diff options
-rw-r--r-- | main/linux-grsec/APKBUILD | 10 | ||||
-rw-r--r-- | main/linux-grsec/grsecurity-2.9.1-3.6.8-201211261714.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.6.7-201211181105.patch) | 652 |
2 files changed, 420 insertions, 242 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index ec40286cac..6124970174 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD @@ -2,9 +2,9 @@ _flavor=grsec pkgname=linux-${_flavor} -pkgver=3.6.7 +pkgver=3.6.8 _kernver=3.6 -pkgrel=0 +pkgrel=1 pkgdesc="Linux kernel with grsecurity" url=http://grsecurity.net depends="mkinitfs linux-firmware" @@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH}} install= source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz - grsecurity-2.9.1-3.6.7-201211181105.patch + grsecurity-2.9.1-3.6.8-201211261714.patch 0004-arp-flush-arp-cache-on-device-change.patch @@ -139,8 +139,8 @@ dev() { } md5sums="1a1760420eac802c541a20ab51a093d1 linux-3.6.tar.xz -134936c362d8812b5cafcf3c67afdce0 patch-3.6.7.xz -af1f2097a6e26d36801188193d3eb185 grsecurity-2.9.1-3.6.7-201211181105.patch +f248294551c34753c5c019c8d513280c patch-3.6.8.xz +0dbb7227ccf77f6e02772a5bd505b10d grsecurity-2.9.1-3.6.8-201211261714.patch 776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch 0b4abb6b3e32cc7ba656c24e30581349 kernelconfig.x86 0971129c59c7fe0011b3ec46982d9f5c kernelconfig.x86_64" diff --git a/main/linux-grsec/grsecurity-2.9.1-3.6.7-201211181105.patch b/main/linux-grsec/grsecurity-2.9.1-3.6.8-201211261714.patch index 6f0229a48a..13615ed6dd 100644 --- a/main/linux-grsec/grsecurity-2.9.1-3.6.7-201211181105.patch +++ b/main/linux-grsec/grsecurity-2.9.1-3.6.8-201211261714.patch @@ -251,7 +251,7 @@ index ad7e2e5..199f49e 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index 07f2308..7271d99 100644 +index c5cc2f0..6570abb 100644 --- a/Makefile +++ b/Makefile @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -3470,6 +3470,30 @@ index 5e34ccf..672bc9c 100644 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n", me->arch.unwind_section, table, end, gp); +diff --git a/arch/parisc/kernel/signal32.c b/arch/parisc/kernel/signal32.c +index fd49aed..5dede04 100644 +--- a/arch/parisc/kernel/signal32.c ++++ b/arch/parisc/kernel/signal32.c +@@ -65,7 +65,8 @@ put_sigset32(compat_sigset_t __user *up, sigset_t *set, size_t sz) + { + compat_sigset_t s; + +- if (sz != sizeof *set) panic("put_sigset32()"); ++ if (sz != sizeof *set) ++ return -EINVAL; + sigset_64to32(&s, set); + + return copy_to_user(up, &s, sizeof s); +@@ -77,7 +78,8 @@ get_sigset32(compat_sigset_t __user *up, sigset_t *set, size_t sz) + compat_sigset_t s; + int r; + +- if (sz != sizeof *set) panic("put_sigset32()"); ++ if (sz != sizeof *set) ++ return -EINVAL; + + if ((r = copy_from_user(&s, up, sz)) == 0) { + sigset_32to64(set, &s); diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c index 7426e40..30c8dbe 100644 --- a/arch/parisc/kernel/sys_parisc.c @@ -20537,7 +20561,7 @@ index baead95..90feeb4 100644 local_irq_disable(); diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c -index b1eb202..254e292 100644 +index ff66a3b..48ad872 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -1331,7 +1331,11 @@ static void reload_tss(void) @@ -26100,10 +26124,139 @@ index 877b9a1..a8ecf42 100644 + pax_force_retaddr ret diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c -index 33643a8..8e44870 100644 +index 33643a8..f6211a0 100644 --- a/arch/x86/net/bpf_jit_comp.c +++ b/arch/x86/net/bpf_jit_comp.c -@@ -120,6 +120,11 @@ static inline void bpf_flush_icache(void *start, void *end) +@@ -11,6 +11,7 @@ + #include <asm/cacheflush.h> + #include <linux/netdevice.h> + #include <linux/filter.h> ++#include <linux/random.h> + + /* + * Conventions : +@@ -48,13 +49,87 @@ static inline u8 *emit_code(u8 *ptr, u32 bytes, unsigned int len) + return ptr + len; + } + ++#ifdef CONFIG_GRKERNSEC_JIT_HARDEN ++#define MAX_INSTR_CODE_SIZE 96 ++#else ++#define MAX_INSTR_CODE_SIZE 64 ++#endif ++ + #define EMIT(bytes, len) do { prog = emit_code(prog, bytes, len); } while (0) + + #define EMIT1(b1) EMIT(b1, 1) + #define EMIT2(b1, b2) EMIT((b1) + ((b2) << 8), 2) + #define EMIT3(b1, b2, b3) EMIT((b1) + ((b2) << 8) + ((b3) << 16), 3) + #define EMIT4(b1, b2, b3, b4) EMIT((b1) + ((b2) << 8) + ((b3) << 16) + ((b4) << 24), 4) ++ ++#ifdef CONFIG_GRKERNSEC_JIT_HARDEN ++/* original constant will appear in ecx */ ++#define DILUTE_CONST_SEQUENCE(_off, _key) \ ++do { \ ++ /* mov ecx, randkey */ \ ++ EMIT1(0xb9); \ ++ EMIT(_key, 4); \ ++ /* xor ecx, randkey ^ off */ \ ++ EMIT2(0x81, 0xf1); \ ++ EMIT((_key) ^ (_off), 4); \ ++} while (0) ++ ++#define EMIT1_off32(b1, _off) \ ++do { \ ++ switch (b1) { \ ++ case 0x05: /* add eax, imm32 */ \ ++ case 0x2d: /* sub eax, imm32 */ \ ++ case 0x25: /* and eax, imm32 */ \ ++ case 0x0d: /* or eax, imm32 */ \ ++ case 0xb8: /* mov eax, imm32 */ \ ++ case 0x3d: /* cmp eax, imm32 */ \ ++ case 0xa9: /* test eax, imm32 */ \ ++ DILUTE_CONST_SEQUENCE(_off, randkey); \ ++ EMIT2((b1) - 4, 0xc8); /* convert imm instruction to eax, ecx */\ ++ break; \ ++ case 0xbb: /* mov ebx, imm32 */ \ ++ DILUTE_CONST_SEQUENCE(_off, randkey); \ ++ /* mov ebx, ecx */ \ ++ EMIT2(0x89, 0xcb); \ ++ break; \ ++ case 0xbe: /* mov esi, imm32 */ \ ++ DILUTE_CONST_SEQUENCE(_off, randkey); \ ++ /* mov esi, ecx */ \ ++ EMIT2(0x89, 0xce); \ ++ break; \ ++ case 0xe9: /* jmp rel imm32 */ \ ++ EMIT1(b1); \ ++ EMIT(_off, 4); \ ++ /* prevent fall-through, we're not called if off = 0 */ \ ++ EMIT(0xcccccccc, 4); \ ++ EMIT(0xcccccccc, 4); \ ++ break; \ ++ default: \ ++ EMIT1(b1); \ ++ EMIT(_off, 4); \ ++ } \ ++} while (0) ++ ++#define EMIT2_off32(b1, b2, _off) \ ++do { \ ++ if ((b1) == 0x8d && (b2) == 0xb3) { /* lea esi, [rbx+imm32] */ \ ++ EMIT2(0x8d, 0xb3); /* lea esi, [rbx+randkey] */ \ ++ EMIT(randkey, 4); \ ++ EMIT2(0x8d, 0xb6); /* lea esi, [esi+off-randkey] */ \ ++ EMIT((_off) - randkey, 4); \ ++ } else if ((b1) == 0x69 && (b2) == 0xc0) { /* imul eax, imm32 */\ ++ DILUTE_CONST_SEQUENCE(_off, randkey); \ ++ /* imul eax, ecx */ \ ++ EMIT3(0x0f, 0xaf, 0xc1); \ ++ } else { \ ++ EMIT2(b1, b2); \ ++ EMIT(_off, 4); \ ++ } \ ++} while (0) ++#else + #define EMIT1_off32(b1, off) do { EMIT1(b1); EMIT(off, 4);} while (0) ++#define EMIT2_off32(b1, b2, off) do { EMIT2(b1, b2); EMIT(off, 4);} while (0) ++#endif + + #define CLEAR_A() EMIT2(0x31, 0xc0) /* xor %eax,%eax */ + #define CLEAR_X() EMIT2(0x31, 0xdb) /* xor %ebx,%ebx */ +@@ -89,6 +164,24 @@ do { \ + #define X86_JBE 0x76 + #define X86_JA 0x77 + ++#ifdef CONFIG_GRKERNSEC_JIT_HARDEN ++#define APPEND_FLOW_VERIFY() \ ++do { \ ++ /* mov ecx, randkey */ \ ++ EMIT1(0xb9); \ ++ EMIT(randkey, 4); \ ++ /* cmp ecx, randkey */ \ ++ EMIT2(0x81, 0xf9); \ ++ EMIT(randkey, 4); \ ++ /* jz after 8 int 3s */ \ ++ EMIT2(0x74, 0x08); \ ++ EMIT(0xcccccccc, 4); \ ++ EMIT(0xcccccccc, 4); \ ++} while (0) ++#else ++#define APPEND_FLOW_VERIFY() do { } while (0) ++#endif ++ + #define EMIT_COND_JMP(op, offset) \ + do { \ + if (is_near(offset)) \ +@@ -96,6 +189,7 @@ do { \ + else { \ + EMIT2(0x0f, op + 0x10); \ + EMIT(offset, 4); /* jxx .+off32 */ \ ++ APPEND_FLOW_VERIFY(); \ + } \ + } while (0) + +@@ -120,12 +214,17 @@ static inline void bpf_flush_icache(void *start, void *end) set_fs(old_fs); } @@ -26115,7 +26268,24 @@ index 33643a8..8e44870 100644 #define CHOOSE_LOAD_FUNC(K, func) \ ((int)K < 0 ? ((int)K >= SKF_LL_OFF ? func##_negative_offset : func) : func##_positive_offset) -@@ -146,6 +151,10 @@ void bpf_jit_compile(struct sk_filter *fp) + void bpf_jit_compile(struct sk_filter *fp) + { +- u8 temp[64]; ++ u8 temp[MAX_INSTR_CODE_SIZE]; + u8 *prog; + unsigned int proglen, oldproglen = 0; + int ilen, i; +@@ -138,6 +237,9 @@ void bpf_jit_compile(struct sk_filter *fp) + unsigned int *addrs; + const struct sock_filter *filter = fp->insns; + int flen = fp->len; ++#ifdef CONFIG_GRKERNSEC_JIT_HARDEN ++ unsigned int randkey; ++#endif + + if (!bpf_jit_enable) + return; +@@ -146,11 +248,19 @@ void bpf_jit_compile(struct sk_filter *fp) if (addrs == NULL) return; @@ -26123,10 +26293,59 @@ index 33643a8..8e44870 100644 + if (!fp->work) + goto out; + ++#ifdef CONFIG_GRKERNSEC_JIT_HARDEN ++ randkey = get_random_int(); ++#endif ++ /* Before first pass, make a rough estimation of addrs[] - * each bpf instruction is translated to less than 64 bytes +- * each bpf instruction is translated to less than 64 bytes ++ * each bpf instruction is translated to less than MAX_INSTR_CODE_SIZE bytes */ -@@ -593,17 +602,18 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; + for (proglen = 0, i = 0; i < flen; i++) { +- proglen += 64; ++ proglen += MAX_INSTR_CODE_SIZE; + addrs[i] = proglen; + } + cleanup_addr = proglen; /* epilogue address */ +@@ -258,10 +368,8 @@ void bpf_jit_compile(struct sk_filter *fp) + case BPF_S_ALU_MUL_K: /* A *= K */ + if (is_imm8(K)) + EMIT3(0x6b, 0xc0, K); /* imul imm8,%eax,%eax */ +- else { +- EMIT2(0x69, 0xc0); /* imul imm32,%eax */ +- EMIT(K, 4); +- } ++ else ++ EMIT2_off32(0x69, 0xc0, K); /* imul imm32,%eax */ + break; + case BPF_S_ALU_DIV_X: /* A /= X; */ + seen |= SEEN_XREG; +@@ -281,8 +389,14 @@ void bpf_jit_compile(struct sk_filter *fp) + EMIT4(0x31, 0xd2, 0xf7, 0xf3); /* xor %edx,%edx; div %ebx */ + break; + case BPF_S_ALU_DIV_K: /* A = reciprocal_divide(A, K); */ ++#ifdef CONFIG_GRKERNSEC_JIT_HARDEN ++ DILUTE_CONST_SEQUENCE(K, randkey); ++ // imul rax, rcx ++ EMIT4(0x48, 0x0f, 0xaf, 0xc1); ++#else + EMIT3(0x48, 0x69, 0xc0); /* imul imm32,%rax,%rax */ + EMIT(K, 4); ++#endif + EMIT4(0x48, 0xc1, 0xe8, 0x20); /* shr $0x20,%rax */ + break; + case BPF_S_ALU_AND_X: +@@ -509,8 +623,7 @@ common_load_ind: seen |= SEEN_DATAREF | SEEN_XREG; + if (is_imm8(K)) { + EMIT3(0x8d, 0x73, K); /* lea imm8(%rbx), %esi */ + } else { +- EMIT2(0x8d, 0xb3); /* lea imm32(%rbx),%esi */ +- EMIT(K, 4); ++ EMIT2_off32(0x8d, 0xb3, K); /* lea imm32(%rbx),%esi */ + } + } else { + EMIT2(0x89,0xde); /* mov %ebx,%esi */ +@@ -593,17 +706,18 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; break; default: /* hmm, too complex filter, give up with jit compiler */ @@ -26149,7 +26368,7 @@ index 33643a8..8e44870 100644 } proglen += ilen; addrs[i] = proglen; -@@ -624,11 +634,9 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; +@@ -624,11 +738,9 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; break; } if (proglen == oldproglen) { @@ -26163,7 +26382,7 @@ index 33643a8..8e44870 100644 } oldproglen = proglen; } -@@ -644,7 +652,10 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; +@@ -644,7 +756,10 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; bpf_flush_icache(image, image + proglen); fp->bpf_func = (void *)image; @@ -26175,7 +26394,7 @@ index 33643a8..8e44870 100644 out: kfree(addrs); return; -@@ -652,18 +663,20 @@ out: +@@ -652,18 +767,20 @@ out: static void jit_free_defer(struct work_struct *arg) { @@ -27822,7 +28041,7 @@ index 9a87daa..fb17486 100644 goto error; diff --git a/crypto/cryptd.c b/crypto/cryptd.c -index 671d4d6..afec999 100644 +index 7bdd61b..afec999 100644 --- a/crypto/cryptd.c +++ b/crypto/cryptd.c @@ -63,7 +63,7 @@ struct cryptd_blkcipher_ctx { @@ -27843,28 +28062,6 @@ index 671d4d6..afec999 100644 static void cryptd_queue_worker(struct work_struct *work); -@@ -137,13 +137,18 @@ static void cryptd_queue_worker(struct work_struct *work) - struct crypto_async_request *req, *backlog; - - cpu_queue = container_of(work, struct cryptd_cpu_queue, work); -- /* Only handle one request at a time to avoid hogging crypto -- * workqueue. preempt_disable/enable is used to prevent -- * being preempted by cryptd_enqueue_request() */ -+ /* -+ * Only handle one request at a time to avoid hogging crypto workqueue. -+ * preempt_disable/enable is used to prevent being preempted by -+ * cryptd_enqueue_request(). local_bh_disable/enable is used to prevent -+ * cryptd_enqueue_request() being accessed from software interrupts. -+ */ -+ local_bh_disable(); - preempt_disable(); - backlog = crypto_get_backlog(&cpu_queue->queue); - req = crypto_dequeue_request(&cpu_queue->queue); - preempt_enable(); -+ local_bh_enable(); - - if (!req) - return; diff --git a/drivers/acpi/apei/cper.c b/drivers/acpi/apei/cper.c index e6defd8..c26a225 100644 --- a/drivers/acpi/apei/cper.c @@ -31360,7 +31557,7 @@ index 3b663fc..57850f4 100644 if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full && rdev->pm.k8_bandwidth.full) diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c -index ebc6fac..a8313ed 100644 +index 578207e..1073f25 100644 --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c @@ -394,9 +394,9 @@ static int ttm_pool_get_num_unused_pages(void) @@ -35401,7 +35598,7 @@ index 4a518a3..936b334 100644 #define VXGE_HW_VIRTUAL_PATH_HANDLE(vpath) \ ((struct __vxge_hw_vpath_handle *)(vpath)->vpath_handles.next) diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c -index b47d5b3..273a516 100644 +index df7bbba..162f850 100644 --- a/drivers/net/ethernet/realtek/r8169.c +++ b/drivers/net/ethernet/realtek/r8169.c @@ -745,22 +745,22 @@ struct rtl8169_private { @@ -36386,10 +36583,10 @@ index 61859d0..124539e 100644 /* No printks while decoding is disabled! */ if (!dev->mmio_always_on) { diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c -index 27911b5..5b6db88 100644 +index af028c7..654cdfc 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c -@@ -476,7 +476,16 @@ static const struct file_operations proc_bus_pci_dev_operations = { +@@ -484,7 +484,16 @@ static const struct file_operations proc_bus_pci_dev_operations = { static int __init pci_proc_init(void) { struct pci_dev *dev = NULL; @@ -42737,22 +42934,6 @@ index 88714ae..16c2e11 100644 static inline u32 get_pll_internal_frequency(u32 ref_freq, -diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c -index c3b3f7f..abd47c7 100644 ---- a/drivers/virtio/virtio.c -+++ b/drivers/virtio/virtio.c -@@ -225,8 +225,10 @@ EXPORT_SYMBOL_GPL(register_virtio_device); - - void unregister_virtio_device(struct virtio_device *dev) - { -+ int index = dev->index; /* save for after device release */ -+ - device_unregister(&dev->dev); -- ida_simple_remove(&virtio_index_ida, dev->index); -+ ida_simple_remove(&virtio_index_ida, index); - } - EXPORT_SYMBOL_GPL(unregister_virtio_device); - diff --git a/drivers/virtio/virtio_mmio.c b/drivers/virtio/virtio_mmio.c index 453db0c..604973e 100644 --- a/drivers/virtio/virtio_mmio.c @@ -45008,7 +45189,7 @@ index b2a34a1..162fa69 100644 return rc; } diff --git a/fs/exec.c b/fs/exec.c -index fab2c6d..4fa20c0 100644 +index fab2c6d..6a13dff 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -55,6 +55,15 @@ @@ -45034,7 +45215,7 @@ index fab2c6d..4fa20c0 100644 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS +void __weak pax_set_initial_flags(struct linux_binprm *bprm) +{ -+ WARN_ONCE(1, "PAX: PAX_HAVE_ACL_FLAGS was enabled without providing the pax_set_initial_flags callback, this is probably not what you wanted.\n"); ++ pr_warn_once("PAX: PAX_HAVE_ACL_FLAGS was enabled without providing the pax_set_initial_flags callback, this is probably not what you wanted.\n"); +} +#endif + @@ -45847,7 +46028,7 @@ index cf18217..8f6b9c3 100644 if (free_clusters >= (nclusters + dirty_clusters)) return 1; diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h -index 5c69f2b..05dec7f 100644 +index b686b43..4b46d01 100644 --- a/fs/ext4/ext4.h +++ b/fs/ext4/ext4.h @@ -1248,19 +1248,19 @@ struct ext4_sb_info { @@ -46151,7 +46332,7 @@ index 96f2428..f5eeb8e 100644 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) { diff --git a/fs/fs_struct.c b/fs/fs_struct.c -index 5df4775..9d9336f 100644 +index 5df4775..f656176 100644 --- a/fs/fs_struct.c +++ b/fs/fs_struct.c @@ -4,6 +4,7 @@ @@ -46201,7 +46382,14 @@ index 5df4775..9d9336f 100644 hits += replace_path(&fs->pwd, old_root, new_root); write_seqcount_end(&fs->seq); while (hits--) { -@@ -99,7 +116,8 @@ void exit_fs(struct task_struct *tsk) +@@ -94,12 +111,15 @@ void exit_fs(struct task_struct *tsk) + { + struct fs_struct *fs = tsk->fs; + ++ gr_put_exec_file(tsk); ++ + if (fs) { + int kill; task_lock(tsk); spin_lock(&fs->lock); tsk->fs = NULL; @@ -46211,7 +46399,7 @@ index 5df4775..9d9336f 100644 spin_unlock(&fs->lock); task_unlock(tsk); if (kill) -@@ -112,7 +130,7 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old) +@@ -112,7 +132,7 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old) struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL); /* We don't need to lock fs - think why ;-) */ if (fs) { @@ -46220,7 +46408,7 @@ index 5df4775..9d9336f 100644 fs->in_exec = 0; spin_lock_init(&fs->lock); seqcount_init(&fs->seq); -@@ -121,6 +139,9 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old) +@@ -121,6 +141,9 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old) spin_lock(&old->lock); fs->root = old->root; path_get(&fs->root); @@ -46230,7 +46418,7 @@ index 5df4775..9d9336f 100644 fs->pwd = old->pwd; path_get(&fs->pwd); spin_unlock(&old->lock); -@@ -139,8 +160,9 @@ int unshare_fs_struct(void) +@@ -139,8 +162,9 @@ int unshare_fs_struct(void) task_lock(current); spin_lock(&fs->lock); @@ -46241,7 +46429,7 @@ index 5df4775..9d9336f 100644 spin_unlock(&fs->lock); task_unlock(current); -@@ -153,13 +175,13 @@ EXPORT_SYMBOL_GPL(unshare_fs_struct); +@@ -153,13 +177,13 @@ EXPORT_SYMBOL_GPL(unshare_fs_struct); int current_umask(void) { @@ -46257,7 +46445,15 @@ index 5df4775..9d9336f 100644 .lock = __SPIN_LOCK_UNLOCKED(init_fs.lock), .seq = SEQCNT_ZERO, .umask = 0022, -@@ -175,12 +197,13 @@ void daemonize_fs_struct(void) +@@ -169,18 +193,21 @@ void daemonize_fs_struct(void) + { + struct fs_struct *fs = current->fs; + ++ gr_put_exec_file(current); ++ + if (fs) { + int kill; + task_lock(current); spin_lock(&init_fs.lock); @@ -48545,18 +48741,6 @@ index a9269f1..5490437 100644 set_fs(oldfs); if (host_err < 0) -diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c -index f35794b..a506360 100644 ---- a/fs/notify/fanotify/fanotify.c -+++ b/fs/notify/fanotify/fanotify.c -@@ -21,6 +21,7 @@ static bool should_merge(struct fsnotify_event *old, struct fsnotify_event *new) - if ((old->path.mnt == new->path.mnt) && - (old->path.dentry == new->path.dentry)) - return true; -+ break; - case (FSNOTIFY_EVENT_NONE): - return true; - default: diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c index d438036..0ecadde 100644 --- a/fs/notify/fanotify/fanotify_user.c @@ -50187,25 +50371,6 @@ index 1ccfa53..0848f95 100644 } else if (mm) { pid_t tid = vm_is_stack(priv->task, vma, is_pid); -diff --git a/fs/pstore/platform.c b/fs/pstore/platform.c -index 29996e8..2d1e0f3 100644 ---- a/fs/pstore/platform.c -+++ b/fs/pstore/platform.c -@@ -161,12 +161,13 @@ static void pstore_console_write(struct console *con, const char *s, unsigned c) - - while (s < e) { - unsigned long flags; -+ u64 id; - - if (c > psinfo->bufsize) - c = psinfo->bufsize; - spin_lock_irqsave(&psinfo->buf_lock, flags); - memcpy(psinfo->buf, s, c); -- psinfo->write(PSTORE_TYPE_CONSOLE, 0, NULL, 0, c, psinfo); -+ psinfo->write(PSTORE_TYPE_CONSOLE, 0, &id, 0, c, psinfo); - spin_unlock_irqrestore(&psinfo->buf_lock, flags); - s += c; - c = e - s; diff --git a/fs/quota/netlink.c b/fs/quota/netlink.c index d67908b..d13f6a6 100644 --- a/fs/quota/netlink.c @@ -50872,10 +51037,10 @@ index 4e00cf0..3374374 100644 kfree(s); diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..d38b430 +index 0000000..10c36fb --- /dev/null +++ b/grsecurity/Kconfig -@@ -0,0 +1,947 @@ +@@ -0,0 +1,964 @@ +# +# grecurity configuration +# @@ -50938,6 +51103,23 @@ index 0000000..d38b430 + IF YOU USE XFree86. If you use XFree86 and you still want to + protect your kernel against modification, use the RBAC system. + ++config GRKERNSEC_JIT_HARDEN ++ bool "Harden BPF JIT against spray attacks" ++ default y if GRKERNSEC_CONFIG_AUTO ++ depends on BPF_JIT ++ help ++ If you say Y here, the native code generated by the kernel's Berkeley ++ Packet Filter (BPF) JIT engine will be hardened against JIT-spraying ++ attacks that attempt to fit attacker-beneficial instructions in ++ 32bit immediate fields of JIT-generated native instructions. The ++ attacker will generally aim to cause an unintended instruction sequence ++ of JIT-generated native code to execute by jumping into the middle of ++ a generated instruction. This feature effectively randomizes the 32bit ++ immediate constants present in the generated code to thwart such attacks. ++ ++ If you're using KERNEXEC, it's recommended that you enable this option ++ to supplement the hardening of the kernel. ++ +config GRKERNSEC_PROC_MEMMAP + bool "Harden ASLR against information leaks and entropy reduction" + default y if (GRKERNSEC_CONFIG_AUTO || PAX_NOEXEC || PAX_ASLR) @@ -51869,10 +52051,10 @@ index 0000000..1b9afa9 +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..b736032 +index 0000000..4428c82 --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,4040 @@ +@@ -0,0 +1,4056 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -55903,6 +56085,22 @@ index 0000000..b736032 + return (obj->mode & GR_FIND) ? 1 : 0; +} + ++void gr_put_exec_file(struct task_struct *task) ++{ ++ struct file *filp; ++ ++ write_lock(&grsec_exec_file_lock); ++ filp = task->exec_file; ++ task->exec_file = NULL; ++ write_unlock(&grsec_exec_file_lock); ++ ++ if (filp) ++ fput(filp); ++ ++ return; ++} ++ ++ +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE +EXPORT_SYMBOL(gr_acl_is_enabled); +#endif @@ -58012,10 +58210,10 @@ index 0000000..9807ee2 +} diff --git a/grsecurity/grsec_disabled.c b/grsecurity/grsec_disabled.c new file mode 100644 -index 0000000..213ad8b +index 0000000..b79fe50 --- /dev/null +++ b/grsecurity/grsec_disabled.c -@@ -0,0 +1,437 @@ +@@ -0,0 +1,442 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -58447,6 +58645,11 @@ index 0000000..213ad8b + return dentry->d_inode->i_sb->s_dev; +} + ++void gr_put_exec_file(struct task_struct *task) ++{ ++ return; ++} ++ +EXPORT_SYMBOL(gr_learn_resource); +EXPORT_SYMBOL(gr_set_kernel_label); +#ifdef CONFIG_SECURITY @@ -62887,10 +63090,10 @@ index 0000000..54f4e85 +#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by " diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h new file mode 100644 -index 0000000..f9b9a21 +index 0000000..187b3ed --- /dev/null +++ b/include/linux/grsecurity.h -@@ -0,0 +1,238 @@ +@@ -0,0 +1,239 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H +#include <linux/fs.h> @@ -63103,6 +63306,7 @@ index 0000000..f9b9a21 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode); +void gr_audit_ptrace(struct task_struct *task); +dev_t gr_get_dev_from_dentry(struct dentry *dentry); ++void gr_put_exec_file(struct task_struct *task); + +int gr_ptrace_readexec(struct file *file, int unsafe_flags); + @@ -63237,50 +63441,68 @@ index aa2e167..84024ce 100644 }; diff --git a/include/linux/init.h b/include/linux/init.h -index 5e664f6..0a1225c 100644 +index 5e664f6..15ae326 100644 --- a/include/linux/init.h +++ b/include/linux/init.h -@@ -39,9 +39,15 @@ +@@ -39,9 +39,33 @@ * Also note, that this data cannot be "const". */ +#ifdef MODULE -+#define add_latent_entropy ++#define add_init_latent_entropy ++#else ++#define add_init_latent_entropy __latent_entropy ++#endif ++ ++#ifdef CONFIG_HOTPLUG ++#define add_devinit_latent_entropy ++#else ++#define add_devinit_latent_entropy __latent_entropy ++#endif ++ ++#ifdef CONFIG_HOTPLUG_CPU ++#define add_cpuinit_latent_entropy ++#else ++#define add_cpuinit_latent_entropy __latent_entropy ++#endif ++ ++#ifdef CONFIG_MEMORY_HOTPLUG ++#define add_meminit_latent_entropy +#else -+#define add_latent_entropy __latent_entropy ++#define add_meminit_latent_entropy __latent_entropy +#endif + /* These are for everybody (although not all archs will actually discard it in modules) */ -#define __init __section(.init.text) __cold notrace -+#define __init __section(.init.text) __cold notrace add_latent_entropy ++#define __init __section(.init.text) __cold notrace add_init_latent_entropy #define __initdata __section(.init.data) #define __initconst __section(.init.rodata) #define __exitdata __section(.exit.data) -@@ -83,7 +89,7 @@ +@@ -83,7 +107,7 @@ #define __exit __section(.exit.text) __exitused __cold notrace /* Used for HOTPLUG */ -#define __devinit __section(.devinit.text) __cold notrace -+#define __devinit __section(.devinit.text) __cold notrace add_latent_entropy ++#define __devinit __section(.devinit.text) __cold notrace add_devinit_latent_entropy #define __devinitdata __section(.devinit.data) #define __devinitconst __section(.devinit.rodata) #define __devexit __section(.devexit.text) __exitused __cold notrace -@@ -91,7 +97,7 @@ +@@ -91,7 +115,7 @@ #define __devexitconst __section(.devexit.rodata) /* Used for HOTPLUG_CPU */ -#define __cpuinit __section(.cpuinit.text) __cold notrace -+#define __cpuinit __section(.cpuinit.text) __cold notrace add_latent_entropy ++#define __cpuinit __section(.cpuinit.text) __cold notrace add_cpuinit_latent_entropy #define __cpuinitdata __section(.cpuinit.data) #define __cpuinitconst __section(.cpuinit.rodata) #define __cpuexit __section(.cpuexit.text) __exitused __cold notrace -@@ -99,7 +105,7 @@ +@@ -99,7 +123,7 @@ #define __cpuexitconst __section(.cpuexit.rodata) /* Used for MEMORY_HOTPLUG */ -#define __meminit __section(.meminit.text) __cold notrace -+#define __meminit __section(.meminit.text) __cold notrace add_latent_entropy ++#define __meminit __section(.meminit.text) __cold notrace add_meminit_latent_entropy #define __meminitdata __section(.meminit.data) #define __meminitconst __section(.meminit.rodata) #define __memexit __section(.memexit.text) __exitused __cold notrace @@ -63762,7 +63984,7 @@ index 1d1b1e1..2a13c78 100644 #define pmdp_clear_flush_notify(__vma, __address, __pmdp) \ diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h -index 2daa54f..bfdf2f5 100644 +index a16d929..860ae00 100644 --- a/include/linux/mmzone.h +++ b/include/linux/mmzone.h @@ -414,7 +414,7 @@ struct zone { @@ -67384,21 +67606,10 @@ index 7fee567..8affa2c 100644 /* diff --git a/kernel/exit.c b/kernel/exit.c -index f65345f9..9c28dab 100644 +index f65345f9..1423231 100644 --- a/kernel/exit.c +++ b/kernel/exit.c -@@ -59,6 +59,10 @@ - #include <asm/pgtable.h> - #include <asm/mmu_context.h> - -+#ifdef CONFIG_GRKERNSEC -+extern rwlock_t grsec_exec_file_lock; -+#endif -+ - static void exit_mm(struct task_struct * tsk); - - static void __unhash_process(struct task_struct *p, bool group_dead) -@@ -182,6 +186,10 @@ void release_task(struct task_struct * p) +@@ -182,6 +182,10 @@ void release_task(struct task_struct * p) struct task_struct *leader; int zap_leader; repeat: @@ -67409,7 +67620,7 @@ index f65345f9..9c28dab 100644 /* don't need to get the RCU readlock here - the process is dead and * can't be modifying its own credentials. But shut RCU-lockdep up */ rcu_read_lock(); -@@ -394,7 +402,7 @@ int allow_signal(int sig) +@@ -394,7 +398,7 @@ int allow_signal(int sig) * know it'll be handled, so that they don't get converted to * SIGKILL or just silently dropped. */ @@ -67418,25 +67629,16 @@ index f65345f9..9c28dab 100644 recalc_sigpending(); spin_unlock_irq(¤t->sighand->siglock); return 0; -@@ -430,6 +438,17 @@ void daemonize(const char *name, ...) +@@ -430,6 +434,8 @@ void daemonize(const char *name, ...) vsnprintf(current->comm, sizeof(current->comm), name, args); va_end(args); -+#ifdef CONFIG_GRKERNSEC -+ write_lock(&grsec_exec_file_lock); -+ if (current->exec_file) { -+ fput(current->exec_file); -+ current->exec_file = NULL; -+ } -+ write_unlock(&grsec_exec_file_lock); -+#endif -+ + gr_set_kernel_label(current); + /* * If we were started as result of loading a module, close all of the * user space pages. We don't need them, and if we didn't close them -@@ -907,6 +926,8 @@ void do_exit(long code) +@@ -907,6 +913,8 @@ void do_exit(long code) struct task_struct *tsk = current; int group_dead; @@ -67445,7 +67647,7 @@ index f65345f9..9c28dab 100644 profile_task_exit(tsk); WARN_ON(blk_needs_flush_plug(tsk)); -@@ -923,7 +944,6 @@ void do_exit(long code) +@@ -923,7 +931,6 @@ void do_exit(long code) * mm_release()->clear_child_tid() from writing to a user-controlled * kernel address. */ @@ -67453,7 +67655,7 @@ index f65345f9..9c28dab 100644 ptrace_event(PTRACE_EVENT_EXIT, code); -@@ -982,6 +1002,9 @@ void do_exit(long code) +@@ -982,6 +989,9 @@ void do_exit(long code) tsk->exit_code = code; taskstats_exit(tsk, group_dead); @@ -67463,7 +67665,7 @@ index f65345f9..9c28dab 100644 exit_mm(tsk); if (group_dead) -@@ -1099,7 +1122,7 @@ SYSCALL_DEFINE1(exit, int, error_code) +@@ -1099,7 +1109,7 @@ SYSCALL_DEFINE1(exit, int, error_code) * Take down every thread in the group. This is called by fatal signals * as well as by sys_exit_group (below). */ @@ -68331,7 +68533,7 @@ index 91c32a0..7b88d63 100644 seq_printf(m, "%40s %14lu %29s %pS\n", name, stats->contending_point[i], diff --git a/kernel/module.c b/kernel/module.c -index 9ad9ee9..731c128 100644 +index 2a15c59..731c128 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -58,6 +58,7 @@ @@ -68620,7 +68822,7 @@ index 9ad9ee9..731c128 100644 } } -@@ -2266,28 +2284,33 @@ static void layout_symtab(struct module *mod, struct load_info *info) +@@ -2266,7 +2284,7 @@ static void layout_symtab(struct module *mod, struct load_info *info) /* Put symbol section at end of init part of module. */ symsect->sh_flags |= SHF_ALLOC; @@ -68629,23 +68831,8 @@ index 9ad9ee9..731c128 100644 info->index.sym) | INIT_OFFSET_MASK; pr_debug("\t%s\n", info->secstrings + symsect->sh_name); - src = (void *)info->hdr + symsect->sh_offset; - nsrc = symsect->sh_size / sizeof(*src); - -+ /* strtab always starts with a nul, so offset 0 is the empty string. */ -+ strtab_size = 1; -+ - /* Compute total space required for the core symbols' strtab. */ -- for (ndst = i = strtab_size = 1; i < nsrc; ++i, ++src) -- if (is_core_symbol(src, info->sechdrs, info->hdr->e_shnum)) { -- strtab_size += strlen(&info->strtab[src->st_name]) + 1; -+ for (ndst = i = 0; i < nsrc; i++) { -+ if (i == 0 || -+ is_core_symbol(src+i, info->sechdrs, info->hdr->e_shnum)) { -+ strtab_size += strlen(&info->strtab[src[i].st_name])+1; - ndst++; - } -+ } +@@ -2286,13 +2304,13 @@ static void layout_symtab(struct module *mod, struct load_info *info) + } /* Append room for core symbols at end of core part. */ - info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1); @@ -68662,7 +68849,7 @@ index 9ad9ee9..731c128 100644 info->index.str) | INIT_OFFSET_MASK; pr_debug("\t%s\n", info->secstrings + strsect->sh_name); } -@@ -2305,24 +2328,28 @@ static void add_kallsyms(struct module *mod, const struct load_info *info) +@@ -2310,12 +2328,14 @@ static void add_kallsyms(struct module *mod, const struct load_info *info) /* Make sure we get permanent strtab: don't use info->strtab. */ mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr; @@ -68677,23 +68864,10 @@ index 9ad9ee9..731c128 100644 + mod->core_symtab = dst = mod->module_core_rx + info->symoffs; + mod->core_strtab = s = mod->module_core_rx + info->stroffs; src = mod->symtab; -- *dst = *src; *s++ = 0; -- for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) { -- if (!is_core_symbol(src, info->sechdrs, info->hdr->e_shnum)) -- continue; -- -- dst[ndst] = *src; -- dst[ndst++].st_name = s - mod->core_strtab; -- s += strlcpy(s, &mod->strtab[src->st_name], KSYM_NAME_LEN) + 1; -+ for (ndst = i = 0; i < mod->num_symtab; i++) { -+ if (i == 0 || -+ is_core_symbol(src+i, info->sechdrs, info->hdr->e_shnum)) { -+ dst[ndst] = src[i]; -+ dst[ndst++].st_name = s - mod->core_strtab; -+ s += strlcpy(s, &mod->strtab[src[i].st_name], -+ KSYM_NAME_LEN) + 1; -+ } + for (ndst = i = 0; i < mod->num_symtab; i++) { +@@ -2328,6 +2348,8 @@ static void add_kallsyms(struct module *mod, const struct load_info *info) + } } mod->core_num_syms = ndst; + @@ -68701,7 +68875,7 @@ index 9ad9ee9..731c128 100644 } #else static inline void layout_symtab(struct module *mod, struct load_info *info) -@@ -2356,17 +2383,33 @@ void * __weak module_alloc(unsigned long size) +@@ -2361,17 +2383,33 @@ void * __weak module_alloc(unsigned long size) return size == 0 ? NULL : vmalloc_exec(size); } @@ -68740,7 +68914,7 @@ index 9ad9ee9..731c128 100644 mutex_unlock(&module_mutex); } return ret; -@@ -2544,8 +2587,14 @@ static struct module *setup_load_info(struct load_info *info) +@@ -2549,8 +2587,14 @@ static struct module *setup_load_info(struct load_info *info) static int check_modinfo(struct module *mod, struct load_info *info) { const char *modmagic = get_modinfo(info, "vermagic"); @@ -68755,7 +68929,7 @@ index 9ad9ee9..731c128 100644 /* This is allowed: modprobe --force will invalidate it. */ if (!modmagic) { err = try_to_force_load(mod, "bad vermagic"); -@@ -2568,7 +2617,7 @@ static int check_modinfo(struct module *mod, struct load_info *info) +@@ -2573,7 +2617,7 @@ static int check_modinfo(struct module *mod, struct load_info *info) } /* Set up license info based on the info section */ @@ -68764,7 +68938,7 @@ index 9ad9ee9..731c128 100644 return 0; } -@@ -2662,7 +2711,7 @@ static int move_module(struct module *mod, struct load_info *info) +@@ -2667,7 +2711,7 @@ static int move_module(struct module *mod, struct load_info *info) void *ptr; /* Do the allocs. */ @@ -68773,7 +68947,7 @@ index 9ad9ee9..731c128 100644 /* * The pointer to this block is stored in the module structure * which is inside the block. Just mark it as not being a -@@ -2672,23 +2721,50 @@ static int move_module(struct module *mod, struct load_info *info) +@@ -2677,23 +2721,50 @@ static int move_module(struct module *mod, struct load_info *info) if (!ptr) return -ENOMEM; @@ -68832,7 +69006,7 @@ index 9ad9ee9..731c128 100644 /* Transfer each section which specifies SHF_ALLOC */ pr_debug("final section addresses:\n"); -@@ -2699,16 +2775,45 @@ static int move_module(struct module *mod, struct load_info *info) +@@ -2704,16 +2775,45 @@ static int move_module(struct module *mod, struct load_info *info) if (!(shdr->sh_flags & SHF_ALLOC)) continue; @@ -68885,7 +69059,7 @@ index 9ad9ee9..731c128 100644 pr_debug("\t0x%lx %s\n", (long)shdr->sh_addr, info->secstrings + shdr->sh_name); } -@@ -2763,12 +2868,12 @@ static void flush_module_icache(const struct module *mod) +@@ -2768,12 +2868,12 @@ static void flush_module_icache(const struct module *mod) * Do it before processing of module parameters, so the module * can provide parameter accessor functions of its own. */ @@ -68904,7 +69078,7 @@ index 9ad9ee9..731c128 100644 set_fs(old_fs); } -@@ -2838,8 +2943,10 @@ out: +@@ -2843,8 +2943,10 @@ out: static void module_deallocate(struct module *mod, struct load_info *info) { percpu_modfree(mod); @@ -68917,7 +69091,7 @@ index 9ad9ee9..731c128 100644 } int __weak module_finalize(const Elf_Ehdr *hdr, -@@ -2852,7 +2959,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr, +@@ -2857,7 +2959,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr, static int post_relocation(struct module *mod, const struct load_info *info) { /* Sort exception table now relocations are done. */ @@ -68927,7 +69101,7 @@ index 9ad9ee9..731c128 100644 /* Copy relocated percpu area over. */ percpu_modcopy(mod, (void *)info->sechdrs[info->index.pcpu].sh_addr, -@@ -2903,9 +3012,38 @@ static struct module *load_module(void __user *umod, +@@ -2908,9 +3012,38 @@ static struct module *load_module(void __user *umod, if (err) goto free_unload; @@ -68966,7 +69140,7 @@ index 9ad9ee9..731c128 100644 /* Fix up syms, so that st_value is a pointer to location. */ err = simplify_symbols(mod, &info); if (err < 0) -@@ -2921,13 +3059,6 @@ static struct module *load_module(void __user *umod, +@@ -2926,13 +3059,6 @@ static struct module *load_module(void __user *umod, flush_module_icache(mod); @@ -68980,7 +69154,7 @@ index 9ad9ee9..731c128 100644 /* Mark state as coming so strong_try_module_get() ignores us. */ mod->state = MODULE_STATE_COMING; -@@ -2985,11 +3116,10 @@ static struct module *load_module(void __user *umod, +@@ -2990,11 +3116,10 @@ static struct module *load_module(void __user *umod, unlock: mutex_unlock(&module_mutex); synchronize_sched(); @@ -68993,7 +69167,7 @@ index 9ad9ee9..731c128 100644 free_unload: module_unload_free(mod); free_module: -@@ -3030,16 +3160,16 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, +@@ -3035,16 +3160,16 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, MODULE_STATE_COMING, mod); /* Set RO and NX regions for core */ @@ -69018,7 +69192,7 @@ index 9ad9ee9..731c128 100644 do_mod_ctors(mod); /* Start the module */ -@@ -3085,11 +3215,12 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, +@@ -3090,11 +3215,12 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, mod->strtab = mod->core_strtab; #endif unset_module_init_ro_nx(mod); @@ -69036,7 +69210,7 @@ index 9ad9ee9..731c128 100644 mutex_unlock(&module_mutex); return 0; -@@ -3120,10 +3251,16 @@ static const char *get_ksymbol(struct module *mod, +@@ -3125,10 +3251,16 @@ static const char *get_ksymbol(struct module *mod, unsigned long nextval; /* At worse, next value is at end of module */ @@ -69056,7 +69230,7 @@ index 9ad9ee9..731c128 100644 /* Scan for closest preceding symbol, and next symbol. (ELF starts real symbols at 1). */ -@@ -3358,7 +3495,7 @@ static int m_show(struct seq_file *m, void *p) +@@ -3363,7 +3495,7 @@ static int m_show(struct seq_file *m, void *p) char buf[8]; seq_printf(m, "%s %u", @@ -69065,7 +69239,7 @@ index 9ad9ee9..731c128 100644 print_unload_info(m, mod); /* Informative for users. */ -@@ -3367,7 +3504,7 @@ static int m_show(struct seq_file *m, void *p) +@@ -3372,7 +3504,7 @@ static int m_show(struct seq_file *m, void *p) mod->state == MODULE_STATE_COMING ? "Loading": "Live"); /* Used by oprofile and other similar tools. */ @@ -69074,7 +69248,7 @@ index 9ad9ee9..731c128 100644 /* Taints info */ if (mod->taints) -@@ -3403,7 +3540,17 @@ static const struct file_operations proc_modules_operations = { +@@ -3408,7 +3540,17 @@ static const struct file_operations proc_modules_operations = { static int __init proc_modules_init(void) { @@ -69092,7 +69266,7 @@ index 9ad9ee9..731c128 100644 return 0; } module_init(proc_modules_init); -@@ -3462,12 +3609,12 @@ struct module *__module_address(unsigned long addr) +@@ -3467,12 +3609,12 @@ struct module *__module_address(unsigned long addr) { struct module *mod; @@ -69108,7 +69282,7 @@ index 9ad9ee9..731c128 100644 return mod; return NULL; } -@@ -3501,11 +3648,20 @@ bool is_module_text_address(unsigned long addr) +@@ -3506,11 +3648,20 @@ bool is_module_text_address(unsigned long addr) */ struct module *__module_text_address(unsigned long addr) { @@ -71861,9 +72035,18 @@ index 9ed4fd4..c42648d 100644 * Make sure the vma is shared, that it supports prefaulting, * and that the remapped range is valid and fully within diff --git a/mm/highmem.c b/mm/highmem.c -index d517cd1..006a1c5 100644 +index d517cd1..9568fec 100644 --- a/mm/highmem.c +++ b/mm/highmem.c +@@ -98,7 +98,7 @@ struct page *kmap_to_page(void *vaddr) + { + unsigned long addr = (unsigned long)vaddr; + +- if (addr >= PKMAP_ADDR(0) && addr <= PKMAP_ADDR(LAST_PKMAP)) { ++ if (addr >= PKMAP_ADDR(0) && addr < PKMAP_ADDR(LAST_PKMAP)) { + int i = (addr - PKMAP_ADDR(0)) >> PAGE_SHIFT; + return pte_page(pkmap_page_table[i]); + } @@ -137,9 +137,10 @@ static void flush_all_zero_pkmaps(void) * So no dangers, even with speculative execution. */ @@ -74671,7 +74854,7 @@ index d4b0c10..ed421b5 100644 new->vm_region = region; diff --git a/mm/page_alloc.c b/mm/page_alloc.c -index c13ea75..081ab2c 100644 +index d2d8f54..be2a87c 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -340,7 +340,7 @@ out: @@ -74887,7 +75070,7 @@ index aa95e59..b681a63 100644 struct anon_vma_chain *avc; struct anon_vma *anon_vma; diff --git a/mm/shmem.c b/mm/shmem.c -index d2eeca1..92f3123 100644 +index 31e1506..dbf3647 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -31,7 +31,7 @@ @@ -74908,7 +75091,7 @@ index d2eeca1..92f3123 100644 struct shmem_xattr { struct list_head list; /* anchored by shmem_inode_info->xattr_list */ -@@ -2207,6 +2207,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = { +@@ -2219,6 +2219,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = { static int shmem_xattr_validate(const char *name) { struct { const char *prefix; size_t len; } arr[] = { @@ -74920,7 +75103,7 @@ index d2eeca1..92f3123 100644 { XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN }, { XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN } }; -@@ -2260,6 +2265,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name, +@@ -2272,6 +2277,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name, if (err) return err; @@ -74936,7 +75119,7 @@ index d2eeca1..92f3123 100644 if (size == 0) value = ""; /* empty EA, do not remove */ -@@ -2594,8 +2608,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent) +@@ -2606,8 +2620,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent) int err = -ENOMEM; /* Round up to L1_CACHE_BYTES to resist false sharing */ @@ -76125,19 +76308,6 @@ index 2bb90b1..3795e47 100644 v->addr, v->addr + v->size, v->size); if (v->caller) -diff --git a/mm/vmscan.c b/mm/vmscan.c -index 99b434b..a018dfc 100644 ---- a/mm/vmscan.c -+++ b/mm/vmscan.c -@@ -2953,6 +2953,8 @@ static int kswapd(void *p) - &balanced_classzone_idx); - } - } -+ -+ current->reclaim_state = NULL; - return 0; - } - diff --git a/mm/vmstat.c b/mm/vmstat.c index df7a674..8b4a4f3 100644 --- a/mm/vmstat.c @@ -76823,7 +76993,7 @@ index 0337e2b..47914a0 100644 return err; diff --git a/net/core/dev.c b/net/core/dev.c -index aed87a4..72cc526 100644 +index 1dce5b5..363a522 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -1138,9 +1138,13 @@ void dev_load(struct net *net, const char *name) @@ -76867,7 +77037,7 @@ index aed87a4..72cc526 100644 #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb) -@@ -2928,7 +2932,7 @@ enqueue: +@@ -2930,7 +2934,7 @@ enqueue: local_irq_restore(flags); @@ -76876,7 +77046,7 @@ index aed87a4..72cc526 100644 kfree_skb(skb); return NET_RX_DROP; } -@@ -3000,7 +3004,7 @@ int netif_rx_ni(struct sk_buff *skb) +@@ -3002,7 +3006,7 @@ int netif_rx_ni(struct sk_buff *skb) } EXPORT_SYMBOL(netif_rx_ni); @@ -76885,7 +77055,7 @@ index aed87a4..72cc526 100644 { struct softnet_data *sd = &__get_cpu_var(softnet_data); -@@ -3331,7 +3335,7 @@ ncls: +@@ -3333,7 +3337,7 @@ ncls: ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev); } else { drop: @@ -76894,7 +77064,7 @@ index aed87a4..72cc526 100644 kfree_skb(skb); /* Jamal, now you will not able to escape explaining * me how you were going to use this. :-) -@@ -3898,7 +3902,7 @@ void netif_napi_del(struct napi_struct *napi) +@@ -3900,7 +3904,7 @@ void netif_napi_del(struct napi_struct *napi) } EXPORT_SYMBOL(netif_napi_del); @@ -76903,7 +77073,7 @@ index aed87a4..72cc526 100644 { struct softnet_data *sd = &__get_cpu_var(softnet_data); unsigned long time_limit = jiffies + 2; -@@ -4368,8 +4372,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v) +@@ -4370,8 +4374,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v) else seq_printf(seq, "%04x", ntohs(pt->type)); @@ -76917,7 +77087,7 @@ index aed87a4..72cc526 100644 } return 0; -@@ -5922,7 +5931,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, +@@ -5924,7 +5933,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev, } else { netdev_stats_to_stats64(storage, &dev->stats); } @@ -77291,10 +77461,10 @@ index 8d07c97..d0812ef 100644 rc = qp->q.fragments && (end - start) > max; diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c -index 5eea4a8..49819c2 100644 +index 14bbfcf..644f472 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c -@@ -1142,7 +1142,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, +@@ -1151,7 +1151,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, len = min_t(unsigned int, len, opt->optlen); if (put_user(len, optlen)) return -EFAULT; @@ -77304,7 +77474,7 @@ index 5eea4a8..49819c2 100644 return -EFAULT; return 0; } -@@ -1273,7 +1274,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, +@@ -1282,7 +1283,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, if (sk->sk_type != SOCK_STREAM) return -ENOPROTOOPT; @@ -77849,10 +78019,10 @@ index b10374d..0baa1f9 100644 if (ops->ndo_do_ioctl) { mm_segment_t oldfs = get_fs(); diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c -index ba6d13d..6899122 100644 +index e02faed..9780f28 100644 --- a/net/ipv6/ipv6_sockglue.c +++ b/net/ipv6/ipv6_sockglue.c -@@ -989,7 +989,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname, +@@ -990,7 +990,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname, if (sk->sk_type != SOCK_STREAM) return -ENOPROTOOPT; @@ -78332,7 +78502,7 @@ index 34e4185..8823368 100644 return res; } diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h -index bb61f77..3788d63 100644 +index 642a2a3..9dcc3dd 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -28,6 +28,7 @@ @@ -78490,7 +78660,7 @@ index c97a065..ff61928 100644 return p; diff --git a/net/mac80211/util.c b/net/mac80211/util.c -index 1cfe6d5..c428ba3 100644 +index 7883449..17c6a9a 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -1279,7 +1279,7 @@ int ieee80211_reconfig(struct ieee80211_local *local) @@ -83091,7 +83261,7 @@ index 0000000..92ed719 + return 0; +} diff --git a/tools/gcc/generate_size_overflow_hash.sh b/tools/gcc/generate_size_overflow_hash.sh -new file mode 100644 +new file mode 100755 index 0000000..02c6bec --- /dev/null +++ b/tools/gcc/generate_size_overflow_hash.sh @@ -83365,10 +83535,10 @@ index 0000000..a86e422 +} diff --git a/tools/gcc/kernexec_plugin.c b/tools/gcc/kernexec_plugin.c new file mode 100644 -index 0000000..98011fa +index 0000000..8856202 --- /dev/null +++ b/tools/gcc/kernexec_plugin.c -@@ -0,0 +1,427 @@ +@@ -0,0 +1,432 @@ +/* + * Copyright 2011 by the PaX Team <pageexec@freemail.hu> + * Licensed under the GPL v2 @@ -83409,6 +83579,10 @@ index 0000000..98011fa +extern void print_gimple_stmt(FILE *, gimple, int, int); +extern rtx emit_move_insn(rtx x, rtx y); + ++#if BUILDING_GCC_VERSION <= 4006 ++#define ANY_RETURN_P(rtx) (GET_CODE(rtx) == RETURN) ++#endif ++ +int plugin_is_GPL_compatible; + +static struct plugin_info kernexec_plugin_info = { @@ -83713,6 +83887,7 @@ index 0000000..98011fa + for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) { + // rtl match: (jump_insn 41 40 42 2 (return) fptr.c:42 634 {return_internal} (nil)) + // (jump_insn 12 9 11 2 (parallel [ (return) (unspec [ (0) ] UNSPEC_REP) ]) fptr.c:46 635 {return_internal_long} (nil)) ++ // (jump_insn 97 96 98 6 (simple_return) fptr.c:50 -1 (nil) -> simple_return) + rtx body; + + // is it a retn @@ -83721,7 +83896,7 @@ index 0000000..98011fa + body = PATTERN(insn); + if (GET_CODE(body) == PARALLEL) + body = XVECEXP(body, 0, 0); -+ if (GET_CODE(body) != RETURN) ++ if (!ANY_RETURN_P(body)) + continue; + kernexec_instrument_retaddr(insn); + } @@ -84099,10 +84274,10 @@ index 0000000..b8008f7 +} diff --git a/tools/gcc/size_overflow_hash.data b/tools/gcc/size_overflow_hash.data new file mode 100644 -index 0000000..9332f17 +index 0000000..67468e3 --- /dev/null +++ b/tools/gcc/size_overflow_hash.data -@@ -0,0 +1,3597 @@ +@@ -0,0 +1,3600 @@ +_000001_hash alloc_dr 2 65495 _000001_hash NULL +_000002_hash __copy_from_user 3 10918 _000002_hash NULL +_000003_hash copy_from_user 3 17559 _000003_hash NULL @@ -87700,6 +87875,9 @@ index 0000000..9332f17 +_003894_hash io_mapping_map_wc 2 19284 _003894_hash NULL +_003895_hash nfs_dns_resolve_name 3 25036 _003895_hash NULL +_003896_hash nfs_parse_server_name 2 1899 _003896_hash NULL ++_003897_hash acl_alloc 1 35979 _003897_hash NULL ++_003898_hash acl_alloc_stack_init 1 60630 _003898_hash NULL ++_003899_hash create_table 2 16213 _003899_hash NULL diff --git a/tools/gcc/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin.c new file mode 100644 index 0000000..1aa0dce |