
-@@ -679,6 +683,16 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
- err = policy_vma(vma, new_pol);
- if (err)
- goto out;
+@@ -672,6 +676,16 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
+ if (err)
+ goto out;
+ }
+
+#ifdef CONFIG_PAX_SEGMEXEC
+ vma_m = pax_find_mirror_vma(vma);
-+ if (vma_m) {
-+ err = policy_vma(vma_m, new_pol);
++ if (vma_m && vma_m->vm_ops && vma_m->vm_ops->set_policy) {
++ err = vma_m->vm_ops->set_policy(vma_m, new_pol);
+ if (err)
+ goto out;
+ }
@@ -71106,7 +71244,7 @@ index 0a37570..2048346 100644
}
out:
-@@ -1112,6 +1126,17 @@ static long do_mbind(unsigned long start, unsigned long len,
+@@ -1105,6 +1119,17 @@ static long do_mbind(unsigned long start, unsigned long len,
if (end < start)
return -EINVAL;
@@ -71124,7 +71262,7 @@ index 0a37570..2048346 100644
if (end == start)
return 0;
-@@ -1330,6 +1355,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode,
+@@ -1323,6 +1348,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode,
if (!mm)
goto out;
@@ -71139,7 +71277,7 @@ index 0a37570..2048346 100644
/*
* Check if this process has the right to modify the specified
* process. The right exists if the process has administrative
-@@ -1339,8 +1372,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode,
+@@ -1332,8 +1365,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode,
rcu_read_lock();
tcred = __task_cred(task);
if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
@@ -73948,7 +74086,7 @@ index 14380e9..e244704 100644
}
diff --git a/mm/swapfile.c b/mm/swapfile.c
-index f31b29d..8bdcae2 100644
+index 099c209..7db7b6f 100644
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -61,7 +61,7 @@ static DEFINE_MUTEX(swapon_mutex);
@@ -74016,7 +74154,7 @@ index 136ac4f..f917fa9 100644
mm->unmap_area = arch_unmap_area;
}
diff --git a/mm/vmalloc.c b/mm/vmalloc.c
-index 86ce9a5..fc9fb61 100644
+index 86ce9a5..550d03c 100644
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end)
@@ -74215,6 +74353,17 @@ index 86ce9a5..fc9fb61 100644
if ((PAGE_SIZE-1) & (unsigned long)addr)
return -EINVAL;
+@@ -2375,8 +2442,8 @@ struct vm_struct **pcpu_get_vm_areas(const unsigned long *offsets,
+ return NULL;
+ }
+
+- vms = kzalloc(sizeof(vms[0]) * nr_vms, GFP_KERNEL);
+- vas = kzalloc(sizeof(vas[0]) * nr_vms, GFP_KERNEL);
++ vms = kcalloc(nr_vms, sizeof(vms[0]), GFP_KERNEL);
++ vas = kcalloc(nr_vms, sizeof(vas[0]), GFP_KERNEL);
+ if (!vas || !vms)
+ goto err_free2;
+
diff --git a/mm/vmstat.c b/mm/vmstat.c
index f600557..1459fc8 100644
--- a/mm/vmstat.c
@@ -78114,28 +78263,6 @@ index 1ac414f..a1c1451 100644
# Remove .so files from "xxx-objs"
host-cobjs := $(filter-out %.so,$(host-cobjs))
-diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
-index 00c368c..bb3f3e9 100644
---- a/scripts/Makefile.lib
-+++ b/scripts/Makefile.lib
-@@ -144,14 +144,14 @@ __a_flags = $(call flags,_a_flags)
- __cpp_flags = $(call flags,_cpp_flags)
- endif
-
--c_flags = -Wp,-MD,$(depfile) $(NOSTDINC_FLAGS) $(LINUXINCLUDE) \
-+c_flags = -Wp,-MD,$(depfile) $(LINUXINCLUDE) $(NOSTDINC_FLAGS) \
- $(__c_flags) $(modkern_cflags) \
- -D"KBUILD_STR(s)=\#s" $(basename_flags) $(modname_flags)
-
--a_flags = -Wp,-MD,$(depfile) $(NOSTDINC_FLAGS) $(LINUXINCLUDE) \
-+a_flags = -Wp,-MD,$(depfile) $(LINUXINCLUDE) $(NOSTDINC_FLAGS) \
- $(__a_flags) $(modkern_aflags)
-
--cpp_flags = -Wp,-MD,$(depfile) $(NOSTDINC_FLAGS) $(LINUXINCLUDE) \
-+cpp_flags = -Wp,-MD,$(depfile) $(LINUXINCLUDE) $(NOSTDINC_FLAGS) \
- $(__cpp_flags)
-
- ld_flags = $(LDFLAGS) $(ldflags-y)
diff --git a/scripts/basic/fixdep.c b/scripts/basic/fixdep.c
index cb1f50c..cef2a7c 100644
--- a/scripts/basic/fixdep.c
@@ -80278,10 +80405,10 @@ index 0000000..ee950d0
+}
diff --git a/tools/gcc/constify_plugin.c b/tools/gcc/constify_plugin.c
new file mode 100644
-index 0000000..88a7438
+index 0000000..89b7f56
--- /dev/null
+++ b/tools/gcc/constify_plugin.c
-@@ -0,0 +1,303 @@
+@@ -0,0 +1,328 @@
+/*
+ * Copyright 2011 by Emese Revfy <re.emese@gmail.com>
+ * Copyright 2011 by PaX Team <pageexec@freemail.hu>
@@ -80322,24 +80449,47 @@ index 0000000..88a7438
+int plugin_is_GPL_compatible;
+
+static struct plugin_info const_plugin_info = {
-+ .version = "201111150100",
++ .version = "201205300030",
+ .help = "no-constify\tturn off constification\n",
+};
+
-+static void constify_type(tree type);
-+static bool walk_struct(tree node);
++static void deconstify_tree(tree node);
+
-+static tree deconstify_type(tree old_type)
++static void deconstify_type(tree type)
+{
-+ tree new_type, field;
++ tree field;
++
++ for (field = TYPE_FIELDS(type); field; field = TREE_CHAIN(field)) {
++ tree type = TREE_TYPE(field);
++
++ if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE)
++ continue;
++ if (!TYPE_READONLY(type))
++ continue;
++
++ deconstify_tree(field);
++ }
++ TYPE_READONLY(type) = 0;
++ C_TYPE_FIELDS_READONLY(type) = 0;
++}
++
++static void deconstify_tree(tree node)
++{
++ tree old_type, new_type, field;
++
++ old_type = TREE_TYPE(node);
++
++ gcc_assert(TYPE_READONLY(old_type) && (TYPE_QUALS(old_type) & TYPE_QUAL_CONST));
+
+ new_type = build_qualified_type(old_type, TYPE_QUALS(old_type) & ~TYPE_QUAL_CONST);
+ TYPE_FIELDS(new_type) = copy_list(TYPE_FIELDS(new_type));
+ for (field = TYPE_FIELDS(new_type); field; field = TREE_CHAIN(field))
+ DECL_FIELD_CONTEXT(field) = new_type;
-+ TYPE_READONLY(new_type) = 0;
-+ C_TYPE_FIELDS_READONLY(new_type) = 0;
-+ return new_type;
++
++ deconstify_type(new_type);
++
++ TREE_READONLY(node) = 0;
++ TREE_TYPE(node) = new_type;
+}
+
+static tree handle_no_const_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs)
@@ -80383,14 +80533,19 @@ index 0000000..88a7438
+ }
+
+ if (TREE_CODE(*node) == TYPE_DECL) {
-+ TREE_TYPE(*node) = deconstify_type(type);
-+ TREE_READONLY(*node) = 0;
++ deconstify_tree(*node);
+ return NULL_TREE;
+ }
+
+ return NULL_TREE;
+}
+
++static void constify_type(tree type)
++{
++ TYPE_READONLY(type) = 1;
++ C_TYPE_FIELDS_READONLY(type) = 1;
++}
++
+static tree handle_do_const_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs)
+{
+ *no_add_attrs = true;
@@ -80441,12 +80596,6 @@ index 0000000..88a7438
+ register_attribute(&do_const_attr);
+}
+
-+static void constify_type(tree type)
-+{
-+ TYPE_READONLY(type) = 1;
-+ C_TYPE_FIELDS_READONLY(type) = 1;
-+}
-+
+static bool is_fptr(tree field)
+{
+ tree ptr = TREE_TYPE(field);
@@ -80461,11 +80610,14 @@ index 0000000..88a7438
+{
+ tree field;
+
-+ if (lookup_attribute("no_const", TYPE_ATTRIBUTES(node)))
++ if (TYPE_FIELDS(node) == NULL_TREE)
+ return false;
+
-+ if (TYPE_FIELDS(node) == NULL_TREE)
++ if (lookup_attribute("no_const", TYPE_ATTRIBUTES(node))) {
++ gcc_assert(!TYPE_READONLY(node));
++ deconstify_type(node);
+ return false;
++ }
+
+ for (field = TYPE_FIELDS(node); field; field = TREE_CHAIN(field)) {
+ tree type = TREE_TYPE(field);
@@ -95132,7 +95284,7 @@ index 0000000..ce7366b
+};
diff --git a/tools/gcc/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin.c
new file mode 100644
-index 0000000..4154daf
+index 0000000..92b8ee6
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin.c
@@ -0,0 +1,1188 @@
@@ -95358,7 +95510,7 @@ index 0000000..4154daf
+ const char *curfunc = NAME(func);
+
+ new_hash = get_hash_num(curfunc, filename, 0);
-+ inform(loc, "Function %s is missing from the size_overflow hash table +%s+%d+%u+%s+", curfunc, curfunc, argnum, new_hash, filename);
++// inform(loc, "Function %s is missing from the size_overflow hash table +%s+%d+%u+%s+", curfunc, curfunc, argnum, new_hash, filename);
+}
+
+static void check_missing_attribute(tree arg)