diff options
author | Anthony G. Basile <blueness@gentoo.org> | 2015-01-23 15:50:19 -0500 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2015-01-23 15:50:19 -0500 |
commit | c617d17450287c48b74a9eb88cb370ec317eb7d5 (patch) | |
tree | 45e303a45784ebf316b72c8a7c764bea9a75b582 | |
parent | Grsec/PaX: 3.0-{3.2.66,3.14.28,3.18.2}-201501142325 (diff) | |
download | hardened-patchset-c617d17450287c48b74a9eb88cb370ec317eb7d5.tar.gz hardened-patchset-c617d17450287c48b74a9eb88cb370ec317eb7d5.tar.bz2 hardened-patchset-c617d17450287c48b74a9eb88cb370ec317eb7d5.zip |
Grsec/PaX: 3.0-{3.2.66,3.14.29,3.18.3}-20150121194420150121
-rw-r--r-- | 3.14.28/1027_linux-3.14.28.patch | 1961 | ||||
-rw-r--r-- | 3.14.29/0000_README (renamed from 3.14.28/0000_README) | 6 | ||||
-rw-r--r-- | 3.14.29/4420_grsecurity-3.0-3.14.29-201501211943.patch (renamed from 3.14.28/4420_grsecurity-3.0-3.14.28-201501142323.patch) | 357 | ||||
-rw-r--r-- | 3.14.29/4425_grsec_remove_EI_PAX.patch (renamed from 3.14.28/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.14.29/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.14.28/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 3.14.29/4430_grsec-remove-localversion-grsec.patch (renamed from 3.14.28/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.14.29/4435_grsec-mute-warnings.patch (renamed from 3.14.28/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.14.29/4440_grsec-remove-protected-paths.patch (renamed from 3.14.28/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.14.29/4450_grsec-kconfig-default-gids.patch (renamed from 3.14.28/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.14.29/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.14.28/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.14.29/4470_disable-compat_vdso.patch (renamed from 3.14.28/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.14.29/4475_emutramp_default_on.patch (renamed from 3.14.28/4475_emutramp_default_on.patch) | 0 | ||||
-rw-r--r-- | 3.18.3/0000_README (renamed from 3.18.2/0000_README) | 2 | ||||
-rw-r--r-- | 3.18.3/4420_grsecurity-3.0-3.18.3-201501211944.patch (renamed from 3.18.2/4420_grsecurity-3.0-3.18.2-201501142325.patch) | 430 | ||||
-rw-r--r-- | 3.18.3/4425_grsec_remove_EI_PAX.patch (renamed from 3.18.2/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.18.3/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.18.2/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 3.18.3/4430_grsec-remove-localversion-grsec.patch (renamed from 3.18.2/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.18.3/4435_grsec-mute-warnings.patch (renamed from 3.18.2/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.18.3/4440_grsec-remove-protected-paths.patch (renamed from 3.18.2/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.18.3/4450_grsec-kconfig-default-gids.patch (renamed from 3.18.2/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.18.3/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.18.2/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.18.3/4470_disable-compat_vdso.patch (renamed from 3.18.2/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.18.3/4475_emutramp_default_on.patch (renamed from 3.18.2/4475_emutramp_default_on.patch) | 0 | ||||
-rw-r--r-- | 3.2.66/0000_README | 2 | ||||
-rw-r--r-- | 3.2.66/4420_grsecurity-3.0-3.2.66-201501211939.patch (renamed from 3.2.66/4420_grsecurity-3.0-3.2.66-201501142321.patch) | 112 |
25 files changed, 676 insertions, 2194 deletions
diff --git a/3.14.28/1027_linux-3.14.28.patch b/3.14.28/1027_linux-3.14.28.patch deleted file mode 100644 index ac1ed3f..0000000 --- a/3.14.28/1027_linux-3.14.28.patch +++ /dev/null @@ -1,1961 +0,0 @@ -diff --git a/Makefile b/Makefile -index 944db23..a2e572b 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,6 +1,6 @@ - VERSION = 3 - PATCHLEVEL = 14 --SUBLEVEL = 27 -+SUBLEVEL = 28 - EXTRAVERSION = - NAME = Remembering Coco - -diff --git a/arch/arm/boot/dts/armada-370.dtsi b/arch/arm/boot/dts/armada-370.dtsi -index 0d8530c..34841fc 100644 ---- a/arch/arm/boot/dts/armada-370.dtsi -+++ b/arch/arm/boot/dts/armada-370.dtsi -@@ -106,11 +106,6 @@ - reg = <0x11100 0x20>; - }; - -- system-controller@18200 { -- compatible = "marvell,armada-370-xp-system-controller"; -- reg = <0x18200 0x100>; -- }; -- - pinctrl { - compatible = "marvell,mv88f6710-pinctrl"; - reg = <0x18000 0x38>; -@@ -167,6 +162,11 @@ - interrupts = <91>; - }; - -+ system-controller@18200 { -+ compatible = "marvell,armada-370-xp-system-controller"; -+ reg = <0x18200 0x100>; -+ }; -+ - gateclk: clock-gating-control@18220 { - compatible = "marvell,armada-370-gating-clock"; - reg = <0x18220 0x4>; -diff --git a/arch/arm/mach-tegra/reset-handler.S b/arch/arm/mach-tegra/reset-handler.S -index 8c1ba4f..3505799 100644 ---- a/arch/arm/mach-tegra/reset-handler.S -+++ b/arch/arm/mach-tegra/reset-handler.S -@@ -51,6 +51,7 @@ ENTRY(tegra_resume) - THUMB( it ne ) - bne cpu_resume @ no - -+ tegra_get_soc_id TEGRA_APB_MISC_BASE, r6 - /* Are we on Tegra20? */ - cmp r6, #TEGRA20 - beq 1f @ Yes -diff --git a/arch/arm64/include/asm/hwcap.h b/arch/arm64/include/asm/hwcap.h -index 6cddbb0..e0ec201 100644 ---- a/arch/arm64/include/asm/hwcap.h -+++ b/arch/arm64/include/asm/hwcap.h -@@ -30,6 +30,7 @@ - #define COMPAT_HWCAP_IDIVA (1 << 17) - #define COMPAT_HWCAP_IDIVT (1 << 18) - #define COMPAT_HWCAP_IDIV (COMPAT_HWCAP_IDIVA|COMPAT_HWCAP_IDIVT) -+#define COMPAT_HWCAP_LPAE (1 << 20) - #define COMPAT_HWCAP_EVTSTRM (1 << 21) - - #ifndef __ASSEMBLY__ -diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c -index c8e9eff..071c382 100644 ---- a/arch/arm64/kernel/setup.c -+++ b/arch/arm64/kernel/setup.c -@@ -67,7 +67,8 @@ EXPORT_SYMBOL_GPL(elf_hwcap); - COMPAT_HWCAP_FAST_MULT|COMPAT_HWCAP_EDSP|\ - COMPAT_HWCAP_TLS|COMPAT_HWCAP_VFP|\ - COMPAT_HWCAP_VFPv3|COMPAT_HWCAP_VFPv4|\ -- COMPAT_HWCAP_NEON|COMPAT_HWCAP_IDIV) -+ COMPAT_HWCAP_NEON|COMPAT_HWCAP_IDIV|\ -+ COMPAT_HWCAP_LPAE) - unsigned int compat_elf_hwcap __read_mostly = COMPAT_ELF_HWCAP_DEFAULT; - #endif - -diff --git a/arch/s390/kernel/compat_linux.c b/arch/s390/kernel/compat_linux.c -index db02052..5426c9e 100644 ---- a/arch/s390/kernel/compat_linux.c -+++ b/arch/s390/kernel/compat_linux.c -@@ -245,7 +245,7 @@ asmlinkage long sys32_setgroups16(int gidsetsize, u16 __user *grouplist) - struct group_info *group_info; - int retval; - -- if (!capable(CAP_SETGID)) -+ if (!may_setgroups()) - return -EPERM; - if ((unsigned)gidsetsize > NGROUPS_MAX) - return -EINVAL; -diff --git a/arch/x86/include/uapi/asm/ldt.h b/arch/x86/include/uapi/asm/ldt.h -index 46727eb..6e1aaf7 100644 ---- a/arch/x86/include/uapi/asm/ldt.h -+++ b/arch/x86/include/uapi/asm/ldt.h -@@ -28,6 +28,13 @@ struct user_desc { - unsigned int seg_not_present:1; - unsigned int useable:1; - #ifdef __x86_64__ -+ /* -+ * Because this bit is not present in 32-bit user code, user -+ * programs can pass uninitialized values here. Therefore, in -+ * any context in which a user_desc comes from a 32-bit program, -+ * the kernel must act as though lm == 0, regardless of the -+ * actual value. -+ */ - unsigned int lm:1; - #endif - }; -diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c -index 713f1b3..0b1e1d5 100644 ---- a/arch/x86/kernel/kvm.c -+++ b/arch/x86/kernel/kvm.c -@@ -280,7 +280,14 @@ do_async_page_fault(struct pt_regs *regs, unsigned long error_code) - static void __init paravirt_ops_setup(void) - { - pv_info.name = "KVM"; -- pv_info.paravirt_enabled = 1; -+ -+ /* -+ * KVM isn't paravirt in the sense of paravirt_enabled. A KVM -+ * guest kernel works like a bare metal kernel with additional -+ * features, and paravirt_enabled is about features that are -+ * missing. -+ */ -+ pv_info.paravirt_enabled = 0; - - if (kvm_para_has_feature(KVM_FEATURE_NOP_IO_DELAY)) - pv_cpu_ops.io_delay = kvm_io_delay; -diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c -index e604109..c8e98cd 100644 ---- a/arch/x86/kernel/kvmclock.c -+++ b/arch/x86/kernel/kvmclock.c -@@ -263,7 +263,6 @@ void __init kvmclock_init(void) - #endif - kvm_get_preset_lpj(); - clocksource_register_hz(&kvm_clock, NSEC_PER_SEC); -- pv_info.paravirt_enabled = 1; - pv_info.name = "KVM"; - - if (kvm_para_has_feature(KVM_FEATURE_CLOCKSOURCE_STABLE_BIT)) -diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c -index 9c0280f..e2d26ce 100644 ---- a/arch/x86/kernel/process_64.c -+++ b/arch/x86/kernel/process_64.c -@@ -286,24 +286,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) - - fpu = switch_fpu_prepare(prev_p, next_p, cpu); - -- /* -- * Reload esp0, LDT and the page table pointer: -- */ -+ /* Reload esp0 and ss1. */ - load_sp0(tss, next); - -- /* -- * Switch DS and ES. -- * This won't pick up thread selector changes, but I guess that is ok. -- */ -- savesegment(es, prev->es); -- if (unlikely(next->es | prev->es)) -- loadsegment(es, next->es); -- -- savesegment(ds, prev->ds); -- if (unlikely(next->ds | prev->ds)) -- loadsegment(ds, next->ds); -- -- - /* We must save %fs and %gs before load_TLS() because - * %fs and %gs may be cleared by load_TLS(). - * -@@ -312,41 +297,101 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p) - savesegment(fs, fsindex); - savesegment(gs, gsindex); - -+ /* -+ * Load TLS before restoring any segments so that segment loads -+ * reference the correct GDT entries. -+ */ - load_TLS(next, cpu); - - /* -- * Leave lazy mode, flushing any hypercalls made here. -- * This must be done before restoring TLS segments so -- * the GDT and LDT are properly updated, and must be -- * done before math_state_restore, so the TS bit is up -- * to date. -+ * Leave lazy mode, flushing any hypercalls made here. This -+ * must be done after loading TLS entries in the GDT but before -+ * loading segments that might reference them, and and it must -+ * be done before math_state_restore, so the TS bit is up to -+ * date. - */ - arch_end_context_switch(next_p); - -+ /* Switch DS and ES. -+ * -+ * Reading them only returns the selectors, but writing them (if -+ * nonzero) loads the full descriptor from the GDT or LDT. The -+ * LDT for next is loaded in switch_mm, and the GDT is loaded -+ * above. -+ * -+ * We therefore need to write new values to the segment -+ * registers on every context switch unless both the new and old -+ * values are zero. -+ * -+ * Note that we don't need to do anything for CS and SS, as -+ * those are saved and restored as part of pt_regs. -+ */ -+ savesegment(es, prev->es); -+ if (unlikely(next->es | prev->es)) -+ loadsegment(es, next->es); -+ -+ savesegment(ds, prev->ds); -+ if (unlikely(next->ds | prev->ds)) -+ loadsegment(ds, next->ds); -+ - /* - * Switch FS and GS. - * -- * Segment register != 0 always requires a reload. Also -- * reload when it has changed. When prev process used 64bit -- * base always reload to avoid an information leak. -+ * These are even more complicated than FS and GS: they have -+ * 64-bit bases are that controlled by arch_prctl. Those bases -+ * only differ from the values in the GDT or LDT if the selector -+ * is 0. -+ * -+ * Loading the segment register resets the hidden base part of -+ * the register to 0 or the value from the GDT / LDT. If the -+ * next base address zero, writing 0 to the segment register is -+ * much faster than using wrmsr to explicitly zero the base. -+ * -+ * The thread_struct.fs and thread_struct.gs values are 0 -+ * if the fs and gs bases respectively are not overridden -+ * from the values implied by fsindex and gsindex. They -+ * are nonzero, and store the nonzero base addresses, if -+ * the bases are overridden. -+ * -+ * (fs != 0 && fsindex != 0) || (gs != 0 && gsindex != 0) should -+ * be impossible. -+ * -+ * Therefore we need to reload the segment registers if either -+ * the old or new selector is nonzero, and we need to override -+ * the base address if next thread expects it to be overridden. -+ * -+ * This code is unnecessarily slow in the case where the old and -+ * new indexes are zero and the new base is nonzero -- it will -+ * unnecessarily write 0 to the selector before writing the new -+ * base address. -+ * -+ * Note: This all depends on arch_prctl being the only way that -+ * user code can override the segment base. Once wrfsbase and -+ * wrgsbase are enabled, most of this code will need to change. - */ - if (unlikely(fsindex | next->fsindex | prev->fs)) { - loadsegment(fs, next->fsindex); -+ - /* -- * Check if the user used a selector != 0; if yes -- * clear 64bit base, since overloaded base is always -- * mapped to the Null selector -+ * If user code wrote a nonzero value to FS, then it also -+ * cleared the overridden base address. -+ * -+ * XXX: if user code wrote 0 to FS and cleared the base -+ * address itself, we won't notice and we'll incorrectly -+ * restore the prior base address next time we reschdule -+ * the process. - */ - if (fsindex) - prev->fs = 0; - } -- /* when next process has a 64bit base use it */ - if (next->fs) - wrmsrl(MSR_FS_BASE, next->fs); - prev->fsindex = fsindex; - - if (unlikely(gsindex | next->gsindex | prev->gs)) { - load_gs_index(next->gsindex); -+ -+ /* This works (and fails) the same way as fsindex above. */ - if (gsindex) - prev->gs = 0; - } -diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c -index f7fec09..4e942f3 100644 ---- a/arch/x86/kernel/tls.c -+++ b/arch/x86/kernel/tls.c -@@ -27,6 +27,37 @@ static int get_free_idx(void) - return -ESRCH; - } - -+static bool tls_desc_okay(const struct user_desc *info) -+{ -+ if (LDT_empty(info)) -+ return true; -+ -+ /* -+ * espfix is required for 16-bit data segments, but espfix -+ * only works for LDT segments. -+ */ -+ if (!info->seg_32bit) -+ return false; -+ -+ /* Only allow data segments in the TLS array. */ -+ if (info->contents > 1) -+ return false; -+ -+ /* -+ * Non-present segments with DPL 3 present an interesting attack -+ * surface. The kernel should handle such segments correctly, -+ * but TLS is very difficult to protect in a sandbox, so prevent -+ * such segments from being created. -+ * -+ * If userspace needs to remove a TLS entry, it can still delete -+ * it outright. -+ */ -+ if (info->seg_not_present) -+ return false; -+ -+ return true; -+} -+ - static void set_tls_desc(struct task_struct *p, int idx, - const struct user_desc *info, int n) - { -@@ -66,6 +97,9 @@ int do_set_thread_area(struct task_struct *p, int idx, - if (copy_from_user(&info, u_info, sizeof(info))) - return -EFAULT; - -+ if (!tls_desc_okay(&info)) -+ return -EINVAL; -+ - if (idx == -1) - idx = info.entry_number; - -@@ -192,6 +226,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, - { - struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES]; - const struct user_desc *info; -+ int i; - - if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) || - (pos % sizeof(struct user_desc)) != 0 || -@@ -205,6 +240,10 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, - else - info = infobuf; - -+ for (i = 0; i < count / sizeof(struct user_desc); i++) -+ if (!tls_desc_okay(info + i)) -+ return -EINVAL; -+ - set_tls_desc(target, - GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)), - info, count / sizeof(struct user_desc)); -diff --git a/crypto/af_alg.c b/crypto/af_alg.c -index 6a3ad80..1de4bee 100644 ---- a/crypto/af_alg.c -+++ b/crypto/af_alg.c -@@ -449,6 +449,9 @@ void af_alg_complete(struct crypto_async_request *req, int err) - { - struct af_alg_completion *completion = req->data; - -+ if (err == -EINPROGRESS) -+ return; -+ - completion->err = err; - complete(&completion->completion); - } -diff --git a/drivers/md/bitmap.c b/drivers/md/bitmap.c -index 4195a01..8e51b3a 100644 ---- a/drivers/md/bitmap.c -+++ b/drivers/md/bitmap.c -@@ -883,7 +883,6 @@ void bitmap_unplug(struct bitmap *bitmap) - { - unsigned long i; - int dirty, need_write; -- int wait = 0; - - if (!bitmap || !bitmap->storage.filemap || - test_bit(BITMAP_STALE, &bitmap->flags)) -@@ -901,16 +900,13 @@ void bitmap_unplug(struct bitmap *bitmap) - clear_page_attr(bitmap, i, BITMAP_PAGE_PENDING); - write_page(bitmap, bitmap->storage.filemap[i], 0); - } -- if (dirty) -- wait = 1; -- } -- if (wait) { /* if any writes were performed, we need to wait on them */ -- if (bitmap->storage.file) -- wait_event(bitmap->write_wait, -- atomic_read(&bitmap->pending_writes)==0); -- else -- md_super_wait(bitmap->mddev); - } -+ if (bitmap->storage.file) -+ wait_event(bitmap->write_wait, -+ atomic_read(&bitmap->pending_writes)==0); -+ else -+ md_super_wait(bitmap->mddev); -+ - if (test_bit(BITMAP_WRITE_ERROR, &bitmap->flags)) - bitmap_file_kick(bitmap); - } -diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c -index a1cebf7..03c872f 100644 ---- a/drivers/md/dm-bufio.c -+++ b/drivers/md/dm-bufio.c -@@ -532,6 +532,19 @@ static void use_dmio(struct dm_buffer *b, int rw, sector_t block, - end_io(&b->bio, r); - } - -+static void inline_endio(struct bio *bio, int error) -+{ -+ bio_end_io_t *end_fn = bio->bi_private; -+ -+ /* -+ * Reset the bio to free any attached resources -+ * (e.g. bio integrity profiles). -+ */ -+ bio_reset(bio); -+ -+ end_fn(bio, error); -+} -+ - static void use_inline_bio(struct dm_buffer *b, int rw, sector_t block, - bio_end_io_t *end_io) - { -@@ -543,7 +556,12 @@ static void use_inline_bio(struct dm_buffer *b, int rw, sector_t block, - b->bio.bi_max_vecs = DM_BUFIO_INLINE_VECS; - b->bio.bi_iter.bi_sector = block << b->c->sectors_per_block_bits; - b->bio.bi_bdev = b->c->bdev; -- b->bio.bi_end_io = end_io; -+ b->bio.bi_end_io = inline_endio; -+ /* -+ * Use of .bi_private isn't a problem here because -+ * the dm_buffer's inline bio is local to bufio. -+ */ -+ b->bio.bi_private = end_io; - - /* - * We assume that if len >= PAGE_SIZE ptr is page-aligned. -diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c -index 2331543..ff284b7 100644 ---- a/drivers/md/dm-cache-target.c -+++ b/drivers/md/dm-cache-target.c -@@ -946,10 +946,14 @@ static void migration_success_post_commit(struct dm_cache_migration *mg) - } - - } else { -- clear_dirty(cache, mg->new_oblock, mg->cblock); -- if (mg->requeue_holder) -+ if (mg->requeue_holder) { -+ clear_dirty(cache, mg->new_oblock, mg->cblock); - cell_defer(cache, mg->new_ocell, true); -- else { -+ } else { -+ /* -+ * The block was promoted via an overwrite, so it's dirty. -+ */ -+ set_dirty(cache, mg->new_oblock, mg->cblock); - bio_endio(mg->new_ocell->holder, 0); - cell_defer(cache, mg->new_ocell, false); - } -@@ -1060,7 +1064,8 @@ static void issue_copy(struct dm_cache_migration *mg) - - avoid = is_discarded_oblock(cache, mg->new_oblock); - -- if (!avoid && bio_writes_complete_block(cache, bio)) { -+ if (writeback_mode(&cache->features) && -+ !avoid && bio_writes_complete_block(cache, bio)) { - issue_overwrite(mg, bio); - return; - } -diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c -index 9533f83..4a8d19d 100644 ---- a/drivers/md/dm-crypt.c -+++ b/drivers/md/dm-crypt.c -@@ -709,7 +709,7 @@ static int crypt_iv_tcw_whitening(struct crypt_config *cc, - for (i = 0; i < ((1 << SECTOR_SHIFT) / 8); i++) - crypto_xor(data + i * 8, buf, 8); - out: -- memset(buf, 0, sizeof(buf)); -+ memzero_explicit(buf, sizeof(buf)); - return r; - } - -diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c -index 37f2648..f7e052c 100644 ---- a/drivers/md/dm-thin.c -+++ b/drivers/md/dm-thin.c -@@ -916,6 +916,24 @@ static void schedule_zero(struct thin_c *tc, dm_block_t virt_block, - } - } - -+static void set_pool_mode(struct pool *pool, enum pool_mode new_mode); -+ -+static void check_for_space(struct pool *pool) -+{ -+ int r; -+ dm_block_t nr_free; -+ -+ if (get_pool_mode(pool) != PM_OUT_OF_DATA_SPACE) -+ return; -+ -+ r = dm_pool_get_free_block_count(pool->pmd, &nr_free); -+ if (r) -+ return; -+ -+ if (nr_free) -+ set_pool_mode(pool, PM_WRITE); -+} -+ - /* - * A non-zero return indicates read_only or fail_io mode. - * Many callers don't care about the return value. -@@ -930,6 +948,8 @@ static int commit(struct pool *pool) - r = dm_pool_commit_metadata(pool->pmd); - if (r) - metadata_operation_failed(pool, "dm_pool_commit_metadata", r); -+ else -+ check_for_space(pool); - - return r; - } -@@ -948,8 +968,6 @@ static void check_low_water_mark(struct pool *pool, dm_block_t free_blocks) - } - } - --static void set_pool_mode(struct pool *pool, enum pool_mode new_mode); -- - static int alloc_data_block(struct thin_c *tc, dm_block_t *result) - { - int r; -@@ -1592,7 +1610,7 @@ static void set_pool_mode(struct pool *pool, enum pool_mode new_mode) - pool->process_bio = process_bio_read_only; - pool->process_discard = process_discard; - pool->process_prepared_mapping = process_prepared_mapping; -- pool->process_prepared_discard = process_prepared_discard_passdown; -+ pool->process_prepared_discard = process_prepared_discard; - - if (!pool->pf.error_if_no_space && no_space_timeout) - queue_delayed_work(pool->wq, &pool->no_space_timeout, no_space_timeout); -diff --git a/drivers/md/persistent-data/dm-space-map-metadata.c b/drivers/md/persistent-data/dm-space-map-metadata.c -index 786b689..f4e22bc 100644 ---- a/drivers/md/persistent-data/dm-space-map-metadata.c -+++ b/drivers/md/persistent-data/dm-space-map-metadata.c -@@ -564,7 +564,9 @@ static int sm_bootstrap_get_nr_blocks(struct dm_space_map *sm, dm_block_t *count - { - struct sm_metadata *smm = container_of(sm, struct sm_metadata, sm); - -- return smm->ll.nr_blocks; -+ *count = smm->ll.nr_blocks; -+ -+ return 0; - } - - static int sm_bootstrap_get_nr_free(struct dm_space_map *sm, dm_block_t *count) -diff --git a/drivers/mfd/tc6393xb.c b/drivers/mfd/tc6393xb.c -index 11c19e5..48579e5 100644 ---- a/drivers/mfd/tc6393xb.c -+++ b/drivers/mfd/tc6393xb.c -@@ -263,6 +263,17 @@ static int tc6393xb_ohci_disable(struct platform_device *dev) - return 0; - } - -+static int tc6393xb_ohci_suspend(struct platform_device *dev) -+{ -+ struct tc6393xb_platform_data *tcpd = dev_get_platdata(dev->dev.parent); -+ -+ /* We can't properly store/restore OHCI state, so fail here */ -+ if (tcpd->resume_restore) -+ return -EBUSY; -+ -+ return tc6393xb_ohci_disable(dev); -+} -+ - static int tc6393xb_fb_enable(struct platform_device *dev) - { - struct tc6393xb *tc6393xb = dev_get_drvdata(dev->dev.parent); -@@ -403,7 +414,7 @@ static struct mfd_cell tc6393xb_cells[] = { - .num_resources = ARRAY_SIZE(tc6393xb_ohci_resources), - .resources = tc6393xb_ohci_resources, - .enable = tc6393xb_ohci_enable, -- .suspend = tc6393xb_ohci_disable, -+ .suspend = tc6393xb_ohci_suspend, - .resume = tc6393xb_ohci_enable, - .disable = tc6393xb_ohci_disable, - }, -diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c -index 7b5424f..df72c47 100644 ---- a/drivers/mmc/card/block.c -+++ b/drivers/mmc/card/block.c -@@ -260,7 +260,7 @@ static ssize_t force_ro_show(struct device *dev, struct device_attribute *attr, - int ret; - struct mmc_blk_data *md = mmc_blk_get(dev_to_disk(dev)); - -- ret = snprintf(buf, PAGE_SIZE, "%d", -+ ret = snprintf(buf, PAGE_SIZE, "%d\n", - get_disk_ro(dev_to_disk(dev)) ^ - md->read_only); - mmc_blk_put(md); -diff --git a/drivers/mmc/host/dw_mmc.c b/drivers/mmc/host/dw_mmc.c -index 55cd110..caed9d5 100644 ---- a/drivers/mmc/host/dw_mmc.c -+++ b/drivers/mmc/host/dw_mmc.c -@@ -632,6 +632,13 @@ static void dw_mci_ctrl_rd_thld(struct dw_mci *host, struct mmc_data *data) - - WARN_ON(!(data->flags & MMC_DATA_READ)); - -+ /* -+ * CDTHRCTL doesn't exist prior to 240A (in fact that register offset is -+ * in the FIFO region, so we really shouldn't access it). -+ */ -+ if (host->verid < DW_MMC_240A) -+ return; -+ - if (host->timing != MMC_TIMING_MMC_HS200 && - host->timing != MMC_TIMING_UHS_SDR104) - goto disable; -diff --git a/drivers/mmc/host/sdhci-pci-o2micro.c b/drivers/mmc/host/sdhci-pci-o2micro.c -index f49666b..257e9ca 100644 ---- a/drivers/mmc/host/sdhci-pci-o2micro.c -+++ b/drivers/mmc/host/sdhci-pci-o2micro.c -@@ -88,8 +88,6 @@ void sdhci_pci_o2_fujin2_pci_init(struct sdhci_pci_chip *chip) - return; - scratch_32 &= ~((1 << 21) | (1 << 30)); - -- /* Set RTD3 function disabled */ -- scratch_32 |= ((1 << 29) | (1 << 28)); - pci_write_config_dword(chip->pdev, O2_SD_FUNC_REG3, scratch_32); - - /* Set L1 Entrance Timer */ -diff --git a/drivers/scsi/NCR5380.c b/drivers/scsi/NCR5380.c -index 1e9d6ad..7563b3d 100644 ---- a/drivers/scsi/NCR5380.c -+++ b/drivers/scsi/NCR5380.c -@@ -2655,14 +2655,14 @@ static void NCR5380_dma_complete(NCR5380_instance * instance) { - * - * Purpose : abort a command - * -- * Inputs : cmd - the Scsi_Cmnd to abort, code - code to set the -- * host byte of the result field to, if zero DID_ABORTED is -+ * Inputs : cmd - the Scsi_Cmnd to abort, code - code to set the -+ * host byte of the result field to, if zero DID_ABORTED is - * used. - * -- * Returns : 0 - success, -1 on failure. -+ * Returns : SUCCESS - success, FAILED on failure. - * -- * XXX - there is no way to abort the command that is currently -- * connected, you have to wait for it to complete. If this is -+ * XXX - there is no way to abort the command that is currently -+ * connected, you have to wait for it to complete. If this is - * a problem, we could implement longjmp() / setjmp(), setjmp() - * called where the loop started in NCR5380_main(). - * -@@ -2712,7 +2712,7 @@ static int NCR5380_abort(Scsi_Cmnd * cmd) { - * aborted flag and get back into our main loop. - */ - -- return 0; -+ return SUCCESS; - } - #endif - -diff --git a/drivers/scsi/aha1740.c b/drivers/scsi/aha1740.c -index 5f31017..31ace4b 100644 ---- a/drivers/scsi/aha1740.c -+++ b/drivers/scsi/aha1740.c -@@ -531,7 +531,7 @@ static int aha1740_eh_abort_handler (Scsi_Cmnd *dummy) - * quiet as possible... - */ - -- return 0; -+ return SUCCESS; - } - - static struct scsi_host_template aha1740_template = { -diff --git a/drivers/scsi/atari_NCR5380.c b/drivers/scsi/atari_NCR5380.c -index 0f3cdbc..30073d4 100644 ---- a/drivers/scsi/atari_NCR5380.c -+++ b/drivers/scsi/atari_NCR5380.c -@@ -2613,7 +2613,7 @@ static void NCR5380_reselect(struct Scsi_Host *instance) - * host byte of the result field to, if zero DID_ABORTED is - * used. - * -- * Returns : 0 - success, -1 on failure. -+ * Returns : SUCCESS - success, FAILED on failure. - * - * XXX - there is no way to abort the command that is currently - * connected, you have to wait for it to complete. If this is -diff --git a/drivers/scsi/esas2r/esas2r_main.c b/drivers/scsi/esas2r/esas2r_main.c -index f37f3e3..28fe6fe 100644 ---- a/drivers/scsi/esas2r/esas2r_main.c -+++ b/drivers/scsi/esas2r/esas2r_main.c -@@ -1057,7 +1057,7 @@ int esas2r_eh_abort(struct scsi_cmnd *cmd) - - cmd->scsi_done(cmd); - -- return 0; -+ return SUCCESS; - } - - spin_lock_irqsave(&a->queue_lock, flags); -diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c -index 816db12..52587ce 100644 ---- a/drivers/scsi/megaraid.c -+++ b/drivers/scsi/megaraid.c -@@ -1967,7 +1967,7 @@ megaraid_abort_and_reset(adapter_t *adapter, Scsi_Cmnd *cmd, int aor) - cmd->device->id, cmd->device->lun); - - if(list_empty(&adapter->pending_list)) -- return FALSE; -+ return FAILED; - - list_for_each_safe(pos, next, &adapter->pending_list) { - -@@ -1990,7 +1990,7 @@ megaraid_abort_and_reset(adapter_t *adapter, Scsi_Cmnd *cmd, int aor) - (aor==SCB_ABORT) ? "ABORTING":"RESET", - scb->idx); - -- return FALSE; -+ return FAILED; - } - else { - -@@ -2015,12 +2015,12 @@ megaraid_abort_and_reset(adapter_t *adapter, Scsi_Cmnd *cmd, int aor) - list_add_tail(SCSI_LIST(cmd), - &adapter->completed_list); - -- return TRUE; -+ return SUCCESS; - } - } - } - -- return FALSE; -+ return FAILED; - } - - static inline int -diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c -index 3b7ad10..c80afde 100644 ---- a/drivers/scsi/megaraid/megaraid_sas_base.c -+++ b/drivers/scsi/megaraid/megaraid_sas_base.c -@@ -953,7 +953,7 @@ megasas_issue_blocked_abort_cmd(struct megasas_instance *instance, - cpu_to_le32(upper_32_bits(cmd_to_abort->frame_phys_addr)); - - cmd->sync_cmd = 1; -- cmd->cmd_status = 0xFF; -+ cmd->cmd_status = ENODATA; - - instance->instancet->issue_dcmd(instance, cmd); - -diff --git a/drivers/scsi/sun3_NCR5380.c b/drivers/scsi/sun3_NCR5380.c -index 636bbe0..fc57c8a 100644 ---- a/drivers/scsi/sun3_NCR5380.c -+++ b/drivers/scsi/sun3_NCR5380.c -@@ -2597,15 +2597,15 @@ static void NCR5380_reselect (struct Scsi_Host *instance) - * Purpose : abort a command - * - * Inputs : cmd - the struct scsi_cmnd to abort, code - code to set the -- * host byte of the result field to, if zero DID_ABORTED is -+ * host byte of the result field to, if zero DID_ABORTED is - * used. - * -- * Returns : 0 - success, -1 on failure. -+ * Returns : SUCCESS - success, FAILED on failure. - * -- * XXX - there is no way to abort the command that is currently -- * connected, you have to wait for it to complete. If this is -+ * XXX - there is no way to abort the command that is currently -+ * connected, you have to wait for it to complete. If this is - * a problem, we could implement longjmp() / setjmp(), setjmp() -- * called where the loop started in NCR5380_main(). -+ * called where the loop started in NCR5380_main(). - */ - - static int NCR5380_abort(struct scsi_cmnd *cmd) -diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c -index 71b0ec0..284733e 100644 ---- a/drivers/thermal/thermal_core.c -+++ b/drivers/thermal/thermal_core.c -@@ -1824,10 +1824,10 @@ static int __init thermal_init(void) - - exit_netlink: - genetlink_exit(); --unregister_governors: -- thermal_unregister_governors(); - unregister_class: - class_unregister(&thermal_class); -+unregister_governors: -+ thermal_unregister_governors(); - error: - idr_destroy(&thermal_tz_idr); - idr_destroy(&thermal_cdev_idr); -diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c -index 370ef74..0db8ded 100644 ---- a/fs/btrfs/disk-io.c -+++ b/fs/btrfs/disk-io.c -@@ -3978,12 +3978,6 @@ again: - if (ret) - break; - -- /* opt_discard */ -- if (btrfs_test_opt(root, DISCARD)) -- ret = btrfs_error_discard_extent(root, start, -- end + 1 - start, -- NULL); -- - clear_extent_dirty(unpin, start, end, GFP_NOFS); - btrfs_error_unpin_extent_range(root, start, end); - cond_resched(); -diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c -index 3ff98e2..d2f1c01 100644 ---- a/fs/btrfs/extent-tree.c -+++ b/fs/btrfs/extent-tree.c -@@ -5503,7 +5503,8 @@ void btrfs_prepare_extent_commit(struct btrfs_trans_handle *trans, - update_global_block_rsv(fs_info); - } - --static int unpin_extent_range(struct btrfs_root *root, u64 start, u64 end) -+static int unpin_extent_range(struct btrfs_root *root, u64 start, u64 end, -+ const bool return_free_space) - { - struct btrfs_fs_info *fs_info = root->fs_info; - struct btrfs_block_group_cache *cache = NULL; -@@ -5527,7 +5528,8 @@ static int unpin_extent_range(struct btrfs_root *root, u64 start, u64 end) - - if (start < cache->last_byte_to_unpin) { - len = min(len, cache->last_byte_to_unpin - start); -- btrfs_add_free_space(cache, start, len); -+ if (return_free_space) -+ btrfs_add_free_space(cache, start, len); - } - - start += len; -@@ -5590,7 +5592,7 @@ int btrfs_finish_extent_commit(struct btrfs_trans_handle *trans, - end + 1 - start, NULL); - - clear_extent_dirty(unpin, start, end, GFP_NOFS); -- unpin_extent_range(root, start, end); -+ unpin_extent_range(root, start, end, true); - cond_resched(); - } - -@@ -8886,7 +8888,7 @@ out: - - int btrfs_error_unpin_extent_range(struct btrfs_root *root, u64 start, u64 end) - { -- return unpin_extent_range(root, start, end); -+ return unpin_extent_range(root, start, end, false); - } - - int btrfs_error_discard_extent(struct btrfs_root *root, u64 bytenr, -diff --git a/fs/btrfs/extent_map.c b/fs/btrfs/extent_map.c -index 996ad56b..82845a6 100644 ---- a/fs/btrfs/extent_map.c -+++ b/fs/btrfs/extent_map.c -@@ -290,8 +290,6 @@ int unpin_extent_cache(struct extent_map_tree *tree, u64 start, u64 len, - if (!em) - goto out; - -- if (!test_bit(EXTENT_FLAG_LOGGING, &em->flags)) -- list_move(&em->list, &tree->modified_extents); - em->generation = gen; - clear_bit(EXTENT_FLAG_PINNED, &em->flags); - em->mod_start = em->start; -diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c -index 2f6735d..31b148f 100644 ---- a/fs/ecryptfs/crypto.c -+++ b/fs/ecryptfs/crypto.c -@@ -1917,7 +1917,6 @@ ecryptfs_decode_from_filename(unsigned char *dst, size_t *dst_size, - break; - case 2: - dst[dst_byte_offset++] |= (src_byte); -- dst[dst_byte_offset] = 0; - current_bit_offset = 0; - break; - } -diff --git a/fs/ecryptfs/file.c b/fs/ecryptfs/file.c -index b1eaa7a..03df502 100644 ---- a/fs/ecryptfs/file.c -+++ b/fs/ecryptfs/file.c -@@ -191,23 +191,11 @@ static int ecryptfs_open(struct inode *inode, struct file *file) - { - int rc = 0; - struct ecryptfs_crypt_stat *crypt_stat = NULL; -- struct ecryptfs_mount_crypt_stat *mount_crypt_stat; - struct dentry *ecryptfs_dentry = file->f_path.dentry; - /* Private value of ecryptfs_dentry allocated in - * ecryptfs_lookup() */ - struct ecryptfs_file_info *file_info; - -- mount_crypt_stat = &ecryptfs_superblock_to_private( -- ecryptfs_dentry->d_sb)->mount_crypt_stat; -- if ((mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) -- && ((file->f_flags & O_WRONLY) || (file->f_flags & O_RDWR) -- || (file->f_flags & O_CREAT) || (file->f_flags & O_TRUNC) -- || (file->f_flags & O_APPEND))) { -- printk(KERN_WARNING "Mount has encrypted view enabled; " -- "files may only be read\n"); -- rc = -EPERM; -- goto out; -- } - /* Released in ecryptfs_release or end of function if failure */ - file_info = kmem_cache_zalloc(ecryptfs_file_info_cache, GFP_KERNEL); - ecryptfs_set_file_private(file, file_info); -diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c -index 1b119d3..34eb843 100644 ---- a/fs/ecryptfs/main.c -+++ b/fs/ecryptfs/main.c -@@ -493,6 +493,7 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags - { - struct super_block *s; - struct ecryptfs_sb_info *sbi; -+ struct ecryptfs_mount_crypt_stat *mount_crypt_stat; - struct ecryptfs_dentry_info *root_info; - const char *err = "Getting sb failed"; - struct inode *inode; -@@ -511,6 +512,7 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags - err = "Error parsing options"; - goto out; - } -+ mount_crypt_stat = &sbi->mount_crypt_stat; - - s = sget(fs_type, NULL, set_anon_super, flags, NULL); - if (IS_ERR(s)) { -@@ -557,11 +559,19 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags - - /** - * Set the POSIX ACL flag based on whether they're enabled in the lower -- * mount. Force a read-only eCryptfs mount if the lower mount is ro. -- * Allow a ro eCryptfs mount even when the lower mount is rw. -+ * mount. - */ - s->s_flags = flags & ~MS_POSIXACL; -- s->s_flags |= path.dentry->d_sb->s_flags & (MS_RDONLY | MS_POSIXACL); -+ s->s_flags |= path.dentry->d_sb->s_flags & MS_POSIXACL; -+ -+ /** -+ * Force a read-only eCryptfs mount when: -+ * 1) The lower mount is ro -+ * 2) The ecryptfs_encrypted_view mount option is specified -+ */ -+ if (path.dentry->d_sb->s_flags & MS_RDONLY || -+ mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) -+ s->s_flags |= MS_RDONLY; - - s->s_maxbytes = path.dentry->d_sb->s_maxbytes; - s->s_blocksize = path.dentry->d_sb->s_blocksize; -diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c -index f488bba..735d752 100644 ---- a/fs/isofs/rock.c -+++ b/fs/isofs/rock.c -@@ -30,6 +30,7 @@ struct rock_state { - int cont_size; - int cont_extent; - int cont_offset; -+ int cont_loops; - struct inode *inode; - }; - -@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode) - rs->inode = inode; - } - -+/* Maximum number of Rock Ridge continuation entries */ -+#define RR_MAX_CE_ENTRIES 32 -+ - /* - * Returns 0 if the caller should continue scanning, 1 if the scan must end - * and -ve on error. -@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs) - goto out; - } - ret = -EIO; -+ if (++rs->cont_loops >= RR_MAX_CE_ENTRIES) -+ goto out; - bh = sb_bread(rs->inode->i_sb, rs->cont_extent); - if (bh) { - memcpy(rs->buffer, bh->b_data + rs->cont_offset, -@@ -356,6 +362,9 @@ repeat: - rs.cont_size = isonum_733(rr->u.CE.size); - break; - case SIG('E', 'R'): -+ /* Invalid length of ER tag id? */ -+ if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len) -+ goto out; - ISOFS_SB(inode->i_sb)->s_rock = 1; - printk(KERN_DEBUG "ISO 9660 Extensions: "); - { -diff --git a/fs/namespace.c b/fs/namespace.c -index d9bf3ef..039f380 100644 ---- a/fs/namespace.c -+++ b/fs/namespace.c -@@ -1295,6 +1295,8 @@ void umount_tree(struct mount *mnt, int how) - } - if (last) { - last->mnt_hash.next = unmounted.first; -+ if (unmounted.first) -+ unmounted.first->pprev = &last->mnt_hash.next; - unmounted.first = tmp_list.first; - unmounted.first->pprev = &unmounted.first; - } -@@ -1439,6 +1441,9 @@ SYSCALL_DEFINE2(umount, char __user *, name, int, flags) - goto dput_and_out; - if (mnt->mnt.mnt_flags & MNT_LOCKED) - goto dput_and_out; -+ retval = -EPERM; -+ if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN)) -+ goto dput_and_out; - - retval = do_umount(mnt, flags); - dput_and_out: -@@ -1964,7 +1969,13 @@ static int do_remount(struct path *path, int flags, int mnt_flags, - } - if ((mnt->mnt.mnt_flags & MNT_LOCK_NODEV) && - !(mnt_flags & MNT_NODEV)) { -- return -EPERM; -+ /* Was the nodev implicitly added in mount? */ -+ if ((mnt->mnt_ns->user_ns != &init_user_ns) && -+ !(sb->s_type->fs_flags & FS_USERNS_DEV_MOUNT)) { -+ mnt_flags |= MNT_NODEV; -+ } else { -+ return -EPERM; -+ } - } - if ((mnt->mnt.mnt_flags & MNT_LOCK_NOSUID) && - !(mnt_flags & MNT_NOSUID)) { -diff --git a/fs/ncpfs/ioctl.c b/fs/ncpfs/ioctl.c -index 60426cc..2f970de 100644 ---- a/fs/ncpfs/ioctl.c -+++ b/fs/ncpfs/ioctl.c -@@ -448,7 +448,6 @@ static long __ncp_ioctl(struct inode *inode, unsigned int cmd, unsigned long arg - result = -EIO; - } - } -- result = 0; - } - mutex_unlock(&server->root_setup_lock); - -diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c -index bd01803..58258ad 100644 ---- a/fs/nfs/nfs4proc.c -+++ b/fs/nfs/nfs4proc.c -@@ -7589,6 +7589,9 @@ nfs4_proc_layoutget(struct nfs4_layoutget *lgp, gfp_t gfp_flags) - - dprintk("--> %s\n", __func__); - -+ /* nfs4_layoutget_release calls pnfs_put_layout_hdr */ -+ pnfs_get_layout_hdr(NFS_I(inode)->layout); -+ - lgp->args.layout.pages = nfs4_alloc_pages(max_pages, gfp_flags); - if (!lgp->args.layout.pages) { - nfs4_layoutget_release(lgp); -@@ -7601,9 +7604,6 @@ nfs4_proc_layoutget(struct nfs4_layoutget *lgp, gfp_t gfp_flags) - lgp->res.seq_res.sr_slot = NULL; - nfs4_init_sequence(&lgp->args.seq_args, &lgp->res.seq_res, 0); - -- /* nfs4_layoutget_release calls pnfs_put_layout_hdr */ -- pnfs_get_layout_hdr(NFS_I(inode)->layout); -- - task = rpc_run_task(&task_setup_data); - if (IS_ERR(task)) - return ERR_CAST(task); -diff --git a/fs/proc/base.c b/fs/proc/base.c -index b976062..489ba8c 100644 ---- a/fs/proc/base.c -+++ b/fs/proc/base.c -@@ -2555,6 +2555,57 @@ static const struct file_operations proc_projid_map_operations = { - .llseek = seq_lseek, - .release = proc_id_map_release, - }; -+ -+static int proc_setgroups_open(struct inode *inode, struct file *file) -+{ -+ struct user_namespace *ns = NULL; -+ struct task_struct *task; -+ int ret; -+ -+ ret = -ESRCH; -+ task = get_proc_task(inode); -+ if (task) { -+ rcu_read_lock(); -+ ns = get_user_ns(task_cred_xxx(task, user_ns)); -+ rcu_read_unlock(); -+ put_task_struct(task); -+ } -+ if (!ns) -+ goto err; -+ -+ if (file->f_mode & FMODE_WRITE) { -+ ret = -EACCES; -+ if (!ns_capable(ns, CAP_SYS_ADMIN)) -+ goto err_put_ns; -+ } -+ -+ ret = single_open(file, &proc_setgroups_show, ns); -+ if (ret) -+ goto err_put_ns; -+ -+ return 0; -+err_put_ns: -+ put_user_ns(ns); -+err: -+ return ret; -+} -+ -+static int proc_setgroups_release(struct inode *inode, struct file *file) -+{ -+ struct seq_file *seq = file->private_data; -+ struct user_namespace *ns = seq->private; -+ int ret = single_release(inode, file); -+ put_user_ns(ns); -+ return ret; -+} -+ -+static const struct file_operations proc_setgroups_operations = { -+ .open = proc_setgroups_open, -+ .write = proc_setgroups_write, -+ .read = seq_read, -+ .llseek = seq_lseek, -+ .release = proc_setgroups_release, -+}; - #endif /* CONFIG_USER_NS */ - - static int proc_pid_personality(struct seq_file *m, struct pid_namespace *ns, -@@ -2663,6 +2714,7 @@ static const struct pid_entry tgid_base_stuff[] = { - REG("uid_map", S_IRUGO|S_IWUSR, proc_uid_map_operations), - REG("gid_map", S_IRUGO|S_IWUSR, proc_gid_map_operations), - REG("projid_map", S_IRUGO|S_IWUSR, proc_projid_map_operations), -+ REG("setgroups", S_IRUGO|S_IWUSR, proc_setgroups_operations), - #endif - #ifdef CONFIG_CHECKPOINT_RESTORE - REG("timers", S_IRUGO, proc_timers_operations), -@@ -2998,6 +3050,7 @@ static const struct pid_entry tid_base_stuff[] = { - REG("uid_map", S_IRUGO|S_IWUSR, proc_uid_map_operations), - REG("gid_map", S_IRUGO|S_IWUSR, proc_gid_map_operations), - REG("projid_map", S_IRUGO|S_IWUSR, proc_projid_map_operations), -+ REG("setgroups", S_IRUGO|S_IWUSR, proc_setgroups_operations), - #endif - }; - -diff --git a/fs/udf/symlink.c b/fs/udf/symlink.c -index d7c6dbe..d89f324 100644 ---- a/fs/udf/symlink.c -+++ b/fs/udf/symlink.c -@@ -80,11 +80,17 @@ static int udf_symlink_filler(struct file *file, struct page *page) - struct inode *inode = page->mapping->host; - struct buffer_head *bh = NULL; - unsigned char *symlink; -- int err = -EIO; -+ int err; - unsigned char *p = kmap(page); - struct udf_inode_info *iinfo; - uint32_t pos; - -+ /* We don't support symlinks longer than one block */ -+ if (inode->i_size > inode->i_sb->s_blocksize) { -+ err = -ENAMETOOLONG; -+ goto out_unmap; -+ } -+ - iinfo = UDF_I(inode); - pos = udf_block_map(inode, 0); - -@@ -94,8 +100,10 @@ static int udf_symlink_filler(struct file *file, struct page *page) - } else { - bh = sb_bread(inode->i_sb, pos); - -- if (!bh) -- goto out; -+ if (!bh) { -+ err = -EIO; -+ goto out_unlock_inode; -+ } - - symlink = bh->b_data; - } -@@ -109,9 +117,10 @@ static int udf_symlink_filler(struct file *file, struct page *page) - unlock_page(page); - return 0; - --out: -+out_unlock_inode: - up_read(&iinfo->i_data_sem); - SetPageError(page); -+out_unmap: - kunmap(page); - unlock_page(page); - return err; -diff --git a/include/linux/audit.h b/include/linux/audit.h -index ec1464d..419b7d7 100644 ---- a/include/linux/audit.h -+++ b/include/linux/audit.h -@@ -47,6 +47,7 @@ struct sk_buff; - - struct audit_krule { - int vers_ops; -+ u32 pflags; - u32 flags; - u32 listnr; - u32 action; -@@ -64,6 +65,9 @@ struct audit_krule { - u64 prio; - }; - -+/* Flag to indicate legacy AUDIT_LOGINUID unset usage */ -+#define AUDIT_LOGINUID_LEGACY 0x1 -+ - struct audit_field { - u32 type; - u32 val; -diff --git a/include/linux/cred.h b/include/linux/cred.h -index 04421e8..6c58dd7 100644 ---- a/include/linux/cred.h -+++ b/include/linux/cred.h -@@ -68,6 +68,7 @@ extern void groups_free(struct group_info *); - extern int set_current_groups(struct group_info *); - extern int set_groups(struct cred *, struct group_info *); - extern int groups_search(const struct group_info *, kgid_t); -+extern bool may_setgroups(void); - - /* access the groups "array" with this macro */ - #define GROUP_AT(gi, i) \ -diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h -index 4836ba3..e92abf9 100644 ---- a/include/linux/user_namespace.h -+++ b/include/linux/user_namespace.h -@@ -17,6 +17,10 @@ struct uid_gid_map { /* 64 bytes -- 1 cache line */ - } extent[UID_GID_MAP_MAX_EXTENTS]; - }; - -+#define USERNS_SETGROUPS_ALLOWED 1UL -+ -+#define USERNS_INIT_FLAGS USERNS_SETGROUPS_ALLOWED -+ - struct user_namespace { - struct uid_gid_map uid_map; - struct uid_gid_map gid_map; -@@ -27,6 +31,7 @@ struct user_namespace { - kuid_t owner; - kgid_t group; - unsigned int proc_inum; -+ unsigned long flags; - - /* Register of per-UID persistent keyrings for this namespace */ - #ifdef CONFIG_PERSISTENT_KEYRINGS -@@ -63,6 +68,9 @@ extern struct seq_operations proc_projid_seq_operations; - extern ssize_t proc_uid_map_write(struct file *, const char __user *, size_t, loff_t *); - extern ssize_t proc_gid_map_write(struct file *, const char __user *, size_t, loff_t *); - extern ssize_t proc_projid_map_write(struct file *, const char __user *, size_t, loff_t *); -+extern ssize_t proc_setgroups_write(struct file *, const char __user *, size_t, loff_t *); -+extern int proc_setgroups_show(struct seq_file *m, void *v); -+extern bool userns_may_setgroups(const struct user_namespace *ns); - #else - - static inline struct user_namespace *get_user_ns(struct user_namespace *ns) -@@ -87,6 +95,10 @@ static inline void put_user_ns(struct user_namespace *ns) - { - } - -+static inline bool userns_may_setgroups(const struct user_namespace *ns) -+{ -+ return true; -+} - #endif - - #endif /* _LINUX_USER_H */ -diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c -index 92062fd..598c1dc 100644 ---- a/kernel/auditfilter.c -+++ b/kernel/auditfilter.c -@@ -429,6 +429,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, - if ((f->type == AUDIT_LOGINUID) && (f->val == AUDIT_UID_UNSET)) { - f->type = AUDIT_LOGINUID_SET; - f->val = 0; -+ entry->rule.pflags |= AUDIT_LOGINUID_LEGACY; - } - - err = audit_field_valid(entry, f); -@@ -604,6 +605,13 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) - data->buflen += data->values[i] = - audit_pack_string(&bufp, krule->filterkey); - break; -+ case AUDIT_LOGINUID_SET: -+ if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) { -+ data->fields[i] = AUDIT_LOGINUID; -+ data->values[i] = AUDIT_UID_UNSET; -+ break; -+ } -+ /* fallthrough if set */ - default: - data->values[i] = f->val; - } -@@ -620,6 +628,7 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) - int i; - - if (a->flags != b->flags || -+ a->pflags != b->pflags || - a->listnr != b->listnr || - a->action != b->action || - a->field_count != b->field_count) -@@ -738,6 +747,7 @@ struct audit_entry *audit_dupe_rule(struct audit_krule *old) - new = &entry->rule; - new->vers_ops = old->vers_ops; - new->flags = old->flags; -+ new->pflags = old->pflags; - new->listnr = old->listnr; - new->action = old->action; - for (i = 0; i < AUDIT_BITMASK_SIZE; i++) -diff --git a/kernel/groups.c b/kernel/groups.c -index 90cf1c3..67b4ba3 100644 ---- a/kernel/groups.c -+++ b/kernel/groups.c -@@ -6,6 +6,7 @@ - #include <linux/slab.h> - #include <linux/security.h> - #include <linux/syscalls.h> -+#include <linux/user_namespace.h> - #include <asm/uaccess.h> - - /* init to 2 - one for init_task, one to ensure it is never freed */ -@@ -223,6 +224,14 @@ out: - return i; - } - -+bool may_setgroups(void) -+{ -+ struct user_namespace *user_ns = current_user_ns(); -+ -+ return ns_capable(user_ns, CAP_SETGID) && -+ userns_may_setgroups(user_ns); -+} -+ - /* - * SMP: Our groups are copy-on-write. We can set them safely - * without another task interfering. -@@ -233,7 +242,7 @@ SYSCALL_DEFINE2(setgroups, int, gidsetsize, gid_t __user *, grouplist) - struct group_info *group_info; - int retval; - -- if (!ns_capable(current_user_ns(), CAP_SETGID)) -+ if (!may_setgroups()) - return -EPERM; - if ((unsigned)gidsetsize > NGROUPS_MAX) - return -EINVAL; -diff --git a/kernel/pid.c b/kernel/pid.c -index 9b9a266..82430c8 100644 ---- a/kernel/pid.c -+++ b/kernel/pid.c -@@ -341,6 +341,8 @@ out: - - out_unlock: - spin_unlock_irq(&pidmap_lock); -+ put_pid_ns(ns); -+ - out_free: - while (++i <= ns->level) - free_pidmap(pid->numbers + i); -diff --git a/kernel/uid16.c b/kernel/uid16.c -index 602e5bb..d58cc4d 100644 ---- a/kernel/uid16.c -+++ b/kernel/uid16.c -@@ -176,7 +176,7 @@ SYSCALL_DEFINE2(setgroups16, int, gidsetsize, old_gid_t __user *, grouplist) - struct group_info *group_info; - int retval; - -- if (!ns_capable(current_user_ns(), CAP_SETGID)) -+ if (!may_setgroups()) - return -EPERM; - if ((unsigned)gidsetsize > NGROUPS_MAX) - return -EINVAL; -diff --git a/kernel/user.c b/kernel/user.c -index c006131..c2bbb50 100644 ---- a/kernel/user.c -+++ b/kernel/user.c -@@ -51,6 +51,7 @@ struct user_namespace init_user_ns = { - .owner = GLOBAL_ROOT_UID, - .group = GLOBAL_ROOT_GID, - .proc_inum = PROC_USER_INIT_INO, -+ .flags = USERNS_INIT_FLAGS, - #ifdef CONFIG_PERSISTENT_KEYRINGS - .persistent_keyring_register_sem = - __RWSEM_INITIALIZER(init_user_ns.persistent_keyring_register_sem), -diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c -index 80a57af..153971e 100644 ---- a/kernel/user_namespace.c -+++ b/kernel/user_namespace.c -@@ -24,6 +24,7 @@ - #include <linux/fs_struct.h> - - static struct kmem_cache *user_ns_cachep __read_mostly; -+static DEFINE_MUTEX(userns_state_mutex); - - static bool new_idmap_permitted(const struct file *file, - struct user_namespace *ns, int cap_setid, -@@ -99,6 +100,11 @@ int create_user_ns(struct cred *new) - ns->owner = owner; - ns->group = group; - -+ /* Inherit USERNS_SETGROUPS_ALLOWED from our parent */ -+ mutex_lock(&userns_state_mutex); -+ ns->flags = parent_ns->flags; -+ mutex_unlock(&userns_state_mutex); -+ - set_cred_user_ns(new, ns); - - #ifdef CONFIG_PERSISTENT_KEYRINGS -@@ -581,9 +587,6 @@ static bool mappings_overlap(struct uid_gid_map *new_map, struct uid_gid_extent - return false; - } - -- --static DEFINE_MUTEX(id_map_mutex); -- - static ssize_t map_write(struct file *file, const char __user *buf, - size_t count, loff_t *ppos, - int cap_setid, -@@ -600,7 +603,7 @@ static ssize_t map_write(struct file *file, const char __user *buf, - ssize_t ret = -EINVAL; - - /* -- * The id_map_mutex serializes all writes to any given map. -+ * The userns_state_mutex serializes all writes to any given map. - * - * Any map is only ever written once. - * -@@ -618,7 +621,7 @@ static ssize_t map_write(struct file *file, const char __user *buf, - * order and smp_rmb() is guaranteed that we don't have crazy - * architectures returning stale data. - */ -- mutex_lock(&id_map_mutex); -+ mutex_lock(&userns_state_mutex); - - ret = -EPERM; - /* Only allow one successful write to the map */ -@@ -745,7 +748,7 @@ static ssize_t map_write(struct file *file, const char __user *buf, - *ppos = count; - ret = count; - out: -- mutex_unlock(&id_map_mutex); -+ mutex_unlock(&userns_state_mutex); - if (page) - free_page(page); - return ret; -@@ -804,17 +807,21 @@ static bool new_idmap_permitted(const struct file *file, - struct user_namespace *ns, int cap_setid, - struct uid_gid_map *new_map) - { -- /* Allow mapping to your own filesystem ids */ -- if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1)) { -+ const struct cred *cred = file->f_cred; -+ /* Don't allow mappings that would allow anything that wouldn't -+ * be allowed without the establishment of unprivileged mappings. -+ */ -+ if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) && -+ uid_eq(ns->owner, cred->euid)) { - u32 id = new_map->extent[0].lower_first; - if (cap_setid == CAP_SETUID) { - kuid_t uid = make_kuid(ns->parent, id); -- if (uid_eq(uid, file->f_cred->fsuid)) -+ if (uid_eq(uid, cred->euid)) - return true; -- } -- else if (cap_setid == CAP_SETGID) { -+ } else if (cap_setid == CAP_SETGID) { - kgid_t gid = make_kgid(ns->parent, id); -- if (gid_eq(gid, file->f_cred->fsgid)) -+ if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) && -+ gid_eq(gid, cred->egid)) - return true; - } - } -@@ -834,6 +841,100 @@ static bool new_idmap_permitted(const struct file *file, - return false; - } - -+int proc_setgroups_show(struct seq_file *seq, void *v) -+{ -+ struct user_namespace *ns = seq->private; -+ unsigned long userns_flags = ACCESS_ONCE(ns->flags); -+ -+ seq_printf(seq, "%s\n", -+ (userns_flags & USERNS_SETGROUPS_ALLOWED) ? -+ "allow" : "deny"); -+ return 0; -+} -+ -+ssize_t proc_setgroups_write(struct file *file, const char __user *buf, -+ size_t count, loff_t *ppos) -+{ -+ struct seq_file *seq = file->private_data; -+ struct user_namespace *ns = seq->private; -+ char kbuf[8], *pos; -+ bool setgroups_allowed; -+ ssize_t ret; -+ -+ /* Only allow a very narrow range of strings to be written */ -+ ret = -EINVAL; -+ if ((*ppos != 0) || (count >= sizeof(kbuf))) -+ goto out; -+ -+ /* What was written? */ -+ ret = -EFAULT; -+ if (copy_from_user(kbuf, buf, count)) -+ goto out; -+ kbuf[count] = '\0'; -+ pos = kbuf; -+ -+ /* What is being requested? */ -+ ret = -EINVAL; -+ if (strncmp(pos, "allow", 5) == 0) { -+ pos += 5; -+ setgroups_allowed = true; -+ } -+ else if (strncmp(pos, "deny", 4) == 0) { -+ pos += 4; -+ setgroups_allowed = false; -+ } -+ else -+ goto out; -+ -+ /* Verify there is not trailing junk on the line */ -+ pos = skip_spaces(pos); -+ if (*pos != '\0') -+ goto out; -+ -+ ret = -EPERM; -+ mutex_lock(&userns_state_mutex); -+ if (setgroups_allowed) { -+ /* Enabling setgroups after setgroups has been disabled -+ * is not allowed. -+ */ -+ if (!(ns->flags & USERNS_SETGROUPS_ALLOWED)) -+ goto out_unlock; -+ } else { -+ /* Permanently disabling setgroups after setgroups has -+ * been enabled by writing the gid_map is not allowed. -+ */ -+ if (ns->gid_map.nr_extents != 0) -+ goto out_unlock; -+ ns->flags &= ~USERNS_SETGROUPS_ALLOWED; -+ } -+ mutex_unlock(&userns_state_mutex); -+ -+ /* Report a successful write */ -+ *ppos = count; -+ ret = count; -+out: -+ return ret; -+out_unlock: -+ mutex_unlock(&userns_state_mutex); -+ goto out; -+} -+ -+bool userns_may_setgroups(const struct user_namespace *ns) -+{ -+ bool allowed; -+ -+ mutex_lock(&userns_state_mutex); -+ /* It is not safe to use setgroups until a gid mapping in -+ * the user namespace has been established. -+ */ -+ allowed = ns->gid_map.nr_extents != 0; -+ /* Is setgroups allowed? */ -+ allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED); -+ mutex_unlock(&userns_state_mutex); -+ -+ return allowed; -+} -+ - static void *userns_get(struct task_struct *task) - { - struct user_namespace *user_ns; -diff --git a/net/mac80211/key.c b/net/mac80211/key.c -index 6ff65a1..d78b37a 100644 ---- a/net/mac80211/key.c -+++ b/net/mac80211/key.c -@@ -652,7 +652,7 @@ void ieee80211_free_sta_keys(struct ieee80211_local *local, - int i; - - mutex_lock(&local->key_mtx); -- for (i = 0; i < NUM_DEFAULT_KEYS; i++) { -+ for (i = 0; i < ARRAY_SIZE(sta->gtk); i++) { - key = key_mtx_dereference(local, sta->gtk[i]); - if (!key) - continue; -diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c -index 095c160..1e4dc4e 100644 ---- a/net/mac80211/rx.c -+++ b/net/mac80211/rx.c -@@ -1679,14 +1679,14 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) - sc = le16_to_cpu(hdr->seq_ctrl); - frag = sc & IEEE80211_SCTL_FRAG; - -- if (likely(!ieee80211_has_morefrags(fc) && frag == 0)) -- goto out; -- - if (is_multicast_ether_addr(hdr->addr1)) { - rx->local->dot11MulticastReceivedFrameCount++; -- goto out; -+ goto out_no_led; - } - -+ if (likely(!ieee80211_has_morefrags(fc) && frag == 0)) -+ goto out; -+ - I802_DEBUG_INC(rx->local->rx_handlers_fragments); - - if (skb_linearize(rx->skb)) -@@ -1777,9 +1777,10 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) - status->rx_flags |= IEEE80211_RX_FRAGMENTED; - - out: -+ ieee80211_led_rx(rx->local); -+ out_no_led: - if (rx->sta) - rx->sta->rx_packets++; -- ieee80211_led_rx(rx->local); - return RX_CONTINUE; - } - -diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c -index 9e1e005..c4c8df4 100644 ---- a/security/keys/encrypted-keys/encrypted.c -+++ b/security/keys/encrypted-keys/encrypted.c -@@ -1018,10 +1018,13 @@ static int __init init_encrypted(void) - ret = encrypted_shash_alloc(); - if (ret < 0) - return ret; -+ ret = aes_get_sizes(); -+ if (ret < 0) -+ goto out; - ret = register_key_type(&key_type_encrypted); - if (ret < 0) - goto out; -- return aes_get_sizes(); -+ return 0; - out: - encrypted_shash_release(); - return ret; -diff --git a/tools/testing/selftests/mount/unprivileged-remount-test.c b/tools/testing/selftests/mount/unprivileged-remount-test.c -index 1b3ff2f..5177850 100644 ---- a/tools/testing/selftests/mount/unprivileged-remount-test.c -+++ b/tools/testing/selftests/mount/unprivileged-remount-test.c -@@ -6,6 +6,8 @@ - #include <sys/types.h> - #include <sys/mount.h> - #include <sys/wait.h> -+#include <sys/vfs.h> -+#include <sys/statvfs.h> - #include <stdlib.h> - #include <unistd.h> - #include <fcntl.h> -@@ -32,11 +34,14 @@ - # define CLONE_NEWPID 0x20000000 - #endif - -+#ifndef MS_REC -+# define MS_REC 16384 -+#endif - #ifndef MS_RELATIME --#define MS_RELATIME (1 << 21) -+# define MS_RELATIME (1 << 21) - #endif - #ifndef MS_STRICTATIME --#define MS_STRICTATIME (1 << 24) -+# define MS_STRICTATIME (1 << 24) - #endif - - static void die(char *fmt, ...) -@@ -48,17 +53,14 @@ static void die(char *fmt, ...) - exit(EXIT_FAILURE); - } - --static void write_file(char *filename, char *fmt, ...) -+static void vmaybe_write_file(bool enoent_ok, char *filename, char *fmt, va_list ap) - { - char buf[4096]; - int fd; - ssize_t written; - int buf_len; -- va_list ap; - -- va_start(ap, fmt); - buf_len = vsnprintf(buf, sizeof(buf), fmt, ap); -- va_end(ap); - if (buf_len < 0) { - die("vsnprintf failed: %s\n", - strerror(errno)); -@@ -69,6 +71,8 @@ static void write_file(char *filename, char *fmt, ...) - - fd = open(filename, O_WRONLY); - if (fd < 0) { -+ if ((errno == ENOENT) && enoent_ok) -+ return; - die("open of %s failed: %s\n", - filename, strerror(errno)); - } -@@ -87,6 +91,65 @@ static void write_file(char *filename, char *fmt, ...) - } - } - -+static void maybe_write_file(char *filename, char *fmt, ...) -+{ -+ va_list ap; -+ -+ va_start(ap, fmt); -+ vmaybe_write_file(true, filename, fmt, ap); -+ va_end(ap); -+ -+} -+ -+static void write_file(char *filename, char *fmt, ...) -+{ -+ va_list ap; -+ -+ va_start(ap, fmt); -+ vmaybe_write_file(false, filename, fmt, ap); -+ va_end(ap); -+ -+} -+ -+static int read_mnt_flags(const char *path) -+{ -+ int ret; -+ struct statvfs stat; -+ int mnt_flags; -+ -+ ret = statvfs(path, &stat); -+ if (ret != 0) { -+ die("statvfs of %s failed: %s\n", -+ path, strerror(errno)); -+ } -+ if (stat.f_flag & ~(ST_RDONLY | ST_NOSUID | ST_NODEV | \ -+ ST_NOEXEC | ST_NOATIME | ST_NODIRATIME | ST_RELATIME | \ -+ ST_SYNCHRONOUS | ST_MANDLOCK)) { -+ die("Unrecognized mount flags\n"); -+ } -+ mnt_flags = 0; -+ if (stat.f_flag & ST_RDONLY) -+ mnt_flags |= MS_RDONLY; -+ if (stat.f_flag & ST_NOSUID) -+ mnt_flags |= MS_NOSUID; -+ if (stat.f_flag & ST_NODEV) -+ mnt_flags |= MS_NODEV; -+ if (stat.f_flag & ST_NOEXEC) -+ mnt_flags |= MS_NOEXEC; -+ if (stat.f_flag & ST_NOATIME) -+ mnt_flags |= MS_NOATIME; -+ if (stat.f_flag & ST_NODIRATIME) -+ mnt_flags |= MS_NODIRATIME; -+ if (stat.f_flag & ST_RELATIME) -+ mnt_flags |= MS_RELATIME; -+ if (stat.f_flag & ST_SYNCHRONOUS) -+ mnt_flags |= MS_SYNCHRONOUS; -+ if (stat.f_flag & ST_MANDLOCK) -+ mnt_flags |= ST_MANDLOCK; -+ -+ return mnt_flags; -+} -+ - static void create_and_enter_userns(void) - { - uid_t uid; -@@ -100,13 +163,10 @@ static void create_and_enter_userns(void) - strerror(errno)); - } - -+ maybe_write_file("/proc/self/setgroups", "deny"); - write_file("/proc/self/uid_map", "0 %d 1", uid); - write_file("/proc/self/gid_map", "0 %d 1", gid); - -- if (setgroups(0, NULL) != 0) { -- die("setgroups failed: %s\n", -- strerror(errno)); -- } - if (setgid(0) != 0) { - die ("setgid(0) failed %s\n", - strerror(errno)); -@@ -118,7 +178,8 @@ static void create_and_enter_userns(void) - } - - static --bool test_unpriv_remount(int mount_flags, int remount_flags, int invalid_flags) -+bool test_unpriv_remount(const char *fstype, const char *mount_options, -+ int mount_flags, int remount_flags, int invalid_flags) - { - pid_t child; - -@@ -151,9 +212,11 @@ bool test_unpriv_remount(int mount_flags, int remount_flags, int invalid_flags) - strerror(errno)); - } - -- if (mount("testing", "/tmp", "ramfs", mount_flags, NULL) != 0) { -- die("mount of /tmp failed: %s\n", -- strerror(errno)); -+ if (mount("testing", "/tmp", fstype, mount_flags, mount_options) != 0) { -+ die("mount of %s with options '%s' on /tmp failed: %s\n", -+ fstype, -+ mount_options? mount_options : "", -+ strerror(errno)); - } - - create_and_enter_userns(); -@@ -181,62 +244,127 @@ bool test_unpriv_remount(int mount_flags, int remount_flags, int invalid_flags) - - static bool test_unpriv_remount_simple(int mount_flags) - { -- return test_unpriv_remount(mount_flags, mount_flags, 0); -+ return test_unpriv_remount("ramfs", NULL, mount_flags, mount_flags, 0); - } - - static bool test_unpriv_remount_atime(int mount_flags, int invalid_flags) - { -- return test_unpriv_remount(mount_flags, mount_flags, invalid_flags); -+ return test_unpriv_remount("ramfs", NULL, mount_flags, mount_flags, -+ invalid_flags); -+} -+ -+static bool test_priv_mount_unpriv_remount(void) -+{ -+ pid_t child; -+ int ret; -+ const char *orig_path = "/dev"; -+ const char *dest_path = "/tmp"; -+ int orig_mnt_flags, remount_mnt_flags; -+ -+ child = fork(); -+ if (child == -1) { -+ die("fork failed: %s\n", -+ strerror(errno)); -+ } -+ if (child != 0) { /* parent */ -+ pid_t pid; -+ int status; -+ pid = waitpid(child, &status, 0); -+ if (pid == -1) { -+ die("waitpid failed: %s\n", -+ strerror(errno)); -+ } -+ if (pid != child) { -+ die("waited for %d got %d\n", -+ child, pid); -+ } -+ if (!WIFEXITED(status)) { -+ die("child did not terminate cleanly\n"); -+ } -+ return WEXITSTATUS(status) == EXIT_SUCCESS ? true : false; -+ } -+ -+ orig_mnt_flags = read_mnt_flags(orig_path); -+ -+ create_and_enter_userns(); -+ ret = unshare(CLONE_NEWNS); -+ if (ret != 0) { -+ die("unshare(CLONE_NEWNS) failed: %s\n", -+ strerror(errno)); -+ } -+ -+ ret = mount(orig_path, dest_path, "bind", MS_BIND | MS_REC, NULL); -+ if (ret != 0) { -+ die("recursive bind mount of %s onto %s failed: %s\n", -+ orig_path, dest_path, strerror(errno)); -+ } -+ -+ ret = mount(dest_path, dest_path, "none", -+ MS_REMOUNT | MS_BIND | orig_mnt_flags , NULL); -+ if (ret != 0) { -+ /* system("cat /proc/self/mounts"); */ -+ die("remount of /tmp failed: %s\n", -+ strerror(errno)); -+ } -+ -+ remount_mnt_flags = read_mnt_flags(dest_path); -+ if (orig_mnt_flags != remount_mnt_flags) { -+ die("Mount flags unexpectedly changed during remount of %s originally mounted on %s\n", -+ dest_path, orig_path); -+ } -+ exit(EXIT_SUCCESS); - } - - int main(int argc, char **argv) - { -- if (!test_unpriv_remount_simple(MS_RDONLY|MS_NODEV)) { -+ if (!test_unpriv_remount_simple(MS_RDONLY)) { - die("MS_RDONLY malfunctions\n"); - } -- if (!test_unpriv_remount_simple(MS_NODEV)) { -+ if (!test_unpriv_remount("devpts", "newinstance", MS_NODEV, MS_NODEV, 0)) { - die("MS_NODEV malfunctions\n"); - } -- if (!test_unpriv_remount_simple(MS_NOSUID|MS_NODEV)) { -+ if (!test_unpriv_remount_simple(MS_NOSUID)) { - die("MS_NOSUID malfunctions\n"); - } -- if (!test_unpriv_remount_simple(MS_NOEXEC|MS_NODEV)) { -+ if (!test_unpriv_remount_simple(MS_NOEXEC)) { - die("MS_NOEXEC malfunctions\n"); - } -- if (!test_unpriv_remount_atime(MS_RELATIME|MS_NODEV, -- MS_NOATIME|MS_NODEV)) -+ if (!test_unpriv_remount_atime(MS_RELATIME, -+ MS_NOATIME)) - { - die("MS_RELATIME malfunctions\n"); - } -- if (!test_unpriv_remount_atime(MS_STRICTATIME|MS_NODEV, -- MS_NOATIME|MS_NODEV)) -+ if (!test_unpriv_remount_atime(MS_STRICTATIME, -+ MS_NOATIME)) - { - die("MS_STRICTATIME malfunctions\n"); - } -- if (!test_unpriv_remount_atime(MS_NOATIME|MS_NODEV, -- MS_STRICTATIME|MS_NODEV)) -+ if (!test_unpriv_remount_atime(MS_NOATIME, -+ MS_STRICTATIME)) - { -- die("MS_RELATIME malfunctions\n"); -+ die("MS_NOATIME malfunctions\n"); - } -- if (!test_unpriv_remount_atime(MS_RELATIME|MS_NODIRATIME|MS_NODEV, -- MS_NOATIME|MS_NODEV)) -+ if (!test_unpriv_remount_atime(MS_RELATIME|MS_NODIRATIME, -+ MS_NOATIME)) - { -- die("MS_RELATIME malfunctions\n"); -+ die("MS_RELATIME|MS_NODIRATIME malfunctions\n"); - } -- if (!test_unpriv_remount_atime(MS_STRICTATIME|MS_NODIRATIME|MS_NODEV, -- MS_NOATIME|MS_NODEV)) -+ if (!test_unpriv_remount_atime(MS_STRICTATIME|MS_NODIRATIME, -+ MS_NOATIME)) - { -- die("MS_RELATIME malfunctions\n"); -+ die("MS_STRICTATIME|MS_NODIRATIME malfunctions\n"); - } -- if (!test_unpriv_remount_atime(MS_NOATIME|MS_NODIRATIME|MS_NODEV, -- MS_STRICTATIME|MS_NODEV)) -+ if (!test_unpriv_remount_atime(MS_NOATIME|MS_NODIRATIME, -+ MS_STRICTATIME)) - { -- die("MS_RELATIME malfunctions\n"); -+ die("MS_NOATIME|MS_DIRATIME malfunctions\n"); - } -- if (!test_unpriv_remount(MS_STRICTATIME|MS_NODEV, MS_NODEV, -- MS_NOATIME|MS_NODEV)) -+ if (!test_unpriv_remount("ramfs", NULL, MS_STRICTATIME, 0, MS_NOATIME)) - { - die("Default atime malfunctions\n"); - } -+ if (!test_priv_mount_unpriv_remount()) { -+ die("Mount flags unexpectedly changed after remount\n"); -+ } - return EXIT_SUCCESS; - } diff --git a/3.14.28/0000_README b/3.14.29/0000_README index ae1226b..77bdae3 100644 --- a/3.14.28/0000_README +++ b/3.14.29/0000_README @@ -2,11 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 1027_linux-3.14.28.patch -From: http://www.kernel.org -Desc: Linux 3.14.28 - -Patch: 4420_grsecurity-3.0-3.14.28-201501142323.patch +Patch: 4420_grsecurity-3.0-3.14.29-201501211943.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.14.28/4420_grsecurity-3.0-3.14.28-201501142323.patch b/3.14.29/4420_grsecurity-3.0-3.14.29-201501211943.patch index 7a014f0..5df869a 100644 --- a/3.14.28/4420_grsecurity-3.0-3.14.28-201501142323.patch +++ b/3.14.29/4420_grsecurity-3.0-3.14.29-201501211943.patch @@ -292,7 +292,7 @@ index 7116fda..2f71588 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index a2e572b..b0e0734 100644 +index 7aff64e..32dc1aa 100644 --- a/Makefile +++ b/Makefile @@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -3047,7 +3047,7 @@ index 0dd3b79..b67388e 100644 if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) trace_sys_enter(regs, scno); diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c -index 1e8b030..37c3022 100644 +index aab70f6..bd2751b 100644 --- a/arch/arm/kernel/setup.c +++ b/arch/arm/kernel/setup.c @@ -100,21 +100,23 @@ EXPORT_SYMBOL(system_serial_high); @@ -3153,7 +3153,7 @@ index 04d6388..5115238 100644 - return page; -} diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c -index b7b4c86..47c4f77 100644 +index 8cd3724..ea86e94 100644 --- a/arch/arm/kernel/smp.c +++ b/arch/arm/kernel/smp.c @@ -73,7 +73,7 @@ enum ipi_msg_type { @@ -21766,10 +21766,10 @@ index 95700e5..19779f8 100644 .attrs = NULL, /* patched at runtime */ }; diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.c b/arch/x86/kernel/cpu/perf_event_intel_uncore.c -index 047f540..afdeba0 100644 +index 2f98588..aa6f3c4 100644 --- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c +++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c -@@ -3326,7 +3326,7 @@ static void __init uncore_types_exit(struct intel_uncore_type **types) +@@ -3342,7 +3342,7 @@ static void __init uncore_types_exit(struct intel_uncore_type **types) static int __init uncore_type_init(struct intel_uncore_type *type) { struct intel_uncore_pmu *pmus; @@ -35954,7 +35954,7 @@ index d6bfb87..876ee18 100644 return NULL; } diff --git a/arch/x86/vdso/vma.c b/arch/x86/vdso/vma.c -index 431e875..cbb23f3 100644 +index ab6ba35..7ede14e 100644 --- a/arch/x86/vdso/vma.c +++ b/arch/x86/vdso/vma.c @@ -16,8 +16,6 @@ @@ -35966,15 +35966,20 @@ index 431e875..cbb23f3 100644 extern char vdso_start[], vdso_end[]; extern unsigned short vdso_sync_cpuid; -@@ -141,7 +139,6 @@ static unsigned long vdso_addr(unsigned long start, unsigned len) - * unaligned here as a result of stack start randomization. - */ - addr = PAGE_ALIGN(addr); -- addr = align_vdso_addr(addr); +@@ -152,12 +150,6 @@ static unsigned long vdso_addr(unsigned long start, unsigned len) + addr = start; + } +- /* +- * Forcibly align the final address in case we have a hardware +- * issue that requires alignment for performance reasons. +- */ +- addr = align_vdso_addr(addr); +- return addr; } -@@ -154,30 +151,31 @@ static int setup_additional_pages(struct linux_binprm *bprm, + +@@ -169,30 +161,37 @@ static int setup_additional_pages(struct linux_binprm *bprm, unsigned size) { struct mm_struct *mm = current->mm; @@ -35992,7 +35997,13 @@ index 431e875..cbb23f3 100644 +#endif + addr = vdso_addr(mm->start_stack, size); ++ ++ /* ++ * Forcibly align the final address in case we have a hardware ++ * issue that requires alignment for performance reasons. ++ */ + addr = align_vdso_addr(addr); ++ addr = get_unmapped_area(NULL, addr, size, 0, 0); if (IS_ERR_VALUE(addr)) { ret = addr; @@ -36015,7 +36026,7 @@ index 431e875..cbb23f3 100644 up_fail: up_write(&mm->mmap_sem); -@@ -197,10 +195,3 @@ int x32_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) +@@ -212,10 +211,3 @@ int x32_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) vdsox32_size); } #endif @@ -36039,7 +36050,7 @@ index 01b9026..1e476df 100644 This is the Linux Xen port. Enabling this will allow the kernel to boot in a paravirtualized environment under the diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c -index 201d09a..e4723e5 100644 +index 201d09a..be93768 100644 --- a/arch/x86/xen/enlighten.c +++ b/arch/x86/xen/enlighten.c @@ -123,8 +123,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); @@ -36127,7 +36138,19 @@ index 201d09a..e4723e5 100644 { if (pm_power_off) pm_power_off(); -@@ -1564,7 +1560,17 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1455,8 +1451,9 @@ static void __ref xen_setup_gdt(int cpu) + pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry_boot; + pv_cpu_ops.load_gdt = xen_load_gdt_boot; + +- setup_stack_canary_segment(0); +- switch_to_new_gdt(0); ++ setup_stack_canary_segment(cpu); ++ load_percpu_segment(cpu); ++ switch_to_new_gdt(cpu); + + pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry; + pv_cpu_ops.load_gdt = xen_load_gdt; +@@ -1564,7 +1561,17 @@ asmlinkage void __init xen_start_kernel(void) __userpte_alloc_gfp &= ~__GFP_HIGHMEM; /* Work out if we support NX */ @@ -36146,7 +36169,7 @@ index 201d09a..e4723e5 100644 /* Get mfn list */ xen_build_dynamic_phys_to_machine(); -@@ -1592,13 +1598,6 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1592,13 +1599,6 @@ asmlinkage void __init xen_start_kernel(void) machine_ops = xen_machine_ops; @@ -36558,7 +36581,7 @@ index a0926a6..b2b14b2 100644 err = -EFAULT; goto out; diff --git a/block/genhd.c b/block/genhd.c -index e6723bd..703e4ac 100644 +index a8d586a..d9910b1 100644 --- a/block/genhd.c +++ b/block/genhd.c @@ -469,21 +469,24 @@ static char *bdevt_str(dev_t devt, char *buf) @@ -38091,10 +38114,10 @@ index 969c3c2..9b72956 100644 } diff --git a/drivers/base/bus.c b/drivers/base/bus.c -index 59dc808..f10c74e 100644 +index 45d0fa7..89244c9 100644 --- a/drivers/base/bus.c +++ b/drivers/base/bus.c -@@ -1124,7 +1124,7 @@ int subsys_interface_register(struct subsys_interface *sif) +@@ -1126,7 +1126,7 @@ int subsys_interface_register(struct subsys_interface *sif) return -EINVAL; mutex_lock(&subsys->p->mutex); @@ -38103,7 +38126,7 @@ index 59dc808..f10c74e 100644 if (sif->add_dev) { subsys_dev_iter_init(&iter, subsys, NULL, NULL); while ((dev = subsys_dev_iter_next(&iter))) -@@ -1149,7 +1149,7 @@ void subsys_interface_unregister(struct subsys_interface *sif) +@@ -1151,7 +1151,7 @@ void subsys_interface_unregister(struct subsys_interface *sif) subsys = sif->subsys; mutex_lock(&subsys->p->mutex); @@ -42491,10 +42514,10 @@ index 37ac7b5..d52a5c9 100644 /* copy over all the bus versions */ if (dev->bus && dev->bus->pm) { diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index 7cd42ea..a367c48 100644 +index d92c7d9..ba3e5c0 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c -@@ -2432,7 +2432,7 @@ EXPORT_SYMBOL_GPL(hid_ignore); +@@ -2433,7 +2433,7 @@ EXPORT_SYMBOL_GPL(hid_ignore); int hid_add_device(struct hid_device *hdev) { @@ -42503,7 +42526,7 @@ index 7cd42ea..a367c48 100644 int ret; if (WARN_ON(hdev->status & HID_STAT_ADDED)) -@@ -2466,7 +2466,7 @@ int hid_add_device(struct hid_device *hdev) +@@ -2467,7 +2467,7 @@ int hid_add_device(struct hid_device *hdev) /* XXX hack, any other cleaner solution after the driver core * is converted to allow more than 20 bytes as the device name? */ dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus, @@ -43933,7 +43956,7 @@ index 1946101..09766d2 100644 #include "qib_common.h" #include "qib_verbs.h" diff --git a/drivers/input/evdev.c b/drivers/input/evdev.c -index ce953d8..da10215 100644 +index ce953d8..1469995 100644 --- a/drivers/input/evdev.c +++ b/drivers/input/evdev.c @@ -422,7 +422,7 @@ static int evdev_open(struct inode *inode, struct file *file) @@ -43945,6 +43968,43 @@ index ce953d8..da10215 100644 return error; } +@@ -757,20 +757,23 @@ static int evdev_handle_set_keycode_v2(struct input_dev *dev, void __user *p) + */ + static int evdev_handle_get_val(struct evdev_client *client, + struct input_dev *dev, unsigned int type, +- unsigned long *bits, unsigned int max, +- unsigned int size, void __user *p, int compat) ++ unsigned long *bits, unsigned int maxbit, ++ unsigned int maxlen, void __user *p, ++ int compat) + { + int ret; + unsigned long *mem; ++ size_t len; + +- mem = kmalloc(sizeof(unsigned long) * max, GFP_KERNEL); ++ len = BITS_TO_LONGS(maxbit) * sizeof(unsigned long); ++ mem = kmalloc(len, GFP_KERNEL); + if (!mem) + return -ENOMEM; + + spin_lock_irq(&dev->event_lock); + spin_lock(&client->buffer_lock); + +- memcpy(mem, bits, sizeof(unsigned long) * max); ++ memcpy(mem, bits, len); + + spin_unlock(&dev->event_lock); + +@@ -778,7 +781,7 @@ static int evdev_handle_get_val(struct evdev_client *client, + + spin_unlock_irq(&client->buffer_lock); + +- ret = bits_to_user(mem, max, size, p, compat); ++ ret = bits_to_user(mem, maxbit, maxlen, p, compat); + if (ret < 0) + evdev_queue_syn_dropped(client); + diff --git a/drivers/input/gameport/gameport.c b/drivers/input/gameport/gameport.c index 24c41ba..102d71f 100644 --- a/drivers/input/gameport/gameport.c @@ -47918,6 +47978,42 @@ index dff0977..6df4b1d 100644 adapter->vfinfo[vf].spoofchk_enabled = setting; regval = IXGBE_READ_REG(hw, IXGBE_PFVFSPOOF(vf_target_reg)); +diff --git a/drivers/net/ethernet/neterion/s2io.c b/drivers/net/ethernet/neterion/s2io.c +index 9eeddbd..6d9e10d 100644 +--- a/drivers/net/ethernet/neterion/s2io.c ++++ b/drivers/net/ethernet/neterion/s2io.c +@@ -6992,7 +6992,9 @@ static int s2io_add_isr(struct s2io_nic *sp) + if (sp->s2io_entries[i].in_use == MSIX_FLG) { + if (sp->s2io_entries[i].type == + MSIX_RING_TYPE) { +- sprintf(sp->desc[i], "%s:MSI-X-%d-RX", ++ snprintf(sp->desc[i], ++ sizeof(sp->desc[i]), ++ "%s:MSI-X-%d-RX", + dev->name, i); + err = request_irq(sp->entries[i].vector, + s2io_msix_ring_handle, +@@ -7001,7 +7003,9 @@ static int s2io_add_isr(struct s2io_nic *sp) + sp->s2io_entries[i].arg); + } else if (sp->s2io_entries[i].type == + MSIX_ALARM_TYPE) { +- sprintf(sp->desc[i], "%s:MSI-X-%d-TX", ++ snprintf(sp->desc[i], ++ sizeof(sp->desc[i]), ++ "%s:MSI-X-%d-TX", + dev->name, i); + err = request_irq(sp->entries[i].vector, + s2io_msix_fifo_handle, +@@ -8159,7 +8163,8 @@ s2io_init_nic(struct pci_dev *pdev, const struct pci_device_id *pre) + "%s: UDP Fragmentation Offload(UFO) enabled\n", + dev->name); + /* Initialize device name */ +- sprintf(sp->name, "%s Neterion %s", dev->name, sp->product_name); ++ snprintf(sp->name, sizeof(sp->name), "%s Neterion %s", dev->name, ++ sp->product_name); + + if (vlan_tag_strip) + sp->vlan_strip_flag = 1; diff --git a/drivers/net/ethernet/neterion/vxge/vxge-config.c b/drivers/net/ethernet/neterion/vxge/vxge-config.c index 089b713..28d87ae 100644 --- a/drivers/net/ethernet/neterion/vxge/vxge-config.c @@ -48928,7 +49024,7 @@ index 729ffbf..49f50e3 100644 static u16 ar9003_calc_ptr_chksum(struct ar9003_txc *ads) diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h -index 0acd4b5..0591c91 100644 +index 32ae0a4..90fdaf5 100644 --- a/drivers/net/wireless/ath/ath9k/hw.h +++ b/drivers/net/wireless/ath/ath9k/hw.h @@ -629,7 +629,7 @@ struct ath_hw_private_ops { @@ -49736,7 +49832,7 @@ index e1e7026..d28dd33 100644 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1) diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c -index 34dff3a..70a5646 100644 +index 5b428db..553e4e3 100644 --- a/drivers/pci/probe.c +++ b/drivers/pci/probe.c @@ -175,7 +175,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type, @@ -52932,7 +53028,7 @@ index 2ebe47b..3205833 100644 dlci->modem_rx = 0; diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c -index 28ac3f3..9019b3b 100644 +index d46b4cc..c470f00 100644 --- a/drivers/tty/n_tty.c +++ b/drivers/tty/n_tty.c @@ -115,7 +115,7 @@ struct n_tty_data { @@ -52944,7 +53040,7 @@ index 28ac3f3..9019b3b 100644 size_t line_start; /* protected by output lock */ -@@ -2520,6 +2520,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops) +@@ -2521,6 +2521,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops) { *ops = tty_ldisc_N_TTY; ops->owner = NULL; @@ -53160,7 +53256,7 @@ index c0f2b3e..7e3f80c 100644 if (unlikely(pdev->id < 0 || pdev->id >= UART_NR)) return -ENXIO; diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c -index 9cd706d..6ff2de7 100644 +index 7d3a3f5..0ac875e 100644 --- a/drivers/tty/serial/samsung.c +++ b/drivers/tty/serial/samsung.c @@ -463,11 +463,16 @@ static void s3c24xx_serial_shutdown(struct uart_port *port) @@ -53180,7 +53276,7 @@ index 9cd706d..6ff2de7 100644 dbg("s3c24xx_serial_startup: port=%p (%08lx,%p)\n", port->mapbase, port->membase); -@@ -1141,10 +1146,6 @@ static int s3c24xx_serial_init_port(struct s3c24xx_uart_port *ourport, +@@ -1145,10 +1150,6 @@ static int s3c24xx_serial_init_port(struct s3c24xx_uart_port *ourport, /* setup info for port */ port->dev = &platdev->dev; @@ -59304,7 +59400,7 @@ index cbd3a7d6f..c6a2881 100644 WARN_ON(trans->transid != btrfs_header_generation(parent)); diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c -index 451b00c..a2cccee 100644 +index 12e3556..eea9bcf 100644 --- a/fs/btrfs/delayed-inode.c +++ b/fs/btrfs/delayed-inode.c @@ -459,7 +459,7 @@ static int __btrfs_add_delayed_deletion_item(struct btrfs_delayed_node *node, @@ -64706,7 +64802,7 @@ index 86f5d3e..ae2d35a 100644 static struct nfsd4_operation nfsd4_ops[]; diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c -index 8657335..cd3e37f 100644 +index dd1afa3..509afd1 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -1542,7 +1542,7 @@ nfsd4_decode_notsupp(struct nfsd4_compoundargs *argp, void *p) @@ -65022,10 +65118,10 @@ index 0440134..d52c93a 100644 bail: if (handle) diff --git a/fs/ocfs2/namei.c b/fs/ocfs2/namei.c -index feed025f..cee9402 100644 +index b242762..04fc642 100644 --- a/fs/ocfs2/namei.c +++ b/fs/ocfs2/namei.c -@@ -158,7 +158,7 @@ bail_add: +@@ -166,7 +166,7 @@ bail_add: * NOTE: This dentry already has ->d_op set from * ocfs2_get_parent() and ocfs2_get_dentry() */ @@ -83806,7 +83902,7 @@ index 5bba088..7ad4ae7 100644 static inline int vma_dup_policy(struct vm_area_struct *src, struct vm_area_struct *dst) diff --git a/include/linux/mm.h b/include/linux/mm.h -index d5039da..152c9ea 100644 +index 46b8ab5..6823be2 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -127,6 +127,11 @@ extern unsigned int kobjsize(const void *objp); @@ -89374,7 +89470,7 @@ index 0b097c8..11dd5c5 100644 #ifdef CONFIG_MODULE_UNLOAD { diff --git a/kernel/events/core.c b/kernel/events/core.c -index 4bbb27a..decf605 100644 +index 69cffb4..54dc2d9 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -159,8 +159,15 @@ static struct srcu_struct pmus_srcu; @@ -92310,6 +92406,28 @@ index 1f4bcb3..99cf7ab 100644 goto out_put_task_struct; } +diff --git a/kernel/range.c b/kernel/range.c +index 322ea8e..82cfc28 100644 +--- a/kernel/range.c ++++ b/kernel/range.c +@@ -113,12 +113,12 @@ static int cmp_range(const void *x1, const void *x2) + { + const struct range *r1 = x1; + const struct range *r2 = x2; +- s64 start1, start2; + +- start1 = r1->start; +- start2 = r2->start; +- +- return start1 - start2; ++ if (r1->start < r2->start) ++ return -1; ++ if (r1->start > r2->start) ++ return 1; ++ return 0; + } + + int clean_sort_range(struct range *range, int az) diff --git a/kernel/rcu/srcu.c b/kernel/rcu/srcu.c index 3318d82..1a5b2d1 100644 --- a/kernel/rcu/srcu.c @@ -96360,7 +96478,7 @@ index a98c7fc..393f8f1 100644 } unset_migratetype_isolate(page, MIGRATE_MOVABLE); diff --git a/mm/memory.c b/mm/memory.c -index 48d7365..732f880 100644 +index 924429e..732f880 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -403,6 +403,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud, @@ -96799,7 +96917,7 @@ index 48d7365..732f880 100644 - if (prev && prev->vm_end == address) - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM; - -- expand_downwards(vma, address - PAGE_SIZE); +- return expand_downwards(vma, address - PAGE_SIZE); - } - if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) { - struct vm_area_struct *next = vma->vm_next; @@ -96808,7 +96926,7 @@ index 48d7365..732f880 100644 - if (next && next->vm_start == address + PAGE_SIZE) - return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM; - -- expand_upwards(vma, address + PAGE_SIZE); +- return expand_upwards(vma, address + PAGE_SIZE); - } - return 0; -} @@ -97245,7 +97363,7 @@ index b1eb536..091d154 100644 capable(CAP_IPC_LOCK)) ret = do_mlockall(flags); diff --git a/mm/mmap.c b/mm/mmap.c -index b91ac80..390920e 100644 +index 085bcd8..cb98f9f 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -37,6 +37,7 @@ @@ -97902,15 +98020,17 @@ index b91ac80..390920e 100644 /* * Verify that the stack growth is acceptable and * update accounting. This is shared with both the -@@ -2065,6 +2370,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns - return -ENOMEM; +@@ -2066,8 +2371,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns /* Stack limit test */ -+ gr_learn_resource(current, RLIMIT_STACK, size, 1); - if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur)) + actual_size = size; +- if (size && (vma->vm_flags & (VM_GROWSUP | VM_GROWSDOWN))) +- actual_size -= PAGE_SIZE; ++ gr_learn_resource(current, RLIMIT_STACK, actual_size, 1); + if (actual_size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur)) return -ENOMEM; -@@ -2075,6 +2381,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -2078,6 +2382,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns locked = mm->locked_vm + grow; limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur); limit >>= PAGE_SHIFT; @@ -97918,7 +98038,7 @@ index b91ac80..390920e 100644 if (locked > limit && !capable(CAP_IPC_LOCK)) return -ENOMEM; } -@@ -2104,37 +2411,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -2107,37 +2412,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns * PA-RISC uses this for its stack; IA64 for its Register Backing Store. * vma is the last one with address > vma->vm_end. Have to extend vma. */ @@ -97976,7 +98096,7 @@ index b91ac80..390920e 100644 unsigned long size, grow; size = address - vma->vm_start; -@@ -2169,6 +2487,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) +@@ -2172,6 +2488,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) } } } @@ -97985,7 +98105,7 @@ index b91ac80..390920e 100644 vma_unlock_anon_vma(vma); khugepaged_enter_vma_merge(vma); validate_mm(vma->vm_mm); -@@ -2183,6 +2503,8 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2186,6 +2504,8 @@ int expand_downwards(struct vm_area_struct *vma, unsigned long address) { int error; @@ -97994,7 +98114,7 @@ index b91ac80..390920e 100644 /* * We must make sure the anon_vma is allocated -@@ -2196,6 +2518,15 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2199,6 +2519,15 @@ int expand_downwards(struct vm_area_struct *vma, if (error) return error; @@ -98010,7 +98130,7 @@ index b91ac80..390920e 100644 vma_lock_anon_vma(vma); /* -@@ -2205,9 +2536,17 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2208,9 +2537,17 @@ int expand_downwards(struct vm_area_struct *vma, */ /* Somebody else might have raced and expanded it already */ @@ -98029,7 +98149,7 @@ index b91ac80..390920e 100644 size = vma->vm_end - address; grow = (vma->vm_start - address) >> PAGE_SHIFT; -@@ -2232,13 +2571,27 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2235,13 +2572,27 @@ int expand_downwards(struct vm_area_struct *vma, vma->vm_pgoff -= grow; anon_vma_interval_tree_post_update_vma(vma); vma_gap_update(vma); @@ -98057,7 +98177,7 @@ index b91ac80..390920e 100644 khugepaged_enter_vma_merge(vma); validate_mm(vma->vm_mm); return error; -@@ -2336,6 +2689,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -2339,6 +2690,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) do { long nrpages = vma_pages(vma); @@ -98071,7 +98191,7 @@ index b91ac80..390920e 100644 if (vma->vm_flags & VM_ACCOUNT) nr_accounted += nrpages; vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); -@@ -2380,6 +2740,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2383,6 +2741,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, insertion_point = (prev ? &prev->vm_next : &mm->mmap); vma->vm_prev = NULL; do { @@ -98088,7 +98208,7 @@ index b91ac80..390920e 100644 vma_rb_erase(vma, &mm->mm_rb); mm->map_count--; tail_vma = vma; -@@ -2407,14 +2777,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2410,14 +2778,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, struct vm_area_struct *new; int err = -ENOMEM; @@ -98122,7 +98242,7 @@ index b91ac80..390920e 100644 /* most fields are the same, copy all, and then fixup */ *new = *vma; -@@ -2427,6 +2816,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2430,6 +2817,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); } @@ -98145,7 +98265,7 @@ index b91ac80..390920e 100644 err = vma_dup_policy(vma, new); if (err) goto out_free_vma; -@@ -2447,6 +2852,38 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2450,6 +2853,38 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, else err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); @@ -98184,7 +98304,7 @@ index b91ac80..390920e 100644 /* Success. */ if (!err) return 0; -@@ -2456,10 +2893,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2459,10 +2894,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, new->vm_ops->close(new); if (new->vm_file) fput(new->vm_file); @@ -98204,7 +98324,7 @@ index b91ac80..390920e 100644 kmem_cache_free(vm_area_cachep, new); out_err: return err; -@@ -2472,6 +2917,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2475,6 +2918,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long addr, int new_below) { @@ -98220,7 +98340,7 @@ index b91ac80..390920e 100644 if (mm->map_count >= sysctl_max_map_count) return -ENOMEM; -@@ -2483,11 +2937,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2486,11 +2938,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, * work. This now handles partial unmappings. * Jeremy Fitzhardinge <jeremy@goop.org> */ @@ -98251,7 +98371,7 @@ index b91ac80..390920e 100644 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) return -EINVAL; -@@ -2562,6 +3035,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) +@@ -2565,6 +3036,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) /* Fix up all other VM information */ remove_vma_list(mm, vma); @@ -98260,7 +98380,7 @@ index b91ac80..390920e 100644 return 0; } -@@ -2570,6 +3045,13 @@ int vm_munmap(unsigned long start, size_t len) +@@ -2573,6 +3046,13 @@ int vm_munmap(unsigned long start, size_t len) int ret; struct mm_struct *mm = current->mm; @@ -98274,7 +98394,7 @@ index b91ac80..390920e 100644 down_write(&mm->mmap_sem); ret = do_munmap(mm, start, len); up_write(&mm->mmap_sem); -@@ -2583,16 +3065,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) +@@ -2586,16 +3066,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) return vm_munmap(addr, len); } @@ -98291,7 +98411,7 @@ index b91ac80..390920e 100644 /* * this is really a simplified "do_mmap". it only handles * anonymous maps. eventually we may be able to do some -@@ -2606,6 +3078,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2609,6 +3079,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) struct rb_node ** rb_link, * rb_parent; pgoff_t pgoff = addr >> PAGE_SHIFT; int error; @@ -98299,7 +98419,7 @@ index b91ac80..390920e 100644 len = PAGE_ALIGN(len); if (!len) -@@ -2613,10 +3086,24 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2616,10 +3087,24 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; @@ -98324,7 +98444,7 @@ index b91ac80..390920e 100644 error = mlock_future_check(mm, mm->def_flags, len); if (error) return error; -@@ -2630,21 +3117,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2633,21 +3118,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) /* * Clear old maps. this also does some error checking for us */ @@ -98349,7 +98469,7 @@ index b91ac80..390920e 100644 return -ENOMEM; /* Can we just expand an old private anonymous mapping? */ -@@ -2658,7 +3144,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2661,7 +3145,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) */ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); if (!vma) { @@ -98358,7 +98478,7 @@ index b91ac80..390920e 100644 return -ENOMEM; } -@@ -2672,10 +3158,11 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2675,10 +3159,11 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) vma_link(mm, vma, prev, rb_link, rb_parent); out: perf_event_mmap(vma); @@ -98372,7 +98492,7 @@ index b91ac80..390920e 100644 return addr; } -@@ -2737,6 +3224,7 @@ void exit_mmap(struct mm_struct *mm) +@@ -2740,6 +3225,7 @@ void exit_mmap(struct mm_struct *mm) while (vma) { if (vma->vm_flags & VM_ACCOUNT) nr_accounted += vma_pages(vma); @@ -98380,7 +98500,7 @@ index b91ac80..390920e 100644 vma = remove_vma(vma); } vm_unacct_memory(nr_accounted); -@@ -2754,6 +3242,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -2757,6 +3243,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) struct vm_area_struct *prev; struct rb_node **rb_link, *rb_parent; @@ -98394,7 +98514,7 @@ index b91ac80..390920e 100644 /* * The vm_pgoff of a purely anonymous vma should be irrelevant * until its first write fault, when page's anon_vma and index -@@ -2777,7 +3272,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -2780,7 +3273,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) security_vm_enough_memory_mm(mm, vma_pages(vma))) return -ENOMEM; @@ -98416,7 +98536,7 @@ index b91ac80..390920e 100644 return 0; } -@@ -2796,6 +3305,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2799,6 +3306,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, struct rb_node **rb_link, *rb_parent; bool faulted_in_anon_vma = true; @@ -98425,7 +98545,7 @@ index b91ac80..390920e 100644 /* * If anonymous vma has not yet been faulted, update new pgoff * to match new location, to increase its chance of merging. -@@ -2860,6 +3371,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2863,6 +3372,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, return NULL; } @@ -98465,7 +98585,7 @@ index b91ac80..390920e 100644 /* * Return true if the calling process may expand its vm space by the passed * number of pages -@@ -2871,6 +3415,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) +@@ -2874,6 +3416,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT; @@ -98473,7 +98593,7 @@ index b91ac80..390920e 100644 if (cur + npages > lim) return 0; return 1; -@@ -2941,6 +3486,22 @@ int install_special_mapping(struct mm_struct *mm, +@@ -2944,6 +3487,22 @@ int install_special_mapping(struct mm_struct *mm, vma->vm_start = addr; vma->vm_end = addr + len; @@ -103064,10 +103184,29 @@ index 3d4da2c..40f9c29 100644 ICMP_PROT_UNREACH, 0); } diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c -index 580dd96..9fcef7e 100644 +index 580dd96..41e9720 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c -@@ -1171,7 +1171,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, +@@ -426,15 +426,12 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) + + memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err)); + sin = &errhdr.offender; +- sin->sin_family = AF_UNSPEC; ++ memset(sin, 0, sizeof(*sin)); ++ + if (serr->ee.ee_origin == SO_EE_ORIGIN_ICMP) { +- struct inet_sock *inet = inet_sk(sk); +- + sin->sin_family = AF_INET; + sin->sin_addr.s_addr = ip_hdr(skb)->saddr; +- sin->sin_port = 0; +- memset(&sin->sin_zero, 0, sizeof(sin->sin_zero)); +- if (inet->cmsg_flags) ++ if (inet_sk(sk)->cmsg_flags) + ip_cmsg_recv(msg, skb); + } + +@@ -1171,7 +1168,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, len = min_t(unsigned int, len, opt->optlen); if (put_user(len, optlen)) return -EFAULT; @@ -103077,7 +103216,7 @@ index 580dd96..9fcef7e 100644 return -EFAULT; return 0; } -@@ -1302,7 +1303,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, +@@ -1302,7 +1300,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, if (sk->sk_type != SOCK_STREAM) return -ENOPROTOOPT; @@ -104115,10 +104254,38 @@ index d935889..2f64330 100644 err = ipv6_init_mibs(net); if (err) diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c -index c3bf2d2..1f00573 100644 +index c3bf2d2..c85df82 100644 --- a/net/ipv6/datagram.c +++ b/net/ipv6/datagram.c -@@ -938,5 +938,5 @@ void ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp, +@@ -382,11 +382,10 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) + + memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err)); + sin = &errhdr.offender; +- sin->sin6_family = AF_UNSPEC; ++ memset(sin, 0, sizeof(*sin)); ++ + if (serr->ee.ee_origin != SO_EE_ORIGIN_LOCAL) { + sin->sin6_family = AF_INET6; +- sin->sin6_flowinfo = 0; +- sin->sin6_port = 0; + if (np->rxopt.all) + ip6_datagram_recv_common_ctl(sk, msg, skb); + if (skb->protocol == htons(ETH_P_IPV6)) { +@@ -397,12 +396,9 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) + ipv6_iface_scope_id(&sin->sin6_addr, + IP6CB(skb)->iif); + } else { +- struct inet_sock *inet = inet_sk(sk); +- + ipv6_addr_set_v4mapped(ip_hdr(skb)->saddr, + &sin->sin6_addr); +- sin->sin6_scope_id = 0; +- if (inet->cmsg_flags) ++ if (inet_sk(sk)->cmsg_flags) + ip_cmsg_recv(msg, skb); + } + } +@@ -938,5 +934,5 @@ void ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp, 0, sock_i_ino(sp), atomic_read(&sp->sk_refcnt), sp, @@ -104529,10 +104696,25 @@ index cc85a9b..526a133 100644 return -ENOMEM; } diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index 7cc1102..7785931 100644 +index 7cc1102..50e95c7 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c -@@ -2973,7 +2973,7 @@ struct ctl_table ipv6_route_table_template[] = { +@@ -1160,12 +1160,9 @@ static void ip6_rt_update_pmtu(struct dst_entry *dst, struct sock *sk, + struct net *net = dev_net(dst->dev); + + rt6->rt6i_flags |= RTF_MODIFIED; +- if (mtu < IPV6_MIN_MTU) { +- u32 features = dst_metric(dst, RTAX_FEATURES); ++ if (mtu < IPV6_MIN_MTU) + mtu = IPV6_MIN_MTU; +- features |= RTAX_FEATURE_ALLFRAG; +- dst_metric_set(dst, RTAX_FEATURES, features); +- } ++ + dst_metric_set(dst, RTAX_MTU, mtu); + rt6_update_expires(rt6, net->ipv6.sysctl.ip6_rt_mtu_expires); + } +@@ -2973,7 +2970,7 @@ struct ctl_table ipv6_route_table_template[] = { struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net) { @@ -110510,10 +110692,10 @@ index 4c41c90..37f3631 100644 return snd_seq_device_register_driver(SNDRV_SEQ_DEV_ID_EMU10K1_SYNTH, &ops, sizeof(struct snd_emu10k1_synth_arg)); diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c -index dafcf82..dd9356f 100644 +index f6e5c4e..7df65ef 100644 --- a/sound/pci/hda/hda_codec.c +++ b/sound/pci/hda/hda_codec.c -@@ -983,14 +983,10 @@ find_codec_preset(struct hda_codec *codec) +@@ -985,14 +985,10 @@ find_codec_preset(struct hda_codec *codec) mutex_unlock(&preset_mutex); if (mod_requested < HDA_MODREQ_MAX_COUNT) { @@ -110530,7 +110712,7 @@ index dafcf82..dd9356f 100644 mod_requested++; goto again; } -@@ -2739,7 +2735,7 @@ static int get_kctl_0dB_offset(struct snd_kcontrol *kctl, int *step_to_check) +@@ -2741,7 +2737,7 @@ static int get_kctl_0dB_offset(struct snd_kcontrol *kctl, int *step_to_check) /* FIXME: set_fs() hack for obtaining user-space TLV data */ mm_segment_t fs = get_fs(); set_fs(get_ds()); @@ -118439,10 +118621,10 @@ index 0000000..4378111 +} diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data new file mode 100644 -index 0000000..19cb000 +index 0000000..dfb7516 --- /dev/null +++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data -@@ -0,0 +1,6035 @@ +@@ -0,0 +1,6038 @@ +intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL +ocfs2_get_refcount_tree_3 ocfs2_get_refcount_tree 0 3 NULL +storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL @@ -119357,6 +119539,7 @@ index 0000000..19cb000 +hidg_alloc_ep_req_10159 hidg_alloc_ep_req 2 10159 NULL +asd_store_update_bios_10165 asd_store_update_bios 4 10165 NULL +kstrtol_from_user_10168 kstrtol_from_user 2 10168 NULL ++persistent_ram_vmap_10169 persistent_ram_vmap 2-1 10169 NULL +proc_pid_attr_read_10173 proc_pid_attr_read 3 10173 NULL +jffs2_user_setxattr_10182 jffs2_user_setxattr 4 10182 NULL +xfs_attr_rmtval_copyout_10222 xfs_attr_rmtval_copyout 0 10222 NULL nohasharray @@ -122103,6 +122286,7 @@ index 0000000..19cb000 +sd_completed_bytes_39705 sd_completed_bytes 0 39705 NULL +ftrace_pid_write_39710 ftrace_pid_write 3 39710 NULL +adt7316_spi_multi_read_39765 adt7316_spi_multi_read 3 39765 NULL ++persistent_ram_buffer_map_39776 persistent_ram_buffer_map 1-2 39776 NULL +security_inode_listsecurity_39812 security_inode_listsecurity 0 39812 NULL +snd_pcm_oss_writev3_39818 snd_pcm_oss_writev3 3 39818 NULL +get_priv_size_39828 get_priv_size 0-1 39828 NULL @@ -124216,6 +124400,7 @@ index 0000000..19cb000 +altera_irscan_62396 altera_irscan 2 62396 NULL +set_ssp_62411 set_ssp 4 62411 NULL +udf_expand_file_adinicb_62470 udf_expand_file_adinicb 0 62470 NULL ++persistent_ram_new_62493 persistent_ram_new 1-2 62493 NULL +ext_rts51x_sd_execute_read_data_62501 ext_rts51x_sd_execute_read_data 9 62501 NULL +pep_sendmsg_62524 pep_sendmsg 4 62524 NULL +test_iso_queue_62534 test_iso_queue 5 62534 NULL diff --git a/3.14.28/4425_grsec_remove_EI_PAX.patch b/3.14.29/4425_grsec_remove_EI_PAX.patch index 86e242a..86e242a 100644 --- a/3.14.28/4425_grsec_remove_EI_PAX.patch +++ b/3.14.29/4425_grsec_remove_EI_PAX.patch diff --git a/3.14.28/4427_force_XATTR_PAX_tmpfs.patch b/3.14.29/4427_force_XATTR_PAX_tmpfs.patch index aa540ad..aa540ad 100644 --- a/3.14.28/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.14.29/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.14.28/4430_grsec-remove-localversion-grsec.patch b/3.14.29/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.14.28/4430_grsec-remove-localversion-grsec.patch +++ b/3.14.29/4430_grsec-remove-localversion-grsec.patch diff --git a/3.14.28/4435_grsec-mute-warnings.patch b/3.14.29/4435_grsec-mute-warnings.patch index 392cefb..392cefb 100644 --- a/3.14.28/4435_grsec-mute-warnings.patch +++ b/3.14.29/4435_grsec-mute-warnings.patch diff --git a/3.14.28/4440_grsec-remove-protected-paths.patch b/3.14.29/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/3.14.28/4440_grsec-remove-protected-paths.patch +++ b/3.14.29/4440_grsec-remove-protected-paths.patch diff --git a/3.14.28/4450_grsec-kconfig-default-gids.patch b/3.14.29/4450_grsec-kconfig-default-gids.patch index 722821b..722821b 100644 --- a/3.14.28/4450_grsec-kconfig-default-gids.patch +++ b/3.14.29/4450_grsec-kconfig-default-gids.patch diff --git a/3.14.28/4465_selinux-avc_audit-log-curr_ip.patch b/3.14.29/4465_selinux-avc_audit-log-curr_ip.patch index f92c155..f92c155 100644 --- a/3.14.28/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.14.29/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.14.28/4470_disable-compat_vdso.patch b/3.14.29/4470_disable-compat_vdso.patch index cc7c122..cc7c122 100644 --- a/3.14.28/4470_disable-compat_vdso.patch +++ b/3.14.29/4470_disable-compat_vdso.patch diff --git a/3.14.28/4475_emutramp_default_on.patch b/3.14.29/4475_emutramp_default_on.patch index ad4967a..ad4967a 100644 --- a/3.14.28/4475_emutramp_default_on.patch +++ b/3.14.29/4475_emutramp_default_on.patch diff --git a/3.18.2/0000_README b/3.18.3/0000_README index 2c74448..910054e 100644 --- a/3.18.2/0000_README +++ b/3.18.3/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.0-3.18.2-201501142325.patch +Patch: 4420_grsecurity-3.0-3.18.3-201501211944.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.18.2/4420_grsecurity-3.0-3.18.2-201501142325.patch b/3.18.3/4420_grsecurity-3.0-3.18.3-201501211944.patch index 462cdbf..93912cb 100644 --- a/3.18.2/4420_grsecurity-3.0-3.18.2-201501142325.patch +++ b/3.18.3/4420_grsecurity-3.0-3.18.3-201501211944.patch @@ -370,7 +370,7 @@ index 479f332..2475ac2 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index 8f73b41..320950a 100644 +index 91cfe8d..ccf7329 100644 --- a/Makefile +++ b/Makefile @@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -3047,7 +3047,7 @@ index ef9119f..31995a3 100644 #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER if (secure_computing() == -1) diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c -index c031063..e277ab8 100644 +index 306e1ac..1b477ed 100644 --- a/arch/arm/kernel/setup.c +++ b/arch/arm/kernel/setup.c @@ -104,21 +104,23 @@ EXPORT_SYMBOL(elf_hwcap); @@ -3153,7 +3153,7 @@ index bd19834..e4d8c66 100644 - return page; -} diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c -index 13396d3..589d615 100644 +index a8e32aa..b2f7198 100644 --- a/arch/arm/kernel/smp.c +++ b/arch/arm/kernel/smp.c @@ -76,7 +76,7 @@ enum ipi_msg_type { @@ -8528,10 +8528,10 @@ index 4aad413..85d86bf 100644 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */ #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */ diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h -index c998279..d13a9f8 100644 +index a68ee15..552d213 100644 --- a/arch/powerpc/include/asm/reg.h +++ b/arch/powerpc/include/asm/reg.h -@@ -251,6 +251,7 @@ +@@ -253,6 +253,7 @@ #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */ #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */ #define DSISR_NOHPTE 0x40000000 /* no translation found */ @@ -21776,10 +21776,10 @@ index d64f275..26522ff 100644 .attrs = NULL, /* patched at runtime */ }; diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.c b/arch/x86/kernel/cpu/perf_event_intel_uncore.c -index 9762dbd..53d5d21 100644 +index e98f68c..1992b15 100644 --- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c +++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c -@@ -721,7 +721,7 @@ static void __init uncore_types_exit(struct intel_uncore_type **types) +@@ -737,7 +737,7 @@ static void __init uncore_types_exit(struct intel_uncore_type **types) static int __init uncore_type_init(struct intel_uncore_type *type) { struct intel_uncore_pmu *pmus; @@ -21789,7 +21789,7 @@ index 9762dbd..53d5d21 100644 int i, j; diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.h b/arch/x86/kernel/cpu/perf_event_intel_uncore.h -index 18eb78b..18747cc 100644 +index 863d9b0..6289b63 100644 --- a/arch/x86/kernel/cpu/perf_event_intel_uncore.h +++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.h @@ -114,7 +114,7 @@ struct intel_uncore_box { @@ -28524,7 +28524,7 @@ index e48b674..a451dd9 100644 .read = native_io_apic_read, .write = native_io_apic_write, diff --git a/arch/x86/kernel/xsave.c b/arch/x86/kernel/xsave.c -index 4c540c4..0b985b0 100644 +index 0de1fae..298d037 100644 --- a/arch/x86/kernel/xsave.c +++ b/arch/x86/kernel/xsave.c @@ -167,18 +167,18 @@ static inline int save_xstate_epilog(void __user *buf, int ia32_frame) @@ -28575,7 +28575,7 @@ index 4c540c4..0b985b0 100644 if ((unsigned long)buf % 64 || fx_only) { u64 init_bv = pcntxt_mask & ~XSTATE_FPSSE; diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c -index 976e3a5..8bb998c 100644 +index 88f9201..0e7f1a3 100644 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -175,15 +175,20 @@ int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu, @@ -28626,7 +28626,7 @@ index 976e3a5..8bb998c 100644 out: diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index 9f8a2fa..2df3c3f 100644 +index 22e7ed9..e03a378 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -3519,7 +3519,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) @@ -28867,7 +28867,7 @@ index 3e556c6..08bbf7f 100644 vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 0033df3..db6236d 100644 +index 506488c..f8df17e 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -732,6 +732,8 @@ EXPORT_SYMBOL_GPL(kvm_set_cr4); @@ -28899,7 +28899,7 @@ index 0033df3..db6236d 100644 if (copy_to_user(user_msr_list->indices, &msrs_to_save, num_msrs_to_save * sizeof(u32))) goto out; -@@ -5670,7 +5674,7 @@ static struct notifier_block pvclock_gtod_notifier = { +@@ -5743,7 +5747,7 @@ static struct notifier_block pvclock_gtod_notifier = { }; #endif @@ -35468,7 +35468,7 @@ index e904c27..b9eaa03 100644 #ifdef CONFIG_COMPAT_VDSO #define VDSO_DEFAULT 0 diff --git a/arch/x86/vdso/vma.c b/arch/x86/vdso/vma.c -index 970463b..da82d3e 100644 +index 208c220..54f1447 100644 --- a/arch/x86/vdso/vma.c +++ b/arch/x86/vdso/vma.c @@ -16,10 +16,9 @@ @@ -35483,7 +35483,7 @@ index 970463b..da82d3e 100644 extern unsigned short vdso_sync_cpuid; #endif -@@ -101,6 +100,11 @@ static int map_vdso(const struct vdso_image *image, bool calculate_addr) +@@ -114,6 +113,11 @@ static int map_vdso(const struct vdso_image *image, bool calculate_addr) .pages = no_pages, }; @@ -35495,7 +35495,7 @@ index 970463b..da82d3e 100644 if (calculate_addr) { addr = vdso_addr(current->mm->start_stack, image->size - image->sym_vvar_start); -@@ -111,14 +115,14 @@ static int map_vdso(const struct vdso_image *image, bool calculate_addr) +@@ -124,14 +128,14 @@ static int map_vdso(const struct vdso_image *image, bool calculate_addr) down_write(&mm->mmap_sem); addr = get_unmapped_area(NULL, addr, @@ -35512,7 +35512,7 @@ index 970463b..da82d3e 100644 /* * MAYWRITE to allow gdb to COW and set breakpoints -@@ -163,15 +167,12 @@ static int map_vdso(const struct vdso_image *image, bool calculate_addr) +@@ -176,15 +180,12 @@ static int map_vdso(const struct vdso_image *image, bool calculate_addr) hpet_address >> PAGE_SHIFT, PAGE_SIZE, pgprot_noncached(PAGE_READONLY)); @@ -35529,7 +35529,7 @@ index 970463b..da82d3e 100644 up_write(&mm->mmap_sem); return ret; -@@ -191,8 +192,8 @@ static int load_vdso32(void) +@@ -204,8 +205,8 @@ static int load_vdso32(void) if (selected_vdso32->sym_VDSO32_SYSENTER_RETURN) current_thread_info()->sysenter_return = @@ -35540,7 +35540,7 @@ index 970463b..da82d3e 100644 return 0; } -@@ -201,9 +202,6 @@ static int load_vdso32(void) +@@ -214,9 +215,6 @@ static int load_vdso32(void) #ifdef CONFIG_X86_64 int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) { @@ -35550,7 +35550,7 @@ index 970463b..da82d3e 100644 return map_vdso(&vdso_image_64, true); } -@@ -212,12 +210,8 @@ int compat_arch_setup_additional_pages(struct linux_binprm *bprm, +@@ -225,12 +223,8 @@ int compat_arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) { #ifdef CONFIG_X86_X32_ABI @@ -35564,7 +35564,7 @@ index 970463b..da82d3e 100644 #endif return load_vdso32(); -@@ -229,12 +223,3 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) +@@ -242,12 +236,3 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) return load_vdso32(); } #endif @@ -35590,7 +35590,7 @@ index e88fda8..76ce7ce 100644 This is the Linux Xen port. Enabling this will allow the kernel to boot in a paravirtualized environment under the diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c -index fac5e4f..5b5cf4f 100644 +index fac5e4f..e421c18 100644 --- a/arch/x86/xen/enlighten.c +++ b/arch/x86/xen/enlighten.c @@ -123,8 +123,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); @@ -35678,7 +35678,19 @@ index fac5e4f..5b5cf4f 100644 { if (pm_power_off) pm_power_off(); -@@ -1573,7 +1569,17 @@ asmlinkage __visible void __init xen_start_kernel(void) +@@ -1456,8 +1452,9 @@ static void __ref xen_setup_gdt(int cpu) + pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry_boot; + pv_cpu_ops.load_gdt = xen_load_gdt_boot; + +- setup_stack_canary_segment(0); +- switch_to_new_gdt(0); ++ setup_stack_canary_segment(cpu); ++ load_percpu_segment(cpu); ++ switch_to_new_gdt(cpu); + + pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry; + pv_cpu_ops.load_gdt = xen_load_gdt; +@@ -1573,7 +1570,17 @@ asmlinkage __visible void __init xen_start_kernel(void) __userpte_alloc_gfp &= ~__GFP_HIGHMEM; /* Work out if we support NX */ @@ -35697,7 +35709,7 @@ index fac5e4f..5b5cf4f 100644 /* Get mfn list */ xen_build_dynamic_phys_to_machine(); -@@ -1601,13 +1607,6 @@ asmlinkage __visible void __init xen_start_kernel(void) +@@ -1601,13 +1608,6 @@ asmlinkage __visible void __init xen_start_kernel(void) machine_ops = xen_machine_ops; @@ -36072,7 +36084,7 @@ index f678c73..f35aa18 100644 err = -EFAULT; goto out; diff --git a/block/genhd.c b/block/genhd.c -index bd30606..bbc9b90 100644 +index 0a536dc..b8f7aca 100644 --- a/block/genhd.c +++ b/block/genhd.c @@ -469,21 +469,24 @@ static char *bdevt_str(dev_t devt, char *buf) @@ -36339,7 +36351,7 @@ index c68e724..e863008 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) diff --git a/drivers/acpi/device_pm.c b/drivers/acpi/device_pm.c -index 7db1931..302dd5f 100644 +index 93b7142..5676c75 100644 --- a/drivers/acpi/device_pm.c +++ b/drivers/acpi/device_pm.c @@ -1021,6 +1021,8 @@ EXPORT_SYMBOL_GPL(acpi_subsys_freeze); @@ -37508,10 +37520,10 @@ index 969c3c2..9b72956 100644 } diff --git a/drivers/base/bus.c b/drivers/base/bus.c -index 83e910a..b224a73 100644 +index 876bae5..8978785 100644 --- a/drivers/base/bus.c +++ b/drivers/base/bus.c -@@ -1124,7 +1124,7 @@ int subsys_interface_register(struct subsys_interface *sif) +@@ -1126,7 +1126,7 @@ int subsys_interface_register(struct subsys_interface *sif) return -EINVAL; mutex_lock(&subsys->p->mutex); @@ -37520,7 +37532,7 @@ index 83e910a..b224a73 100644 if (sif->add_dev) { subsys_dev_iter_init(&iter, subsys, NULL, NULL); while ((dev = subsys_dev_iter_next(&iter))) -@@ -1149,7 +1149,7 @@ void subsys_interface_unregister(struct subsys_interface *sif) +@@ -1151,7 +1151,7 @@ void subsys_interface_unregister(struct subsys_interface *sif) subsys = sif->subsys; mutex_lock(&subsys->p->mutex); @@ -40199,6 +40211,32 @@ index bc3da32..7289357 100644 drm_put_dev(dev); } mutex_unlock(&drm_global_mutex); +diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c +index 0c0c39b..70dd2f4 100644 +--- a/drivers/gpu/drm/drm_fb_helper.c ++++ b/drivers/gpu/drm/drm_fb_helper.c +@@ -732,7 +732,9 @@ int drm_fb_helper_setcmap(struct fb_cmap *cmap, struct fb_info *info) + int i, j, rc = 0; + int start; + +- drm_modeset_lock_all(dev); ++ if (__drm_modeset_lock_all(dev, !!oops_in_progress)) { ++ return -EBUSY; ++ } + if (!drm_fb_helper_is_bound(fb_helper)) { + drm_modeset_unlock_all(dev); + return -EBUSY; +@@ -910,7 +912,9 @@ int drm_fb_helper_pan_display(struct fb_var_screeninfo *var, + int ret = 0; + int i; + +- drm_modeset_lock_all(dev); ++ if (__drm_modeset_lock_all(dev, !!oops_in_progress)) { ++ return -EBUSY; ++ } + if (!drm_fb_helper_is_bound(fb_helper)) { + drm_modeset_unlock_all(dev); + return -EBUSY; diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c index ed7bc68..0d536af 100644 --- a/drivers/gpu/drm/drm_fops.c @@ -40672,10 +40710,10 @@ index 462679a..88e32a7 100644 if (nr < DRM_COMMAND_BASE) diff --git a/drivers/gpu/drm/nouveau/nouveau_ttm.c b/drivers/gpu/drm/nouveau/nouveau_ttm.c -index 753a6de..dd66b98 100644 +index 3d1cfcb..0542700 100644 --- a/drivers/gpu/drm/nouveau/nouveau_ttm.c +++ b/drivers/gpu/drm/nouveau/nouveau_ttm.c -@@ -126,11 +126,11 @@ nouveau_vram_manager_debug(struct ttm_mem_type_manager *man, const char *prefix) +@@ -127,11 +127,11 @@ nouveau_vram_manager_debug(struct ttm_mem_type_manager *man, const char *prefix) } const struct ttm_mem_type_manager_func nouveau_vram_manager = { @@ -40692,7 +40730,7 @@ index 753a6de..dd66b98 100644 }; static int -@@ -194,11 +194,11 @@ nouveau_gart_manager_debug(struct ttm_mem_type_manager *man, const char *prefix) +@@ -195,11 +195,11 @@ nouveau_gart_manager_debug(struct ttm_mem_type_manager *man, const char *prefix) } const struct ttm_mem_type_manager_func nouveau_gart_manager = { @@ -40709,7 +40747,7 @@ index 753a6de..dd66b98 100644 }; /*XXX*/ -@@ -267,11 +267,11 @@ nv04_gart_manager_debug(struct ttm_mem_type_manager *man, const char *prefix) +@@ -268,11 +268,11 @@ nv04_gart_manager_debug(struct ttm_mem_type_manager *man, const char *prefix) } const struct ttm_mem_type_manager_func nv04_gart_manager = { @@ -41722,10 +41760,10 @@ index 37ac7b5..d52a5c9 100644 /* copy over all the bus versions */ if (dev->bus && dev->bus->pm) { diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index 3402033..50b562c 100644 +index dfaccfc..bfea740 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c -@@ -2506,7 +2506,7 @@ EXPORT_SYMBOL_GPL(hid_ignore); +@@ -2507,7 +2507,7 @@ EXPORT_SYMBOL_GPL(hid_ignore); int hid_add_device(struct hid_device *hdev) { @@ -41734,7 +41772,7 @@ index 3402033..50b562c 100644 int ret; if (WARN_ON(hdev->status & HID_STAT_ADDED)) -@@ -2548,7 +2548,7 @@ int hid_add_device(struct hid_device *hdev) +@@ -2549,7 +2549,7 @@ int hid_add_device(struct hid_device *hdev) /* XXX hack, any other cleaner solution after the driver core * is converted to allow more than 20 bytes as the device name? */ dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus, @@ -44831,7 +44869,7 @@ index 32e282f..5cec803 100644 rdev_dec_pending(rdev, mddev); diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c -index 9c66e59..42a8eac 100644 +index c1b0d52..07a0a5d 100644 --- a/drivers/md/raid5.c +++ b/drivers/md/raid5.c @@ -1730,6 +1730,10 @@ static int grow_one_stripe(struct r5conf *conf, int hash) @@ -48094,6 +48132,42 @@ index 454d9fe..59f0f0b 100644 netdev_tx_completed_queue(ring->tx_queue, packets, bytes); +diff --git a/drivers/net/ethernet/neterion/s2io.c b/drivers/net/ethernet/neterion/s2io.c +index f5e4b82..db0c7a9 100644 +--- a/drivers/net/ethernet/neterion/s2io.c ++++ b/drivers/net/ethernet/neterion/s2io.c +@@ -6987,7 +6987,9 @@ static int s2io_add_isr(struct s2io_nic *sp) + if (sp->s2io_entries[i].in_use == MSIX_FLG) { + if (sp->s2io_entries[i].type == + MSIX_RING_TYPE) { +- sprintf(sp->desc[i], "%s:MSI-X-%d-RX", ++ snprintf(sp->desc[i], ++ sizeof(sp->desc[i]), ++ "%s:MSI-X-%d-RX", + dev->name, i); + err = request_irq(sp->entries[i].vector, + s2io_msix_ring_handle, +@@ -6996,7 +6998,9 @@ static int s2io_add_isr(struct s2io_nic *sp) + sp->s2io_entries[i].arg); + } else if (sp->s2io_entries[i].type == + MSIX_ALARM_TYPE) { +- sprintf(sp->desc[i], "%s:MSI-X-%d-TX", ++ snprintf(sp->desc[i], ++ sizeof(sp->desc[i]), ++ "%s:MSI-X-%d-TX", + dev->name, i); + err = request_irq(sp->entries[i].vector, + s2io_msix_fifo_handle, +@@ -8154,7 +8158,8 @@ s2io_init_nic(struct pci_dev *pdev, const struct pci_device_id *pre) + "%s: UDP Fragmentation Offload(UFO) enabled\n", + dev->name); + /* Initialize device name */ +- sprintf(sp->name, "%s Neterion %s", dev->name, sp->product_name); ++ snprintf(sp->name, sizeof(sp->name), "%s Neterion %s", dev->name, ++ sp->product_name); + + if (vlan_tag_strip) + sp->vlan_strip_flag = 1; diff --git a/drivers/net/ethernet/neterion/vxge/vxge-config.c b/drivers/net/ethernet/neterion/vxge/vxge-config.c index 2bbd01f..e8baa64 100644 --- a/drivers/net/ethernet/neterion/vxge/vxge-config.c @@ -49113,7 +49187,7 @@ index 057b165..98ae88f 100644 static u16 ar9003_calc_ptr_chksum(struct ar9003_txc *ads) diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h -index 975074f..e9440da 100644 +index e8e8dd2..030f80e 100644 --- a/drivers/net/wireless/ath/ath9k/hw.h +++ b/drivers/net/wireless/ath/ath9k/hw.h @@ -630,7 +630,7 @@ struct ath_hw_private_ops { @@ -49930,7 +50004,7 @@ index e1e7026..d28dd33 100644 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1) diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c -index c8ca98c..b1bc005 100644 +index 3010ffc..5e2e133 100644 --- a/drivers/pci/probe.c +++ b/drivers/pci/probe.c @@ -177,7 +177,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type, @@ -52929,7 +53003,7 @@ index c434376..114ce13 100644 dlci->modem_rx = 0; diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c -index 2e900a9..576d216 100644 +index 47ca0f3..3c0b803 100644 --- a/drivers/tty/n_tty.c +++ b/drivers/tty/n_tty.c @@ -115,7 +115,7 @@ struct n_tty_data { @@ -52941,7 +53015,7 @@ index 2e900a9..576d216 100644 size_t line_start; /* protected by output lock */ -@@ -2522,6 +2522,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops) +@@ -2523,6 +2523,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops) { *ops = tty_ldisc_N_TTY; ops->owner = NULL; @@ -53172,7 +53246,7 @@ index 4b6c783..9a19db3 100644 if (unlikely(pdev->id < 0 || pdev->id >= UART_NR)) return -ENXIO; diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c -index c78f43a..22b1dab 100644 +index 587d63b..48423a6 100644 --- a/drivers/tty/serial/samsung.c +++ b/drivers/tty/serial/samsung.c @@ -478,11 +478,16 @@ static void s3c24xx_serial_shutdown(struct uart_port *port) @@ -53192,7 +53266,7 @@ index c78f43a..22b1dab 100644 dbg("s3c24xx_serial_startup: port=%p (%08llx,%p)\n", port, (unsigned long long)port->mapbase, port->membase); -@@ -1155,10 +1160,6 @@ static int s3c24xx_serial_init_port(struct s3c24xx_uart_port *ourport, +@@ -1159,10 +1164,6 @@ static int s3c24xx_serial_init_port(struct s3c24xx_uart_port *ourport, /* setup info for port */ port->dev = &platdev->dev; @@ -59286,7 +59360,7 @@ index 150822e..75bb326 100644 WARN_ON(trans->transid != btrfs_header_generation(parent)); diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c -index 054577b..9b342cc 100644 +index de4e70f..b41dc45 100644 --- a/fs/btrfs/delayed-inode.c +++ b/fs/btrfs/delayed-inode.c @@ -462,7 +462,7 @@ static int __btrfs_add_delayed_deletion_item(struct btrfs_delayed_node *node, @@ -64551,7 +64625,7 @@ index 0beb023..3f685ec 100644 static struct nfsd4_operation nfsd4_ops[]; diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c -index eeea7a9..f3ba422 100644 +index 2a77603..68e0e37 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -1543,7 +1543,7 @@ nfsd4_decode_notsupp(struct nfsd4_compoundargs *argp, void *p) @@ -67262,7 +67336,7 @@ index 1894d96..1dfd1c2 100644 #define __fs_changed(gen,s) (gen != get_generation (s)) #define fs_changed(gen,s) \ diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c -index f1376c9..f9378e9 100644 +index b27ef35..d9c6c18 100644 --- a/fs/reiserfs/super.c +++ b/fs/reiserfs/super.c @@ -1857,6 +1857,10 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent) @@ -82836,7 +82910,7 @@ index 3d385c8..deacb6a 100644 static inline int vma_dup_policy(struct vm_area_struct *src, struct vm_area_struct *dst) diff --git a/include/linux/mm.h b/include/linux/mm.h -index b464611..77cbfc1 100644 +index 5ab2da9..5f0b3df 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -128,6 +128,11 @@ extern unsigned int kobjsize(const void *objp); @@ -86018,10 +86092,10 @@ index 567c681..cd73ac02 100644 struct llc_sap_state { u8 curr_state; diff --git a/include/net/mac80211.h b/include/net/mac80211.h -index 0ad1f47..aaea45b 100644 +index a9de1da..df72057 100644 --- a/include/net/mac80211.h +++ b/include/net/mac80211.h -@@ -4648,7 +4648,7 @@ struct rate_control_ops { +@@ -4645,7 +4645,7 @@ struct rate_control_ops { void (*remove_sta_debugfs)(void *priv, void *priv_sta); u32 (*get_expected_throughput)(void *priv_sta); @@ -88335,7 +88409,7 @@ index 379650b..30c5180 100644 #ifdef CONFIG_MODULE_UNLOAD { diff --git a/kernel/events/core.c b/kernel/events/core.c -index 1cd5eef..e8b5af9 100644 +index 2ab0238..bf89262f5 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -170,8 +170,15 @@ static struct srcu_struct pmus_srcu; @@ -88523,7 +88597,7 @@ index ed8f2cd..fe8030c 100644 pagefault_disable(); result = __copy_from_user_inatomic(&opcode, (void __user*)vaddr, diff --git a/kernel/exit.c b/kernel/exit.c -index 5d30019..934add5 100644 +index 2116aac..d95df2a 100644 --- a/kernel/exit.c +++ b/kernel/exit.c @@ -174,6 +174,10 @@ void release_task(struct task_struct *p) @@ -91099,6 +91173,28 @@ index 54e7522..5b82dd6 100644 goto out_put_task_struct; } +diff --git a/kernel/range.c b/kernel/range.c +index 322ea8e..82cfc28 100644 +--- a/kernel/range.c ++++ b/kernel/range.c +@@ -113,12 +113,12 @@ static int cmp_range(const void *x1, const void *x2) + { + const struct range *r1 = x1; + const struct range *r2 = x2; +- s64 start1, start2; + +- start1 = r1->start; +- start2 = r2->start; +- +- return start1 - start2; ++ if (r1->start < r2->start) ++ return -1; ++ if (r1->start > r2->start) ++ return 1; ++ return 0; + } + + int clean_sort_range(struct range *range, int az) diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c index 240fa90..5fa56bd 100644 --- a/kernel/rcu/rcutorture.c @@ -92126,10 +92222,10 @@ index a63f4dc..349bbb0 100644 unsigned long timeout) { diff --git a/kernel/sched/core.c b/kernel/sched/core.c -index 89e7283..072bc26 100644 +index efdca2f..e361dfb 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c -@@ -1885,7 +1885,7 @@ void set_numabalancing_state(bool enabled) +@@ -1890,7 +1890,7 @@ void set_numabalancing_state(bool enabled) int sysctl_numa_balancing(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -92138,7 +92234,7 @@ index 89e7283..072bc26 100644 int err; int state = numabalancing_enabled; -@@ -2348,8 +2348,10 @@ context_switch(struct rq *rq, struct task_struct *prev, +@@ -2353,8 +2353,10 @@ context_switch(struct rq *rq, struct task_struct *prev, next->active_mm = oldmm; atomic_inc(&oldmm->mm_count); enter_lazy_tlb(oldmm, next); @@ -92150,7 +92246,7 @@ index 89e7283..072bc26 100644 if (!prev->mm) { prev->active_mm = NULL; -@@ -3160,6 +3162,8 @@ int can_nice(const struct task_struct *p, const int nice) +@@ -3165,6 +3167,8 @@ int can_nice(const struct task_struct *p, const int nice) /* convert nice value [19,-20] to rlimit style value [1,40] */ int nice_rlim = nice_to_rlimit(nice); @@ -92159,7 +92255,7 @@ index 89e7283..072bc26 100644 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) || capable(CAP_SYS_NICE)); } -@@ -3186,7 +3190,8 @@ SYSCALL_DEFINE1(nice, int, increment) +@@ -3191,7 +3195,8 @@ SYSCALL_DEFINE1(nice, int, increment) nice = task_nice(current) + increment; nice = clamp_val(nice, MIN_NICE, MAX_NICE); @@ -92169,7 +92265,7 @@ index 89e7283..072bc26 100644 return -EPERM; retval = security_task_setnice(current, nice); -@@ -3465,6 +3470,7 @@ recheck: +@@ -3470,6 +3475,7 @@ recheck: if (policy != p->policy && !rlim_rtprio) return -EPERM; @@ -92177,7 +92273,7 @@ index 89e7283..072bc26 100644 /* can't increase priority */ if (attr->sched_priority > p->rt_priority && attr->sched_priority > rlim_rtprio) -@@ -4885,6 +4891,7 @@ void idle_task_exit(void) +@@ -4890,6 +4896,7 @@ void idle_task_exit(void) if (mm != &init_mm) { switch_mm(mm, &init_mm, current); @@ -92185,7 +92281,7 @@ index 89e7283..072bc26 100644 finish_arch_post_lock_switch(); } mmdrop(mm); -@@ -4980,7 +4987,7 @@ static void migrate_tasks(unsigned int dead_cpu) +@@ -4985,7 +4992,7 @@ static void migrate_tasks(unsigned int dead_cpu) #if defined(CONFIG_SCHED_DEBUG) && defined(CONFIG_SYSCTL) @@ -92194,7 +92290,7 @@ index 89e7283..072bc26 100644 { .procname = "sched_domain", .mode = 0555, -@@ -4997,17 +5004,17 @@ static struct ctl_table sd_ctl_root[] = { +@@ -5002,17 +5009,17 @@ static struct ctl_table sd_ctl_root[] = { {} }; @@ -92216,7 +92312,7 @@ index 89e7283..072bc26 100644 /* * In the intermediate directories, both the child directory and -@@ -5015,22 +5022,25 @@ static void sd_free_ctl_entry(struct ctl_table **tablep) +@@ -5020,22 +5027,25 @@ static void sd_free_ctl_entry(struct ctl_table **tablep) * will always be set. In the lowest directory the names are * static strings and all have proc handlers. */ @@ -92248,7 +92344,7 @@ index 89e7283..072bc26 100644 const char *procname, void *data, int maxlen, umode_t mode, proc_handler *proc_handler, bool load_idx) -@@ -5050,7 +5060,7 @@ set_table_entry(struct ctl_table *entry, +@@ -5055,7 +5065,7 @@ set_table_entry(struct ctl_table *entry, static struct ctl_table * sd_alloc_ctl_domain_table(struct sched_domain *sd) { @@ -92257,7 +92353,7 @@ index 89e7283..072bc26 100644 if (table == NULL) return NULL; -@@ -5088,9 +5098,9 @@ sd_alloc_ctl_domain_table(struct sched_domain *sd) +@@ -5093,9 +5103,9 @@ sd_alloc_ctl_domain_table(struct sched_domain *sd) return table; } @@ -92269,7 +92365,7 @@ index 89e7283..072bc26 100644 struct sched_domain *sd; int domain_num = 0, i; char buf[32]; -@@ -5117,11 +5127,13 @@ static struct ctl_table_header *sd_sysctl_header; +@@ -5122,11 +5132,13 @@ static struct ctl_table_header *sd_sysctl_header; static void register_sched_domain_sysctl(void) { int i, cpu_num = num_possible_cpus(); @@ -92284,7 +92380,7 @@ index 89e7283..072bc26 100644 if (entry == NULL) return; -@@ -5144,8 +5156,12 @@ static void unregister_sched_domain_sysctl(void) +@@ -5149,8 +5161,12 @@ static void unregister_sched_domain_sysctl(void) if (sd_sysctl_header) unregister_sysctl_table(sd_sysctl_header); sd_sysctl_header = NULL; @@ -95492,7 +95588,7 @@ index 8639f6b..b623882a 100644 } unset_migratetype_isolate(page, MIGRATE_MOVABLE); diff --git a/mm/memory.c b/mm/memory.c -index d5f2ae9..4d678b2 100644 +index 7f86cf6..0600e22 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -415,6 +415,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud, @@ -95792,7 +95888,7 @@ index d5f2ae9..4d678b2 100644 /* * This routine handles present pages, when users try to write * to a shared page. It is done by copying the page to a new address -@@ -2218,6 +2425,12 @@ gotten: +@@ -2225,6 +2432,12 @@ gotten: */ page_table = pte_offset_map_lock(mm, pmd, address, &ptl); if (likely(pte_same(*page_table, orig_pte))) { @@ -95805,7 +95901,7 @@ index d5f2ae9..4d678b2 100644 if (old_page) { if (!PageAnon(old_page)) { dec_mm_counter_fast(mm, MM_FILEPAGES); -@@ -2271,6 +2484,10 @@ gotten: +@@ -2278,6 +2491,10 @@ gotten: page_remove_rmap(old_page); } @@ -95816,7 +95912,7 @@ index d5f2ae9..4d678b2 100644 /* Free the old page.. */ new_page = old_page; ret |= VM_FAULT_WRITE; -@@ -2545,6 +2762,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2552,6 +2769,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, swap_free(entry); if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page)) try_to_free_swap(page); @@ -95828,7 +95924,7 @@ index d5f2ae9..4d678b2 100644 unlock_page(page); if (page != swapcache) { /* -@@ -2568,6 +2790,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2575,6 +2797,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, /* No need to invalidate - it was non-present before */ update_mmu_cache(vma, address, page_table); @@ -95840,7 +95936,7 @@ index d5f2ae9..4d678b2 100644 unlock: pte_unmap_unlock(page_table, ptl); out: -@@ -2587,40 +2814,6 @@ out_release: +@@ -2594,40 +2821,6 @@ out_release: } /* @@ -95863,7 +95959,7 @@ index d5f2ae9..4d678b2 100644 - if (prev && prev->vm_end == address) - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM; - -- expand_downwards(vma, address - PAGE_SIZE); +- return expand_downwards(vma, address - PAGE_SIZE); - } - if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) { - struct vm_area_struct *next = vma->vm_next; @@ -95872,7 +95968,7 @@ index d5f2ae9..4d678b2 100644 - if (next && next->vm_start == address + PAGE_SIZE) - return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM; - -- expand_upwards(vma, address + PAGE_SIZE); +- return expand_upwards(vma, address + PAGE_SIZE); - } - return 0; -} @@ -95881,7 +95977,7 @@ index d5f2ae9..4d678b2 100644 * We enter with non-exclusive mmap_sem (to exclude vma changes, * but allow concurrent faults), and pte mapped but not yet locked. * We return with mmap_sem still held, but pte unmapped and unlocked. -@@ -2630,27 +2823,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2637,27 +2830,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, unsigned int flags) { struct mem_cgroup *memcg; @@ -95914,7 +96010,7 @@ index d5f2ae9..4d678b2 100644 if (unlikely(anon_vma_prepare(vma))) goto oom; page = alloc_zeroed_user_highpage_movable(vma, address); -@@ -2674,6 +2863,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2681,6 +2870,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, if (!pte_none(*page_table)) goto release; @@ -95926,7 +96022,7 @@ index d5f2ae9..4d678b2 100644 inc_mm_counter_fast(mm, MM_ANONPAGES); page_add_new_anon_rmap(page, vma, address); mem_cgroup_commit_charge(page, memcg, false); -@@ -2683,6 +2877,12 @@ setpte: +@@ -2690,6 +2884,12 @@ setpte: /* No need to invalidate - it was non-present before */ update_mmu_cache(vma, address, page_table); @@ -95939,7 +96035,7 @@ index d5f2ae9..4d678b2 100644 unlock: pte_unmap_unlock(page_table, ptl); return 0; -@@ -2913,6 +3113,11 @@ static int do_read_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2920,6 +3120,11 @@ static int do_read_fault(struct mm_struct *mm, struct vm_area_struct *vma, return ret; } do_set_pte(vma, address, fault_page, pte, false, false); @@ -95951,7 +96047,7 @@ index d5f2ae9..4d678b2 100644 unlock_page(fault_page); unlock_out: pte_unmap_unlock(pte, ptl); -@@ -2955,7 +3160,18 @@ static int do_cow_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2962,7 +3167,18 @@ static int do_cow_fault(struct mm_struct *mm, struct vm_area_struct *vma, page_cache_release(fault_page); goto uncharge_out; } @@ -95970,7 +96066,7 @@ index d5f2ae9..4d678b2 100644 mem_cgroup_commit_charge(new_page, memcg, false); lru_cache_add_active_or_unevictable(new_page, vma); pte_unmap_unlock(pte, ptl); -@@ -3005,6 +3221,11 @@ static int do_shared_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3012,6 +3228,11 @@ static int do_shared_fault(struct mm_struct *mm, struct vm_area_struct *vma, return ret; } do_set_pte(vma, address, fault_page, pte, true, false); @@ -95982,7 +96078,7 @@ index d5f2ae9..4d678b2 100644 pte_unmap_unlock(pte, ptl); if (set_page_dirty(fault_page)) -@@ -3246,6 +3467,12 @@ static int handle_pte_fault(struct mm_struct *mm, +@@ -3253,6 +3474,12 @@ static int handle_pte_fault(struct mm_struct *mm, if (flags & FAULT_FLAG_WRITE) flush_tlb_fix_spurious_fault(vma, address); } @@ -95995,7 +96091,7 @@ index d5f2ae9..4d678b2 100644 unlock: pte_unmap_unlock(pte, ptl); return 0; -@@ -3265,9 +3492,41 @@ static int __handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -3272,9 +3499,41 @@ static int __handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, pmd_t *pmd; pte_t *pte; @@ -96037,7 +96133,7 @@ index d5f2ae9..4d678b2 100644 pgd = pgd_offset(mm, address); pud = pud_alloc(mm, pgd, address); if (!pud) -@@ -3401,6 +3660,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address) +@@ -3408,6 +3667,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address) spin_unlock(&mm->page_table_lock); return 0; } @@ -96061,7 +96157,7 @@ index d5f2ae9..4d678b2 100644 #endif /* __PAGETABLE_PUD_FOLDED */ #ifndef __PAGETABLE_PMD_FOLDED -@@ -3431,6 +3707,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address) +@@ -3438,6 +3714,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address) spin_unlock(&mm->page_table_lock); return 0; } @@ -96092,7 +96188,7 @@ index d5f2ae9..4d678b2 100644 #endif /* __PAGETABLE_PMD_FOLDED */ static int __follow_pte(struct mm_struct *mm, unsigned long address, -@@ -3540,8 +3840,8 @@ out: +@@ -3547,8 +3847,8 @@ out: return ret; } @@ -96103,7 +96199,7 @@ index d5f2ae9..4d678b2 100644 { resource_size_t phys_addr; unsigned long prot = 0; -@@ -3567,8 +3867,8 @@ EXPORT_SYMBOL_GPL(generic_access_phys); +@@ -3574,8 +3874,8 @@ EXPORT_SYMBOL_GPL(generic_access_phys); * Access another process' address space as given in mm. If non-NULL, use the * given task for page fault accounting. */ @@ -96114,7 +96210,7 @@ index d5f2ae9..4d678b2 100644 { struct vm_area_struct *vma; void *old_buf = buf; -@@ -3576,7 +3876,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, +@@ -3583,7 +3883,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, down_read(&mm->mmap_sem); /* ignore errors, just check how much was successfully transferred */ while (len) { @@ -96123,7 +96219,7 @@ index d5f2ae9..4d678b2 100644 void *maddr; struct page *page = NULL; -@@ -3637,8 +3937,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, +@@ -3644,8 +3944,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, * * The caller must hold a reference on @mm. */ @@ -96134,7 +96230,7 @@ index d5f2ae9..4d678b2 100644 { return __access_remote_vm(NULL, mm, addr, buf, len, write); } -@@ -3648,11 +3948,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr, +@@ -3655,11 +3955,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr, * Source/target buffer must be kernel space, * Do not walk the page table directly, use get_user_pages */ @@ -96315,7 +96411,7 @@ index 73cf098..ab547c7 100644 capable(CAP_IPC_LOCK)) ret = do_mlockall(flags); diff --git a/mm/mmap.c b/mm/mmap.c -index ae91989..d8308c7 100644 +index 1620adb..348da48 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -41,6 +41,7 @@ @@ -96974,15 +97070,17 @@ index ae91989..d8308c7 100644 /* * Verify that the stack growth is acceptable and * update accounting. This is shared with both the -@@ -2106,6 +2412,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns - return -ENOMEM; +@@ -2107,8 +2413,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns /* Stack limit test */ -+ gr_learn_resource(current, RLIMIT_STACK, size, 1); - if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur)) + actual_size = size; +- if (size && (vma->vm_flags & (VM_GROWSUP | VM_GROWSDOWN))) +- actual_size -= PAGE_SIZE; ++ gr_learn_resource(current, RLIMIT_STACK, actual_size, 1); + if (actual_size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur)) return -ENOMEM; -@@ -2116,6 +2423,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -2119,6 +2424,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns locked = mm->locked_vm + grow; limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur); limit >>= PAGE_SHIFT; @@ -96990,7 +97088,7 @@ index ae91989..d8308c7 100644 if (locked > limit && !capable(CAP_IPC_LOCK)) return -ENOMEM; } -@@ -2145,37 +2453,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -2148,37 +2454,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns * PA-RISC uses this for its stack; IA64 for its Register Backing Store. * vma is the last one with address > vma->vm_end. Have to extend vma. */ @@ -97048,7 +97146,7 @@ index ae91989..d8308c7 100644 unsigned long size, grow; size = address - vma->vm_start; -@@ -2210,6 +2529,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) +@@ -2213,6 +2530,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) } } } @@ -97057,7 +97155,7 @@ index ae91989..d8308c7 100644 vma_unlock_anon_vma(vma); khugepaged_enter_vma_merge(vma, vma->vm_flags); validate_mm(vma->vm_mm); -@@ -2224,6 +2545,8 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2227,6 +2546,8 @@ int expand_downwards(struct vm_area_struct *vma, unsigned long address) { int error; @@ -97066,7 +97164,7 @@ index ae91989..d8308c7 100644 /* * We must make sure the anon_vma is allocated -@@ -2237,6 +2560,15 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2240,6 +2561,15 @@ int expand_downwards(struct vm_area_struct *vma, if (error) return error; @@ -97082,7 +97180,7 @@ index ae91989..d8308c7 100644 vma_lock_anon_vma(vma); /* -@@ -2246,9 +2578,17 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2249,9 +2579,17 @@ int expand_downwards(struct vm_area_struct *vma, */ /* Somebody else might have raced and expanded it already */ @@ -97101,7 +97199,7 @@ index ae91989..d8308c7 100644 size = vma->vm_end - address; grow = (vma->vm_start - address) >> PAGE_SHIFT; -@@ -2273,13 +2613,27 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2276,13 +2614,27 @@ int expand_downwards(struct vm_area_struct *vma, vma->vm_pgoff -= grow; anon_vma_interval_tree_post_update_vma(vma); vma_gap_update(vma); @@ -97129,7 +97227,7 @@ index ae91989..d8308c7 100644 khugepaged_enter_vma_merge(vma, vma->vm_flags); validate_mm(vma->vm_mm); return error; -@@ -2377,6 +2731,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -2380,6 +2732,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) do { long nrpages = vma_pages(vma); @@ -97143,7 +97241,7 @@ index ae91989..d8308c7 100644 if (vma->vm_flags & VM_ACCOUNT) nr_accounted += nrpages; vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); -@@ -2421,6 +2782,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2424,6 +2783,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, insertion_point = (prev ? &prev->vm_next : &mm->mmap); vma->vm_prev = NULL; do { @@ -97160,7 +97258,7 @@ index ae91989..d8308c7 100644 vma_rb_erase(vma, &mm->mm_rb); mm->map_count--; tail_vma = vma; -@@ -2448,14 +2819,33 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2451,14 +2820,33 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, struct vm_area_struct *new; int err = -ENOMEM; @@ -97194,7 +97292,7 @@ index ae91989..d8308c7 100644 /* most fields are the same, copy all, and then fixup */ *new = *vma; -@@ -2468,6 +2858,22 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2471,6 +2859,22 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); } @@ -97217,7 +97315,7 @@ index ae91989..d8308c7 100644 err = vma_dup_policy(vma, new); if (err) goto out_free_vma; -@@ -2488,6 +2894,38 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2491,6 +2895,38 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, else err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); @@ -97256,7 +97354,7 @@ index ae91989..d8308c7 100644 /* Success. */ if (!err) return 0; -@@ -2497,10 +2935,18 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2500,10 +2936,18 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, new->vm_ops->close(new); if (new->vm_file) fput(new->vm_file); @@ -97276,7 +97374,7 @@ index ae91989..d8308c7 100644 kmem_cache_free(vm_area_cachep, new); out_err: return err; -@@ -2513,6 +2959,15 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2516,6 +2960,15 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long addr, int new_below) { @@ -97292,7 +97390,7 @@ index ae91989..d8308c7 100644 if (mm->map_count >= sysctl_max_map_count) return -ENOMEM; -@@ -2524,11 +2979,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2527,11 +2980,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, * work. This now handles partial unmappings. * Jeremy Fitzhardinge <jeremy@goop.org> */ @@ -97323,7 +97421,7 @@ index ae91989..d8308c7 100644 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) return -EINVAL; -@@ -2604,6 +3078,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) +@@ -2607,6 +3079,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) /* Fix up all other VM information */ remove_vma_list(mm, vma); @@ -97332,7 +97430,7 @@ index ae91989..d8308c7 100644 return 0; } -@@ -2612,6 +3088,13 @@ int vm_munmap(unsigned long start, size_t len) +@@ -2615,6 +3089,13 @@ int vm_munmap(unsigned long start, size_t len) int ret; struct mm_struct *mm = current->mm; @@ -97346,7 +97444,7 @@ index ae91989..d8308c7 100644 down_write(&mm->mmap_sem); ret = do_munmap(mm, start, len); up_write(&mm->mmap_sem); -@@ -2625,16 +3108,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) +@@ -2628,16 +3109,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) return vm_munmap(addr, len); } @@ -97363,7 +97461,7 @@ index ae91989..d8308c7 100644 /* * this is really a simplified "do_mmap". it only handles * anonymous maps. eventually we may be able to do some -@@ -2648,6 +3121,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2651,6 +3122,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) struct rb_node **rb_link, *rb_parent; pgoff_t pgoff = addr >> PAGE_SHIFT; int error; @@ -97371,7 +97469,7 @@ index ae91989..d8308c7 100644 len = PAGE_ALIGN(len); if (!len) -@@ -2655,10 +3129,24 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2658,10 +3130,24 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; @@ -97396,7 +97494,7 @@ index ae91989..d8308c7 100644 error = mlock_future_check(mm, mm->def_flags, len); if (error) return error; -@@ -2672,21 +3160,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2675,21 +3161,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) /* * Clear old maps. this also does some error checking for us */ @@ -97421,7 +97519,7 @@ index ae91989..d8308c7 100644 return -ENOMEM; /* Can we just expand an old private anonymous mapping? */ -@@ -2700,7 +3187,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2703,7 +3188,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) */ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); if (!vma) { @@ -97430,7 +97528,7 @@ index ae91989..d8308c7 100644 return -ENOMEM; } -@@ -2714,10 +3201,11 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2717,10 +3202,11 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) vma_link(mm, vma, prev, rb_link, rb_parent); out: perf_event_mmap(vma); @@ -97444,7 +97542,7 @@ index ae91989..d8308c7 100644 return addr; } -@@ -2779,6 +3267,7 @@ void exit_mmap(struct mm_struct *mm) +@@ -2782,6 +3268,7 @@ void exit_mmap(struct mm_struct *mm) while (vma) { if (vma->vm_flags & VM_ACCOUNT) nr_accounted += vma_pages(vma); @@ -97452,7 +97550,7 @@ index ae91989..d8308c7 100644 vma = remove_vma(vma); } vm_unacct_memory(nr_accounted); -@@ -2796,6 +3285,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -2799,6 +3286,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) struct vm_area_struct *prev; struct rb_node **rb_link, *rb_parent; @@ -97466,7 +97564,7 @@ index ae91989..d8308c7 100644 /* * The vm_pgoff of a purely anonymous vma should be irrelevant * until its first write fault, when page's anon_vma and index -@@ -2819,7 +3315,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -2822,7 +3316,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) security_vm_enough_memory_mm(mm, vma_pages(vma))) return -ENOMEM; @@ -97488,7 +97586,7 @@ index ae91989..d8308c7 100644 return 0; } -@@ -2838,6 +3348,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2841,6 +3349,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, struct rb_node **rb_link, *rb_parent; bool faulted_in_anon_vma = true; @@ -97497,7 +97595,7 @@ index ae91989..d8308c7 100644 /* * If anonymous vma has not yet been faulted, update new pgoff * to match new location, to increase its chance of merging. -@@ -2902,6 +3414,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2905,6 +3415,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, return NULL; } @@ -97537,7 +97635,7 @@ index ae91989..d8308c7 100644 /* * Return true if the calling process may expand its vm space by the passed * number of pages -@@ -2913,6 +3458,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) +@@ -2916,6 +3459,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT; @@ -97545,7 +97643,7 @@ index ae91989..d8308c7 100644 if (cur + npages > lim) return 0; return 1; -@@ -2995,6 +3541,22 @@ static struct vm_area_struct *__install_special_mapping( +@@ -2998,6 +3542,22 @@ static struct vm_area_struct *__install_special_mapping( vma->vm_start = addr; vma->vm_end = addr + len; @@ -97972,7 +98070,7 @@ index bd1808e..b63d87c 100644 struct mm_struct *mm; diff --git a/mm/page-writeback.c b/mm/page-writeback.c -index 19ceae8..70848ee 100644 +index 437174a..8b86707 100644 --- a/mm/page-writeback.c +++ b/mm/page-writeback.c @@ -664,7 +664,7 @@ static long long pos_ratio_polynom(unsigned long setpoint, @@ -100380,7 +100478,7 @@ index 8854c05..ee5d5497 100644 atomic_t batman_queue_left; char num_ifaces; diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c -index c2e0d14..bfa852b 100644 +index cfbb39e..0bbfc9d 100644 --- a/net/bluetooth/6lowpan.c +++ b/net/bluetooth/6lowpan.c @@ -367,7 +367,6 @@ static int recv_pkt(struct sk_buff *skb, struct net_device *dev, @@ -102040,10 +102138,29 @@ index 3d4da2c..40f9c29 100644 ICMP_PROT_UNREACH, 0); } diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c -index 9daf217..dc6972d 100644 +index 9daf217..373d454 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c -@@ -1177,7 +1177,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, +@@ -443,15 +443,12 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) + + memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err)); + sin = &errhdr.offender; +- sin->sin_family = AF_UNSPEC; ++ memset(sin, 0, sizeof(*sin)); ++ + if (serr->ee.ee_origin == SO_EE_ORIGIN_ICMP) { +- struct inet_sock *inet = inet_sk(sk); +- + sin->sin_family = AF_INET; + sin->sin_addr.s_addr = ip_hdr(skb)->saddr; +- sin->sin_port = 0; +- memset(&sin->sin_zero, 0, sizeof(sin->sin_zero)); +- if (inet->cmsg_flags) ++ if (inet_sk(sk)->cmsg_flags) + ip_cmsg_recv(msg, skb); + } + +@@ -1177,7 +1174,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, len = min_t(unsigned int, len, opt->optlen); if (put_user(len, optlen)) return -EFAULT; @@ -102053,7 +102170,7 @@ index 9daf217..dc6972d 100644 return -EFAULT; return 0; } -@@ -1308,7 +1309,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, +@@ -1308,7 +1306,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, if (sk->sk_type != SOCK_STREAM) return -ENOPROTOOPT; @@ -103033,10 +103150,38 @@ index e8c4400..a4cd5da 100644 err = ipv6_init_mibs(net); if (err) diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c -index 2cdc383..09cffb8 100644 +index 2cdc383..4f1b785 100644 --- a/net/ipv6/datagram.c +++ b/net/ipv6/datagram.c -@@ -928,5 +928,5 @@ void ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp, +@@ -383,11 +383,10 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) + + memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err)); + sin = &errhdr.offender; +- sin->sin6_family = AF_UNSPEC; ++ memset(sin, 0, sizeof(*sin)); ++ + if (serr->ee.ee_origin != SO_EE_ORIGIN_LOCAL) { + sin->sin6_family = AF_INET6; +- sin->sin6_flowinfo = 0; +- sin->sin6_port = 0; + if (np->rxopt.all) + ip6_datagram_recv_common_ctl(sk, msg, skb); + if (skb->protocol == htons(ETH_P_IPV6)) { +@@ -398,12 +397,9 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) + ipv6_iface_scope_id(&sin->sin6_addr, + IP6CB(skb)->iif); + } else { +- struct inet_sock *inet = inet_sk(sk); +- + ipv6_addr_set_v4mapped(ip_hdr(skb)->saddr, + &sin->sin6_addr); +- sin->sin6_scope_id = 0; +- if (inet->cmsg_flags) ++ if (inet_sk(sk)->cmsg_flags) + ip_cmsg_recv(msg, skb); + } + } +@@ -928,5 +924,5 @@ void ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp, 0, sock_i_ino(sp), atomic_read(&sp->sk_refcnt), sp, @@ -103453,10 +103598,25 @@ index 1a157ca..9fc05f4 100644 return -ENOMEM; } diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index a318dd89..7ecfea6 100644 +index a318dd89..42a612c 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c -@@ -2965,7 +2965,7 @@ struct ctl_table ipv6_route_table_template[] = { +@@ -1150,12 +1150,9 @@ static void ip6_rt_update_pmtu(struct dst_entry *dst, struct sock *sk, + struct net *net = dev_net(dst->dev); + + rt6->rt6i_flags |= RTF_MODIFIED; +- if (mtu < IPV6_MIN_MTU) { +- u32 features = dst_metric(dst, RTAX_FEATURES); ++ if (mtu < IPV6_MIN_MTU) + mtu = IPV6_MIN_MTU; +- features |= RTAX_FEATURE_ALLFRAG; +- dst_metric_set(dst, RTAX_FEATURES, features); +- } ++ + dst_metric_set(dst, RTAX_MTU, mtu); + rt6_update_expires(rt6, net->ipv6.sysctl.ip6_rt_mtu_expires); + } +@@ -2965,7 +2962,7 @@ struct ctl_table ipv6_route_table_template[] = { struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net) { @@ -109405,10 +109565,10 @@ index 4c41c90..37f3631 100644 return snd_seq_device_register_driver(SNDRV_SEQ_DEV_ID_EMU10K1_SYNTH, &ops, sizeof(struct snd_emu10k1_synth_arg)); diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c -index 15e0089..ad6bc9b 100644 +index e708368..764dffe 100644 --- a/sound/pci/hda/hda_codec.c +++ b/sound/pci/hda/hda_codec.c -@@ -966,14 +966,10 @@ find_codec_preset(struct hda_codec *codec) +@@ -968,14 +968,10 @@ find_codec_preset(struct hda_codec *codec) mutex_unlock(&preset_mutex); if (mod_requested < HDA_MODREQ_MAX_COUNT) { @@ -109425,7 +109585,7 @@ index 15e0089..ad6bc9b 100644 mod_requested++; goto again; } -@@ -2800,7 +2796,7 @@ static int get_kctl_0dB_offset(struct hda_codec *codec, +@@ -2802,7 +2798,7 @@ static int get_kctl_0dB_offset(struct hda_codec *codec, /* FIXME: set_fs() hack for obtaining user-space TLV data */ mm_segment_t fs = get_fs(); set_fs(get_ds()); diff --git a/3.18.2/4425_grsec_remove_EI_PAX.patch b/3.18.3/4425_grsec_remove_EI_PAX.patch index 86e242a..86e242a 100644 --- a/3.18.2/4425_grsec_remove_EI_PAX.patch +++ b/3.18.3/4425_grsec_remove_EI_PAX.patch diff --git a/3.18.2/4427_force_XATTR_PAX_tmpfs.patch b/3.18.3/4427_force_XATTR_PAX_tmpfs.patch index 22c9273..22c9273 100644 --- a/3.18.2/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.18.3/4427_force_XATTR_PAX_tmpfs.patch diff --git a/3.18.2/4430_grsec-remove-localversion-grsec.patch b/3.18.3/4430_grsec-remove-localversion-grsec.patch index 31cf878..31cf878 100644 --- a/3.18.2/4430_grsec-remove-localversion-grsec.patch +++ b/3.18.3/4430_grsec-remove-localversion-grsec.patch diff --git a/3.18.2/4435_grsec-mute-warnings.patch b/3.18.3/4435_grsec-mute-warnings.patch index 0585e08..0585e08 100644 --- a/3.18.2/4435_grsec-mute-warnings.patch +++ b/3.18.3/4435_grsec-mute-warnings.patch diff --git a/3.18.2/4440_grsec-remove-protected-paths.patch b/3.18.3/4440_grsec-remove-protected-paths.patch index 741546d..741546d 100644 --- a/3.18.2/4440_grsec-remove-protected-paths.patch +++ b/3.18.3/4440_grsec-remove-protected-paths.patch diff --git a/3.18.2/4450_grsec-kconfig-default-gids.patch b/3.18.3/4450_grsec-kconfig-default-gids.patch index 039bad1..039bad1 100644 --- a/3.18.2/4450_grsec-kconfig-default-gids.patch +++ b/3.18.3/4450_grsec-kconfig-default-gids.patch diff --git a/3.18.2/4465_selinux-avc_audit-log-curr_ip.patch b/3.18.3/4465_selinux-avc_audit-log-curr_ip.patch index 747ac53..747ac53 100644 --- a/3.18.2/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.18.3/4465_selinux-avc_audit-log-curr_ip.patch diff --git a/3.18.2/4470_disable-compat_vdso.patch b/3.18.3/4470_disable-compat_vdso.patch index df785ab..df785ab 100644 --- a/3.18.2/4470_disable-compat_vdso.patch +++ b/3.18.3/4470_disable-compat_vdso.patch diff --git a/3.18.2/4475_emutramp_default_on.patch b/3.18.3/4475_emutramp_default_on.patch index ad4967a..ad4967a 100644 --- a/3.18.2/4475_emutramp_default_on.patch +++ b/3.18.3/4475_emutramp_default_on.patch diff --git a/3.2.66/0000_README b/3.2.66/0000_README index f224bbd..f9825bd 100644 --- a/3.2.66/0000_README +++ b/3.2.66/0000_README @@ -182,7 +182,7 @@ Patch: 1065_linux-3.2.66.patch From: http://www.kernel.org Desc: Linux 3.2.66 -Patch: 4420_grsecurity-3.0-3.2.66-201501142321.patch +Patch: 4420_grsecurity-3.0-3.2.66-201501211939.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.66/4420_grsecurity-3.0-3.2.66-201501142321.patch b/3.2.66/4420_grsecurity-3.0-3.2.66-201501211939.patch index 0a514cd..89a8670 100644 --- a/3.2.66/4420_grsecurity-3.0-3.2.66-201501142321.patch +++ b/3.2.66/4420_grsecurity-3.0-3.2.66-201501211939.patch @@ -45572,6 +45572,42 @@ index b02adbc..4285b65 100644 #include <linux/mlx4/device.h> #include <linux/mlx4/doorbell.h> +diff --git a/drivers/net/ethernet/neterion/s2io.c b/drivers/net/ethernet/neterion/s2io.c +index c27fb3d..c54df57 100644 +--- a/drivers/net/ethernet/neterion/s2io.c ++++ b/drivers/net/ethernet/neterion/s2io.c +@@ -6994,7 +6994,9 @@ static int s2io_add_isr(struct s2io_nic *sp) + if (sp->s2io_entries[i].in_use == MSIX_FLG) { + if (sp->s2io_entries[i].type == + MSIX_RING_TYPE) { +- sprintf(sp->desc[i], "%s:MSI-X-%d-RX", ++ snprintf(sp->desc[i], ++ sizeof(sp->desc[i]), ++ "%s:MSI-X-%d-RX", + dev->name, i); + err = request_irq(sp->entries[i].vector, + s2io_msix_ring_handle, +@@ -7003,7 +7005,9 @@ static int s2io_add_isr(struct s2io_nic *sp) + sp->s2io_entries[i].arg); + } else if (sp->s2io_entries[i].type == + MSIX_ALARM_TYPE) { +- sprintf(sp->desc[i], "%s:MSI-X-%d-TX", ++ snprintf(sp->desc[i], ++ sizeof(sp->desc[i]), ++ "%s:MSI-X-%d-TX", + dev->name, i); + err = request_irq(sp->entries[i].vector, + s2io_msix_fifo_handle, +@@ -8166,7 +8170,8 @@ s2io_init_nic(struct pci_dev *pdev, const struct pci_device_id *pre) + "%s: UDP Fragmentation Offload(UFO) enabled\n", + dev->name); + /* Initialize device name */ +- sprintf(sp->name, "%s Neterion %s", dev->name, sp->product_name); ++ snprintf(sp->name, sizeof(sp->name), "%s Neterion %s", dev->name, ++ sp->product_name); + + if (vlan_tag_strip) + sp->vlan_strip_flag = 1; diff --git a/drivers/net/ethernet/neterion/vxge/vxge-config.c b/drivers/net/ethernet/neterion/vxge/vxge-config.c index 98e2c10..79af7f8 100644 --- a/drivers/net/ethernet/neterion/vxge/vxge-config.c @@ -104363,10 +104399,29 @@ index 073a9b0..8c29a4f 100644 ICMP_PROT_UNREACH, 0); } diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c -index 542a9c1..5b792eb 100644 +index 542a9c1..9f73775 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c -@@ -1121,7 +1121,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, +@@ -416,15 +416,12 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) + + memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err)); + sin = &errhdr.offender; +- sin->sin_family = AF_UNSPEC; ++ memset(sin, 0, sizeof(*sin)); ++ + if (serr->ee.ee_origin == SO_EE_ORIGIN_ICMP) { +- struct inet_sock *inet = inet_sk(sk); +- + sin->sin_family = AF_INET; + sin->sin_addr.s_addr = ip_hdr(skb)->saddr; +- sin->sin_port = 0; +- memset(&sin->sin_zero, 0, sizeof(sin->sin_zero)); +- if (inet->cmsg_flags) ++ if (inet_sk(sk)->cmsg_flags) + ip_cmsg_recv(msg, skb); + } + +@@ -1121,7 +1118,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, len = min_t(unsigned int, len, opt->optlen); if (put_user(len, optlen)) return -EFAULT; @@ -104376,7 +104431,7 @@ index 542a9c1..5b792eb 100644 return -EFAULT; return 0; } -@@ -1249,7 +1250,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, +@@ -1249,7 +1247,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname, if (sk->sk_type != SOCK_STREAM) return -ENOPROTOOPT; @@ -105491,6 +105546,38 @@ index 3afdd78..2f630fb 100644 } static struct pernet_operations if6_proc_net_ops = { +diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c +index 3c7c948..33719b7 100644 +--- a/net/ipv6/datagram.c ++++ b/net/ipv6/datagram.c +@@ -371,12 +371,10 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) + + memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err)); + sin = &errhdr.offender; +- sin->sin6_family = AF_UNSPEC; ++ memset(sin, 0, sizeof(*sin)); ++ + if (serr->ee.ee_origin != SO_EE_ORIGIN_LOCAL) { + sin->sin6_family = AF_INET6; +- sin->sin6_flowinfo = 0; +- sin->sin6_port = 0; +- sin->sin6_scope_id = 0; + if (skb->protocol == htons(ETH_P_IPV6)) { + ipv6_addr_copy(&sin->sin6_addr, &ipv6_hdr(skb)->saddr); + if (np->rxopt.all) +@@ -384,11 +382,9 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) + if (ipv6_addr_type(&sin->sin6_addr) & IPV6_ADDR_LINKLOCAL) + sin->sin6_scope_id = IP6CB(skb)->iif; + } else { +- struct inet_sock *inet = inet_sk(sk); +- + ipv6_addr_set_v4mapped(ip_hdr(skb)->saddr, + &sin->sin6_addr); +- if (inet->cmsg_flags) ++ if (inet_sk(sk)->cmsg_flags) + ip_cmsg_recv(msg, skb); + } + } diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index 65dd543..e6c6e6d 100644 --- a/net/ipv6/esp6.c @@ -105776,10 +105863,25 @@ index eba5deb..61e026f 100644 return -ENOMEM; } diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index 782f67a..9b969f2 100644 +index 782f67a..2dc56bf 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c -@@ -2809,7 +2809,7 @@ ctl_table ipv6_route_table_template[] = { +@@ -1018,12 +1018,9 @@ static void ip6_rt_update_pmtu(struct dst_entry *dst, u32 mtu) + + if (mtu < dst_mtu(dst) && rt6->rt6i_dst.plen == 128) { + rt6->rt6i_flags |= RTF_MODIFIED; +- if (mtu < IPV6_MIN_MTU) { +- u32 features = dst_metric(dst, RTAX_FEATURES); ++ if (mtu < IPV6_MIN_MTU) + mtu = IPV6_MIN_MTU; +- features |= RTAX_FEATURE_ALLFRAG; +- dst_metric_set(dst, RTAX_FEATURES, features); +- } ++ + dst_metric_set(dst, RTAX_MTU, mtu); + } + } +@@ -2809,7 +2806,7 @@ ctl_table ipv6_route_table_template[] = { struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net) { |