authorAnthony G. Basile <blueness@gentoo.org>2015-01-23 15:50:19 -0500
committerAnthony G. Basile <blueness@gentoo.org>2015-01-23 15:50:19 -0500
commitc617d17450287c48b74a9eb88cb370ec317eb7d5 (patch)
tree45e303a45784ebf316b72c8a7c764bea9a75b582
parentGrsec/PaX: 3.0-{3.2.66,3.14.28,3.18.2}-201501142325 (diff)
Grsec/PaX: 3.0-{3.2.66,3.14.29,3.18.3}-201501211944 20150121
-rw-r--r--3.14.28/1027_linux-3.14.28.patch1961
-rw-r--r--3.14.29/0000_README (renamed from 3.14.28/0000_README)6
-rw-r--r--3.14.29/4420_grsecurity-3.0-3.14.29-201501211943.patch (renamed from 3.14.28/4420_grsecurity-3.0-3.14.28-201501142323.patch)357
-rw-r--r--3.14.29/4425_grsec_remove_EI_PAX.patch (renamed from 3.14.28/4425_grsec_remove_EI_PAX.patch)0
-rw-r--r--3.14.29/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.14.28/4427_force_XATTR_PAX_tmpfs.patch)0
-rw-r--r--3.14.29/4430_grsec-remove-localversion-grsec.patch (renamed from 3.14.28/4430_grsec-remove-localversion-grsec.patch)0
-rw-r--r--3.14.29/4435_grsec-mute-warnings.patch (renamed from 3.14.28/4435_grsec-mute-warnings.patch)0
-rw-r--r--3.14.29/4440_grsec-remove-protected-paths.patch (renamed from 3.14.28/4440_grsec-remove-protected-paths.patch)0
-rw-r--r--3.14.29/4450_grsec-kconfig-default-gids.patch (renamed from 3.14.28/4450_grsec-kconfig-default-gids.patch)0
-rw-r--r--3.14.29/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.14.28/4465_selinux-avc_audit-log-curr_ip.patch)0
-rw-r--r--3.14.29/4470_disable-compat_vdso.patch (renamed from 3.14.28/4470_disable-compat_vdso.patch)0
-rw-r--r--3.14.29/4475_emutramp_default_on.patch (renamed from 3.14.28/4475_emutramp_default_on.patch)0
-rw-r--r--3.18.3/0000_README (renamed from 3.18.2/0000_README)2
-rw-r--r--3.18.3/4420_grsecurity-3.0-3.18.3-201501211944.patch (renamed from 3.18.2/4420_grsecurity-3.0-3.18.2-201501142325.patch)430
-rw-r--r--3.18.3/4425_grsec_remove_EI_PAX.patch (renamed from 3.18.2/4425_grsec_remove_EI_PAX.patch)0
-rw-r--r--3.18.3/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.18.2/4427_force_XATTR_PAX_tmpfs.patch)0
-rw-r--r--3.18.3/4430_grsec-remove-localversion-grsec.patch (renamed from 3.18.2/4430_grsec-remove-localversion-grsec.patch)0
-rw-r--r--3.18.3/4435_grsec-mute-warnings.patch (renamed from 3.18.2/4435_grsec-mute-warnings.patch)0
-rw-r--r--3.18.3/4440_grsec-remove-protected-paths.patch (renamed from 3.18.2/4440_grsec-remove-protected-paths.patch)0
-rw-r--r--3.18.3/4450_grsec-kconfig-default-gids.patch (renamed from 3.18.2/4450_grsec-kconfig-default-gids.patch)0
-rw-r--r--3.18.3/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.18.2/4465_selinux-avc_audit-log-curr_ip.patch)0
-rw-r--r--3.18.3/4470_disable-compat_vdso.patch (renamed from 3.18.2/4470_disable-compat_vdso.patch)0
-rw-r--r--3.18.3/4475_emutramp_default_on.patch (renamed from 3.18.2/4475_emutramp_default_on.patch)0
-rw-r--r--3.2.66/0000_README2
-rw-r--r--3.2.66/4420_grsecurity-3.0-3.2.66-201501211939.patch (renamed from 3.2.66/4420_grsecurity-3.0-3.2.66-201501142321.patch)112
25 files changed, 676 insertions, 2194 deletions
diff --git a/3.14.28/1027_linux-3.14.28.patch b/3.14.28/1027_linux-3.14.28.patch
deleted file mode 100644
index ac1ed3f..0000000
--- a/3.14.28/1027_linux-3.14.28.patch
+++ /dev/null
@@ -1,1961 +0,0 @@
-diff --git a/Makefile b/Makefile
-index 944db23..a2e572b 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- VERSION = 3
- PATCHLEVEL = 14
--SUBLEVEL = 27
-+SUBLEVEL = 28
- EXTRAVERSION =
- NAME = Remembering Coco
-
-diff --git a/arch/arm/boot/dts/armada-370.dtsi b/arch/arm/boot/dts/armada-370.dtsi
-index 0d8530c..34841fc 100644
---- a/arch/arm/boot/dts/armada-370.dtsi
-+++ b/arch/arm/boot/dts/armada-370.dtsi
-@@ -106,11 +106,6 @@
- reg = <0x11100 0x20>;
- };
-
-- system-controller@18200 {
-- compatible = "marvell,armada-370-xp-system-controller";
-- reg = <0x18200 0x100>;
-- };
--
- pinctrl {
- compatible = "marvell,mv88f6710-pinctrl";
- reg = <0x18000 0x38>;
-@@ -167,6 +162,11 @@
- interrupts = <91>;
- };
-
-+ system-controller@18200 {
-+ compatible = "marvell,armada-370-xp-system-controller";
-+ reg = <0x18200 0x100>;
-+ };
-+
- gateclk: clock-gating-control@18220 {
- compatible = "marvell,armada-370-gating-clock";
- reg = <0x18220 0x4>;
-diff --git a/arch/arm/mach-tegra/reset-handler.S b/arch/arm/mach-tegra/reset-handler.S
-index 8c1ba4f..3505799 100644
---- a/arch/arm/mach-tegra/reset-handler.S
-+++ b/arch/arm/mach-tegra/reset-handler.S
-@@ -51,6 +51,7 @@ ENTRY(tegra_resume)
- THUMB( it ne )
- bne cpu_resume @ no
-
-+ tegra_get_soc_id TEGRA_APB_MISC_BASE, r6
- /* Are we on Tegra20? */
- cmp r6, #TEGRA20
- beq 1f @ Yes
-diff --git a/arch/arm64/include/asm/hwcap.h b/arch/arm64/include/asm/hwcap.h
-index 6cddbb0..e0ec201 100644
---- a/arch/arm64/include/asm/hwcap.h
-+++ b/arch/arm64/include/asm/hwcap.h
-@@ -30,6 +30,7 @@
- #define COMPAT_HWCAP_IDIVA (1 << 17)
- #define COMPAT_HWCAP_IDIVT (1 << 18)
- #define COMPAT_HWCAP_IDIV (COMPAT_HWCAP_IDIVA|COMPAT_HWCAP_IDIVT)
-+#define COMPAT_HWCAP_LPAE (1 << 20)
- #define COMPAT_HWCAP_EVTSTRM (1 << 21)
-
- #ifndef __ASSEMBLY__
-diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c
-index c8e9eff..071c382 100644
---- a/arch/arm64/kernel/setup.c
-+++ b/arch/arm64/kernel/setup.c
-@@ -67,7 +67,8 @@ EXPORT_SYMBOL_GPL(elf_hwcap);
- COMPAT_HWCAP_FAST_MULT|COMPAT_HWCAP_EDSP|\
- COMPAT_HWCAP_TLS|COMPAT_HWCAP_VFP|\
- COMPAT_HWCAP_VFPv3|COMPAT_HWCAP_VFPv4|\
-- COMPAT_HWCAP_NEON|COMPAT_HWCAP_IDIV)
-+ COMPAT_HWCAP_NEON|COMPAT_HWCAP_IDIV|\
-+ COMPAT_HWCAP_LPAE)
- unsigned int compat_elf_hwcap __read_mostly = COMPAT_ELF_HWCAP_DEFAULT;
- #endif
-
-diff --git a/arch/s390/kernel/compat_linux.c b/arch/s390/kernel/compat_linux.c
-index db02052..5426c9e 100644
---- a/arch/s390/kernel/compat_linux.c
-+++ b/arch/s390/kernel/compat_linux.c
-@@ -245,7 +245,7 @@ asmlinkage long sys32_setgroups16(int gidsetsize, u16 __user *grouplist)
- struct group_info *group_info;
- int retval;
-
-- if (!capable(CAP_SETGID))
-+ if (!may_setgroups())
- return -EPERM;
- if ((unsigned)gidsetsize > NGROUPS_MAX)
- return -EINVAL;
-diff --git a/arch/x86/include/uapi/asm/ldt.h b/arch/x86/include/uapi/asm/ldt.h
-index 46727eb..6e1aaf7 100644
---- a/arch/x86/include/uapi/asm/ldt.h
-+++ b/arch/x86/include/uapi/asm/ldt.h
-@@ -28,6 +28,13 @@ struct user_desc {
- unsigned int seg_not_present:1;
- unsigned int useable:1;
- #ifdef __x86_64__
-+ /*
-+ * Because this bit is not present in 32-bit user code, user
-+ * programs can pass uninitialized values here. Therefore, in
-+ * any context in which a user_desc comes from a 32-bit program,
-+ * the kernel must act as though lm == 0, regardless of the
-+ * actual value.
-+ */
- unsigned int lm:1;
- #endif
- };
-diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c
-index 713f1b3..0b1e1d5 100644
---- a/arch/x86/kernel/kvm.c
-+++ b/arch/x86/kernel/kvm.c
-@@ -280,7 +280,14 @@ do_async_page_fault(struct pt_regs *regs, unsigned long error_code)
- static void __init paravirt_ops_setup(void)
- {
- pv_info.name = "KVM";
-- pv_info.paravirt_enabled = 1;
-+
-+ /*
-+ * KVM isn't paravirt in the sense of paravirt_enabled. A KVM
-+ * guest kernel works like a bare metal kernel with additional
-+ * features, and paravirt_enabled is about features that are
-+ * missing.
-+ */
-+ pv_info.paravirt_enabled = 0;
-
- if (kvm_para_has_feature(KVM_FEATURE_NOP_IO_DELAY))
- pv_cpu_ops.io_delay = kvm_io_delay;
-diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c
-index e604109..c8e98cd 100644
---- a/arch/x86/kernel/kvmclock.c
-+++ b/arch/x86/kernel/kvmclock.c
-@@ -263,7 +263,6 @@ void __init kvmclock_init(void)
- #endif
- kvm_get_preset_lpj();
- clocksource_register_hz(&kvm_clock, NSEC_PER_SEC);
-- pv_info.paravirt_enabled = 1;
- pv_info.name = "KVM";
-
- if (kvm_para_has_feature(KVM_FEATURE_CLOCKSOURCE_STABLE_BIT))
-diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
-index 9c0280f..e2d26ce 100644
---- a/arch/x86/kernel/process_64.c
-+++ b/arch/x86/kernel/process_64.c
-@@ -286,24 +286,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
-
- fpu = switch_fpu_prepare(prev_p, next_p, cpu);
-
-- /*
-- * Reload esp0, LDT and the page table pointer:
-- */
-+ /* Reload esp0 and ss1. */
- load_sp0(tss, next);
-
-- /*
-- * Switch DS and ES.
-- * This won't pick up thread selector changes, but I guess that is ok.
-- */
-- savesegment(es, prev->es);
-- if (unlikely(next->es | prev->es))
-- loadsegment(es, next->es);
--
-- savesegment(ds, prev->ds);
-- if (unlikely(next->ds | prev->ds))
-- loadsegment(ds, next->ds);
--
--
- /* We must save %fs and %gs before load_TLS() because
- * %fs and %gs may be cleared by load_TLS().
- *
-@@ -312,41 +297,101 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
- savesegment(fs, fsindex);
- savesegment(gs, gsindex);
-
-+ /*
-+ * Load TLS before restoring any segments so that segment loads
-+ * reference the correct GDT entries.
-+ */
- load_TLS(next, cpu);
-
- /*
-- * Leave lazy mode, flushing any hypercalls made here.
-- * This must be done before restoring TLS segments so
-- * the GDT and LDT are properly updated, and must be
-- * done before math_state_restore, so the TS bit is up
-- * to date.
-+ * Leave lazy mode, flushing any hypercalls made here. This
-+ * must be done after loading TLS entries in the GDT but before
-+ * loading segments that might reference them, and and it must
-+ * be done before math_state_restore, so the TS bit is up to
-+ * date.
- */
- arch_end_context_switch(next_p);
-
-+ /* Switch DS and ES.
-+ *
-+ * Reading them only returns the selectors, but writing them (if
-+ * nonzero) loads the full descriptor from the GDT or LDT. The
-+ * LDT for next is loaded in switch_mm, and the GDT is loaded
-+ * above.
-+ *
-+ * We therefore need to write new values to the segment
-+ * registers on every context switch unless both the new and old
-+ * values are zero.
-+ *
-+ * Note that we don't need to do anything for CS and SS, as
-+ * those are saved and restored as part of pt_regs.
-+ */
-+ savesegment(es, prev->es);
-+ if (unlikely(next->es | prev->es))
-+ loadsegment(es, next->es);
-+
-+ savesegment(ds, prev->ds);
-+ if (unlikely(next->ds | prev->ds))
-+ loadsegment(ds, next->ds);
-+
- /*
- * Switch FS and GS.
- *
-- * Segment register != 0 always requires a reload. Also
-- * reload when it has changed. When prev process used 64bit
-- * base always reload to avoid an information leak.
-+ * These are even more complicated than FS and GS: they have
-+ * 64-bit bases are that controlled by arch_prctl. Those bases
-+ * only differ from the values in the GDT or LDT if the selector
-+ * is 0.
-+ *
-+ * Loading the segment register resets the hidden base part of
-+ * the register to 0 or the value from the GDT / LDT. If the
-+ * next base address zero, writing 0 to the segment register is
-+ * much faster than using wrmsr to explicitly zero the base.
-+ *
-+ * The thread_struct.fs and thread_struct.gs values are 0
-+ * if the fs and gs bases respectively are not overridden
-+ * from the values implied by fsindex and gsindex. They
-+ * are nonzero, and store the nonzero base addresses, if
-+ * the bases are overridden.
-+ *
-+ * (fs != 0 && fsindex != 0) || (gs != 0 && gsindex != 0) should
-+ * be impossible.
-+ *
-+ * Therefore we need to reload the segment registers if either
-+ * the old or new selector is nonzero, and we need to override
-+ * the base address if next thread expects it to be overridden.
-+ *
-+ * This code is unnecessarily slow in the case where the old and
-+ * new indexes are zero and the new base is nonzero -- it will
-+ * unnecessarily write 0 to the selector before writing the new
-+ * base address.
-+ *
-+ * Note: This all depends on arch_prctl being the only way that
-+ * user code can override the segment base. Once wrfsbase and
-+ * wrgsbase are enabled, most of this code will need to change.
- */
- if (unlikely(fsindex | next->fsindex | prev->fs)) {
- loadsegment(fs, next->fsindex);
-+
- /*
-- * Check if the user used a selector != 0; if yes
-- * clear 64bit base, since overloaded base is always
-- * mapped to the Null selector
-+ * If user code wrote a nonzero value to FS, then it also
-+ * cleared the overridden base address.
-+ *
-+ * XXX: if user code wrote 0 to FS and cleared the base
-+ * address itself, we won't notice and we'll incorrectly
-+ * restore the prior base address next time we reschdule
-+ * the process.
- */
- if (fsindex)
- prev->fs = 0;
- }
-- /* when next process has a 64bit base use it */
- if (next->fs)
- wrmsrl(MSR_FS_BASE, next->fs);
- prev->fsindex = fsindex;
-
- if (unlikely(gsindex | next->gsindex | prev->gs)) {
- load_gs_index(next->gsindex);
-+
-+ /* This works (and fails) the same way as fsindex above. */
- if (gsindex)
- prev->gs = 0;
- }
-diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
-index f7fec09..4e942f3 100644
---- a/arch/x86/kernel/tls.c
-+++ b/arch/x86/kernel/tls.c
-@@ -27,6 +27,37 @@ static int get_free_idx(void)
- return -ESRCH;
- }
-
-+static bool tls_desc_okay(const struct user_desc *info)
-+{
-+ if (LDT_empty(info))
-+ return true;
-+
-+ /*
-+ * espfix is required for 16-bit data segments, but espfix
-+ * only works for LDT segments.
-+ */
-+ if (!info->seg_32bit)
-+ return false;
-+
-+ /* Only allow data segments in the TLS array. */
-+ if (info->contents > 1)
-+ return false;
-+
-+ /*
-+ * Non-present segments with DPL 3 present an interesting attack
-+ * surface. The kernel should handle such segments correctly,
-+ * but TLS is very difficult to protect in a sandbox, so prevent
-+ * such segments from being created.
-+ *
-+ * If userspace needs to remove a TLS entry, it can still delete
-+ * it outright.
-+ */
-+ if (info->seg_not_present)
-+ return false;
-+
-+ return true;
-+}
-+
- static void set_tls_desc(struct task_struct *p, int idx,
- const struct user_desc *info, int n)
- {
-@@ -66,6 +97,9 @@ int do_set_thread_area(struct task_struct *p, int idx,
- if (copy_from_user(&info, u_info, sizeof(info)))
- return -EFAULT;
-
-+ if (!tls_desc_okay(&info))
-+ return -EINVAL;
-+
- if (idx == -1)
- idx = info.entry_number;
-
-@@ -192,6 +226,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
- {
- struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES];
- const struct user_desc *info;
-+ int i;
-
- if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
- (pos % sizeof(struct user_desc)) != 0 ||
-@@ -205,6 +240,10 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
- else
- info = infobuf;
-
-+ for (i = 0; i < count / sizeof(struct user_desc); i++)
-+ if (!tls_desc_okay(info + i))
-+ return -EINVAL;
-+
- set_tls_desc(target,
- GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)),
- info, count / sizeof(struct user_desc));
-diff --git a/crypto/af_alg.c b/crypto/af_alg.c
-index 6a3ad80..1de4bee 100644
---- a/crypto/af_alg.c
-+++ b/crypto/af_alg.c
-@@ -449,6 +449,9 @@ void af_alg_complete(struct crypto_async_request *req, int err)
- {
- struct af_alg_completion *completion = req->data;
-
-+ if (err == -EINPROGRESS)
-+ return;
-+
- completion->err = err;
- complete(&completion->completion);
- }
-diff --git a/drivers/md/bitmap.c b/drivers/md/bitmap.c
-index 4195a01..8e51b3a 100644
---- a/drivers/md/bitmap.c
-+++ b/drivers/md/bitmap.c
-@@ -883,7 +883,6 @@ void bitmap_unplug(struct bitmap *bitmap)
- {
- unsigned long i;
- int dirty, need_write;
-- int wait = 0;
-
- if (!bitmap || !bitmap->storage.filemap ||
- test_bit(BITMAP_STALE, &bitmap->flags))
-@@ -901,16 +900,13 @@ void bitmap_unplug(struct bitmap *bitmap)
- clear_page_attr(bitmap, i, BITMAP_PAGE_PENDING);
- write_page(bitmap, bitmap->storage.filemap[i], 0);
- }
-- if (dirty)
-- wait = 1;
-- }
-- if (wait) { /* if any writes were performed, we need to wait on them */
-- if (bitmap->storage.file)
-- wait_event(bitmap->write_wait,
-- atomic_read(&bitmap->pending_writes)==0);
-- else
-- md_super_wait(bitmap->mddev);
- }
-+ if (bitmap->storage.file)
-+ wait_event(bitmap->write_wait,
-+ atomic_read(&bitmap->pending_writes)==0);
-+ else
-+ md_super_wait(bitmap->mddev);
-+
- if (test_bit(BITMAP_WRITE_ERROR, &bitmap->flags))
- bitmap_file_kick(bitmap);
- }
-diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c
-index a1cebf7..03c872f 100644
---- a/drivers/md/dm-bufio.c
-+++ b/drivers/md/dm-bufio.c
-@@ -532,6 +532,19 @@ static void use_dmio(struct dm_buffer *b, int rw, sector_t block,
- end_io(&b->bio, r);
- }
-
-+static void inline_endio(struct bio *bio, int error)
-+{
-+ bio_end_io_t *end_fn = bio->bi_private;
-+
-+ /*
-+ * Reset the bio to free any attached resources
-+ * (e.g. bio integrity profiles).
-+ */
-+ bio_reset(bio);
-+
-+ end_fn(bio, error);
-+}
-+
- static void use_inline_bio(struct dm_buffer *b, int rw, sector_t block,
- bio_end_io_t *end_io)
- {
-@@ -543,7 +556,12 @@ static void use_inline_bio(struct dm_buffer *b, int rw, sector_t block,
- b->bio.bi_max_vecs = DM_BUFIO_INLINE_VECS;
- b->bio.bi_iter.bi_sector = block << b->c->sectors_per_block_bits;
- b->bio.bi_bdev = b->c->bdev;
-- b->bio.bi_end_io = end_io;
-+ b->bio.bi_end_io = inline_endio;
-+ /*
-+ * Use of .bi_private isn't a problem here because
-+ * the dm_buffer's inline bio is local to bufio.
-+ */
-+ b->bio.bi_private = end_io;
-
- /*
- * We assume that if len >= PAGE_SIZE ptr is page-aligned.
-diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
-index 2331543..ff284b7 100644
---- a/drivers/md/dm-cache-target.c
-+++ b/drivers/md/dm-cache-target.c
-@@ -946,10 +946,14 @@ static void migration_success_post_commit(struct dm_cache_migration *mg)
- }
-
- } else {
-- clear_dirty(cache, mg->new_oblock, mg->cblock);
-- if (mg->requeue_holder)
-+ if (mg->requeue_holder) {
-+ clear_dirty(cache, mg->new_oblock, mg->cblock);
- cell_defer(cache, mg->new_ocell, true);
-- else {
-+ } else {
-+ /*
-+ * The block was promoted via an overwrite, so it's dirty.
-+ */
-+ set_dirty(cache, mg->new_oblock, mg->cblock);
- bio_endio(mg->new_ocell->holder, 0);
- cell_defer(cache, mg->new_ocell, false);
- }
-@@ -1060,7 +1064,8 @@ static void issue_copy(struct dm_cache_migration *mg)
-
- avoid = is_discarded_oblock(cache, mg->new_oblock);
-
-- if (!avoid && bio_writes_complete_block(cache, bio)) {
-+ if (writeback_mode(&cache->features) &&
-+ !avoid && bio_writes_complete_block(cache, bio)) {
- issue_overwrite(mg, bio);
- return;
- }
-diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
-index 9533f83..4a8d19d 100644
---- a/drivers/md/dm-crypt.c
-+++ b/drivers/md/dm-crypt.c
-@@ -709,7 +709,7 @@ static int crypt_iv_tcw_whitening(struct crypt_config *cc,
- for (i = 0; i < ((1 << SECTOR_SHIFT) / 8); i++)
- crypto_xor(data + i * 8, buf, 8);
- out:
-- memset(buf, 0, sizeof(buf));
-+ memzero_explicit(buf, sizeof(buf));
- return r;
- }
-
-diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c
-index 37f2648..f7e052c 100644
---- a/drivers/md/dm-thin.c
-+++ b/drivers/md/dm-thin.c
-@@ -916,6 +916,24 @@ static void schedule_zero(struct thin_c *tc, dm_block_t virt_block,
- }
- }
-
-+static void set_pool_mode(struct pool *pool, enum pool_mode new_mode);
-+
-+static void check_for_space(struct pool *pool)
-+{
-+ int r;
-+ dm_block_t nr_free;
-+
-+ if (get_pool_mode(pool) != PM_OUT_OF_DATA_SPACE)
-+ return;
-+
-+ r = dm_pool_get_free_block_count(pool->pmd, &nr_free);
-+ if (r)
-+ return;
-+
-+ if (nr_free)
-+ set_pool_mode(pool, PM_WRITE);
-+}
-+
- /*
- * A non-zero return indicates read_only or fail_io mode.
- * Many callers don't care about the return value.
-@@ -930,6 +948,8 @@ static int commit(struct pool *pool)
- r = dm_pool_commit_metadata(pool->pmd);
- if (r)
- metadata_operation_failed(pool, "dm_pool_commit_metadata", r);
-+ else
-+ check_for_space(pool);
-
- return r;
- }
-@@ -948,8 +968,6 @@ static void check_low_water_mark(struct pool *pool, dm_block_t free_blocks)
- }
- }
-
--static void set_pool_mode(struct pool *pool, enum pool_mode new_mode);
--
- static int alloc_data_block(struct thin_c *tc, dm_block_t *result)
- {
- int r;
-@@ -1592,7 +1610,7 @@ static void set_pool_mode(struct pool *pool, enum pool_mode new_mode)
- pool->process_bio = process_bio_read_only;
- pool->process_discard = process_discard;
- pool->process_prepared_mapping = process_prepared_mapping;
-- pool->process_prepared_discard = process_prepared_discard_passdown;
-+ pool->process_prepared_discard = process_prepared_discard;
-
- if (!pool->pf.error_if_no_space && no_space_timeout)
- queue_delayed_work(pool->wq, &pool->no_space_timeout, no_space_timeout);
-diff --git a/drivers/md/persistent-data/dm-space-map-metadata.c b/drivers/md/persistent-data/dm-space-map-metadata.c
-index 786b689..f4e22bc 100644
---- a/drivers/md/persistent-data/dm-space-map-metadata.c
-+++ b/drivers/md/persistent-data/dm-space-map-metadata.c
-@@ -564,7 +564,9 @@ static int sm_bootstrap_get_nr_blocks(struct dm_space_map *sm, dm_block_t *count
- {
- struct sm_metadata *smm = container_of(sm, struct sm_metadata, sm);
-
-- return smm->ll.nr_blocks;
-+ *count = smm->ll.nr_blocks;
-+
-+ return 0;
- }
-
- static int sm_bootstrap_get_nr_free(struct dm_space_map *sm, dm_block_t *count)
-diff --git a/drivers/mfd/tc6393xb.c b/drivers/mfd/tc6393xb.c
-index 11c19e5..48579e5 100644
---- a/drivers/mfd/tc6393xb.c
-+++ b/drivers/mfd/tc6393xb.c
-@@ -263,6 +263,17 @@ static int tc6393xb_ohci_disable(struct platform_device *dev)
- return 0;
- }
-
-+static int tc6393xb_ohci_suspend(struct platform_device *dev)
-+{
-+ struct tc6393xb_platform_data *tcpd = dev_get_platdata(dev->dev.parent);
-+
-+ /* We can't properly store/restore OHCI state, so fail here */
-+ if (tcpd->resume_restore)
-+ return -EBUSY;
-+
-+ return tc6393xb_ohci_disable(dev);
-+}
-+
- static int tc6393xb_fb_enable(struct platform_device *dev)
- {
- struct tc6393xb *tc6393xb = dev_get_drvdata(dev->dev.parent);
-@@ -403,7 +414,7 @@ static struct mfd_cell tc6393xb_cells[] = {
- .num_resources = ARRAY_SIZE(tc6393xb_ohci_resources),
- .resources = tc6393xb_ohci_resources,
- .enable = tc6393xb_ohci_enable,
-- .suspend = tc6393xb_ohci_disable,
-+ .suspend = tc6393xb_ohci_suspend,
- .resume = tc6393xb_ohci_enable,
- .disable = tc6393xb_ohci_disable,
- },
-diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
-index 7b5424f..df72c47 100644
---- a/drivers/mmc/card/block.c
-+++ b/drivers/mmc/card/block.c
-@@ -260,7 +260,7 @@ static ssize_t force_ro_show(struct device *dev, struct device_attribute *attr,
- int ret;
- struct mmc_blk_data *md = mmc_blk_get(dev_to_disk(dev));
-
-- ret = snprintf(buf, PAGE_SIZE, "%d",
-+ ret = snprintf(buf, PAGE_SIZE, "%d\n",
- get_disk_ro(dev_to_disk(dev)) ^
- md->read_only);
- mmc_blk_put(md);
-diff --git a/drivers/mmc/host/dw_mmc.c b/drivers/mmc/host/dw_mmc.c
-index 55cd110..caed9d5 100644
---- a/drivers/mmc/host/dw_mmc.c
-+++ b/drivers/mmc/host/dw_mmc.c
-@@ -632,6 +632,13 @@ static void dw_mci_ctrl_rd_thld(struct dw_mci *host, struct mmc_data *data)
-
- WARN_ON(!(data->flags & MMC_DATA_READ));
-
-+ /*
-+ * CDTHRCTL doesn't exist prior to 240A (in fact that register offset is
-+ * in the FIFO region, so we really shouldn't access it).
-+ */
-+ if (host->verid < DW_MMC_240A)
-+ return;
-+
- if (host->timing != MMC_TIMING_MMC_HS200 &&
- host->timing != MMC_TIMING_UHS_SDR104)
- goto disable;
-diff --git a/drivers/mmc/host/sdhci-pci-o2micro.c b/drivers/mmc/host/sdhci-pci-o2micro.c
-index f49666b..257e9ca 100644
---- a/drivers/mmc/host/sdhci-pci-o2micro.c
-+++ b/drivers/mmc/host/sdhci-pci-o2micro.c
-@@ -88,8 +88,6 @@ void sdhci_pci_o2_fujin2_pci_init(struct sdhci_pci_chip *chip)
- return;
- scratch_32 &= ~((1 << 21) | (1 << 30));
-
-- /* Set RTD3 function disabled */
-- scratch_32 |= ((1 << 29) | (1 << 28));
- pci_write_config_dword(chip->pdev, O2_SD_FUNC_REG3, scratch_32);
-
- /* Set L1 Entrance Timer */
-diff --git a/drivers/scsi/NCR5380.c b/drivers/scsi/NCR5380.c
-index 1e9d6ad..7563b3d 100644
---- a/drivers/scsi/NCR5380.c
-+++ b/drivers/scsi/NCR5380.c
-@@ -2655,14 +2655,14 @@ static void NCR5380_dma_complete(NCR5380_instance * instance) {
- *
- * Purpose : abort a command
- *
-- * Inputs : cmd - the Scsi_Cmnd to abort, code - code to set the
-- * host byte of the result field to, if zero DID_ABORTED is
-+ * Inputs : cmd - the Scsi_Cmnd to abort, code - code to set the
-+ * host byte of the result field to, if zero DID_ABORTED is
- * used.
- *
-- * Returns : 0 - success, -1 on failure.
-+ * Returns : SUCCESS - success, FAILED on failure.
- *
-- * XXX - there is no way to abort the command that is currently
-- * connected, you have to wait for it to complete. If this is
-+ * XXX - there is no way to abort the command that is currently
-+ * connected, you have to wait for it to complete. If this is
- * a problem, we could implement longjmp() / setjmp(), setjmp()
- * called where the loop started in NCR5380_main().
- *
-@@ -2712,7 +2712,7 @@ static int NCR5380_abort(Scsi_Cmnd * cmd) {
- * aborted flag and get back into our main loop.
- */
-
-- return 0;
-+ return SUCCESS;
- }
- #endif
-
-diff --git a/drivers/scsi/aha1740.c b/drivers/scsi/aha1740.c
-index 5f31017..31ace4b 100644
---- a/drivers/scsi/aha1740.c
-+++ b/drivers/scsi/aha1740.c
-@@ -531,7 +531,7 @@ static int aha1740_eh_abort_handler (Scsi_Cmnd *dummy)
- * quiet as possible...
- */
-
-- return 0;
-+ return SUCCESS;
- }
-
- static struct scsi_host_template aha1740_template = {
-diff --git a/drivers/scsi/atari_NCR5380.c b/drivers/scsi/atari_NCR5380.c
-index 0f3cdbc..30073d4 100644
---- a/drivers/scsi/atari_NCR5380.c
-+++ b/drivers/scsi/atari_NCR5380.c
-@@ -2613,7 +2613,7 @@ static void NCR5380_reselect(struct Scsi_Host *instance)
- * host byte of the result field to, if zero DID_ABORTED is
- * used.
- *
-- * Returns : 0 - success, -1 on failure.
-+ * Returns : SUCCESS - success, FAILED on failure.
- *
- * XXX - there is no way to abort the command that is currently
- * connected, you have to wait for it to complete. If this is
-diff --git a/drivers/scsi/esas2r/esas2r_main.c b/drivers/scsi/esas2r/esas2r_main.c
-index f37f3e3..28fe6fe 100644
---- a/drivers/scsi/esas2r/esas2r_main.c
-+++ b/drivers/scsi/esas2r/esas2r_main.c
-@@ -1057,7 +1057,7 @@ int esas2r_eh_abort(struct scsi_cmnd *cmd)
-
- cmd->scsi_done(cmd);
-
-- return 0;
-+ return SUCCESS;
- }
-
- spin_lock_irqsave(&a->queue_lock, flags);
-diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
-index 816db12..52587ce 100644
---- a/drivers/scsi/megaraid.c
-+++ b/drivers/scsi/megaraid.c
-@@ -1967,7 +1967,7 @@ megaraid_abort_and_reset(adapter_t *adapter, Scsi_Cmnd *cmd, int aor)
- cmd->device->id, cmd->device->lun);
-
- if(list_empty(&adapter->pending_list))
-- return FALSE;
-+ return FAILED;
-
- list_for_each_safe(pos, next, &adapter->pending_list) {
-
-@@ -1990,7 +1990,7 @@ megaraid_abort_and_reset(adapter_t *adapter, Scsi_Cmnd *cmd, int aor)
- (aor==SCB_ABORT) ? "ABORTING":"RESET",
- scb->idx);
-
-- return FALSE;
-+ return FAILED;
- }
- else {
-
-@@ -2015,12 +2015,12 @@ megaraid_abort_and_reset(adapter_t *adapter, Scsi_Cmnd *cmd, int aor)
- list_add_tail(SCSI_LIST(cmd),
- &adapter->completed_list);
-
-- return TRUE;
-+ return SUCCESS;
- }
- }
- }
-
-- return FALSE;
-+ return FAILED;
- }
-
- static inline int
-diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
-index 3b7ad10..c80afde 100644
---- a/drivers/scsi/megaraid/megaraid_sas_base.c
-+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
-@@ -953,7 +953,7 @@ megasas_issue_blocked_abort_cmd(struct megasas_instance *instance,
- cpu_to_le32(upper_32_bits(cmd_to_abort->frame_phys_addr));
-
- cmd->sync_cmd = 1;
-- cmd->cmd_status = 0xFF;
-+ cmd->cmd_status = ENODATA;
-
- instance->instancet->issue_dcmd(instance, cmd);
-
-diff --git a/drivers/scsi/sun3_NCR5380.c b/drivers/scsi/sun3_NCR5380.c
-index 636bbe0..fc57c8a 100644
---- a/drivers/scsi/sun3_NCR5380.c
-+++ b/drivers/scsi/sun3_NCR5380.c
-@@ -2597,15 +2597,15 @@ static void NCR5380_reselect (struct Scsi_Host *instance)
- * Purpose : abort a command
- *
- * Inputs : cmd - the struct scsi_cmnd to abort, code - code to set the
-- * host byte of the result field to, if zero DID_ABORTED is
-+ * host byte of the result field to, if zero DID_ABORTED is
- * used.
- *
-- * Returns : 0 - success, -1 on failure.
-+ * Returns : SUCCESS - success, FAILED on failure.
- *
-- * XXX - there is no way to abort the command that is currently
-- * connected, you have to wait for it to complete. If this is
-+ * XXX - there is no way to abort the command that is currently
-+ * connected, you have to wait for it to complete. If this is
- * a problem, we could implement longjmp() / setjmp(), setjmp()
-- * called where the loop started in NCR5380_main().
-+ * called where the loop started in NCR5380_main().
- */
-
- static int NCR5380_abort(struct scsi_cmnd *cmd)
-diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
-index 71b0ec0..284733e 100644
---- a/drivers/thermal/thermal_core.c
-+++ b/drivers/thermal/thermal_core.c
-@@ -1824,10 +1824,10 @@ static int __init thermal_init(void)
-
- exit_netlink:
- genetlink_exit();
--unregister_governors:
-- thermal_unregister_governors();
- unregister_class:
- class_unregister(&thermal_class);
-+unregister_governors:
-+ thermal_unregister_governors();
- error:
- idr_destroy(&thermal_tz_idr);
- idr_destroy(&thermal_cdev_idr);
-diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
-index 370ef74..0db8ded 100644
---- a/fs/btrfs/disk-io.c
-+++ b/fs/btrfs/disk-io.c
-@@ -3978,12 +3978,6 @@ again:
- if (ret)
- break;
-
-- /* opt_discard */
-- if (btrfs_test_opt(root, DISCARD))
-- ret = btrfs_error_discard_extent(root, start,
-- end + 1 - start,
-- NULL);
--
- clear_extent_dirty(unpin, start, end, GFP_NOFS);
- btrfs_error_unpin_extent_range(root, start, end);
- cond_resched();
-diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
-index 3ff98e2..d2f1c01 100644
---- a/fs/btrfs/extent-tree.c
-+++ b/fs/btrfs/extent-tree.c
-@@ -5503,7 +5503,8 @@ void btrfs_prepare_extent_commit(struct btrfs_trans_handle *trans,
- update_global_block_rsv(fs_info);
- }
-
--static int unpin_extent_range(struct btrfs_root *root, u64 start, u64 end)
-+static int unpin_extent_range(struct btrfs_root *root, u64 start, u64 end,
-+ const bool return_free_space)
- {
- struct btrfs_fs_info *fs_info = root->fs_info;
- struct btrfs_block_group_cache *cache = NULL;
-@@ -5527,7 +5528,8 @@ static int unpin_extent_range(struct btrfs_root *root, u64 start, u64 end)
-
- if (start < cache->last_byte_to_unpin) {
- len = min(len, cache->last_byte_to_unpin - start);
-- btrfs_add_free_space(cache, start, len);
-+ if (return_free_space)
-+ btrfs_add_free_space(cache, start, len);
- }
-
- start += len;
-@@ -5590,7 +5592,7 @@ int btrfs_finish_extent_commit(struct btrfs_trans_handle *trans,
- end + 1 - start, NULL);
-
- clear_extent_dirty(unpin, start, end, GFP_NOFS);
-- unpin_extent_range(root, start, end);
-+ unpin_extent_range(root, start, end, true);
- cond_resched();
- }
-
-@@ -8886,7 +8888,7 @@ out:
-
- int btrfs_error_unpin_extent_range(struct btrfs_root *root, u64 start, u64 end)
- {
-- return unpin_extent_range(root, start, end);
-+ return unpin_extent_range(root, start, end, false);
- }
-
- int btrfs_error_discard_extent(struct btrfs_root *root, u64 bytenr,
-diff --git a/fs/btrfs/extent_map.c b/fs/btrfs/extent_map.c
-index 996ad56b..82845a6 100644
---- a/fs/btrfs/extent_map.c
-+++ b/fs/btrfs/extent_map.c
-@@ -290,8 +290,6 @@ int unpin_extent_cache(struct extent_map_tree *tree, u64 start, u64 len,
- if (!em)
- goto out;
-
-- if (!test_bit(EXTENT_FLAG_LOGGING, &em->flags))
-- list_move(&em->list, &tree->modified_extents);
- em->generation = gen;
- clear_bit(EXTENT_FLAG_PINNED, &em->flags);
- em->mod_start = em->start;
-diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
-index 2f6735d..31b148f 100644
---- a/fs/ecryptfs/crypto.c
-+++ b/fs/ecryptfs/crypto.c
-@@ -1917,7 +1917,6 @@ ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size,
- break;
- case 2:
- dst[dst_byte_offset++] |= (src_byte);
-- dst[dst_byte_offset] = 0;
- current_bit_offset = 0;
- break;
- }
-diff --git a/fs/ecryptfs/file.c b/fs/ecryptfs/file.c
-index b1eaa7a..03df502 100644
---- a/fs/ecryptfs/file.c
-+++ b/fs/ecryptfs/file.c
-@@ -191,23 +191,11 @@ static int ecryptfs_open(struct inode *inode, struct file *file)
- {
- int rc = 0;
- struct ecryptfs_crypt_stat *crypt_stat = NULL;
-- struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
- struct dentry *ecryptfs_dentry = file->f_path.dentry;
- /* Private value of ecryptfs_dentry allocated in
- * ecryptfs_lookup() */
- struct ecryptfs_file_info *file_info;
-
-- mount_crypt_stat = &ecryptfs_superblock_to_private(
-- ecryptfs_dentry->d_sb)->mount_crypt_stat;
-- if ((mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
-- && ((file->f_flags & O_WRONLY) || (file->f_flags & O_RDWR)
-- || (file->f_flags & O_CREAT) || (file->f_flags & O_TRUNC)
-- || (file->f_flags & O_APPEND))) {
-- printk(KERN_WARNING "Mount has encrypted view enabled; "
-- "files may only be read\n");
-- rc = -EPERM;
-- goto out;
-- }
- /* Released in ecryptfs_release or end of function if failure */
- file_info = kmem_cache_zalloc(ecryptfs_file_info_cache, GFP_KERNEL);
- ecryptfs_set_file_private(file, file_info);
-diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c
-index 1b119d3..34eb843 100644
---- a/fs/ecryptfs/main.c
-+++ b/fs/ecryptfs/main.c
-@@ -493,6 +493,7 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags
- {
- struct super_block *s;
- struct ecryptfs_sb_info *sbi;
-+ struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
- struct ecryptfs_dentry_info *root_info;
- const char *err = "Getting sb failed";
- struct inode *inode;
-@@ -511,6 +512,7 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags
- err = "Error parsing options";
- goto out;
- }
-+ mount_crypt_stat = &sbi->mount_crypt_stat;
-
- s = sget(fs_type, NULL, set_anon_super, flags, NULL);
- if (IS_ERR(s)) {
-@@ -557,11 +559,19 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags
-
- /**
- * Set the POSIX ACL flag based on whether they're enabled in the lower
-- * mount. Force a read-only eCryptfs mount if the lower mount is ro.
-- * Allow a ro eCryptfs mount even when the lower mount is rw.
-+ * mount.
- */
- s->s_flags = flags & ~MS_POSIXACL;
-- s->s_flags |= path.dentry->d_sb->s_flags & (MS_RDONLY | MS_POSIXACL);
-+ s->s_flags |= path.dentry->d_sb->s_flags & MS_POSIXACL;
-+
-+ /**
-+ * Force a read-only eCryptfs mount when:
-+ * 1) The lower mount is ro
-+ * 2) The ecryptfs_encrypted_view mount option is specified
-+ */
-+ if (path.dentry->d_sb->s_flags & MS_RDONLY ||
-+ mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
-+ s->s_flags |= MS_RDONLY;
-
- s->s_maxbytes = path.dentry->d_sb->s_maxbytes;
- s->s_blocksize = path.dentry->d_sb->s_blocksize;
-diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
-index f488bba..735d752 100644
---- a/fs/isofs/rock.c
-+++ b/fs/isofs/rock.c
-@@ -30,6 +30,7 @@ struct rock_state {
- int cont_size;
- int cont_extent;
- int cont_offset;
-+ int cont_loops;
- struct inode *inode;
- };
-
-@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode)
- rs->inode = inode;
- }
-
-+/* Maximum number of Rock Ridge continuation entries */
-+#define RR_MAX_CE_ENTRIES 32
-+
- /*
- * Returns 0 if the caller should continue scanning, 1 if the scan must end
- * and -ve on error.
-@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs)
- goto out;
- }
- ret = -EIO;
-+ if (++rs->cont_loops >= RR_MAX_CE_ENTRIES)
-+ goto out;
- bh = sb_bread(rs->inode->i_sb, rs->cont_extent);
- if (bh) {
- memcpy(rs->buffer, bh->b_data + rs->cont_offset,
-@@ -356,6 +362,9 @@ repeat:
- rs.cont_size = isonum_733(rr->u.CE.size);
- break;
- case SIG('E', 'R'):
-+ /* Invalid length of ER tag id? */
-+ if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len)
-+ goto out;
- ISOFS_SB(inode->i_sb)->s_rock = 1;
- printk(KERN_DEBUG "ISO 9660 Extensions: ");
- {
-diff --git a/fs/namespace.c b/fs/namespace.c
-index d9bf3ef..039f380 100644
---- a/fs/namespace.c
-+++ b/fs/namespace.c
-@@ -1295,6 +1295,8 @@ void umount_tree(struct mount *mnt, int how)
- }
- if (last) {
- last->mnt_hash.next = unmounted.first;
-+ if (unmounted.first)
-+ unmounted.first->pprev = &last->mnt_hash.next;
- unmounted.first = tmp_list.first;
- unmounted.first->pprev = &unmounted.first;
- }
-@@ -1439,6 +1441,9 @@ SYSCALL_DEFINE2(umount, char __user *, name, int, flags)
- goto dput_and_out;
- if (mnt->mnt.mnt_flags & MNT_LOCKED)
- goto dput_and_out;
-+ retval = -EPERM;
-+ if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))
-+ goto dput_and_out;
-
- retval = do_umount(mnt, flags);
- dput_and_out:
-@@ -1964,7 +1969,13 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
- }
- if ((mnt->mnt.mnt_flags & MNT_LOCK_NODEV) &&
- !(mnt_flags & MNT_NODEV)) {
-- return -EPERM;
-+ /* Was the nodev implicitly added in mount? */
-+ if ((mnt->mnt_ns->user_ns != &init_user_ns) &&
-+ !(sb->s_type->fs_flags & FS_USERNS_DEV_MOUNT)) {
-+ mnt_flags |= MNT_NODEV;
-+ } else {
-+ return -EPERM;
-+ }
- }
- if ((mnt->mnt.mnt_flags & MNT_LOCK_NOSUID) &&
- !(mnt_flags & MNT_NOSUID)) {
-diff --git a/fs/ncpfs/ioctl.c b/fs/ncpfs/ioctl.c
-index 60426cc..2f970de 100644
---- a/fs/ncpfs/ioctl.c
-+++ b/fs/ncpfs/ioctl.c
-@@ -448,7 +448,6 @@ static long __ncp_ioctl(struct inode *inode, unsigned int cmd, unsigned long arg
- result = -EIO;
- }
- }
-- result = 0;
- }
- mutex_unlock(&server->root_setup_lock);
-
-diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
-index bd01803..58258ad 100644
---- a/fs/nfs/nfs4proc.c
-+++ b/fs/nfs/nfs4proc.c
-@@ -7589,6 +7589,9 @@ nfs4_proc_layoutget(struct nfs4_layoutget *lgp, gfp_t gfp_flags)
-
- dprintk("--> %s\n", __func__);
-
-+ /* nfs4_layoutget_release calls pnfs_put_layout_hdr */
-+ pnfs_get_layout_hdr(NFS_I(inode)->layout);
-+
- lgp->args.layout.pages = nfs4_alloc_pages(max_pages, gfp_flags);
- if (!lgp->args.layout.pages) {
- nfs4_layoutget_release(lgp);
-@@ -7601,9 +7604,6 @@ nfs4_proc_layoutget(struct nfs4_layoutget *lgp, gfp_t gfp_flags)
- lgp->res.seq_res.sr_slot = NULL;
- nfs4_init_sequence(&lgp->args.seq_args, &lgp->res.seq_res, 0);
-
-- /* nfs4_layoutget_release calls pnfs_put_layout_hdr */
-- pnfs_get_layout_hdr(NFS_I(inode)->layout);
--
- task = rpc_run_task(&task_setup_data);
- if (IS_ERR(task))
- return ERR_CAST(task);
-diff --git a/fs/proc/base.c b/fs/proc/base.c
-index b976062..489ba8c 100644
---- a/fs/proc/base.c
-+++ b/fs/proc/base.c
-@@ -2555,6 +2555,57 @@ static const struct file_operations proc_projid_map_operations = {
- .llseek = seq_lseek,
- .release = proc_id_map_release,
- };
-+
-+static int proc_setgroups_open(struct inode *inode, struct file *file)
-+{
-+ struct user_namespace *ns = NULL;
-+ struct task_struct *task;
-+ int ret;
-+
-+ ret = -ESRCH;
-+ task = get_proc_task(inode);
-+ if (task) {
-+ rcu_read_lock();
-+ ns = get_user_ns(task_cred_xxx(task, user_ns));
-+ rcu_read_unlock();
-+ put_task_struct(task);
-+ }
-+ if (!ns)
-+ goto err;
-+
-+ if (file->f_mode & FMODE_WRITE) {
-+ ret = -EACCES;
-+ if (!ns_capable(ns, CAP_SYS_ADMIN))
-+ goto err_put_ns;
-+ }
-+
-+ ret = single_open(file, &proc_setgroups_show, ns);
-+ if (ret)
-+ goto err_put_ns;
-+
-+ return 0;
-+err_put_ns:
-+ put_user_ns(ns);
-+err:
-+ return ret;
-+}
-+
-+static int proc_setgroups_release(struct inode *inode, struct file *file)
-+{
-+ struct seq_file *seq = file->private_data;
-+ struct user_namespace *ns = seq->private;
-+ int ret = single_release(inode, file);
-+ put_user_ns(ns);
-+ return ret;
-+}
-+
-+static const struct file_operations proc_setgroups_operations = {
-+ .open = proc_setgroups_open,
-+ .write = proc_setgroups_write,
-+ .read = seq_read,
-+ .llseek = seq_lseek,
-+ .release = proc_setgroups_release,
-+};
- #endif /* CONFIG_USER_NS */
-
- static int proc_pid_personality(struct seq_file *m, struct pid_namespace *ns,
-@@ -2663,6 +2714,7 @@ static const struct pid_entry tgid_base_stuff[] = {
- REG("uid_map", S_IRUGO|S_IWUSR, proc_uid_map_operations),
- REG("gid_map", S_IRUGO|S_IWUSR, proc_gid_map_operations),
- REG("projid_map", S_IRUGO|S_IWUSR, proc_projid_map_operations),
-+ REG("setgroups", S_IRUGO|S_IWUSR, proc_setgroups_operations),
- #endif
- #ifdef CONFIG_CHECKPOINT_RESTORE
- REG("timers", S_IRUGO, proc_timers_operations),
-@@ -2998,6 +3050,7 @@ static const struct pid_entry tid_base_stuff[] = {
- REG("uid_map", S_IRUGO|S_IWUSR, proc_uid_map_operations),
- REG("gid_map", S_IRUGO|S_IWUSR, proc_gid_map_operations),
- REG("projid_map", S_IRUGO|S_IWUSR, proc_projid_map_operations),
-+ REG("setgroups", S_IRUGO|S_IWUSR, proc_setgroups_operations),
- #endif
- };
-
-diff --git a/fs/udf/symlink.c b/fs/udf/symlink.c
-index d7c6dbe..d89f324 100644
---- a/fs/udf/symlink.c
-+++ b/fs/udf/symlink.c
-@@ -80,11 +80,17 @@ static int udf_symlink_filler(struct file *file, struct page *page)
- struct inode *inode = page->mapping->host;
- struct buffer_head *bh = NULL;
- unsigned char *symlink;
-- int err = -EIO;
-+ int err;
- unsigned char *p = kmap(page);
- struct udf_inode_info *iinfo;
- uint32_t pos;
-
-+ /* We don't support symlinks longer than one block */
-+ if (inode->i_size > inode->i_sb->s_blocksize) {
-+ err = -ENAMETOOLONG;
-+ goto out_unmap;
-+ }
-+
- iinfo = UDF_I(inode);
- pos = udf_block_map(inode, 0);
-
-@@ -94,8 +100,10 @@ static int udf_symlink_filler(struct file *file, struct page *page)
- } else {
- bh = sb_bread(inode->i_sb, pos);
-
-- if (!bh)
-- goto out;
-+ if (!bh) {
-+ err = -EIO;
-+ goto out_unlock_inode;
-+ }
-
- symlink = bh->b_data;
- }
-@@ -109,9 +117,10 @@ static int udf_symlink_filler(struct file *file, struct page *page)
- unlock_page(page);
- return 0;
-
--out:
-+out_unlock_inode:
- up_read(&iinfo->i_data_sem);
- SetPageError(page);
-+out_unmap:
- kunmap(page);
- unlock_page(page);
- return err;
-diff --git a/include/linux/audit.h b/include/linux/audit.h
-index ec1464d..419b7d7 100644
---- a/include/linux/audit.h
-+++ b/include/linux/audit.h
-@@ -47,6 +47,7 @@ struct sk_buff;
-
- struct audit_krule {
- int vers_ops;
-+ u32 pflags;
- u32 flags;
- u32 listnr;
- u32 action;
-@@ -64,6 +65,9 @@ struct audit_krule {
- u64 prio;
- };
-
-+/* Flag to indicate legacy AUDIT_LOGINUID unset usage */
-+#define AUDIT_LOGINUID_LEGACY 0x1
-+
- struct audit_field {
- u32 type;
- u32 val;
-diff --git a/include/linux/cred.h b/include/linux/cred.h
-index 04421e8..6c58dd7 100644
---- a/include/linux/cred.h
-+++ b/include/linux/cred.h
-@@ -68,6 +68,7 @@ extern void groups_free(struct group_info *);
- extern int set_current_groups(struct group_info *);
- extern int set_groups(struct cred *, struct group_info *);
- extern int groups_search(const struct group_info *, kgid_t);
-+extern bool may_setgroups(void);
-
- /* access the groups "array" with this macro */
- #define GROUP_AT(gi, i) \
-diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
-index 4836ba3..e92abf9 100644
---- a/include/linux/user_namespace.h
-+++ b/include/linux/user_namespace.h
-@@ -17,6 +17,10 @@ struct uid_gid_map { /* 64 bytes -- 1 cache line */
- } extent[UID_GID_MAP_MAX_EXTENTS];
- };
-
-+#define USERNS_SETGROUPS_ALLOWED 1UL
-+
-+#define USERNS_INIT_FLAGS USERNS_SETGROUPS_ALLOWED
-+
- struct user_namespace {
- struct uid_gid_map uid_map;
- struct uid_gid_map gid_map;
-@@ -27,6 +31,7 @@ struct user_namespace {
- kuid_t owner;
- kgid_t group;
- unsigned int proc_inum;
-+ unsigned long flags;
-
- /* Register of per-UID persistent keyrings for this namespace */
- #ifdef CONFIG_PERSISTENT_KEYRINGS
-@@ -63,6 +68,9 @@ extern struct seq_operations proc_projid_seq_operations;
- extern ssize_t proc_uid_map_write(struct file *, const char __user *, size_t, loff_t *);
- extern ssize_t proc_gid_map_write(struct file *, const char __user *, size_t, loff_t *);
- extern ssize_t proc_projid_map_write(struct file *, const char __user *, size_t, loff_t *);
-+extern ssize_t proc_setgroups_write(struct file *, const char __user *, size_t, loff_t *);
-+extern int proc_setgroups_show(struct seq_file *m, void *v);
-+extern bool userns_may_setgroups(const struct user_namespace *ns);
- #else
-
- static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
-@@ -87,6 +95,10 @@ static inline void put_user_ns(struct user_namespace *ns)
- {
- }
-
-+static inline bool userns_may_setgroups(const struct user_namespace *ns)
-+{
-+ return true;
-+}
- #endif
-
- #endif /* _LINUX_USER_H */
-diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
-index 92062fd..598c1dc 100644
---- a/kernel/auditfilter.c
-+++ b/kernel/auditfilter.c
-@@ -429,6 +429,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
- if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) {
- f->type = AUDIT_LOGINUID_SET;
- f->val = 0;
-+ entry->rule.pflags |= AUDIT_LOGINUID_LEGACY;
- }
-
- err = audit_field_valid(entry, f);
-@@ -604,6 +605,13 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
- data->buflen += data->values[i] =
- audit_pack_string(&bufp, krule->filterkey);
- break;
-+ case AUDIT_LOGINUID_SET:
-+ if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) {
-+ data->fields[i] = AUDIT_LOGINUID;
-+ data->values[i] = AUDIT_UID_UNSET;
-+ break;
-+ }
-+ /* fallthrough if set */
- default:
- data->values[i] = f->val;
- }
-@@ -620,6 +628,7 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
- int i;
-
- if (a->flags != b->flags ||
-+ a->pflags != b->pflags ||
- a->listnr != b->listnr ||
- a->action != b->action ||
- a->field_count != b->field_count)
-@@ -738,6 +747,7 @@ struct audit_entry *audit_dupe_rule(struct audit_krule *old)
- new = &entry->rule;
- new->vers_ops = old->vers_ops;
- new->flags = old->flags;
-+ new->pflags = old->pflags;
- new->listnr = old->listnr;
- new->action = old->action;
- for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
-diff --git a/kernel/groups.c b/kernel/groups.c
-index 90cf1c3..67b4ba3 100644
---- a/kernel/groups.c
-+++ b/kernel/groups.c
-@@ -6,6 +6,7 @@
- #include <linux/slab.h>
- #include <linux/security.h>
- #include <linux/syscalls.h>
-+#include <linux/user_namespace.h>
- #include <asm/uaccess.h>
-
- /* init to 2 - one for init_task, one to ensure it is never freed */
-@@ -223,6 +224,14 @@ out:
- return i;
- }
-
-+bool may_setgroups(void)
-+{
-+ struct user_namespace *user_ns = current_user_ns();
-+
-+ return ns_capable(user_ns, CAP_SETGID) &&
-+ userns_may_setgroups(user_ns);
-+}
-+
- /*
- * SMP: Our groups are copy-on-write. We can set them safely
- * without another task interfering.
-@@ -233,7 +242,7 @@ SYSCALL_DEFINE2(setgroups, int, gidsetsize, gid_t __user *, grouplist)
- struct group_info *group_info;
- int retval;
-
-- if (!ns_capable(current_user_ns(), CAP_SETGID))
-+ if (!may_setgroups())
- return -EPERM;
- if ((unsigned)gidsetsize > NGROUPS_MAX)
- return -EINVAL;
-diff --git a/kernel/pid.c b/kernel/pid.c
-index 9b9a266..82430c8 100644
---- a/kernel/pid.c
-+++ b/kernel/pid.c
-@@ -341,6 +341,8 @@ out:
-
- out_unlock:
- spin_unlock_irq(&pidmap_lock);
-+ put_pid_ns(ns);
-+
- out_free:
- while (++i <= ns->level)
- free_pidmap(pid->numbers + i);
-diff --git a/kernel/uid16.c b/kernel/uid16.c
-index 602e5bb..d58cc4d 100644
---- a/kernel/uid16.c
-+++ b/kernel/uid16.c
-@@ -176,7 +176,7 @@ SYSCALL_DEFINE2(setgroups16, int, gidsetsize, old_gid_t __user *, grouplist)
- struct group_info *group_info;
- int retval;
-
-- if (!ns_capable(current_user_ns(), CAP_SETGID))
-+ if (!may_setgroups())
- return -EPERM;
- if ((unsigned)gidsetsize > NGROUPS_MAX)
- return -EINVAL;
-diff --git a/kernel/user.c b/kernel/user.c
-index c006131..c2bbb50 100644
---- a/kernel/user.c
-+++ b/kernel/user.c
-@@ -51,6 +51,7 @@ struct user_namespace init_user_ns = {
- .owner = GLOBAL_ROOT_UID,
- .group = GLOBAL_ROOT_GID,
- .proc_inum = PROC_USER_INIT_INO,
-+ .flags = USERNS_INIT_FLAGS,
- #ifdef CONFIG_PERSISTENT_KEYRINGS
- .persistent_keyring_register_sem =
- __RWSEM_INITIALIZER(init_user_ns.persistent_keyring_register_sem),
-diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index 80a57af..153971e 100644
---- a/kernel/user_namespace.c
-+++ b/kernel/user_namespace.c
-@@ -24,6 +24,7 @@
- #include <linux/fs_struct.h>
-
- static struct kmem_cache *user_ns_cachep __read_mostly;
-+static DEFINE_MUTEX(userns_state_mutex);
-
- static bool new_idmap_permitted(const struct file *file,
- struct user_namespace *ns, int cap_setid,
-@@ -99,6 +100,11 @@ int create_user_ns(struct cred *new)
- ns->owner = owner;
- ns->group = group;
-
-+ /* Inherit USERNS_SETGROUPS_ALLOWED from our parent */
-+ mutex_lock(&userns_state_mutex);
-+ ns->flags = parent_ns->flags;
-+ mutex_unlock(&userns_state_mutex);
-+
- set_cred_user_ns(new, ns);
-
- #ifdef CONFIG_PERSISTENT_KEYRINGS
-@@ -581,9 +587,6 @@ static bool mappings_overlap(struct uid_gid_map *new_map, struct uid_gid_extent
- return false;
- }
-
--
--static DEFINE_MUTEX(id_map_mutex);
--
- static ssize_t map_write(struct file *file, const char __user *buf,
- size_t count, loff_t *ppos,
- int cap_setid,
-@@ -600,7 +603,7 @@ static ssize_t map_write(struct file *file, const char __user *buf,
- ssize_t ret = -EINVAL;
-
- /*
-- * The id_map_mutex serializes all writes to any given map.
-+ * The userns_state_mutex serializes all writes to any given map.
- *
- * Any map is only ever written once.
- *
-@@ -618,7 +621,7 @@ static ssize_t map_write(struct file *file, const char __user *buf,
- * order and smp_rmb() is guaranteed that we don't have crazy
- * architectures returning stale data.
- */
-- mutex_lock(&id_map_mutex);
-+ mutex_lock(&userns_state_mutex);
-
- ret = -EPERM;
- /* Only allow one successful write to the map */
-@@ -745,7 +748,7 @@ static ssize_t map_write(struct file *file, const char __user *buf,
- *ppos = count;
- ret = count;
- out:
-- mutex_unlock(&id_map_mutex);
-+ mutex_unlock(&userns_state_mutex);
- if (page)
- free_page(page);
- return ret;
-@@ -804,17 +807,21 @@ static bool new_idmap_permitted(const struct file *file,
- struct user_namespace *ns, int cap_setid,
- struct uid_gid_map *new_map)
- {
-- /* Allow mapping to your own filesystem ids */
-- if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1)) {
-+ const struct cred *cred = file->f_cred;
-+ /* Don't allow mappings that would allow anything that wouldn't
-+ * be allowed without the establishment of unprivileged mappings.
-+ */
-+ if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
-+ uid_eq(ns->owner, cred->euid)) {
- u32 id = new_map->extent[0].lower_first;
- if (cap_setid == CAP_SETUID) {
- kuid_t uid = make_kuid(ns->parent, id);
-- if (uid_eq(uid, file->f_cred->fsuid))
-+ if (uid_eq(uid, cred->euid))
- return true;
-- }
-- else if (cap_setid == CAP_SETGID) {
-+ } else if (cap_setid == CAP_SETGID) {
- kgid_t gid = make_kgid(ns->parent, id);
-- if (gid_eq(gid, file->f_cred->fsgid))
-+ if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
-+ gid_eq(gid, cred->egid))
- return true;
- }
- }
-@@ -834,6 +841,100 @@ static bool new_idmap_permitted(const struct file *file,
- return false;
- }
-
-+int proc_setgroups_show(struct seq_file *seq, void *v)
-+{
-+ struct user_namespace *ns = seq->private;
-+ unsigned long userns_flags = ACCESS_ONCE(ns->flags);
-+
-+ seq_printf(seq, "%s\n",
-+ (userns_flags & USERNS_SETGROUPS_ALLOWED) ?
-+ "allow" : "deny");
-+ return 0;
-+}
-+
-+ssize_t proc_setgroups_write(struct file *file, const char __user *buf,
-+ size_t count, loff_t *ppos)
-+{
-+ struct seq_file *seq = file->private_data;
-+ struct user_namespace *ns = seq->private;
-+ char kbuf[8], *pos;
-+ bool setgroups_allowed;
-+ ssize_t ret;
-+
-+ /* Only allow a very narrow range of strings to be written */
-+ ret = -EINVAL;
-+ if ((*ppos != 0) || (count >= sizeof(kbuf)))
-+ goto out;
-+
-+ /* What was written? */
-+ ret = -EFAULT;
-+ if (copy_from_user(kbuf, buf, count))
-+ goto out;
-+ kbuf[count] = '\0';
-+ pos = kbuf;
-+
-+ /* What is being requested? */
-+ ret = -EINVAL;
-+ if (strncmp(pos, "allow", 5) == 0) {
-+ pos += 5;
-+ setgroups_allowed = true;
-+ }
-+ else if (strncmp(pos, "deny", 4) == 0) {
-+ pos += 4;
-+ setgroups_allowed = false;
-+ }
-+ else
-+ goto out;
-+
-+ /* Verify there is not trailing junk on the line */
-+ pos = skip_spaces(pos);
-+ if (*pos != '\0')
-+ goto out;
-+
-+ ret = -EPERM;
-+ mutex_lock(&userns_state_mutex);
-+ if (setgroups_allowed) {
-+ /* Enabling setgroups after setgroups has been disabled
-+ * is not allowed.
-+ */
-+ if (!(ns->flags & USERNS_SETGROUPS_ALLOWED))
-+ goto out_unlock;
-+ } else {
-+ /* Permanently disabling setgroups after setgroups has
-+ * been enabled by writing the gid_map is not allowed.
-+ */
-+ if (ns->gid_map.nr_extents != 0)
-+ goto out_unlock;
-+ ns->flags &= ~USERNS_SETGROUPS_ALLOWED;
-+ }
-+ mutex_unlock(&userns_state_mutex);
-+
-+ /* Report a successful write */
-+ *ppos = count;
-+ ret = count;
-+out:
-+ return ret;
-+out_unlock:
-+ mutex_unlock(&userns_state_mutex);
-+ goto out;
-+}
-+
-+bool userns_may_setgroups(const struct user_namespace *ns)
-+{
-+ bool allowed;
-+
-+ mutex_lock(&userns_state_mutex);
-+ /* It is not safe to use setgroups until a gid mapping in
-+ * the user namespace has been established.
-+ */
-+ allowed = ns->gid_map.nr_extents != 0;
-+ /* Is setgroups allowed? */
-+ allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED);
-+ mutex_unlock(&userns_state_mutex);
-+
-+ return allowed;
-+}
-+
- static void *userns_get(struct task_struct *task)
- {
- struct user_namespace *user_ns;
-diff --git a/net/mac80211/key.c b/net/mac80211/key.c
-index 6ff65a1..d78b37a 100644
---- a/net/mac80211/key.c
-+++ b/net/mac80211/key.c
-@@ -652,7 +652,7 @@ void ieee80211_free_sta_keys(struct ieee80211_local *local,
- int i;
-
- mutex_lock(&local->key_mtx);
-- for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
-+ for (i = 0; i < ARRAY_SIZE(sta->gtk); i++) {
- key = key_mtx_dereference(local, sta->gtk[i]);
- if (!key)
- continue;
-diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
-index 095c160..1e4dc4e 100644
---- a/net/mac80211/rx.c
-+++ b/net/mac80211/rx.c
-@@ -1679,14 +1679,14 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
- sc = le16_to_cpu(hdr->seq_ctrl);
- frag = sc & IEEE80211_SCTL_FRAG;
-
-- if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
-- goto out;
--
- if (is_multicast_ether_addr(hdr->addr1)) {
- rx->local->dot11MulticastReceivedFrameCount++;
-- goto out;
-+ goto out_no_led;
- }
-
-+ if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
-+ goto out;
-+
- I802_DEBUG_INC(rx->local->rx_handlers_fragments);
-
- if (skb_linearize(rx->skb))
-@@ -1777,9 +1777,10 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
- status->rx_flags |= IEEE80211_RX_FRAGMENTED;
-
- out:
-+ ieee80211_led_rx(rx->local);
-+ out_no_led:
- if (rx->sta)
- rx->sta->rx_packets++;
-- ieee80211_led_rx(rx->local);
- return RX_CONTINUE;
- }
-
-diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
-index 9e1e005..c4c8df4 100644
---- a/security/keys/encrypted-keys/encrypted.c
-+++ b/security/keys/encrypted-keys/encrypted.c
-@@ -1018,10 +1018,13 @@ static int __init init_encrypted(void)
- ret = encrypted_shash_alloc();
- if (ret < 0)
- return ret;
-+ ret = aes_get_sizes();
-+ if (ret < 0)
-+ goto out;
- ret = register_key_type(&key_type_encrypted);
- if (ret < 0)
- goto out;
-- return aes_get_sizes();
-+ return 0;
- out:
- encrypted_shash_release();
- return ret;
-diff --git a/tools/testing/selftests/mount/unprivileged-remount-test.c b/tools/testing/selftests/mount/unprivileged-remount-test.c
-index 1b3ff2f..5177850 100644
---- a/tools/testing/selftests/mount/unprivileged-remount-test.c
-+++ b/tools/testing/selftests/mount/unprivileged-remount-test.c
-@@ -6,6 +6,8 @@
- #include <sys/types.h>
- #include <sys/mount.h>
- #include <sys/wait.h>
-+#include <sys/vfs.h>
-+#include <sys/statvfs.h>
- #include <stdlib.h>
- #include <unistd.h>
- #include <fcntl.h>
-@@ -32,11 +34,14 @@
- # define CLONE_NEWPID 0x20000000
- #endif
-
-+#ifndef MS_REC
-+# define MS_REC 16384
-+#endif
- #ifndef MS_RELATIME
--#define MS_RELATIME (1 << 21)
-+# define MS_RELATIME (1 << 21)
- #endif
- #ifndef MS_STRICTATIME
--#define MS_STRICTATIME (1 << 24)
-+# define MS_STRICTATIME (1 << 24)
- #endif
-
- static void die(char *fmt, ...)
-@@ -48,17 +53,14 @@ static void die(char *fmt, ...)
- exit(EXIT_FAILURE);
- }
-
--static void write_file(char *filename, char *fmt, ...)
-+static void vmaybe_write_file(bool enoent_ok, char *filename, char *fmt, va_list ap)
- {
- char buf[4096];
- int fd;
- ssize_t written;
- int buf_len;
-- va_list ap;
-
-- va_start(ap, fmt);
- buf_len = vsnprintf(buf, sizeof(buf), fmt, ap);
-- va_end(ap);
- if (buf_len < 0) {
- die("vsnprintf failed: %s\n",
- strerror(errno));
-@@ -69,6 +71,8 @@ static void write_file(char *filename, char *fmt, ...)
-
- fd = open(filename, O_WRONLY);
- if (fd < 0) {
-+ if ((errno == ENOENT) && enoent_ok)
-+ return;
- die("open of %s failed: %s\n",
- filename, strerror(errno));
- }
-@@ -87,6 +91,65 @@ static void write_file(char *filename, char *fmt, ...)
- }
- }
-
-+static void maybe_write_file(char *filename, char *fmt, ...)
-+{
-+ va_list ap;
-+
-+ va_start(ap, fmt);
-+ vmaybe_write_file(true, filename, fmt, ap);
-+ va_end(ap);
-+
-+}
-+
-+static void write_file(char *filename, char *fmt, ...)
-+{
-+ va_list ap;
-+
-+ va_start(ap, fmt);
-+ vmaybe_write_file(false, filename, fmt, ap);
-+ va_end(ap);
-+
-+}
-+
-+static int read_mnt_flags(const char *path)
-+{
-+ int ret;
-+ struct statvfs stat;
-+ int mnt_flags;
-+
-+ ret = statvfs(path, &stat);
-+ if (ret != 0) {
-+ die("statvfs of %s failed: %s\n",
-+ path, strerror(errno));
-+ }
-+ if (stat.f_flag & ~(ST_RDONLY | ST_NOSUID | ST_NODEV | \
-+ ST_NOEXEC | ST_NOATIME | ST_NODIRATIME | ST_RELATIME | \
-+ ST_SYNCHRONOUS | ST_MANDLOCK)) {
-+ die("Unrecognized mount flags\n");
-+ }
-+ mnt_flags = 0;
-+ if (stat.f_flag & ST_RDONLY)
-+ mnt_flags |= MS_RDONLY;
-+ if (stat.f_flag & ST_NOSUID)
-+ mnt_flags |= MS_NOSUID;
-+ if (stat.f_flag & ST_NODEV)
-+ mnt_flags |= MS_NODEV;
-+ if (stat.f_flag & ST_NOEXEC)
-+ mnt_flags |= MS_NOEXEC;
-+ if (stat.f_flag & ST_NOATIME)
-+ mnt_flags |= MS_NOATIME;
-+ if (stat.f_flag & ST_NODIRATIME)
-+ mnt_flags |= MS_NODIRATIME;
-+ if (stat.f_flag & ST_RELATIME)
-+ mnt_flags |= MS_RELATIME;
-+ if (stat.f_flag & ST_SYNCHRONOUS)
-+ mnt_flags |= MS_SYNCHRONOUS;
-+ if (stat.f_flag & ST_MANDLOCK)
-+ mnt_flags |= ST_MANDLOCK;
-+
-+ return mnt_flags;
-+}
-+
- static void create_and_enter_userns(void)
- {
- uid_t uid;
-@@ -100,13 +163,10 @@ static void create_and_enter_userns(void)
- strerror(errno));
- }
-
-+ maybe_write_file("/proc/self/setgroups", "deny");
- write_file("/proc/self/uid_map", "0 %d 1", uid);
- write_file("/proc/self/gid_map", "0 %d 1", gid);
-
-- if (setgroups(0, NULL) != 0) {
-- die("setgroups failed: %s\n",
-- strerror(errno));
-- }
- if (setgid(0) != 0) {
- die ("setgid(0) failed %s\n",
- strerror(errno));
-@@ -118,7 +178,8 @@ static void create_and_enter_userns(void)
- }
-
- static
--bool test_unpriv_remount(int mount_flags, int remount_flags, int invalid_flags)
-+bool test_unpriv_remount(const char *fstype, const char *mount_options,
-+ int mount_flags, int remount_flags, int invalid_flags)
- {
- pid_t child;
-
-@@ -151,9 +212,11 @@ bool test_unpriv_remount(int mount_flags, int remount_flags, int invalid_flags)
- strerror(errno));
- }
-
-- if (mount("testing", "/tmp", "ramfs", mount_flags, NULL) != 0) {
-- die("mount of /tmp failed: %s\n",
-- strerror(errno));
-+ if (mount("testing", "/tmp", fstype, mount_flags, mount_options) != 0) {
-+ die("mount of %s with options '%s' on /tmp failed: %s\n",
-+ fstype,
-+ mount_options? mount_options : "",
-+ strerror(errno));
- }
-
- create_and_enter_userns();
-@@ -181,62 +244,127 @@ bool test_unpriv_remount(int mount_flags, int remount_flags, int invalid_flags)
-
- static bool test_unpriv_remount_simple(int mount_flags)
- {
-- return test_unpriv_remount(mount_flags, mount_flags, 0);
-+ return test_unpriv_remount("ramfs", NULL, mount_flags, mount_flags, 0);
- }
-
- static bool test_unpriv_remount_atime(int mount_flags, int invalid_flags)
- {
-- return test_unpriv_remount(mount_flags, mount_flags, invalid_flags);
-+ return test_unpriv_remount("ramfs", NULL, mount_flags, mount_flags,
-+ invalid_flags);
-+}
-+
-+static bool test_priv_mount_unpriv_remount(void)
-+{
-+ pid_t child;
-+ int ret;
-+ const char *orig_path = "/dev";
-+ const char *dest_path = "/tmp";
-+ int orig_mnt_flags, remount_mnt_flags;
-+
-+ child = fork();
-+ if (child == -1) {
-+ die("fork failed: %s\n",
-+ strerror(errno));
-+ }
-+ if (child != 0) { /* parent */
-+ pid_t pid;
-+ int status;
-+ pid = waitpid(child, &status, 0);
-+ if (pid == -1) {
-+ die("waitpid failed: %s\n",
-+ strerror(errno));
-+ }
-+ if (pid != child) {
-+ die("waited for %d got %d\n",
-+ child, pid);
-+ }
-+ if (!WIFEXITED(status)) {
-+ die("child did not terminate cleanly\n");
-+ }
-+ return WEXITSTATUS(status) == EXIT_SUCCESS ? true : false;
-+ }
-+
-+ orig_mnt_flags = read_mnt_flags(orig_path);
-+
-+ create_and_enter_userns();
-+ ret = unshare(CLONE_NEWNS);
-+ if (ret != 0) {
-+ die("unshare(CLONE_NEWNS) failed: %s\n",
-+ strerror(errno));
-+ }
-+
-+ ret = mount(orig_path, dest_path, "bind", MS_BIND | MS_REC, NULL);
-+ if (ret != 0) {
-+ die("recursive bind mount of %s onto %s failed: %s\n",
-+ orig_path, dest_path, strerror(errno));
-+ }
-+
-+ ret = mount(dest_path, dest_path, "none",
-+ MS_REMOUNT | MS_BIND | orig_mnt_flags , NULL);
-+ if (ret != 0) {
-+ /* system("cat /proc/self/mounts"); */
-+ die("remount of /tmp failed: %s\n",
-+ strerror(errno));
-+ }
-+
-+ remount_mnt_flags = read_mnt_flags(dest_path);
-+ if (orig_mnt_flags != remount_mnt_flags) {
-+ die("Mount flags unexpectedly changed during remount of %s originally mounted on %s\n",
-+ dest_path, orig_path);
-+ }
-+ exit(EXIT_SUCCESS);
- }
-
- int main(int argc, char **argv)
- {
-- if (!test_unpriv_remount_simple(MS_RDONLY|MS_NODEV)) {
-+ if (!test_unpriv_remount_simple(MS_RDONLY)) {
- die("MS_RDONLY malfunctions\n");
- }
-- if (!test_unpriv_remount_simple(MS_NODEV)) {
-+ if (!test_unpriv_remount("devpts", "newinstance", MS_NODEV, MS_NODEV, 0)) {
- die("MS_NODEV malfunctions\n");
- }
-- if (!test_unpriv_remount_simple(MS_NOSUID|MS_NODEV)) {
-+ if (!test_unpriv_remount_simple(MS_NOSUID)) {
- die("MS_NOSUID malfunctions\n");
- }
-- if (!test_unpriv_remount_simple(MS_NOEXEC|MS_NODEV)) {
-+ if (!test_unpriv_remount_simple(MS_NOEXEC)) {
- die("MS_NOEXEC malfunctions\n");
- }
-- if (!test_unpriv_remount_atime(MS_RELATIME|MS_NODEV,
-- MS_NOATIME|MS_NODEV))
-+ if (!test_unpriv_remount_atime(MS_RELATIME,
-+ MS_NOATIME))
- {
- die("MS_RELATIME malfunctions\n");
- }
-- if (!test_unpriv_remount_atime(MS_STRICTATIME|MS_NODEV,
-- MS_NOATIME|MS_NODEV))
-+ if (!test_unpriv_remount_atime(MS_STRICTATIME,
-+ MS_NOATIME))
- {
- die("MS_STRICTATIME malfunctions\n");
- }
-- if (!test_unpriv_remount_atime(MS_NOATIME|MS_NODEV,
-- MS_STRICTATIME|MS_NODEV))
-+ if (!test_unpriv_remount_atime(MS_NOATIME,
-+ MS_STRICTATIME))
- {
-- die("MS_RELATIME malfunctions\n");
-+ die("MS_NOATIME malfunctions\n");
- }
-- if (!test_unpriv_remount_atime(MS_RELATIME|MS_NODIRATIME|MS_NODEV,
-- MS_NOATIME|MS_NODEV))
-+ if (!test_unpriv_remount_atime(MS_RELATIME|MS_NODIRATIME,
-+ MS_NOATIME))
- {
-- die("MS_RELATIME malfunctions\n");
-+ die("MS_RELATIME|MS_NODIRATIME malfunctions\n");
- }
-- if (!test_unpriv_remount_atime(MS_STRICTATIME|MS_NODIRATIME|MS_NODEV,
-- MS_NOATIME|MS_NODEV))
-+ if (!test_unpriv_remount_atime(MS_STRICTATIME|MS_NODIRATIME,
-+ MS_NOATIME))
- {
-- die("MS_RELATIME malfunctions\n");
-+ die("MS_STRICTATIME|MS_NODIRATIME malfunctions\n");
- }
-- if (!test_unpriv_remount_atime(MS_NOATIME|MS_NODIRATIME|MS_NODEV,
-- MS_STRICTATIME|MS_NODEV))
-+ if (!test_unpriv_remount_atime(MS_NOATIME|MS_NODIRATIME,
-+ MS_STRICTATIME))
- {
-- die("MS_RELATIME malfunctions\n");
-+ die("MS_NOATIME|MS_DIRATIME malfunctions\n");
- }
-- if (!test_unpriv_remount(MS_STRICTATIME|MS_NODEV, MS_NODEV,
-- MS_NOATIME|MS_NODEV))
-+ if (!test_unpriv_remount("ramfs", NULL, MS_STRICTATIME, 0, MS_NOATIME))
- {
- die("Default atime malfunctions\n");
- }
-+ if (!test_priv_mount_unpriv_remount()) {
-+ die("Mount flags unexpectedly changed after remount\n");
-+ }
- return EXIT_SUCCESS;
- }
diff --git a/3.14.28/0000_README b/3.14.29/0000_README
index ae1226b..77bdae3 100644
--- a/3.14.28/0000_README
+++ b/3.14.29/0000_README
@@ -2,11 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 1027_linux-3.14.28.patch
-From: http://www.kernel.org
-Desc: Linux 3.14.28
-
-Patch: 4420_grsecurity-3.0-3.14.28-201501142323.patch
+Patch: 4420_grsecurity-3.0-3.14.29-201501211943.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.14.28/4420_grsecurity-3.0-3.14.28-201501142323.patch b/3.14.29/4420_grsecurity-3.0-3.14.29-201501211943.patch
index 7a014f0..5df869a 100644
--- a/3.14.28/4420_grsecurity-3.0-3.14.28-201501142323.patch
+++ b/3.14.29/4420_grsecurity-3.0-3.14.29-201501211943.patch
@@ -292,7 +292,7 @@ index 7116fda..2f71588 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index a2e572b..b0e0734 100644
+index 7aff64e..32dc1aa 100644
--- a/Makefile
+++ b/Makefile
@@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -3047,7 +3047,7 @@ index 0dd3b79..b67388e 100644
if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
trace_sys_enter(regs, scno);
diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c
-index 1e8b030..37c3022 100644
+index aab70f6..bd2751b 100644
--- a/arch/arm/kernel/setup.c
+++ b/arch/arm/kernel/setup.c
@@ -100,21 +100,23 @@ EXPORT_SYMBOL(system_serial_high);
@@ -3153,7 +3153,7 @@ index 04d6388..5115238 100644
- return page;
-}
diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
-index b7b4c86..47c4f77 100644
+index 8cd3724..ea86e94 100644
--- a/arch/arm/kernel/smp.c
+++ b/arch/arm/kernel/smp.c
@@ -73,7 +73,7 @@ enum ipi_msg_type {
@@ -21766,10 +21766,10 @@ index 95700e5..19779f8 100644
.attrs = NULL, /* patched at runtime */
};
diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.c b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
-index 047f540..afdeba0 100644
+index 2f98588..aa6f3c4 100644
--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
-@@ -3326,7 +3326,7 @@ static void __init uncore_types_exit(struct intel_uncore_type **types)
+@@ -3342,7 +3342,7 @@ static void __init uncore_types_exit(struct intel_uncore_type **types)
static int __init uncore_type_init(struct intel_uncore_type *type)
{
struct intel_uncore_pmu *pmus;
@@ -35954,7 +35954,7 @@ index d6bfb87..876ee18 100644
return NULL;
}
diff --git a/arch/x86/vdso/vma.c b/arch/x86/vdso/vma.c
-index 431e875..cbb23f3 100644
+index ab6ba35..7ede14e 100644
--- a/arch/x86/vdso/vma.c
+++ b/arch/x86/vdso/vma.c
@@ -16,8 +16,6 @@
@@ -35966,15 +35966,20 @@ index 431e875..cbb23f3 100644
extern char vdso_start[], vdso_end[];
extern unsigned short vdso_sync_cpuid;
-@@ -141,7 +139,6 @@ static unsigned long vdso_addr(unsigned long start, unsigned len)
- * unaligned here as a result of stack start randomization.
- */
- addr = PAGE_ALIGN(addr);
-- addr = align_vdso_addr(addr);
+@@ -152,12 +150,6 @@ static unsigned long vdso_addr(unsigned long start, unsigned len)
+ addr = start;
+ }
+- /*
+- * Forcibly align the final address in case we have a hardware
+- * issue that requires alignment for performance reasons.
+- */
+- addr = align_vdso_addr(addr);
+-
return addr;
}
-@@ -154,30 +151,31 @@ static int setup_additional_pages(struct linux_binprm *bprm,
+
+@@ -169,30 +161,37 @@ static int setup_additional_pages(struct linux_binprm *bprm,
unsigned size)
{
struct mm_struct *mm = current->mm;
@@ -35992,7 +35997,13 @@ index 431e875..cbb23f3 100644
+#endif
+
addr = vdso_addr(mm->start_stack, size);
++
++ /*
++ * Forcibly align the final address in case we have a hardware
++ * issue that requires alignment for performance reasons.
++ */
+ addr = align_vdso_addr(addr);
++
addr = get_unmapped_area(NULL, addr, size, 0, 0);
if (IS_ERR_VALUE(addr)) {
ret = addr;
@@ -36015,7 +36026,7 @@ index 431e875..cbb23f3 100644
up_fail:
up_write(&mm->mmap_sem);
-@@ -197,10 +195,3 @@ int x32_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
+@@ -212,10 +211,3 @@ int x32_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
vdsox32_size);
}
#endif
@@ -36039,7 +36050,7 @@ index 01b9026..1e476df 100644
This is the Linux Xen port. Enabling this will allow the
kernel to boot in a paravirtualized environment under the
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index 201d09a..e4723e5 100644
+index 201d09a..be93768 100644
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -123,8 +123,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
@@ -36127,7 +36138,19 @@ index 201d09a..e4723e5 100644
{
if (pm_power_off)
pm_power_off();
-@@ -1564,7 +1560,17 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1455,8 +1451,9 @@ static void __ref xen_setup_gdt(int cpu)
+ pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry_boot;
+ pv_cpu_ops.load_gdt = xen_load_gdt_boot;
+
+- setup_stack_canary_segment(0);
+- switch_to_new_gdt(0);
++ setup_stack_canary_segment(cpu);
++ load_percpu_segment(cpu);
++ switch_to_new_gdt(cpu);
+
+ pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry;
+ pv_cpu_ops.load_gdt = xen_load_gdt;
+@@ -1564,7 +1561,17 @@ asmlinkage void __init xen_start_kernel(void)
__userpte_alloc_gfp &= ~__GFP_HIGHMEM;
/* Work out if we support NX */
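Review bot: The added `load_percpu_segment(cpu);` in xen_setup_gdt() sits directly before `switch_to_new_gdt(cpu);` with no comment saying why both calls are needed or why the order matters. The body of switch_to_new_gdt() is not visible here, so it is unclear whether the new call repeats work that function already does. A one-line comment above it would settle this, for example `/* per-cpu segment must be valid before the boot GDT is switched */`, if that is the intent. The change from the hard-coded `0` to `cpu` in the two neighbouring calls is consistent with the function's `int cpu` parameter.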
@@ -36146,7 +36169,7 @@ index 201d09a..e4723e5 100644
/* Get mfn list */
xen_build_dynamic_phys_to_machine();
-@@ -1592,13 +1598,6 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1592,13 +1599,6 @@ asmlinkage void __init xen_start_kernel(void)
machine_ops = xen_machine_ops;
@@ -36558,7 +36581,7 @@ index a0926a6..b2b14b2 100644
err = -EFAULT;
goto out;
diff --git a/block/genhd.c b/block/genhd.c
-index e6723bd..703e4ac 100644
+index a8d586a..d9910b1 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -469,21 +469,24 @@ static char *bdevt_str(dev_t devt, char *buf)
@@ -38091,10 +38114,10 @@ index 969c3c2..9b72956 100644
}
diff --git a/drivers/base/bus.c b/drivers/base/bus.c
-index 59dc808..f10c74e 100644
+index 45d0fa7..89244c9 100644
--- a/drivers/base/bus.c
+++ b/drivers/base/bus.c
-@@ -1124,7 +1124,7 @@ int subsys_interface_register(struct subsys_interface *sif)
+@@ -1126,7 +1126,7 @@ int subsys_interface_register(struct subsys_interface *sif)
return -EINVAL;
mutex_lock(&subsys->p->mutex);
@@ -38103,7 +38126,7 @@ index 59dc808..f10c74e 100644
if (sif->add_dev) {
subsys_dev_iter_init(&iter, subsys, NULL, NULL);
while ((dev = subsys_dev_iter_next(&iter)))
-@@ -1149,7 +1149,7 @@ void subsys_interface_unregister(struct subsys_interface *sif)
+@@ -1151,7 +1151,7 @@ void subsys_interface_unregister(struct subsys_interface *sif)
subsys = sif->subsys;
mutex_lock(&subsys->p->mutex);
@@ -42491,10 +42514,10 @@ index 37ac7b5..d52a5c9 100644
/* copy over all the bus versions */
if (dev->bus && dev->bus->pm) {
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index 7cd42ea..a367c48 100644
+index d92c7d9..ba3e5c0 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
-@@ -2432,7 +2432,7 @@ EXPORT_SYMBOL_GPL(hid_ignore);
+@@ -2433,7 +2433,7 @@ EXPORT_SYMBOL_GPL(hid_ignore);
int hid_add_device(struct hid_device *hdev)
{
@@ -42503,7 +42526,7 @@ index 7cd42ea..a367c48 100644
int ret;
if (WARN_ON(hdev->status & HID_STAT_ADDED))
-@@ -2466,7 +2466,7 @@ int hid_add_device(struct hid_device *hdev)
+@@ -2467,7 +2467,7 @@ int hid_add_device(struct hid_device *hdev)
/* XXX hack, any other cleaner solution after the driver core
* is converted to allow more than 20 bytes as the device name? */
dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
@@ -43933,7 +43956,7 @@ index 1946101..09766d2 100644
#include "qib_common.h"
#include "qib_verbs.h"
diff --git a/drivers/input/evdev.c b/drivers/input/evdev.c
-index ce953d8..da10215 100644
+index ce953d8..1469995 100644
--- a/drivers/input/evdev.c
+++ b/drivers/input/evdev.c
@@ -422,7 +422,7 @@ static int evdev_open(struct inode *inode, struct file *file)
@@ -43945,6 +43968,43 @@ index ce953d8..da10215 100644
return error;
}
+@@ -757,20 +757,23 @@ static int evdev_handle_set_keycode_v2(struct input_dev *dev, void __user *p)
+ */
+ static int evdev_handle_get_val(struct evdev_client *client,
+ struct input_dev *dev, unsigned int type,
+- unsigned long *bits, unsigned int max,
+- unsigned int size, void __user *p, int compat)
++ unsigned long *bits, unsigned int maxbit,
++ unsigned int maxlen, void __user *p,
++ int compat)
+ {
+ int ret;
+ unsigned long *mem;
++ size_t len;
+
+- mem = kmalloc(sizeof(unsigned long) * max, GFP_KERNEL);
++ len = BITS_TO_LONGS(maxbit) * sizeof(unsigned long);
++ mem = kmalloc(len, GFP_KERNEL);
+ if (!mem)
+ return -ENOMEM;
+
+ spin_lock_irq(&dev->event_lock);
+ spin_lock(&client->buffer_lock);
+
+- memcpy(mem, bits, sizeof(unsigned long) * max);
++ memcpy(mem, bits, len);
+
+ spin_unlock(&dev->event_lock);
+
+@@ -778,7 +781,7 @@ static int evdev_handle_get_val(struct evdev_client *client,
+
+ spin_unlock_irq(&client->buffer_lock);
+
+- ret = bits_to_user(mem, max, size, p, compat);
++ ret = bits_to_user(mem, maxbit, maxlen, p, compat);
+ if (ret < 0)
+ evdev_queue_syn_dropped(client);
+
diff --git a/drivers/input/gameport/gameport.c b/drivers/input/gameport/gameport.c
index 24c41ba..102d71f 100644
--- a/drivers/input/gameport/gameport.c
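Review bot: evdev_handle_get_val() renames `max`/`size` to `maxbit`/`maxlen` but still does not state their units, and that ambiguity is what let the removed `kmalloc(sizeof(unsigned long) * max, ...)` and the matching `memcpy` treat a bit count as a count of longs. The new `len = BITS_TO_LONGS(maxbit) * sizeof(unsigned long);` bounds both the allocation and the copy from `bits`. I would add a comment such as `/* maxbit: number of valid bits in @bits; maxlen: caller-supplied limit passed on to bits_to_user() */` above the declaration. The callers are outside this hunk, so it is worth confirming that each one passes a bit count that matches the size of the bitmap it hands in.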
@@ -47918,6 +47978,42 @@ index dff0977..6df4b1d 100644
adapter->vfinfo[vf].spoofchk_enabled = setting;
regval = IXGBE_READ_REG(hw, IXGBE_PFVFSPOOF(vf_target_reg));
+diff --git a/drivers/net/ethernet/neterion/s2io.c b/drivers/net/ethernet/neterion/s2io.c
+index 9eeddbd..6d9e10d 100644
+--- a/drivers/net/ethernet/neterion/s2io.c
++++ b/drivers/net/ethernet/neterion/s2io.c
+@@ -6992,7 +6992,9 @@ static int s2io_add_isr(struct s2io_nic *sp)
+ if (sp->s2io_entries[i].in_use == MSIX_FLG) {
+ if (sp->s2io_entries[i].type ==
+ MSIX_RING_TYPE) {
+- sprintf(sp->desc[i], "%s:MSI-X-%d-RX",
++ snprintf(sp->desc[i],
++ sizeof(sp->desc[i]),
++ "%s:MSI-X-%d-RX",
+ dev->name, i);
+ err = request_irq(sp->entries[i].vector,
+ s2io_msix_ring_handle,
+@@ -7001,7 +7003,9 @@ static int s2io_add_isr(struct s2io_nic *sp)
+ sp->s2io_entries[i].arg);
+ } else if (sp->s2io_entries[i].type ==
+ MSIX_ALARM_TYPE) {
+- sprintf(sp->desc[i], "%s:MSI-X-%d-TX",
++ snprintf(sp->desc[i],
++ sizeof(sp->desc[i]),
++ "%s:MSI-X-%d-TX",
+ dev->name, i);
+ err = request_irq(sp->entries[i].vector,
+ s2io_msix_fifo_handle,
+@@ -8159,7 +8163,8 @@ s2io_init_nic(struct pci_dev *pdev, const struct pci_device_id *pre)
+ "%s: UDP Fragmentation Offload(UFO) enabled\n",
+ dev->name);
+ /* Initialize device name */
+- sprintf(sp->name, "%s Neterion %s", dev->name, sp->product_name);
++ snprintf(sp->name, sizeof(sp->name), "%s Neterion %s", dev->name,
++ sp->product_name);
+
+ if (vlan_tag_strip)
+ sp->vlan_strip_flag = 1;
diff --git a/drivers/net/ethernet/neterion/vxge/vxge-config.c b/drivers/net/ethernet/neterion/vxge/vxge-config.c
index 089b713..28d87ae 100644
--- a/drivers/net/ethernet/neterion/vxge/vxge-config.c
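Review bot: The three `snprintf()` conversions in s2io_add_isr() and s2io_init_nic() discard the return value, so a name that does not fit is truncated silently. For `sp->desc[i]`, two truncated names could end up identical, and these look like the labels handed to `request_irq()`. Also, `sizeof(sp->desc[i])` is the buffer size only if `desc` is declared as an array of char arrays; with an array of pointers it would be the pointer size. The declaration is outside the hunk and should be checked. If truncation matters here, compare the result against the size, for example `if (snprintf(sp->name, sizeof(sp->name), ...) >= sizeof(sp->name))`, and log it.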
@@ -48928,7 +49024,7 @@ index 729ffbf..49f50e3 100644
static u16 ar9003_calc_ptr_chksum(struct ar9003_txc *ads)
diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h
-index 0acd4b5..0591c91 100644
+index 32ae0a4..90fdaf5 100644
--- a/drivers/net/wireless/ath/ath9k/hw.h
+++ b/drivers/net/wireless/ath/ath9k/hw.h
@@ -629,7 +629,7 @@ struct ath_hw_private_ops {
@@ -49736,7 +49832,7 @@ index e1e7026..d28dd33 100644
#define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
-index 34dff3a..70a5646 100644
+index 5b428db..553e4e3 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -175,7 +175,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
@@ -52932,7 +53028,7 @@ index 2ebe47b..3205833 100644
dlci->modem_rx = 0;
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
-index 28ac3f3..9019b3b 100644
+index d46b4cc..c470f00 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -115,7 +115,7 @@ struct n_tty_data {
@@ -52944,7 +53040,7 @@ index 28ac3f3..9019b3b 100644
size_t line_start;
/* protected by output lock */
-@@ -2520,6 +2520,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
+@@ -2521,6 +2521,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
{
*ops = tty_ldisc_N_TTY;
ops->owner = NULL;
@@ -53160,7 +53256,7 @@ index c0f2b3e..7e3f80c 100644
if (unlikely(pdev->id < 0 || pdev->id >= UART_NR))
return -ENXIO;
diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
-index 9cd706d..6ff2de7 100644
+index 7d3a3f5..0ac875e 100644
--- a/drivers/tty/serial/samsung.c
+++ b/drivers/tty/serial/samsung.c
@@ -463,11 +463,16 @@ static void s3c24xx_serial_shutdown(struct uart_port *port)
@@ -53180,7 +53276,7 @@ index 9cd706d..6ff2de7 100644
dbg("s3c24xx_serial_startup: port=%p (%08lx,%p)\n",
port->mapbase, port->membase);
-@@ -1141,10 +1146,6 @@ static int s3c24xx_serial_init_port(struct s3c24xx_uart_port *ourport,
+@@ -1145,10 +1150,6 @@ static int s3c24xx_serial_init_port(struct s3c24xx_uart_port *ourport,
/* setup info for port */
port->dev = &platdev->dev;
@@ -59304,7 +59400,7 @@ index cbd3a7d6f..c6a2881 100644
WARN_ON(trans->transid != btrfs_header_generation(parent));
diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
-index 451b00c..a2cccee 100644
+index 12e3556..eea9bcf 100644
--- a/fs/btrfs/delayed-inode.c
+++ b/fs/btrfs/delayed-inode.c
@@ -459,7 +459,7 @@ static int __btrfs_add_delayed_deletion_item(struct btrfs_delayed_node *node,
@@ -64706,7 +64802,7 @@ index 86f5d3e..ae2d35a 100644
static struct nfsd4_operation nfsd4_ops[];
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
-index 8657335..cd3e37f 100644
+index dd1afa3..509afd1 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -1542,7 +1542,7 @@ nfsd4_decode_notsupp(struct nfsd4_compoundargs *argp, void *p)
@@ -65022,10 +65118,10 @@ index 0440134..d52c93a 100644
bail:
if (handle)
diff --git a/fs/ocfs2/namei.c b/fs/ocfs2/namei.c
-index feed025f..cee9402 100644
+index b242762..04fc642 100644
--- a/fs/ocfs2/namei.c
+++ b/fs/ocfs2/namei.c
-@@ -158,7 +158,7 @@ bail_add:
+@@ -166,7 +166,7 @@ bail_add:
* NOTE: This dentry already has ->d_op set from
* ocfs2_get_parent() and ocfs2_get_dentry()
*/
@@ -83806,7 +83902,7 @@ index 5bba088..7ad4ae7 100644
static inline int
vma_dup_policy(struct vm_area_struct *src, struct vm_area_struct *dst)
diff --git a/include/linux/mm.h b/include/linux/mm.h
-index d5039da..152c9ea 100644
+index 46b8ab5..6823be2 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -127,6 +127,11 @@ extern unsigned int kobjsize(const void *objp);
@@ -89374,7 +89470,7 @@ index 0b097c8..11dd5c5 100644
#ifdef CONFIG_MODULE_UNLOAD
{
diff --git a/kernel/events/core.c b/kernel/events/core.c
-index 4bbb27a..decf605 100644
+index 69cffb4..54dc2d9 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -159,8 +159,15 @@ static struct srcu_struct pmus_srcu;
@@ -92310,6 +92406,28 @@ index 1f4bcb3..99cf7ab 100644
goto out_put_task_struct;
}
+diff --git a/kernel/range.c b/kernel/range.c
+index 322ea8e..82cfc28 100644
+--- a/kernel/range.c
++++ b/kernel/range.c
+@@ -113,12 +113,12 @@ static int cmp_range(const void *x1, const void *x2)
+ {
+ const struct range *r1 = x1;
+ const struct range *r2 = x2;
+- s64 start1, start2;
+
+- start1 = r1->start;
+- start2 = r2->start;
+-
+- return start1 - start2;
++ if (r1->start < r2->start)
++ return -1;
++ if (r1->start > r2->start)
++ return 1;
++ return 0;
+ }
+
+ int clean_sort_range(struct range *range, int az)
diff --git a/kernel/rcu/srcu.c b/kernel/rcu/srcu.c
index 3318d82..1a5b2d1 100644
--- a/kernel/rcu/srcu.c
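Review bot: cmp_range() should carry a short comment saying why it compares explicitly instead of returning the difference. The removed `return start1 - start2;` narrowed an s64 result to the function's `int` return type, so two starts that differ by more than an int can hold could compare with the wrong sign, and the range array would then be sorted incorrectly. Something like `/* compare explicitly: a 64-bit difference does not fit the int return value */` above the first `if` would keep a later cleanup from reintroducing the subtraction.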
@@ -96360,7 +96478,7 @@ index a98c7fc..393f8f1 100644
}
unset_migratetype_isolate(page, MIGRATE_MOVABLE);
diff --git a/mm/memory.c b/mm/memory.c
-index 48d7365..732f880 100644
+index 924429e..732f880 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -403,6 +403,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
@@ -96799,7 +96917,7 @@ index 48d7365..732f880 100644
- if (prev && prev->vm_end == address)
- return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
-
-- expand_downwards(vma, address - PAGE_SIZE);
+- return expand_downwards(vma, address - PAGE_SIZE);
- }
- if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
- struct vm_area_struct *next = vma->vm_next;
@@ -96808,7 +96926,7 @@ index 48d7365..732f880 100644
- if (next && next->vm_start == address + PAGE_SIZE)
- return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
-
-- expand_upwards(vma, address + PAGE_SIZE);
+- return expand_upwards(vma, address + PAGE_SIZE);
- }
- return 0;
-}
@@ -97245,7 +97363,7 @@ index b1eb536..091d154 100644
capable(CAP_IPC_LOCK))
ret = do_mlockall(flags);
diff --git a/mm/mmap.c b/mm/mmap.c
-index b91ac80..390920e 100644
+index 085bcd8..cb98f9f 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -37,6 +37,7 @@
@@ -97902,15 +98020,17 @@ index b91ac80..390920e 100644
/*
* Verify that the stack growth is acceptable and
* update accounting. This is shared with both the
-@@ -2065,6 +2370,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
- return -ENOMEM;
+@@ -2066,8 +2371,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
/* Stack limit test */
-+ gr_learn_resource(current, RLIMIT_STACK, size, 1);
- if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
+ actual_size = size;
+- if (size && (vma->vm_flags & (VM_GROWSUP | VM_GROWSDOWN)))
+- actual_size -= PAGE_SIZE;
++ gr_learn_resource(current, RLIMIT_STACK, actual_size, 1);
+ if (actual_size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
return -ENOMEM;
-@@ -2075,6 +2381,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -2078,6 +2382,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
locked = mm->locked_vm + grow;
limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
limit >>= PAGE_SHIFT;
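Review bot: In acct_stack_growth(), `actual_size` is now just a copy of `size`, because this side of the patch drops the `actual_size -= PAGE_SIZE` adjustment for VM_GROWSUP/VM_GROWSDOWN areas and only adds `gr_learn_resource(current, RLIMIT_STACK, actual_size, 1);`. The value compared against RLIMIT_STACK is therefore one page larger than with the unpatched code, and nothing in the hunk explains why. That may be deliberate if the patch set handles the stack guard gap elsewhere, but this cannot be seen from here. A comment next to `actual_size = size;` should state the reason, or the variable could be dropped in favour of `size`. The function continues outside the hunk.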
@@ -97918,7 +98038,7 @@ index b91ac80..390920e 100644
if (locked > limit && !capable(CAP_IPC_LOCK))
return -ENOMEM;
}
-@@ -2104,37 +2411,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -2107,37 +2412,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
* PA-RISC uses this for its stack; IA64 for its Register Backing Store.
* vma is the last one with address > vma->vm_end. Have to extend vma.
*/
@@ -97976,7 +98096,7 @@ index b91ac80..390920e 100644
unsigned long size, grow;
size = address - vma->vm_start;
-@@ -2169,6 +2487,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+@@ -2172,6 +2488,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
}
}
}
@@ -97985,7 +98105,7 @@ index b91ac80..390920e 100644
vma_unlock_anon_vma(vma);
khugepaged_enter_vma_merge(vma);
validate_mm(vma->vm_mm);
-@@ -2183,6 +2503,8 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2186,6 +2504,8 @@ int expand_downwards(struct vm_area_struct *vma,
unsigned long address)
{
int error;
@@ -97994,7 +98114,7 @@ index b91ac80..390920e 100644
/*
* We must make sure the anon_vma is allocated
-@@ -2196,6 +2518,15 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2199,6 +2519,15 @@ int expand_downwards(struct vm_area_struct *vma,
if (error)
return error;
@@ -98010,7 +98130,7 @@ index b91ac80..390920e 100644
vma_lock_anon_vma(vma);
/*
-@@ -2205,9 +2536,17 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2208,9 +2537,17 @@ int expand_downwards(struct vm_area_struct *vma,
*/
/* Somebody else might have raced and expanded it already */
@@ -98029,7 +98149,7 @@ index b91ac80..390920e 100644
size = vma->vm_end - address;
grow = (vma->vm_start - address) >> PAGE_SHIFT;
-@@ -2232,13 +2571,27 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2235,13 +2572,27 @@ int expand_downwards(struct vm_area_struct *vma,
vma->vm_pgoff -= grow;
anon_vma_interval_tree_post_update_vma(vma);
vma_gap_update(vma);
@@ -98057,7 +98177,7 @@ index b91ac80..390920e 100644
khugepaged_enter_vma_merge(vma);
validate_mm(vma->vm_mm);
return error;
-@@ -2336,6 +2689,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2339,6 +2690,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
do {
long nrpages = vma_pages(vma);
@@ -98071,7 +98191,7 @@ index b91ac80..390920e 100644
if (vma->vm_flags & VM_ACCOUNT)
nr_accounted += nrpages;
vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
-@@ -2380,6 +2740,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2383,6 +2741,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
insertion_point = (prev ? &prev->vm_next : &mm->mmap);
vma->vm_prev = NULL;
do {
@@ -98088,7 +98208,7 @@ index b91ac80..390920e 100644
vma_rb_erase(vma, &mm->mm_rb);
mm->map_count--;
tail_vma = vma;
-@@ -2407,14 +2777,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2410,14 +2778,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
struct vm_area_struct *new;
int err = -ENOMEM;
@@ -98122,7 +98242,7 @@ index b91ac80..390920e 100644
/* most fields are the same, copy all, and then fixup */
*new = *vma;
-@@ -2427,6 +2816,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2430,6 +2817,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
}
@@ -98145,7 +98265,7 @@ index b91ac80..390920e 100644
err = vma_dup_policy(vma, new);
if (err)
goto out_free_vma;
-@@ -2447,6 +2852,38 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2450,6 +2853,38 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
else
err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
@@ -98184,7 +98304,7 @@ index b91ac80..390920e 100644
/* Success. */
if (!err)
return 0;
-@@ -2456,10 +2893,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2459,10 +2894,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
new->vm_ops->close(new);
if (new->vm_file)
fput(new->vm_file);
@@ -98204,7 +98324,7 @@ index b91ac80..390920e 100644
kmem_cache_free(vm_area_cachep, new);
out_err:
return err;
-@@ -2472,6 +2917,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2475,6 +2918,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
unsigned long addr, int new_below)
{
@@ -98220,7 +98340,7 @@ index b91ac80..390920e 100644
if (mm->map_count >= sysctl_max_map_count)
return -ENOMEM;
-@@ -2483,11 +2937,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2486,11 +2938,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
* work. This now handles partial unmappings.
* Jeremy Fitzhardinge <jeremy@goop.org>
*/
@@ -98251,7 +98371,7 @@ index b91ac80..390920e 100644
if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
return -EINVAL;
-@@ -2562,6 +3035,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
+@@ -2565,6 +3036,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
/* Fix up all other VM information */
remove_vma_list(mm, vma);
@@ -98260,7 +98380,7 @@ index b91ac80..390920e 100644
return 0;
}
-@@ -2570,6 +3045,13 @@ int vm_munmap(unsigned long start, size_t len)
+@@ -2573,6 +3046,13 @@ int vm_munmap(unsigned long start, size_t len)
int ret;
struct mm_struct *mm = current->mm;
@@ -98274,7 +98394,7 @@ index b91ac80..390920e 100644
down_write(&mm->mmap_sem);
ret = do_munmap(mm, start, len);
up_write(&mm->mmap_sem);
-@@ -2583,16 +3065,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
+@@ -2586,16 +3066,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
return vm_munmap(addr, len);
}
@@ -98291,7 +98411,7 @@ index b91ac80..390920e 100644
/*
* this is really a simplified "do_mmap". it only handles
* anonymous maps. eventually we may be able to do some
-@@ -2606,6 +3078,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2609,6 +3079,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
struct rb_node ** rb_link, * rb_parent;
pgoff_t pgoff = addr >> PAGE_SHIFT;
int error;
@@ -98299,7 +98419,7 @@ index b91ac80..390920e 100644
len = PAGE_ALIGN(len);
if (!len)
-@@ -2613,10 +3086,24 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2616,10 +3087,24 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
@@ -98324,7 +98444,7 @@ index b91ac80..390920e 100644
error = mlock_future_check(mm, mm->def_flags, len);
if (error)
return error;
-@@ -2630,21 +3117,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2633,21 +3118,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
/*
* Clear old maps. this also does some error checking for us
*/
@@ -98349,7 +98469,7 @@ index b91ac80..390920e 100644
return -ENOMEM;
/* Can we just expand an old private anonymous mapping? */
-@@ -2658,7 +3144,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2661,7 +3145,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
*/
vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
if (!vma) {
@@ -98358,7 +98478,7 @@ index b91ac80..390920e 100644
return -ENOMEM;
}
-@@ -2672,10 +3158,11 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2675,10 +3159,11 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
vma_link(mm, vma, prev, rb_link, rb_parent);
out:
perf_event_mmap(vma);
@@ -98372,7 +98492,7 @@ index b91ac80..390920e 100644
return addr;
}
-@@ -2737,6 +3224,7 @@ void exit_mmap(struct mm_struct *mm)
+@@ -2740,6 +3225,7 @@ void exit_mmap(struct mm_struct *mm)
while (vma) {
if (vma->vm_flags & VM_ACCOUNT)
nr_accounted += vma_pages(vma);
@@ -98380,7 +98500,7 @@ index b91ac80..390920e 100644
vma = remove_vma(vma);
}
vm_unacct_memory(nr_accounted);
-@@ -2754,6 +3242,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2757,6 +3243,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
struct vm_area_struct *prev;
struct rb_node **rb_link, *rb_parent;
@@ -98394,7 +98514,7 @@ index b91ac80..390920e 100644
/*
* The vm_pgoff of a purely anonymous vma should be irrelevant
* until its first write fault, when page's anon_vma and index
-@@ -2777,7 +3272,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2780,7 +3273,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
security_vm_enough_memory_mm(mm, vma_pages(vma)))
return -ENOMEM;
@@ -98416,7 +98536,7 @@ index b91ac80..390920e 100644
return 0;
}
-@@ -2796,6 +3305,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2799,6 +3306,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
struct rb_node **rb_link, *rb_parent;
bool faulted_in_anon_vma = true;
@@ -98425,7 +98545,7 @@ index b91ac80..390920e 100644
/*
* If anonymous vma has not yet been faulted, update new pgoff
* to match new location, to increase its chance of merging.
-@@ -2860,6 +3371,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2863,6 +3372,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
return NULL;
}
@@ -98465,7 +98585,7 @@ index b91ac80..390920e 100644
/*
* Return true if the calling process may expand its vm space by the passed
* number of pages
-@@ -2871,6 +3415,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
+@@ -2874,6 +3416,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
@@ -98473,7 +98593,7 @@ index b91ac80..390920e 100644
if (cur + npages > lim)
return 0;
return 1;
-@@ -2941,6 +3486,22 @@ int install_special_mapping(struct mm_struct *mm,
+@@ -2944,6 +3487,22 @@ int install_special_mapping(struct mm_struct *mm,
vma->vm_start = addr;
vma->vm_end = addr + len;
@@ -103064,10 +103184,29 @@ index 3d4da2c..40f9c29 100644
ICMP_PROT_UNREACH, 0);
}
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
-index 580dd96..9fcef7e 100644
+index 580dd96..41e9720 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
-@@ -1171,7 +1171,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+@@ -426,15 +426,12 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+
+ memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err));
+ sin = &errhdr.offender;
+- sin->sin_family = AF_UNSPEC;
++ memset(sin, 0, sizeof(*sin));
++
+ if (serr->ee.ee_origin == SO_EE_ORIGIN_ICMP) {
+- struct inet_sock *inet = inet_sk(sk);
+-
+ sin->sin_family = AF_INET;
+ sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
+- sin->sin_port = 0;
+- memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));
+- if (inet->cmsg_flags)
++ if (inet_sk(sk)->cmsg_flags)
+ ip_cmsg_recv(msg, skb);
+ }
+
+@@ -1171,7 +1168,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
len = min_t(unsigned int, len, opt->optlen);
if (put_user(len, optlen))
return -EFAULT;
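Review bot: The new `memset(sin, 0, sizeof(*sin));` in ip_recv_error() deserves a comment explaining that it exists to leave no uninitialised bytes in `errhdr.offender`. On the path where `ee_origin` is not SO_EE_ORIGIN_ICMP, the removed code set only `sin_family = AF_UNSPEC` and left the port, address and padding as whatever was on the stack. That structure is presumably copied to user space as a control message later in the function, which is outside the hunk. I would add `/* clear the whole sockaddr; the non-ICMP path used to set sin_family only */` above the memset. The same applies to the matching `memset(sin, 0, sizeof(*sin));` in ipv6_recv_error() in the net/ipv6/datagram.c hunk that follows.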
@@ -103077,7 +103216,7 @@ index 580dd96..9fcef7e 100644
return -EFAULT;
return 0;
}
-@@ -1302,7 +1303,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+@@ -1302,7 +1300,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
if (sk->sk_type != SOCK_STREAM)
return -ENOPROTOOPT;
@@ -104115,10 +104254,38 @@ index d935889..2f64330 100644
err = ipv6_init_mibs(net);
if (err)
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
-index c3bf2d2..1f00573 100644
+index c3bf2d2..c85df82 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
-@@ -938,5 +938,5 @@ void ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp,
+@@ -382,11 +382,10 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+
+ memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err));
+ sin = &errhdr.offender;
+- sin->sin6_family = AF_UNSPEC;
++ memset(sin, 0, sizeof(*sin));
++
+ if (serr->ee.ee_origin != SO_EE_ORIGIN_LOCAL) {
+ sin->sin6_family = AF_INET6;
+- sin->sin6_flowinfo = 0;
+- sin->sin6_port = 0;
+ if (np->rxopt.all)
+ ip6_datagram_recv_common_ctl(sk, msg, skb);
+ if (skb->protocol == htons(ETH_P_IPV6)) {
+@@ -397,12 +396,9 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+ ipv6_iface_scope_id(&sin->sin6_addr,
+ IP6CB(skb)->iif);
+ } else {
+- struct inet_sock *inet = inet_sk(sk);
+-
+ ipv6_addr_set_v4mapped(ip_hdr(skb)->saddr,
+ &sin->sin6_addr);
+- sin->sin6_scope_id = 0;
+- if (inet->cmsg_flags)
++ if (inet_sk(sk)->cmsg_flags)
+ ip_cmsg_recv(msg, skb);
+ }
+ }
+@@ -938,5 +934,5 @@ void ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp,
0,
sock_i_ino(sp),
atomic_read(&sp->sk_refcnt), sp,
@@ -104529,10 +104696,25 @@ index cc85a9b..526a133 100644
return -ENOMEM;
}
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
-index 7cc1102..7785931 100644
+index 7cc1102..50e95c7 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
-@@ -2973,7 +2973,7 @@ struct ctl_table ipv6_route_table_template[] = {
+@@ -1160,12 +1160,9 @@ static void ip6_rt_update_pmtu(struct dst_entry *dst, struct sock *sk,
+ struct net *net = dev_net(dst->dev);
+
+ rt6->rt6i_flags |= RTF_MODIFIED;
+- if (mtu < IPV6_MIN_MTU) {
+- u32 features = dst_metric(dst, RTAX_FEATURES);
++ if (mtu < IPV6_MIN_MTU)
+ mtu = IPV6_MIN_MTU;
+- features |= RTAX_FEATURE_ALLFRAG;
+- dst_metric_set(dst, RTAX_FEATURES, features);
+- }
++
+ dst_metric_set(dst, RTAX_MTU, mtu);
+ rt6_update_expires(rt6, net->ipv6.sysctl.ip6_rt_mtu_expires);
+ }
+@@ -2973,7 +2970,7 @@ struct ctl_table ipv6_route_table_template[] = {
struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net)
{
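Review bot: The clamp in ip6_rt_update_pmtu() now raises a sub-minimum `mtu` to `IPV6_MIN_MTU` without setting `RTAX_FEATURE_ALLFRAG`, and nothing in the new code records that the flag is left unset on purpose. A one-line comment above the `if` would stop a later cleanup from restoring the old branch, for example `/* clamp to IPV6_MIN_MTU; RTAX_FEATURE_ALLFRAG is deliberately no longer set here */`. Whether other code still reads that feature bit cannot be told from this hunk, so remaining users of the flag are worth checking. The function starts outside the hunk.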
@@ -110510,10 +110692,10 @@ index 4c41c90..37f3631 100644
return snd_seq_device_register_driver(SNDRV_SEQ_DEV_ID_EMU10K1_SYNTH, &ops,
sizeof(struct snd_emu10k1_synth_arg));
diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
-index dafcf82..dd9356f 100644
+index f6e5c4e..7df65ef 100644
--- a/sound/pci/hda/hda_codec.c
+++ b/sound/pci/hda/hda_codec.c
-@@ -983,14 +983,10 @@ find_codec_preset(struct hda_codec *codec)
+@@ -985,14 +985,10 @@ find_codec_preset(struct hda_codec *codec)
mutex_unlock(&preset_mutex);
if (mod_requested < HDA_MODREQ_MAX_COUNT) {
@@ -110530,7 +110712,7 @@ index dafcf82..dd9356f 100644
mod_requested++;
goto again;
}
-@@ -2739,7 +2735,7 @@ static int get_kctl_0dB_offset(struct snd_kcontrol *kctl, int *step_to_check)
+@@ -2741,7 +2737,7 @@ static int get_kctl_0dB_offset(struct snd_kcontrol *kctl, int *step_to_check)
/* FIXME: set_fs() hack for obtaining user-space TLV data */
mm_segment_t fs = get_fs();
set_fs(get_ds());
@@ -118439,10 +118621,10 @@ index 0000000..4378111
+}
diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
new file mode 100644
-index 0000000..19cb000
+index 0000000..dfb7516
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
-@@ -0,0 +1,6035 @@
+@@ -0,0 +1,6038 @@
+intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL
+ocfs2_get_refcount_tree_3 ocfs2_get_refcount_tree 0 3 NULL
+storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL
@@ -119357,6 +119539,7 @@ index 0000000..19cb000
+hidg_alloc_ep_req_10159 hidg_alloc_ep_req 2 10159 NULL
+asd_store_update_bios_10165 asd_store_update_bios 4 10165 NULL
+kstrtol_from_user_10168 kstrtol_from_user 2 10168 NULL
++persistent_ram_vmap_10169 persistent_ram_vmap 2-1 10169 NULL
+proc_pid_attr_read_10173 proc_pid_attr_read 3 10173 NULL
+jffs2_user_setxattr_10182 jffs2_user_setxattr 4 10182 NULL
+xfs_attr_rmtval_copyout_10222 xfs_attr_rmtval_copyout 0 10222 NULL nohasharray
@@ -122103,6 +122286,7 @@ index 0000000..19cb000
+sd_completed_bytes_39705 sd_completed_bytes 0 39705 NULL
+ftrace_pid_write_39710 ftrace_pid_write 3 39710 NULL
+adt7316_spi_multi_read_39765 adt7316_spi_multi_read 3 39765 NULL
++persistent_ram_buffer_map_39776 persistent_ram_buffer_map 1-2 39776 NULL
+security_inode_listsecurity_39812 security_inode_listsecurity 0 39812 NULL
+snd_pcm_oss_writev3_39818 snd_pcm_oss_writev3 3 39818 NULL
+get_priv_size_39828 get_priv_size 0-1 39828 NULL
@@ -124216,6 +124400,7 @@ index 0000000..19cb000
+altera_irscan_62396 altera_irscan 2 62396 NULL
+set_ssp_62411 set_ssp 4 62411 NULL
+udf_expand_file_adinicb_62470 udf_expand_file_adinicb 0 62470 NULL
++persistent_ram_new_62493 persistent_ram_new 1-2 62493 NULL
+ext_rts51x_sd_execute_read_data_62501 ext_rts51x_sd_execute_read_data 9 62501 NULL
+pep_sendmsg_62524 pep_sendmsg 4 62524 NULL
+test_iso_queue_62534 test_iso_queue 5 62534 NULL
diff --git a/3.14.28/4425_grsec_remove_EI_PAX.patch b/3.14.29/4425_grsec_remove_EI_PAX.patch
index 86e242a..86e242a 100644
--- a/3.14.28/4425_grsec_remove_EI_PAX.patch
+++ b/3.14.29/4425_grsec_remove_EI_PAX.patch
diff --git a/3.14.28/4427_force_XATTR_PAX_tmpfs.patch b/3.14.29/4427_force_XATTR_PAX_tmpfs.patch
index aa540ad..aa540ad 100644
--- a/3.14.28/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.14.29/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.14.28/4430_grsec-remove-localversion-grsec.patch b/3.14.29/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.14.28/4430_grsec-remove-localversion-grsec.patch
+++ b/3.14.29/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.14.28/4435_grsec-mute-warnings.patch b/3.14.29/4435_grsec-mute-warnings.patch
index 392cefb..392cefb 100644
--- a/3.14.28/4435_grsec-mute-warnings.patch
+++ b/3.14.29/4435_grsec-mute-warnings.patch
diff --git a/3.14.28/4440_grsec-remove-protected-paths.patch b/3.14.29/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/3.14.28/4440_grsec-remove-protected-paths.patch
+++ b/3.14.29/4440_grsec-remove-protected-paths.patch
diff --git a/3.14.28/4450_grsec-kconfig-default-gids.patch b/3.14.29/4450_grsec-kconfig-default-gids.patch
index 722821b..722821b 100644
--- a/3.14.28/4450_grsec-kconfig-default-gids.patch
+++ b/3.14.29/4450_grsec-kconfig-default-gids.patch
diff --git a/3.14.28/4465_selinux-avc_audit-log-curr_ip.patch b/3.14.29/4465_selinux-avc_audit-log-curr_ip.patch
index f92c155..f92c155 100644
--- a/3.14.28/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.14.29/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.14.28/4470_disable-compat_vdso.patch b/3.14.29/4470_disable-compat_vdso.patch
index cc7c122..cc7c122 100644
--- a/3.14.28/4470_disable-compat_vdso.patch
+++ b/3.14.29/4470_disable-compat_vdso.patch
diff --git a/3.14.28/4475_emutramp_default_on.patch b/3.14.29/4475_emutramp_default_on.patch
index ad4967a..ad4967a 100644
--- a/3.14.28/4475_emutramp_default_on.patch
+++ b/3.14.29/4475_emutramp_default_on.patch
diff --git a/3.18.2/0000_README b/3.18.3/0000_README
index 2c74448..910054e 100644
--- a/3.18.2/0000_README
+++ b/3.18.3/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.18.2-201501142325.patch
+Patch: 4420_grsecurity-3.0-3.18.3-201501211944.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.18.2/4420_grsecurity-3.0-3.18.2-201501142325.patch b/3.18.3/4420_grsecurity-3.0-3.18.3-201501211944.patch
index 462cdbf..93912cb 100644
--- a/3.18.2/4420_grsecurity-3.0-3.18.2-201501142325.patch
+++ b/3.18.3/4420_grsecurity-3.0-3.18.3-201501211944.patch
@@ -370,7 +370,7 @@ index 479f332..2475ac2 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index 8f73b41..320950a 100644
+index 91cfe8d..ccf7329 100644
--- a/Makefile
+++ b/Makefile
@@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -3047,7 +3047,7 @@ index ef9119f..31995a3 100644
#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
if (secure_computing() == -1)
diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c
-index c031063..e277ab8 100644
+index 306e1ac..1b477ed 100644
--- a/arch/arm/kernel/setup.c
+++ b/arch/arm/kernel/setup.c
@@ -104,21 +104,23 @@ EXPORT_SYMBOL(elf_hwcap);
@@ -3153,7 +3153,7 @@ index bd19834..e4d8c66 100644
- return page;
-}
diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
-index 13396d3..589d615 100644
+index a8e32aa..b2f7198 100644
--- a/arch/arm/kernel/smp.c
+++ b/arch/arm/kernel/smp.c
@@ -76,7 +76,7 @@ enum ipi_msg_type {
@@ -8528,10 +8528,10 @@ index 4aad413..85d86bf 100644
#define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
#define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
-index c998279..d13a9f8 100644
+index a68ee15..552d213 100644
--- a/arch/powerpc/include/asm/reg.h
+++ b/arch/powerpc/include/asm/reg.h
-@@ -251,6 +251,7 @@
+@@ -253,6 +253,7 @@
#define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
#define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
#define DSISR_NOHPTE 0x40000000 /* no translation found */
@@ -21776,10 +21776,10 @@ index d64f275..26522ff 100644
.attrs = NULL, /* patched at runtime */
};
diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.c b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
-index 9762dbd..53d5d21 100644
+index e98f68c..1992b15 100644
--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
-@@ -721,7 +721,7 @@ static void __init uncore_types_exit(struct intel_uncore_type **types)
+@@ -737,7 +737,7 @@ static void __init uncore_types_exit(struct intel_uncore_type **types)
static int __init uncore_type_init(struct intel_uncore_type *type)
{
struct intel_uncore_pmu *pmus;
@@ -21789,7 +21789,7 @@ index 9762dbd..53d5d21 100644
int i, j;
diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.h b/arch/x86/kernel/cpu/perf_event_intel_uncore.h
-index 18eb78b..18747cc 100644
+index 863d9b0..6289b63 100644
--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.h
+++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.h
@@ -114,7 +114,7 @@ struct intel_uncore_box {
@@ -28524,7 +28524,7 @@ index e48b674..a451dd9 100644
.read = native_io_apic_read,
.write = native_io_apic_write,
diff --git a/arch/x86/kernel/xsave.c b/arch/x86/kernel/xsave.c
-index 4c540c4..0b985b0 100644
+index 0de1fae..298d037 100644
--- a/arch/x86/kernel/xsave.c
+++ b/arch/x86/kernel/xsave.c
@@ -167,18 +167,18 @@ static inline int save_xstate_epilog(void __user *buf, int ia32_frame)
@@ -28575,7 +28575,7 @@ index 4c540c4..0b985b0 100644
if ((unsigned long)buf % 64 || fx_only) {
u64 init_bv = pcntxt_mask & ~XSTATE_FPSSE;
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
-index 976e3a5..8bb998c 100644
+index 88f9201..0e7f1a3 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -175,15 +175,20 @@ int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu,
@@ -28626,7 +28626,7 @@ index 976e3a5..8bb998c 100644
out:
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index 9f8a2fa..2df3c3f 100644
+index 22e7ed9..e03a378 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -3519,7 +3519,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
@@ -28867,7 +28867,7 @@ index 3e556c6..08bbf7f 100644
vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 0033df3..db6236d 100644
+index 506488c..f8df17e 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -732,6 +732,8 @@ EXPORT_SYMBOL_GPL(kvm_set_cr4);
@@ -28899,7 +28899,7 @@ index 0033df3..db6236d 100644
if (copy_to_user(user_msr_list->indices, &msrs_to_save,
num_msrs_to_save * sizeof(u32)))
goto out;
-@@ -5670,7 +5674,7 @@ static struct notifier_block pvclock_gtod_notifier = {
+@@ -5743,7 +5747,7 @@ static struct notifier_block pvclock_gtod_notifier = {
};
#endif
@@ -35468,7 +35468,7 @@ index e904c27..b9eaa03 100644
#ifdef CONFIG_COMPAT_VDSO
#define VDSO_DEFAULT 0
diff --git a/arch/x86/vdso/vma.c b/arch/x86/vdso/vma.c
-index 970463b..da82d3e 100644
+index 208c220..54f1447 100644
--- a/arch/x86/vdso/vma.c
+++ b/arch/x86/vdso/vma.c
@@ -16,10 +16,9 @@
@@ -35483,7 +35483,7 @@ index 970463b..da82d3e 100644
extern unsigned short vdso_sync_cpuid;
#endif
-@@ -101,6 +100,11 @@ static int map_vdso(const struct vdso_image *image, bool calculate_addr)
+@@ -114,6 +113,11 @@ static int map_vdso(const struct vdso_image *image, bool calculate_addr)
.pages = no_pages,
};
@@ -35495,7 +35495,7 @@ index 970463b..da82d3e 100644
if (calculate_addr) {
addr = vdso_addr(current->mm->start_stack,
image->size - image->sym_vvar_start);
-@@ -111,14 +115,14 @@ static int map_vdso(const struct vdso_image *image, bool calculate_addr)
+@@ -124,14 +128,14 @@ static int map_vdso(const struct vdso_image *image, bool calculate_addr)
down_write(&mm->mmap_sem);
addr = get_unmapped_area(NULL, addr,
@@ -35512,7 +35512,7 @@ index 970463b..da82d3e 100644
/*
* MAYWRITE to allow gdb to COW and set breakpoints
-@@ -163,15 +167,12 @@ static int map_vdso(const struct vdso_image *image, bool calculate_addr)
+@@ -176,15 +180,12 @@ static int map_vdso(const struct vdso_image *image, bool calculate_addr)
hpet_address >> PAGE_SHIFT,
PAGE_SIZE,
pgprot_noncached(PAGE_READONLY));
@@ -35529,7 +35529,7 @@ index 970463b..da82d3e 100644
up_write(&mm->mmap_sem);
return ret;
-@@ -191,8 +192,8 @@ static int load_vdso32(void)
+@@ -204,8 +205,8 @@ static int load_vdso32(void)
if (selected_vdso32->sym_VDSO32_SYSENTER_RETURN)
current_thread_info()->sysenter_return =
@@ -35540,7 +35540,7 @@ index 970463b..da82d3e 100644
return 0;
}
-@@ -201,9 +202,6 @@ static int load_vdso32(void)
+@@ -214,9 +215,6 @@ static int load_vdso32(void)
#ifdef CONFIG_X86_64
int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
{
@@ -35550,7 +35550,7 @@ index 970463b..da82d3e 100644
return map_vdso(&vdso_image_64, true);
}
-@@ -212,12 +210,8 @@ int compat_arch_setup_additional_pages(struct linux_binprm *bprm,
+@@ -225,12 +223,8 @@ int compat_arch_setup_additional_pages(struct linux_binprm *bprm,
int uses_interp)
{
#ifdef CONFIG_X86_X32_ABI
@@ -35564,7 +35564,7 @@ index 970463b..da82d3e 100644
#endif
return load_vdso32();
-@@ -229,12 +223,3 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
+@@ -242,12 +236,3 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
return load_vdso32();
}
#endif
@@ -35590,7 +35590,7 @@ index e88fda8..76ce7ce 100644
This is the Linux Xen port. Enabling this will allow the
kernel to boot in a paravirtualized environment under the
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index fac5e4f..5b5cf4f 100644
+index fac5e4f..e421c18 100644
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -123,8 +123,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
@@ -35678,7 +35678,19 @@ index fac5e4f..5b5cf4f 100644
{
if (pm_power_off)
pm_power_off();
-@@ -1573,7 +1569,17 @@ asmlinkage __visible void __init xen_start_kernel(void)
+@@ -1456,8 +1452,9 @@ static void __ref xen_setup_gdt(int cpu)
+ pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry_boot;
+ pv_cpu_ops.load_gdt = xen_load_gdt_boot;
+
+- setup_stack_canary_segment(0);
+- switch_to_new_gdt(0);
++ setup_stack_canary_segment(cpu);
++ load_percpu_segment(cpu);
++ switch_to_new_gdt(cpu);
+
+ pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry;
+ pv_cpu_ops.load_gdt = xen_load_gdt;
+@@ -1573,7 +1570,17 @@ asmlinkage __visible void __init xen_start_kernel(void)
__userpte_alloc_gfp &= ~__GFP_HIGHMEM;
/* Work out if we support NX */
@@ -35697,7 +35709,7 @@ index fac5e4f..5b5cf4f 100644
/* Get mfn list */
xen_build_dynamic_phys_to_machine();
-@@ -1601,13 +1607,6 @@ asmlinkage __visible void __init xen_start_kernel(void)
+@@ -1601,13 +1608,6 @@ asmlinkage __visible void __init xen_start_kernel(void)
machine_ops = xen_machine_ops;
@@ -36072,7 +36084,7 @@ index f678c73..f35aa18 100644
err = -EFAULT;
goto out;
diff --git a/block/genhd.c b/block/genhd.c
-index bd30606..bbc9b90 100644
+index 0a536dc..b8f7aca 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -469,21 +469,24 @@ static char *bdevt_str(dev_t devt, char *buf)
@@ -36339,7 +36351,7 @@ index c68e724..e863008 100644
/* parse the table header to get the table length */
if (count <= sizeof(struct acpi_table_header))
diff --git a/drivers/acpi/device_pm.c b/drivers/acpi/device_pm.c
-index 7db1931..302dd5f 100644
+index 93b7142..5676c75 100644
--- a/drivers/acpi/device_pm.c
+++ b/drivers/acpi/device_pm.c
@@ -1021,6 +1021,8 @@ EXPORT_SYMBOL_GPL(acpi_subsys_freeze);
@@ -37508,10 +37520,10 @@ index 969c3c2..9b72956 100644
}
diff --git a/drivers/base/bus.c b/drivers/base/bus.c
-index 83e910a..b224a73 100644
+index 876bae5..8978785 100644
--- a/drivers/base/bus.c
+++ b/drivers/base/bus.c
-@@ -1124,7 +1124,7 @@ int subsys_interface_register(struct subsys_interface *sif)
+@@ -1126,7 +1126,7 @@ int subsys_interface_register(struct subsys_interface *sif)
return -EINVAL;
mutex_lock(&subsys->p->mutex);
@@ -37520,7 +37532,7 @@ index 83e910a..b224a73 100644
if (sif->add_dev) {
subsys_dev_iter_init(&iter, subsys, NULL, NULL);
while ((dev = subsys_dev_iter_next(&iter)))
-@@ -1149,7 +1149,7 @@ void subsys_interface_unregister(struct subsys_interface *sif)
+@@ -1151,7 +1151,7 @@ void subsys_interface_unregister(struct subsys_interface *sif)
subsys = sif->subsys;
mutex_lock(&subsys->p->mutex);
@@ -40199,6 +40211,32 @@ index bc3da32..7289357 100644
drm_put_dev(dev);
}
mutex_unlock(&drm_global_mutex);
+diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
+index 0c0c39b..70dd2f4 100644
+--- a/drivers/gpu/drm/drm_fb_helper.c
++++ b/drivers/gpu/drm/drm_fb_helper.c
+@@ -732,7 +732,9 @@ int drm_fb_helper_setcmap(struct fb_cmap *cmap, struct fb_info *info)
+ int i, j, rc = 0;
+ int start;
+
+- drm_modeset_lock_all(dev);
++ if (__drm_modeset_lock_all(dev, !!oops_in_progress)) {
++ return -EBUSY;
++ }
+ if (!drm_fb_helper_is_bound(fb_helper)) {
+ drm_modeset_unlock_all(dev);
+ return -EBUSY;
+@@ -910,7 +912,9 @@ int drm_fb_helper_pan_display(struct fb_var_screeninfo *var,
+ int ret = 0;
+ int i;
+
+- drm_modeset_lock_all(dev);
++ if (__drm_modeset_lock_all(dev, !!oops_in_progress)) {
++ return -EBUSY;
++ }
+ if (!drm_fb_helper_is_bound(fb_helper)) {
+ drm_modeset_unlock_all(dev);
+ return -EBUSY;
diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c
index ed7bc68..0d536af 100644
--- a/drivers/gpu/drm/drm_fops.c
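Review bot: The new early `return -EBUSY;` in drm_fb_helper_setcmap() and drm_fb_helper_pan_display() has no comment saying when `__drm_modeset_lock_all(dev, !!oops_in_progress)` can fail. That helper is defined outside these hunks, so its return contract cannot be checked here. A short comment would help, for example `/* lock may be refused while an oops is in progress; do not block, report busy */`, with the wording confirmed against the helper. The early return correctly skips `drm_modeset_unlock_all(dev)`, unlike the `drm_fb_helper_is_bound()` branch that follows it. As a style point, kernel convention omits braces around a single statement, so `if (__drm_modeset_lock_all(dev, !!oops_in_progress))` followed by a bare `return -EBUSY;` is the expected form. Both functions continue outside the hunks.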
@@ -40672,10 +40710,10 @@ index 462679a..88e32a7 100644
if (nr < DRM_COMMAND_BASE)
diff --git a/drivers/gpu/drm/nouveau/nouveau_ttm.c b/drivers/gpu/drm/nouveau/nouveau_ttm.c
-index 753a6de..dd66b98 100644
+index 3d1cfcb..0542700 100644
--- a/drivers/gpu/drm/nouveau/nouveau_ttm.c
+++ b/drivers/gpu/drm/nouveau/nouveau_ttm.c
-@@ -126,11 +126,11 @@ nouveau_vram_manager_debug(struct ttm_mem_type_manager *man, const char *prefix)
+@@ -127,11 +127,11 @@ nouveau_vram_manager_debug(struct ttm_mem_type_manager *man, const char *prefix)
}
const struct ttm_mem_type_manager_func nouveau_vram_manager = {
@@ -40692,7 +40730,7 @@ index 753a6de..dd66b98 100644
};
static int
-@@ -194,11 +194,11 @@ nouveau_gart_manager_debug(struct ttm_mem_type_manager *man, const char *prefix)
+@@ -195,11 +195,11 @@ nouveau_gart_manager_debug(struct ttm_mem_type_manager *man, const char *prefix)
}
const struct ttm_mem_type_manager_func nouveau_gart_manager = {
@@ -40709,7 +40747,7 @@ index 753a6de..dd66b98 100644
};
/*XXX*/
-@@ -267,11 +267,11 @@ nv04_gart_manager_debug(struct ttm_mem_type_manager *man, const char *prefix)
+@@ -268,11 +268,11 @@ nv04_gart_manager_debug(struct ttm_mem_type_manager *man, const char *prefix)
}
const struct ttm_mem_type_manager_func nv04_gart_manager = {
@@ -41722,10 +41760,10 @@ index 37ac7b5..d52a5c9 100644
/* copy over all the bus versions */
if (dev->bus && dev->bus->pm) {
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index 3402033..50b562c 100644
+index dfaccfc..bfea740 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
-@@ -2506,7 +2506,7 @@ EXPORT_SYMBOL_GPL(hid_ignore);
+@@ -2507,7 +2507,7 @@ EXPORT_SYMBOL_GPL(hid_ignore);
int hid_add_device(struct hid_device *hdev)
{
@@ -41734,7 +41772,7 @@ index 3402033..50b562c 100644
int ret;
if (WARN_ON(hdev->status & HID_STAT_ADDED))
-@@ -2548,7 +2548,7 @@ int hid_add_device(struct hid_device *hdev)
+@@ -2549,7 +2549,7 @@ int hid_add_device(struct hid_device *hdev)
/* XXX hack, any other cleaner solution after the driver core
* is converted to allow more than 20 bytes as the device name? */
dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
@@ -44831,7 +44869,7 @@ index 32e282f..5cec803 100644
rdev_dec_pending(rdev, mddev);
diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
-index 9c66e59..42a8eac 100644
+index c1b0d52..07a0a5d 100644
--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -1730,6 +1730,10 @@ static int grow_one_stripe(struct r5conf *conf, int hash)
@@ -48094,6 +48132,42 @@ index 454d9fe..59f0f0b 100644
netdev_tx_completed_queue(ring->tx_queue, packets, bytes);
+diff --git a/drivers/net/ethernet/neterion/s2io.c b/drivers/net/ethernet/neterion/s2io.c
+index f5e4b82..db0c7a9 100644
+--- a/drivers/net/ethernet/neterion/s2io.c
++++ b/drivers/net/ethernet/neterion/s2io.c
+@@ -6987,7 +6987,9 @@ static int s2io_add_isr(struct s2io_nic *sp)
+ if (sp->s2io_entries[i].in_use == MSIX_FLG) {
+ if (sp->s2io_entries[i].type ==
+ MSIX_RING_TYPE) {
+- sprintf(sp->desc[i], "%s:MSI-X-%d-RX",
++ snprintf(sp->desc[i],
++ sizeof(sp->desc[i]),
++ "%s:MSI-X-%d-RX",
+ dev->name, i);
+ err = request_irq(sp->entries[i].vector,
+ s2io_msix_ring_handle,
+@@ -6996,7 +6998,9 @@ static int s2io_add_isr(struct s2io_nic *sp)
+ sp->s2io_entries[i].arg);
+ } else if (sp->s2io_entries[i].type ==
+ MSIX_ALARM_TYPE) {
+- sprintf(sp->desc[i], "%s:MSI-X-%d-TX",
++ snprintf(sp->desc[i],
++ sizeof(sp->desc[i]),
++ "%s:MSI-X-%d-TX",
+ dev->name, i);
+ err = request_irq(sp->entries[i].vector,
+ s2io_msix_fifo_handle,
+@@ -8154,7 +8158,8 @@ s2io_init_nic(struct pci_dev *pdev, const struct pci_device_id *pre)
+ "%s: UDP Fragmentation Offload(UFO) enabled\n",
+ dev->name);
+ /* Initialize device name */
+- sprintf(sp->name, "%s Neterion %s", dev->name, sp->product_name);
++ snprintf(sp->name, sizeof(sp->name), "%s Neterion %s", dev->name,
++ sp->product_name);
+
+ if (vlan_tag_strip)
+ sp->vlan_strip_flag = 1;
diff --git a/drivers/net/ethernet/neterion/vxge/vxge-config.c b/drivers/net/ethernet/neterion/vxge/vxge-config.c
index 2bbd01f..e8baa64 100644
--- a/drivers/net/ethernet/neterion/vxge/vxge-config.c
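Review bot: The bound `sizeof(sp->desc[i])` in the two snprintf() calls in s2io_add_isr() equals the buffer size only if `desc` is declared as an array of char arrays. The declaration is outside these hunks, and with an array of pointers the bound would be the pointer size, so it should be confirmed against the struct definition. The same applies to `sizeof(sp->name)` in s2io_init_nic(). All three calls ignore the return value, so an over-long `dev->name` or `sp->product_name` is truncated silently. That looks acceptable for descriptive names, but a comment such as `/* informational name only; truncation is acceptable */` would record that it is intentional. Both functions continue outside the hunks.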
@@ -49113,7 +49187,7 @@ index 057b165..98ae88f 100644
static u16 ar9003_calc_ptr_chksum(struct ar9003_txc *ads)
diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h
-index 975074f..e9440da 100644
+index e8e8dd2..030f80e 100644
--- a/drivers/net/wireless/ath/ath9k/hw.h
+++ b/drivers/net/wireless/ath/ath9k/hw.h
@@ -630,7 +630,7 @@ struct ath_hw_private_ops {
@@ -49930,7 +50004,7 @@ index e1e7026..d28dd33 100644
#define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
-index c8ca98c..b1bc005 100644
+index 3010ffc..5e2e133 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -177,7 +177,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
@@ -52929,7 +53003,7 @@ index c434376..114ce13 100644
dlci->modem_rx = 0;
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
-index 2e900a9..576d216 100644
+index 47ca0f3..3c0b803 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -115,7 +115,7 @@ struct n_tty_data {
@@ -52941,7 +53015,7 @@ index 2e900a9..576d216 100644
size_t line_start;
/* protected by output lock */
-@@ -2522,6 +2522,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
+@@ -2523,6 +2523,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
{
*ops = tty_ldisc_N_TTY;
ops->owner = NULL;
@@ -53172,7 +53246,7 @@ index 4b6c783..9a19db3 100644
if (unlikely(pdev->id < 0 || pdev->id >= UART_NR))
return -ENXIO;
diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
-index c78f43a..22b1dab 100644
+index 587d63b..48423a6 100644
--- a/drivers/tty/serial/samsung.c
+++ b/drivers/tty/serial/samsung.c
@@ -478,11 +478,16 @@ static void s3c24xx_serial_shutdown(struct uart_port *port)
@@ -53192,7 +53266,7 @@ index c78f43a..22b1dab 100644
dbg("s3c24xx_serial_startup: port=%p (%08llx,%p)\n",
port, (unsigned long long)port->mapbase, port->membase);
-@@ -1155,10 +1160,6 @@ static int s3c24xx_serial_init_port(struct s3c24xx_uart_port *ourport,
+@@ -1159,10 +1164,6 @@ static int s3c24xx_serial_init_port(struct s3c24xx_uart_port *ourport,
/* setup info for port */
port->dev = &platdev->dev;
@@ -59286,7 +59360,7 @@ index 150822e..75bb326 100644
WARN_ON(trans->transid != btrfs_header_generation(parent));
diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
-index 054577b..9b342cc 100644
+index de4e70f..b41dc45 100644
--- a/fs/btrfs/delayed-inode.c
+++ b/fs/btrfs/delayed-inode.c
@@ -462,7 +462,7 @@ static int __btrfs_add_delayed_deletion_item(struct btrfs_delayed_node *node,
@@ -64551,7 +64625,7 @@ index 0beb023..3f685ec 100644
static struct nfsd4_operation nfsd4_ops[];
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
-index eeea7a9..f3ba422 100644
+index 2a77603..68e0e37 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -1543,7 +1543,7 @@ nfsd4_decode_notsupp(struct nfsd4_compoundargs *argp, void *p)
@@ -67262,7 +67336,7 @@ index 1894d96..1dfd1c2 100644
#define __fs_changed(gen,s) (gen != get_generation (s))
#define fs_changed(gen,s) \
diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c
-index f1376c9..f9378e9 100644
+index b27ef35..d9c6c18 100644
--- a/fs/reiserfs/super.c
+++ b/fs/reiserfs/super.c
@@ -1857,6 +1857,10 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent)
@@ -82836,7 +82910,7 @@ index 3d385c8..deacb6a 100644
static inline int
vma_dup_policy(struct vm_area_struct *src, struct vm_area_struct *dst)
diff --git a/include/linux/mm.h b/include/linux/mm.h
-index b464611..77cbfc1 100644
+index 5ab2da9..5f0b3df 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -128,6 +128,11 @@ extern unsigned int kobjsize(const void *objp);
@@ -86018,10 +86092,10 @@ index 567c681..cd73ac02 100644
struct llc_sap_state {
u8 curr_state;
diff --git a/include/net/mac80211.h b/include/net/mac80211.h
-index 0ad1f47..aaea45b 100644
+index a9de1da..df72057 100644
--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
-@@ -4648,7 +4648,7 @@ struct rate_control_ops {
+@@ -4645,7 +4645,7 @@ struct rate_control_ops {
void (*remove_sta_debugfs)(void *priv, void *priv_sta);
u32 (*get_expected_throughput)(void *priv_sta);
@@ -88335,7 +88409,7 @@ index 379650b..30c5180 100644
#ifdef CONFIG_MODULE_UNLOAD
{
diff --git a/kernel/events/core.c b/kernel/events/core.c
-index 1cd5eef..e8b5af9 100644
+index 2ab0238..bf89262f5 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -170,8 +170,15 @@ static struct srcu_struct pmus_srcu;
@@ -88523,7 +88597,7 @@ index ed8f2cd..fe8030c 100644
pagefault_disable();
result = __copy_from_user_inatomic(&opcode, (void __user*)vaddr,
diff --git a/kernel/exit.c b/kernel/exit.c
-index 5d30019..934add5 100644
+index 2116aac..d95df2a 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -174,6 +174,10 @@ void release_task(struct task_struct *p)
@@ -91099,6 +91173,28 @@ index 54e7522..5b82dd6 100644
goto out_put_task_struct;
}
+diff --git a/kernel/range.c b/kernel/range.c
+index 322ea8e..82cfc28 100644
+--- a/kernel/range.c
++++ b/kernel/range.c
+@@ -113,12 +113,12 @@ static int cmp_range(const void *x1, const void *x2)
+ {
+ const struct range *r1 = x1;
+ const struct range *r2 = x2;
+- s64 start1, start2;
+
+- start1 = r1->start;
+- start2 = r2->start;
+-
+- return start1 - start2;
++ if (r1->start < r2->start)
++ return -1;
++ if (r1->start > r2->start)
++ return 1;
++ return 0;
+ }
+
+ int clean_sort_range(struct range *range, int az)
diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
index 240fa90..5fa56bd 100644
--- a/kernel/rcu/rcutorture.c
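Review bot: The rewritten cmp_range() should carry a comment explaining why it compares explicitly instead of subtracting. The removed `return start1 - start2;` narrowed the difference of two `s64` values to the function's `int` return type, so the result could have the wrong sign for starts that are far apart. Something like `/* compare explicitly: a 64-bit difference truncated to int can have the wrong sign */` above the first `if` would keep a later simplification from reintroducing the subtraction. The caller is not visible in this hunk, but a comparator with an inconsistent sign presumably leaves the range table mis-sorted, which matters to any code that assumes sorted, non-overlapping ranges.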
@@ -92126,10 +92222,10 @@ index a63f4dc..349bbb0 100644
unsigned long timeout)
{
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
-index 89e7283..072bc26 100644
+index efdca2f..e361dfb 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
-@@ -1885,7 +1885,7 @@ void set_numabalancing_state(bool enabled)
+@@ -1890,7 +1890,7 @@ void set_numabalancing_state(bool enabled)
int sysctl_numa_balancing(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
@@ -92138,7 +92234,7 @@ index 89e7283..072bc26 100644
int err;
int state = numabalancing_enabled;
-@@ -2348,8 +2348,10 @@ context_switch(struct rq *rq, struct task_struct *prev,
+@@ -2353,8 +2353,10 @@ context_switch(struct rq *rq, struct task_struct *prev,
next->active_mm = oldmm;
atomic_inc(&oldmm->mm_count);
enter_lazy_tlb(oldmm, next);
@@ -92150,7 +92246,7 @@ index 89e7283..072bc26 100644
if (!prev->mm) {
prev->active_mm = NULL;
-@@ -3160,6 +3162,8 @@ int can_nice(const struct task_struct *p, const int nice)
+@@ -3165,6 +3167,8 @@ int can_nice(const struct task_struct *p, const int nice)
/* convert nice value [19,-20] to rlimit style value [1,40] */
int nice_rlim = nice_to_rlimit(nice);
@@ -92159,7 +92255,7 @@ index 89e7283..072bc26 100644
return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
capable(CAP_SYS_NICE));
}
-@@ -3186,7 +3190,8 @@ SYSCALL_DEFINE1(nice, int, increment)
+@@ -3191,7 +3195,8 @@ SYSCALL_DEFINE1(nice, int, increment)
nice = task_nice(current) + increment;
nice = clamp_val(nice, MIN_NICE, MAX_NICE);
@@ -92169,7 +92265,7 @@ index 89e7283..072bc26 100644
return -EPERM;
retval = security_task_setnice(current, nice);
-@@ -3465,6 +3470,7 @@ recheck:
+@@ -3470,6 +3475,7 @@ recheck:
if (policy != p->policy && !rlim_rtprio)
return -EPERM;
@@ -92177,7 +92273,7 @@ index 89e7283..072bc26 100644
/* can't increase priority */
if (attr->sched_priority > p->rt_priority &&
attr->sched_priority > rlim_rtprio)
-@@ -4885,6 +4891,7 @@ void idle_task_exit(void)
+@@ -4890,6 +4896,7 @@ void idle_task_exit(void)
if (mm != &init_mm) {
switch_mm(mm, &init_mm, current);
@@ -92185,7 +92281,7 @@ index 89e7283..072bc26 100644
finish_arch_post_lock_switch();
}
mmdrop(mm);
-@@ -4980,7 +4987,7 @@ static void migrate_tasks(unsigned int dead_cpu)
+@@ -4985,7 +4992,7 @@ static void migrate_tasks(unsigned int dead_cpu)
#if defined(CONFIG_SCHED_DEBUG) && defined(CONFIG_SYSCTL)
@@ -92194,7 +92290,7 @@ index 89e7283..072bc26 100644
{
.procname = "sched_domain",
.mode = 0555,
-@@ -4997,17 +5004,17 @@ static struct ctl_table sd_ctl_root[] = {
+@@ -5002,17 +5009,17 @@ static struct ctl_table sd_ctl_root[] = {
{}
};
@@ -92216,7 +92312,7 @@ index 89e7283..072bc26 100644
/*
* In the intermediate directories, both the child directory and
-@@ -5015,22 +5022,25 @@ static void sd_free_ctl_entry(struct ctl_table **tablep)
+@@ -5020,22 +5027,25 @@ static void sd_free_ctl_entry(struct ctl_table **tablep)
* will always be set. In the lowest directory the names are
* static strings and all have proc handlers.
*/
@@ -92248,7 +92344,7 @@ index 89e7283..072bc26 100644
const char *procname, void *data, int maxlen,
umode_t mode, proc_handler *proc_handler,
bool load_idx)
-@@ -5050,7 +5060,7 @@ set_table_entry(struct ctl_table *entry,
+@@ -5055,7 +5065,7 @@ set_table_entry(struct ctl_table *entry,
static struct ctl_table *
sd_alloc_ctl_domain_table(struct sched_domain *sd)
{
@@ -92257,7 +92353,7 @@ index 89e7283..072bc26 100644
if (table == NULL)
return NULL;
-@@ -5088,9 +5098,9 @@ sd_alloc_ctl_domain_table(struct sched_domain *sd)
+@@ -5093,9 +5103,9 @@ sd_alloc_ctl_domain_table(struct sched_domain *sd)
return table;
}
@@ -92269,7 +92365,7 @@ index 89e7283..072bc26 100644
struct sched_domain *sd;
int domain_num = 0, i;
char buf[32];
-@@ -5117,11 +5127,13 @@ static struct ctl_table_header *sd_sysctl_header;
+@@ -5122,11 +5132,13 @@ static struct ctl_table_header *sd_sysctl_header;
static void register_sched_domain_sysctl(void)
{
int i, cpu_num = num_possible_cpus();
@@ -92284,7 +92380,7 @@ index 89e7283..072bc26 100644
if (entry == NULL)
return;
-@@ -5144,8 +5156,12 @@ static void unregister_sched_domain_sysctl(void)
+@@ -5149,8 +5161,12 @@ static void unregister_sched_domain_sysctl(void)
if (sd_sysctl_header)
unregister_sysctl_table(sd_sysctl_header);
sd_sysctl_header = NULL;
@@ -95492,7 +95588,7 @@ index 8639f6b..b623882a 100644
}
unset_migratetype_isolate(page, MIGRATE_MOVABLE);
diff --git a/mm/memory.c b/mm/memory.c
-index d5f2ae9..4d678b2 100644
+index 7f86cf6..0600e22 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -415,6 +415,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
@@ -95792,7 +95888,7 @@ index d5f2ae9..4d678b2 100644
/*
* This routine handles present pages, when users try to write
* to a shared page. It is done by copying the page to a new address
-@@ -2218,6 +2425,12 @@ gotten:
+@@ -2225,6 +2432,12 @@ gotten:
*/
page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
if (likely(pte_same(*page_table, orig_pte))) {
@@ -95805,7 +95901,7 @@ index d5f2ae9..4d678b2 100644
if (old_page) {
if (!PageAnon(old_page)) {
dec_mm_counter_fast(mm, MM_FILEPAGES);
-@@ -2271,6 +2484,10 @@ gotten:
+@@ -2278,6 +2491,10 @@ gotten:
page_remove_rmap(old_page);
}
@@ -95816,7 +95912,7 @@ index d5f2ae9..4d678b2 100644
/* Free the old page.. */
new_page = old_page;
ret |= VM_FAULT_WRITE;
-@@ -2545,6 +2762,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2552,6 +2769,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
swap_free(entry);
if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
try_to_free_swap(page);
@@ -95828,7 +95924,7 @@ index d5f2ae9..4d678b2 100644
unlock_page(page);
if (page != swapcache) {
/*
-@@ -2568,6 +2790,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2575,6 +2797,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
/* No need to invalidate - it was non-present before */
update_mmu_cache(vma, address, page_table);
@@ -95840,7 +95936,7 @@ index d5f2ae9..4d678b2 100644
unlock:
pte_unmap_unlock(page_table, ptl);
out:
-@@ -2587,40 +2814,6 @@ out_release:
+@@ -2594,40 +2821,6 @@ out_release:
}
/*
@@ -95863,7 +95959,7 @@ index d5f2ae9..4d678b2 100644
- if (prev && prev->vm_end == address)
- return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
-
-- expand_downwards(vma, address - PAGE_SIZE);
+- return expand_downwards(vma, address - PAGE_SIZE);
- }
- if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
- struct vm_area_struct *next = vma->vm_next;
@@ -95872,7 +95968,7 @@ index d5f2ae9..4d678b2 100644
- if (next && next->vm_start == address + PAGE_SIZE)
- return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
-
-- expand_upwards(vma, address + PAGE_SIZE);
+- return expand_upwards(vma, address + PAGE_SIZE);
- }
- return 0;
-}
@@ -95881,7 +95977,7 @@ index d5f2ae9..4d678b2 100644
* We enter with non-exclusive mmap_sem (to exclude vma changes,
* but allow concurrent faults), and pte mapped but not yet locked.
* We return with mmap_sem still held, but pte unmapped and unlocked.
-@@ -2630,27 +2823,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2637,27 +2830,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
unsigned int flags)
{
struct mem_cgroup *memcg;
@@ -95914,7 +96010,7 @@ index d5f2ae9..4d678b2 100644
if (unlikely(anon_vma_prepare(vma)))
goto oom;
page = alloc_zeroed_user_highpage_movable(vma, address);
-@@ -2674,6 +2863,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2681,6 +2870,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
if (!pte_none(*page_table))
goto release;
@@ -95926,7 +96022,7 @@ index d5f2ae9..4d678b2 100644
inc_mm_counter_fast(mm, MM_ANONPAGES);
page_add_new_anon_rmap(page, vma, address);
mem_cgroup_commit_charge(page, memcg, false);
-@@ -2683,6 +2877,12 @@ setpte:
+@@ -2690,6 +2884,12 @@ setpte:
/* No need to invalidate - it was non-present before */
update_mmu_cache(vma, address, page_table);
@@ -95939,7 +96035,7 @@ index d5f2ae9..4d678b2 100644
unlock:
pte_unmap_unlock(page_table, ptl);
return 0;
-@@ -2913,6 +3113,11 @@ static int do_read_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2920,6 +3120,11 @@ static int do_read_fault(struct mm_struct *mm, struct vm_area_struct *vma,
return ret;
}
do_set_pte(vma, address, fault_page, pte, false, false);
@@ -95951,7 +96047,7 @@ index d5f2ae9..4d678b2 100644
unlock_page(fault_page);
unlock_out:
pte_unmap_unlock(pte, ptl);
-@@ -2955,7 +3160,18 @@ static int do_cow_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2962,7 +3167,18 @@ static int do_cow_fault(struct mm_struct *mm, struct vm_area_struct *vma,
page_cache_release(fault_page);
goto uncharge_out;
}
@@ -95970,7 +96066,7 @@ index d5f2ae9..4d678b2 100644
mem_cgroup_commit_charge(new_page, memcg, false);
lru_cache_add_active_or_unevictable(new_page, vma);
pte_unmap_unlock(pte, ptl);
-@@ -3005,6 +3221,11 @@ static int do_shared_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3012,6 +3228,11 @@ static int do_shared_fault(struct mm_struct *mm, struct vm_area_struct *vma,
return ret;
}
do_set_pte(vma, address, fault_page, pte, true, false);
@@ -95982,7 +96078,7 @@ index d5f2ae9..4d678b2 100644
pte_unmap_unlock(pte, ptl);
if (set_page_dirty(fault_page))
-@@ -3246,6 +3467,12 @@ static int handle_pte_fault(struct mm_struct *mm,
+@@ -3253,6 +3474,12 @@ static int handle_pte_fault(struct mm_struct *mm,
if (flags & FAULT_FLAG_WRITE)
flush_tlb_fix_spurious_fault(vma, address);
}
@@ -95995,7 +96091,7 @@ index d5f2ae9..4d678b2 100644
unlock:
pte_unmap_unlock(pte, ptl);
return 0;
-@@ -3265,9 +3492,41 @@ static int __handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3272,9 +3499,41 @@ static int __handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
pmd_t *pmd;
pte_t *pte;
@@ -96037,7 +96133,7 @@ index d5f2ae9..4d678b2 100644
pgd = pgd_offset(mm, address);
pud = pud_alloc(mm, pgd, address);
if (!pud)
-@@ -3401,6 +3660,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
+@@ -3408,6 +3667,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
spin_unlock(&mm->page_table_lock);
return 0;
}
@@ -96061,7 +96157,7 @@ index d5f2ae9..4d678b2 100644
#endif /* __PAGETABLE_PUD_FOLDED */
#ifndef __PAGETABLE_PMD_FOLDED
-@@ -3431,6 +3707,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
+@@ -3438,6 +3714,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
spin_unlock(&mm->page_table_lock);
return 0;
}
@@ -96092,7 +96188,7 @@ index d5f2ae9..4d678b2 100644
#endif /* __PAGETABLE_PMD_FOLDED */
static int __follow_pte(struct mm_struct *mm, unsigned long address,
-@@ -3540,8 +3840,8 @@ out:
+@@ -3547,8 +3847,8 @@ out:
return ret;
}
@@ -96103,7 +96199,7 @@ index d5f2ae9..4d678b2 100644
{
resource_size_t phys_addr;
unsigned long prot = 0;
-@@ -3567,8 +3867,8 @@ EXPORT_SYMBOL_GPL(generic_access_phys);
+@@ -3574,8 +3874,8 @@ EXPORT_SYMBOL_GPL(generic_access_phys);
* Access another process' address space as given in mm. If non-NULL, use the
* given task for page fault accounting.
*/
@@ -96114,7 +96210,7 @@ index d5f2ae9..4d678b2 100644
{
struct vm_area_struct *vma;
void *old_buf = buf;
-@@ -3576,7 +3876,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
+@@ -3583,7 +3883,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
down_read(&mm->mmap_sem);
/* ignore errors, just check how much was successfully transferred */
while (len) {
@@ -96123,7 +96219,7 @@ index d5f2ae9..4d678b2 100644
void *maddr;
struct page *page = NULL;
-@@ -3637,8 +3937,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
+@@ -3644,8 +3944,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
*
* The caller must hold a reference on @mm.
*/
@@ -96134,7 +96230,7 @@ index d5f2ae9..4d678b2 100644
{
return __access_remote_vm(NULL, mm, addr, buf, len, write);
}
-@@ -3648,11 +3948,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr,
+@@ -3655,11 +3955,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr,
* Source/target buffer must be kernel space,
* Do not walk the page table directly, use get_user_pages
*/
@@ -96315,7 +96411,7 @@ index 73cf098..ab547c7 100644
capable(CAP_IPC_LOCK))
ret = do_mlockall(flags);
diff --git a/mm/mmap.c b/mm/mmap.c
-index ae91989..d8308c7 100644
+index 1620adb..348da48 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -41,6 +41,7 @@
@@ -96974,15 +97070,17 @@ index ae91989..d8308c7 100644
/*
* Verify that the stack growth is acceptable and
* update accounting. This is shared with both the
-@@ -2106,6 +2412,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
- return -ENOMEM;
+@@ -2107,8 +2413,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
/* Stack limit test */
-+ gr_learn_resource(current, RLIMIT_STACK, size, 1);
- if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
+ actual_size = size;
+- if (size && (vma->vm_flags & (VM_GROWSUP | VM_GROWSDOWN)))
+- actual_size -= PAGE_SIZE;
++ gr_learn_resource(current, RLIMIT_STACK, actual_size, 1);
+ if (actual_size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
return -ENOMEM;
-@@ -2116,6 +2423,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -2119,6 +2424,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
locked = mm->locked_vm + grow;
limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
limit >>= PAGE_SHIFT;
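Review bot: In the stack-limit test of acct_stack_growth(), `actual_size` is now assigned from `size` and never adjusted, because the new side drops the `actual_size -= PAGE_SIZE` deduction; both gr_learn_resource() and the RLIMIT_STACK comparison therefore see the full `size`. This looks deliberate, since the mm/memory.c section of this same patch (hunk `@@ -2594,40 +2821,6 @@`) removes the helper that called `expand_downwards(vma, address - PAGE_SIZE)`, but nothing in the hunk says so and the leftover temporary reads as if an adjustment still happened. A one-line comment would keep a later rebase from re-adding the subtraction, for example `/* no guard-page deduction: the guard-page expansion helper is removed by this patch */`, with the wording confirmed against the gap handling that lies outside this hunk. The function body starts and ends outside the hunk.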
@@ -96990,7 +97088,7 @@ index ae91989..d8308c7 100644
if (locked > limit && !capable(CAP_IPC_LOCK))
return -ENOMEM;
}
-@@ -2145,37 +2453,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -2148,37 +2454,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
* PA-RISC uses this for its stack; IA64 for its Register Backing Store.
* vma is the last one with address > vma->vm_end. Have to extend vma.
*/
@@ -97048,7 +97146,7 @@ index ae91989..d8308c7 100644
unsigned long size, grow;
size = address - vma->vm_start;
-@@ -2210,6 +2529,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+@@ -2213,6 +2530,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
}
}
}
@@ -97057,7 +97155,7 @@ index ae91989..d8308c7 100644
vma_unlock_anon_vma(vma);
khugepaged_enter_vma_merge(vma, vma->vm_flags);
validate_mm(vma->vm_mm);
-@@ -2224,6 +2545,8 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2227,6 +2546,8 @@ int expand_downwards(struct vm_area_struct *vma,
unsigned long address)
{
int error;
@@ -97066,7 +97164,7 @@ index ae91989..d8308c7 100644
/*
* We must make sure the anon_vma is allocated
-@@ -2237,6 +2560,15 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2240,6 +2561,15 @@ int expand_downwards(struct vm_area_struct *vma,
if (error)
return error;
@@ -97082,7 +97180,7 @@ index ae91989..d8308c7 100644
vma_lock_anon_vma(vma);
/*
-@@ -2246,9 +2578,17 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2249,9 +2579,17 @@ int expand_downwards(struct vm_area_struct *vma,
*/
/* Somebody else might have raced and expanded it already */
@@ -97101,7 +97199,7 @@ index ae91989..d8308c7 100644
size = vma->vm_end - address;
grow = (vma->vm_start - address) >> PAGE_SHIFT;
-@@ -2273,13 +2613,27 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2276,13 +2614,27 @@ int expand_downwards(struct vm_area_struct *vma,
vma->vm_pgoff -= grow;
anon_vma_interval_tree_post_update_vma(vma);
vma_gap_update(vma);
@@ -97129,7 +97227,7 @@ index ae91989..d8308c7 100644
khugepaged_enter_vma_merge(vma, vma->vm_flags);
validate_mm(vma->vm_mm);
return error;
-@@ -2377,6 +2731,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2380,6 +2732,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
do {
long nrpages = vma_pages(vma);
@@ -97143,7 +97241,7 @@ index ae91989..d8308c7 100644
if (vma->vm_flags & VM_ACCOUNT)
nr_accounted += nrpages;
vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
-@@ -2421,6 +2782,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2424,6 +2783,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
insertion_point = (prev ? &prev->vm_next : &mm->mmap);
vma->vm_prev = NULL;
do {
@@ -97160,7 +97258,7 @@ index ae91989..d8308c7 100644
vma_rb_erase(vma, &mm->mm_rb);
mm->map_count--;
tail_vma = vma;
-@@ -2448,14 +2819,33 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2451,14 +2820,33 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
struct vm_area_struct *new;
int err = -ENOMEM;
@@ -97194,7 +97292,7 @@ index ae91989..d8308c7 100644
/* most fields are the same, copy all, and then fixup */
*new = *vma;
-@@ -2468,6 +2858,22 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2471,6 +2859,22 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
}
@@ -97217,7 +97315,7 @@ index ae91989..d8308c7 100644
err = vma_dup_policy(vma, new);
if (err)
goto out_free_vma;
-@@ -2488,6 +2894,38 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2491,6 +2895,38 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
else
err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
@@ -97256,7 +97354,7 @@ index ae91989..d8308c7 100644
/* Success. */
if (!err)
return 0;
-@@ -2497,10 +2935,18 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2500,10 +2936,18 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
new->vm_ops->close(new);
if (new->vm_file)
fput(new->vm_file);
@@ -97276,7 +97374,7 @@ index ae91989..d8308c7 100644
kmem_cache_free(vm_area_cachep, new);
out_err:
return err;
-@@ -2513,6 +2959,15 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2516,6 +2960,15 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
unsigned long addr, int new_below)
{
@@ -97292,7 +97390,7 @@ index ae91989..d8308c7 100644
if (mm->map_count >= sysctl_max_map_count)
return -ENOMEM;
-@@ -2524,11 +2979,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2527,11 +2980,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
* work. This now handles partial unmappings.
* Jeremy Fitzhardinge <jeremy@goop.org>
*/
@@ -97323,7 +97421,7 @@ index ae91989..d8308c7 100644
if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
return -EINVAL;
-@@ -2604,6 +3078,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
+@@ -2607,6 +3079,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
/* Fix up all other VM information */
remove_vma_list(mm, vma);
@@ -97332,7 +97430,7 @@ index ae91989..d8308c7 100644
return 0;
}
-@@ -2612,6 +3088,13 @@ int vm_munmap(unsigned long start, size_t len)
+@@ -2615,6 +3089,13 @@ int vm_munmap(unsigned long start, size_t len)
int ret;
struct mm_struct *mm = current->mm;
@@ -97346,7 +97444,7 @@ index ae91989..d8308c7 100644
down_write(&mm->mmap_sem);
ret = do_munmap(mm, start, len);
up_write(&mm->mmap_sem);
-@@ -2625,16 +3108,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
+@@ -2628,16 +3109,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
return vm_munmap(addr, len);
}
@@ -97363,7 +97461,7 @@ index ae91989..d8308c7 100644
/*
* this is really a simplified "do_mmap". it only handles
* anonymous maps. eventually we may be able to do some
-@@ -2648,6 +3121,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2651,6 +3122,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
struct rb_node **rb_link, *rb_parent;
pgoff_t pgoff = addr >> PAGE_SHIFT;
int error;
@@ -97371,7 +97469,7 @@ index ae91989..d8308c7 100644
len = PAGE_ALIGN(len);
if (!len)
-@@ -2655,10 +3129,24 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2658,10 +3130,24 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
@@ -97396,7 +97494,7 @@ index ae91989..d8308c7 100644
error = mlock_future_check(mm, mm->def_flags, len);
if (error)
return error;
-@@ -2672,21 +3160,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2675,21 +3161,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
/*
* Clear old maps. this also does some error checking for us
*/
@@ -97421,7 +97519,7 @@ index ae91989..d8308c7 100644
return -ENOMEM;
/* Can we just expand an old private anonymous mapping? */
-@@ -2700,7 +3187,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2703,7 +3188,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
*/
vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
if (!vma) {
@@ -97430,7 +97528,7 @@ index ae91989..d8308c7 100644
return -ENOMEM;
}
-@@ -2714,10 +3201,11 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2717,10 +3202,11 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
vma_link(mm, vma, prev, rb_link, rb_parent);
out:
perf_event_mmap(vma);
@@ -97444,7 +97542,7 @@ index ae91989..d8308c7 100644
return addr;
}
-@@ -2779,6 +3267,7 @@ void exit_mmap(struct mm_struct *mm)
+@@ -2782,6 +3268,7 @@ void exit_mmap(struct mm_struct *mm)
while (vma) {
if (vma->vm_flags & VM_ACCOUNT)
nr_accounted += vma_pages(vma);
@@ -97452,7 +97550,7 @@ index ae91989..d8308c7 100644
vma = remove_vma(vma);
}
vm_unacct_memory(nr_accounted);
-@@ -2796,6 +3285,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2799,6 +3286,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
struct vm_area_struct *prev;
struct rb_node **rb_link, *rb_parent;
@@ -97466,7 +97564,7 @@ index ae91989..d8308c7 100644
/*
* The vm_pgoff of a purely anonymous vma should be irrelevant
* until its first write fault, when page's anon_vma and index
-@@ -2819,7 +3315,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2822,7 +3316,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
security_vm_enough_memory_mm(mm, vma_pages(vma)))
return -ENOMEM;
@@ -97488,7 +97586,7 @@ index ae91989..d8308c7 100644
return 0;
}
-@@ -2838,6 +3348,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2841,6 +3349,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
struct rb_node **rb_link, *rb_parent;
bool faulted_in_anon_vma = true;
@@ -97497,7 +97595,7 @@ index ae91989..d8308c7 100644
/*
* If anonymous vma has not yet been faulted, update new pgoff
* to match new location, to increase its chance of merging.
-@@ -2902,6 +3414,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2905,6 +3415,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
return NULL;
}
@@ -97537,7 +97635,7 @@ index ae91989..d8308c7 100644
/*
* Return true if the calling process may expand its vm space by the passed
* number of pages
-@@ -2913,6 +3458,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
+@@ -2916,6 +3459,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
@@ -97545,7 +97643,7 @@ index ae91989..d8308c7 100644
if (cur + npages > lim)
return 0;
return 1;
-@@ -2995,6 +3541,22 @@ static struct vm_area_struct *__install_special_mapping(
+@@ -2998,6 +3542,22 @@ static struct vm_area_struct *__install_special_mapping(
vma->vm_start = addr;
vma->vm_end = addr + len;
@@ -97972,7 +98070,7 @@ index bd1808e..b63d87c 100644
struct mm_struct *mm;
diff --git a/mm/page-writeback.c b/mm/page-writeback.c
-index 19ceae8..70848ee 100644
+index 437174a..8b86707 100644
--- a/mm/page-writeback.c
+++ b/mm/page-writeback.c
@@ -664,7 +664,7 @@ static long long pos_ratio_polynom(unsigned long setpoint,
@@ -100380,7 +100478,7 @@ index 8854c05..ee5d5497 100644
atomic_t batman_queue_left;
char num_ifaces;
diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
-index c2e0d14..bfa852b 100644
+index cfbb39e..0bbfc9d 100644
--- a/net/bluetooth/6lowpan.c
+++ b/net/bluetooth/6lowpan.c
@@ -367,7 +367,6 @@ static int recv_pkt(struct sk_buff *skb, struct net_device *dev,
@@ -102040,10 +102138,29 @@ index 3d4da2c..40f9c29 100644
ICMP_PROT_UNREACH, 0);
}
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
-index 9daf217..dc6972d 100644
+index 9daf217..373d454 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
-@@ -1177,7 +1177,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+@@ -443,15 +443,12 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+
+ memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err));
+ sin = &errhdr.offender;
+- sin->sin_family = AF_UNSPEC;
++ memset(sin, 0, sizeof(*sin));
++
+ if (serr->ee.ee_origin == SO_EE_ORIGIN_ICMP) {
+- struct inet_sock *inet = inet_sk(sk);
+-
+ sin->sin_family = AF_INET;
+ sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
+- sin->sin_port = 0;
+- memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));
+- if (inet->cmsg_flags)
++ if (inet_sk(sk)->cmsg_flags)
+ ip_cmsg_recv(msg, skb);
+ }
+
+@@ -1177,7 +1174,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
len = min_t(unsigned int, len, opt->optlen);
if (put_user(len, optlen))
return -EFAULT;
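Review bot: The `memset(sin, 0, sizeof(*sin));` added to ip_recv_error() has no comment saying why the whole `offender` is cleared, and the field-by-field code it replaces left `sin_addr`, `sin_port` and `sin_zero` unset whenever the origin was not ICMP. `errhdr` appears to be passed to user space later in the function (outside this hunk), so any byte not written here would be disclosed; I would put `/* zero all of offender: errhdr is copied to user space as a cmsg */` above the memset so a later cleanup does not go back to per-field assignments. The same comment applies to the ipv6_recv_error() hunk in net/ipv6/datagram.c of this patch and to both corresponding hunks in the 3.2.66 patch. The zeroing covers `offender` only, so it is worth confirming that `errhdr` has no padding between `ee` and `offender`.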
@@ -102053,7 +102170,7 @@ index 9daf217..dc6972d 100644
return -EFAULT;
return 0;
}
-@@ -1308,7 +1309,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+@@ -1308,7 +1306,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
if (sk->sk_type != SOCK_STREAM)
return -ENOPROTOOPT;
@@ -103033,10 +103150,38 @@ index e8c4400..a4cd5da 100644
err = ipv6_init_mibs(net);
if (err)
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
-index 2cdc383..09cffb8 100644
+index 2cdc383..4f1b785 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
-@@ -928,5 +928,5 @@ void ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp,
+@@ -383,11 +383,10 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+
+ memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err));
+ sin = &errhdr.offender;
+- sin->sin6_family = AF_UNSPEC;
++ memset(sin, 0, sizeof(*sin));
++
+ if (serr->ee.ee_origin != SO_EE_ORIGIN_LOCAL) {
+ sin->sin6_family = AF_INET6;
+- sin->sin6_flowinfo = 0;
+- sin->sin6_port = 0;
+ if (np->rxopt.all)
+ ip6_datagram_recv_common_ctl(sk, msg, skb);
+ if (skb->protocol == htons(ETH_P_IPV6)) {
+@@ -398,12 +397,9 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+ ipv6_iface_scope_id(&sin->sin6_addr,
+ IP6CB(skb)->iif);
+ } else {
+- struct inet_sock *inet = inet_sk(sk);
+-
+ ipv6_addr_set_v4mapped(ip_hdr(skb)->saddr,
+ &sin->sin6_addr);
+- sin->sin6_scope_id = 0;
+- if (inet->cmsg_flags)
++ if (inet_sk(sk)->cmsg_flags)
+ ip_cmsg_recv(msg, skb);
+ }
+ }
+@@ -928,5 +924,5 @@ void ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp,
0,
sock_i_ino(sp),
atomic_read(&sp->sk_refcnt), sp,
@@ -103453,10 +103598,25 @@ index 1a157ca..9fc05f4 100644
return -ENOMEM;
}
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
-index a318dd89..7ecfea6 100644
+index a318dd89..42a612c 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
-@@ -2965,7 +2965,7 @@ struct ctl_table ipv6_route_table_template[] = {
+@@ -1150,12 +1150,9 @@ static void ip6_rt_update_pmtu(struct dst_entry *dst, struct sock *sk,
+ struct net *net = dev_net(dst->dev);
+
+ rt6->rt6i_flags |= RTF_MODIFIED;
+- if (mtu < IPV6_MIN_MTU) {
+- u32 features = dst_metric(dst, RTAX_FEATURES);
++ if (mtu < IPV6_MIN_MTU)
+ mtu = IPV6_MIN_MTU;
+- features |= RTAX_FEATURE_ALLFRAG;
+- dst_metric_set(dst, RTAX_FEATURES, features);
+- }
++
+ dst_metric_set(dst, RTAX_MTU, mtu);
+ rt6_update_expires(rt6, net->ipv6.sysctl.ip6_rt_mtu_expires);
+ }
+@@ -2965,7 +2962,7 @@ struct ctl_table ipv6_route_table_template[] = {
struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net)
{
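Review bot: The clamp in ip6_rt_update_pmtu(), `if (mtu < IPV6_MIN_MTU) mtu = IPV6_MIN_MTU;`, now accepts a reported MTU below the IPv6 minimum without any comment on why RTAX_FEATURE_ALLFRAG is no longer set on the route. The MTU presumably originates from a received Packet Too Big message, i.e. from the network, so the reason belongs next to the code: `/* sub-minimum PMTU reports are clamped; the route is not switched to always-fragment */`. As a matter of style the two lines and the blank line after them could be written as `mtu = max_t(u32, mtu, IPV6_MIN_MTU);`. The 3.2.66 patch carries the same change in its net/ipv6/route.c section.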
@@ -109405,10 +109565,10 @@ index 4c41c90..37f3631 100644
return snd_seq_device_register_driver(SNDRV_SEQ_DEV_ID_EMU10K1_SYNTH, &ops,
sizeof(struct snd_emu10k1_synth_arg));
diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
-index 15e0089..ad6bc9b 100644
+index e708368..764dffe 100644
--- a/sound/pci/hda/hda_codec.c
+++ b/sound/pci/hda/hda_codec.c
-@@ -966,14 +966,10 @@ find_codec_preset(struct hda_codec *codec)
+@@ -968,14 +968,10 @@ find_codec_preset(struct hda_codec *codec)
mutex_unlock(&preset_mutex);
if (mod_requested < HDA_MODREQ_MAX_COUNT) {
@@ -109425,7 +109585,7 @@ index 15e0089..ad6bc9b 100644
mod_requested++;
goto again;
}
-@@ -2800,7 +2796,7 @@ static int get_kctl_0dB_offset(struct hda_codec *codec,
+@@ -2802,7 +2798,7 @@ static int get_kctl_0dB_offset(struct hda_codec *codec,
/* FIXME: set_fs() hack for obtaining user-space TLV data */
mm_segment_t fs = get_fs();
set_fs(get_ds());
diff --git a/3.18.2/4425_grsec_remove_EI_PAX.patch b/3.18.3/4425_grsec_remove_EI_PAX.patch
index 86e242a..86e242a 100644
--- a/3.18.2/4425_grsec_remove_EI_PAX.patch
+++ b/3.18.3/4425_grsec_remove_EI_PAX.patch
diff --git a/3.18.2/4427_force_XATTR_PAX_tmpfs.patch b/3.18.3/4427_force_XATTR_PAX_tmpfs.patch
index 22c9273..22c9273 100644
--- a/3.18.2/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.18.3/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.18.2/4430_grsec-remove-localversion-grsec.patch b/3.18.3/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.18.2/4430_grsec-remove-localversion-grsec.patch
+++ b/3.18.3/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.18.2/4435_grsec-mute-warnings.patch b/3.18.3/4435_grsec-mute-warnings.patch
index 0585e08..0585e08 100644
--- a/3.18.2/4435_grsec-mute-warnings.patch
+++ b/3.18.3/4435_grsec-mute-warnings.patch
diff --git a/3.18.2/4440_grsec-remove-protected-paths.patch b/3.18.3/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/3.18.2/4440_grsec-remove-protected-paths.patch
+++ b/3.18.3/4440_grsec-remove-protected-paths.patch
diff --git a/3.18.2/4450_grsec-kconfig-default-gids.patch b/3.18.3/4450_grsec-kconfig-default-gids.patch
index 039bad1..039bad1 100644
--- a/3.18.2/4450_grsec-kconfig-default-gids.patch
+++ b/3.18.3/4450_grsec-kconfig-default-gids.patch
diff --git a/3.18.2/4465_selinux-avc_audit-log-curr_ip.patch b/3.18.3/4465_selinux-avc_audit-log-curr_ip.patch
index 747ac53..747ac53 100644
--- a/3.18.2/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.18.3/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.18.2/4470_disable-compat_vdso.patch b/3.18.3/4470_disable-compat_vdso.patch
index df785ab..df785ab 100644
--- a/3.18.2/4470_disable-compat_vdso.patch
+++ b/3.18.3/4470_disable-compat_vdso.patch
diff --git a/3.18.2/4475_emutramp_default_on.patch b/3.18.3/4475_emutramp_default_on.patch
index ad4967a..ad4967a 100644
--- a/3.18.2/4475_emutramp_default_on.patch
+++ b/3.18.3/4475_emutramp_default_on.patch
diff --git a/3.2.66/0000_README b/3.2.66/0000_README
index f224bbd..f9825bd 100644
--- a/3.2.66/0000_README
+++ b/3.2.66/0000_README
@@ -182,7 +182,7 @@ Patch: 1065_linux-3.2.66.patch
From: http://www.kernel.org
Desc: Linux 3.2.66
-Patch: 4420_grsecurity-3.0-3.2.66-201501142321.patch
+Patch: 4420_grsecurity-3.0-3.2.66-201501211939.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.66/4420_grsecurity-3.0-3.2.66-201501142321.patch b/3.2.66/4420_grsecurity-3.0-3.2.66-201501211939.patch
index 0a514cd..89a8670 100644
--- a/3.2.66/4420_grsecurity-3.0-3.2.66-201501142321.patch
+++ b/3.2.66/4420_grsecurity-3.0-3.2.66-201501211939.patch
@@ -45572,6 +45572,42 @@ index b02adbc..4285b65 100644
#include <linux/mlx4/device.h>
#include <linux/mlx4/doorbell.h>
+diff --git a/drivers/net/ethernet/neterion/s2io.c b/drivers/net/ethernet/neterion/s2io.c
+index c27fb3d..c54df57 100644
+--- a/drivers/net/ethernet/neterion/s2io.c
++++ b/drivers/net/ethernet/neterion/s2io.c
+@@ -6994,7 +6994,9 @@ static int s2io_add_isr(struct s2io_nic *sp)
+ if (sp->s2io_entries[i].in_use == MSIX_FLG) {
+ if (sp->s2io_entries[i].type ==
+ MSIX_RING_TYPE) {
+- sprintf(sp->desc[i], "%s:MSI-X-%d-RX",
++ snprintf(sp->desc[i],
++ sizeof(sp->desc[i]),
++ "%s:MSI-X-%d-RX",
+ dev->name, i);
+ err = request_irq(sp->entries[i].vector,
+ s2io_msix_ring_handle,
+@@ -7003,7 +7005,9 @@ static int s2io_add_isr(struct s2io_nic *sp)
+ sp->s2io_entries[i].arg);
+ } else if (sp->s2io_entries[i].type ==
+ MSIX_ALARM_TYPE) {
+- sprintf(sp->desc[i], "%s:MSI-X-%d-TX",
++ snprintf(sp->desc[i],
++ sizeof(sp->desc[i]),
++ "%s:MSI-X-%d-TX",
+ dev->name, i);
+ err = request_irq(sp->entries[i].vector,
+ s2io_msix_fifo_handle,
+@@ -8166,7 +8170,8 @@ s2io_init_nic(struct pci_dev *pdev, const struct pci_device_id *pre)
+ "%s: UDP Fragmentation Offload(UFO) enabled\n",
+ dev->name);
+ /* Initialize device name */
+- sprintf(sp->name, "%s Neterion %s", dev->name, sp->product_name);
++ snprintf(sp->name, sizeof(sp->name), "%s Neterion %s", dev->name,
++ sp->product_name);
+
+ if (vlan_tag_strip)
+ sp->vlan_strip_flag = 1;
diff --git a/drivers/net/ethernet/neterion/vxge/vxge-config.c b/drivers/net/ethernet/neterion/vxge/vxge-config.c
index 98e2c10..79af7f8 100644
--- a/drivers/net/ethernet/neterion/vxge/vxge-config.c
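Review bot: The bound in the new `snprintf(sp->desc[i], sizeof(sp->desc[i]), ...)` calls in s2io_add_isr() equals the buffer size only if `desc` is declared as an array of char arrays; the declaration is not in this hunk, and if `desc[i]` were a pointer, `sizeof` would yield the pointer size and cut every name short. The same check applies to `sizeof(sp->name)` in s2io_init_nic(). Truncation is also silent, because the snprintf() return value is dropped; that is fine for memory safety, but a short comment such as `/* truncation is acceptable: desc is only a label */` would record the intent, assuming `desc` is used only as the IRQ name in the request_irq() arguments that are not fully visible here.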
@@ -104363,10 +104399,29 @@ index 073a9b0..8c29a4f 100644
ICMP_PROT_UNREACH, 0);
}
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
-index 542a9c1..5b792eb 100644
+index 542a9c1..9f73775 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
-@@ -1121,7 +1121,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+@@ -416,15 +416,12 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+
+ memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err));
+ sin = &errhdr.offender;
+- sin->sin_family = AF_UNSPEC;
++ memset(sin, 0, sizeof(*sin));
++
+ if (serr->ee.ee_origin == SO_EE_ORIGIN_ICMP) {
+- struct inet_sock *inet = inet_sk(sk);
+-
+ sin->sin_family = AF_INET;
+ sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
+- sin->sin_port = 0;
+- memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));
+- if (inet->cmsg_flags)
++ if (inet_sk(sk)->cmsg_flags)
+ ip_cmsg_recv(msg, skb);
+ }
+
+@@ -1121,7 +1118,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
len = min_t(unsigned int, len, opt->optlen);
if (put_user(len, optlen))
return -EFAULT;
@@ -104376,7 +104431,7 @@ index 542a9c1..5b792eb 100644
return -EFAULT;
return 0;
}
-@@ -1249,7 +1250,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+@@ -1249,7 +1247,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
if (sk->sk_type != SOCK_STREAM)
return -ENOPROTOOPT;
@@ -105491,6 +105546,38 @@ index 3afdd78..2f630fb 100644
}
static struct pernet_operations if6_proc_net_ops = {
+diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
+index 3c7c948..33719b7 100644
+--- a/net/ipv6/datagram.c
++++ b/net/ipv6/datagram.c
+@@ -371,12 +371,10 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+
+ memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err));
+ sin = &errhdr.offender;
+- sin->sin6_family = AF_UNSPEC;
++ memset(sin, 0, sizeof(*sin));
++
+ if (serr->ee.ee_origin != SO_EE_ORIGIN_LOCAL) {
+ sin->sin6_family = AF_INET6;
+- sin->sin6_flowinfo = 0;
+- sin->sin6_port = 0;
+- sin->sin6_scope_id = 0;
+ if (skb->protocol == htons(ETH_P_IPV6)) {
+ ipv6_addr_copy(&sin->sin6_addr, &ipv6_hdr(skb)->saddr);
+ if (np->rxopt.all)
+@@ -384,11 +382,9 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+ if (ipv6_addr_type(&sin->sin6_addr) & IPV6_ADDR_LINKLOCAL)
+ sin->sin6_scope_id = IP6CB(skb)->iif;
+ } else {
+- struct inet_sock *inet = inet_sk(sk);
+-
+ ipv6_addr_set_v4mapped(ip_hdr(skb)->saddr,
+ &sin->sin6_addr);
+- if (inet->cmsg_flags)
++ if (inet_sk(sk)->cmsg_flags)
+ ip_cmsg_recv(msg, skb);
+ }
+ }
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 65dd543..e6c6e6d 100644
--- a/net/ipv6/esp6.c
@@ -105776,10 +105863,25 @@ index eba5deb..61e026f 100644
return -ENOMEM;
}
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
-index 782f67a..9b969f2 100644
+index 782f67a..2dc56bf 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
-@@ -2809,7 +2809,7 @@ ctl_table ipv6_route_table_template[] = {
+@@ -1018,12 +1018,9 @@ static void ip6_rt_update_pmtu(struct dst_entry *dst, u32 mtu)
+
+ if (mtu < dst_mtu(dst) && rt6->rt6i_dst.plen == 128) {
+ rt6->rt6i_flags |= RTF_MODIFIED;
+- if (mtu < IPV6_MIN_MTU) {
+- u32 features = dst_metric(dst, RTAX_FEATURES);
++ if (mtu < IPV6_MIN_MTU)
+ mtu = IPV6_MIN_MTU;
+- features |= RTAX_FEATURE_ALLFRAG;
+- dst_metric_set(dst, RTAX_FEATURES, features);
+- }
++
+ dst_metric_set(dst, RTAX_MTU, mtu);
+ }
+ }
+@@ -2809,7 +2806,7 @@ ctl_table ipv6_route_table_template[] = {
struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net)
{