* [gentoo-commits] proj/hardened-patchset:master commit in: 3.2.11/, 2.6.32/
@ 2012-03-19 12:11 Anthony G. Basile
From: Anthony G. Basile @ 2012-03-19 12:11 UTC (permalink / raw
  To: gentoo-commits

commit:     51dd5f4138d705adced12d72056f83d949055ae0
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Mon Mar 19 12:10:47 2012 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Mon Mar 19 12:10:47 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=51dd5f41

Grsec/PaX: 2.9-2.6.32.59-201203181400 + 2.9-3.2.11-201203181401

---
 2.6.32/0000_README                                 |    2 +-
 ...20_grsecurity-2.9-2.6.32.59-201203181400.patch} | 4238 +++++++++++---
 2.6.32/4425_grsec_enable_xtpax.patch               |   16 -
 3.2.11/0000_README                                 |    2 +-
 ... 4420_grsecurity-2.9-3.2.11-201203181401.patch} | 6382 ++++++++++++++++++--
 3.2.11/4425_grsec_enable_xtpax.patch               |   16 -
 6 files changed, 9342 insertions(+), 1314 deletions(-)

diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 1858adf..ff587f9 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -22,7 +22,7 @@ Patch:	1056_linux-2.6.32.57.patch
 From:	http://www.kernel.org
 Desc:	Linux 2.6.32.57
 
-Patch:	4420_grsecurity-2.9-2.6.32.58-201203131839.patch
+Patch:	4420_grsecurity-2.9-2.6.32.59-201203181400.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/2.6.32/4420_grsecurity-2.9-2.6.32.58-201203131839.patch b/2.6.32/4420_grsecurity-2.9-2.6.32.59-201203181400.patch
similarity index 96%
rename from 2.6.32/4420_grsecurity-2.9-2.6.32.58-201203131839.patch
rename to 2.6.32/4420_grsecurity-2.9-2.6.32.59-201203181400.patch
index 325d13c..2e58a75 100644
--- a/2.6.32/4420_grsecurity-2.9-2.6.32.58-201203131839.patch
+++ b/2.6.32/4420_grsecurity-2.9-2.6.32.59-201203181400.patch
@@ -1,11 +1,12 @@
 diff --git a/Documentation/dontdiff b/Documentation/dontdiff
-index e1efc40..76e689e 100644
+index e1efc40..4e87324 100644
 --- a/Documentation/dontdiff
 +++ b/Documentation/dontdiff
-@@ -1,15 +1,19 @@
+@@ -1,15 +1,20 @@
  *.a
  *.aux
  *.bin
++*.c.[012].*
 +*.cis
  *.cpio
  *.csp
@@ -22,7 +23,7 @@ index e1efc40..76e689e 100644
  *.grep
  *.grp
  *.gz
-@@ -38,8 +42,10 @@
+@@ -38,8 +43,10 @@
  *.tab.h
  *.tex
  *.ver
@@ -33,7 +34,7 @@ index e1efc40..76e689e 100644
  *_vga16.c
  *~
  *.9
-@@ -49,11 +55,16 @@
+@@ -49,11 +56,16 @@
  53c700_d.h
  CVS
  ChangeSet
@@ -50,7 +51,7 @@ index e1efc40..76e689e 100644
  SCCS
  System.map*
  TAGS
-@@ -76,7 +87,11 @@ btfixupprep
+@@ -76,7 +88,11 @@ btfixupprep
  build
  bvmlinux
  bzImage*
@@ -62,7 +63,7 @@ index e1efc40..76e689e 100644
  comp*.log
  compile.h*
  conf
-@@ -84,6 +99,8 @@ config
+@@ -84,6 +100,8 @@ config
  config-*
  config_data.h*
  config_data.gz*
@@ -71,7 +72,7 @@ index e1efc40..76e689e 100644
  conmakehash
  consolemap_deftbl.c*
  cpustr.h
-@@ -97,19 +114,23 @@ elfconfig.h*
+@@ -97,19 +115,23 @@ elfconfig.h*
  fixdep
  fore200e_mkfirm
  fore200e_pca_fw.c*
@@ -96,7 +97,7 @@ index e1efc40..76e689e 100644
  keywords.c
  ksym.c*
  ksym.h*
-@@ -117,6 +138,7 @@ kxgettext
+@@ -117,6 +139,7 @@ kxgettext
  lkc_defs.h
  lex.c
  lex.*.c
@@ -104,7 +105,7 @@ index e1efc40..76e689e 100644
  logo_*.c
  logo_*_clut224.c
  logo_*_mono.c
-@@ -127,13 +149,16 @@ machtypes.h
+@@ -127,13 +150,16 @@ machtypes.h
  map
  maui_boot.h
  mconf
@@ -121,7 +122,7 @@ index e1efc40..76e689e 100644
  mktables
  mktree
  modpost
-@@ -149,6 +174,7 @@ patches*
+@@ -149,6 +175,7 @@ patches*
  pca200e.bin
  pca200e_ecd.bin2
  piggy.gz
@@ -129,7 +130,7 @@ index e1efc40..76e689e 100644
  piggyback
  pnmtologo
  ppc_defs.h*
-@@ -157,12 +183,15 @@ qconf
+@@ -157,12 +184,15 @@ qconf
  raid6altivec*.c
  raid6int*.c
  raid6tables.c
@@ -145,7 +146,7 @@ index e1efc40..76e689e 100644
  sm_tbl*
  split-include
  syscalltab.h
-@@ -171,6 +200,7 @@ tftpboot.img
+@@ -171,6 +201,7 @@ tftpboot.img
  timeconst.h
  times.h*
  trix_boot.h
@@ -153,7 +154,7 @@ index e1efc40..76e689e 100644
  utsrelease.h*
  vdso-syms.lds
  vdso.lds
-@@ -186,14 +216,20 @@ version.h*
+@@ -186,14 +217,20 @@ version.h*
  vmlinux
  vmlinux-*
  vmlinux.aout
@@ -212,7 +213,7 @@ index 613da5d..4fe3eda 100644
  M:	Liam Girdwood <lrg@slimlogic.co.uk>
  M:	Mark Brown <broonie@opensource.wolfsonmicro.com>
 diff --git a/Makefile b/Makefile
-index ed78982..cb8fa66 100644
+index 3a9a721..e5a22f7 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -221,8 +221,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -247,7 +248,7 @@ index ed78982..cb8fa66 100644
  			 include/linux/version.h headers_% \
  			 kernelrelease kernelversion
  
-@@ -526,6 +527,50 @@ else
+@@ -526,6 +527,53 @@ else
  KBUILD_CFLAGS	+= -O2
  endif
  
@@ -274,10 +275,13 @@ index ed78982..cb8fa66 100644
 +endif
 +endif
 +COLORIZE_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/colorize_plugin.so
++ifdef CONFIG_PAX_SIZE_OVERFLOW
++SIZE_OVERFLOW_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/size_overflow_plugin.so -DSIZE_OVERFLOW_PLUGIN
++endif
 +GCC_PLUGINS_CFLAGS := $(CONSTIFY_PLUGIN_CFLAGS) $(STACKLEAK_PLUGIN_CFLAGS) $(KALLOCSTAT_PLUGIN_CFLAGS)
-+GCC_PLUGINS_CFLAGS += $(KERNEXEC_PLUGIN_CFLAGS) $(CHECKER_PLUGIN_CFLAGS) $(COLORIZE_PLUGIN_CFLAGS)
++GCC_PLUGINS_CFLAGS += $(KERNEXEC_PLUGIN_CFLAGS) $(CHECKER_PLUGIN_CFLAGS) $(COLORIZE_PLUGIN_CFLAGS) $(SIZE_OVERFLOW_PLUGIN_CFLAGS)
 +GCC_PLUGINS_AFLAGS := $(KERNEXEC_PLUGIN_AFLAGS)
-+export CONSTIFY_PLUGIN STACKLEAK_PLUGIN KERNEXEC_PLUGIN CHECKER_PLUGIN
++export CONSTIFY_PLUGIN STACKLEAK_PLUGIN KERNEXEC_PLUGIN CHECKER_PLUGIN SIZE_OVERFLOW_PLUGIN
 +ifeq ($(KBUILD_EXTMOD),)
 +gcc-plugins:
 +	$(Q)$(MAKE) $(build)=tools/gcc
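Review bot: The `export` line now lists `SIZE_OVERFLOW_PLUGIN`, but the only variable this hunk assigns is `SIZE_OVERFLOW_PLUGIN_CFLAGS`, so unless `SIZE_OVERFLOW_PLUGIN` is set in a part of the Makefile outside the hunk, the export passes an empty value to sub-makes. The other names already on that line (`CONSTIFY_PLUGIN`, `STACKLEAK_PLUGIN`, ...) follow the same pattern, so this may be intentional; if it is not, export the `_CFLAGS` name instead. When `CONFIG_PAX_SIZE_OVERFLOW` is unset the flags variable stays empty and nothing in this hunk reports that the build runs without the plugin, so a comment above the `ifdef` such as `# empty when CONFIG_PAX_SIZE_OVERFLOW is off: no -fplugin, no -DSIZE_OVERFLOW_PLUGIN` would help anyone auditing which hardening is actually compiled in. The enclosing conditional block starts above the hunk.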
@@ -298,7 +302,7 @@ index ed78982..cb8fa66 100644
  include $(srctree)/arch/$(SRCARCH)/Makefile
  
  ifneq ($(CONFIG_FRAME_WARN),0)
-@@ -647,7 +692,7 @@ export mod_strip_cmd
+@@ -647,7 +695,7 @@ export mod_strip_cmd
  
  
  ifeq ($(KBUILD_EXTMOD),)
@@ -307,7 +311,7 @@ index ed78982..cb8fa66 100644
  
  vmlinux-dirs	:= $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
  		     $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
-@@ -868,6 +913,8 @@ vmlinux.o: $(modpost-init) $(vmlinux-main) FORCE
+@@ -868,6 +916,8 @@ vmlinux.o: $(modpost-init) $(vmlinux-main) FORCE
  
  # The actual objects are generated when descending, 
  # make sure no implicit rule kicks in
@@ -316,7 +320,7 @@ index ed78982..cb8fa66 100644
  $(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ;
  
  # Handle descending into subdirectories listed in $(vmlinux-dirs)
-@@ -877,7 +924,7 @@ $(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ;
+@@ -877,7 +927,7 @@ $(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ;
  # Error messages still appears in the original language
  
  PHONY += $(vmlinux-dirs)
@@ -325,7 +329,7 @@ index ed78982..cb8fa66 100644
  	$(Q)$(MAKE) $(build)=$@
  
  # Build the kernel release string
-@@ -986,6 +1033,7 @@ prepare0: archprepare FORCE
+@@ -986,6 +1036,7 @@ prepare0: archprepare FORCE
  	$(Q)$(MAKE) $(build)=. missing-syscalls
  
  # All the preparing..
@@ -333,7 +337,7 @@ index ed78982..cb8fa66 100644
  prepare: prepare0
  
  # The asm symlink changes when $(ARCH) changes.
-@@ -1127,6 +1175,8 @@ all: modules
+@@ -1127,6 +1178,8 @@ all: modules
  #	using awk while concatenating to the final file.
  
  PHONY += modules
@@ -342,7 +346,7 @@ index ed78982..cb8fa66 100644
  modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux)
  	$(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order
  	@$(kecho) '  Building modules, stage 2.';
-@@ -1136,7 +1186,7 @@ modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux)
+@@ -1136,7 +1189,7 @@ modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux)
  
  # Target to prepare building external modules
  PHONY += modules_prepare
@@ -351,7 +355,7 @@ index ed78982..cb8fa66 100644
  
  # Target to install modules
  PHONY += modules_install
-@@ -1201,7 +1251,7 @@ MRPROPER_FILES += .config .config.old include/asm .version .old_version \
+@@ -1201,7 +1254,7 @@ MRPROPER_FILES += .config .config.old include/asm .version .old_version \
                    include/linux/autoconf.h include/linux/version.h      \
                    include/linux/utsrelease.h                            \
                    include/linux/bounds.h include/asm*/asm-offsets.h     \
@@ -360,7 +364,7 @@ index ed78982..cb8fa66 100644
  
  # clean - Delete most, but leave enough to build external modules
  #
-@@ -1245,7 +1295,7 @@ distclean: mrproper
+@@ -1245,7 +1298,7 @@ distclean: mrproper
  	@find $(srctree) $(RCS_FIND_IGNORE) \
  		\( -name '*.orig' -o -name '*.rej' -o -name '*~' \
  		-o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
@@ -369,7 +373,7 @@ index ed78982..cb8fa66 100644
  		-o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \
  		-type f -print | xargs rm -f
  
-@@ -1292,6 +1342,7 @@ help:
+@@ -1292,6 +1345,7 @@ help:
  	@echo  '  modules_prepare - Set up for building external modules'
  	@echo  '  tags/TAGS	  - Generate tags file for editors'
  	@echo  '  cscope	  - Generate cscope index'
@@ -377,7 +381,7 @@ index ed78982..cb8fa66 100644
  	@echo  '  kernelrelease	  - Output the release version string'
  	@echo  '  kernelversion	  - Output the version stored in Makefile'
  	@echo  '  headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH'; \
-@@ -1393,6 +1444,8 @@ PHONY += $(module-dirs) modules
+@@ -1393,6 +1447,8 @@ PHONY += $(module-dirs) modules
  $(module-dirs): crmodverdir $(objtree)/Module.symvers
  	$(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
  
@@ -386,7 +390,7 @@ index ed78982..cb8fa66 100644
  modules: $(module-dirs)
  	@$(kecho) '  Building modules, stage 2.';
  	$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
-@@ -1448,7 +1501,7 @@ endif # KBUILD_EXTMOD
+@@ -1448,7 +1504,7 @@ endif # KBUILD_EXTMOD
  quiet_cmd_tags = GEN     $@
        cmd_tags = $(CONFIG_SHELL) $(srctree)/scripts/tags.sh $@
  
@@ -395,7 +399,7 @@ index ed78982..cb8fa66 100644
  	$(call cmd,tags)
  
  # Scripts to check various things for consistency
-@@ -1513,17 +1566,21 @@ else
+@@ -1513,17 +1569,21 @@ else
          target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
  endif
  
@@ -421,7 +425,7 @@ index ed78982..cb8fa66 100644
  	$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
  %.symtypes: %.c prepare scripts FORCE
  	$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
-@@ -1533,11 +1590,15 @@ endif
+@@ -1533,11 +1593,15 @@ endif
  	$(cmd_crmodverdir)
  	$(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
  	$(build)=$(build-dir)
@@ -4740,10 +4744,10 @@ index f0e6f28..60d53ed 100644
  	select PPC_RTAS
  	select RTAS_ERROR_LOGGING
 diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
-index 43c0aca..42c045b 100644
+index aca7fff..76c2b6b 100644
 --- a/arch/s390/Kconfig
 +++ b/arch/s390/Kconfig
-@@ -194,28 +194,26 @@ config AUDIT_ARCH
+@@ -197,28 +197,26 @@ config AUDIT_ARCH
  
  config S390_SWITCH_AMODE
  	bool "Switch kernel/user addressing modes"
@@ -4967,10 +4971,10 @@ index 639380a..72e3c02 100644
  		if (r_type == R_390_GOTPC)
  			*(unsigned int *) loc = val;
 diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c
-index 0b2573a..71a22ec 100644
+index 358e545..051e4f4 100644
 --- a/arch/s390/kernel/setup.c
 +++ b/arch/s390/kernel/setup.c
-@@ -306,9 +306,6 @@ static int __init early_parse_mem(char *p)
+@@ -307,9 +307,6 @@ static int __init early_parse_mem(char *p)
  early_param("mem", early_parse_mem);
  
  #ifdef CONFIG_S390_SWITCH_AMODE
@@ -4980,7 +4984,7 @@ index 0b2573a..71a22ec 100644
  static int set_amode_and_uaccess(unsigned long user_amode,
  				 unsigned long user32_amode)
  {
-@@ -334,17 +331,6 @@ static int set_amode_and_uaccess(unsigned long user_amode,
+@@ -335,17 +332,6 @@ static int set_amode_and_uaccess(unsigned long user_amode,
  		return 0;
  	}
  }
@@ -4998,7 +5002,7 @@ index 0b2573a..71a22ec 100644
  #else /* CONFIG_S390_SWITCH_AMODE */
  static inline int set_amode_and_uaccess(unsigned long user_amode,
  					unsigned long user32_amode)
-@@ -353,24 +339,6 @@ static inline int set_amode_and_uaccess(unsigned long user_amode,
+@@ -354,24 +340,6 @@ static inline int set_amode_and_uaccess(unsigned long user_amode,
  }
  #endif /* CONFIG_S390_SWITCH_AMODE */
  
@@ -11132,6 +11136,18 @@ index cc70c1c..d96d011 100644
 +extern void machine_emergency_restart(void) __noreturn;
  
  #endif /* _ASM_X86_EMERGENCY_RESTART_H */
+diff --git a/arch/x86/include/asm/floppy.h b/arch/x86/include/asm/floppy.h
+index dbe82a5..c6d8a00 100644
+--- a/arch/x86/include/asm/floppy.h
++++ b/arch/x86/include/asm/floppy.h
+@@ -157,6 +157,7 @@ static unsigned long dma_mem_alloc(unsigned long size)
+ }
+ 
+ 
++static unsigned long vdma_mem_alloc(unsigned long size) __size_overflow(1);
+ static unsigned long vdma_mem_alloc(unsigned long size)
+ {
+ 	return (unsigned long)vmalloc(size);
 diff --git a/arch/x86/include/asm/futex.h b/arch/x86/include/asm/futex.h
 index 1f11ce4..7caabd1 100644
 --- a/arch/x86/include/asm/futex.h
@@ -11381,7 +11397,7 @@ index 4fe681d..bb6d40c 100644
  #define flush_insn_slot(p)	do { } while (0)
  
 diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
-index 08bc2ff..2e88d1f 100644
+index 08bc2ff..acafd8f 100644
 --- a/arch/x86/include/asm/kvm_host.h
 +++ b/arch/x86/include/asm/kvm_host.h
 @@ -534,9 +534,9 @@ struct kvm_x86_ops {
@@ -11396,6 +11412,36 @@ index 08bc2ff..2e88d1f 100644
  
  int kvm_mmu_module_init(void);
  void kvm_mmu_module_exit(void);
+@@ -558,9 +558,9 @@ void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned int kvm_nr_mmu_pages);
+ int load_pdptrs(struct kvm_vcpu *vcpu, unsigned long cr3);
+ 
+ int emulator_write_phys(struct kvm_vcpu *vcpu, gpa_t gpa,
+-			  const void *val, int bytes);
++			  const void *val, int bytes) __size_overflow(2);
+ int kvm_pv_mmu_op(struct kvm_vcpu *vcpu, unsigned long bytes,
+-		  gpa_t addr, unsigned long *ret);
++		  gpa_t addr, unsigned long *ret) __size_overflow(2,3);
+ u8 kvm_get_guest_memory_type(struct kvm_vcpu *vcpu, gfn_t gfn);
+ 
+ extern bool tdp_enabled;
+@@ -619,7 +619,7 @@ void kvm_lmsw(struct kvm_vcpu *vcpu, unsigned long msw);
+ void kvm_get_cs_db_l_bits(struct kvm_vcpu *vcpu, int *db, int *l);
+ 
+ int kvm_get_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata);
+-int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data);
++int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data) __size_overflow(3);
+ 
+ void kvm_queue_exception(struct kvm_vcpu *vcpu, unsigned nr);
+ void kvm_queue_exception_e(struct kvm_vcpu *vcpu, unsigned nr, u32 error_code);
+@@ -643,7 +643,7 @@ unsigned long segment_base(u16 selector);
+ void kvm_mmu_flush_tlb(struct kvm_vcpu *vcpu);
+ void kvm_mmu_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa,
+ 		       const u8 *new, int bytes,
+-		       bool guest_initiated);
++		       bool guest_initiated) __size_overflow(2);
+ int kvm_mmu_unprotect_page_virt(struct kvm_vcpu *vcpu, gva_t gva);
+ void __kvm_mmu_free_some_pages(struct kvm_vcpu *vcpu);
+ int kvm_mmu_load(struct kvm_vcpu *vcpu);
 diff --git a/arch/x86/include/asm/local.h b/arch/x86/include/asm/local.h
 index 47b9b6f..815aaa1 100644
 --- a/arch/x86/include/asm/local.h
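Review bot: The `__size_overflow(...)` indices added to the KVM prototypes do not line up with the obvious length parameter. On `emulator_write_phys` and `kvm_mmu_pte_write`, index 2 is the `gpa_t gpa` argument while the byte count `int bytes` is the fourth parameter; on `kvm_pv_mmu_op`, `2,3` covers `bytes` and `gpa_t addr`; on `kvm_set_msr_common`, index 3 is the `u64 data` value. If the indices are 1-based parameter positions, as `__size_overflow(3)` on the `n` of the copy routines elsewhere in this patch suggests, these annotations track guest-supplied addresses and values rather than sizes. That may be intended by the plugin's data-flow rules, which are not visible here, but a one-line comment at each prototype saying why that argument is tracked would let a reviewer confirm the length arguments were not skipped by mistake.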
@@ -12252,7 +12298,7 @@ index af6fd36..867ff74 100644
  #include <asm-generic/pgtable.h>
  #endif	/* __ASSEMBLY__ */
 diff --git a/arch/x86/include/asm/pgtable_32.h b/arch/x86/include/asm/pgtable_32.h
-index 750f1bf..971e839 100644
+index 750f1bf..971e8394 100644
 --- a/arch/x86/include/asm/pgtable_32.h
 +++ b/arch/x86/include/asm/pgtable_32.h
 @@ -26,9 +26,6 @@
@@ -13037,6 +13083,19 @@ index 1575177..cb23f52 100644
  	asm volatile ("mov %0, %%gs" : : "r" (0));
  #endif
  }
+diff --git a/arch/x86/include/asm/syscalls.h b/arch/x86/include/asm/syscalls.h
+index 1bb6e39..234246f 100644
+--- a/arch/x86/include/asm/syscalls.h
++++ b/arch/x86/include/asm/syscalls.h
+@@ -24,7 +24,7 @@ int sys_fork(struct pt_regs *);
+ int sys_vfork(struct pt_regs *);
+ 
+ /* kernel/ldt.c */
+-asmlinkage int sys_modify_ldt(int, void __user *, unsigned long);
++asmlinkage int sys_modify_ldt(int, void __user *, unsigned long) __size_overflow(3);
+ 
+ /* kernel/signal.c */
+ long sys_rt_sigreturn(struct pt_regs *);
 diff --git a/arch/x86/include/asm/system.h b/arch/x86/include/asm/system.h
 index e0fbf29..858ef4a 100644
 --- a/arch/x86/include/asm/system.h
@@ -13477,11 +13536,36 @@ index 61c5874..8a046e9 100644
  # include "uaccess_32.h"
  #else
 diff --git a/arch/x86/include/asm/uaccess_32.h b/arch/x86/include/asm/uaccess_32.h
-index 632fb44..e30e334 100644
+index 632fb44..2a195ea 100644
 --- a/arch/x86/include/asm/uaccess_32.h
 +++ b/arch/x86/include/asm/uaccess_32.h
-@@ -44,6 +44,11 @@ unsigned long __must_check __copy_from_user_ll_nocache_nozero
+@@ -12,15 +12,15 @@
+ #include <asm/page.h>
+ 
+ unsigned long __must_check __copy_to_user_ll
+-		(void __user *to, const void *from, unsigned long n);
++		(void __user *to, const void *from, unsigned long n) __size_overflow(3);
+ unsigned long __must_check __copy_from_user_ll
+-		(void *to, const void __user *from, unsigned long n);
++		(void *to, const void __user *from, unsigned long n) __size_overflow(3);
+ unsigned long __must_check __copy_from_user_ll_nozero
+-		(void *to, const void __user *from, unsigned long n);
++		(void *to, const void __user *from, unsigned long n) __size_overflow(3);
+ unsigned long __must_check __copy_from_user_ll_nocache
+-		(void *to, const void __user *from, unsigned long n);
++		(void *to, const void __user *from, unsigned long n) __size_overflow(3);
+ unsigned long __must_check __copy_from_user_ll_nocache_nozero
+-		(void *to, const void __user *from, unsigned long n);
++		(void *to, const void __user *from, unsigned long n) __size_overflow(3);
+ 
+ /**
+  * __copy_to_user_inatomic: - Copy a block of data into user space, with less checking.
+@@ -42,8 +42,15 @@ unsigned long __must_check __copy_from_user_ll_nocache_nozero
+  */
+ 
  static __always_inline unsigned long __must_check
++__copy_to_user_inatomic(void __user *to, const void *from, unsigned long n) __size_overflow(3);
++static __always_inline unsigned long __must_check
  __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
  {
 +	pax_track_stack();
@@ -13492,7 +13576,7 @@ index 632fb44..e30e334 100644
  	if (__builtin_constant_p(n)) {
  		unsigned long ret;
  
-@@ -62,6 +67,8 @@ __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
+@@ -62,6 +69,8 @@ __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
  			return ret;
  		}
  	}
@@ -13501,7 +13585,12 @@ index 632fb44..e30e334 100644
  	return __copy_to_user_ll(to, from, n);
  }
  
-@@ -83,12 +90,16 @@ static __always_inline unsigned long __must_check
+@@ -80,15 +89,23 @@ __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
+  * On success, this will be zero.
+  */
+ static __always_inline unsigned long __must_check
++__copy_to_user(void __user *to, const void *from, unsigned long n) __size_overflow(3);
++static __always_inline unsigned long __must_check
  __copy_to_user(void __user *to, const void *from, unsigned long n)
  {
  	might_fault();
@@ -13510,6 +13599,8 @@ index 632fb44..e30e334 100644
  }
  
  static __always_inline unsigned long
++__copy_from_user_inatomic(void *to, const void __user *from, unsigned long n) __size_overflow(3);
++static __always_inline unsigned long
  __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
  {
 +	if ((long)n < 0)
@@ -13518,7 +13609,12 @@ index 632fb44..e30e334 100644
  	/* Avoid zeroing the tail if the copy fails..
  	 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
  	 * but as the zeroing behaviour is only significant when n is not
-@@ -138,6 +149,12 @@ static __always_inline unsigned long
+@@ -135,9 +152,17 @@ __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
+  * for explanation of why this is needed.
+  */
+ static __always_inline unsigned long
++__copy_from_user(void *to, const void __user *from, unsigned long n) __size_overflow(3);
++static __always_inline unsigned long
  __copy_from_user(void *to, const void __user *from, unsigned long n)
  {
  	might_fault();
@@ -13531,7 +13627,7 @@ index 632fb44..e30e334 100644
  	if (__builtin_constant_p(n)) {
  		unsigned long ret;
  
-@@ -153,6 +170,8 @@ __copy_from_user(void *to, const void __user *from, unsigned long n)
+@@ -153,13 +178,21 @@ __copy_from_user(void *to, const void __user *from, unsigned long n)
  			return ret;
  		}
  	}
@@ -13540,7 +13636,9 @@ index 632fb44..e30e334 100644
  	return __copy_from_user_ll(to, from, n);
  }
  
-@@ -160,6 +179,10 @@ static __always_inline unsigned long __copy_from_user_nocache(void *to,
+ static __always_inline unsigned long __copy_from_user_nocache(void *to,
++				const void __user *from, unsigned long n) __size_overflow(3);
++static __always_inline unsigned long __copy_from_user_nocache(void *to,
  				const void __user *from, unsigned long n)
  {
  	might_fault();
@@ -13551,8 +13649,13 @@ index 632fb44..e30e334 100644
  	if (__builtin_constant_p(n)) {
  		unsigned long ret;
  
-@@ -182,14 +205,62 @@ static __always_inline unsigned long
+@@ -180,20 +213,75 @@ static __always_inline unsigned long __copy_from_user_nocache(void *to,
+ 
+ static __always_inline unsigned long
  __copy_from_user_inatomic_nocache(void *to, const void __user *from,
++				  unsigned long n) __size_overflow(3);
++static __always_inline unsigned long
++__copy_from_user_inatomic_nocache(void *to, const void __user *from,
  				  unsigned long n)
  {
 -       return __copy_from_user_ll_nocache_nozero(to, from, n);
@@ -13576,6 +13679,8 @@ index 632fb44..e30e334 100644
 + * On success, this will be zero.
 + */
 +static __always_inline unsigned long __must_check
++copy_to_user(void __user *to, const void *from, unsigned long n) __size_overflow(3);
++static __always_inline unsigned long __must_check
 +copy_to_user(void __user *to, const void *from, unsigned long n)
 +{
 +	if (access_ok(VERIFY_WRITE, to, n))
@@ -13600,6 +13705,8 @@ index 632fb44..e30e334 100644
 + * data to the requested size using zero bytes.
 + */
 +static __always_inline unsigned long __must_check
++copy_from_user(void *to, const void __user *from, unsigned long n) __size_overflow(3);
++static __always_inline unsigned long __must_check
 +copy_from_user(void *to, const void __user *from, unsigned long n)
 +{
 +	if (access_ok(VERIFY_READ, from, n))
@@ -13618,10 +13725,28 @@ index 632fb44..e30e334 100644
 -					  const void __user *from,
 -					  unsigned long n);
  long __must_check strncpy_from_user(char *dst, const char __user *src,
- 				    long count);
+-				    long count);
++				    unsigned long count) __size_overflow(3);
  long __must_check __strncpy_from_user(char *dst,
+-				      const char __user *src, long count);
++				      const char __user *src, unsigned long count) __size_overflow(3);
+ 
+ /**
+  * strlen_user: - Get the size of a string in user space.
+@@ -211,8 +299,8 @@ long __must_check __strncpy_from_user(char *dst,
+  */
+ #define strlen_user(str) strnlen_user(str, LONG_MAX)
+ 
+-long strnlen_user(const char __user *str, long n);
+-unsigned long __must_check clear_user(void __user *mem, unsigned long len);
+-unsigned long __must_check __clear_user(void __user *mem, unsigned long len);
++long strnlen_user(const char __user *str, unsigned long n);
++unsigned long __must_check clear_user(void __user *mem, unsigned long len) __size_overflow(2);
++unsigned long __must_check __clear_user(void __user *mem, unsigned long len) __size_overflow(2);
+ 
+ #endif /* _ASM_X86_UACCESS_32_H */
 diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
-index db24b21..f595ae7 100644
+index db24b21..d0d2413 100644
 --- a/arch/x86/include/asm/uaccess_64.h
 +++ b/arch/x86/include/asm/uaccess_64.h
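Review bot: In the uaccess_32.h part of this hunk, `strnlen_user(const char __user *str, unsigned long n)` gets the type change but no annotation, whereas the 64-bit header in the same patch declares `strnlen_user(..., unsigned long n) __size_overflow(2)`. If the omission is not deliberate, the 32-bit line should read `long strnlen_user(const char __user *str, unsigned long n) __size_overflow(2);`. Separately, `strncpy_from_user` and `__strncpy_from_user` change `count` from `long` to `unsigned long` while still returning `long`, so a negative count from an existing caller now arrives as a very large length, and a length above `LONG_MAX` cannot be represented in the return value. The implementations are outside this hunk, so it is worth confirming that they bound `count` before using it and that callers relying on the old signed behaviour were audited.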
 @@ -9,6 +9,9 @@
@@ -13634,12 +13759,12 @@ index db24b21..f595ae7 100644
  
  /*
   * Copy To/From Userspace
-@@ -16,116 +19,205 @@
+@@ -16,116 +19,215 @@
  
  /* Handles exceptions in both to and from, but doesn't do access_ok */
  __must_check unsigned long
 -copy_user_generic(void *to, const void *from, unsigned len);
-+copy_user_generic(void *to, const void *from, unsigned long len);
++copy_user_generic(void *to, const void *from, unsigned long len) __size_overflow(3);
  
  __must_check unsigned long
 -copy_to_user(void __user *to, const void *from, unsigned len);
@@ -13647,10 +13772,12 @@ index db24b21..f595ae7 100644
 -copy_from_user(void *to, const void __user *from, unsigned len);
 -__must_check unsigned long
 -copy_in_user(void __user *to, const void __user *from, unsigned len);
-+copy_in_user(void __user *to, const void __user *from, unsigned long len);
++copy_in_user(void __user *to, const void __user *from, unsigned long len) __size_overflow(3);
  
  static __always_inline __must_check
 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
++unsigned long __copy_from_user(void *dst, const void __user *src, unsigned long size) __size_overflow(3);
++static __always_inline __must_check
 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned long size)
  {
 -	int ret = 0;
@@ -13731,6 +13858,8 @@ index db24b21..f595ae7 100644
  
  static __always_inline __must_check
 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
++unsigned long __copy_to_user(void __user *dst, const void *src, unsigned long size) __size_overflow(3);
++static __always_inline __must_check
 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned long size)
  {
 -	int ret = 0;
@@ -13808,21 +13937,30 @@ index db24b21..f595ae7 100644
 +#endif
 +
 +		return copy_user_generic((__force_kernel void *)dst, src, size);
-+	}
-+}
-+
+ 	}
+ }
+ 
+ static __always_inline __must_check
+-int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
++unsigned long copy_to_user(void __user *to, const void *from, unsigned long len) __size_overflow(3);
 +static __always_inline __must_check
 +unsigned long copy_to_user(void __user *to, const void *from, unsigned long len)
-+{
+ {
+-	int ret = 0;
 +	if (access_ok(VERIFY_WRITE, to, len))
 +		len = __copy_to_user(to, from, len);
 +	return len;
 +}
-+
+ 
++static __always_inline __must_check
++unsigned long copy_from_user(void *to, const void __user *from, unsigned long len) __size_overflow(3);
 +static __always_inline __must_check
 +unsigned long copy_from_user(void *to, const void __user *from, unsigned long len)
 +{
-+	might_fault();
+ 	might_fault();
+-	if (!__builtin_constant_p(size))
+-		return copy_user_generic((__force void *)dst,
+-					 (__force void *)src, size);
 +
 +	if (access_ok(VERIFY_READ, from, len))
 +		len = __copy_from_user(to, from, len);
@@ -13830,21 +13968,18 @@ index db24b21..f595ae7 100644
 +		if (!__builtin_constant_p(len))
 +			check_object_size(to, len, false);
 +		memset(to, 0, len);
- 	}
++	}
 +	return len;
- }
- 
- static __always_inline __must_check
--int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
++}
++
++static __always_inline __must_check
++unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned long size) __size_overflow(3);
++static __always_inline __must_check
 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned long size)
- {
--	int ret = 0;
++{
 +	unsigned ret = 0;
- 
- 	might_fault();
--	if (!__builtin_constant_p(size))
--		return copy_user_generic((__force void *)dst,
--					 (__force void *)src, size);
++
++	might_fault();
 +
 +	pax_track_stack();
 +
@@ -13878,7 +14013,7 @@ index db24b21..f595ae7 100644
  			       ret, "b", "b", "=q", 1);
  		if (likely(!ret))
  			__put_user_asm(tmp, (u8 __user *)dst,
-@@ -134,7 +226,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -134,7 +236,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
  	}
  	case 2: {
  		u16 tmp;
@@ -13887,7 +14022,7 @@ index db24b21..f595ae7 100644
  			       ret, "w", "w", "=r", 2);
  		if (likely(!ret))
  			__put_user_asm(tmp, (u16 __user *)dst,
-@@ -144,7 +236,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -144,7 +246,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
  
  	case 4: {
  		u32 tmp;
@@ -13896,7 +14031,7 @@ index db24b21..f595ae7 100644
  			       ret, "l", "k", "=r", 4);
  		if (likely(!ret))
  			__put_user_asm(tmp, (u32 __user *)dst,
-@@ -153,7 +245,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -153,7 +255,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
  	}
  	case 8: {
  		u64 tmp;
@@ -13905,7 +14040,7 @@ index db24b21..f595ae7 100644
  			       ret, "q", "", "=r", 8);
  		if (likely(!ret))
  			__put_user_asm(tmp, (u64 __user *)dst,
-@@ -161,8 +253,16 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -161,48 +263,105 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
  		return ret;
  	}
  	default:
@@ -13924,13 +14059,27 @@ index db24b21..f595ae7 100644
  	}
  }
  
-@@ -176,33 +276,75 @@ __must_check long strlen_user(const char __user *str);
- __must_check unsigned long clear_user(void __user *mem, unsigned long len);
- __must_check unsigned long __clear_user(void __user *mem, unsigned long len);
+ __must_check long
+-strncpy_from_user(char *dst, const char __user *src, long count);
++strncpy_from_user(char *dst, const char __user *src, unsigned long count) __size_overflow(3);
+ __must_check long
+-__strncpy_from_user(char *dst, const char __user *src, long count);
+-__must_check long strnlen_user(const char __user *str, long n);
+-__must_check long __strnlen_user(const char __user *str, long n);
++__strncpy_from_user(char *dst, const char __user *src, unsigned long count) __size_overflow(3);
++__must_check long strnlen_user(const char __user *str, unsigned long n) __size_overflow(2);
++__must_check long __strnlen_user(const char __user *str, unsigned long n) __size_overflow(2);
+ __must_check long strlen_user(const char __user *str);
+-__must_check unsigned long clear_user(void __user *mem, unsigned long len);
+-__must_check unsigned long __clear_user(void __user *mem, unsigned long len);
++__must_check unsigned long clear_user(void __user *mem, unsigned long len) __size_overflow(2);
++__must_check unsigned long __clear_user(void __user *mem, unsigned long len) __size_overflow(2);
  
 -__must_check long __copy_from_user_inatomic(void *dst, const void __user *src,
 -					    unsigned size);
 +static __must_check __always_inline unsigned long
++__copy_from_user_inatomic(void *dst, const void __user *src, unsigned long size) __size_overflow(3);
++static __must_check __always_inline unsigned long
 +__copy_from_user_inatomic(void *dst, const void __user *src, unsigned long size)
 +{
 +	pax_track_stack();
@@ -13952,6 +14101,8 @@ index db24b21..f595ae7 100644
 +}
 +
 +static __must_check __always_inline unsigned long
++__copy_to_user_inatomic(void __user *dst, const void *src, unsigned long size) __size_overflow(3);
++static __must_check __always_inline unsigned long
 +__copy_to_user_inatomic(void __user *dst, const void *src, unsigned long size)
  {
 -	return copy_user_generic((__force void *)dst, src, size);
@@ -13972,10 +14123,11 @@ index db24b21..f595ae7 100644
 -extern long __copy_user_nocache(void *dst, const void __user *src,
 -				unsigned size, int zerorest);
 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
-+				unsigned long size, int zerorest);
++				unsigned long size, int zerorest) __size_overflow(3);
  
 -static inline int
 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
++static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned long size) __size_overflow(3);
 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned long size)
  {
  	might_sleep();
@@ -13995,6 +14147,8 @@ index db24b21..f595ae7 100644
 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
 -				  unsigned size)
 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
++				  unsigned long size) __size_overflow(3);
++static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
 +				  unsigned long size)
  {
 +	if (size > INT_MAX)
@@ -14011,7 +14165,7 @@ index db24b21..f595ae7 100644
 -unsigned long
 -copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
 +extern unsigned long
-+copy_user_handle_tail(char __user *to, char __user *from, unsigned long len, unsigned zerorest);
++copy_user_handle_tail(char __user *to, char __user *from, unsigned long len, unsigned zerorest) __size_overflow(3);
  
  #endif /* _ASM_X86_UACCESS_64_H */
 diff --git a/arch/x86/include/asm/vdso.h b/arch/x86/include/asm/vdso.h
@@ -14896,10 +15050,19 @@ index 417990f..96dc36b 100644
  	.store  = store,
  };
 diff --git a/arch/x86/kernel/cpu/mcheck/mce-inject.c b/arch/x86/kernel/cpu/mcheck/mce-inject.c
-index 472763d..9831e11 100644
+index 472763d..aa4d686 100644
 --- a/arch/x86/kernel/cpu/mcheck/mce-inject.c
 +++ b/arch/x86/kernel/cpu/mcheck/mce-inject.c
-@@ -211,7 +211,9 @@ static ssize_t mce_write(struct file *filp, const char __user *ubuf,
+@@ -178,6 +178,8 @@ static void raise_mce(struct mce *m)
+ 
+ /* Error injection interface */
+ static ssize_t mce_write(struct file *filp, const char __user *ubuf,
++			 size_t usize, loff_t *off) __size_overflow(3);
++static ssize_t mce_write(struct file *filp, const char __user *ubuf,
+ 			 size_t usize, loff_t *off)
+ {
+ 	struct mce m;
+@@ -211,7 +213,9 @@ static ssize_t mce_write(struct file *filp, const char __user *ubuf,
  static int inject_init(void)
  {
  	printk(KERN_INFO "Machine check injector initialized\n");
@@ -15143,6 +15306,19 @@ index 55da0c5..4d75584 100644
  	.use_intel_if		= 1,
  	.set_all		= generic_set_all,
  	.get			= generic_get_mtrr,
+diff --git a/arch/x86/kernel/cpu/mtrr/if.c b/arch/x86/kernel/cpu/mtrr/if.c
+index 3c1b12d..454f6b6 100644
+--- a/arch/x86/kernel/cpu/mtrr/if.c
++++ b/arch/x86/kernel/cpu/mtrr/if.c
+@@ -89,6 +89,8 @@ mtrr_file_del(unsigned long base, unsigned long size,
+  *    "base=%Lx size=%Lx type=%s" or "disable=%d"
+  */
+ static ssize_t
++mtrr_write(struct file *file, const char __user *buf, size_t len, loff_t * ppos) __size_overflow(3);
++static ssize_t
+ mtrr_write(struct file *file, const char __user *buf, size_t len, loff_t * ppos)
+ {
+ 	int i, err;
 diff --git a/arch/x86/kernel/cpu/mtrr/main.c b/arch/x86/kernel/cpu/mtrr/main.c
 index fd60f09..c94ef52 100644
 --- a/arch/x86/kernel/cpu/mtrr/main.c
@@ -18697,6 +18873,59 @@ index 9c3bd4a..e1d9b35 100644
 +#ifdef CONFIG_PAX_KERNEXEC
 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
 +#endif
+diff --git a/arch/x86/kernel/i387.c b/arch/x86/kernel/i387.c
+index f2f8540..d845509 100644
+--- a/arch/x86/kernel/i387.c
++++ b/arch/x86/kernel/i387.c
+@@ -176,6 +176,9 @@ int xfpregs_active(struct task_struct *target, const struct user_regset *regset)
+ 
+ int xfpregs_get(struct task_struct *target, const struct user_regset *regset,
+ 		unsigned int pos, unsigned int count,
++		void *kbuf, void __user *ubuf) __size_overflow(4);
++int xfpregs_get(struct task_struct *target, const struct user_regset *regset,
++		unsigned int pos, unsigned int count,
+ 		void *kbuf, void __user *ubuf)
+ {
+ 	int ret;
+@@ -193,6 +196,9 @@ int xfpregs_get(struct task_struct *target, const struct user_regset *regset,
+ 
+ int xfpregs_set(struct task_struct *target, const struct user_regset *regset,
+ 		unsigned int pos, unsigned int count,
++		const void *kbuf, const void __user *ubuf) __size_overflow(4);
++int xfpregs_set(struct task_struct *target, const struct user_regset *regset,
++		unsigned int pos, unsigned int count,
+ 		const void *kbuf, const void __user *ubuf)
+ {
+ 	int ret;
+@@ -365,6 +371,9 @@ static void convert_to_fxsr(struct task_struct *tsk,
+ 
+ int fpregs_get(struct task_struct *target, const struct user_regset *regset,
+ 	       unsigned int pos, unsigned int count,
++	       void *kbuf, void __user *ubuf) __size_overflow(3,4);
++int fpregs_get(struct task_struct *target, const struct user_regset *regset,
++	       unsigned int pos, unsigned int count,
+ 	       void *kbuf, void __user *ubuf)
+ {
+ 	struct user_i387_ia32_struct env;
+@@ -395,6 +404,9 @@ int fpregs_get(struct task_struct *target, const struct user_regset *regset,
+ 
+ int fpregs_set(struct task_struct *target, const struct user_regset *regset,
+ 	       unsigned int pos, unsigned int count,
++	       const void *kbuf, const void __user *ubuf) __size_overflow(3,4);
++int fpregs_set(struct task_struct *target, const struct user_regset *regset,
++	       unsigned int pos, unsigned int count,
+ 	       const void *kbuf, const void __user *ubuf)
+ {
+ 	struct user_i387_ia32_struct env;
+@@ -540,6 +552,8 @@ static inline int restore_i387_fsave(struct _fpstate_ia32 __user *buf)
+ }
+ 
+ static int restore_i387_fxsave(struct _fpstate_ia32 __user *buf,
++			       unsigned int size) __size_overflow(2);
++static int restore_i387_fxsave(struct _fpstate_ia32 __user *buf,
+ 			       unsigned int size)
+ {
+ 	struct task_struct *tsk = current;
 diff --git a/arch/x86/kernel/i8259.c b/arch/x86/kernel/i8259.c
 index df89102..a244320 100644
 --- a/arch/x86/kernel/i8259.c
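Review bot: The `__size_overflow` index lists added for the regset accessors in i387.c are not uniform. `xfpregs_get` and `xfpregs_set` are declared with `__size_overflow(4)`, while `fpregs_get` and `fpregs_set`, which take the same `pos`/`count` parameters in the same positions, get `__size_overflow(3,4)`. If the difference is intended, the `xfpregs_*` prototypes should say so, e.g. `/* size_overflow: only count (arg 4) is tracked; pos (arg 3) intentionally omitted */`; otherwise they should carry `(3,4)` too. The function bodies lie outside the hunk, so which case applies cannot be confirmed from here.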
@@ -19127,7 +19356,7 @@ index 63b0ec8..6d92227 100644
  #endif
  		pv_mmu_ops.flush_tlb_user = kvm_flush_tlb;
 diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
-index ec6ef60..ab2c824 100644
+index ec6ef60..d784780 100644
 --- a/arch/x86/kernel/ldt.c
 +++ b/arch/x86/kernel/ldt.c
 @@ -66,13 +66,13 @@ static int alloc_ldt(mm_context_t *pc, int mincount, int reload)
@@ -19180,7 +19409,15 @@ index ec6ef60..ab2c824 100644
  	return retval;
  }
  
-@@ -229,6 +247,13 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
+@@ -140,6 +158,7 @@ void destroy_context(struct mm_struct *mm)
+ 	}
+ }
+ 
++static int read_ldt(void __user *ptr, unsigned long bytecount) __size_overflow(2);
+ static int read_ldt(void __user *ptr, unsigned long bytecount)
+ {
+ 	int err;
+@@ -229,6 +248,13 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
  		}
  	}
  
@@ -19261,11 +19498,14 @@ index 378e9a8..b5a6ea9 100644
  /*
   * Synchronization.
 diff --git a/arch/x86/kernel/microcode_intel.c b/arch/x86/kernel/microcode_intel.c
-index 0d334dd..14cedaf 100644
+index 0d334dd..5a709b5 100644
 --- a/arch/x86/kernel/microcode_intel.c
 +++ b/arch/x86/kernel/microcode_intel.c
-@@ -443,13 +443,13 @@ static enum ucode_state request_microcode_fw(int cpu, struct device *device)
+@@ -441,15 +441,16 @@ static enum ucode_state request_microcode_fw(int cpu, struct device *device)
+ 	return ret;
+ }
  
++static int get_ucode_user(void *to, const void *from, size_t n) __size_overflow(3);
  static int get_ucode_user(void *to, const void *from, size_t n)
  {
 -	return copy_from_user(to, from, n);
@@ -19280,7 +19520,7 @@ index 0d334dd..14cedaf 100644
  }
  
  static void microcode_fini_cpu(int cpu)
-@@ -460,7 +460,7 @@ static void microcode_fini_cpu(int cpu)
+@@ -460,7 +461,7 @@ static void microcode_fini_cpu(int cpu)
  	uci->mc = NULL;
  }
  
@@ -19289,7 +19529,7 @@ index 0d334dd..14cedaf 100644
  	.request_microcode_user		  = request_microcode_user,
  	.request_microcode_fw             = request_microcode_fw,
  	.collect_cpu_info                 = collect_cpu_info,
-@@ -468,7 +468,7 @@ static struct microcode_ops microcode_intel_ops = {
+@@ -468,7 +469,7 @@ static struct microcode_ops microcode_intel_ops = {
  	.microcode_fini_cpu               = microcode_fini_cpu,
  };
  
@@ -19980,10 +20220,21 @@ index 39493bc..196816d 100644
  		ip = *(u64 *)(fp+8);
  		if (!in_sched_functions(ip))
 diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
-index c06acdd..3f5fff5 100644
+index c06acdd..09de221 100644
 --- a/arch/x86/kernel/ptrace.c
 +++ b/arch/x86/kernel/ptrace.c
-@@ -925,7 +925,7 @@ static const struct user_regset_view user_x86_32_view; /* Initialized below. */
+@@ -559,6 +559,10 @@ static int ioperm_active(struct task_struct *target,
+ static int ioperm_get(struct task_struct *target,
+ 		      const struct user_regset *regset,
+ 		      unsigned int pos, unsigned int count,
++		      void *kbuf, void __user *ubuf) __size_overflow(3,4);
++static int ioperm_get(struct task_struct *target,
++		      const struct user_regset *regset,
++		      unsigned int pos, unsigned int count,
+ 		      void *kbuf, void __user *ubuf)
+ {
+ 	if (!target->thread.io_bitmap_ptr)
+@@ -925,7 +929,7 @@ static const struct user_regset_view user_x86_32_view; /* Initialized below. */
  long arch_ptrace(struct task_struct *child, long request, long addr, long data)
  {
  	int ret;
@@ -19992,7 +20243,7 @@ index c06acdd..3f5fff5 100644
  
  	switch (request) {
  	/* read the word at location addr in the USER area. */
-@@ -1012,14 +1012,14 @@ long arch_ptrace(struct task_struct *child, long request, long addr, long data)
+@@ -1012,14 +1016,14 @@ long arch_ptrace(struct task_struct *child, long request, long addr, long data)
  		if (addr < 0)
  			return -EIO;
  		ret = do_get_thread_area(child, addr,
@@ -20009,7 +20260,7 @@ index c06acdd..3f5fff5 100644
  		break;
  #endif
  
-@@ -1038,12 +1038,12 @@ long arch_ptrace(struct task_struct *child, long request, long addr, long data)
+@@ -1038,12 +1042,12 @@ long arch_ptrace(struct task_struct *child, long request, long addr, long data)
  #ifdef CONFIG_X86_PTRACE_BTS
  	case PTRACE_BTS_CONFIG:
  		ret = ptrace_bts_config
@@ -20024,7 +20275,7 @@ index c06acdd..3f5fff5 100644
  		break;
  
  	case PTRACE_BTS_SIZE:
-@@ -1052,7 +1052,7 @@ long arch_ptrace(struct task_struct *child, long request, long addr, long data)
+@@ -1052,7 +1056,7 @@ long arch_ptrace(struct task_struct *child, long request, long addr, long data)
  
  	case PTRACE_BTS_GET:
  		ret = ptrace_bts_read_record
@@ -20033,7 +20284,7 @@ index c06acdd..3f5fff5 100644
  		break;
  
  	case PTRACE_BTS_CLEAR:
-@@ -1061,7 +1061,7 @@ long arch_ptrace(struct task_struct *child, long request, long addr, long data)
+@@ -1061,7 +1065,7 @@ long arch_ptrace(struct task_struct *child, long request, long addr, long data)
  
  	case PTRACE_BTS_DRAIN:
  		ret = ptrace_bts_drain
@@ -20042,7 +20293,7 @@ index c06acdd..3f5fff5 100644
  		break;
  #endif /* CONFIG_X86_PTRACE_BTS */
  
-@@ -1450,7 +1450,7 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs,
+@@ -1450,7 +1454,7 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs,
  	info.si_code = si_code;
  
  	/* User-mode ip? */
@@ -20051,7 +20302,7 @@ index c06acdd..3f5fff5 100644
  
  	/* Send us the fake SIGTRAP */
  	force_sig_info(SIGTRAP, &info, tsk);
-@@ -1469,7 +1469,7 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs,
+@@ -1469,7 +1473,7 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs,
   * We must return the syscall number to actually look up in the table.
   * This can be -1L to skip running any syscall at all.
   */
@@ -20060,7 +20311,7 @@ index c06acdd..3f5fff5 100644
  {
  	long ret = 0;
  
-@@ -1514,7 +1514,7 @@ asmregparm long syscall_trace_enter(struct pt_regs *regs)
+@@ -1514,7 +1518,7 @@ asmregparm long syscall_trace_enter(struct pt_regs *regs)
  	return ret ?: regs->orig_ax;
  }
  
@@ -20244,7 +20495,7 @@ index 5449a26..0b6c759 100644
  	bss_resource.start = virt_to_phys(&__bss_start);
  	bss_resource.end = virt_to_phys(&__bss_stop)-1;
 diff --git a/arch/x86/kernel/setup_percpu.c b/arch/x86/kernel/setup_percpu.c
-index d559af9..524c6ad 100644
+index d559af9..244f55d 100644
 --- a/arch/x86/kernel/setup_percpu.c
 +++ b/arch/x86/kernel/setup_percpu.c
 @@ -25,19 +25,17 @@
@@ -20271,7 +20522,25 @@ index d559af9..524c6ad 100644
  	[0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
  };
  EXPORT_SYMBOL(__per_cpu_offset);
-@@ -159,10 +157,10 @@ static inline void setup_percpu_segment(int cpu)
+@@ -100,6 +98,8 @@ static bool __init pcpu_need_numa(void)
+  * Pointer to the allocated area on success, NULL on failure.
+  */
+ static void * __init pcpu_alloc_bootmem(unsigned int cpu, unsigned long size,
++					unsigned long align) __size_overflow(2);
++static void * __init pcpu_alloc_bootmem(unsigned int cpu, unsigned long size,
+ 					unsigned long align)
+ {
+ 	const unsigned long goal = __pa(MAX_DMA_ADDRESS);
+@@ -128,6 +128,8 @@ static void * __init pcpu_alloc_bootmem(unsigned int cpu, unsigned long size,
+ /*
+  * Helpers for first chunk memory allocation
+  */
++static void * __init pcpu_fc_alloc(unsigned int cpu, size_t size, size_t align) __size_overflow(2);
++
+ static void * __init pcpu_fc_alloc(unsigned int cpu, size_t size, size_t align)
+ {
+ 	return pcpu_alloc_bootmem(cpu, size, align);
+@@ -159,10 +161,10 @@ static inline void setup_percpu_segment(int cpu)
  {
  #ifdef CONFIG_X86_32
  	struct desc_struct gdt;
@@ -20285,7 +20554,7 @@ index d559af9..524c6ad 100644
  	write_gdt_entry(get_cpu_gdt_table(cpu),
  			GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
  #endif
-@@ -212,6 +210,11 @@ void __init setup_per_cpu_areas(void)
+@@ -212,6 +214,11 @@ void __init setup_per_cpu_areas(void)
  	/* alrighty, percpu areas up and running */
  	delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
  	for_each_possible_cpu(cpu) {
@@ -20297,7 +20566,7 @@ index d559af9..524c6ad 100644
  		per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
  		per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
  		per_cpu(cpu_number, cpu) = cpu;
-@@ -239,6 +242,12 @@ void __init setup_per_cpu_areas(void)
+@@ -239,6 +246,12 @@ void __init setup_per_cpu_areas(void)
  			early_per_cpu_map(x86_cpu_to_node_map, cpu);
  #endif
  #endif
@@ -21051,6 +21320,18 @@ index 6bb7b85..dd853e1 100644
  	set_tls_desc(p, idx, &info, 1);
  
  	return 0;
+diff --git a/arch/x86/kernel/tls.h b/arch/x86/kernel/tls.h
+index 2f083a2..7d3fecc 100644
+--- a/arch/x86/kernel/tls.h
++++ b/arch/x86/kernel/tls.h
+@@ -16,6 +16,6 @@
+ 
+ extern user_regset_active_fn regset_tls_active;
+ extern user_regset_get_fn regset_tls_get;
+-extern user_regset_set_fn regset_tls_set;
++extern user_regset_set_fn regset_tls_set __size_overflow(4);
+ 
+ #endif	/* _ARCH_X86_KERNEL_TLS_H */
 diff --git a/arch/x86/kernel/trampoline_32.S b/arch/x86/kernel/trampoline_32.S
 index 8508237..229b664 100644
 --- a/arch/x86/kernel/trampoline_32.S
@@ -21556,7 +21837,7 @@ index 45b6f8a..0000000
 -	xorl %eax, %eax
 -	ret
 diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c
-index 9c4e625..c992817 100644
+index 9c4e625..e9bb4ed 100644
 --- a/arch/x86/kernel/vm86_32.c
 +++ b/arch/x86/kernel/vm86_32.c
 @@ -41,6 +41,7 @@
@@ -21567,7 +21848,17 @@ index 9c4e625..c992817 100644
  
  #include <asm/uaccess.h>
  #include <asm/io.h>
-@@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct kernel_vm86_regs *regs)
+@@ -109,6 +110,9 @@ static int copy_vm86_regs_to_user(struct vm86_regs __user *user,
+ /* convert vm86_regs to kernel_vm86_regs */
+ static int copy_vm86_regs_from_user(struct kernel_vm86_regs *regs,
+ 				    const struct vm86_regs __user *user,
++				    unsigned extra) __size_overflow(3);
++static int copy_vm86_regs_from_user(struct kernel_vm86_regs *regs,
++				    const struct vm86_regs __user *user,
+ 				    unsigned extra)
+ {
+ 	int ret = 0;
+@@ -148,7 +152,7 @@ struct pt_regs *save_v86_state(struct kernel_vm86_regs *regs)
  		do_exit(SIGSEGV);
  	}
  
@@ -21576,7 +21867,7 @@ index 9c4e625..c992817 100644
  	current->thread.sp0 = current->thread.saved_sp0;
  	current->thread.sysenter_cs = __KERNEL_CS;
  	load_sp0(tss, &current->thread);
-@@ -208,6 +209,13 @@ int sys_vm86old(struct pt_regs *regs)
+@@ -208,6 +212,13 @@ int sys_vm86old(struct pt_regs *regs)
  	struct task_struct *tsk;
  	int tmp, ret = -EPERM;
  
@@ -21590,7 +21881,7 @@ index 9c4e625..c992817 100644
  	tsk = current;
  	if (tsk->thread.saved_sp0)
  		goto out;
-@@ -238,6 +246,14 @@ int sys_vm86(struct pt_regs *regs)
+@@ -238,6 +249,14 @@ int sys_vm86(struct pt_regs *regs)
  	int tmp, ret;
  	struct vm86plus_struct __user *v86;
  
@@ -21605,7 +21896,7 @@ index 9c4e625..c992817 100644
  	tsk = current;
  	switch (regs->bx) {
  	case VM86_REQUEST_IRQ:
-@@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm86_struct *info, struct task_struct *tsk
+@@ -324,7 +343,7 @@ static void do_sys_vm86(struct kernel_vm86_struct *info, struct task_struct *tsk
  	tsk->thread.saved_fs = info->regs32->fs;
  	tsk->thread.saved_gs = get_user_gs(info->regs32);
  
@@ -21614,7 +21905,7 @@ index 9c4e625..c992817 100644
  	tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
  	if (cpu_has_sep)
  		tsk->thread.sysenter_cs = 0;
-@@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_regs *regs, int i,
+@@ -529,7 +548,7 @@ static void do_int(struct kernel_vm86_regs *regs, int i,
  		goto cannot_handle;
  	if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
  		goto cannot_handle;
@@ -22225,10 +22516,18 @@ index 3bc2707..dd157e2 100644
  		 sptep, *sptep, write_pt);
  
 diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index 7c6e63e..c5d92c1 100644
+index 7c6e63e..1b7dac1 100644
 --- a/arch/x86/kvm/svm.c
 +++ b/arch/x86/kvm/svm.c
-@@ -2486,7 +2486,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
+@@ -2240,6 +2240,7 @@ static int rdmsr_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
+ 	return 1;
+ }
+ 
++static int svm_set_msr(struct kvm_vcpu *vcpu, unsigned ecx, u64 data) __size_overflow(3);
+ static int svm_set_msr(struct kvm_vcpu *vcpu, unsigned ecx, u64 data)
+ {
+ 	struct vcpu_svm *svm = to_svm(vcpu);
+@@ -2486,7 +2487,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
  	int cpu = raw_smp_processor_id();
  
  	struct svm_cpu_data *svm_data = per_cpu(svm_data, cpu);
@@ -22240,7 +22539,7 @@ index 7c6e63e..c5d92c1 100644
  	load_TR_desc();
  }
  
-@@ -2947,7 +2951,7 @@ static bool svm_gb_page_enable(void)
+@@ -2947,7 +2952,7 @@ static bool svm_gb_page_enable(void)
  	return true;
  }
  
@@ -22250,7 +22549,7 @@ index 7c6e63e..c5d92c1 100644
  	.disabled_by_bios = is_disabled,
  	.hardware_setup = svm_hardware_setup,
 diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index e6d925f..e7a4af8 100644
+index e6d925f..8cdd779 100644
 --- a/arch/x86/kvm/vmx.c
 +++ b/arch/x86/kvm/vmx.c
 @@ -570,7 +570,11 @@ static void reload_tss(void)
@@ -22265,7 +22564,15 @@ index e6d925f..e7a4af8 100644
  	load_TR_desc();
  }
  
-@@ -1410,8 +1414,11 @@ static __init int hardware_setup(void)
+@@ -1035,6 +1039,7 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 *pdata)
+  * Returns 0 on success, non-0 otherwise.
+  * Assumes vcpu_load() was already called.
+  */
++static int vmx_set_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data) __size_overflow(3);
+ static int vmx_set_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data)
+ {
+ 	struct vcpu_vmx *vmx = to_vmx(vcpu);
+@@ -1410,8 +1415,11 @@ static __init int hardware_setup(void)
  	if (!cpu_has_vmx_flexpriority())
  		flexpriority_enabled = 0;
  
@@ -22279,7 +22586,7 @@ index e6d925f..e7a4af8 100644
  
  	if (enable_ept && !cpu_has_vmx_ept_2m_page())
  		kvm_disable_largepages();
-@@ -2362,7 +2369,7 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
+@@ -2362,7 +2370,7 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
  	vmcs_writel(HOST_IDTR_BASE, dt.base);   /* 22.2.4 */
  
  	asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
@@ -22288,7 +22595,7 @@ index e6d925f..e7a4af8 100644
  	vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
  	vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
  	vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, 0);
-@@ -3718,6 +3725,12 @@ static void vmx_vcpu_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+@@ -3718,6 +3726,12 @@ static void vmx_vcpu_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
  		"jmp .Lkvm_vmx_return \n\t"
  		".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
  		".Lkvm_vmx_return: "
@@ -22301,7 +22608,7 @@ index e6d925f..e7a4af8 100644
  		/* Save guest registers, load host registers, keep flags */
  		"xchg %0,     (%%"R"sp) \n\t"
  		"mov %%"R"ax, %c[rax](%0) \n\t"
-@@ -3764,8 +3777,13 @@ static void vmx_vcpu_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+@@ -3764,8 +3778,13 @@ static void vmx_vcpu_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
  		[r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
  #endif
  		[cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
@@ -22316,7 +22623,7 @@ index e6d925f..e7a4af8 100644
  #ifdef CONFIG_X86_64
  		, "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"
  #endif
-@@ -3782,7 +3800,16 @@ static void vmx_vcpu_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+@@ -3782,7 +3801,16 @@ static void vmx_vcpu_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
  	if (vmx->rmode.irq.pending)
  		fixup_rmode_irq(vmx);
  
@@ -22334,7 +22641,7 @@ index e6d925f..e7a4af8 100644
  	vmx->launched = 1;
  
  	vmx_complete_interrupts(vmx);
-@@ -3957,7 +3984,7 @@ static bool vmx_gb_page_enable(void)
+@@ -3957,7 +3985,7 @@ static bool vmx_gb_page_enable(void)
  	return false;
  }
  
@@ -22344,7 +22651,7 @@ index e6d925f..e7a4af8 100644
  	.disabled_by_bios = vmx_disabled_by_bios,
  	.hardware_setup = hardware_setup,
 diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index df1cefb..5e882ad 100644
+index df1cefb..ff86cc2 100644
 --- a/arch/x86/kvm/x86.c
 +++ b/arch/x86/kvm/x86.c
 @@ -82,7 +82,7 @@ static void update_cr8_intercept(struct kvm_vcpu *vcpu);
@@ -22356,7 +22663,15 @@ index df1cefb..5e882ad 100644
  EXPORT_SYMBOL_GPL(kvm_x86_ops);
  
  int ignore_msrs = 0;
-@@ -1430,15 +1430,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu,
+@@ -547,6 +547,7 @@ static int do_set_msr(struct kvm_vcpu *vcpu, unsigned index, u64 *data)
+ 	return kvm_set_msr(vcpu, index, *data);
+ }
+ 
++static void kvm_write_wall_clock(struct kvm *kvm, gpa_t wall_clock) __size_overflow(2);
+ static void kvm_write_wall_clock(struct kvm *kvm, gpa_t wall_clock)
+ {
+ 	int version;
+@@ -1430,15 +1431,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu,
  				     struct kvm_cpuid2 *cpuid,
  				     struct kvm_cpuid_entry2 __user *entries)
  {
@@ -22380,7 +22695,7 @@ index df1cefb..5e882ad 100644
  	vcpu->arch.cpuid_nent = cpuid->nent;
  	kvm_apic_set_version(vcpu);
  	return 0;
-@@ -1451,16 +1456,20 @@ static int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
+@@ -1451,16 +1457,20 @@ static int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
  				     struct kvm_cpuid2 *cpuid,
  				     struct kvm_cpuid_entry2 __user *entries)
  {
@@ -22404,7 +22719,7 @@ index df1cefb..5e882ad 100644
  	return 0;
  
  out:
-@@ -1678,7 +1687,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu,
+@@ -1678,7 +1688,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu,
  static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
  				    struct kvm_interrupt *irq)
  {
@@ -22413,7 +22728,23 @@ index df1cefb..5e882ad 100644
  		return -EINVAL;
  	if (irqchip_in_kernel(vcpu->kvm))
  		return -ENXIO;
-@@ -3260,10 +3269,10 @@ static struct notifier_block kvmclock_cpufreq_notifier_block = {
+@@ -2764,7 +2774,14 @@ int emulator_write_emulated(unsigned long addr,
+ }
+ EXPORT_SYMBOL_GPL(emulator_write_emulated);
+ 
+-static int emulator_cmpxchg_emulated(unsigned long addr,
++static int emulator_cmpxchg_emulated(struct x86_emulate_ctxt *ctxt,
++				     unsigned long addr,
++				     const void *old,
++				     const void *new,
++				     unsigned int bytes,
++				     struct kvm_vcpu *vcpu) __size_overflow(5);
++static int emulator_cmpxchg_emulated(struct x86_emulate_ctxt *ctxt,
++				     unsigned long addr,
+ 				     const void *old,
+ 				     const void *new,
+ 				     unsigned int bytes,
+@@ -3260,10 +3277,10 @@ static struct notifier_block kvmclock_cpufreq_notifier_block = {
          .notifier_call  = kvmclock_cpufreq_notifier
  };
  
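Review bot: The inner hunk at `@@ -2764,7 +2774,14 @@` changes the signature of `emulator_cmpxchg_emulated`, not just its annotations. It replaces the first line of the definition with one that adds a leading `struct x86_emulate_ctxt *ctxt` parameter, which no other `__size_overflow` addition in this update does. Nothing visible here adjusts the callers or any ops table that stores this function pointer, so unless another part of the patch does, the 2.6.32 file would either fail to build or end up with a mismatched function-pointer type. If the extra parameter was carried over by mistake, the definition line should stay `static int emulator_cmpxchg_emulated(unsigned long addr,`, and the prototype should drop `ctxt` and use `__size_overflow(4)` so the index still names `bytes`. The tail of the definition is outside the hunk.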
@@ -23281,6 +23612,22 @@ index 459b58a..9570bc7 100644
  					 len, isum, NULL, errp);
  }
  EXPORT_SYMBOL(csum_partial_copy_to_user);
+diff --git a/arch/x86/lib/delay.c b/arch/x86/lib/delay.c
+index ff485d3..b6372ce 100644
+--- a/arch/x86/lib/delay.c
++++ b/arch/x86/lib/delay.c
+@@ -48,9 +48,9 @@ static void delay_loop(unsigned long loops)
+ }
+ 
+ /* TSC based delay: */
+-static void delay_tsc(unsigned long loops)
++static void delay_tsc(unsigned long __loops)
+ {
+-	unsigned long bclock, now;
++	u32 bclock, now, loops = __loops;
+ 	int cpu;
+ 
+ 	preempt_disable();
 diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S
 index 51f1504..ddac4c1 100644
 --- a/arch/x86/lib/getuser.S
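Review bot: `delay_tsc` now narrows its argument with `u32 bclock, now, loops = __loops;`, and nothing in the hunk explains the narrowing or bounds the input. On 64-bit, a caller passing a loop count above 0xffffffff would silently get a much shorter delay than requested. The precondition should be written down, or the value clamped before the assignment. A comment above the declaration would do, e.g. `/* counters are compared in 32 bits so wrap-around works; __loops must fit in u32 — confirm against the TSC read below */`. The timestamp reads and the comparison loop are in the part of the body outside this hunk, so the reason for the 32-bit arithmetic is inferred rather than shown.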
@@ -24176,7 +24523,7 @@ index bf9a7d5..fb06ab5 100644
  	ret
  	CFI_ENDPROC
 diff --git a/arch/x86/lib/usercopy_32.c b/arch/x86/lib/usercopy_32.c
-index 1f118d4..ec4a953 100644
+index 1f118d4..8e0ead9 100644
 --- a/arch/x86/lib/usercopy_32.c
 +++ b/arch/x86/lib/usercopy_32.c
 @@ -43,7 +43,7 @@ do {									   \
@@ -24188,6 +24535,24 @@ index 1f118d4..ec4a953 100644
  		"	stosb\n"					   \
  		"	testb %%al,%%al\n"				   \
  		"	jz 1f\n"					   \
+@@ -83,7 +83,7 @@ do {									   \
+  * and returns @count.
+  */
+ long
+-__strncpy_from_user(char *dst, const char __user *src, long count)
++__strncpy_from_user(char *dst, const char __user *src, unsigned long count)
+ {
+ 	long res;
+ 	__do_strncpy_from_user(dst, src, count, res);
+@@ -110,7 +110,7 @@ EXPORT_SYMBOL(__strncpy_from_user);
+  * and returns @count.
+  */
+ long
+-strncpy_from_user(char *dst, const char __user *src, long count)
++strncpy_from_user(char *dst, const char __user *src, unsigned long count)
+ {
+ 	long res = -EFAULT;
+ 	if (access_ok(VERIFY_READ, src, 1))
 @@ -128,10 +128,12 @@ do {									\
  	int __d0;							\
  	might_fault();							\
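Review bot: `__strncpy_from_user` and `strncpy_from_user` now take `unsigned long count` but still return `long` through `long res`, and the kernel-doc kept above them says they return @count when the limit is reached. A count above LONG_MAX would therefore come back as a negative value that callers cannot tell apart from an error code. A caller that previously passed a negative count is now treated as asking for a very large copy. Either reject oversized values up front, e.g. `if (count > LONG_MAX) return -EFAULT;`, or add `@count must not exceed LONG_MAX` to the kernel-doc. The same mismatch applies to `strnlen_user` in the next hunk; the macro bodies that consume count are outside these hunks.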
@@ -24201,6 +24566,15 @@ index 1f118d4..ec4a953 100644
  		".section .fixup,\"ax\"\n"				\
  		"3:	lea 0(%2,%0,4),%0\n"				\
  		"	jmp 2b\n"					\
+@@ -192,7 +194,7 @@ EXPORT_SYMBOL(__clear_user);
+  * On exception, returns 0.
+  * If the string is too long, returns a value greater than @n.
+  */
+-long strnlen_user(const char __user *s, long n)
++long strnlen_user(const char __user *s, unsigned long n)
+ {
+ 	unsigned long mask = -__addr_ok(s);
+ 	unsigned long res, tmp;
 @@ -200,6 +202,7 @@ long strnlen_user(const char __user *s, long n)
  	might_fault();
  
@@ -24279,7 +24653,7 @@ index 1f118d4..ec4a953 100644
  		       "       addl $-64, %0\n"
  		       "       addl $64, %4\n"
  		       "       addl $64, %3\n"
-@@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const void *from, unsigned long size)
+@@ -278,10 +282,12 @@ __copy_user_intel(void __user *to, const void *from, unsigned long size)
  		       "       shrl  $2, %0\n"
  		       "       andl  $3, %%eax\n"
  		       "       cld\n"
@@ -24289,58 +24663,13 @@ index 1f118d4..ec4a953 100644
  		       "37:    rep; movsb\n"
  		       "100:\n"
 +		       __COPYUSER_RESTORE_ES
-+		       ".section .fixup,\"ax\"\n"
-+		       "101:   lea 0(%%eax,%0,4),%0\n"
-+		       "       jmp 100b\n"
-+		       ".previous\n"
-+		       ".section __ex_table,\"a\"\n"
-+		       "       .align 4\n"
-+		       "       .long 1b,100b\n"
-+		       "       .long 2b,100b\n"
-+		       "       .long 3b,100b\n"
-+		       "       .long 4b,100b\n"
-+		       "       .long 5b,100b\n"
-+		       "       .long 6b,100b\n"
-+		       "       .long 7b,100b\n"
-+		       "       .long 8b,100b\n"
-+		       "       .long 9b,100b\n"
-+		       "       .long 10b,100b\n"
-+		       "       .long 11b,100b\n"
-+		       "       .long 12b,100b\n"
-+		       "       .long 13b,100b\n"
-+		       "       .long 14b,100b\n"
-+		       "       .long 15b,100b\n"
-+		       "       .long 16b,100b\n"
-+		       "       .long 17b,100b\n"
-+		       "       .long 18b,100b\n"
-+		       "       .long 19b,100b\n"
-+		       "       .long 20b,100b\n"
-+		       "       .long 21b,100b\n"
-+		       "       .long 22b,100b\n"
-+		       "       .long 23b,100b\n"
-+		       "       .long 24b,100b\n"
-+		       "       .long 25b,100b\n"
-+		       "       .long 26b,100b\n"
-+		       "       .long 27b,100b\n"
-+		       "       .long 28b,100b\n"
-+		       "       .long 29b,100b\n"
-+		       "       .long 30b,100b\n"
-+		       "       .long 31b,100b\n"
-+		       "       .long 32b,100b\n"
-+		       "       .long 33b,100b\n"
-+		       "       .long 34b,100b\n"
-+		       "       .long 35b,100b\n"
-+		       "       .long 36b,100b\n"
-+		       "       .long 37b,100b\n"
-+		       "       .long 99b,101b\n"
-+		       ".previous"
-+		       : "=&c"(size), "=&D" (d0), "=&S" (d1)
-+		       :  "1"(to), "2"(from), "0"(size)
-+		       : "eax", "edx", "memory");
-+	return size;
-+}
-+
-+static unsigned long
+ 		       ".section .fixup,\"ax\"\n"
+ 		       "101:   lea 0(%%eax,%0,4),%0\n"
+ 		       "       jmp 100b\n"
+@@ -334,46 +340,155 @@ __copy_user_intel(void __user *to, const void *from, unsigned long size)
+ }
+ 
+ static unsigned long
 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
 +{
 +	int d0, d1;
@@ -24396,10 +24725,62 @@ index 1f118d4..ec4a953 100644
 +		       "36:    movl %%eax, %0\n"
 +		       "37:    rep; "__copyuser_seg" movsb\n"
 +		       "100:\n"
- 		       ".section .fixup,\"ax\"\n"
- 		       "101:   lea 0(%%eax,%0,4),%0\n"
- 		       "       jmp 100b\n"
-@@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
++		       ".section .fixup,\"ax\"\n"
++		       "101:   lea 0(%%eax,%0,4),%0\n"
++		       "       jmp 100b\n"
++		       ".previous\n"
++		       ".section __ex_table,\"a\"\n"
++		       "       .align 4\n"
++		       "       .long 1b,100b\n"
++		       "       .long 2b,100b\n"
++		       "       .long 3b,100b\n"
++		       "       .long 4b,100b\n"
++		       "       .long 5b,100b\n"
++		       "       .long 6b,100b\n"
++		       "       .long 7b,100b\n"
++		       "       .long 8b,100b\n"
++		       "       .long 9b,100b\n"
++		       "       .long 10b,100b\n"
++		       "       .long 11b,100b\n"
++		       "       .long 12b,100b\n"
++		       "       .long 13b,100b\n"
++		       "       .long 14b,100b\n"
++		       "       .long 15b,100b\n"
++		       "       .long 16b,100b\n"
++		       "       .long 17b,100b\n"
++		       "       .long 18b,100b\n"
++		       "       .long 19b,100b\n"
++		       "       .long 20b,100b\n"
++		       "       .long 21b,100b\n"
++		       "       .long 22b,100b\n"
++		       "       .long 23b,100b\n"
++		       "       .long 24b,100b\n"
++		       "       .long 25b,100b\n"
++		       "       .long 26b,100b\n"
++		       "       .long 27b,100b\n"
++		       "       .long 28b,100b\n"
++		       "       .long 29b,100b\n"
++		       "       .long 30b,100b\n"
++		       "       .long 31b,100b\n"
++		       "       .long 32b,100b\n"
++		       "       .long 33b,100b\n"
++		       "       .long 34b,100b\n"
++		       "       .long 35b,100b\n"
++		       "       .long 36b,100b\n"
++		       "       .long 37b,100b\n"
++		       "       .long 99b,101b\n"
++		       ".previous"
++		       : "=&c"(size), "=&D" (d0), "=&S" (d1)
++		       :  "1"(to), "2"(from), "0"(size)
++		       : "eax", "edx", "memory");
++	return size;
++}
++
++static unsigned long
++__copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size) __size_overflow(3);
++static unsigned long
+ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
+ {
  	int d0, d1;
  	__asm__ __volatile__(
  		       "        .align 2,0x90\n"
@@ -24459,7 +24840,7 @@ index 1f118d4..ec4a953 100644
  		       "        movl %%eax, 56(%3)\n"
  		       "        movl %%edx, 60(%3)\n"
  		       "        addl $-64, %0\n"
-@@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
+@@ -385,9 +500,9 @@ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
  		       "        shrl  $2, %0\n"
  		       "        andl $3, %%eax\n"
  		       "        cld\n"
@@ -24471,7 +24852,15 @@ index 1f118d4..ec4a953 100644
  		       "8:\n"
  		       ".section .fixup,\"ax\"\n"
  		       "9:      lea 0(%%eax,%0,4),%0\n"
-@@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing_intel_nocache(void *to,
+@@ -434,47 +549,49 @@ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
+  */
+ 
+ static unsigned long __copy_user_zeroing_intel_nocache(void *to,
++				const void __user *from, unsigned long size) __size_overflow(3);
++static unsigned long __copy_user_zeroing_intel_nocache(void *to,
+ 				const void __user *from, unsigned long size)
+ {
+ 	int d0, d1;
  
  	__asm__ __volatile__(
  	       "        .align 2,0x90\n"
@@ -24531,7 +24920,7 @@ index 1f118d4..ec4a953 100644
  	       "        movnti %%eax, 56(%3)\n"
  	       "        movnti %%edx, 60(%3)\n"
  	       "        addl $-64, %0\n"
-@@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing_intel_nocache(void *to,
+@@ -487,9 +604,9 @@ static unsigned long __copy_user_zeroing_intel_nocache(void *to,
  	       "        shrl  $2, %0\n"
  	       "        andl $3, %%eax\n"
  	       "        cld\n"
@@ -24543,7 +24932,15 @@ index 1f118d4..ec4a953 100644
  	       "8:\n"
  	       ".section .fixup,\"ax\"\n"
  	       "9:      lea 0(%%eax,%0,4),%0\n"
-@@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_nocache(void *to,
+@@ -531,47 +648,49 @@ static unsigned long __copy_user_zeroing_intel_nocache(void *to,
+ }
+ 
+ static unsigned long __copy_user_intel_nocache(void *to,
++				const void __user *from, unsigned long size) __size_overflow(3);
++static unsigned long __copy_user_intel_nocache(void *to,
+ 				const void __user *from, unsigned long size)
+ {
+ 	int d0, d1;
  
  	__asm__ __volatile__(
  	       "        .align 2,0x90\n"
@@ -24603,7 +25000,7 @@ index 1f118d4..ec4a953 100644
  	       "        movnti %%eax, 56(%3)\n"
  	       "        movnti %%edx, 60(%3)\n"
  	       "        addl $-64, %0\n"
-@@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_nocache(void *to,
+@@ -584,9 +703,9 @@ static unsigned long __copy_user_intel_nocache(void *to,
  	       "        shrl  $2, %0\n"
  	       "        andl $3, %%eax\n"
  	       "        cld\n"
@@ -24615,7 +25012,7 @@ index 1f118d4..ec4a953 100644
  	       "8:\n"
  	       ".section .fixup,\"ax\"\n"
  	       "9:      lea 0(%%eax,%0,4),%0\n"
-@@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_nocache(void *to,
+@@ -629,32 +748,36 @@ static unsigned long __copy_user_intel_nocache(void *to,
   */
  unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
  					unsigned long size);
@@ -24657,7 +25054,7 @@ index 1f118d4..ec4a953 100644
  		".section .fixup,\"ax\"\n"				\
  		"5:	addl %3,%0\n"					\
  		"	jmp 2b\n"					\
-@@ -682,14 +799,14 @@ do {									\
+@@ -682,14 +805,14 @@ do {									\
  		"	negl %0\n"					\
  		"	andl $7,%0\n"					\
  		"	subl %0,%3\n"					\
@@ -24675,7 +25072,7 @@ index 1f118d4..ec4a953 100644
  		"2:\n"							\
  		".section .fixup,\"ax\"\n"				\
  		"5:	addl %3,%0\n"					\
-@@ -775,9 +892,9 @@ survive:
+@@ -775,9 +898,9 @@ survive:
  	}
  #endif
  	if (movsl_is_ok(to, from, n))
@@ -24687,7 +25084,7 @@ index 1f118d4..ec4a953 100644
  	return n;
  }
  EXPORT_SYMBOL(__copy_to_user_ll);
-@@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero(void *to, const void __user *from,
+@@ -797,10 +920,9 @@ unsigned long __copy_from_user_ll_nozero(void *to, const void __user *from,
  					 unsigned long n)
  {
  	if (movsl_is_ok(to, from, n))
@@ -24700,7 +25097,7 @@ index 1f118d4..ec4a953 100644
  	return n;
  }
  EXPORT_SYMBOL(__copy_from_user_ll_nozero);
-@@ -827,59 +943,38 @@ unsigned long __copy_from_user_ll_nocache_nozero(void *to, const void __user *fr
+@@ -827,59 +949,38 @@ unsigned long __copy_from_user_ll_nocache_nozero(void *to, const void __user *fr
  	if (n > 64 && cpu_has_xmm2)
  		n = __copy_user_intel_nocache(to, from, n);
  	else
@@ -24785,11 +25182,15 @@ index 1f118d4..ec4a953 100644
 +EXPORT_SYMBOL(set_fs);
 +#endif
 diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c
-index b7c2849..8633ad8 100644
+index b7c2849..bab76d3 100644
 --- a/arch/x86/lib/usercopy_64.c
 +++ b/arch/x86/lib/usercopy_64.c
-@@ -42,6 +42,12 @@ long
- __strncpy_from_user(char *dst, const char __user *src, long count)
+@@ -39,16 +39,22 @@ do {									   \
+ } while (0)
+ 
+ long
+-__strncpy_from_user(char *dst, const char __user *src, long count)
++__strncpy_from_user(char *dst, const char __user *src, unsigned long count)
  {
  	long res;
 +
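Review bot: `count` becomes `unsigned long` in `__strncpy_from_user` while `res` and the return type stay `long`, so a count above LONG_MAX could come back as a value that callers read as a negative error. How `res` is computed is inside `__do_strncpy_from_user`, which this hunk does not show, so treat this as a contract to confirm rather than a proven defect. A comment above the definition would record it: `/* count is unsigned; callers must keep it <= LONG_MAX so the long result cannot alias -EFAULT */`. The same unsigned-length / signed-return pairing is introduced for `strncpy_from_user`, `__strnlen_user` and `strnlen_user` in the following usercopy_64.c hunks.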
@@ -24801,6 +25202,14 @@ index b7c2849..8633ad8 100644
  	__do_strncpy_from_user(dst, src, count, res);
  	return res;
  }
+ EXPORT_SYMBOL(__strncpy_from_user);
+ 
+ long
+-strncpy_from_user(char *dst, const char __user *src, long count)
++strncpy_from_user(char *dst, const char __user *src, unsigned long count)
+ {
+ 	long res = -EFAULT;
+ 	if (access_ok(VERIFY_READ, src, 1))
 @@ -65,6 +71,12 @@ unsigned long __clear_user(void __user *addr, unsigned long size)
  {
  	long __d0;
@@ -24814,6 +25223,24 @@ index b7c2849..8633ad8 100644
  	/* no memory constraint because it doesn't change any memory gcc knows
  	   about */
  	asm volatile(
+@@ -107,7 +119,7 @@ EXPORT_SYMBOL(clear_user);
+  * Return 0 on exception, a value greater than N if too long
+  */
+ 
+-long __strnlen_user(const char __user *s, long n)
++long __strnlen_user(const char __user *s, unsigned long n)
+ {
+ 	long res = 0;
+ 	char c;
+@@ -125,7 +137,7 @@ long __strnlen_user(const char __user *s, long n)
+ }
+ EXPORT_SYMBOL(__strnlen_user);
+ 
+-long strnlen_user(const char __user *s, long n)
++long strnlen_user(const char __user *s, unsigned long n)
+ {
+ 	if (!access_ok(VERIFY_READ, s, 1))
+ 		return 0;
 @@ -149,12 +161,20 @@ long strlen_user(const char __user *s)
  }
  EXPORT_SYMBOL(strlen_user);
@@ -28438,7 +28865,7 @@ index bb9c5ea..5330d48 100644
  	.store	= queue_attr_store,
  };
 diff --git a/block/bsg.c b/block/bsg.c
-index 7154a7a..08ac2f0 100644
+index e3e3241..759ebf7 100644
 --- a/block/bsg.c
 +++ b/block/bsg.c
 @@ -175,16 +175,24 @@ static int blk_fill_sgv4_hdr_rq(struct request_queue *q, struct request *rq,
@@ -28580,6 +29007,91 @@ index 2be0a97..bded3fd 100644
  	if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
  		goto error;
  
+diff --git a/crypto/ablkcipher.c b/crypto/ablkcipher.c
+index f6f0833..514d986 100644
+--- a/crypto/ablkcipher.c
++++ b/crypto/ablkcipher.c
+@@ -29,6 +29,8 @@
+ static const char *skcipher_default_geniv __read_mostly;
+ 
+ static int setkey_unaligned(struct crypto_ablkcipher *tfm, const u8 *key,
++			    unsigned int keylen) __size_overflow(3);
++static int setkey_unaligned(struct crypto_ablkcipher *tfm, const u8 *key,
+ 			    unsigned int keylen)
+ {
+ 	struct ablkcipher_alg *cipher = crypto_ablkcipher_alg(tfm);
+@@ -51,6 +53,8 @@ static int setkey_unaligned(struct crypto_ablkcipher *tfm, const u8 *key,
+ }
+ 
+ static int setkey(struct crypto_ablkcipher *tfm, const u8 *key,
++		  unsigned int keylen) __size_overflow(3);
++static int setkey(struct crypto_ablkcipher *tfm, const u8 *key,
+ 		  unsigned int keylen)
+ {
+ 	struct ablkcipher_alg *cipher = crypto_ablkcipher_alg(tfm);
+diff --git a/crypto/aead.c b/crypto/aead.c
+index 0a55da7..9256a04 100644
+--- a/crypto/aead.c
++++ b/crypto/aead.c
+@@ -25,6 +25,8 @@
+ #include "internal.h"
+ 
+ static int setkey_unaligned(struct crypto_aead *tfm, const u8 *key,
++			    unsigned int keylen) __size_overflow(3);
++static int setkey_unaligned(struct crypto_aead *tfm, const u8 *key,
+ 			    unsigned int keylen)
+ {
+ 	struct aead_alg *aead = crypto_aead_alg(tfm);
+@@ -46,6 +48,7 @@ static int setkey_unaligned(struct crypto_aead *tfm, const u8 *key,
+ 	return ret;
+ }
+ 
++static int setkey(struct crypto_aead *tfm, const u8 *key, unsigned int keylen) __size_overflow(3);
+ static int setkey(struct crypto_aead *tfm, const u8 *key, unsigned int keylen)
+ {
+ 	struct aead_alg *aead = crypto_aead_alg(tfm);
+diff --git a/crypto/blkcipher.c b/crypto/blkcipher.c
+index 90d26c9..3db7c03 100644
+--- a/crypto/blkcipher.c
++++ b/crypto/blkcipher.c
+@@ -357,6 +357,8 @@ int blkcipher_walk_virt_block(struct blkcipher_desc *desc,
+ EXPORT_SYMBOL_GPL(blkcipher_walk_virt_block);
+ 
+ static int setkey_unaligned(struct crypto_tfm *tfm, const u8 *key,
++			    unsigned int keylen) __size_overflow(3);
++static int setkey_unaligned(struct crypto_tfm *tfm, const u8 *key,
+ 			    unsigned int keylen)
+ {
+ 	struct blkcipher_alg *cipher = &tfm->__crt_alg->cra_blkcipher;
+@@ -378,6 +380,7 @@ static int setkey_unaligned(struct crypto_tfm *tfm, const u8 *key,
+ 	return ret;
+ }
+ 
++static int setkey(struct crypto_tfm *tfm, const u8 *key, unsigned int keylen) __size_overflow(3);
+ static int setkey(struct crypto_tfm *tfm, const u8 *key, unsigned int keylen)
+ {
+ 	struct blkcipher_alg *cipher = &tfm->__crt_alg->cra_blkcipher;
+diff --git a/crypto/cipher.c b/crypto/cipher.c
+index 9a1a731..41454c2 100644
+--- a/crypto/cipher.c
++++ b/crypto/cipher.c
+@@ -21,6 +21,8 @@
+ #include "internal.h"
+ 
+ static int setkey_unaligned(struct crypto_tfm *tfm, const u8 *key,
++			    unsigned int keylen) __size_overflow(3);
++static int setkey_unaligned(struct crypto_tfm *tfm, const u8 *key,
+ 			    unsigned int keylen)
+ {
+ 	struct cipher_alg *cia = &tfm->__crt_alg->cra_cipher;
+@@ -43,6 +45,7 @@ static int setkey_unaligned(struct crypto_tfm *tfm, const u8 *key,
+ 
+ }
+ 
++static int setkey(struct crypto_tfm *tfm, const u8 *key, unsigned int keylen) __size_overflow(3);
+ static int setkey(struct crypto_tfm *tfm, const u8 *key, unsigned int keylen)
+ {
+ 	struct cipher_alg *cia = &tfm->__crt_alg->cra_cipher;
 diff --git a/crypto/cryptd.c b/crypto/cryptd.c
 index 3533582..f143117 100644
 --- a/crypto/cryptd.c
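Review bot: Each `__size_overflow(3)` annotation in this hunk is attached by repeating the complete prototype as a forward declaration directly above the definition (`setkey_unaligned` and `setkey` in crypto/ablkcipher.c, aead.c, blkcipher.c and cipher.c), so every signature now exists twice and must be edited in two places. Assuming `__size_overflow` expands to a GCC function attribute, it can instead sit in the declaration specifiers of the definition, e.g. `static int __size_overflow(3) setkey(struct crypto_tfm *tfm, const u8 *key, unsigned int keylen)`. If the forward-declaration form is kept, a one-line comment such as `/* arg 3 (keylen) is covered by the size-overflow instrumentation */` would say what the index refers to. The same duplication appears in the other hunks of this update (usercopy_32.c, the ACPI battery files, oprofile, videobuf, the ath5k/ath9k debug files); the function bodies continue outside the hunk.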
@@ -28650,10 +29162,20 @@ index 0d2cdb8..d8de48d 100644
  #define ACPI_PROCESSOR_AGGREGATOR_NOTIFY 0x80
  static DEFINE_MUTEX(isolated_cpus_lock);
 diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c
-index 3f4602b..2e41d36 100644
+index 3f4602b..1978af1 100644
 --- a/drivers/acpi/battery.c
 +++ b/drivers/acpi/battery.c
-@@ -763,7 +763,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
+@@ -678,6 +678,9 @@ static int acpi_battery_print_alarm(struct seq_file *seq, int result)
+ 
+ static ssize_t acpi_battery_write_alarm(struct file *file,
+ 					const char __user * buffer,
++					size_t count, loff_t * ppos) __size_overflow(3);
++static ssize_t acpi_battery_write_alarm(struct file *file,
++					const char __user * buffer,
+ 					size_t count, loff_t * ppos)
+ {
+ 	int result = 0;
+@@ -763,7 +766,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
  	}
  
  static struct battery_file {
@@ -28771,6 +29293,20 @@ index 7102474..de8ad22 100644
  
  	/*
  	 * Buggy BIOS check
+diff --git a/drivers/acpi/sbs.c b/drivers/acpi/sbs.c
+index 52b9db8..a519aab 100644
+--- a/drivers/acpi/sbs.c
++++ b/drivers/acpi/sbs.c
+@@ -647,6 +647,9 @@ static int acpi_battery_read_alarm(struct seq_file *seq, void *offset)
+ 
+ static ssize_t
+ acpi_battery_write_alarm(struct file *file, const char __user * buffer,
++			 size_t count, loff_t * ppos) __size_overflow(3);
++static ssize_t
++acpi_battery_write_alarm(struct file *file, const char __user * buffer,
+ 			 size_t count, loff_t * ppos)
+ {
+ 	struct seq_file *seq = file->private_data;
 diff --git a/drivers/acpi/sbshc.c b/drivers/acpi/sbshc.c
 index d933980..5761f13 100644
 --- a/drivers/acpi/sbshc.c
@@ -30021,7 +30557,7 @@ index 4257d6b..4c1d9d5 100644
  
  	.set_piomode		= scc_set_piomode,
 diff --git a/drivers/ata/pata_sch.c b/drivers/ata/pata_sch.c
-index 99cceb4..e2e0a87 100644
+index 99cceb45..e2e0a87 100644
 --- a/drivers/ata/pata_sch.c
 +++ b/drivers/ata/pata_sch.c
 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht = {
@@ -36190,7 +36726,7 @@ index 5440da0..1194ecb 100644
  EXPORT_SYMBOL(ib_copy_qp_attr_to_user);
  
 diff --git a/drivers/infiniband/hw/ipath/ipath_fs.c b/drivers/infiniband/hw/ipath/ipath_fs.c
-index 100da85..62e6b88 100644
+index 100da85..e0d6609 100644
 --- a/drivers/infiniband/hw/ipath/ipath_fs.c
 +++ b/drivers/infiniband/hw/ipath/ipath_fs.c
 @@ -110,6 +110,8 @@ static ssize_t atomic_counters_read(struct file *file, char __user *buf,
@@ -36202,6 +36738,15 @@ index 100da85..62e6b88 100644
  	dd = file->f_path.dentry->d_inode->i_private;
  	dd->ipath_f_read_counters(dd, &counters);
  
+@@ -122,6 +124,8 @@ static const struct file_operations atomic_counters_ops = {
+ };
+ 
+ static ssize_t flash_read(struct file *file, char __user *buf,
++			  size_t count, loff_t *ppos) __size_overflow(3);
++static ssize_t flash_read(struct file *file, char __user *buf,
+ 			  size_t count, loff_t *ppos)
+ {
+ 	struct ipath_devdata *dd;
 diff --git a/drivers/infiniband/hw/nes/nes.c b/drivers/infiniband/hw/nes/nes.c
 index cbde0cf..afaf55c 100644
 --- a/drivers/infiniband/hw/nes/nes.c
@@ -37061,6 +37606,18 @@ index 8744d24..d1f9a9a 100644
  	       end_switcher_text - start_switcher_text);
  
  	printk(KERN_INFO "lguest: mapped switcher at %p\n",
+diff --git a/drivers/lguest/lguest_user.c b/drivers/lguest/lguest_user.c
+index bd16323..ab460f7 100644
+--- a/drivers/lguest/lguest_user.c
++++ b/drivers/lguest/lguest_user.c
+@@ -194,6 +194,7 @@ static int user_send_irq(struct lg_cpu *cpu, const unsigned long __user *input)
+  * Once our Guest is initialized, the Launcher makes it run by reading
+  * from /dev/lguest.
+  */
++static ssize_t read(struct file *file, char __user *user, size_t size,loff_t*o) __size_overflow(3);
+ static ssize_t read(struct file *file, char __user *user, size_t size,loff_t*o)
+ {
+ 	struct lguest *lg = file->private_data;
 diff --git a/drivers/lguest/x86/core.c b/drivers/lguest/x86/core.c
 index 6ae3888..8b38145 100644
 --- a/drivers/lguest/x86/core.c
@@ -38143,10 +38700,20 @@ index 0d06e7c..3d17d24 100644
  
  	if (basename[len - 1] >= '0' && basename[len - 1] <= '9')
 diff --git a/drivers/media/video/videobuf-dma-sg.c b/drivers/media/video/videobuf-dma-sg.c
-index 032ebae..6a3532c 100644
+index 032ebae..4ebd8e8 100644
 --- a/drivers/media/video/videobuf-dma-sg.c
 +++ b/drivers/media/video/videobuf-dma-sg.c
-@@ -693,6 +693,8 @@ void *videobuf_sg_alloc(size_t size)
+@@ -631,6 +631,9 @@ static int __videobuf_mmap_mapper(struct videobuf_queue *q,
+ 
+ static int __videobuf_copy_to_user ( struct videobuf_queue *q,
+ 				char __user *data, size_t count,
++				int nonblocking ) __size_overflow(3);
++static int __videobuf_copy_to_user ( struct videobuf_queue *q,
++				char __user *data, size_t count,
+ 				int nonblocking )
+ {
+ 	struct videobuf_dma_sg_memory *mem = q->read_buf->priv;
+@@ -693,6 +696,8 @@ void *videobuf_sg_alloc(size_t size)
  {
  	struct videobuf_queue q;
  
@@ -38155,6 +38722,20 @@ index 032ebae..6a3532c 100644
  	/* Required to make generic handler to call __videobuf_alloc */
  	q.int_ops = &sg_ops;
  
+diff --git a/drivers/media/video/videobuf-vmalloc.c b/drivers/media/video/videobuf-vmalloc.c
+index 35f3900..aa7c2f1 100644
+--- a/drivers/media/video/videobuf-vmalloc.c
++++ b/drivers/media/video/videobuf-vmalloc.c
+@@ -330,6 +330,9 @@ error:
+ 
+ static int __videobuf_copy_to_user ( struct videobuf_queue *q,
+ 				char __user *data, size_t count,
++				int nonblocking ) __size_overflow(3);
++static int __videobuf_copy_to_user ( struct videobuf_queue *q,
++				char __user *data, size_t count,
+ 				int nonblocking )
+ {
+ 	struct videobuf_vmalloc_memory *mem=q->read_buf->priv;
 diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c
 index b6992b7..9fa7547 100644
 --- a/drivers/message/fusion/mptbase.c
@@ -38974,7 +39555,7 @@ index 8b22b18..6fada85 100644
  	   We'll sort it out later if we find a MediaHeader which says otherwise */
  	/* Actually, we won't.  The new DiskOnChip driver has already scanned
 diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
-index 14cec04..d775b87 100644
+index 14cec04..09d8519 100644
 --- a/drivers/mtd/ubi/build.c
 +++ b/drivers/mtd/ubi/build.c
 @@ -1255,7 +1255,7 @@ module_exit(ubi_exit);
@@ -39006,7 +39587,7 @@ index 14cec04..d775b87 100644
  	}
  
 -	return result;
-+	if ((intoverflow_t)result*scale >= INT_MAX) {
++	if (result*scale >= INT_MAX) {
 +		printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
 +		       str);
 +		return -EINVAL;
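Review bot: With the `(intoverflow_t)` cast dropped, `result*scale >= INT_MAX` multiplies in the operands' own type, so the product can wrap before it is compared and a wrapped value below INT_MAX would pass the check. The declarations of `result` and `scale` are outside this hunk, so the exact width is not visible, but on a 32-bit build no visible operand is wider than 32 bits. A division-based test does not depend on the product fitting: `if (result > (INT_MAX - 1) / scale) {`, which assumes `scale` is at least 1 as set by the code above the hunk. If the intent is to let the new size-overflow instrumentation catch the wrap instead, a comment saying so would stop the check from reading as self-sufficient.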
@@ -53261,7 +53842,7 @@ index 6c26840..62c97c3 100644
  	clear_bit(JOB_WSTATS, &local->jobs);
  	if (local->power.event) {
 diff --git a/drivers/net/wireless/ath/ath5k/debug.c b/drivers/net/wireless/ath/ath5k/debug.c
-index 747508c..82e965d 100644
+index 747508c..c36cb08 100644
 --- a/drivers/net/wireless/ath/ath5k/debug.c
 +++ b/drivers/net/wireless/ath/ath5k/debug.c
 @@ -205,6 +205,8 @@ static ssize_t read_file_beacon(struct file *file, char __user *user_buf,
@@ -53282,11 +53863,30 @@ index 747508c..82e965d 100644
  	len += snprintf(buf+len, sizeof(buf)-len,
  		"DEBUG LEVEL: 0x%08x\n\n", sc->debug.level);
  
+@@ -337,6 +341,9 @@ static ssize_t read_file_debug(struct file *file, char __user *user_buf,
+ 
+ static ssize_t write_file_debug(struct file *file,
+ 				 const char __user *userbuf,
++				 size_t count, loff_t *ppos) __size_overflow(3);
++static ssize_t write_file_debug(struct file *file,
++				 const char __user *userbuf,
+ 				 size_t count, loff_t *ppos)
+ {
+ 	struct ath5k_softc *sc = file->private_data;
 diff --git a/drivers/net/wireless/ath/ath9k/debug.c b/drivers/net/wireless/ath/ath9k/debug.c
-index 2be4c22..593b1eb 100644
+index 2be4c22..a8ad784 100644
 --- a/drivers/net/wireless/ath/ath9k/debug.c
 +++ b/drivers/net/wireless/ath/ath9k/debug.c
-@@ -220,6 +220,8 @@ static ssize_t read_file_interrupt(struct file *file, char __user *user_buf,
+@@ -56,6 +56,8 @@ static ssize_t read_file_debug(struct file *file, char __user *user_buf,
+ }
+ 
+ static ssize_t write_file_debug(struct file *file, const char __user *user_buf,
++			     size_t count, loff_t *ppos) __size_overflow(3);
++static ssize_t write_file_debug(struct file *file, const char __user *user_buf,
+ 			     size_t count, loff_t *ppos)
+ {
+ 	struct ath_softc *sc = file->private_data;
+@@ -220,6 +222,8 @@ static ssize_t read_file_interrupt(struct file *file, char __user *user_buf,
  	char buf[512];
  	unsigned int len = 0;
  
@@ -53295,7 +53895,7 @@ index 2be4c22..593b1eb 100644
  	len += snprintf(buf + len, sizeof(buf) - len,
  		"%8s: %10u\n", "RX", sc->debug.stats.istats.rxok);
  	len += snprintf(buf + len, sizeof(buf) - len,
-@@ -360,6 +362,8 @@ static ssize_t read_file_wiphy(struct file *file, char __user *user_buf,
+@@ -360,6 +364,8 @@ static ssize_t read_file_wiphy(struct file *file, char __user *user_buf,
  	int i;
  	u8 addr[ETH_ALEN];
  
@@ -53644,6 +54244,42 @@ index dc8a042..fe5f315 100644
  	start_switch_worker();
  }
  
+diff --git a/drivers/oprofile/oprofile_files.c b/drivers/oprofile/oprofile_files.c
+index bbd7516..1f97f55 100644
+--- a/drivers/oprofile/oprofile_files.c
++++ b/drivers/oprofile/oprofile_files.c
+@@ -36,6 +36,8 @@ static ssize_t timeout_read(struct file *file, char __user *buf,
+ 
+ 
+ static ssize_t timeout_write(struct file *file, char const __user *buf,
++		size_t count, loff_t *offset) __size_overflow(3);
++static ssize_t timeout_write(struct file *file, char const __user *buf,
+ 		size_t count, loff_t *offset)
+ {
+ 	unsigned long val;
+@@ -71,6 +73,7 @@ static ssize_t depth_read(struct file *file, char __user *buf, size_t count, lof
+ }
+ 
+ 
++static ssize_t depth_write(struct file *file, char const __user *buf, size_t count, loff_t *offset) __size_overflow(3);
+ static ssize_t depth_write(struct file *file, char const __user *buf, size_t count, loff_t *offset)
+ {
+ 	unsigned long val;
+@@ -119,12 +122,14 @@ static const struct file_operations cpu_type_fops = {
+ };
+ 
+ 
++static ssize_t enable_read(struct file *file, char __user *buf, size_t count, loff_t *offset) __size_overflow(3);
+ static ssize_t enable_read(struct file *file, char __user *buf, size_t count, loff_t *offset)
+ {
+ 	return oprofilefs_ulong_to_user(oprofile_started, buf, count, offset);
+ }
+ 
+ 
++static ssize_t enable_write(struct file *file, char const __user *buf, size_t count, loff_t *offset) __size_overflow(3);
+ static ssize_t enable_write(struct file *file, char const __user *buf, size_t count, loff_t *offset)
+ {
+ 	unsigned long val;
 diff --git a/drivers/oprofile/oprofile_stats.c b/drivers/oprofile/oprofile_stats.c
 index 61689e8..387f7f8 100644
 --- a/drivers/oprofile/oprofile_stats.c
@@ -53687,10 +54323,18 @@ index 0b54e46..a37c527 100644
  
  extern struct oprofile_stat_struct oprofile_stats;
 diff --git a/drivers/oprofile/oprofilefs.c b/drivers/oprofile/oprofilefs.c
-index 2766a6d..80c77e2 100644
+index 2766a6d..4d533c7 100644
 --- a/drivers/oprofile/oprofilefs.c
 +++ b/drivers/oprofile/oprofilefs.c
-@@ -187,7 +187,7 @@ static const struct file_operations atomic_ro_fops = {
+@@ -89,6 +89,7 @@ static ssize_t ulong_read_file(struct file *file, char __user *buf, size_t count
+ }
+ 
+ 
++static ssize_t ulong_write_file(struct file *file, char const __user *buf, size_t count, loff_t *offset) __size_overflow(3);
+ static ssize_t ulong_write_file(struct file *file, char const __user *buf, size_t count, loff_t *offset)
+ {
+ 	unsigned long *value = file->private_data;
+@@ -187,7 +188,7 @@ static const struct file_operations atomic_ro_fops = {
  
  
  int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
@@ -60615,21 +61259,6 @@ index bcbe104..9cfd1c6 100644
  void usb_mon_deregister(void);
  
  #else
-diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
-index 409cc94..a673bad 100644
---- a/drivers/usb/core/message.c
-+++ b/drivers/usb/core/message.c
-@@ -914,8 +914,8 @@ char *usb_cache_string(struct usb_device *udev, int index)
- 	buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
- 	if (buf) {
- 		len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
--		if (len > 0) {
--			smallbuf = kmalloc(++len, GFP_NOIO);
-+		if (len++ > 0) {
-+			smallbuf = kmalloc(len, GFP_NOIO);
- 			if (!smallbuf)
- 				return buf;
- 			memcpy(smallbuf, buf, len);
 diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c
 index 62ff5e7..530b74e 100644
 --- a/drivers/usb/misc/appledisplay.c
@@ -64195,20 +64824,6 @@ index 96d394b..33cf5b4 100644
  		if (limit != RLIM_INFINITY && offset > limit)
  			goto out_sig;
  		if (offset > inode->i_sb->s_maxbytes)
-diff --git a/fs/autofs/root.c b/fs/autofs/root.c
-index 4a1401c..05eb5ca 100644
---- a/fs/autofs/root.c
-+++ b/fs/autofs/root.c
-@@ -299,7 +299,8 @@ static int autofs_root_symlink(struct inode *dir, struct dentry *dentry, const c
- 	set_bit(n,sbi->symlink_bitmap);
- 	sl = &sbi->symlink[n];
- 	sl->len = strlen(symname);
--	sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
-+	slsize = sl->len+1;
-+	sl->data = kmalloc(slsize, GFP_KERNEL);
- 	if (!sl->data) {
- 		clear_bit(n,sbi->symlink_bitmap);
- 		unlock_kernel();
 diff --git a/fs/autofs4/symlink.c b/fs/autofs4/symlink.c
 index b4ea829..e63ef18 100644
 --- a/fs/autofs4/symlink.c
@@ -64364,7 +64979,7 @@ index 0133b5a..3710d09 100644
  		(unsigned long) create_aout_tables((char __user *) bprm->p, bprm);
  #ifdef __alpha__
 diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index 1ed37ba..66794b9 100644
+index a64fde6..66794b9 100644
 --- a/fs/binfmt_elf.c
 +++ b/fs/binfmt_elf.c
 @@ -31,6 +31,7 @@
@@ -65089,15 +65704,6 @@ index 1ed37ba..66794b9 100644
  	fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
  }
  
-@@ -1452,7 +1926,7 @@ static int fill_thread_core_info(struct elf_thread_core_info *t,
- 	for (i = 1; i < view->n; ++i) {
- 		const struct user_regset *regset = &view->regsets[i];
- 		do_thread_regset_writeback(t->task, regset);
--		if (regset->core_note_type &&
-+		if (regset->core_note_type && regset->get &&
- 		    (!regset->active || regset->active(t->task, regset))) {
- 			int ret;
- 			size_t size = regset->n * regset->size;
 @@ -1973,7 +2447,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un
  		phdr.p_offset = offset;
  		phdr.p_vaddr = vma->vm_start;
@@ -65696,6 +66302,20 @@ index a6c8c6f..5cf8517 100644
  			set_fs(old_fs);
  			kunmap(page);
  			if (ret != len)
+diff --git a/fs/cifs/asn1.c b/fs/cifs/asn1.c
+index 20692fb..0098fb7 100644
+--- a/fs/cifs/asn1.c
++++ b/fs/cifs/asn1.c
+@@ -416,6 +416,9 @@ asn1_subid_decode(struct asn1_ctx *ctx, unsigned long *subid)
+ 
+ static int
+ asn1_oid_decode(struct asn1_ctx *ctx,
++		unsigned char *eoc, unsigned long **oid, unsigned int *len) __size_overflow(2);
++static int
++asn1_oid_decode(struct asn1_ctx *ctx,
+ 		unsigned char *eoc, unsigned long **oid, unsigned int *len)
+ {
+ 	unsigned long subid;
 diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
 index 42cec2a..2aba466 100644
 --- a/fs/cifs/cifs_debug.c
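Review bot: The annotation on `asn1_oid_decode` uses index 2, which in this prototype is `unsigned char *eoc`, a pointer, whereas every other `__size_overflow` added in this update names a count or size argument at index 3. The body is outside the hunk, so it cannot be confirmed here whether the allocation length is derived from `eoc` or whether the index was meant to be different. If index 2 is intended, a comment such as `/* size_overflow(2): OID buffer length is computed from eoc — confirm */` would keep it from reading as an off-by-one.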
@@ -66410,7 +67030,7 @@ index c010ecf..a8d8c59 100644
  	.store = dlm_attr_store,
  };
 diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
-index 7a5f1ac..62fa913 100644
+index 7e164bb..62fa913 100644
 --- a/fs/ecryptfs/crypto.c
 +++ b/fs/ecryptfs/crypto.c
 @@ -418,17 +418,6 @@ static int ecryptfs_encrypt_extent(struct page *enc_extent_page,
@@ -66481,76 +67101,11 @@ index 7a5f1ac..62fa913 100644
  out:
  	return rc;
  }
-@@ -1455,6 +1415,25 @@ static void set_default_header_data(struct ecryptfs_crypt_stat *crypt_stat)
- 		ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE;
- }
- 
-+void ecryptfs_i_size_init(const char *page_virt, struct inode *inode)
-+{
-+	struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
-+	struct ecryptfs_crypt_stat *crypt_stat;
-+	u64 file_size;
-+
-+	crypt_stat = &ecryptfs_inode_to_private(inode)->crypt_stat;
-+	mount_crypt_stat =
-+		&ecryptfs_superblock_to_private(inode->i_sb)->mount_crypt_stat;
-+	if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) {
-+		file_size = i_size_read(ecryptfs_inode_to_lower(inode));
-+		if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
-+			file_size += crypt_stat->num_header_bytes_at_front;
-+	} else
-+		file_size = get_unaligned_be64(page_virt);
-+	i_size_write(inode, (loff_t)file_size);
-+	crypt_stat->flags |= ECRYPTFS_I_SIZE_INITIALIZED;
-+}
-+
- /**
-  * ecryptfs_read_headers_virt
-  * @page_virt: The virtual address into which to read the headers
-@@ -1485,6 +1464,8 @@ static int ecryptfs_read_headers_virt(char *page_virt,
- 		rc = -EINVAL;
- 		goto out;
- 	}
-+	if (!(crypt_stat->flags & ECRYPTFS_I_SIZE_INITIALIZED))
-+		ecryptfs_i_size_init(page_virt, ecryptfs_dentry->d_inode);
- 	offset += MAGIC_ECRYPTFS_MARKER_SIZE_BYTES;
- 	rc = ecryptfs_process_flags(crypt_stat, (page_virt + offset),
- 				    &bytes_read);
-diff --git a/fs/ecryptfs/ecryptfs_kernel.h b/fs/ecryptfs/ecryptfs_kernel.h
-index 542f625..9685315 100644
---- a/fs/ecryptfs/ecryptfs_kernel.h
-+++ b/fs/ecryptfs/ecryptfs_kernel.h
-@@ -270,6 +270,7 @@ struct ecryptfs_crypt_stat {
- #define ECRYPTFS_ENCFN_USE_MOUNT_FNEK 0x00001000
- #define ECRYPTFS_ENCFN_USE_FEK        0x00002000
- #define ECRYPTFS_UNLINK_SIGS	      0x00004000
-+#define ECRYPTFS_I_SIZE_INITIALIZED   0x00008000
- 	u32 flags;
- 	unsigned int file_version;
- 	size_t iv_bytes;
-@@ -619,6 +620,7 @@ struct ecryptfs_open_req {
- int ecryptfs_interpose(struct dentry *hidden_dentry,
- 		       struct dentry *this_dentry, struct super_block *sb,
- 		       u32 flags);
-+void ecryptfs_i_size_init(const char *page_virt, struct inode *inode);
- int ecryptfs_lookup_and_interpose_lower(struct dentry *ecryptfs_dentry,
- 					struct dentry *lower_dentry,
- 					struct inode *ecryptfs_dir_inode,
 diff --git a/fs/ecryptfs/file.c b/fs/ecryptfs/file.c
-index 3015389..49129f4 100644
+index 502b09f..49129f4 100644
 --- a/fs/ecryptfs/file.c
 +++ b/fs/ecryptfs/file.c
-@@ -237,7 +237,8 @@ static int ecryptfs_open(struct inode *inode, struct file *file)
- 				goto out_free;
- 			}
- 			rc = 0;
--			crypt_stat->flags &= ~(ECRYPTFS_ENCRYPTED);
-+			crypt_stat->flags &= ~(ECRYPTFS_I_SIZE_INITIALIZED
-+						| ECRYPTFS_ENCRYPTED);
- 			mutex_unlock(&crypt_stat->cs_mutex);
- 			goto out;
- 		}
-@@ -347,7 +348,6 @@ const struct file_operations ecryptfs_main_fops = {
+@@ -348,7 +348,6 @@ const struct file_operations ecryptfs_main_fops = {
  #ifdef CONFIG_COMPAT
  	.compat_ioctl = ecryptfs_compat_ioctl,
  #endif
@@ -66559,41 +67114,10 @@ index 3015389..49129f4 100644
  	.flush = ecryptfs_flush,
  	.release = ecryptfs_release,
 diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
-index 4434e8f..fa05803 100644
+index 90a6087..fa05803 100644
 --- a/fs/ecryptfs/inode.c
 +++ b/fs/ecryptfs/inode.c
-@@ -256,10 +256,8 @@ int ecryptfs_lookup_and_interpose_lower(struct dentry *ecryptfs_dentry,
- 	struct dentry *lower_dir_dentry;
- 	struct vfsmount *lower_mnt;
- 	struct inode *lower_inode;
--	struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
- 	struct ecryptfs_crypt_stat *crypt_stat;
- 	char *page_virt = NULL;
--	u64 file_size;
- 	int rc = 0;
- 
- 	lower_dir_dentry = lower_dentry->d_parent;
-@@ -334,18 +332,7 @@ int ecryptfs_lookup_and_interpose_lower(struct dentry *ecryptfs_dentry,
- 		}
- 		crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR;
- 	}
--	mount_crypt_stat = &ecryptfs_superblock_to_private(
--		ecryptfs_dentry->d_sb)->mount_crypt_stat;
--	if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) {
--		if (crypt_stat->flags & ECRYPTFS_METADATA_IN_XATTR)
--			file_size = (crypt_stat->num_header_bytes_at_front
--				     + i_size_read(lower_dentry->d_inode));
--		else
--			file_size = i_size_read(lower_dentry->d_inode);
--	} else {
--		file_size = get_unaligned_be64(page_virt);
--	}
--	i_size_write(ecryptfs_dentry->d_inode, (loff_t)file_size);
-+	ecryptfs_i_size_init(page_virt, ecryptfs_dentry->d_inode);
- out_free_kmem:
- 	kmem_cache_free(ecryptfs_header_cache_2, page_virt);
- 	goto out;
-@@ -660,7 +647,7 @@ static int ecryptfs_readlink_lower(struct dentry *dentry, char **buf,
+@@ -647,7 +647,7 @@ static int ecryptfs_readlink_lower(struct dentry *dentry, char **buf,
  	old_fs = get_fs();
  	set_fs(get_ds());
  	rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
@@ -66602,7 +67126,7 @@ index 4434e8f..fa05803 100644
  						   lower_bufsiz);
  	set_fs(old_fs);
  	if (rc < 0)
-@@ -706,7 +693,7 @@ static void *ecryptfs_follow_link(struct dentry *dentry, struct nameidata *nd)
+@@ -693,7 +693,7 @@ static void *ecryptfs_follow_link(struct dentry *dentry, struct nameidata *nd)
  	}
  	old_fs = get_fs();
  	set_fs(get_ds());
@@ -66611,18 +67135,8 @@ index 4434e8f..fa05803 100644
  	set_fs(old_fs);
  	if (rc < 0)
  		goto out_free;
-@@ -964,7 +951,8 @@ static int ecryptfs_setattr(struct dentry *dentry, struct iattr *ia)
- 				goto out;
- 			}
- 			rc = 0;
--			crypt_stat->flags &= ~(ECRYPTFS_ENCRYPTED);
-+			crypt_stat->flags &= ~(ECRYPTFS_I_SIZE_INITIALIZED
-+						| ECRYPTFS_ENCRYPTED);
- 		}
- 	}
- 	mutex_unlock(&crypt_stat->cs_mutex);
 diff --git a/fs/exec.c b/fs/exec.c
-index 86fafc6..6a041a8 100644
+index 86fafc6..6a109b9 100644
 --- a/fs/exec.c
 +++ b/fs/exec.c
 @@ -56,12 +56,28 @@
@@ -67058,7 +67572,7 @@ index 86fafc6..6a041a8 100644
  out:
  	if (bprm->mm) {
  		acct_arg_size(bprm, 0);
-@@ -1591,6 +1739,219 @@ out:
+@@ -1591,6 +1739,229 @@ out:
  	return ispipe;
  }
  
@@ -67275,10 +67789,20 @@ index 86fafc6..6a041a8 100644
 +EXPORT_SYMBOL(pax_track_stack);
 +#endif
 +
++#ifdef CONFIG_PAX_SIZE_OVERFLOW
++void report_size_overflow(const char *file, unsigned int line, const char *func)
++{
++	printk(KERN_ERR "PAX: size overflow detected in function %s %s:%u\n", func, file, line);
++	dump_stack();
++	do_group_exit(SIGKILL);
++}
++EXPORT_SYMBOL(report_size_overflow);
++#endif
++
  static int zap_process(struct task_struct *start)
  {
  	struct task_struct *t;
-@@ -1793,17 +2154,17 @@ static void wait_for_dump_helpers(struct file *file)
+@@ -1793,17 +2164,17 @@ static void wait_for_dump_helpers(struct file *file)
  	pipe = file->f_path.dentry->d_inode->i_pipe;
  
  	pipe_lock(pipe);
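Review bot: `report_size_overflow()` ends with `do_group_exit(SIGKILL)`, which acts on `current`, but nothing in the function checks that it is running in process context. Allocators annotated later in this update (`kmalloc`, `__kmalloc`) can also be called from atomic paths. If the plugin can emit the report there, which this hunk does not show, the task that gets killed may have nothing to do with the overflow. A comment stating the assumption, for example `/* reached only from plugin-instrumented code; assumes process context */`, or an explicit context check before the exit would make the contract clear.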
@@ -67301,7 +67825,7 @@ index 86fafc6..6a041a8 100644
  	pipe_unlock(pipe);
  
  }
-@@ -1826,10 +2187,13 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -1826,10 +2197,13 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  	char **helper_argv = NULL;
  	int helper_argc = 0;
  	int dump_count = 0;
@@ -67316,7 +67840,7 @@ index 86fafc6..6a041a8 100644
  	binfmt = mm->binfmt;
  	if (!binfmt || !binfmt->core_dump)
  		goto fail;
-@@ -1874,6 +2238,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -1874,6 +2248,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  	 */
  	clear_thread_flag(TIF_SIGPENDING);
  
@@ -67325,7 +67849,7 @@ index 86fafc6..6a041a8 100644
  	/*
  	 * lock_kernel() because format_corename() is controlled by sysctl, which
  	 * uses lock_kernel()
-@@ -1908,7 +2274,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -1908,7 +2284,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  			goto fail_unlock;
  		}
  
@@ -67334,7 +67858,7 @@ index 86fafc6..6a041a8 100644
  		if (core_pipe_limit && (core_pipe_limit < dump_count)) {
  			printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
  			       task_tgid_vnr(current), current->comm);
-@@ -1972,7 +2338,7 @@ close_fail:
+@@ -1972,7 +2348,7 @@ close_fail:
  	filp_close(file, NULL);
  fail_dropcount:
  	if (dump_count)
@@ -70239,6 +70763,28 @@ index cf98da1..da890a9 100644
  	data.wdog_pid = NULL;
  	server = kzalloc(sizeof(struct ncp_server), GFP_KERNEL);
  	if (!server)
+diff --git a/fs/ncpfs/ncplib_kernel.h b/fs/ncpfs/ncplib_kernel.h
+index 2441d1a..96882c1 100644
+--- a/fs/ncpfs/ncplib_kernel.h
++++ b/fs/ncpfs/ncplib_kernel.h
+@@ -131,7 +131,7 @@ static inline int ncp_is_nfs_extras(struct ncp_server* server, unsigned int voln
+ int ncp__io2vol(struct ncp_server *, unsigned char *, unsigned int *,
+ 				const unsigned char *, unsigned int, int);
+ int ncp__vol2io(struct ncp_server *, unsigned char *, unsigned int *,
+-				const unsigned char *, unsigned int, int);
++				const unsigned char *, unsigned int, int) __size_overflow(5);
+ 
+ #define NCP_ESC			':'
+ #define NCP_IO_TABLE(dentry)	(NCP_SERVER((dentry)->d_inode)->nls_io)
+@@ -147,7 +147,7 @@ int ncp__vol2io(struct ncp_server *, unsigned char *, unsigned int *,
+ int ncp__io2vol(unsigned char *, unsigned int *,
+ 				const unsigned char *, unsigned int, int);
+ int ncp__vol2io(unsigned char *, unsigned int *,
+-				const unsigned char *, unsigned int, int);
++				const unsigned char *, unsigned int, int) __size_overflow(5);
+ 
+ #define NCP_IO_TABLE(dentry)	NULL
+ #define ncp_tolower(t, c)	tolower(c)
 diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
 index bfaef7b..e9d03ca 100644
 --- a/fs/nfs/inode.c
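Review bot: In the second `ncp__vol2io` prototype (the variant without the `struct ncp_server *` argument), `__size_overflow(5)` points at the trailing `int` rather than the `unsigned int` length, which is parameter 4 there. The index looks copied from the first prototype, where the extra leading argument makes the length parameter 5. If the length is what should be tracked, the line would read `const unsigned char *, unsigned int, int) __size_overflow(4);`. The neighbouring `ncp__io2vol` prototypes take the same length argument and are left unannotated; whether that is intended is not visible here.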
@@ -70365,6 +70911,18 @@ index f6af760..d0adf34 100644
  		len = argv[n].v_size * argv[n].v_nmembs;
  		base = (void __user *)(unsigned long)argv[n].v_base;
  		if (len == 0) {
+diff --git a/fs/nilfs2/the_nilfs.c b/fs/nilfs2/the_nilfs.c
+index ad391a8..149a8a1 100644
+--- a/fs/nilfs2/the_nilfs.c
++++ b/fs/nilfs2/the_nilfs.c
+@@ -478,6 +478,7 @@ static int nilfs_load_super_block(struct the_nilfs *nilfs,
+ 		brelse(sbh[1]);
+ 		sbh[1] = NULL;
+ 		sbp[1] = NULL;
++		valid[1] = 0;
+ 		swp = 0;
+ 	}
+ 	if (!valid[swp]) {
 diff --git a/fs/notify/dnotify/dnotify.c b/fs/notify/dnotify/dnotify.c
 index 7e54e52..9337248 100644
 --- a/fs/notify/dnotify/dnotify.c
@@ -72564,7 +73122,7 @@ index fd38ce2..f5381b8 100644
  		return -EINVAL;
  
 diff --git a/fs/seq_file.c b/fs/seq_file.c
-index eae7d9d..4ddabe2 100644
+index eae7d9d..b7613c6 100644
 --- a/fs/seq_file.c
 +++ b/fs/seq_file.c
 @@ -9,6 +9,7 @@
@@ -72585,47 +73143,7 @@ index eae7d9d..4ddabe2 100644
  
  	/*
  	 * Wrappers around seq_open(e.g. swaps_open) need to be
-@@ -76,7 +80,8 @@ static int traverse(struct seq_file *m, loff_t offset)
- 		return 0;
- 	}
- 	if (!m->buf) {
--		m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
-+		m->size = PAGE_SIZE;
-+		m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
- 		if (!m->buf)
- 			return -ENOMEM;
- 	}
-@@ -116,7 +121,8 @@ static int traverse(struct seq_file *m, loff_t offset)
- Eoverflow:
- 	m->op->stop(m, p);
- 	kfree(m->buf);
--	m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
-+	m->size <<= 1;
-+	m->buf = kmalloc(m->size, GFP_KERNEL);
- 	return !m->buf ? -ENOMEM : -EAGAIN;
- }
- 
-@@ -169,7 +175,8 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
- 	m->version = file->f_version;
- 	/* grab buffer if we didn't have one */
- 	if (!m->buf) {
--		m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
-+		m->size = PAGE_SIZE;
-+		m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
- 		if (!m->buf)
- 			goto Enomem;
- 	}
-@@ -210,7 +217,8 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
- 			goto Fill;
- 		m->op->stop(m, p);
- 		kfree(m->buf);
--		m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
-+		m->size <<= 1;
-+		m->buf = kmalloc(m->size, GFP_KERNEL);
- 		if (!m->buf)
- 			goto Enomem;
- 		m->count = 0;
-@@ -551,7 +559,7 @@ static void single_stop(struct seq_file *p, void *v)
+@@ -551,7 +555,7 @@ static void single_stop(struct seq_file *p, void *v)
  int single_open(struct file *file, int (*show)(struct seq_file *, void *),
  		void *data)
  {
@@ -72685,7 +73203,7 @@ index 00b2909..2ace383 100644
  		__putname(s);
  }
 diff --git a/fs/splice.c b/fs/splice.c
-index bb92b7c..5aa72b0 100644
+index bb92b7c5..5aa72b0 100644
 --- a/fs/splice.c
 +++ b/fs/splice.c
 @@ -185,7 +185,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
@@ -72853,6 +73371,19 @@ index bb92b7c..5aa72b0 100644
  		ret = -EAGAIN;
  
  	pipe_unlock(ipipe);
+diff --git a/fs/sysfs/bin.c b/fs/sysfs/bin.c
+index 60c702b..dddc2b5 100644
+--- a/fs/sysfs/bin.c
++++ b/fs/sysfs/bin.c
+@@ -67,6 +67,8 @@ fill_read(struct dentry *dentry, char *buffer, loff_t off, size_t count)
+ }
+ 
+ static ssize_t
++read(struct file *file, char __user *userbuf, size_t bytes, loff_t *off) __size_overflow(3);
++static ssize_t
+ read(struct file *file, char __user *userbuf, size_t bytes, loff_t *off)
+ {
+ 	struct bin_buffer *bb = file->private_data;
 diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
 index e020183..18d64b4 100644
 --- a/fs/sysfs/dir.c
@@ -83870,32 +84401,6 @@ index 3c2344f..4590a7d 100644
  {
  	return -ENOSYS;
  }
-diff --git a/include/asm-generic/int-l64.h b/include/asm-generic/int-l64.h
-index 1ca3efc..e3dc852 100644
---- a/include/asm-generic/int-l64.h
-+++ b/include/asm-generic/int-l64.h
-@@ -46,6 +46,8 @@ typedef unsigned int u32;
- typedef signed long s64;
- typedef unsigned long u64;
- 
-+typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
-+
- #define S8_C(x)  x
- #define U8_C(x)  x ## U
- #define S16_C(x) x
-diff --git a/include/asm-generic/int-ll64.h b/include/asm-generic/int-ll64.h
-index f394147..b6152b9 100644
---- a/include/asm-generic/int-ll64.h
-+++ b/include/asm-generic/int-ll64.h
-@@ -51,6 +51,8 @@ typedef unsigned int u32;
- typedef signed long long s64;
- typedef unsigned long long u64;
- 
-+typedef unsigned long long intoverflow_t;
-+
- #define S8_C(x)  x
- #define U8_C(x)  x ## U
- #define S16_C(x) x
 diff --git a/include/asm-generic/kmap_types.h b/include/asm-generic/kmap_types.h
 index e5f234a..cdb16b3 100644
 --- a/include/asm-generic/kmap_types.h
@@ -83910,6 +84415,18 @@ index e5f234a..cdb16b3 100644
  };
  
  #undef KMAP_D
+diff --git a/include/asm-generic/local.h b/include/asm-generic/local.h
+index fc21844..2ee9629 100644
+--- a/include/asm-generic/local.h
++++ b/include/asm-generic/local.h
+@@ -39,6 +39,7 @@ typedef struct
+ #define local_add_return(i, l) atomic_long_add_return((i), (&(l)->a))
+ #define local_sub_return(i, l) atomic_long_sub_return((i), (&(l)->a))
+ #define local_inc_return(l) atomic_long_inc_return(&(l)->a)
++#define local_dec_return(l) atomic_long_dec_return(&(l)->a)
+ 
+ #define local_cmpxchg(l, o, n) atomic_long_cmpxchg((&(l)->a), (o), (n))
+ #define local_xchg(l, n) atomic_long_xchg((&(l)->a), (n))
 diff --git a/include/asm-generic/pgtable-nopmd.h b/include/asm-generic/pgtable-nopmd.h
 index 725612b..9cc513a 100644
 --- a/include/asm-generic/pgtable-nopmd.h
@@ -84003,6 +84520,96 @@ index e2bd73e..fea8ed3 100644
  #endif /* !__ASSEMBLY__ */
  
  #endif /* _ASM_GENERIC_PGTABLE_H */
+diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h
+index b218b85..f0ac13a 100644
+--- a/include/asm-generic/uaccess.h
++++ b/include/asm-generic/uaccess.h
+@@ -76,6 +76,8 @@ extern unsigned long search_exception_table(unsigned long);
+  */
+ #ifndef __copy_from_user
+ static inline __must_check long __copy_from_user(void *to,
++		const void __user * from, unsigned long n) __size_overflow(3);
++static inline __must_check long __copy_from_user(void *to,
+ 		const void __user * from, unsigned long n)
+ {
+ 	if (__builtin_constant_p(n)) {
+@@ -106,6 +108,8 @@ static inline __must_check long __copy_from_user(void *to,
+ 
+ #ifndef __copy_to_user
+ static inline __must_check long __copy_to_user(void __user *to,
++		const void *from, unsigned long n) __size_overflow(3);
++static inline __must_check long __copy_to_user(void __user *to,
+ 		const void *from, unsigned long n)
+ {
+ 	if (__builtin_constant_p(n)) {
+@@ -224,6 +228,7 @@ extern int __put_user_bad(void) __attribute__((noreturn));
+ 		-EFAULT;					\
+ })
+ 
++static inline int __get_user_fn(size_t size, const void __user *ptr, void *x) __size_overflow(1);
+ static inline int __get_user_fn(size_t size, const void __user *ptr, void *x)
+ {
+ 	size = __copy_from_user(x, ptr, size);
+@@ -240,6 +245,7 @@ extern int __get_user_bad(void) __attribute__((noreturn));
+ #define __copy_to_user_inatomic __copy_to_user
+ #endif
+ 
++static inline long copy_from_user(void *to, const void __user * from, unsigned long n) __size_overflow(3);
+ static inline long copy_from_user(void *to,
+ 		const void __user * from, unsigned long n)
+ {
+@@ -250,6 +256,7 @@ static inline long copy_from_user(void *to,
+ 		return n;
+ }
+ 
++static inline long copy_to_user(void __user *to, const void *from, unsigned long n) __size_overflow(3);
+ static inline long copy_to_user(void __user *to,
+ 		const void *from, unsigned long n)
+ {
+@@ -265,6 +272,8 @@ static inline long copy_to_user(void __user *to,
+  */
+ #ifndef __strncpy_from_user
+ static inline long
++__strncpy_from_user(char *dst, const char __user *src, unsigned long count) __size_overflow(3);
++static inline long
+ __strncpy_from_user(char *dst, const char __user *src, long count)
+ {
+ 	char *tmp;
+@@ -276,6 +285,8 @@ __strncpy_from_user(char *dst, const char __user *src, long count)
+ #endif
+ 
+ static inline long
++strncpy_from_user(char *dst, const char __user *src, unsigned long count) __size_overflow(3);
++static inline long
+ strncpy_from_user(char *dst, const char __user *src, long count)
+ {
+ 	if (!access_ok(VERIFY_READ, src, 1))
+@@ -289,6 +300,7 @@ strncpy_from_user(char *dst, const char __user *src, long count)
+  * Return 0 on exception, a value greater than N if too long
+  */
+ #ifndef strnlen_user
++static inline long strnlen_user(const char __user *src, unsigned long n) __size_overflow(2);
+ static inline long strnlen_user(const char __user *src, long n)
+ {
+ 	if (!access_ok(VERIFY_READ, src, 1))
+@@ -307,6 +319,8 @@ static inline long strlen_user(const char __user *src)
+  */
+ #ifndef __clear_user
+ static inline __must_check unsigned long
++__clear_user(void __user *to, unsigned long n) __size_overflow(2);
++static inline __must_check unsigned long
+ __clear_user(void __user *to, unsigned long n)
+ {
+ 	memset((void __force *)to, 0, n);
+@@ -315,6 +329,8 @@ __clear_user(void __user *to, unsigned long n)
+ #endif
+ 
+ static inline __must_check unsigned long
++clear_user(void __user *to, unsigned long n) __size_overflow(2);
++static inline __must_check unsigned long
+ clear_user(void __user *to, unsigned long n)
+ {
+ 	might_sleep();
 diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
 index b6e818f..21aa58a 100644
 --- a/include/asm-generic/vmlinux.lds.h
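Review bot: The added forward declarations of `__strncpy_from_user`, `strncpy_from_user` and `strnlen_user` take `unsigned long` for the count, while the definitions directly below keep `long count` / `long n`, so each declaration conflicts with its definition. Any architecture that actually compiles these generic fallbacks should fail to build. The declarations need the same parameter type as the definitions, e.g. `__strncpy_from_user(char *dst, const char __user *src, long count) __size_overflow(3);`. If the intent was to make the counts unsigned, the definitions have to change too, and their bodies lie outside this hunk.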
@@ -84371,10 +84978,20 @@ index c8f2a5f7..1618a5c 100644
  /* audit system wants to get cap info from files as well */
  struct dentry;
 diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h
-index 450fa59..86019fb 100644
+index 450fa59..246fa19 100644
 --- a/include/linux/compiler-gcc4.h
 +++ b/include/linux/compiler-gcc4.h
-@@ -36,4 +36,16 @@
+@@ -14,6 +14,9 @@
+ #define __compiler_offsetof(a,b) __builtin_offsetof(a,b)
+ #define __always_inline		inline __attribute__((always_inline))
+ 
++#ifdef SIZE_OVERFLOW_PLUGIN
++#define __size_overflow(...) __attribute__((size_overflow(__VA_ARGS__)))
++#endif
+ /*
+  * A trick to suppress uninitialized variable warning without generating any
+  * code
+@@ -36,4 +39,16 @@
     the kernel context */
  #define __cold			__attribute__((__cold__))
  
@@ -84392,7 +85009,7 @@ index 450fa59..86019fb 100644
 +
  #endif
 diff --git a/include/linux/compiler.h b/include/linux/compiler.h
-index 04fb513..fd6477b 100644
+index 04fb513..6189f3b 100644
 --- a/include/linux/compiler.h
 +++ b/include/linux/compiler.h
 @@ -5,11 +5,14 @@
@@ -84445,7 +85062,7 @@ index 04fb513..fd6477b 100644
  # define __chk_user_ptr(x) (void)0
  # define __chk_io_ptr(x) (void)0
  # define __builtin_warning(x, y...) (1)
-@@ -247,6 +271,14 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
+@@ -247,6 +271,17 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
  # define __attribute_const__	/* unimplemented */
  #endif
  
@@ -84457,10 +85074,13 @@ index 04fb513..fd6477b 100644
 +# define __do_const
 +#endif
 +
++#ifndef __size_overflow
++# define __size_overflow(...)
++#endif
  /*
   * Tell gcc if a function is cold. The compiler will assume any path
   * directly leading to the call is unlikely.
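Review bot: The fallback `# define __size_overflow(...)` turns every annotation added in this update into a no-op when `SIZE_OVERFLOW_PLUGIN` is not defined, and the same update removes the `intoverflow_t` wrapper macros around `kmalloc`/`vmalloc` from slab.h and vmalloc.h. A kernel built without the plugin therefore appears to lose the allocation-size check it had before, and nothing in the source says so. A comment on the fallback would record that, for example `/* no plugin: size_overflow annotations expand to nothing, no runtime check */`. Whether the build refuses `CONFIG_PAX_SIZE_OVERFLOW` without the plugin is not visible here.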
-@@ -256,6 +288,22 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
+@@ -256,6 +291,22 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
  #define __cold
  #endif
  
@@ -84483,7 +85103,7 @@ index 04fb513..fd6477b 100644
  /* Simple shorthand for a section definition */
  #ifndef __section
  # define __section(S) __attribute__ ((__section__(#S)))
-@@ -278,6 +326,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
+@@ -278,6 +329,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
   * use is to mediate communication between process-level code and irq/NMI
   * handlers, all running on the same CPU.
   */
@@ -84492,6 +85112,19 @@ index 04fb513..fd6477b 100644
 +#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
  
  #endif /* __LINUX_COMPILER_H */
+diff --git a/include/linux/crash_dump.h b/include/linux/crash_dump.h
+index 0026f26..6c237c5 100644
+--- a/include/linux/crash_dump.h
++++ b/include/linux/crash_dump.h
+@@ -12,7 +12,7 @@
+ extern unsigned long long elfcorehdr_addr;
+ 
+ extern ssize_t copy_oldmem_page(unsigned long, char *, size_t,
+-						unsigned long, int);
++						unsigned long, int) __size_overflow(3);
+ 
+ /* Architecture code defines this if there are other possible ELF
+  * machine types, e.g. on bi-arch capable hardware. */
 diff --git a/include/linux/crypto.h b/include/linux/crypto.h
 index fd92988..a3164bd 100644
 --- a/include/linux/crypto.h
@@ -86300,7 +86933,7 @@ index 58ae8e0..3950d3c 100644
  
  static inline struct kset *to_kset(struct kobject *kobj)
 diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
-index c728a50..752d821 100644
+index c728a50..762821f 100644
 --- a/include/linux/kvm_host.h
 +++ b/include/linux/kvm_host.h
 @@ -210,7 +210,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vcpu);
@@ -86321,6 +86954,15 @@ index c728a50..752d821 100644
  void kvm_arch_exit(void);
  
  int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
+@@ -519,7 +519,7 @@ int kvm_setup_default_irq_routing(struct kvm *kvm);
+ int kvm_set_irq_routing(struct kvm *kvm,
+ 			const struct kvm_irq_routing_entry *entries,
+ 			unsigned nr,
+-			unsigned flags);
++			unsigned flags) __size_overflow(3);
+ void kvm_free_irq_routing(struct kvm *kvm);
+ 
+ #else
 diff --git a/include/linux/libata.h b/include/linux/libata.h
 index a069916..223edde 100644
 --- a/include/linux/libata.h
@@ -86703,19 +87345,22 @@ index 482efc8..642032b 100644
  
  /* Search for module by name: must hold module_mutex. */
 diff --git a/include/linux/moduleloader.h b/include/linux/moduleloader.h
-index c1f40c2..682ca53 100644
+index c1f40c2..e875ff4 100644
 --- a/include/linux/moduleloader.h
 +++ b/include/linux/moduleloader.h
-@@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(struct module *mod, unsigned int section);
-    sections.  Returns NULL on failure. */
- void *module_alloc(unsigned long size);
+@@ -18,11 +18,23 @@ unsigned int arch_mod_section_prepend(struct module *mod, unsigned int section);
  
+ /* Allocator used for allocating struct module, core sections and init
+    sections.  Returns NULL on failure. */
+-void *module_alloc(unsigned long size);
++void *module_alloc(unsigned long size) __size_overflow(1);
++
 +#ifdef CONFIG_PAX_KERNEXEC
 +void *module_alloc_exec(unsigned long size);
 +#else
 +#define module_alloc_exec(x) module_alloc(x)
 +#endif
-+
+ 
  /* Free memory returned from module_alloc. */
  void module_free(struct module *mod, void *module_region);
  
@@ -86839,7 +87484,7 @@ index b359c4a..c08b334 100644
  
  #define num_online_nodes()	num_node_state(N_ONLINE)
 diff --git a/include/linux/oprofile.h b/include/linux/oprofile.h
-index 5171639..7cf4235 100644
+index 5171639..81f30d3 100644
 --- a/include/linux/oprofile.h
 +++ b/include/linux/oprofile.h
 @@ -129,9 +129,9 @@ int oprofilefs_create_ulong(struct super_block * sb, struct dentry * root,
@@ -86854,6 +87499,15 @@ index 5171639..7cf4235 100644
   
  /** create a directory */
  struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
+@@ -153,7 +153,7 @@ ssize_t oprofilefs_ulong_to_user(unsigned long val, char __user * buf, size_t co
+  * Read an ASCII string for a number from a userspace buffer and fill *val on success.
+  * Returns 0 on success, < 0 on error.
+  */
+-int oprofilefs_ulong_from_user(unsigned long * val, char const __user * buf, size_t count);
++int oprofilefs_ulong_from_user(unsigned long * val, char const __user * buf, size_t count) __size_overflow(3);
+ 
+ /** lock for read/write safety */
+ extern spinlock_t oprofilefs_lock;
 diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h
 index 3c62ed4..8924c7c 100644
 --- a/include/linux/pagemap.h
@@ -87089,30 +87743,6 @@ index 988e55f..17cb4ef 100644
  #include <asm/emergency-restart.h>
  
  #endif
-diff --git a/include/linux/regset.h b/include/linux/regset.h
-index 8abee65..5150fd1 100644
---- a/include/linux/regset.h
-+++ b/include/linux/regset.h
-@@ -335,6 +335,9 @@ static inline int copy_regset_to_user(struct task_struct *target,
- {
- 	const struct user_regset *regset = &view->regsets[setno];
- 
-+	if (!regset->get)
-+		return -EOPNOTSUPP;
-+
- 	if (!access_ok(VERIFY_WRITE, data, size))
- 		return -EIO;
- 
-@@ -358,6 +361,9 @@ static inline int copy_regset_from_user(struct task_struct *target,
- {
- 	const struct user_regset *regset = &view->regsets[setno];
- 
-+	if (!regset->set)
-+		return -EOPNOTSUPP;
-+
- 	if (!access_ok(VERIFY_READ, data, size))
- 		return -EIO;
- 
 diff --git a/include/linux/reiserfs_fs.h b/include/linux/reiserfs_fs.h
 index dd31e7b..5b03c5c 100644
 --- a/include/linux/reiserfs_fs.h
@@ -87677,7 +88307,7 @@ index bcdd660..fd2e332 100644
  
  /**
 diff --git a/include/linux/slab.h b/include/linux/slab.h
-index 2da8372..a3be824 100644
+index 2da8372..9e01add 100644
 --- a/include/linux/slab.h
 +++ b/include/linux/slab.h
 @@ -11,12 +11,20 @@
@@ -87718,7 +88348,14 @@ index 2da8372..a3be824 100644
  
  /*
   * struct kmem_cache related prototypes
-@@ -138,6 +149,7 @@ void * __must_check krealloc(const void *, size_t, gfp_t);
+@@ -133,11 +144,12 @@ int kmem_ptr_validate(struct kmem_cache *cachep, const void *ptr);
+ /*
+  * Common kmalloc functions provided by all allocators
+  */
+-void * __must_check __krealloc(const void *, size_t, gfp_t);
+-void * __must_check krealloc(const void *, size_t, gfp_t);
++void * __must_check __krealloc(const void *, size_t, gfp_t) __size_overflow(2);
++void * __must_check krealloc(const void *, size_t, gfp_t) __size_overflow(2);
  void kfree(const void *);
  void kzfree(const void *);
  size_t ksize(const void *);
@@ -87726,46 +88363,26 @@ index 2da8372..a3be824 100644
  
  /*
   * Allocator specific definitions. These are mainly used to establish optimized
-@@ -328,4 +340,37 @@ static inline void *kzalloc_node(size_t size, gfp_t flags, int node)
- 
- void __init kmem_cache_init_late(void);
- 
-+#define kmalloc(x, y)					\
-+({							\
-+	void *___retval;				\
-+	intoverflow_t ___x = (intoverflow_t)x;		\
-+	if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
-+		___retval = NULL;			\
-+	else						\
-+		___retval = kmalloc((size_t)___x, (y));	\
-+	___retval;					\
-+})
-+
-+#define kmalloc_node(x, y, z)					\
-+({								\
-+	void *___retval;					\
-+	intoverflow_t ___x = (intoverflow_t)x;			\
-+	if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
-+		___retval = NULL;				\
-+	else							\
-+		___retval = kmalloc_node((size_t)___x, (y), (z));\
-+	___retval;						\
-+})
-+
-+#define kzalloc(x, y)					\
-+({							\
-+	void *___retval;				\
-+	intoverflow_t ___x = (intoverflow_t)x;		\
-+	if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
-+		___retval = NULL;			\
-+	else						\
-+		___retval = kzalloc((size_t)___x, (y));	\
-+	___retval;					\
-+})
-+
- #endif	/* _LINUX_SLAB_H */
+@@ -263,7 +275,7 @@ static inline void *kmem_cache_alloc_node(struct kmem_cache *cachep,
+  * request comes from.
+  */
+ #if defined(CONFIG_DEBUG_SLAB) || defined(CONFIG_SLUB)
+-extern void *__kmalloc_track_caller(size_t, gfp_t, unsigned long);
++extern void *__kmalloc_track_caller(size_t, gfp_t, unsigned long) __size_overflow(1);
+ #define kmalloc_track_caller(size, flags) \
+ 	__kmalloc_track_caller(size, flags, _RET_IP_)
+ #else
+@@ -281,7 +293,7 @@ extern void *__kmalloc_track_caller(size_t, gfp_t, unsigned long);
+  * allocation request comes from.
+  */
+ #if defined(CONFIG_DEBUG_SLAB) || defined(CONFIG_SLUB)
+-extern void *__kmalloc_node_track_caller(size_t, gfp_t, int, unsigned long);
++extern void *__kmalloc_node_track_caller(size_t, gfp_t, int, unsigned long) __size_overflow(1);
+ #define kmalloc_node_track_caller(size, flags, node) \
+ 	__kmalloc_node_track_caller(size, flags, node, \
+ 			_RET_IP_)
 diff --git a/include/linux/slab_def.h b/include/linux/slab_def.h
-index 850d057..d9dfe3c 100644
+index 850d057..33bad48 100644
 --- a/include/linux/slab_def.h
 +++ b/include/linux/slab_def.h
 @@ -69,10 +69,10 @@ struct kmem_cache {
@@ -87783,8 +88400,71 @@ index 850d057..d9dfe3c 100644
  
  	/*
  	 * If debugging is enabled, then the allocator can add additional
+@@ -108,7 +108,7 @@ struct cache_sizes {
+ extern struct cache_sizes malloc_sizes[];
+ 
+ void *kmem_cache_alloc(struct kmem_cache *, gfp_t);
+-void *__kmalloc(size_t size, gfp_t flags);
++void *__kmalloc(size_t size, gfp_t flags) __size_overflow(1);
+ 
+ #ifdef CONFIG_KMEMTRACE
+ extern void *kmem_cache_alloc_notrace(struct kmem_cache *cachep, gfp_t flags);
+@@ -125,6 +125,7 @@ static inline size_t slab_buffer_size(struct kmem_cache *cachep)
+ }
+ #endif
+ 
++static __always_inline void *kmalloc(size_t size, gfp_t flags) __size_overflow(1);
+ static __always_inline void *kmalloc(size_t size, gfp_t flags)
+ {
+ 	struct kmem_cache *cachep;
+@@ -163,7 +164,7 @@ found:
+ }
+ 
+ #ifdef CONFIG_NUMA
+-extern void *__kmalloc_node(size_t size, gfp_t flags, int node);
++extern void *__kmalloc_node(size_t size, gfp_t flags, int node) __size_overflow(1);
+ extern void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node);
+ 
+ #ifdef CONFIG_KMEMTRACE
+@@ -180,6 +181,7 @@ kmem_cache_alloc_node_notrace(struct kmem_cache *cachep,
+ }
+ #endif
+ 
++static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node) __size_overflow(1);
+ static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
+ {
+ 	struct kmem_cache *cachep;
+diff --git a/include/linux/slob_def.h b/include/linux/slob_def.h
+index 0ec00b3..65e7e0e 100644
+--- a/include/linux/slob_def.h
++++ b/include/linux/slob_def.h
+@@ -9,8 +9,9 @@ static __always_inline void *kmem_cache_alloc(struct kmem_cache *cachep,
+ 	return kmem_cache_alloc_node(cachep, flags, -1);
+ }
+ 
+-void *__kmalloc_node(size_t size, gfp_t flags, int node);
++void *__kmalloc_node(size_t size, gfp_t flags, int node) __size_overflow(1);
+ 
++static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node) __size_overflow(1);
+ static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
+ {
+ 	return __kmalloc_node(size, flags, node);
+@@ -24,11 +25,13 @@ static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
+  * kmalloc is the normal method of allocating memory
+  * in the kernel.
+  */
++static __always_inline void *kmalloc(size_t size, gfp_t flags) __size_overflow(1);
+ static __always_inline void *kmalloc(size_t size, gfp_t flags)
+ {
+ 	return __kmalloc_node(size, flags, -1);
+ }
+ 
++static __always_inline void *__kmalloc(size_t size, gfp_t flags) __size_overflow(1);
+ static __always_inline void *__kmalloc(size_t size, gfp_t flags)
+ {
+ 	return kmalloc(size, flags);
 diff --git a/include/linux/slub_def.h b/include/linux/slub_def.h
-index 5ad70a6..57f9f65 100644
+index 5ad70a6..8f0e2c8 100644
 --- a/include/linux/slub_def.h
 +++ b/include/linux/slub_def.h
 @@ -86,7 +86,7 @@ struct kmem_cache {
@@ -87796,15 +88476,56 @@ index 5ad70a6..57f9f65 100644
  	void (*ctor)(void *);
  	int inuse;		/* Offset to metadata */
  	int align;		/* Alignment */
-@@ -215,7 +215,7 @@ static __always_inline struct kmem_cache *kmalloc_slab(size_t size)
+@@ -197,6 +197,7 @@ static __always_inline int kmalloc_index(size_t size)
+  * This ought to end up with a global pointer to the right cache
+  * in kmalloc_caches.
+  */
++static __always_inline struct kmem_cache *kmalloc_slab(size_t size) __size_overflow(1);
+ static __always_inline struct kmem_cache *kmalloc_slab(size_t size)
+ {
+ 	int index = kmalloc_index(size);
+@@ -215,7 +216,7 @@ static __always_inline struct kmem_cache *kmalloc_slab(size_t size)
  #endif
  
  void *kmem_cache_alloc(struct kmem_cache *, gfp_t);
 -void *__kmalloc(size_t size, gfp_t flags);
-+void *__kmalloc(size_t size, gfp_t flags) __alloc_size(1);
++void *__kmalloc(size_t size, gfp_t flags) __alloc_size(1) __size_overflow(1);
  
  #ifdef CONFIG_KMEMTRACE
  extern void *kmem_cache_alloc_notrace(struct kmem_cache *s, gfp_t gfpflags);
+@@ -227,6 +228,7 @@ kmem_cache_alloc_notrace(struct kmem_cache *s, gfp_t gfpflags)
+ }
+ #endif
+ 
++static __always_inline void *kmalloc_large(size_t size, gfp_t flags) __size_overflow(1);
+ static __always_inline void *kmalloc_large(size_t size, gfp_t flags)
+ {
+ 	unsigned int order = get_order(size);
+@@ -238,6 +240,7 @@ static __always_inline void *kmalloc_large(size_t size, gfp_t flags)
+ 	return ret;
+ }
+ 
++static __always_inline void *kmalloc(size_t size, gfp_t flags) __size_overflow(1);
+ static __always_inline void *kmalloc(size_t size, gfp_t flags)
+ {
+ 	void *ret;
+@@ -263,7 +266,7 @@ static __always_inline void *kmalloc(size_t size, gfp_t flags)
+ }
+ 
+ #ifdef CONFIG_NUMA
+-void *__kmalloc_node(size_t size, gfp_t flags, int node);
++void *__kmalloc_node(size_t size, gfp_t flags, int node) __size_overflow(1);
+ void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node);
+ 
+ #ifdef CONFIG_KMEMTRACE
+@@ -280,6 +283,7 @@ kmem_cache_alloc_node_notrace(struct kmem_cache *s,
+ }
+ #endif
+ 
++static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node) __size_overflow(1);
+ static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
+ {
+ 	void *ret;
 diff --git a/include/linux/sonet.h b/include/linux/sonet.h
 index 67ad11f..0bbd8af 100644
 --- a/include/linux/sonet.h
@@ -88201,7 +88922,7 @@ index c42724f..d190eee 100644
  
  struct ustat {
 diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
-index 6b58367..53a3e8e 100644
+index 6b58367..57b150e 100644
 --- a/include/linux/uaccess.h
 +++ b/include/linux/uaccess.h
 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_user_nocache(void *to,
@@ -88233,7 +88954,7 @@ index 6b58367..53a3e8e 100644
   * happens, handle that and return -EFAULT.
   */
 -extern long probe_kernel_write(void *dst, void *src, size_t size);
-+extern long probe_kernel_write(void *dst, const void *src, size_t size);
++extern long probe_kernel_write(void *dst, const void *src, size_t size) __size_overflow(3);
  
  #endif		/* __LINUX_UACCESS_H__ */
 diff --git a/include/linux/unaligned/access_ok.h b/include/linux/unaligned/access_ok.h
@@ -88321,7 +89042,7 @@ index 79b9837..b5a56f9 100644
 +	MODULE_GRSEC
  
 diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h
-index 819a634..462ac12 100644
+index 819a634..b99e71b 100644
 --- a/include/linux/vmalloc.h
 +++ b/include/linux/vmalloc.h
 @@ -14,6 +14,11 @@ struct vm_area_struct;		/* vma defining user mapping in mm_types.h */
@@ -88336,88 +89057,38 @@ index 819a634..462ac12 100644
  /* bits [20..32] reserved for arch specific ioremap internals */
  
  /*
-@@ -124,4 +129,81 @@ struct vm_struct **pcpu_get_vm_areas(const unsigned long *offsets,
- 
- void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
- 
-+#define vmalloc(x)						\
-+({								\
-+	void *___retval;					\
-+	intoverflow_t ___x = (intoverflow_t)x;			\
-+	if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n"))	\
-+		___retval = NULL;				\
-+	else							\
-+		___retval = vmalloc((unsigned long)___x);	\
-+	___retval;						\
-+})
-+
-+#define __vmalloc(x, y, z)					\
-+({								\
-+	void *___retval;					\
-+	intoverflow_t ___x = (intoverflow_t)x;			\
-+	if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
-+		___retval = NULL;				\
-+	else							\
-+		___retval = __vmalloc((unsigned long)___x, (y), (z));\
-+	___retval;						\
-+})
-+
-+#define vmalloc_user(x)						\
-+({								\
-+	void *___retval;					\
-+	intoverflow_t ___x = (intoverflow_t)x;			\
-+	if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
-+		___retval = NULL;				\
-+	else							\
-+		___retval = vmalloc_user((unsigned long)___x);	\
-+	___retval;						\
-+})
-+
-+#define vmalloc_exec(x)						\
-+({								\
-+	void *___retval;					\
-+	intoverflow_t ___x = (intoverflow_t)x;			\
-+	if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
-+		___retval = NULL;				\
-+	else							\
-+		___retval = vmalloc_exec((unsigned long)___x);	\
-+	___retval;						\
-+})
-+
-+#define vmalloc_node(x, y)					\
-+({								\
-+	void *___retval;					\
-+	intoverflow_t ___x = (intoverflow_t)x;			\
-+	if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
-+		___retval = NULL;				\
-+	else							\
-+		___retval = vmalloc_node((unsigned long)___x, (y));\
-+	___retval;						\
-+})
-+
-+#define vmalloc_32(x)						\
-+({								\
-+	void *___retval;					\
-+	intoverflow_t ___x = (intoverflow_t)x;			\
-+	if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
-+		___retval = NULL;				\
-+	else							\
-+		___retval = vmalloc_32((unsigned long)___x);	\
-+	___retval;						\
-+})
-+
-+#define vmalloc_32_user(x)					\
-+({								\
-+	void *___retval;					\
-+	intoverflow_t ___x = (intoverflow_t)x;			\
-+	if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
-+		___retval = NULL;				\
-+	else							\
-+		___retval = vmalloc_32_user((unsigned long)___x);\
-+	___retval;						\
-+})
-+
- #endif /* _LINUX_VMALLOC_H */
+@@ -51,13 +56,13 @@ static inline void vmalloc_init(void)
+ }
+ #endif
+ 
+-extern void *vmalloc(unsigned long size);
+-extern void *vmalloc_user(unsigned long size);
+-extern void *vmalloc_node(unsigned long size, int node);
+-extern void *vmalloc_exec(unsigned long size);
+-extern void *vmalloc_32(unsigned long size);
+-extern void *vmalloc_32_user(unsigned long size);
+-extern void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot);
++extern void *vmalloc(unsigned long size) __size_overflow(1);
++extern void *vmalloc_user(unsigned long size) __size_overflow(1);
++extern void *vmalloc_node(unsigned long size, int node) __size_overflow(1);
++extern void *vmalloc_exec(unsigned long size) __size_overflow(1);
++extern void *vmalloc_32(unsigned long size) __size_overflow(1);
++extern void *vmalloc_32_user(unsigned long size) __size_overflow(1);
++extern void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot) __size_overflow(1);
+ extern void *__vmalloc_area(struct vm_struct *area, gfp_t gfp_mask,
+ 				pgprot_t prot);
+ extern void vfree(const void *addr);
+@@ -106,8 +111,8 @@ extern struct vm_struct *alloc_vm_area(size_t size);
+ extern void free_vm_area(struct vm_struct *area);
+ 
+ /* for /dev/kmem */
+-extern long vread(char *buf, char *addr, unsigned long count);
+-extern long vwrite(char *buf, char *addr, unsigned long count);
++extern long vread(char *buf, char *addr, unsigned long count) __size_overflow(3);
++extern long vwrite(char *buf, char *addr, unsigned long count) __size_overflow(3);
+ 
+ /*
+  *	Internals.  Dont't use..
 diff --git a/include/linux/vmstat.h b/include/linux/vmstat.h
 index 13070d6..aa4159a 100644
 --- a/include/linux/vmstat.h
@@ -94851,19 +95522,6 @@ index 9ecd6e8..12c94c1 100644
  	WARN_ON(release == (void (*)(struct kref *))kfree);
  
  	if (atomic_dec_and_test(&kref->refcount)) {
-diff --git a/lib/parser.c b/lib/parser.c
-index b00d020..1b34325 100644
---- a/lib/parser.c
-+++ b/lib/parser.c
-@@ -126,7 +126,7 @@ static int match_number(substring_t *s, int *result, int base)
- 	char *buf;
- 	int ret;
- 
--	buf = kmalloc(s->to - s->from + 1, GFP_KERNEL);
-+	buf = kmalloc((s->to - s->from) + 1, GFP_KERNEL);
- 	if (!buf)
- 		return -ENOMEM;
- 	memcpy(buf, s->from, s->to - s->from);
 diff --git a/lib/radix-tree.c b/lib/radix-tree.c
 index 92cdd99..a8149d7 100644
 --- a/lib/radix-tree.c
@@ -95015,10 +95673,10 @@ index 2c19c0b..f3c3f83 100644
  	  This is the portion of low virtual memory which should be protected
  	  from userspace allocation.  Keeping a user from writing to low pages
 diff --git a/mm/backing-dev.c b/mm/backing-dev.c
-index 67a33a5..094dcf1 100644
+index d824401..9f5244a 100644
 --- a/mm/backing-dev.c
 +++ b/mm/backing-dev.c
-@@ -272,7 +272,7 @@ static void bdi_task_init(struct backing_dev_info *bdi,
+@@ -271,7 +271,7 @@ static void bdi_task_init(struct backing_dev_info *bdi,
  	list_add_tail_rcu(&wb->list, &bdi->wb_list);
  	spin_unlock(&bdi->wb_lock);
  
@@ -95027,7 +95685,7 @@ index 67a33a5..094dcf1 100644
  	set_freezable();
  
  	/*
-@@ -484,7 +484,7 @@ static void bdi_add_to_pending(struct rcu_head *head)
+@@ -489,7 +489,7 @@ static void bdi_add_to_pending(struct rcu_head *head)
   * Add the default flusher task that gets created for any bdi
   * that has dirty data pending writeout
   */
@@ -98820,7 +99478,7 @@ index e48b493..24a601d 100644
  	mm->unmap_area = arch_unmap_area;
  }
 diff --git a/mm/vmalloc.c b/mm/vmalloc.c
-index f34ffd0..e60c44f 100644
+index f34ffd0..90d7407 100644
 --- a/mm/vmalloc.c
 +++ b/mm/vmalloc.c
 @@ -40,8 +40,19 @@ static void vunmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end)
@@ -98990,44 +99648,11 @@ index f34ffd0..e60c44f 100644
  	area = __get_vm_area_node(size, align, VM_ALLOC | VM_UNLIST,
  				  VMALLOC_START, VMALLOC_END, node,
  				  gfp_mask, caller);
-@@ -1619,6 +1684,7 @@ static void *__vmalloc_node(unsigned long size, unsigned long align,
- 	return addr;
- }
- 
-+#undef __vmalloc
- void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
- {
- 	return __vmalloc_node(size, 1, gfp_mask, prot, -1,
-@@ -1635,6 +1701,7 @@ EXPORT_SYMBOL(__vmalloc);
-  *	For tight control over page level allocator and protection flags
-  *	use __vmalloc() instead.
-  */
-+#undef vmalloc
- void *vmalloc(unsigned long size)
- {
- 	return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
-@@ -1649,6 +1716,7 @@ EXPORT_SYMBOL(vmalloc);
-  * The resulting memory area is zeroed so it can be mapped to userspace
-  * without leaking data.
-  */
-+#undef vmalloc_user
- void *vmalloc_user(unsigned long size)
- {
- 	struct vm_struct *area;
-@@ -1676,6 +1744,7 @@ EXPORT_SYMBOL(vmalloc_user);
-  *	For tight control over page level allocator and protection flags
-  *	use __vmalloc() instead.
-  */
-+#undef vmalloc_node
- void *vmalloc_node(unsigned long size, int node)
- {
- 	return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
-@@ -1698,10 +1767,10 @@ EXPORT_SYMBOL(vmalloc_node);
+@@ -1698,10 +1763,9 @@ EXPORT_SYMBOL(vmalloc_node);
   *	For tight control over page level allocator and protection flags
   *	use __vmalloc() instead.
   */
 -
-+#undef vmalloc_exec
  void *vmalloc_exec(unsigned long size)
  {
 -	return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
@@ -99035,23 +99660,7 @@ index f34ffd0..e60c44f 100644
  			      -1, __builtin_return_address(0));
  }
  
-@@ -1720,6 +1789,7 @@ void *vmalloc_exec(unsigned long size)
-  *	Allocate enough 32bit PA addressable pages to cover @size from the
-  *	page level allocator and map them into contiguous kernel virtual space.
-  */
-+#undef vmalloc_32
- void *vmalloc_32(unsigned long size)
- {
- 	return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
-@@ -1734,6 +1804,7 @@ EXPORT_SYMBOL(vmalloc_32);
-  * The resulting memory area is 32bit addressable and zeroed so it can be
-  * mapped to userspace without leaking data.
-  */
-+#undef vmalloc_32_user
- void *vmalloc_32_user(unsigned long size)
- {
- 	struct vm_struct *area;
-@@ -1998,6 +2069,8 @@ int remap_vmalloc_range(struct vm_area_struct *vma, void *addr,
+@@ -1998,6 +2062,8 @@ int remap_vmalloc_range(struct vm_area_struct *vma, void *addr,
  	unsigned long uaddr = vma->vm_start;
  	unsigned long usize = vma->vm_end - vma->vm_start;
  
@@ -99931,7 +100540,7 @@ index f8d04c2..c1188f2 100644
  	return res;
  }
 diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
-index c8b0cc3..4da5ae2 100644
+index c8b0cc3..05e4007 100644
 --- a/net/ipv4/netfilter/arp_tables.c
 +++ b/net/ipv4/netfilter/arp_tables.c
 @@ -934,6 +934,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
@@ -99942,6 +100551,27 @@ index c8b0cc3..4da5ae2 100644
  		info.valid_hooks = t->valid_hooks;
  		memcpy(info.hook_entry, private->hook_entry,
  		       sizeof(info.hook_entry));
+@@ -1003,6 +1004,11 @@ static int __do_replace(struct net *net, const char *name,
+ 			unsigned int valid_hooks,
+ 			struct xt_table_info *newinfo,
+ 			unsigned int num_counters,
++			void __user *counters_ptr) __size_overflow(5);
++static int __do_replace(struct net *net, const char *name,
++			unsigned int valid_hooks,
++			struct xt_table_info *newinfo,
++			unsigned int num_counters,
+ 			void __user *counters_ptr)
+ {
+ 	int ret;
+@@ -1135,6 +1141,8 @@ add_counter_to_entry(struct arpt_entry *e,
+ }
+ 
+ static int do_add_counters(struct net *net, void __user *user, unsigned int len,
++			   int compat) __size_overflow(3);
++static int do_add_counters(struct net *net, void __user *user, unsigned int len,
+ 			   int compat)
+ {
+ 	unsigned int i, curcpu;
 diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
 index c156db2..e772975 100644
 --- a/net/ipv4/netfilter/ip_queue.c
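Review bot: The indices in `__size_overflow(5)` on `__do_replace` and `__size_overflow(3)` on `do_add_counters` are bare positional numbers with no comment saying which argument they name, and they live on a duplicated prototype placed directly above each definition. Today index 5 is `num_counters` and index 3 is `len`, but adding or reordering a parameter would silently move the attribute to a different argument (index 6 of `__do_replace` is the `__user` pointer), and the copy of the prototype can drift from the definition. I would add a one-line comment on each prototype, e.g. `/* size_overflow: arg 5 = num_counters (presumably sizes the counters allocation) */`. The same pattern is repeated in the ip_tables.c and ip6_tables.c hunks further down; both function bodies continue outside the hunk, so the allocation sites are not visible here.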
@@ -99967,7 +100597,7 @@ index c156db2..e772975 100644
  
  	skblen = skb->len;
 diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
-index 0606db1..02e7e4c 100644
+index 0606db1..918b88a 100644
 --- a/net/ipv4/netfilter/ip_tables.c
 +++ b/net/ipv4/netfilter/ip_tables.c
 @@ -1141,6 +1141,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
@@ -99978,19 +100608,41 @@ index 0606db1..02e7e4c 100644
  		info.valid_hooks = t->valid_hooks;
  		memcpy(info.hook_entry, private->hook_entry,
  		       sizeof(info.hook_entry));
+@@ -1208,6 +1209,10 @@ get_entries(struct net *net, struct ipt_get_entries __user *uptr, int *len)
+ static int
+ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
+ 	     struct xt_table_info *newinfo, unsigned int num_counters,
++	     void __user *counters_ptr) __size_overflow(5);
++static int
++__do_replace(struct net *net, const char *name, unsigned int valid_hooks,
++	     struct xt_table_info *newinfo, unsigned int num_counters,
+ 	     void __user *counters_ptr)
+ {
+ 	int ret;
+@@ -1339,6 +1344,8 @@ add_counter_to_entry(struct ipt_entry *e,
+ }
+ 
+ static int
++do_add_counters(struct net *net, void __user *user, unsigned int len, int compat) __size_overflow(3);
++static int
+ do_add_counters(struct net *net, void __user *user, unsigned int len, int compat)
+ {
+ 	unsigned int i, curcpu;
 diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
-index d9521f6..3c3eb25 100644
+index d9521f6..127fa44 100644
 --- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
 +++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
-@@ -397,7 +397,7 @@ static unsigned char asn1_octets_decode(struct asn1_ctx *ctx,
- 
- 	*len = 0;
- 
--	*octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
-+	*octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
- 	if (*octets == NULL) {
- 		if (net_ratelimit())
- 			printk("OOM in bsalg (%d)\n", __LINE__);
+@@ -436,6 +436,10 @@ static unsigned char asn1_subid_decode(struct asn1_ctx *ctx,
+ static unsigned char asn1_oid_decode(struct asn1_ctx *ctx,
+ 				     unsigned char *eoc,
+ 				     unsigned long **oid,
++				     unsigned int *len) __size_overflow(2);
++static unsigned char asn1_oid_decode(struct asn1_ctx *ctx,
++				     unsigned char *eoc,
++				     unsigned long **oid,
+ 				     unsigned int *len)
+ {
+ 	unsigned long subid;
 diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
 index ab996f9..3da5f96 100644
 --- a/net/ipv4/raw.c
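Review bot: `__size_overflow(2)` on `asn1_oid_decode` selects `unsigned char *eoc`, which is a pointer rather than an integer size, and nothing in the prototype explains why. Presumably the allocation in the body is sized from `eoc - ctx->pointer` (the body is outside this hunk, so that needs confirming), in which case the prototype should say so, e.g. `/* size_overflow: arg 2 (eoc) bounds the oid allocation via eoc - ctx->pointer */`. This hunk also drops the explicit change to the `kmalloc(eoc - ctx->pointer, ...)` call in `asn1_octets_decode`, leaving that function covered only by its `.param2` entry in size_overflow_hash1.h. It is worth checking that the plugin instruments pointer-typed parameters as intended, so that the length computed from untrusted SNMP payload bounds is still checked.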
@@ -100500,7 +101152,7 @@ index 1cf3f0c..1d4376f 100644
  
  	skblen = skb->len;
 diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
-index 78b5a36..7f37433 100644
+index 78b5a36..2b9bb06 100644
 --- a/net/ipv6/netfilter/ip6_tables.c
 +++ b/net/ipv6/netfilter/ip6_tables.c
 @@ -1173,6 +1173,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
@@ -100511,6 +101163,27 @@ index 78b5a36..7f37433 100644
  		info.valid_hooks = t->valid_hooks;
  		memcpy(info.hook_entry, private->hook_entry,
  		       sizeof(info.hook_entry));
+@@ -1240,6 +1241,10 @@ get_entries(struct net *net, struct ip6t_get_entries __user *uptr, int *len)
+ static int
+ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
+ 	     struct xt_table_info *newinfo, unsigned int num_counters,
++	     void __user *counters_ptr) __size_overflow(5);
++static int
++__do_replace(struct net *net, const char *name, unsigned int valid_hooks,
++	     struct xt_table_info *newinfo, unsigned int num_counters,
+ 	     void __user *counters_ptr)
+ {
+ 	int ret;
+@@ -1373,6 +1378,9 @@ add_counter_to_entry(struct ip6t_entry *e,
+ 
+ static int
+ do_add_counters(struct net *net, void __user *user, unsigned int len,
++		int compat) __size_overflow(3);
++static int
++do_add_counters(struct net *net, void __user *user, unsigned int len,
+ 		int compat)
+ {
+ 	unsigned int i, curcpu;
 diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
 index 4f24570..b813b34 100644
 --- a/net/ipv6/raw.c
@@ -103230,10 +103903,10 @@ index d52f7a0..269eb1b 100755
  		rm -f tags
  		xtags ctags
 diff --git a/security/Kconfig b/security/Kconfig
-index fb363cd..90fc8f4 100644
+index fb363cd..a9d08e5 100644
 --- a/security/Kconfig
 +++ b/security/Kconfig
-@@ -4,6 +4,626 @@
+@@ -4,6 +4,638 @@
  
  menu "Security options"
  
@@ -103325,7 +103998,6 @@ index fb363cd..90fc8f4 100644
 +
 +config PAX_XATTR_PAX_FLAGS
 +	bool 'Use filesystem extended attributes marking'
-+	depends on EXPERT
 +	select CIFS_XATTR if CIFS
 +	select EXT2_FS_XATTR if EXT2_FS
 +	select EXT3_FS_XATTR if EXT3_FS
@@ -103853,6 +104525,19 @@ index fb363cd..90fc8f4 100644
 +	  Since this has a negligible performance impact, you should enable
 +	  this feature.
 +
++config PAX_SIZE_OVERFLOW
++	bool "Prevent various integer overflows in function size parameters"
++	help
++	  By saying Y here the kernel recomputes expressions of function
++	  arguments marked by a size_overflow attribute with double integer
++	  precision (DImode/TImode for 32/64 bit integer types).
++
++	  The recomputed argument is checked against INT_MAX and an event
++	  is logged on overflow and the triggering process is killed.
++
++	  Homepage:
++	  http://www.grsecurity.net/~ephox/overflow_plugin/
++
 +endmenu
 +
 +endmenu
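Review bot: `config PAX_SIZE_OVERFLOW` has no `depends on` line and its help text does not mention that the feature is implemented by a GCC plugin, although tools/gcc/Makefile in this same patch builds `size_overflow_plugin.so` for it. Whether the build fails or silently produces an uninstrumented kernel when the compiler lacks plugin support cannot be told from this hunk, so the prerequisite should at least be stated in the help, e.g. `Note that the implementation requires a gcc with plugin support.` The help also says the triggering process is killed on overflow, but gives no hint that a false positive in an annotated function has the same effect. One more sentence such as `A false positive kills the process that reached the check, so test your workloads before deploying.` would let an administrator weigh the availability risk.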
@@ -103860,7 +104545,7 @@ index fb363cd..90fc8f4 100644
  config KEYS
  	bool "Enable access key retention support"
  	help
-@@ -146,7 +766,7 @@ config INTEL_TXT
+@@ -146,7 +778,7 @@ config INTEL_TXT
  config LSM_MMAP_MIN_ADDR
  	int "Low address space for LSM to protect from user allocation"
  	depends on SECURITY && SECURITY_SELINUX
@@ -105141,10 +105826,10 @@ index 79633ea..9732e90 100644
  	}
 diff --git a/tools/gcc/Makefile b/tools/gcc/Makefile
 new file mode 100644
-index 0000000..894c8bf
+index 0000000..ca64170
 --- /dev/null
 +++ b/tools/gcc/Makefile
-@@ -0,0 +1,23 @@
+@@ -0,0 +1,26 @@
 +#CC := gcc
 +#PLUGIN_SOURCE_FILES := pax_plugin.c
 +#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES))
@@ -105152,6 +105837,7 @@ index 0000000..894c8bf
 +#CFLAGS += -I$(GCCPLUGINS_DIR)/include -fPIC -O2 -Wall -W -std=gnu99
 +
 +HOST_EXTRACFLAGS += -I$(GCCPLUGINS_DIR)/include -I$(GCCPLUGINS_DIR)/include/c-family -std=gnu99 -ggdb
++CFLAGS_size_overflow_plugin.o := -Wno-missing-initializer
 +
 +hostlibs-y := constify_plugin.so
 +hostlibs-$(CONFIG_PAX_MEMORY_STACKLEAK) += stackleak_plugin.so
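Review bot: `CFLAGS_size_overflow_plugin.o := -Wno-missing-initializer` most likely has no effect on the plugin build. The plugins are built as host objects through `hostlibs-y`, and as far as kbuild's host rules go, per-object flags for those come from `HOSTCFLAGS_<object>.o` rather than `CFLAGS_<object>.o`. The GCC warning is also spelled `-Wmissing-field-initializers`, and GCC stays silent about an unrecognised `-Wno-` option unless another diagnostic is emitted, so the misspelling goes unnoticed. If the intent is to quiet the sparse designated initialisers of the hash tables, the line would read `HOSTCFLAGS_size_overflow_plugin.o := -Wno-missing-field-initializers`. The Makefile's own hunk starts before this one.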
@@ -105159,6 +105845,7 @@ index 0000000..894c8bf
 +hostlibs-$(CONFIG_PAX_KERNEXEC_PLUGIN) += kernexec_plugin.so
 +hostlibs-$(CONFIG_CHECKER_PLUGIN) += checker_plugin.so
 +hostlibs-y += colorize_plugin.so
++hostlibs-$(CONFIG_PAX_SIZE_OVERFLOW) += size_overflow_plugin.so
 +
 +always := $(hostlibs-y)
 +
@@ -105168,6 +105855,7 @@ index 0000000..894c8bf
 +kernexec_plugin-objs := kernexec_plugin.o
 +checker_plugin-objs := checker_plugin.o
 +colorize_plugin-objs := colorize_plugin.o
++size_overflow_plugin-objs := size_overflow_plugin.o
 diff --git a/tools/gcc/checker_plugin.c b/tools/gcc/checker_plugin.c
 new file mode 100644
 index 0000000..d41b5af
@@ -106413,12 +107101,2141 @@ index 0000000..008f159
 +
 +	return 0;
 +}
+diff --git a/tools/gcc/size_overflow_hash1.h b/tools/gcc/size_overflow_hash1.h
+new file mode 100644
+index 0000000..5b08f5c
+--- /dev/null
++++ b/tools/gcc/size_overflow_hash1.h
+@@ -0,0 +1,1055 @@
++struct size_overflow_hash size_overflow_hash1[65536] = {
++	[10167].file	= "sound/core/oss/pcm_plugin.c",
++	[10167].name	= "snd_pcm_plugin_build",
++	[10167].param5	= 1,
++	[1022].file	= "sound/pci/rme9652/rme9652.c",
++	[1022].name	= "snd_rme9652_playback_copy",
++	[1022].param5	= 1,
++	[10341].file	= "fs/nfsd/nfs4xdr.c",
++	[10341].name	= "read_buf",
++	[10341].param2	= 1,
++	[10496].file	= "drivers/bluetooth/hci_vhci.c",
++	[10496].name	= "vhci_read",
++	[10496].param3	= 1,
++	[10623].file	= "drivers/infiniband/core/user_mad.c",
++	[10623].name	= "ib_umad_write",
++	[10623].param3	= 1,
++	[10674].file	= "drivers/mtd/mtdchar.c",
++	[10674].name	= "mtd_do_writeoob",
++	[10674].param4	= 1,
++	[10773].file	= "drivers/input/mousedev.c",
++	[10773].name	= "mousedev_read",
++	[10773].param3	= 1,
++	[10776].file	= "drivers/media/video/gspca/t613.c",
++	[10776].name	= "reg_w_buf",
++	[10776].param3	= 1,
++	[10919].file	= "net/ipv4/netfilter/arp_tables.c",
++	[10919].name	= "do_arpt_set_ctl",
++	[10919].param4	= 1,
++	[11054].file	= "drivers/net/wireless/libertas/debugfs.c",
++	[11054].name	= "lbs_wrmac_write",
++	[11054].param3	= 1,
++	[11068].file	= "drivers/net/wireless/libertas/debugfs.c",
++	[11068].name	= "lbs_wrrf_write",
++	[11068].param3	= 1,
++	[11385].file	= "net/tipc/socket.c",
++	[11385].name	= "recv_msg",
++	[11385].param4	= 1,
++	[11402].file	= "drivers/net/wireless/libertas/debugfs.c",
++	[11402].name	= "lbs_threshold_write",
++	[11402].param5	= 1,
++	[11494].file	= "drivers/video/via/viafbdev.c",
++	[11494].name	= "viafb_dvp1_proc_write",
++	[11494].param3	= 1,
++	[11699].file	= "drivers/net/vxge/vxge-config.h",
++	[11699].name	= "vxge_os_dma_malloc",
++	[11699].param2	= 1,
++	[11986].file	= "drivers/net/usb/asix.c",
++	[11986].name	= "asix_read_cmd",
++	[11986].param5	= 1,
++	[12205].file	= "fs/reiserfs/journal.c",
++	[12205].name	= "reiserfs_allocate_list_bitmaps",
++	[12205].param3	= 1,
++	[1248].file	= "kernel/kprobes.c",
++	[1248].name	= "write_enabled_file_bool",
++	[1248].param3	= 1,
++	[12591].file	= "sound/core/pcm_lib.c",
++	[12591].name	= "snd_pcm_lib_writev_transfer",
++	[12591].param5	= 1,
++	[12755].file	= "sound/drivers/opl4/opl4_proc.c",
++	[12755].name	= "snd_opl4_mem_proc_read",
++	[12755].param5	= 1,
++	[12833].file	= "net/sctp/auth.c",
++	[12833].name	= "sctp_auth_create_key",
++	[12833].param1	= 1,
++	[12954].file	= "fs/proc/base.c",
++	[12954].name	= "oom_adjust_write",
++	[12954].param3	= 1,
++	[13121].file	= "net/ipv4/ip_sockglue.c",
++	[13121].name	= "do_ip_setsockopt",
++	[13121].param5	= 1,
++	[13863].file	= "drivers/net/wireless/iwlwifi/iwl-agn-rs.c",
++	[13863].name	= "rs_sta_dbgfs_scale_table_write",
++	[13863].param3	= 1,
++	[13924].file	= "net/ipv4/netfilter/ip_tables.c",
++	[13924].name	= "do_ipt_set_ctl",
++	[13924].param4	= 1,
++	[14019].file	= "fs/cifs/dns_resolve.c",
++	[14019].name	= "dns_resolver_instantiate",
++	[14019].param3	= 1,
++	[14025].file	= "net/ax25/af_ax25.c",
++	[14025].name	= "ax25_setsockopt",
++	[14025].param5	= 1,
++	[14031].file	= "drivers/net/wireless/ath/ath5k/debug.c",
++	[14031].name	= "write_file_beacon",
++	[14031].param3	= 1,
++	[14090].file	= "drivers/bluetooth/btmrvl_debugfs.c",
++	[14090].name	= "btmrvl_hsmode_write",
++	[14090].param3	= 1,
++	[14174].file	= "sound/pci/es1938.c",
++	[14174].name	= "snd_es1938_capture_copy",
++	[14174].param5	= 1,
++	[14299].file	= "sound/core/oss/pcm_plugin.c",
++	[14299].name	= "snd_pcm_plugin_alloc",
++	[14299].param2	= 1,
++	[14345].file	= "fs/cachefiles/daemon.c",
++	[14345].name	= "cachefiles_daemon_write",
++	[14345].param3	= 1,
++	[14347].file	= "drivers/media/dvb/dvb-core/dvb_ca_en50221.c",
++	[14347].name	= "dvb_ca_en50221_io_write",
++	[14347].param3	= 1,
++	[15071].file	= "drivers/net/wireless/ipw2x00/libipw_module.c",
++	[15071].name	= "store_debug_level",
++	[15071].param3	= 1,
++	[15112].file	= "drivers/xen/evtchn.c",
++	[15112].name	= "evtchn_write",
++	[15112].param3	= 1,
++	[15274].file	= "crypto/shash.c",
++	[15274].name	= "crypto_shash_setkey",
++	[15274].param3	= 1,
++	[15319].file	= "net/netfilter/xt_recent.c",
++	[15319].name	= "recent_old_proc_write",
++	[15319].param3	= 1,
++	[15891].file	= "drivers/media/video/videobuf-dma-sg.c",
++	[15891].name	= "__videobuf_alloc",
++	[15891].param1	= 1,
++	[1603].file	= "fs/debugfs/file.c",
++	[1603].name	= "write_file_bool",
++	[1603].param3	= 1,
++	[16073].file	= "net/sctp/socket.c",
++	[16073].name	= "sctp_setsockopt",
++	[16073].param5	= 1,
++	[16166].file	= "drivers/platform/x86/thinkpad_acpi.c",
++	[16166].name	= "dispatch_proc_write",
++	[16166].param3	= 1,
++	[16344].file	= "lib/scatterlist.c",
++	[16344].name	= "sg_kmalloc",
++	[16344].param1	= 1,
++	[16605].file	= "fs/ecryptfs/miscdev.c",
++	[16605].name	= "ecryptfs_send_miscdev",
++	[16605].param2	= 1,
++	[16606].file	= "drivers/ide/ide-tape.c",
++	[16606].name	= "idetape_chrdev_write",
++	[16606].param3	= 1,
++	[16758].file	= "drivers/net/usb/pegasus.c",
++	[16758].name	= "set_registers",
++	[16758].param3	= 1,
++	[16911].file	= "drivers/media/dvb/ttpci/av7110_hw.c",
++	[16911].name	= "LoadBitmap",
++	[16911].param2	= 1,
++	[17139].file	= "fs/ubifs/xattr.c",
++	[17139].name	= "ubifs_setxattr",
++	[17139].param4	= 1,
++	[17170].file	= "drivers/media/video/zc0301/zc0301_core.c",
++	[17170].name	= "zc0301_read",
++	[17170].param3	= 1,
++	[17224].file	= "drivers/media/video/w9968cf.c",
++	[17224].name	= "w9968cf_read",
++	[17224].param3	= 1,
++	[17377].file	= "drivers/usb/class/cdc-wdm.c",
++	[17377].name	= "wdm_write",
++	[17377].param3	= 1,
++	[17460].file	= "fs/nfsd/nfscache.c",
++	[17460].name	= "nfsd_cache_update",
++	[17460].param3	= 1,
++	[17492].file	= "net/dccp/proto.c",
++	[17492].name	= "do_dccp_setsockopt",
++	[17492].param5	= 1,
++	[17828].file	= "kernel/sched.c",
++	[17828].name	= "sched_feat_write",
++	[17828].param3	= 1,
++	[1800].file	= "drivers/media/dvb/dvb-core/dmxdev.c",
++	[1800].name	= "dvb_dvr_do_ioctl",
++	[1800].param4	= 1,
++	[18224].file	= "drivers/xen/grant-table.c",
++	[18224].name	= "gnttab_map",
++	[18224].param2	= 1,
++	[18232].file	= "fs/nfs/write.c",
++	[18232].name	= "nfs_writedata_alloc",
++	[18232].param1	= 1,
++	[18303].file	= "fs/xattr.c",
++	[18303].name	= "getxattr",
++	[18303].param4	= 1,
++	[18313].file	= "drivers/platform/x86/toshiba_acpi.c",
++	[18313].name	= "dispatch_write",
++	[18313].param3	= 1,
++	[18353].file	= "net/rfkill/core.c",
++	[18353].name	= "rfkill_fop_read",
++	[18353].param3	= 1,
++	[183].file	= "crypto/ahash.c",
++	[183].name	= "crypto_ahash_setkey",
++	[183].param3	= 1,
++	[1858].file	= "net/ipv6/netfilter/ip6_tables.c",
++	[1858].name	= "do_ip6t_set_ctl",
++	[1858].param4	= 1,
++	[18592].file	= "drivers/base/platform.c",
++	[18592].name	= "platform_device_add_resources",
++	[18592].param3	= 1,
++	[19012].file	= "drivers/acpi/event.c",
++	[19012].name	= "acpi_system_read_event",
++	[19012].param3	= 1,
++	[19261].file	= "net/netlabel/netlabel_domainhash.c",
++	[19261].name	= "netlbl_domhsh_init",
++	[19261].param1	= 1,
++	[19288].file	= "net/ipv6/raw.c",
++	[19288].name	= "rawv6_setsockopt",
++	[19288].param5	= 1,
++	[19504].file	= "drivers/usb/serial/garmin_gps.c",
++	[19504].name	= "pkt_add",
++	[19504].param3	= 1,
++	[19511].file	= "drivers/scsi/cxgb3i/cxgb3i_ddp.c",
++	[19511].name	= "cxgb3i_ddp_make_gl",
++	[19511].param1	= 1,
++	[19738].file	= "fs/sysfs/file.c",
++	[19738].name	= "sysfs_write_file",
++	[19738].param3	= 1,
++	[19909].file	= "drivers/net/wireless/libertas/debugfs.c",
++	[19909].name	= "lbs_sleepparams_write",
++	[19909].param3	= 1,
++	[19960].file	= "drivers/usb/class/usblp.c",
++	[19960].name	= "usblp_read",
++	[19960].param3	= 1,
++	[20023].file	= "drivers/media/video/gspca/gspca.c",
++	[20023].name	= "dev_read",
++	[20023].param3	= 1,
++	[20113].file	= "drivers/net/wireless/libertas/debugfs.c",
++	[20113].name	= "lbs_rdmac_write",
++	[20113].param3	= 1,
++	[20123].file	= "drivers/ieee1394/csr1212.h",
++	[20123].name	= "csr1212_rom_cache_malloc",
++	[20123].param2	= 1,
++	[20314].file	= "drivers/gpu/drm/drm_hashtab.c",
++	[20314].name	= "drm_ht_create",
++	[20314].param2	= 1,
++	[20611].file	= "net/netfilter/x_tables.c",
++	[20611].name	= "xt_alloc_table_info",
++	[20611].param1	= 1,
++	[20951].file	= "crypto/rng.c",
++	[20951].name	= "rngapi_reset",
++	[20951].param3	= 1,
++	[21134].file	= "drivers/video/via/viafbdev.c",
++	[21134].name	= "viafb_dfph_proc_write",
++	[21134].param3	= 1,
++	[21277].file	= "drivers/usb/storage/shuttle_usbat.c",
++	[21277].name	= "usbat_flash_write_data",
++	[21277].param4	= 1,
++	[21312].file	= "lib/ts_kmp.c",
++	[21312].name	= "kmp_init",
++	[21312].param2	= 1,
++	[21397].file	= "net/core/sock.c",
++	[21397].name	= "sock_setsockopt",
++	[21397].param5	= 1,
++	[21451].file	= "net/netfilter/ipvs/ip_vs_ctl.c",
++	[21451].name	= "do_ip_vs_set_ctl",
++	[21451].param4	= 1,
++	[21538].file	= "net/bluetooth/l2cap.c",
++	[21538].name	= "l2cap_sock_setsockopt",
++	[21538].param5	= 1,
++	[21608].file	= "drivers/char/tpm/tpm.c",
++	[21608].name	= "tpm_write",
++	[21608].param3	= 1,
++	[2180].file	= "drivers/char/ppdev.c",
++	[2180].name	= "pp_write",
++	[2180].param3	= 1,
++	[22173].file	= "drivers/ieee1394/highlevel.c",
++	[22173].name	= "hpsb_create_hostinfo",
++	[22173].param3	= 1,
++	[22190].file	= "drivers/char/tpm/tpm.c",
++	[22190].name	= "tpm_read",
++	[22190].param3	= 1,
++	[22291].file	= "net/core/pktgen.c",
++	[22291].name	= "pgctrl_write",
++	[22291].param3	= 1,
++	[22428].file	= "ipc/ipc_sysctl.c",
++	[22428].name	= "sysctl_ipc_data",
++	[22428].param5	= 1,
++	[2243].file	= "drivers/scsi/scsi_tgt_lib.c",
++	[2243].name	= "scsi_tgt_kspace_exec",
++	[2243].param8	= 1,
++	[22546].file	= "drivers/char/pcmcia/cm4040_cs.c",
++	[22546].name	= "cm4040_read",
++	[22546].param3	= 1,
++	[23093].file	= "drivers/scsi/st.c",
++	[23093].name	= "st_read",
++	[23093].param3	= 1,
++	[2324].file	= "net/ieee802154/wpan-class.c",
++	[2324].name	= "wpan_phy_alloc",
++	[2324].param1	= 1,
++	[23535].file	= "ipc/sem.c",
++	[23535].name	= "sys_semtimedop",
++	[23535].param3	= 1,
++	[2386].file	= "drivers/acpi/acpica/exnames.c",
++	[2386].name	= "acpi_ex_allocate_name_string",
++	[2386].param2	= 1,
++	[23883].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[23883].name	= "iwl_dbgfs_interrupt_write",
++	[23883].param3	= 1,
++	[23999].file	= "sound/pci/rme9652/hdsp.c",
++	[23999].name	= "snd_hdsp_capture_copy",
++	[23999].param5	= 1,
++	[24263].file	= "kernel/cgroup.c",
++	[24263].name	= "cgroup_file_write",
++	[24263].param3	= 1,
++	[24549].file	= "drivers/infiniband/core/ucm.c",
++	[24549].name	= "ib_ucm_alloc_data",
++	[24549].param3	= 1,
++	[24719].file	= "drivers/input/evdev.c",
++	[24719].name	= "bits_to_user",
++	[24719].param2	= 1,
++	[24719].param3	= 1,
++	[24805].file	= "security/keys/user_defined.c",
++	[24805].name	= "user_update",
++	[24805].param3	= 1,
++	[25127].file	= "drivers/scsi/device_handler/scsi_dh_alua.c",
++	[25127].name	= "realloc_buffer",
++	[25127].param2	= 1,
++	[25158].file	= "drivers/net/mlx4/en_rx.c",
++	[25158].name	= "mlx4_en_create_rx_ring",
++	[25158].param3	= 1,
++	[25267].file	= "fs/configfs/file.c",
++	[25267].name	= "configfs_write_file",
++	[25267].param3	= 1,
++	[25558].file	= "fs/proc/task_mmu.c",
++	[25558].name	= "clear_refs_write",
++	[25558].param3	= 1,
++	[25884].file	= "drivers/net/wireless/zd1211rw/zd_usb.c",
++	[25884].name	= "zd_usb_ioread16v",
++	[25884].param4	= 1,
++	[26256].file	= "fs/hpfs/name.c",
++	[26256].name	= "hpfs_translate_name",
++	[26256].param3	= 1,
++	[26560].file	= "crypto/algapi.c",
++	[26560].name	= "crypto_alloc_instance2",
++	[26560].param3	= 1,
++	[26701].file	= "drivers/mtd/chips/cfi_util.c",
++	[26701].name	= "cfi_read_pri",
++	[26701].param3	= 1,
++	[26912].file	= "drivers/ieee1394/raw1394.c",
++	[26912].name	= "arm_write",
++	[26912].param6	= 1,
++	[26962].file	= "drivers/usb/class/usbtmc.c",
++	[26962].name	= "usbtmc_write",
++	[26962].param3	= 1,
++	[27004].file	= "drivers/misc/hpilo.c",
++	[27004].name	= "ilo_write",
++	[27004].param3	= 1,
++	[2711].file	= "drivers/media/dvb/dvb-core/dvb_ringbuffer.c",
++	[2711].name	= "dvb_ringbuffer_read_user",
++	[2711].param3	= 1,
++	[27129].file	= "fs/lockd/mon.c",
++	[27129].name	= "nsm_get_handle",
++	[27129].param4	= 1,
++	[27280].file	= "drivers/net/mlx4/en_tx.c",
++	[27280].name	= "mlx4_en_create_tx_ring",
++	[27280].param3	= 1,
++	[27290].file	= "security/selinux/ss/services.c",
++	[27290].name	= "security_context_to_sid_core",
++	[27290].param2	= 1,
++	[27302].file	= "fs/proc/base.c",
++	[27302].name	= "proc_loginuid_write",
++	[27302].param3	= 1,
++	[27347].file	= "drivers/net/wireless/zd1211rw/zd_usb.c",
++	[27347].name	= "zd_usb_rfwrite",
++	[27347].param3	= 1,
++	[27491].file	= "fs/proc/base.c",
++	[27491].name	= "proc_pid_attr_write",
++	[27491].param3	= 1,
++	[28092].file	= "fs/select.c",
++	[28092].name	= "do_sys_poll",
++	[28092].param2	= 1,
++	[28126].file	= "drivers/net/wireless/zd1211rw/zd_chip.c",
++	[28126].name	= "zd_ioread32v_locked",
++	[28126].param4	= 1,
++	[28370].file	= "kernel/sysctl.c",
++	[28370].name	= "sysctl_string",
++	[28370].param5	= 1,
++	[28462].file	= "net/rfkill/core.c",
++	[28462].name	= "rfkill_fop_write",
++	[28462].param3	= 1,
++	[28635].file	= "drivers/gpu/drm/drm_sman.c",
++	[28635].name	= "drm_sman_init",
++	[28635].param2	= 1,
++	[28655].file	= "drivers/infiniband/hw/mthca/mthca_allocator.c",
++	[28655].name	= "mthca_alloc_init",
++	[28655].param2	= 1,
++	[28879].file	= "drivers/base/map.c",
++	[28879].name	= "kobj_map",
++	[28879].param2	= 1,
++	[28889].file	= "drivers/char/pcmcia/cm4040_cs.c",
++	[28889].name	= "cm4040_write",
++	[28889].param3	= 1,
++	[28892].file	= "drivers/media/video/se401.c",
++	[28892].name	= "se401_read",
++	[28892].param3	= 1,
++	[29366].file	= "drivers/char/pcmcia/cm4000_cs.c",
++	[29366].name	= "cmm_read",
++	[29366].param3	= 1,
++	[29875].file	= "sound/isa/gus/gus_pcm.c",
++	[29875].name	= "snd_gf1_pcm_playback_copy",
++	[29875].param5	= 1,
++	[2995].file	= "mm/page_alloc.c",
++	[2995].name	= "alloc_large_system_hash",
++	[2995].param2	= 1,
++	[30438].file	= "mm/filemap_xip.c",
++	[30438].name	= "xip_file_read",
++	[30438].param3	= 1,
++	[30449].file	= "drivers/telephony/ixj.c",
++	[30449].name	= "ixj_read",
++	[30449].param3	= 1,
++	[30494].file	= "fs/nilfs2/ioctl.c",
++	[30494].name	= "nilfs_ioctl_wrap_copy",
++	[30494].param4	= 1,
++	[31348].file	= "kernel/sched.c",
++	[31348].name	= "sys_sched_getaffinity",
++	[31348].param2	= 1,
++	[31465].file	= "net/rds/message.c",
++	[31465].name	= "rds_message_map_pages",
++	[31465].param2	= 1,
++	[31492].file	= "drivers/hid/hidraw.c",
++	[31492].name	= "hidraw_read",
++	[31492].param3	= 1,
++	[3170].file	= "security/integrity/ima/ima_fs.c",
++	[3170].name	= "ima_write_policy",
++	[3170].param3	= 1,
++	[31730].file	= "net/dccp/proto.c",
++	[31730].name	= "dccp_setsockopt",
++	[31730].param5	= 1,
++	[31789].file	= "fs/file.c",
++	[31789].name	= "alloc_fdmem",
++	[31789].param1	= 1,
++	[31957].file	= "fs/afs/proc.c",
++	[31957].name	= "afs_proc_cells_write",
++	[31957].param3	= 1,
++	[32326].file	= "drivers/char/n_r3964.c",
++	[32326].name	= "r3964_write",
++	[32326].param4	= 1,
++	[32950].file	= "fs/reiserfs/resize.c",
++	[32950].name	= "reiserfs_resize",
++	[32950].param2	= 1,
++	[33256].file	= "drivers/ieee1394/raw1394.c",
++	[33256].name	= "arm_read",
++	[33256].param5	= 1,
++	[33637].file	= "net/9p/client.c",
++	[33637].name	= "p9_client_read",
++	[33637].param5	= 1,
++	[33669].file	= "fs/gfs2/glock.c",
++	[33669].name	= "gfs2_glock_nq_m",
++	[33669].param1	= 1,
++	[3384].file	= "drivers/block/paride/pg.c",
++	[3384].name	= "pg_write",
++	[3384].param3	= 1,
++	[34105].file	= "fs/libfs.c",
++	[34105].name	= "simple_read_from_buffer",
++	[34105].param5	= 1,
++	[34120].file	= "drivers/media/video/pvrusb2/pvrusb2-io.c",
++	[34120].name	= "pvr2_stream_buffer_count",
++	[34120].param2	= 1,
++	[34672].file	= "drivers/char/tty_io.c",
++	[34672].name	= "tty_write",
++	[34672].param3	= 1,
++	[34863].file	= "drivers/video/fbsysfs.c",
++	[34863].name	= "framebuffer_alloc",
++	[34863].param1	= 1,
++	[34988].file	= "drivers/net/wireless/libertas/debugfs.c",
++	[34988].name	= "lbs_rdrf_write",
++	[34988].param3	= 1,
++	[35007].file	= "drivers/usb/mon/mon_bin.c",
++	[35007].name	= "mon_bin_read",
++	[35007].param3	= 1,
++	[35050].file	= "fs/ocfs2/dlm/dlmfs.c",
++	[35050].name	= "dlmfs_file_write",
++	[35050].param3	= 1,
++	[35176].file	= "drivers/usb/misc/ldusb.c",
++	[35176].name	= "ld_usb_write",
++	[35176].param3	= 1,
++	[35268].file	= "security/keys/request_key_auth.c",
++	[35268].name	= "request_key_auth_read",
++	[35268].param3	= 1,
++	[35731].file	= "drivers/usb/class/cdc-wdm.c",
++	[35731].name	= "wdm_read",
++	[35731].param3	= 1,
++	[36284].file	= "drivers/spi/spi.c",
++	[36284].name	= "spi_register_board_info",
++	[36284].param2	= 1,
++	[3632].file	= "drivers/firewire/core-cdev.c",
++	[3632].name	= "fw_device_op_read",
++	[3632].param3	= 1,
++	[36807].file	= "drivers/usb/mon/mon_bin.c",
++	[36807].name	= "mon_bin_get_event",
++	[36807].param4	= 1,
++	[36822].file	= "kernel/sysctl.c",
++	[36822].name	= "sysctl_data",
++	[36822].param5	= 1,
++	[36981].file	= "drivers/video/via/viafbdev.c",
++	[36981].name	= "viafb_dfpl_proc_write",
++	[36981].param3	= 1,
++	[37204].file	= "drivers/isdn/hardware/eicon/divasi.c",
++	[37204].name	= "um_idi_read",
++	[37204].param3	= 1,
++	[37233].file	= "fs/ocfs2/cluster/tcp.c",
++	[37233].name	= "o2net_send_message_vec",
++	[37233].param4	= 1,
++	[37309].file	= "drivers/mtd/mtdchar.c",
++	[37309].name	= "mtd_do_readoob",
++	[37309].param3	= 1,
++	[37594].file	= "include/linux/poll.h",
++	[37594].name	= "get_fd_set",
++	[37594].param1	= 1,
++	[37611].file	= "drivers/xen/xenbus/xenbus_xs.c",
++	[37611].name	= "split",
++	[37611].param2	= 1,
++	[37661].file	= "mm/filemap.c",
++	[37661].name	= "file_read_actor",
++	[37661].param4	= 1,
++	[38109].file	= "drivers/media/video/cafe_ccic.c",
++	[38109].name	= "cafe_deliver_buffer",
++	[38109].param3	= 1,
++	[38401].file	= "drivers/xen/xenfs/xenbus.c",
++	[38401].name	= "queue_reply",
++	[38401].param3	= 1,
++	[38576].file	= "drivers/i2c/i2c-dev.c",
++	[38576].name	= "i2cdev_read",
++	[38576].param3	= 1,
++	[39001].file	= "net/xfrm/xfrm_hash.c",
++	[39001].name	= "xfrm_hash_alloc",
++	[39001].param1	= 1,
++	[39147].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[39147].name	= "iwl_dbgfs_rx_statistics_write",
++	[39147].param3	= 1,
++	[39231].file	= "drivers/mtd/mtdconcat.c",
++	[39231].name	= "concat_writev",
++	[39231].param3	= 1,
++	[39254].file	= "drivers/char/pcmcia/cm4000_cs.c",
++	[39254].name	= "cmm_write",
++	[39254].param3	= 1,
++	[39479].file	= "drivers/ide/ide-tape.c",
++	[39479].name	= "idetape_chrdev_read",
++	[39479].param3	= 1,
++	[40049].file	= "drivers/bluetooth/btmrvl_debugfs.c",
++	[40049].name	= "btmrvl_psmode_write",
++	[40049].param3	= 1,
++	[40075].file	= "drivers/media/video/c-qcam.c",
++	[40075].name	= "qc_capture",
++	[40075].param3	= 1,
++	[40161].file	= "net/sunrpc/xprtsock.c",
++	[40161].name	= "xs_setup_xprt",
++	[40161].param2	= 1,
++	[40578].file	= "sound/soc/soc-core.c",
++	[40578].name	= "codec_reg_write_file",
++	[40578].param3	= 1,
++	[40609].file	= "sound/pci/rme9652/hdspm.c",
++	[40609].name	= "snd_hdspm_playback_copy",
++	[40609].param5	= 1,
++	[40713].file	= "net/mac80211/debugfs.c",
++	[40713].name	= "noack_write",
++	[40713].param3	= 1,
++	[40786].file	= "net/ipv4/netfilter/nf_nat_snmp_basic.c",
++	[40786].name	= "asn1_octets_decode",
++	[40786].param2	= 1,
++	[40951].file	= "drivers/xen/evtchn.c",
++	[40951].name	= "evtchn_read",
++	[40951].param3	= 1,
++	[40952].file	= "drivers/misc/sgi-xp/xpc_partition.c",
++	[40952].name	= "xpc_kmalloc_cacheline_aligned",
++	[40952].param1	= 1,
++	[41000].file	= "sound/core/pcm_native.c",
++	[41000].name	= "snd_pcm_aio_read",
++	[41000].param3	= 1,
++	[41056].file	= "net/sunrpc/auth_gss/auth_gss.c",
++	[41056].name	= "gss_pipe_upcall",
++	[41056].param4	= 1,
++	[41230].file	= "drivers/usb/storage/datafab.c",
++	[41230].name	= "datafab_read_data",
++	[41230].param4	= 1,
++	[41249].file	= "drivers/media/video/zr364xx.c",
++	[41249].name	= "send_control_msg",
++	[41249].param6	= 1,
++	[41418].file	= "fs/libfs.c",
++	[41418].name	= "simple_attr_write",
++	[41418].param3	= 1,
++	[4155].file	= "kernel/kexec.c",
++	[4155].name	= "do_kimage_alloc",
++	[4155].param3	= 1,
++	[41592].file	= "net/sctp/ssnmap.c",
++	[41592].name	= "sctp_ssnmap_new",
++	[41592].param1	= 1,
++	[41592].param2	= 1,
++	[4200].file	= "fs/squashfs/id.c",
++	[4200].name	= "squashfs_read_id_index_table",
++	[4200].param3	= 1,
++	[42420].file	= "drivers/net/wireless/hostap/hostap_ioctl.c",
++	[42420].name	= "prism2_set_genericelement",
++	[42420].param3	= 1,
++	[42483].file	= "drivers/media/video/videobuf-dma-sg.c",
++	[42483].name	= "videobuf_dma_init_user_locked",
++	[42483].param3	= 1,
++	[42666].file	= "drivers/pcmcia/cistpl.c",
++	[42666].name	= "read_cis_cache",
++	[42666].param4	= 1,
++	[42808].file	= "drivers/net/cxgb3/sge.c",
++	[42808].name	= "alloc_ring",
++	[42808].param4	= 1,
++	[42882].file	= "security/keys/user_defined.c",
++	[42882].name	= "user_instantiate",
++	[42882].param3	= 1,
++	[43393].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[43393].name	= "iwl_dbgfs_sram_write",
++	[43393].param3	= 1,
++	[43515].file	= "drivers/usb/storage/jumpshot.c",
++	[43515].name	= "jumpshot_read_data",
++	[43515].param4	= 1,
++	[44180].file	= "drivers/video/via/viafbdev.c",
++	[44180].name	= "viafb_vt1636_proc_write",
++	[44180].param3	= 1,
++	[44290].file	= "drivers/net/usb/dm9601.c",
++	[44290].name	= "dm_read",
++	[44290].param3	= 1,
++	[44298].file	= "drivers/scsi/pmcraid.c",
++	[44298].name	= "pmcraid_copy_sglist",
++	[44298].param3	= 1,
++	[44649].file	= "mm/page_cgroup.c",
++	[44649].name	= "swap_cgroup_swapon",
++	[44649].param2	= 1,
++	[44825].file	= "drivers/scsi/osd/osd_initiator.c",
++	[44825].name	= "_osd_realloc_seg",
++	[44825].param3	= 1,
++	[45000].file	= "fs/afs/proc.c",
++	[45000].name	= "afs_proc_rootcell_write",
++	[45000].param3	= 1,
++	[45231].file	= "fs/ecryptfs/crypto.c",
++	[45231].name	= "ecryptfs_copy_filename",
++	[45231].param4	= 1,
++	[45244].file	= "drivers/mfd/ab3100-core.c",
++	[45244].name	= "ab3100_get_set_reg",
++	[45244].param3	= 1,
++	[45576].file	= "net/netfilter/xt_recent.c",
++	[45576].name	= "recent_mt_proc_write",
++	[45576].param3	= 1,
++	[45583].file	= "fs/gfs2/dir.c",
++	[45583].name	= "leaf_dealloc",
++	[45583].param3	= 1,
++	[45954].file	= "drivers/usb/misc/legousbtower.c",
++	[45954].name	= "tower_write",
++	[45954].param3	= 1,
++	[45976].file	= "net/core/dev.c",
++	[45976].name	= "alloc_netdev_mq",
++	[45976].param4	= 1,
++	[46138].file	= "fs/btrfs/file.c",
++	[46138].name	= "btrfs_file_write",
++	[46138].param3	= 1,
++	[4614].file	= "sound/core/pcm_lib.c",
++	[4614].name	= "snd_pcm_lib_write_transfer",
++	[4614].param5	= 1,
++	[46243].file	= "fs/binfmt_misc.c",
++	[46243].name	= "bm_register_write",
++	[46243].param3	= 1,
++	[46343].file	= "fs/compat.c",
++	[46343].name	= "compat_do_readv_writev",
++	[46343].param4	= 1,
++	[4644].file	= "drivers/net/usb/mcs7830.c",
++	[4644].name	= "mcs7830_get_reg",
++	[4644].param3	= 1,
++	[46630].file	= "net/decnet/af_decnet.c",
++	[46630].name	= "__dn_setsockopt",
++	[46630].param5	= 1,
++	[46881].file	= "drivers/char/lp.c",
++	[46881].name	= "lp_write",
++	[46881].param3	= 1,
++	[47385].file	= "drivers/net/wireless/zd1211rw/zd_usb.c",
++	[47385].name	= "zd_usb_iowrite16v",
++	[47385].param3	= 1,
++	[47499].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[47499].name	= "iwl_dbgfs_tx_statistics_write",
++	[47499].param3	= 1,
++	[47850].file	= "fs/cifs/cifssmb.c",
++	[47850].name	= "CIFSSMBWrite",
++	[47850].param4	= 1,
++	[48182].file	= "crypto/cryptd.c",
++	[48182].name	= "cryptd_alloc_instance",
++	[48182].param2	= 1,
++	[49263].file	= "drivers/net/wireless/ath/ath9k/debug.c",
++	[49263].name	= "write_file_wiphy",
++	[49263].param3	= 1,
++	[49354].file	= "drivers/media/video/cx18/cx18-fileops.c",
++	[49354].name	= "cx18_v4l2_read",
++	[49354].param3	= 1,
++	[49448].file	= "drivers/isdn/gigaset/common.c",
++	[49448].name	= "gigaset_initdriver",
++	[49448].param2	= 1,
++	[49494].file	= "drivers/virtio/virtio_ring.c",
++	[49494].name	= "vring_new_virtqueue",
++	[49494].param1	= 1,
++	[49663].file	= "drivers/media/video/uvc/uvc_driver.c",
++	[49663].name	= "uvc_simplify_fraction",
++	[49663].param3	= 1,
++	[49780].file	= "net/mac80211/key.c",
++	[49780].name	= "ieee80211_key_alloc",
++	[49780].param3	= 1,
++	[49805].file	= "drivers/pci/pci.c",
++	[49805].name	= "pci_add_cap_save_buffer",
++	[49805].param3	= 1,
++	[49945].file	= "drivers/ieee1394/hosts.c",
++	[49945].name	= "hpsb_alloc_host",
++	[49945].param2	= 1,
++	[50001].file	= "sound/pci/ctxfi/ctresource.c",
++	[50001].name	= "rsc_mgr_init",
++	[50001].param3	= 1,
++	[50022].file	= "drivers/usb/storage/shuttle_usbat.c",
++	[50022].name	= "usbat_flash_read_data",
++	[50022].param4	= 1,
++	[50096].file	= "drivers/net/wireless/libertas/debugfs.c",
++	[50096].name	= "lbs_rdbbp_write",
++	[50096].param3	= 1,
++	[50102].file	= "drivers/telephony/ixj.c",
++	[50102].name	= "ixj_write",
++	[50102].param3	= 1,
++	[5052].file	= "drivers/char/ppdev.c",
++	[5052].name	= "pp_read",
++	[5052].param3	= 1,
++	[50562].file	= "drivers/media/video/zoran/zoran_procfs.c",
++	[50562].name	= "zoran_write",
++	[50562].param3	= 1,
++	[50692].file	= "lib/ts_bm.c",
++	[50692].name	= "bm_init",
++	[50692].param2	= 1,
++	[51052].file	= "drivers/base/firmware_class.c",
++	[51052].name	= "firmware_data_write",
++	[51052].param5	= 1,
++	[51177].file	= "net/sunrpc/xprtrdma/transport.c",
++	[51177].name	= "xprt_rdma_allocate",
++	[51177].param2	= 1,
++	[51250].file	= "fs/read_write.c",
++	[51250].name	= "rw_copy_check_uvector",
++	[51250].param3	= 1,
++	[51323].file	= "sound/pci/ac97/ac97_pcm.c",
++	[51323].name	= "snd_ac97_pcm_assign",
++	[51323].param2	= 1,
++	[51340].file	= "drivers/usb/class/usblp.c",
++	[51340].name	= "usblp_write",
++	[51340].param3	= 1,
++	[51464].file	= "drivers/i2c/i2c-dev.c",
++	[51464].name	= "i2cdev_write",
++	[51464].param3	= 1,
++	[51855].file	= "net/rds/message.c",
++	[51855].name	= "rds_message_copy_from_user",
++	[51855].param2	= 1,
++	[5197].file	= "net/core/dev.c",
++	[5197].name	= "dev_set_alias",
++	[5197].param3	= 1,
++	[52173].file	= "drivers/misc/ibmasm/ibmasmfs.c",
++	[52173].name	= "remote_settings_file_write",
++	[52173].param3	= 1,
++	[52201].file	= "drivers/video/via/viafbdev.c",
++	[52201].name	= "viafb_dvp0_proc_write",
++	[52201].param3	= 1,
++	[5233].file	= "include/linux/poll.h",
++	[5233].name	= "set_fd_set",
++	[5233].param1	= 1,
++	[52364].file	= "sound/core/pcm_lib.c",
++	[52364].name	= "snd_pcm_lib_readv_transfer",
++	[52364].param5	= 1,
++	[52589].file	= "drivers/xen/xenfs/xenbus.c",
++	[52589].name	= "xenbus_file_read",
++	[52589].param3	= 1,
++	[52699].file	= "lib/ts_fsm.c",
++	[52699].name	= "fsm_init",
++	[52699].param2	= 1,
++	[5313].file	= "fs/gfs2/quota.c",
++	[5313].name	= "do_sync",
++	[5313].param1	= 1,
++	[5344].file	= "security/selinux/ss/hashtab.c",
++	[5344].name	= "hashtab_create",
++	[5344].param3	= 1,
++	[53626].file	= "drivers/block/paride/pg.c",
++	[53626].name	= "pg_read",
++	[53626].param3	= 1,
++	[53644].file	= "net/mac80211/rc80211_minstrel_debugfs.c",
++	[53644].name	= "minstrel_stats_read",
++	[53644].param3	= 1,
++	[5389].file	= "drivers/infiniband/core/uverbs_cmd.c",
++	[5389].name	= "ib_uverbs_unmarshall_recv",
++	[5389].param5	= 1,
++	[53901].file	= "net/rds/message.c",
++	[53901].name	= "rds_message_alloc",
++	[53901].param1	= 1,
++	[54298].file	= "drivers/usb/wusbcore/crypto.c",
++	[54298].name	= "wusb_ccm_mac",
++	[54298].param7	= 1,
++	[54335].file	= "drivers/md/dm-table.c",
++	[54335].name	= "dm_vcalloc",
++	[54335].param2	= 1,
++	[54427].file	= "drivers/usb/storage/jumpshot.c",
++	[54427].name	= "jumpshot_write_data",
++	[54427].param4	= 1,
++	[54467].file	= "net/packet/af_packet.c",
++	[54467].name	= "packet_setsockopt",
++	[54467].param5	= 1,
++	[54643].file	= "drivers/isdn/hardware/eicon/divasi.c",
++	[54643].name	= "um_idi_write",
++	[54643].param3	= 1,
++	[54657].file	= "mm/migrate.c",
++	[54657].name	= "do_pages_stat",
++	[54657].param2	= 1,
++	[54663].file	= "drivers/isdn/hardware/eicon/platform.h",
++	[54663].name	= "diva_os_malloc",
++	[54663].param2	= 1,
++	[54780].file	= "drivers/net/wireless/zd1211rw/zd_chip.c",
++	[54780].name	= "_zd_iowrite32v_locked",
++	[54780].param3	= 1,
++	[55066].file	= "net/ipv6/ipv6_sockglue.c",
++	[55066].name	= "do_ipv6_setsockopt",
++	[55066].param5	= 1,
++	[55081].file	= "drivers/virtio/virtio_ring.c",
++	[55081].name	= "vring_add_buf",
++	[55081].param4	= 1,
++	[55105].file	= "drivers/base/devres.c",
++	[55105].name	= "devres_alloc",
++	[55105].param2	= 1,
++	[55155].file	= "net/bluetooth/rfcomm/sock.c",
++	[55155].name	= "rfcomm_sock_setsockopt",
++	[55155].param5	= 1,
++	[55608].file	= "net/sctp/socket.c",
++	[55608].name	= "sctp_setsockopt_auth_key",
++	[55608].param3	= 1,
++	[56471].file	= "include/linux/slab.h",
++	[56471].name	= "kcalloc",
++	[56471].param1	= 1,
++	[56471].param2	= 1,
++	[5661].file	= "lib/dma-debug.c",
++	[5661].name	= "filter_write",
++	[5661].param3	= 1,
++	[57471].file	= "drivers/media/video/sn9c102/sn9c102_core.c",
++	[57471].name	= "sn9c102_read",
++	[57471].param3	= 1,
++	[57670].file	= "drivers/bluetooth/btmrvl_debugfs.c",
++	[57670].name	= "btmrvl_pscmd_write",
++	[57670].param3	= 1,
++	[57724].file	= "net/bluetooth/hci_sock.c",
++	[57724].name	= "hci_sock_setsockopt",
++	[57724].param5	= 1,
++	[58043].file	= "kernel/auditfilter.c",
++	[58043].name	= "audit_unpack_string",
++	[58043].param3	= 1,
++	[58107].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[58107].name	= "iwl_dbgfs_sleep_level_override_write",
++	[58107].param3	= 1,
++	[58263].file	= "security/keys/keyring.c",
++	[58263].name	= "keyring_read",
++	[58263].param3	= 1,
++	[58278].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[58278].name	= "iwl_dbgfs_log_event_write",
++	[58278].param3	= 1,
++	[5827].file	= "drivers/net/wireless/ray_cs.c",
++	[5827].name	= "write_essid",
++	[5827].param3	= 1,
++	[58769].file	= "drivers/net/wireless/zd1211rw/zd_usb.c",
++	[58769].name	= "zd_usb_read_fw",
++	[58769].param4	= 1,
++	[58878].file	= "drivers/net/wireless/libertas/debugfs.c",
++	[58878].name	= "lbs_wrbbp_write",
++	[58878].param3	= 1,
++	[58888].file	= "fs/xattr.c",
++	[58888].name	= "listxattr",
++	[58888].param3	= 1,
++	[58918].file	= "sound/core/pcm_native.c",
++	[58918].name	= "snd_pcm_aio_write",
++	[58918].param3	= 1,
++	[58919].file	= "net/netlabel/netlabel_unlabeled.c",
++	[58919].name	= "netlbl_unlabel_init",
++	[58919].param1	= 1,
++	[58942].file	= "drivers/block/aoe/aoedev.c",
++	[58942].name	= "aoedev_flush",
++	[58942].param2	= 1,
++	[59270].file	= "net/tipc/socket.c",
++	[59270].name	= "recv_stream",
++	[59270].param4	= 1,
++	[59639].file	= "drivers/media/video/stv680.c",
++	[59639].name	= "stv680_read",
++	[59639].param3	= 1,
++	[5968].file	= "net/sunrpc/sched.c",
++	[5968].name	= "rpc_malloc",
++	[5968].param2	= 1,
++	[59794].file	= "mm/mincore.c",
++	[59794].name	= "sys_mincore",
++	[59794].param2	= 1,
++	[59856].file	= "drivers/base/devres.c",
++	[59856].name	= "devm_kzalloc",
++	[59856].param2	= 1,
++	[59877].file	= "sound/pci/rme9652/hdspm.c",
++	[59877].name	= "snd_hdspm_capture_copy",
++	[59877].param5	= 1,
++	[59991].file	= "drivers/media/video/uvc/uvc_queue.c",
++	[59991].name	= "uvc_alloc_buffers",
++	[59991].param2	= 1,
++	[60005].file	= "fs/namei.c",
++	[60005].name	= "getname",
++	[60005].param1	= 1,
++	[60045].file	= "drivers/net/usb/mcs7830.c",
++	[60045].name	= "mcs7830_set_reg",
++	[60045].param3	= 1,
++	[60198].file	= "fs/nfs/nfs4proc.c",
++	[60198].name	= "nfs4_write_cached_acl",
++	[60198].param3	= 1,
++	[60331].file	= "fs/squashfs/fragment.c",
++	[60331].name	= "squashfs_read_fragment_index_table",
++	[60331].param3	= 1,
++	[60391].file	= "drivers/ieee1394/raw1394.c",
++	[60391].name	= "fcp_request",
++	[60391].param6	= 1,
++	[60651].file	= "drivers/ide/ide-proc.c",
++	[60651].name	= "ide_driver_proc_write",
++	[60651].param3	= 1,
++	[60683].file	= "sound/drivers/opl4/opl4_proc.c",
++	[60683].name	= "snd_opl4_mem_proc_write",
++	[60683].param5	= 1,
++	[60693].file	= "drivers/misc/hpilo.c",
++	[60693].name	= "ilo_read",
++	[60693].param3	= 1,
++	[60744].file	= "sound/pci/emu10k1/emuproc.c",
++	[60744].name	= "snd_emu10k1_fx8010_read",
++	[60744].param5	= 1,
++	[60878].file	= "drivers/net/wireless/rt2x00/rt2x00debug.c",
++	[60878].name	= "rt2x00debug_read_queue_dump",
++	[60878].param3	= 1,
++	[61058].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[61058].name	= "iwl_dbgfs_disable_ht40_write",
++	[61058].param3	= 1,
++	[61552].file	= "drivers/input/evdev.c",
++	[61552].name	= "str_to_user",
++	[61552].param2	= 1,
++	[61770].file	= "drivers/media/video/et61x251/et61x251_core.c",
++	[61770].name	= "et61x251_read",
++	[61770].param3	= 1,
++	[62081].file	= "drivers/net/irda/vlsi_ir.c",
++	[62081].name	= "vlsi_alloc_ring",
++	[62081].param3	= 1,
++	[62378].file	= "net/ipv4/tcp.c",
++	[62378].name	= "do_tcp_setsockopt",
++	[62378].param5	= 1,
++	[62525].file	= "net/mac80211/debugfs.c",
++	[62525].name	= "tsf_write",
++	[62525].param3	= 1,
++	[62744].file	= "drivers/char/mem.c",
++	[62744].name	= "kmsg_write",
++	[62744].param3	= 1,
++	[62970].file	= "net/sched/sch_api.c",
++	[62970].name	= "qdisc_class_hash_alloc",
++	[62970].param1	= 1,
++	[63004].file	= "drivers/usb/storage/datafab.c",
++	[63004].name	= "datafab_write_data",
++	[63004].param4	= 1,
++	[63007].file	= "fs/proc/base.c",
++	[63007].name	= "proc_coredump_filter_write",
++	[63007].param3	= 1,
++	[63091].file	= "drivers/net/usb/pegasus.c",
++	[63091].name	= "get_registers",
++	[63091].param3	= 1,
++	[63169].file	= "drivers/scsi/sg.c",
++	[63169].name	= "sg_read",
++	[63169].param3	= 1,
++	[63489].file	= "drivers/bluetooth/btmrvl_debugfs.c",
++	[63489].name	= "btmrvl_hscfgcmd_write",
++	[63489].param3	= 1,
++	[63605].file	= "mm/mempool.c",
++	[63605].name	= "mempool_kmalloc",
++	[63605].param2	= 1,
++	[63765].file	= "fs/seq_file.c",
++	[63765].name	= "seq_read",
++	[63765].param3	= 1,
++	[64392].file	= "drivers/mmc/core/mmc_ops.c",
++	[64392].name	= "mmc_send_cxd_data",
++	[64392].param5	= 1,
++	[64471].file	= "drivers/bluetooth/btmrvl_debugfs.c",
++	[64471].name	= "btmrvl_hscmd_write",
++	[64471].param3	= 1,
++	[64743].file	= "fs/ocfs2/dlm/dlmfs.c",
++	[64743].name	= "dlmfs_file_read",
++	[64743].param3	= 1,
++	[65087].file	= "drivers/net/usb/asix.c",
++	[65087].name	= "asix_write_cmd",
++	[65087].param5	= 1,
++	[65098].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[65098].name	= "iwl_dbgfs_traffic_log_write",
++	[65098].param3	= 1,
++	[65195].file	= "fs/jffs2/xattr.c",
++	[65195].name	= "do_jffs2_setxattr",
++	[65195].param5	= 1,
++	[65207].file	= "drivers/media/video/cpia.c",
++	[65207].name	= "cpia_write_proc",
++	[65207].param3	= 1,
++	[65364].file	= "sound/core/pcm_lib.c",
++	[65364].name	= "snd_pcm_lib_read_transfer",
++	[65364].param5	= 1,
++	[65409].file	= "net/802/garp.c",
++	[65409].name	= "garp_request_join",
++	[65409].param4	= 1,
++	[65514].file	= "drivers/media/video/gspca/t613.c",
++	[65514].name	= "reg_w_ixbuf",
++	[65514].param4	= 1,
++	[6691].file	= "drivers/acpi/proc.c",
++	[6691].name	= "acpi_system_write_wakeup_device",
++	[6691].param3	= 1,
++	[680].file	= "drivers/misc/ibmasm/ibmasmfs.c",
++	[680].name	= "command_file_read",
++	[680].param3	= 1,
++	[6867].file	= "fs/coda/psdev.c",
++	[6867].name	= "coda_psdev_read",
++	[6867].param3	= 1,
++	[6891].file	= "drivers/bluetooth/btmrvl_debugfs.c",
++	[6891].name	= "btmrvl_gpiogap_write",
++	[6891].param3	= 1,
++	[720].file	= "sound/pci/rme9652/hdsp.c",
++	[720].name	= "snd_hdsp_playback_copy",
++	[720].param5	= 1,
++	[7488].file	= "security/keys/user_defined.c",
++	[7488].name	= "user_read",
++	[7488].param3	= 1,
++	[7664].file	= "drivers/hid/hid-core.c",
++	[7664].name	= "hid_parse_report",
++	[7664].param3	= 1,
++	[7810].file	= "fs/squashfs/export.c",
++	[7810].name	= "squashfs_read_inode_lookup_table",
++	[7810].param3	= 1,
++	[7958].file	= "drivers/gpu/vga/vgaarb.c",
++	[7958].name	= "vga_arb_write",
++	[7958].param3	= 1,
++	[7976].file	= "drivers/usb/gadget/rndis.c",
++	[7976].name	= "rndis_add_response",
++	[7976].param2	= 1,
++	[8285].file	= "net/ipv4/tcp.c",
++	[8285].name	= "tcp_setsockopt",
++	[8285].param5	= 1,
++	[8334].file	= "drivers/scsi/sg.c",
++	[8334].name	= "sg_proc_write_adio",
++	[8334].param3	= 1,
++	[8481].file	= "drivers/isdn/i4l/isdn_common.c",
++	[8481].name	= "isdn_write",
++	[8481].param3	= 1,
++	[8536].file	= "fs/cifs/dns_resolve.c",
++	[8536].name	= "dns_resolve_server_name_to_ip",
++	[8536].param1	= 1,
++	[8699].file	= "fs/nfs/idmap.c",
++	[8699].name	= "idmap_pipe_upcall",
++	[8699].param4	= 1,
++	[8764].file	= "drivers/usb/core/devio.c",
++	[8764].name	= "usbdev_read",
++	[8764].param3	= 1,
++	[8917].file	= "net/ipv4/raw.c",
++	[8917].name	= "raw_setsockopt",
++	[8917].param5	= 1,
++	[9463].file	= "drivers/infiniband/hw/ipath/ipath_verbs.c",
++	[9463].name	= "ipath_verbs_send",
++	[9463].param3	= 1,
++	[9463].param5	= 1,
++	[9702].file	= "drivers/pcmcia/pcmcia_ioctl.c",
++	[9702].name	= "ds_ioctl",
++	[9702].param3	= 1,
++	[9828].file	= "drivers/media/dvb/dvb-core/dmxdev.c",
++	[9828].name	= "dvb_demux_do_ioctl",
++	[9828].param4	= 1,
++	[9962].file	= "drivers/scsi/sg.c",
++	[9962].name	= "sg_proc_write_dressz",
++	[9962].param3	= 1,
++	[31291].collision	= 1,
++	[38314].collision	= 1,
++};
+diff --git a/tools/gcc/size_overflow_hash2.h b/tools/gcc/size_overflow_hash2.h
+new file mode 100644
+index 0000000..7176f29
+--- /dev/null
++++ b/tools/gcc/size_overflow_hash2.h
+@@ -0,0 +1,14 @@
++struct size_overflow_hash size_overflow_hash2[65536] = {
++	[39105].file	= "drivers/gpu/drm/ttm/ttm_tt.c",
++	[39105].name	= "ttm_tt_create",
++	[39105].param2	= 1,
++	[43208].file	= "fs/nfs/read.c",
++	[43208].name	= "nfs_readdata_alloc",
++	[43208].param1	= 1,
++	[46911].file	= "drivers/media/video/ivtv/ivtv-fileops.c",
++	[46911].name	= "ivtv_v4l2_read",
++	[46911].param3	= 1,
++	[52857].file	= "sound/pci/rme9652/rme9652.c",
++	[52857].name	= "snd_rme9652_capture_copy",
++	[52857].param5	= 1,
++};
+diff --git a/tools/gcc/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin.c
+new file mode 100644
+index 0000000..a9ae886
+--- /dev/null
++++ b/tools/gcc/size_overflow_plugin.c
+@@ -0,0 +1,1042 @@
++/*
++ * Copyright 2011, 2012 by Emese Revfy <re.emese@gmail.com>
++ * Licensed under the GPL v2, or (at your option) v3
++ *
++ * Homepage:
++ * http://www.grsecurity.net/~ephox/overflow_plugin/
++ *
++ * This plugin recomputes expressions of function arguments marked by a size_overflow attribute
++ * with double integer precision (DImode/TImode for 32/64 bit integer types).
++ * The recomputed argument is checked against INT_MAX and an event is logged on overflow and the triggering process is killed.
++ *
++ * Usage:
++ * $ gcc -I`gcc -print-file-name=plugin`/include -fPIC -shared -O2 -o size_overflow_plugin.so size_overflow_plugin.c
++ * $ gcc -fplugin=size_overflow_plugin.so test.c  -O2
++ */
++
++#include "gcc-plugin.h"
++#include "config.h"
++#include "system.h"
++#include "coretypes.h"
++#include "tree.h"
++#include "tree-pass.h"
++#include "intl.h"
++#include "plugin-version.h"
++#include "tm.h"
++#include "toplev.h"
++#include "function.h"
++#include "tree-flow.h"
++#include "plugin.h"
++#include "gimple.h"
++#include "c-common.h"
++#include "diagnostic.h"
++
++struct size_overflow_hash {
++		const char *name;
++		const char *file;
++		unsigned short collision:1;
++		unsigned short param1:1;
++		unsigned short param2:1;
++		unsigned short param3:1;
++		unsigned short param4:1;
++		unsigned short param5:1;
++		unsigned short param6:1;
++		unsigned short param7:1;
++		unsigned short param8:1;
++		unsigned short param9:1;
++};
++
++#include "size_overflow_hash1.h"
++#include "size_overflow_hash2.h"
++
++#define __unused __attribute__((__unused__))
++#define NAME(node) IDENTIFIER_POINTER(DECL_NAME(node))
++#define BEFORE_STMT true
++#define AFTER_STMT false
++#define CREATE_NEW_VAR NULL_TREE
++
++int plugin_is_GPL_compatible;
++void debug_gimple_stmt (gimple gs);
++
++static tree expand(struct pointer_set_t *visited, tree var);
++static tree signed_size_overflow_type;
++static tree unsigned_size_overflow_type;
++static tree report_size_overflow_decl;
++static tree const_char_ptr_type_node;
++static unsigned int handle_function(void);
++
++static struct plugin_info size_overflow_plugin_info = {
++	.version	= "20120311beta",
++	.help		= "no-size_overflow\tturn off size overflow checking\n",
++};
++
++static tree handle_size_overflow_attribute(tree *node, tree __unused name, tree args, int __unused flags, bool *no_add_attrs)
++{
++	unsigned int arg_count = type_num_arguments(*node);
++
++	for (; args; args = TREE_CHAIN(args)) {
++		tree position = TREE_VALUE(args);
++		if (TREE_CODE(position) != INTEGER_CST || TREE_INT_CST_HIGH(position) || TREE_INT_CST_LOW(position) < 1 || TREE_INT_CST_LOW(position) > arg_count ) {
++			error("handle_size_overflow_attribute: overflow parameter outside range.");
++			*no_add_attrs = true;
++		}
++	}
++	return NULL_TREE;
++}
++
++static struct attribute_spec no_size_overflow_attr = {
++	.name				= "size_overflow",
++	.min_length			= 1,
++	.max_length			= -1,
++	.decl_required			= false,
++	.type_required			= true,
++	.function_type_required		= true,
++	.handler			= handle_size_overflow_attribute
++};
++
++static void register_attributes(void __unused *event_data, void __unused *data)
++{
++	register_attribute(&no_size_overflow_attr);
++}
++
++// http://www.team5150.com/~andrew/noncryptohashzoo2~/CrapWow.html
++static unsigned int CrapWow(const char *key, unsigned int len, unsigned int seed)
++{
++#define cwfold( a, b, lo, hi ) { p = (unsigned int)(a) * (unsigned long long)(b); lo ^= (unsigned int)p; hi ^= (unsigned int)(p >> 32); }
++#define cwmixa( in ) { cwfold( in, m, k, h ); }
++#define cwmixb( in ) { cwfold( in, n, h, k ); }
++
++	const unsigned int m = 0x57559429;
++	const unsigned int n = 0x5052acdb;
++	const unsigned int *key4 = (const unsigned int *)key;
++	unsigned int h = len;
++	unsigned int k = len + seed + n;
++	unsigned long long p;
++
++	while (len >= 8) {
++		cwmixb(key4[0]) cwmixa(key4[1]) key4 += 2;
++		len -= 8;
++	}
++	if (len >= 4) {
++		cwmixb(key4[0]) key4 += 1;
++		len -= 4;
++	}
++	if (len)
++		cwmixa(key4[0] & ((1 << (len * 8)) - 1 ));
++	cwmixb(h ^ (k + n));
++	return k ^ h;
++
++#undef cwfold
++#undef cwmixa
++#undef cwmixb
++}
++
++static inline unsigned int size_overflow_hash(const char *fndecl, unsigned int seed)
++{
++	return CrapWow(fndecl, strlen(fndecl), seed) & 0xffff;
++}
++
++static inline tree get_original_function_decl(tree fndecl)
++{
++	if (DECL_ABSTRACT_ORIGIN(fndecl))
++		return DECL_ABSTRACT_ORIGIN(fndecl);
++	return fndecl;
++}
++
++static inline gimple get_def_stmt(tree node)
++{
++	gcc_assert(TREE_CODE(node) == SSA_NAME);
++	return SSA_NAME_DEF_STMT(node);
++}
++
++static struct size_overflow_hash *get_function_hash(tree fndecl)
++{
++	unsigned int hash;
++	const char *func = NAME(fndecl);
++
++	hash = size_overflow_hash(func, 0);
++
++	if (size_overflow_hash1[hash].collision) {
++		hash = size_overflow_hash(func, 23432);
++		return &size_overflow_hash2[hash];
++	}
++	return &size_overflow_hash1[hash];
++}
++
++static void check_missing_attribute(tree arg)
++{
++	tree var, func = get_original_function_decl(current_function_decl);
++	const char *curfunc = NAME(func);
++	unsigned int new_hash, argnum = 1;
++	struct size_overflow_hash *hash;
++	location_t loc;
++	expanded_location xloc;
++	bool match = false;
++
++	loc = DECL_SOURCE_LOCATION(func);
++	xloc = expand_location(loc);
++
++	if (lookup_attribute("size_overflow", TYPE_ATTRIBUTES(TREE_TYPE(func))))
++		return;
++
++	hash = get_function_hash(func);
++	if (hash->name && !strcmp(hash->name, NAME(func)) && !strcmp(hash->file, xloc.file))
++		return;
++
++	gcc_assert(TREE_CODE(arg) != COMPONENT_REF);
++
++	if (TREE_CODE(arg) == SSA_NAME)
++		arg = SSA_NAME_VAR(arg);
++
++	for (var = DECL_ARGUMENTS(func); var; var = TREE_CHAIN(var)) {
++		if (strcmp(NAME(arg), NAME(var))) {
++			argnum++;
++			continue;
++		}
++		match = true;
++		if (!TYPE_UNSIGNED(TREE_TYPE(var)))
++			return;
++		break;
++	}
++	if (!match) {
++		warning(0, "check_missing_attribute: cannot find the %s argument in %s", NAME(arg), NAME(func));
++		return;
++	}
++
++#define check_param(num)			\
++	if (num == argnum && hash->param##num)	\
++		return;
++	check_param(1);
++	check_param(2);
++	check_param(3);
++	check_param(4);
++	check_param(5);
++	check_param(6);
++	check_param(7);
++	check_param(8);
++	check_param(9);
++#undef check_param
++
++	new_hash = size_overflow_hash(curfunc, 0);
++	inform(loc, "Function %s is missing from the size_overflow hash table +%s+%d+%u+%s", curfunc, curfunc, argnum, new_hash, xloc.file);
++}
++
++static tree create_new_var(tree type)
++{
++	tree new_var = create_tmp_var(type, "cicus");
++
++	add_referenced_var(new_var);
++	mark_sym_for_renaming(new_var);
++	return new_var;
++}
++
++static bool is_bool(tree node)
++{
++	tree type;
++
++	if (node == NULL_TREE)
++		return false;
++
++	type = TREE_TYPE(node);
++	if (!INTEGRAL_TYPE_P(type))
++		return false;
++	if (TREE_CODE(type) == BOOLEAN_TYPE)
++		return true;
++	if (TYPE_PRECISION(type) == 1)
++		return true;
++	return false;
++}
++
++static gimple build_cast_stmt(tree type, tree var, tree new_var, location_t loc)
++{
++	gimple assign;
++
++	if (new_var == CREATE_NEW_VAR)
++		new_var = create_new_var(type);
++
++	assign = gimple_build_assign(new_var, fold_convert(type, var));
++	gimple_set_location(assign, loc);
++	gimple_set_lhs(assign, make_ssa_name(new_var, assign));
++
++	return assign;
++}
++
++static tree create_assign(struct pointer_set_t *visited, gimple oldstmt, tree rhs1, bool before)
++{
++	tree oldstmt_rhs1;
++	enum tree_code code;
++	gimple stmt;
++	gimple_stmt_iterator gsi;
++
++	if (is_bool(rhs1)) {
++		pointer_set_insert(visited, oldstmt);
++		return gimple_get_lhs(oldstmt);
++	}
++
++	if (rhs1 == NULL_TREE) {
++		debug_gimple_stmt(oldstmt);
++		error("create_assign: rhs1 is NULL_TREE");
++		gcc_unreachable();
++	}
++
++	oldstmt_rhs1 = gimple_assign_rhs1(oldstmt);
++	code = TREE_CODE(oldstmt_rhs1);
++	if (code == PARM_DECL || (code == SSA_NAME && gimple_code(get_def_stmt(oldstmt_rhs1)) == GIMPLE_NOP))
++		check_missing_attribute(oldstmt_rhs1);
++
++	stmt = build_cast_stmt(signed_size_overflow_type, rhs1, CREATE_NEW_VAR, gimple_location(oldstmt));
++	gsi = gsi_for_stmt(oldstmt);
++	if (before)
++		gsi_insert_before(&gsi, stmt, GSI_NEW_STMT);
++	else
++		gsi_insert_after(&gsi, stmt, GSI_NEW_STMT);
++	update_stmt(stmt);
++	pointer_set_insert(visited, oldstmt);
++	return gimple_get_lhs(stmt);
++}
++
++static tree dup_assign(struct pointer_set_t *visited, gimple oldstmt, tree rhs1, tree rhs2, tree __unused rhs3)
++{
++	tree new_var, lhs = gimple_get_lhs(oldstmt);
++	gimple stmt;
++	gimple_stmt_iterator gsi;
++
++	if (gimple_num_ops(oldstmt) != 4 && rhs1 == NULL_TREE) {
++		rhs1 = gimple_assign_rhs1(oldstmt);
++		rhs1 = create_assign(visited, oldstmt, rhs1, BEFORE_STMT);
++	}
++	if (gimple_num_ops(oldstmt) == 3 && rhs2 == NULL_TREE) {
++		rhs2 = gimple_assign_rhs2(oldstmt);
++		rhs2 = create_assign(visited, oldstmt, rhs2, BEFORE_STMT);
++	}
++
++	stmt = gimple_copy(oldstmt);
++	gimple_set_location(stmt, gimple_location(oldstmt));
++
++	if (gimple_assign_rhs_code(oldstmt) == WIDEN_MULT_EXPR)
++		gimple_assign_set_rhs_code(stmt, MULT_EXPR);
++
++	if (is_bool(lhs))
++		new_var = SSA_NAME_VAR(lhs);
++	else
++		new_var = create_new_var(signed_size_overflow_type);
++	new_var = make_ssa_name(new_var, stmt);
++	gimple_set_lhs(stmt, new_var);
++
++	if (rhs1 != NULL_TREE) {
++		if (!gimple_assign_cast_p(oldstmt))
++			rhs1 = fold_convert(signed_size_overflow_type, rhs1);
++		gimple_assign_set_rhs1(stmt, rhs1);
++	}
++
++	if (rhs2 != NULL_TREE)
++		gimple_assign_set_rhs2(stmt, rhs2);
++#if BUILDING_GCC_VERSION >= 4007
++	if (rhs3 != NULL_TREE)
++		gimple_assign_set_rhs3(stmt, rhs3);
++#endif
++	gimple_set_vuse(stmt, gimple_vuse(oldstmt));
++	gimple_set_vdef(stmt, gimple_vdef(oldstmt));
++
++	gsi = gsi_for_stmt(oldstmt);
++	gsi_insert_after(&gsi, stmt, GSI_SAME_STMT);
++	update_stmt(stmt);
++	pointer_set_insert(visited, oldstmt);
++	return gimple_get_lhs(stmt);
++}
++
++static gimple overflow_create_phi_node(gimple oldstmt, tree var)
++{
++	basic_block bb;
++	gimple phi;
++	gimple_stmt_iterator gsi = gsi_for_stmt(oldstmt);
++
++	bb = gsi_bb(gsi);
++	phi = make_phi_node(var, EDGE_COUNT(bb->preds));
++
++	gsi_insert_after(&gsi, phi, GSI_NEW_STMT);
++	gimple_set_bb(phi, bb);
++	return phi;
++}
++
++static tree signed_cast_constant(tree node)
++{
++	gcc_assert(is_gimple_constant(node));
++
++	if (TYPE_PRECISION(signed_size_overflow_type) == TYPE_PRECISION(TREE_TYPE(node)))
++		return build_int_cst_wide(signed_size_overflow_type, TREE_INT_CST_LOW(node), TREE_INT_CST_HIGH(node));
++	else
++		return build_int_cst(signed_size_overflow_type, int_cst_value(node));
++}
++
++static gimple cast_old_phi_arg(gimple oldstmt, tree arg, tree new_var)
++{
++	basic_block first_bb;
++	gimple newstmt;
++	gimple_stmt_iterator gsi;
++
++	newstmt = build_cast_stmt(signed_size_overflow_type, arg, new_var, gimple_location(oldstmt));
++
++	first_bb = split_block_after_labels(ENTRY_BLOCK_PTR)->dest;
++	if (dom_info_available_p(CDI_DOMINATORS))
++		set_immediate_dominator(CDI_DOMINATORS, first_bb, ENTRY_BLOCK_PTR);
++	gsi = gsi_start_bb(first_bb);
++
++	gsi_insert_before(&gsi, newstmt, GSI_NEW_STMT);
++	return newstmt;
++}
++
++static gimple handle_new_phi_arg(tree arg, tree new_var, tree new_rhs)
++{
++	gimple newstmt;
++	gimple_stmt_iterator gsi;
++	void (*gsi_insert)(gimple_stmt_iterator *, gimple, enum gsi_iterator_update);
++	gimple def_newstmt = get_def_stmt(new_rhs);
++
++	gsi_insert = gsi_insert_after;
++	gsi = gsi_for_stmt(def_newstmt);
++
++	switch (gimple_code(get_def_stmt(arg))) {
++	case GIMPLE_PHI:
++		newstmt = gimple_build_assign(new_var, new_rhs);
++		gsi = gsi_after_labels(gimple_bb(def_newstmt));
++		gsi_insert = gsi_insert_before;
++		break;
++	case GIMPLE_ASM:
++	case GIMPLE_CALL:
++		newstmt = gimple_build_assign(new_var, new_rhs);
++		break;
++	case GIMPLE_ASSIGN:
++		newstmt = gimple_copy(def_newstmt);
++		break;
++	default:
++		/* unknown gimple_code (build_new_phi_arg) */
++		gcc_unreachable();
++	}
++
++	gimple_set_lhs(newstmt, make_ssa_name(new_var, newstmt));
++	gsi_insert(&gsi, newstmt, GSI_NEW_STMT);
++	return newstmt;
++}
++
++static tree build_new_phi_arg(struct pointer_set_t *visited, gimple oldstmt, tree arg, tree new_var)
++{
++	gimple newstmt;
++	tree new_rhs;
++
++	if (is_gimple_constant(arg))
++		return signed_cast_constant(arg);
++
++	pointer_set_insert(visited, oldstmt);
++	new_rhs = expand(visited, arg);
++	if (new_rhs == NULL_TREE) {
++		gcc_assert(TREE_CODE(TREE_TYPE(arg)) != VOID_TYPE);
++		newstmt = cast_old_phi_arg(oldstmt, arg, new_var);
++	} else
++		newstmt = handle_new_phi_arg(arg, new_var, new_rhs);
++	update_stmt(newstmt);
++	return gimple_get_lhs(newstmt);
++}
++
++static tree build_new_phi(struct pointer_set_t *visited, gimple oldstmt)
++{
++	gimple phi;
++	tree new_var = create_new_var(signed_size_overflow_type);
++	unsigned int i, n = gimple_phi_num_args(oldstmt);
++
++	phi = overflow_create_phi_node(oldstmt, new_var);
++
++	for (i = 0; i < n; i++) {
++		tree arg, lhs;
++
++		arg = gimple_phi_arg_def(oldstmt, i);
++		lhs = build_new_phi_arg(visited, oldstmt, arg, new_var);
++		add_phi_arg(phi, lhs, gimple_phi_arg_edge(oldstmt, i), gimple_location(oldstmt));
++	}
++	update_stmt(phi);
++	return gimple_phi_result(phi);
++}
++
++static tree handle_unary_ops(struct pointer_set_t *visited, tree var)
++{
++	gimple def_stmt = get_def_stmt(var);
++	tree new_rhs1, rhs1 = gimple_assign_rhs1(def_stmt);
++
++	if (is_gimple_constant(rhs1))
++		return dup_assign(visited, def_stmt, signed_cast_constant(rhs1), NULL_TREE, NULL_TREE);
++
++	switch (TREE_CODE(rhs1)) {
++	case SSA_NAME:
++		new_rhs1 = expand(visited, rhs1);
++		break;
++	case ARRAY_REF:
++	case ADDR_EXPR:
++	case COMPONENT_REF:
++	case COND_EXPR:
++	case INDIRECT_REF:
++#if BUILDING_GCC_VERSION >= 4006
++	case MEM_REF:
++#endif
++	case PARM_DECL:
++	case TARGET_MEM_REF:
++	case VAR_DECL:
++		return create_assign(visited, def_stmt, var, AFTER_STMT);
++	default:
++		debug_gimple_stmt(def_stmt);
++		debug_tree(rhs1);
++		gcc_unreachable();
++	}
++
++	if (new_rhs1 == NULL_TREE)
++		return create_assign(visited, def_stmt, rhs1, AFTER_STMT);
++	return dup_assign(visited, def_stmt, new_rhs1, NULL_TREE, NULL_TREE);
++}
++
++static tree transform_mult_overflow(tree rhs, tree const_rhs, tree log2const_rhs, location_t loc)
++{
++	tree new_def_rhs;
++
++	if (!is_gimple_constant(rhs))
++		return NULL_TREE;
++
++	new_def_rhs = fold_build2_loc(loc, MULT_EXPR, TREE_TYPE(const_rhs), rhs, const_rhs);
++	new_def_rhs = signed_cast_constant(new_def_rhs);
++	if (int_cst_value(new_def_rhs) >= 0)
++		return NULL_TREE;
++	return fold_build2_loc(loc, RSHIFT_EXPR, TREE_TYPE(new_def_rhs), new_def_rhs, log2const_rhs);
++}
++
++static tree handle_intentional_mult_overflow(struct pointer_set_t *visited, tree rhs, tree const_rhs)
++{
++	gimple new_def_stmt, def_stmt;
++	tree def_rhs1, def_rhs2, new_def_rhs;
++	location_t loc;
++	tree log2const_rhs;
++	int log2 = exact_log2(TREE_INT_CST_LOW(const_rhs));
++
++	if (log2 == -1) {
++//		warning(0, "Possibly unhandled intentional integer truncation");
++		return NULL_TREE;
++	}
++
++	def_stmt = get_def_stmt(rhs);
++	loc = gimple_location(def_stmt);
++	def_rhs1 = gimple_assign_rhs1(def_stmt);
++	def_rhs2 = gimple_assign_rhs2(def_stmt);
++	new_def_stmt = get_def_stmt(expand(visited, rhs));
++	log2const_rhs = build_int_cstu(TREE_TYPE(const_rhs), log2);
++
++	new_def_rhs = transform_mult_overflow(def_rhs1, const_rhs, log2const_rhs, loc);
++	if (new_def_rhs != NULL_TREE) {
++		gimple_assign_set_rhs1(new_def_stmt, new_def_rhs);
++	} else {
++		new_def_rhs = transform_mult_overflow(def_rhs2, const_rhs, log2const_rhs, loc);
++		if (new_def_rhs != NULL_TREE)
++			gimple_assign_set_rhs2(new_def_stmt, new_def_rhs);
++	}
++	if (new_def_rhs == NULL_TREE)
++		return NULL_TREE;
++
++	update_stmt(new_def_stmt);
++//	warning(0, "Handle integer truncation (gcc optimization)");
++	return gimple_get_lhs(new_def_stmt);
++}
++
++static bool is_mult_overflow(gimple def_stmt, tree rhs1)
++{
++	gimple rhs1_def_stmt = get_def_stmt(rhs1);
++
++	if (gimple_assign_rhs_code(def_stmt) != MULT_EXPR)
++		return false;
++	if (gimple_code(rhs1_def_stmt) != GIMPLE_ASSIGN)
++		return false;
++	if (gimple_assign_rhs_code(rhs1_def_stmt) != PLUS_EXPR)
++		return false;
++	return true;
++}
++
++static tree handle_intentional_overflow(struct pointer_set_t *visited, gimple def_stmt, tree rhs1, tree rhs2)
++{
++	if (is_mult_overflow(def_stmt, rhs1))
++		return handle_intentional_mult_overflow(visited, rhs1, rhs2);
++	return NULL_TREE;
++}
++
++static tree handle_binary_ops(struct pointer_set_t *visited, tree var)
++{
++	tree rhs1, rhs2;
++	gimple def_stmt = get_def_stmt(var);
++	tree new_rhs1 = NULL_TREE;
++	tree new_rhs2 = NULL_TREE;
++
++	rhs1 = gimple_assign_rhs1(def_stmt);
++	rhs2 = gimple_assign_rhs2(def_stmt);
++
++	/* no DImode/TImode division in the 32/64 bit kernel */
++	switch (gimple_assign_rhs_code(def_stmt)) {
++	case RDIV_EXPR:
++	case TRUNC_DIV_EXPR:
++	case CEIL_DIV_EXPR:
++	case FLOOR_DIV_EXPR:
++	case ROUND_DIV_EXPR:
++	case TRUNC_MOD_EXPR:
++	case CEIL_MOD_EXPR:
++	case FLOOR_MOD_EXPR:
++	case ROUND_MOD_EXPR:
++	case EXACT_DIV_EXPR:
++	case POINTER_PLUS_EXPR:
++	/* logical AND cannot cause an overflow */
++	case BIT_AND_EXPR:
++		return create_assign(visited, def_stmt, var, AFTER_STMT);
++	default:
++		break;
++	}
++
++	if (is_gimple_constant(rhs2)) {
++		new_rhs2 = signed_cast_constant(rhs2);
++		new_rhs1 = handle_intentional_overflow(visited, def_stmt, rhs1, rhs2);
++	}
++
++	if (is_gimple_constant(rhs1)) {
++		new_rhs1 = signed_cast_constant(rhs1);
++		new_rhs2 = handle_intentional_overflow(visited, def_stmt, rhs2, rhs1);
++	}
++
++	if (new_rhs1 == NULL_TREE && TREE_CODE(rhs1) == SSA_NAME)
++		new_rhs1 = expand(visited, rhs1);
++	if (new_rhs2 == NULL_TREE && TREE_CODE(rhs2) == SSA_NAME)
++		new_rhs2 = expand(visited, rhs2);
++
++	return dup_assign(visited, def_stmt, new_rhs1, new_rhs2, NULL_TREE);
++}
++
++#if BUILDING_GCC_VERSION >= 4007
++static tree get_new_rhs(struct pointer_set_t *visited, tree rhs)
++{
++	if (is_gimple_constant(rhs))
++		return signed_cast_constant(rhs);
++	if (TREE_CODE(rhs) != SSA_NAME)
++		return NULL_TREE;
++	return expand(visited, rhs);
++}
++
++static tree handle_ternary_ops(struct pointer_set_t *visited, tree var)
++{
++	tree rhs1, rhs2, rhs3, new_rhs1, new_rhs2, new_rhs3;
++	gimple def_stmt = get_def_stmt(var);
++
++	rhs1 = gimple_assign_rhs1(def_stmt);
++	rhs2 = gimple_assign_rhs2(def_stmt);
++	rhs3 = gimple_assign_rhs3(def_stmt);
++	new_rhs1 = get_new_rhs(visited, rhs1);
++	new_rhs2 = get_new_rhs(visited, rhs2);
++	new_rhs3 = get_new_rhs(visited, rhs3);
++
++	if (new_rhs1 == NULL_TREE && new_rhs2 != NULL_TREE && new_rhs3 != NULL_TREE)
++		return dup_assign(visited, def_stmt, new_rhs1, new_rhs2, new_rhs3);
++	error("handle_ternary_ops: unknown rhs");
++	gcc_unreachable();
++}
++#endif
++
++static void set_size_overflow_type(tree node)
++{
++	switch (TYPE_MODE(TREE_TYPE(node))) {
++	case SImode:
++		signed_size_overflow_type = intDI_type_node;
++		unsigned_size_overflow_type = unsigned_intDI_type_node;
++		break;
++	case DImode:
++		if (LONG_TYPE_SIZE == GET_MODE_BITSIZE(SImode)) {
++			signed_size_overflow_type = intDI_type_node;
++			unsigned_size_overflow_type = unsigned_intDI_type_node;
++		} else {
++			signed_size_overflow_type = intTI_type_node;
++			unsigned_size_overflow_type = unsigned_intTI_type_node;
++		}
++		break;
++	default:
++		error("set_size_overflow_type: unsupported gcc configuration.");
++		gcc_unreachable();
++	}
++}
++
++static tree expand_visited(gimple def_stmt)
++{
++	gimple tmp;
++	gimple_stmt_iterator gsi = gsi_for_stmt(def_stmt);
++
++	gsi_next(&gsi);
++	tmp = gsi_stmt(gsi);
++	switch (gimple_code(tmp)) {
++	case GIMPLE_ASSIGN:
++		return gimple_get_lhs(tmp);
++	case GIMPLE_PHI:
++		return gimple_phi_result(tmp);
++	case GIMPLE_CALL:
++		return gimple_call_lhs(tmp);
++	default:
++		return NULL_TREE;
++	}
++}
++
++static tree expand(struct pointer_set_t *visited, tree var)
++{
++	gimple def_stmt;
++
++	if (is_gimple_constant(var))
++		return NULL_TREE;
++
++	if (TREE_CODE(var) == ADDR_EXPR)
++		return NULL_TREE;
++
++	if (SSA_NAME_IS_DEFAULT_DEF(var))
++		return NULL_TREE;
++
++	def_stmt = get_def_stmt(var);
++
++	if (!def_stmt)
++		return NULL_TREE;
++
++	if (pointer_set_contains(visited, def_stmt))
++		return expand_visited(def_stmt);
++
++	switch (gimple_code(def_stmt)) {
++	case GIMPLE_NOP:
++		check_missing_attribute(var);
++		return NULL_TREE;
++	case GIMPLE_PHI:
++		return build_new_phi(visited, def_stmt);
++	case GIMPLE_CALL:
++	case GIMPLE_ASM:
++		gcc_assert(TREE_CODE(TREE_TYPE(var)) != VOID_TYPE);
++		return create_assign(visited, def_stmt, var, AFTER_STMT);
++	case GIMPLE_ASSIGN:
++		switch (gimple_num_ops(def_stmt)) {
++		case 2:
++			return handle_unary_ops(visited, var);
++		case 3:
++			return handle_binary_ops(visited, var);
++#if BUILDING_GCC_VERSION >= 4007
++		case 4:
++			return handle_ternary_ops(visited, var);
++#endif
++		}
++	default:
++		debug_gimple_stmt(def_stmt);
++		error("expand: unknown gimple code");
++		gcc_unreachable();
++	}
++}
++
++static void change_function_arg(gimple func_stmt, tree origarg, unsigned int argnum, tree newarg)
++{
++	gimple assign, stmt;
++	gimple_stmt_iterator gsi = gsi_for_stmt(func_stmt);
++	tree origtype = TREE_TYPE(origarg);
++
++	stmt = gsi_stmt(gsi);
++	gcc_assert(gimple_code(stmt) == GIMPLE_CALL);
++
++	assign = build_cast_stmt(origtype, newarg, CREATE_NEW_VAR, gimple_location(stmt));
++	gsi_insert_before(&gsi, assign, GSI_SAME_STMT);
++	update_stmt(assign);
++
++	gimple_call_set_arg(stmt, argnum, gimple_get_lhs(assign));
++	update_stmt(stmt);
++}
++
++static tree get_function_arg(unsigned int argnum, gimple stmt, tree fndecl)
++{
++	const char *origid;
++	tree arg, origarg;
++
++	if (!DECL_ABSTRACT_ORIGIN(fndecl)) {
++		gcc_assert(gimple_call_num_args(stmt) > argnum);
++		return gimple_call_arg(stmt, argnum);
++	}
++
++	origarg = DECL_ARGUMENTS(DECL_ABSTRACT_ORIGIN(fndecl));
++	while (origarg && argnum) {
++		argnum--;
++		origarg = TREE_CHAIN(origarg);
++	}
++
++	gcc_assert(argnum == 0);
++
++	gcc_assert(origarg != NULL_TREE);
++	origid = NAME(origarg);
++	for (arg = DECL_ARGUMENTS(fndecl); arg; arg = TREE_CHAIN(arg)) {
++		if (!strcmp(origid, NAME(arg)))
++			return arg;
++	}
++	return NULL_TREE;
++}
++
++static void insert_cond(tree arg, basic_block cond_bb)
++{
++	gimple cond_stmt;
++	gimple_stmt_iterator gsi = gsi_last_bb(cond_bb);
++
++	cond_stmt = gimple_build_cond(GT_EXPR, arg, build_int_cstu(signed_size_overflow_type, 0x7fffffff), NULL_TREE, NULL_TREE);
++	gsi_insert_after(&gsi, cond_stmt, GSI_CONTINUE_LINKING);
++	update_stmt(cond_stmt);
++}
++
++static tree create_string_param(tree string)
++{
++	tree array_ref = build4(ARRAY_REF, TREE_TYPE(string), string, integer_zero_node, NULL, NULL);
++
++	return build1(ADDR_EXPR, ptr_type_node, array_ref);
++}
++
++static void insert_cond_result(basic_block bb_true, gimple stmt, tree arg)
++{
++	gimple func_stmt, def_stmt;
++	tree current_func, loc_file, loc_line;
++	expanded_location xloc;
++	gimple_stmt_iterator gsi = gsi_start_bb(bb_true);
++
++	def_stmt = get_def_stmt(arg);
++	xloc = expand_location(gimple_location(def_stmt));
++
++	if (!gimple_has_location(def_stmt)) {
++		xloc = expand_location(gimple_location(stmt));
++		gcc_assert(gimple_has_location(stmt));
++	}
++
++	loc_line = build_int_cstu(unsigned_type_node, xloc.line);
++
++	loc_file = build_string(strlen(xloc.file), xloc.file);
++	TREE_TYPE(loc_file) = char_array_type_node;
++	loc_file = create_string_param(loc_file);
++
++	current_func = build_string(IDENTIFIER_LENGTH(DECL_NAME(current_function_decl)), NAME(current_function_decl));
++	TREE_TYPE(current_func) = char_array_type_node;
++	current_func = create_string_param(current_func);
++
++	// void report_size_overflow(const char *file, unsigned int line, const char *func)
++	func_stmt = gimple_build_call(report_size_overflow_decl, 3, loc_file, loc_line, current_func);
++
++	gsi_insert_after(&gsi, func_stmt, GSI_CONTINUE_LINKING);
++}
++
++static void insert_check_size_overflow(gimple stmt, tree arg)
++{
++	basic_block cond_bb, join_bb, bb_true;
++	edge e;
++	gimple_stmt_iterator gsi = gsi_for_stmt(stmt);
++
++	cond_bb = gimple_bb(stmt);
++	gsi_prev(&gsi);
++	if (gsi_end_p(gsi))
++		e = split_block_after_labels(cond_bb);
++	else
++		e = split_block(cond_bb, gsi_stmt(gsi));
++	cond_bb = e->src;
++	join_bb = e->dest;
++	e->flags = EDGE_FALSE_VALUE;
++	e->probability = REG_BR_PROB_BASE;
++
++	bb_true = create_empty_bb(cond_bb);
++	make_edge(cond_bb, bb_true, EDGE_TRUE_VALUE);
++
++	if (dom_info_available_p(CDI_DOMINATORS)) {
++		set_immediate_dominator(CDI_DOMINATORS, bb_true, cond_bb);
++		set_immediate_dominator(CDI_DOMINATORS, join_bb, cond_bb);
++	}
++
++	insert_cond(arg, cond_bb);
++	insert_cond_result(bb_true, stmt, arg);
++}
++
++static void handle_function_arg(gimple stmt, tree fndecl, unsigned int argnum)
++{
++	struct pointer_set_t *visited;
++	tree arg, newarg;
++	gimple ucast_stmt;
++	gimple_stmt_iterator gsi;
++	location_t loc = gimple_location(stmt);
++
++	arg = get_function_arg(argnum, stmt, fndecl);
++	if (arg == NULL_TREE)
++		return;
++
++	if (is_gimple_constant(arg))
++		return;
++	if (TREE_CODE(arg) != SSA_NAME)
++		return;
++
++	set_size_overflow_type(arg);
++	visited = pointer_set_create();
++	newarg = expand(visited, arg);
++	pointer_set_destroy(visited);
++
++	if (newarg == NULL_TREE)
++		return;
++
++	change_function_arg(stmt, arg, argnum, newarg);
++
++	ucast_stmt = build_cast_stmt(unsigned_size_overflow_type, newarg, CREATE_NEW_VAR, loc);
++	gsi = gsi_for_stmt(stmt);
++	gsi_insert_before(&gsi, ucast_stmt, GSI_SAME_STMT);
++
++	insert_check_size_overflow(stmt, gimple_get_lhs(ucast_stmt));
++//	inform(loc, "Integer size_overflow check applied here.");
++}
++
++static void handle_function_by_attribute(gimple stmt, tree attr, tree fndecl)
++{
++	tree p = TREE_VALUE(attr);
++	do {
++		handle_function_arg(stmt, fndecl, TREE_INT_CST_LOW(TREE_VALUE(p))-1);
++		p = TREE_CHAIN(p);
++	} while (p);
++}
++
++static void handle_function_by_hash(gimple stmt, tree fndecl)
++{
++	struct size_overflow_hash *hash;
++	expanded_location xloc;
++
++	hash = get_function_hash(fndecl);
++	xloc = expand_location(DECL_SOURCE_LOCATION(fndecl));
++
++	fndecl = get_original_function_decl(fndecl);
++	if (!hash->name || !hash->file)
++		return;
++	if (strcmp(hash->name, NAME(fndecl)) || strcmp(hash->file, xloc.file))
++		return;
++
++#define search_param(argnum)							\
++	if (hash->param##argnum)						\
++		handle_function_arg(stmt, fndecl, argnum - 1);
++
++	search_param(1);
++	search_param(2);
++	search_param(3);
++	search_param(4);
++	search_param(5);
++	search_param(6);
++	search_param(7);
++	search_param(8);
++	search_param(9);
++#undef search_param
++}
++
++static unsigned int handle_function(void)
++{
++	basic_block bb = ENTRY_BLOCK_PTR->next_bb;
++	int saved_last_basic_block = last_basic_block;
++
++	do {
++		gimple_stmt_iterator gsi;
++		basic_block next = bb->next_bb;
++
++		for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
++			tree fndecl, attr;
++			gimple stmt = gsi_stmt(gsi);
++
++			if (!(is_gimple_call(stmt)))
++				continue;
++			fndecl = gimple_call_fndecl(stmt);
++			if (fndecl == NULL_TREE)
++				continue;
++			if (gimple_call_num_args(stmt) == 0)
++				continue;
++			attr = lookup_attribute("size_overflow", TYPE_ATTRIBUTES(TREE_TYPE(fndecl)));
++			if (!attr || !TREE_VALUE(attr))
++				handle_function_by_hash(stmt, fndecl);
++			else
++				handle_function_by_attribute(stmt, attr, fndecl);
++			gsi = gsi_for_stmt(stmt);
++		}
++		bb = next;
++	} while (bb && bb->index <= saved_last_basic_block);
++	return 0;
++}
++
++static struct gimple_opt_pass size_overflow_pass = {
++	.pass = {
++		.type			= GIMPLE_PASS,
++		.name			= "size_overflow",
++		.gate			= NULL,
++		.execute		= handle_function,
++		.sub			= NULL,
++		.next			= NULL,
++		.static_pass_number	= 0,
++		.tv_id			= TV_NONE,
++		.properties_required	= PROP_cfg | PROP_referenced_vars,
++		.properties_provided	= 0,
++		.properties_destroyed	= 0,
++		.todo_flags_start	= 0,
++		.todo_flags_finish	= TODO_verify_ssa | TODO_verify_stmts | TODO_dump_func | TODO_remove_unused_locals | TODO_update_ssa_no_phi | TODO_cleanup_cfg | TODO_ggc_collect | TODO_verify_flow
++	}
++};
++
++static void start_unit_callback(void __unused *gcc_data, void __unused *user_data)
++{
++	tree fntype;
++
++	const_char_ptr_type_node = build_pointer_type(build_type_variant(char_type_node, 1, 0));
++
++	// void report_size_overflow(const char *loc_file, unsigned int loc_line, const char *current_func)
++	fntype = build_function_type_list(void_type_node,
++					  const_char_ptr_type_node,
++					  unsigned_type_node,
++					  const_char_ptr_type_node,
++					  NULL_TREE);
++	report_size_overflow_decl = build_fn_decl("report_size_overflow", fntype);
++
++	TREE_PUBLIC(report_size_overflow_decl) = 1;
++	DECL_EXTERNAL(report_size_overflow_decl) = 1;
++	DECL_ARTIFICIAL(report_size_overflow_decl) = 1;
++}
++
++extern struct gimple_opt_pass pass_dce;
++
++int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
++{
++	int i;
++	const char * const plugin_name = plugin_info->base_name;
++	const int argc = plugin_info->argc;
++	const struct plugin_argument * const argv = plugin_info->argv;
++	bool enable = true;
++
++	struct register_pass_info size_overflow_pass_info = {
++		.pass				= &size_overflow_pass.pass,
++		.reference_pass_name		= "mudflap2",
++		.ref_pass_instance_number	= 1,
++		.pos_op				= PASS_POS_INSERT_BEFORE
++	};
++
++	struct register_pass_info dce_pass_info = {
++		.pass				= &pass_dce.pass,
++		.reference_pass_name		= "mudflap2",
++		.ref_pass_instance_number	= 1,
++		.pos_op				= PASS_POS_INSERT_BEFORE
++	};
++
++	if (!plugin_default_version_check(version, &gcc_version)) {
++		error(G_("incompatible gcc/plugin versions"));
++		return 1;
++	}
++
++	for (i = 0; i < argc; ++i) {
++		if (!(strcmp(argv[i].key, "no-size_overflow"))) {
++			enable = false;
++			continue;
++		}
++		error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
++	}
++
++	register_callback(plugin_name, PLUGIN_INFO, NULL, &size_overflow_plugin_info);
++	if (enable) {
++		register_callback ("start_unit", PLUGIN_START_UNIT, &start_unit_callback, NULL);
++		register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &size_overflow_pass_info);
++		register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &dce_pass_info);
++	}
++	register_callback(plugin_name, PLUGIN_ATTRIBUTES, register_attributes, NULL);
++
++	return 0;
++}
 diff --git a/tools/gcc/stackleak_plugin.c b/tools/gcc/stackleak_plugin.c
 new file mode 100644
-index 0000000..ea79948
+index 0000000..b87ec9d
 --- /dev/null
 +++ b/tools/gcc/stackleak_plugin.c
-@@ -0,0 +1,326 @@
+@@ -0,0 +1,313 @@
 +/*
 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
 + * Licensed under the GPL v2
@@ -106465,12 +109282,10 @@ index 0000000..ea79948
 +static int track_frame_size = -1;
 +static const char track_function[] = "pax_track_stack";
 +static const char check_function[] = "pax_check_alloca";
-+static tree pax_check_alloca_decl;
-+static tree pax_track_stack_decl;
 +static bool init_locals;
 +
 +static struct plugin_info stackleak_plugin_info = {
-+	.version	= "201203021600",
++	.version	= "201203140940",
 +	.help		= "track-lowest-sp=nn\ttrack sp in functions whose frame size is at least nn bytes\n"
 +//			  "initialize-locals\t\tforcibly initialize all stack frames\n"
 +};
@@ -106523,20 +109338,29 @@ index 0000000..ea79948
 +static void stackleak_check_alloca(gimple_stmt_iterator *gsi)
 +{
 +	gimple check_alloca;
-+	tree alloca_size;
++	tree fntype, fndecl, alloca_size;
++
++	fntype = build_function_type_list(void_type_node, long_unsigned_type_node, NULL_TREE);
++	fndecl = build_fn_decl(check_function, fntype);
++	DECL_ASSEMBLER_NAME(fndecl); // for LTO
 +
 +	// insert call to void pax_check_alloca(unsigned long size)
 +	alloca_size = gimple_call_arg(gsi_stmt(*gsi), 0);
-+	check_alloca = gimple_build_call(pax_check_alloca_decl, 1, alloca_size);
++	check_alloca = gimple_build_call(fndecl, 1, alloca_size);
 +	gsi_insert_before(gsi, check_alloca, GSI_SAME_STMT);
 +}
 +
 +static void stackleak_add_instrumentation(gimple_stmt_iterator *gsi)
 +{
 +	gimple track_stack;
++	tree fntype, fndecl;
++
++	fntype = build_function_type_list(void_type_node, NULL_TREE);
++	fndecl = build_fn_decl(track_function, fntype);
++	DECL_ASSEMBLER_NAME(fndecl); // for LTO
 +
 +	// insert call to void pax_track_stack(void)
-+	track_stack = gimple_build_call(pax_track_stack_decl, 0);
++	track_stack = gimple_build_call(fndecl, 0);
 +	gsi_insert_after(gsi, track_stack, GSI_CONTINUE_LINKING);
 +}
 +
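Review bot: `stackleak_check_alloca` and `stackleak_add_instrumentation` now call `build_fn_decl` at every instrumented call site, and nothing in the hunk says why the per-unit declarations were dropped. If the reason is that the file-scope `tree` statics were not registered as GC roots (an inference, not shown here), a comment such as `// build the decl per call site: a cached file-scope tree is not a GC root` would stop someone re-caching them later. The explicit `TREE_PUBLIC`/`DECL_EXTERNAL`/`DECL_ARTIFICIAL` assignments from the removed start-unit callback are not repeated; as far as I know `build_fn_decl` sets these itself, which the same comment could state. The two bodies also repeat the same decl setup, so a small static helper that takes the name and function type and returns the decl after `DECL_ASSEMBLER_NAME(fndecl);` would keep them in step.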
@@ -106603,12 +109427,14 @@ index 0000000..ea79948
 +		}
 +	}
 +
-+	// special case for some bad linux code: taking the address of static inline functions will materialize them
++	// special cases for some bad linux code: taking the address of static inline functions will materialize them
 +	// but we mustn't instrument some of them as the resulting stack alignment required by the function call ABI
 +	// will break other assumptions regarding the expected (but not otherwise enforced) register clobbering  ABI.
 +	// case in point: native_save_fl on amd64 when optimized for size clobbers rdx if it were instrumented here.
 +	if (is_leaf && !TREE_PUBLIC(current_function_decl) && DECL_DECLARED_INLINE_P(current_function_decl))
 +		return 0;
++	if (is_leaf && !strncmp(IDENTIFIER_POINTER(DECL_NAME(current_function_decl)), "_paravirt_", 10))
++		return 0;
 +
 +	// 4. insert track call at the beginning
 +	if (!prologue_instrumented) {
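Review bot: The new `_paravirt_` exemption hard-codes the prefix length as `10` and has no comment of its own; the text above it still gives a concrete example only for the static-inline case. Tying the length to the string, e.g. `static const char pv_prefix[] = "_paravirt_";` and `!strncmp(name, pv_prefix, sizeof(pv_prefix) - 1)`, avoids a silent mismatch if the prefix is ever edited. Because the test matches on name alone, every leaf function whose name starts with that prefix is left without stack tracking, so a one-line comment naming the ABI assumption it protects (as the `native_save_fl` example does for the first case) would let a reviewer judge that gap. The enclosing function starts and ends outside this hunk.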
@@ -106669,27 +109495,6 @@ index 0000000..ea79948
 +	return 0;
 +}
 +
-+static void stackleak_start_unit(void *gcc_data, void *user_data)
-+{
-+	tree fntype;
-+
-+	// declare void pax_check_alloca(unsigned long size)
-+	fntype = build_function_type_list(void_type_node, long_unsigned_type_node, NULL_TREE);
-+	pax_check_alloca_decl = build_fn_decl(check_function, fntype);
-+	DECL_ASSEMBLER_NAME(pax_check_alloca_decl); // for LTO
-+	TREE_PUBLIC(pax_check_alloca_decl) = 1;
-+	DECL_EXTERNAL(pax_check_alloca_decl) = 1;
-+	DECL_ARTIFICIAL(pax_check_alloca_decl) = 1;
-+
-+	// declare void pax_track_stack(void)
-+	fntype = build_function_type_list(void_type_node, NULL_TREE);
-+	pax_track_stack_decl = build_fn_decl(track_function, fntype);
-+	DECL_ASSEMBLER_NAME(pax_track_stack_decl); // for LTO
-+	TREE_PUBLIC(pax_track_stack_decl) = 1;
-+	DECL_EXTERNAL(pax_track_stack_decl) = 1;
-+	DECL_ARTIFICIAL(pax_track_stack_decl) = 1;
-+}
-+
 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
 +{
 +	const char * const plugin_name = plugin_info->base_name;
@@ -106739,7 +109544,6 @@ index 0000000..ea79948
 +		error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
 +	}
 +
-+	register_callback(plugin_name, PLUGIN_START_UNIT, &stackleak_start_unit, NULL);
 +	register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &stackleak_tree_instrument_pass_info);
 +	register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &stackleak_final_pass_info);
 +

diff --git a/2.6.32/4425_grsec_enable_xtpax.patch b/2.6.32/4425_grsec_enable_xtpax.patch
deleted file mode 100644
index 9735ecf..0000000
--- a/2.6.32/4425_grsec_enable_xtpax.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-From: Anthony G. Basile <blueness@gentoo.org>
-
-Unlock PAX_XATTR_PAX_FLAGS option
-
-diff -Naur a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig	2012-02-05 12:24:37.000000000 -0500
-+++ b/security/Kconfig	2012-02-05 12:25:04.000000000 -0500
-@@ -92,7 +92,7 @@
- 
- config PAX_XATTR_PAX_FLAGS
- 	bool 'Use filesystem extended attributes marking'
--	depends on EXPERT
-+#	depends on EXPERT
- 	select CIFS_XATTR if CIFS
- 	select EXT2_FS_XATTR if EXT2_FS
- 	select EXT3_FS_XATTR if EXT3_FS

diff --git a/3.2.11/0000_README b/3.2.11/0000_README
index b641520..e078ec7 100644
--- a/3.2.11/0000_README
+++ b/3.2.11/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-2.9-3.2.11-201203141956.patch
+Patch:	4420_grsecurity-2.9-3.2.11-201203181401.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/3.2.11/4420_grsecurity-2.9-3.2.11-201203141956.patch b/3.2.11/4420_grsecurity-2.9-3.2.11-201203181401.patch
similarity index 92%
rename from 3.2.11/4420_grsecurity-2.9-3.2.11-201203141956.patch
rename to 3.2.11/4420_grsecurity-2.9-3.2.11-201203181401.patch
index ba37ae4..4c91dcc 100644
--- a/3.2.11/4420_grsecurity-2.9-3.2.11-201203141956.patch
+++ b/3.2.11/4420_grsecurity-2.9-3.2.11-201203181401.patch
@@ -1,8 +1,12 @@
 diff --git a/Documentation/dontdiff b/Documentation/dontdiff
-index dfa6fc6..6af9546 100644
+index dfa6fc6..df93044 100644
 --- a/Documentation/dontdiff
 +++ b/Documentation/dontdiff
-@@ -5,6 +5,7 @@
+@@ -2,9 +2,11 @@
+ *.aux
+ *.bin
+ *.bz2
++*.c.[012]*.*
  *.cis
  *.cpio
  *.csp
@@ -10,7 +14,7 @@ index dfa6fc6..6af9546 100644
  *.dsp
  *.dvi
  *.elf
-@@ -14,6 +15,7 @@
+@@ -14,6 +16,7 @@
  *.gcov
  *.gen.S
  *.gif
@@ -18,7 +22,7 @@ index dfa6fc6..6af9546 100644
  *.grep
  *.grp
  *.gz
-@@ -48,9 +50,11 @@
+@@ -48,9 +51,11 @@
  *.tab.h
  *.tex
  *.ver
@@ -30,7 +34,7 @@ index dfa6fc6..6af9546 100644
  *_vga16.c
  *~
  \#*#
-@@ -70,6 +74,7 @@ Kerntypes
+@@ -70,6 +75,7 @@ Kerntypes
  Module.markers
  Module.symvers
  PENDING
@@ -38,7 +42,7 @@ index dfa6fc6..6af9546 100644
  SCCS
  System.map*
  TAGS
-@@ -93,19 +98,24 @@ bounds.h
+@@ -93,19 +99,24 @@ bounds.h
  bsetup
  btfixupprep
  build
@@ -63,7 +67,7 @@ index dfa6fc6..6af9546 100644
  conmakehash
  consolemap_deftbl.c*
  cpustr.h
-@@ -116,9 +126,11 @@ devlist.h*
+@@ -116,9 +127,11 @@ devlist.h*
  dnotify_test
  docproc
  dslm
@@ -75,7 +79,7 @@ index dfa6fc6..6af9546 100644
  fixdep
  flask.h
  fore200e_mkfirm
-@@ -126,12 +138,15 @@ fore200e_pca_fw.c*
+@@ -126,12 +139,15 @@ fore200e_pca_fw.c*
  gconf
  gconf.glade.h
  gen-devlist
@@ -91,7 +95,7 @@ index dfa6fc6..6af9546 100644
  hpet_example
  hugepage-mmap
  hugepage-shm
-@@ -146,7 +161,7 @@ int32.c
+@@ -146,7 +162,7 @@ int32.c
  int4.c
  int8.c
  kallsyms
@@ -100,7 +104,7 @@ index dfa6fc6..6af9546 100644
  keywords.c
  ksym.c*
  ksym.h*
-@@ -154,7 +169,7 @@ kxgettext
+@@ -154,7 +170,7 @@ kxgettext
  lkc_defs.h
  lex.c
  lex.*.c
@@ -109,7 +113,7 @@ index dfa6fc6..6af9546 100644
  logo_*.c
  logo_*_clut224.c
  logo_*_mono.c
-@@ -166,14 +181,15 @@ machtypes.h
+@@ -166,14 +182,15 @@ machtypes.h
  map
  map_hugetlb
  maui_boot.h
@@ -126,7 +130,7 @@ index dfa6fc6..6af9546 100644
  mkprep
  mkregtable
  mktables
-@@ -209,6 +225,7 @@ r300_reg_safe.h
+@@ -209,6 +226,7 @@ r300_reg_safe.h
  r420_reg_safe.h
  r600_reg_safe.h
  recordmcount
@@ -134,7 +138,7 @@ index dfa6fc6..6af9546 100644
  relocs
  rlim_names.h
  rn50_reg_safe.h
-@@ -219,6 +236,7 @@ setup
+@@ -219,6 +237,7 @@ setup
  setup.bin
  setup.elf
  sImage
@@ -142,7 +146,7 @@ index dfa6fc6..6af9546 100644
  sm_tbl*
  split-include
  syscalltab.h
-@@ -229,6 +247,7 @@ tftpboot.img
+@@ -229,6 +248,7 @@ tftpboot.img
  timeconst.h
  times.h*
  trix_boot.h
@@ -150,7 +154,7 @@ index dfa6fc6..6af9546 100644
  utsrelease.h*
  vdso-syms.lds
  vdso.lds
-@@ -246,7 +265,9 @@ vmlinux
+@@ -246,7 +266,9 @@ vmlinux
  vmlinux-*
  vmlinux.aout
  vmlinux.bin.all
@@ -160,7 +164,7 @@ index dfa6fc6..6af9546 100644
  vmlinuz
  voffset.h
  vsyscall.lds
-@@ -254,9 +275,11 @@ vsyscall_32.lds
+@@ -254,9 +276,11 @@ vsyscall_32.lds
  wanxlfw.inc
  uImage
  unifdef
@@ -191,7 +195,7 @@ index 81c287f..d456d02 100644
  
  	pcd.		[PARIDE]
 diff --git a/Makefile b/Makefile
-index 4b76371..53aa79c 100644
+index 4b76371..b091a81 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -217,7 +221,7 @@ index 4b76371..53aa79c 100644
  	$(Q)$(MAKE) $(build)=scripts/basic
  	$(Q)rm -f .tmp_quiet_recordmcount
  
-@@ -564,6 +565,50 @@ else
+@@ -564,6 +565,53 @@ else
  KBUILD_CFLAGS	+= -O2
  endif
  
@@ -244,10 +248,13 @@ index 4b76371..53aa79c 100644
 +endif
 +endif
 +COLORIZE_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/colorize_plugin.so
++ifdef CONFIG_PAX_SIZE_OVERFLOW
++SIZE_OVERFLOW_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/size_overflow_plugin.so -DSIZE_OVERFLOW_PLUGIN
++endif
 +GCC_PLUGINS_CFLAGS := $(CONSTIFY_PLUGIN_CFLAGS) $(STACKLEAK_PLUGIN_CFLAGS) $(KALLOCSTAT_PLUGIN_CFLAGS)
-+GCC_PLUGINS_CFLAGS += $(KERNEXEC_PLUGIN_CFLAGS) $(CHECKER_PLUGIN_CFLAGS) $(COLORIZE_PLUGIN_CFLAGS)
++GCC_PLUGINS_CFLAGS += $(KERNEXEC_PLUGIN_CFLAGS) $(CHECKER_PLUGIN_CFLAGS) $(COLORIZE_PLUGIN_CFLAGS) $(SIZE_OVERFLOW_PLUGIN_CFLAGS)
 +GCC_PLUGINS_AFLAGS := $(KERNEXEC_PLUGIN_AFLAGS)
-+export CONSTIFY_PLUGIN STACKLEAK_PLUGIN KERNEXEC_PLUGIN CHECKER_PLUGIN
++export CONSTIFY_PLUGIN STACKLEAK_PLUGIN KERNEXEC_PLUGIN CHECKER_PLUGIN SIZE_OVERFLOW_PLUGIN
 +ifeq ($(KBUILD_EXTMOD),)
 +gcc-plugins:
 +	$(Q)$(MAKE) $(build)=tools/gcc
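Review bot: The `export` line gains `SIZE_OVERFLOW_PLUGIN`, but the lines shown here assign only `SIZE_OVERFLOW_PLUGIN_CFLAGS`; unless a variable with the shorter name is set outside this hunk, the export passes nothing to sub-makes. If the intent is for `tools/gcc` or external-module builds to see whether the plugin is enabled, export the name that is actually assigned, or drop it from the list. When `CONFIG_PAX_SIZE_OVERFLOW` is unset the `_CFLAGS` variable expands to nothing, which is fine for `GCC_PLUGINS_CFLAGS`, but a short comment such as `# empty unless CONFIG_PAX_SIZE_OVERFLOW: no plugin, no -DSIZE_OVERFLOW_PLUGIN` would make that explicit. The surrounding conditional block begins before this hunk.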
@@ -268,7 +275,7 @@ index 4b76371..53aa79c 100644
  include $(srctree)/arch/$(SRCARCH)/Makefile
  
  ifneq ($(CONFIG_FRAME_WARN),0)
-@@ -708,7 +753,7 @@ export mod_strip_cmd
+@@ -708,7 +756,7 @@ export mod_strip_cmd
  
  
  ifeq ($(KBUILD_EXTMOD),)
@@ -277,7 +284,7 @@ index 4b76371..53aa79c 100644
  
  vmlinux-dirs	:= $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
  		     $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
-@@ -932,6 +977,8 @@ vmlinux.o: $(modpost-init) $(vmlinux-main) FORCE
+@@ -932,6 +980,8 @@ vmlinux.o: $(modpost-init) $(vmlinux-main) FORCE
  
  # The actual objects are generated when descending, 
  # make sure no implicit rule kicks in
@@ -286,7 +293,7 @@ index 4b76371..53aa79c 100644
  $(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ;
  
  # Handle descending into subdirectories listed in $(vmlinux-dirs)
-@@ -941,7 +988,7 @@ $(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ;
+@@ -941,7 +991,7 @@ $(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ;
  # Error messages still appears in the original language
  
  PHONY += $(vmlinux-dirs)
@@ -295,7 +302,7 @@ index 4b76371..53aa79c 100644
  	$(Q)$(MAKE) $(build)=$@
  
  # Store (new) KERNELRELASE string in include/config/kernel.release
-@@ -985,6 +1032,7 @@ prepare0: archprepare FORCE
+@@ -985,6 +1035,7 @@ prepare0: archprepare FORCE
  	$(Q)$(MAKE) $(build)=.
  
  # All the preparing..
@@ -303,7 +310,7 @@ index 4b76371..53aa79c 100644
  prepare: prepare0
  
  # Generate some files
-@@ -1086,6 +1134,8 @@ all: modules
+@@ -1086,6 +1137,8 @@ all: modules
  #	using awk while concatenating to the final file.
  
  PHONY += modules
@@ -312,7 +319,7 @@ index 4b76371..53aa79c 100644
  modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin
  	$(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order
  	@$(kecho) '  Building modules, stage 2.';
-@@ -1101,7 +1151,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin)
+@@ -1101,7 +1154,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin)
  
  # Target to prepare building external modules
  PHONY += modules_prepare
@@ -321,7 +328,7 @@ index 4b76371..53aa79c 100644
  
  # Target to install modules
  PHONY += modules_install
-@@ -1198,6 +1248,7 @@ distclean: mrproper
+@@ -1198,6 +1251,7 @@ distclean: mrproper
  		\( -name '*.orig' -o -name '*.rej' -o -name '*~' \
  		-o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
  		-o -name '.*.rej' \
@@ -329,7 +336,7 @@ index 4b76371..53aa79c 100644
  		-o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \
  		-type f -print | xargs rm -f
  
-@@ -1358,6 +1409,8 @@ PHONY += $(module-dirs) modules
+@@ -1358,6 +1412,8 @@ PHONY += $(module-dirs) modules
  $(module-dirs): crmodverdir $(objtree)/Module.symvers
  	$(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
  
@@ -338,7 +345,7 @@ index 4b76371..53aa79c 100644
  modules: $(module-dirs)
  	@$(kecho) '  Building modules, stage 2.';
  	$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
-@@ -1484,17 +1537,21 @@ else
+@@ -1484,17 +1540,21 @@ else
          target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
  endif
  
@@ -364,7 +371,7 @@ index 4b76371..53aa79c 100644
  	$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
  %.symtypes: %.c prepare scripts FORCE
  	$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
-@@ -1504,11 +1561,15 @@ endif
+@@ -1504,11 +1564,15 @@ endif
  	$(cmd_crmodverdir)
  	$(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
  	$(build)=$(build-dir)
@@ -4636,9 +4643,18 @@ index f92602e..27060b2 100644
  config SPARC64
  	def_bool 64BIT
 diff --git a/arch/sparc/Makefile b/arch/sparc/Makefile
-index ad1fb5d..fc5315b 100644
+index ad1fb5d..b117d90 100644
 --- a/arch/sparc/Makefile
 +++ b/arch/sparc/Makefile
+@@ -31,7 +31,7 @@ UTS_MACHINE    := sparc
+ 
+ #KBUILD_CFLAGS += -g -pipe -fcall-used-g5 -fcall-used-g7
+ KBUILD_CFLAGS += -m32 -pipe -mno-fpu -fcall-used-g5 -fcall-used-g7
+-KBUILD_AFLAGS += -m32
++KBUILD_AFLAGS += -m32 -Wa,-Av8
+ 
+ #LDFLAGS_vmlinux = -N -Ttext 0xf0004000
+ #  Since 2.5.40, the first stage is left not btfix-ed.
 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE)	+= arch/sparc/oprofile/
  # Export what is needed by arch/sparc/boot/Makefile
  export VMLINUX_INIT VMLINUX_MAIN
@@ -10010,6 +10026,18 @@ index cc70c1c..d96d011 100644
 +extern void machine_emergency_restart(void) __noreturn;
  
  #endif /* _ASM_X86_EMERGENCY_RESTART_H */
+diff --git a/arch/x86/include/asm/floppy.h b/arch/x86/include/asm/floppy.h
+index dbe82a5..c6d8a00 100644
+--- a/arch/x86/include/asm/floppy.h
++++ b/arch/x86/include/asm/floppy.h
+@@ -157,6 +157,7 @@ static unsigned long dma_mem_alloc(unsigned long size)
+ }
+ 
+ 
++static unsigned long vdma_mem_alloc(unsigned long size) __size_overflow(1);
+ static unsigned long vdma_mem_alloc(unsigned long size)
+ {
+ 	return (unsigned long)vmalloc(size);
 diff --git a/arch/x86/include/asm/futex.h b/arch/x86/include/asm/futex.h
 index d09bb03..4ea4194 100644
 --- a/arch/x86/include/asm/futex.h
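Review bot: The added declaration `static unsigned long vdma_mem_alloc(unsigned long size) __size_overflow(1);` has no comment, and nothing in this hunk says what the attribute's argument means. Judging by the other annotations in this patch it looks like a 1-based index of the parameter to be overflow-checked, here the `size` that goes straight into `vmalloc(size)`. A one-line comment above the declaration would help, for example `/* size (arg 1) is overflow-checked before it reaches vmalloc() */`. The same pattern of a prototype repeated immediately before its definition recurs in the mce-inject.c, mtrr/if.c, i387.c, ldt.c, ptrace.c and setup_percpu.c hunks. Each duplicated signature has to be kept in step with its definition by hand, which deserves a note wherever the attribute macro is defined.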
@@ -10183,7 +10211,7 @@ index 5478825..839e88c 100644
  #define flush_insn_slot(p)	do { } while (0)
  
 diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
-index b4973f4..7c4d3fc 100644
+index b4973f4..a42170a 100644
 --- a/arch/x86/include/asm/kvm_host.h
 +++ b/arch/x86/include/asm/kvm_host.h
 @@ -459,7 +459,7 @@ struct kvm_arch {
@@ -10204,6 +10232,36 @@ index b4973f4..7c4d3fc 100644
  
  struct kvm_arch_async_pf {
  	u32 token;
+@@ -667,9 +667,9 @@ void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned int kvm_nr_mmu_pages);
+ int load_pdptrs(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu, unsigned long cr3);
+ 
+ int emulator_write_phys(struct kvm_vcpu *vcpu, gpa_t gpa,
+-			  const void *val, int bytes);
++			  const void *val, int bytes) __size_overflow(2);
+ int kvm_pv_mmu_op(struct kvm_vcpu *vcpu, unsigned long bytes,
+-		  gpa_t addr, unsigned long *ret);
++		  gpa_t addr, unsigned long *ret) __size_overflow(2,3);
+ u8 kvm_get_guest_memory_type(struct kvm_vcpu *vcpu, gfn_t gfn);
+ 
+ extern bool tdp_enabled;
+@@ -730,7 +730,7 @@ void kvm_get_cs_db_l_bits(struct kvm_vcpu *vcpu, int *db, int *l);
+ int kvm_set_xcr(struct kvm_vcpu *vcpu, u32 index, u64 xcr);
+ 
+ int kvm_get_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata);
+-int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data);
++int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data) __size_overflow(3);
+ 
+ unsigned long kvm_get_rflags(struct kvm_vcpu *vcpu);
+ void kvm_set_rflags(struct kvm_vcpu *vcpu, unsigned long rflags);
+@@ -755,7 +755,7 @@ int fx_init(struct kvm_vcpu *vcpu);
+ void kvm_mmu_flush_tlb(struct kvm_vcpu *vcpu);
+ void kvm_mmu_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa,
+ 		       const u8 *new, int bytes,
+-		       bool guest_initiated);
++		       bool guest_initiated) __size_overflow(2);
+ int kvm_mmu_unprotect_page_virt(struct kvm_vcpu *vcpu, gva_t gva);
+ void __kvm_mmu_free_some_pages(struct kvm_vcpu *vcpu);
+ int kvm_mmu_load(struct kvm_vcpu *vcpu);
 diff --git a/arch/x86/include/asm/local.h b/arch/x86/include/asm/local.h
 index 9cdae5d..300d20f 100644
 --- a/arch/x86/include/asm/local.h
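Review bot: On `emulator_write_phys` and `kvm_mmu_pte_write` the annotation `__size_overflow(2)` selects the `gpa_t gpa` parameter, not the `int bytes` length, which is parameter 4 in both prototypes. By contrast `kvm_pv_mmu_op` marks `(2,3)`, its `bytes` and `addr`, and `kvm_set_msr_common` marks `data`. If the indices are 1-based parameter positions, as the rest of the patch suggests, the choice of the guest physical address over the byte count should be stated in a comment, for example `/* gpa (arg 2) is the checked operand; bytes is bounded by the callers */`. If the length was the intended target, the index would need to be 4. The definitions are outside this hunk, so which reading is correct cannot be confirmed from here.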
@@ -11804,6 +11862,19 @@ index cb23852..2dde194 100644
  asmlinkage long sys32_sysfs(int, u32, u32);
  
  asmlinkage long sys32_sched_rr_get_interval(compat_pid_t,
+diff --git a/arch/x86/include/asm/syscalls.h b/arch/x86/include/asm/syscalls.h
+index f1d8b44..a4de8b7 100644
+--- a/arch/x86/include/asm/syscalls.h
++++ b/arch/x86/include/asm/syscalls.h
+@@ -30,7 +30,7 @@ long sys_clone(unsigned long, unsigned long, void __user *,
+ 	       void __user *, struct pt_regs *);
+ 
+ /* kernel/ldt.c */
+-asmlinkage int sys_modify_ldt(int, void __user *, unsigned long);
++asmlinkage int sys_modify_ldt(int, void __user *, unsigned long) __size_overflow(3);
+ 
+ /* kernel/signal.c */
+ long sys_rt_sigreturn(struct pt_regs *);
 diff --git a/arch/x86/include/asm/system.h b/arch/x86/include/asm/system.h
 index 2d2f01c..f985723 100644
 --- a/arch/x86/include/asm/system.h
@@ -12237,11 +12308,36 @@ index 36361bf..324f262 100644
  
  #ifdef CONFIG_X86_WP_WORKS_OK
 diff --git a/arch/x86/include/asm/uaccess_32.h b/arch/x86/include/asm/uaccess_32.h
-index 566e803..b9521e9 100644
+index 566e803..4414921 100644
 --- a/arch/x86/include/asm/uaccess_32.h
 +++ b/arch/x86/include/asm/uaccess_32.h
-@@ -43,6 +43,9 @@ unsigned long __must_check __copy_from_user_ll_nocache_nozero
+@@ -11,15 +11,15 @@
+ #include <asm/page.h>
+ 
+ unsigned long __must_check __copy_to_user_ll
+-		(void __user *to, const void *from, unsigned long n);
++		(void __user *to, const void *from, unsigned long n) __size_overflow(3);
+ unsigned long __must_check __copy_from_user_ll
+-		(void *to, const void __user *from, unsigned long n);
++		(void *to, const void __user *from, unsigned long n) __size_overflow(3);
+ unsigned long __must_check __copy_from_user_ll_nozero
+-		(void *to, const void __user *from, unsigned long n);
++		(void *to, const void __user *from, unsigned long n) __size_overflow(3);
+ unsigned long __must_check __copy_from_user_ll_nocache
+-		(void *to, const void __user *from, unsigned long n);
++		(void *to, const void __user *from, unsigned long n) __size_overflow(3);
+ unsigned long __must_check __copy_from_user_ll_nocache_nozero
+-		(void *to, const void __user *from, unsigned long n);
++		(void *to, const void __user *from, unsigned long n) __size_overflow(3);
+ 
+ /**
+  * __copy_to_user_inatomic: - Copy a block of data into user space, with less checking.
+@@ -41,8 +41,13 @@ unsigned long __must_check __copy_from_user_ll_nocache_nozero
+  */
+ 
  static __always_inline unsigned long __must_check
++__copy_to_user_inatomic(void __user *to, const void *from, unsigned long n) __size_overflow(3);
++static __always_inline unsigned long __must_check
  __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
  {
 +	if ((long)n < 0)
@@ -12250,7 +12346,7 @@ index 566e803..b9521e9 100644
  	if (__builtin_constant_p(n)) {
  		unsigned long ret;
  
-@@ -61,6 +64,8 @@ __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
+@@ -61,6 +66,8 @@ __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
  			return ret;
  		}
  	}
@@ -12259,7 +12355,12 @@ index 566e803..b9521e9 100644
  	return __copy_to_user_ll(to, from, n);
  }
  
-@@ -82,12 +87,16 @@ static __always_inline unsigned long __must_check
+@@ -79,15 +86,23 @@ __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
+  * On success, this will be zero.
+  */
+ static __always_inline unsigned long __must_check
++__copy_to_user(void __user *to, const void *from, unsigned long n) __size_overflow(3);
++static __always_inline unsigned long __must_check
  __copy_to_user(void __user *to, const void *from, unsigned long n)
  {
  	might_fault();
@@ -12268,6 +12369,8 @@ index 566e803..b9521e9 100644
  }
  
  static __always_inline unsigned long
++__copy_from_user_inatomic(void *to, const void __user *from, unsigned long n) __size_overflow(3);
++static __always_inline unsigned long
  __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
  {
 +	if ((long)n < 0)
@@ -12276,7 +12379,12 @@ index 566e803..b9521e9 100644
  	/* Avoid zeroing the tail if the copy fails..
  	 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
  	 * but as the zeroing behaviour is only significant when n is not
-@@ -137,6 +146,10 @@ static __always_inline unsigned long
+@@ -134,9 +149,15 @@ __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
+  * for explanation of why this is needed.
+  */
+ static __always_inline unsigned long
++__copy_from_user(void *to, const void __user *from, unsigned long n) __size_overflow(3);
++static __always_inline unsigned long
  __copy_from_user(void *to, const void __user *from, unsigned long n)
  {
  	might_fault();
@@ -12287,7 +12395,7 @@ index 566e803..b9521e9 100644
  	if (__builtin_constant_p(n)) {
  		unsigned long ret;
  
-@@ -152,6 +165,8 @@ __copy_from_user(void *to, const void __user *from, unsigned long n)
+@@ -152,13 +173,21 @@ __copy_from_user(void *to, const void __user *from, unsigned long n)
  			return ret;
  		}
  	}
@@ -12296,7 +12404,9 @@ index 566e803..b9521e9 100644
  	return __copy_from_user_ll(to, from, n);
  }
  
-@@ -159,6 +174,10 @@ static __always_inline unsigned long __copy_from_user_nocache(void *to,
+ static __always_inline unsigned long __copy_from_user_nocache(void *to,
++				const void __user *from, unsigned long n) __size_overflow(3);
++static __always_inline unsigned long __copy_from_user_nocache(void *to,
  				const void __user *from, unsigned long n)
  {
  	might_fault();
@@ -12307,8 +12417,13 @@ index 566e803..b9521e9 100644
  	if (__builtin_constant_p(n)) {
  		unsigned long ret;
  
-@@ -181,15 +200,19 @@ static __always_inline unsigned long
+@@ -179,17 +208,24 @@ static __always_inline unsigned long __copy_from_user_nocache(void *to,
+ 
+ static __always_inline unsigned long
  __copy_from_user_inatomic_nocache(void *to, const void __user *from,
++				  unsigned long n) __size_overflow(3);
++static __always_inline unsigned long
++__copy_from_user_inatomic_nocache(void *to, const void __user *from,
  				  unsigned long n)
  {
 -       return __copy_from_user_ll_nocache_nozero(to, from, n);
@@ -12334,7 +12449,7 @@ index 566e803..b9521e9 100644
  
  extern void copy_from_user_overflow(void)
  #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
-@@ -199,17 +222,61 @@ extern void copy_from_user_overflow(void)
+@@ -199,24 +235,72 @@ extern void copy_from_user_overflow(void)
  #endif
  ;
  
@@ -12355,6 +12470,8 @@ index 566e803..b9521e9 100644
 + * On success, this will be zero.
 + */
 +static inline unsigned long __must_check
++copy_to_user(void __user *to, const void *from, unsigned long n) __size_overflow(3);
++static inline unsigned long __must_check
 +copy_to_user(void __user *to, const void *from, unsigned long n)
 +{
 +	int sz = __compiletime_object_size(from);
@@ -12383,6 +12500,8 @@ index 566e803..b9521e9 100644
 + * data to the requested size using zero bytes.
 + */
 +static inline unsigned long __must_check
++copy_from_user(void *to, const void __user *from, unsigned long n) __size_overflow(3);
++static inline unsigned long __must_check
 +copy_from_user(void *to, const void __user *from, unsigned long n)
  {
  	int sz = __compiletime_object_size(to);
@@ -12403,8 +12522,29 @@ index 566e803..b9521e9 100644
  	return n;
  }
  
+ long __must_check strncpy_from_user(char *dst, const char __user *src,
+-				    long count);
++				    unsigned long count) __size_overflow(3);
+ long __must_check __strncpy_from_user(char *dst,
+-				      const char __user *src, long count);
++				      const char __user *src, unsigned long count) __size_overflow(3);
+ 
+ /**
+  * strlen_user: - Get the size of a string in user space.
+@@ -234,8 +318,8 @@ long __must_check __strncpy_from_user(char *dst,
+  */
+ #define strlen_user(str) strnlen_user(str, LONG_MAX)
+ 
+-long strnlen_user(const char __user *str, long n);
+-unsigned long __must_check clear_user(void __user *mem, unsigned long len);
+-unsigned long __must_check __clear_user(void __user *mem, unsigned long len);
++long strnlen_user(const char __user *str, unsigned long n);
++unsigned long __must_check clear_user(void __user *mem, unsigned long len) __size_overflow(2);
++unsigned long __must_check __clear_user(void __user *mem, unsigned long len) __size_overflow(2);
+ 
+ #endif /* _ASM_X86_UACCESS_32_H */
 diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
-index 1c66d30..e66922c 100644
+index 1c66d30..2582764 100644
 --- a/arch/x86/include/asm/uaccess_64.h
 +++ b/arch/x86/include/asm/uaccess_64.h
 @@ -10,6 +10,9 @@
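Review bot: The `count`/`n` parameters of `strncpy_from_user`, `__strncpy_from_user` and `strnlen_user` change from `long` to `unsigned long` in these prototypes, so a negative length from a caller now arrives as a very large unsigned value. Any signed comparison in the definitions, which are not part of this hunk, would no longer see it as negative. The return types stay `long`. `strnlen_user` also gets the type change without a `__size_overflow` annotation, unlike `clear_user` and `__clear_user` next to it. If that omission is deliberate, a short comment such as `/* n is only an upper bound on the scan, not an allocation or copy size */` would record why. The uaccess_64.h hunk that rewrites the same prototypes (`strnlen_user`, `__strnlen_user`) has the same signedness change and the same omission.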
@@ -12417,23 +12557,25 @@ index 1c66d30..e66922c 100644
  
  /*
   * Copy To/From Userspace
-@@ -17,12 +20,12 @@
+@@ -17,12 +20,14 @@
  
  /* Handles exceptions in both to and from, but doesn't do access_ok */
  __must_check unsigned long
 -copy_user_generic_string(void *to, const void *from, unsigned len);
-+copy_user_generic_string(void *to, const void *from, unsigned long len);
++copy_user_generic_string(void *to, const void *from, unsigned long len) __size_overflow(3);
  __must_check unsigned long
 -copy_user_generic_unrolled(void *to, const void *from, unsigned len);
-+copy_user_generic_unrolled(void *to, const void *from, unsigned long len);
++copy_user_generic_unrolled(void *to, const void *from, unsigned long len) __size_overflow(3);
  
  static __always_inline __must_check unsigned long
 -copy_user_generic(void *to, const void *from, unsigned len)
++copy_user_generic(void *to, const void *from, unsigned long len) __size_overflow(3);
++static __always_inline __must_check unsigned long
 +copy_user_generic(void *to, const void *from, unsigned long len)
  {
  	unsigned ret;
  
-@@ -32,142 +35,226 @@ copy_user_generic(void *to, const void *from, unsigned len)
+@@ -32,142 +37,237 @@ copy_user_generic(void *to, const void *from, unsigned len)
  			 ASM_OUTPUT2("=a" (ret), "=D" (to), "=S" (from),
  				     "=d" (len)),
  			 "1" (to), "2" (from), "3" (len)
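Review bot: `copy_user_generic` now takes `unsigned long len`, returns `unsigned long` and is marked `__size_overflow(3)`, but the local on the context line below the signature is still `unsigned ret;`. The count of uncopied bytes is therefore carried in a 32-bit variable bound to `"=a"`, and a length above 4 GiB would come back truncated. A `size > INT_MAX` test is visible in a later hunk for one of the wrappers, which suggests lengths are capped before they get here, but that is not stated at this function. Either widen the local to `unsigned long ret;` or add a comment such as `/* callers reject len > INT_MAX, so a 32-bit remainder is sufficient */`. The rest of the function body lies outside this hunk.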
@@ -12443,19 +12585,22 @@ index 1c66d30..e66922c 100644
  }
  
 +static __always_inline __must_check unsigned long
-+__copy_to_user(void __user *to, const void *from, unsigned long len);
++__copy_to_user(void __user *to, const void *from, unsigned long len) __size_overflow(3);
 +static __always_inline __must_check unsigned long
-+__copy_from_user(void *to, const void __user *from, unsigned long len);
++__copy_from_user(void *to, const void __user *from, unsigned long len) __size_overflow(3);
  __must_check unsigned long
 -_copy_to_user(void __user *to, const void *from, unsigned len);
 -__must_check unsigned long
 -_copy_from_user(void *to, const void __user *from, unsigned len);
 -__must_check unsigned long
 -copy_in_user(void __user *to, const void __user *from, unsigned len);
-+copy_in_user(void __user *to, const void __user *from, unsigned long len);
++copy_in_user(void __user *to, const void __user *from, unsigned long len) __size_overflow(3);
  
  static inline unsigned long __must_check copy_from_user(void *to,
  					  const void __user *from,
++					  unsigned long n) __size_overflow(3);
++static inline unsigned long __must_check copy_from_user(void *to,
++					  const void __user *from,
  					  unsigned long n)
  {
 -	int sz = __compiletime_object_size(to);
@@ -12480,6 +12625,8 @@ index 1c66d30..e66922c 100644
  
  static __always_inline __must_check
 -int copy_to_user(void __user *dst, const void *src, unsigned size)
++int copy_to_user(void __user *dst, const void *src, unsigned long size) __size_overflow(3);
++static __always_inline __must_check
 +int copy_to_user(void __user *dst, const void *src, unsigned long size)
  {
  	might_fault();
@@ -12492,6 +12639,8 @@ index 1c66d30..e66922c 100644
  
  static __always_inline __must_check
 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
++unsigned long __copy_from_user(void *dst, const void __user *src, unsigned long size) __size_overflow(3);
++static __always_inline __must_check
 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned long size)
  {
 -	int ret = 0;
@@ -12580,6 +12729,8 @@ index 1c66d30..e66922c 100644
  
  static __always_inline __must_check
 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
++unsigned long __copy_to_user(void __user *dst, const void *src, unsigned long size) __size_overflow(3);
++static __always_inline __must_check
 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned long size)
  {
 -	int ret = 0;
@@ -12668,6 +12819,8 @@ index 1c66d30..e66922c 100644
  
  static __always_inline __must_check
 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
++unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned long size) __size_overflow(3);
++static __always_inline __must_check
 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned long size)
  {
 -	int ret = 0;
@@ -12708,7 +12861,7 @@ index 1c66d30..e66922c 100644
  			       ret, "b", "b", "=q", 1);
  		if (likely(!ret))
  			__put_user_asm(tmp, (u8 __user *)dst,
-@@ -176,7 +263,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -176,7 +276,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
  	}
  	case 2: {
  		u16 tmp;
@@ -12717,7 +12870,7 @@ index 1c66d30..e66922c 100644
  			       ret, "w", "w", "=r", 2);
  		if (likely(!ret))
  			__put_user_asm(tmp, (u16 __user *)dst,
-@@ -186,7 +273,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -186,7 +286,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
  
  	case 4: {
  		u32 tmp;
@@ -12726,7 +12879,7 @@ index 1c66d30..e66922c 100644
  			       ret, "l", "k", "=r", 4);
  		if (likely(!ret))
  			__put_user_asm(tmp, (u32 __user *)dst,
-@@ -195,7 +282,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -195,7 +295,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
  	}
  	case 8: {
  		u64 tmp;
@@ -12735,7 +12888,7 @@ index 1c66d30..e66922c 100644
  			       ret, "q", "", "=r", 8);
  		if (likely(!ret))
  			__put_user_asm(tmp, (u64 __user *)dst,
-@@ -203,8 +290,16 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
+@@ -203,51 +303,103 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
  		return ret;
  	}
  	default:
@@ -12754,11 +12907,26 @@ index 1c66d30..e66922c 100644
  	}
  }
  
-@@ -219,35 +314,72 @@ __must_check unsigned long clear_user(void __user *mem, unsigned long len);
- __must_check unsigned long __clear_user(void __user *mem, unsigned long len);
+ __must_check long
+-strncpy_from_user(char *dst, const char __user *src, long count);
++strncpy_from_user(char *dst, const char __user *src, unsigned long count) __size_overflow(3);
+ __must_check long
+-__strncpy_from_user(char *dst, const char __user *src, long count);
+-__must_check long strnlen_user(const char __user *str, long n);
+-__must_check long __strnlen_user(const char __user *str, long n);
++__strncpy_from_user(char *dst, const char __user *src, unsigned long count) __size_overflow(3);
++__must_check long strnlen_user(const char __user *str, unsigned long n);
++__must_check long __strnlen_user(const char __user *str, unsigned long n);
+ __must_check long strlen_user(const char __user *str);
+-__must_check unsigned long clear_user(void __user *mem, unsigned long len);
+-__must_check unsigned long __clear_user(void __user *mem, unsigned long len);
++__must_check unsigned long clear_user(void __user *mem, unsigned long len) __size_overflow(2);
++__must_check unsigned long __clear_user(void __user *mem, unsigned long len) __size_overflow(2);
  
  static __must_check __always_inline int
 -__copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
++__copy_from_user_inatomic(void *dst, const void __user *src, unsigned long size) __size_overflow(3);
++static __must_check __always_inline int
 +__copy_from_user_inatomic(void *dst, const void __user *src, unsigned long size)
  {
 -	return copy_user_generic(dst, (__force const void *)src, size);
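Review bot: `__copy_from_user_inatomic` keeps `static __must_check __always_inline int` on both the new prototype and the definition, although its `size` parameter is widened to `unsigned long`. The sibling `__copy_to_user_inatomic` in the next hunk is changed to return `unsigned long`, and so are `__copy_from_user`, `__copy_to_user` and `__copy_in_user` earlier in this file. If the `int` return is intentional, for instance because the new body (not visible in this hunk) bounds `size` first, a comment should say so. Otherwise the pair should agree on `static __must_check __always_inline unsigned long`, so a remaining-byte count is never narrowed on the way out.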
@@ -12779,6 +12947,8 @@ index 1c66d30..e66922c 100644
 -static __must_check __always_inline int
 -__copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
 +static __must_check __always_inline unsigned long
++__copy_to_user_inatomic(void __user *dst, const void *src, unsigned long size) __size_overflow(3);
++static __must_check __always_inline unsigned long
 +__copy_to_user_inatomic(void __user *dst, const void *src, unsigned long size)
  {
 -	return copy_user_generic((__force void *)dst, src, size);
@@ -12799,10 +12969,11 @@ index 1c66d30..e66922c 100644
 -extern long __copy_user_nocache(void *dst, const void __user *src,
 -				unsigned size, int zerorest);
 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
-+				unsigned long size, int zerorest);
++				unsigned long size, int zerorest) __size_overflow(3);
  
 -static inline int
 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
++static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned long size) __size_overflow(3);
 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned long size)
  {
  	might_sleep();
@@ -12822,6 +12993,8 @@ index 1c66d30..e66922c 100644
 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
 -				  unsigned size)
 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
++				  unsigned long size) __size_overflow(3);
++static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
 +				  unsigned long size)
  {
 +	if (size > INT_MAX)
@@ -12838,7 +13011,7 @@ index 1c66d30..e66922c 100644
 -unsigned long
 -copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
 +extern unsigned long
-+copy_user_handle_tail(char __user *to, char __user *from, unsigned long len, unsigned zerorest);
++copy_user_handle_tail(char __user *to, char __user *from, unsigned long len, unsigned zerorest) __size_overflow(3);
  
  #endif /* _ASM_X86_UACCESS_64_H */
 diff --git a/arch/x86/include/asm/vdso.h b/arch/x86/include/asm/vdso.h
@@ -13596,6 +13769,19 @@ index 5231312..a78a987 100644
  	load_idt(&idt_descr);
  }
  #endif
+diff --git a/arch/x86/kernel/cpu/mcheck/mce-inject.c b/arch/x86/kernel/cpu/mcheck/mce-inject.c
+index 319882e..993534e 100644
+--- a/arch/x86/kernel/cpu/mcheck/mce-inject.c
++++ b/arch/x86/kernel/cpu/mcheck/mce-inject.c
+@@ -173,6 +173,8 @@ static void raise_mce(struct mce *m)
+ 
+ /* Error injection interface */
+ static ssize_t mce_write(struct file *filp, const char __user *ubuf,
++			 size_t usize, loff_t *off) __size_overflow(3);
++static ssize_t mce_write(struct file *filp, const char __user *ubuf,
+ 			 size_t usize, loff_t *off)
+ {
+ 	struct mce m;
 diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
 index 2af127d..8ff7ac0 100644
 --- a/arch/x86/kernel/cpu/mcheck/mce.c
@@ -13765,6 +13951,19 @@ index 54060f5..c1a7577 100644
  	/* Make sure the vector pointer is visible before we enable MCEs: */
  	wmb();
  
+diff --git a/arch/x86/kernel/cpu/mtrr/if.c b/arch/x86/kernel/cpu/mtrr/if.c
+index 7928963..1b16001 100644
+--- a/arch/x86/kernel/cpu/mtrr/if.c
++++ b/arch/x86/kernel/cpu/mtrr/if.c
+@@ -91,6 +91,8 @@ mtrr_file_del(unsigned long base, unsigned long size,
+  *    "base=%Lx size=%Lx type=%s" or "disable=%d"
+  */
+ static ssize_t
++mtrr_write(struct file *file, const char __user *buf, size_t len, loff_t * ppos) __size_overflow(3);
++static ssize_t
+ mtrr_write(struct file *file, const char __user *buf, size_t len, loff_t * ppos)
+ {
+ 	int i, err;
 diff --git a/arch/x86/kernel/cpu/mtrr/main.c b/arch/x86/kernel/cpu/mtrr/main.c
 index 6b96110..0da73eb 100644
 --- a/arch/x86/kernel/cpu/mtrr/main.c
@@ -16808,6 +17007,79 @@ index 9c3bd4a..e1d9b35 100644
 +#ifdef CONFIG_PAX_KERNEXEC
 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
 +#endif
+diff --git a/arch/x86/kernel/i387.c b/arch/x86/kernel/i387.c
+index 739d859..d1d6be7 100644
+--- a/arch/x86/kernel/i387.c
++++ b/arch/x86/kernel/i387.c
+@@ -188,6 +188,9 @@ int xfpregs_active(struct task_struct *target, const struct user_regset *regset)
+ 
+ int xfpregs_get(struct task_struct *target, const struct user_regset *regset,
+ 		unsigned int pos, unsigned int count,
++		void *kbuf, void __user *ubuf) __size_overflow(4);
++int xfpregs_get(struct task_struct *target, const struct user_regset *regset,
++		unsigned int pos, unsigned int count,
+ 		void *kbuf, void __user *ubuf)
+ {
+ 	int ret;
+@@ -207,6 +210,9 @@ int xfpregs_get(struct task_struct *target, const struct user_regset *regset,
+ 
+ int xfpregs_set(struct task_struct *target, const struct user_regset *regset,
+ 		unsigned int pos, unsigned int count,
++		const void *kbuf, const void __user *ubuf) __size_overflow(4);
++int xfpregs_set(struct task_struct *target, const struct user_regset *regset,
++		unsigned int pos, unsigned int count,
+ 		const void *kbuf, const void __user *ubuf)
+ {
+ 	int ret;
+@@ -240,6 +246,9 @@ int xfpregs_set(struct task_struct *target, const struct user_regset *regset,
+ 
+ int xstateregs_get(struct task_struct *target, const struct user_regset *regset,
+ 		unsigned int pos, unsigned int count,
++		void *kbuf, void __user *ubuf) __size_overflow(4);
++int xstateregs_get(struct task_struct *target, const struct user_regset *regset,
++		unsigned int pos, unsigned int count,
+ 		void *kbuf, void __user *ubuf)
+ {
+ 	int ret;
+@@ -269,6 +278,9 @@ int xstateregs_get(struct task_struct *target, const struct user_regset *regset,
+ 
+ int xstateregs_set(struct task_struct *target, const struct user_regset *regset,
+ 		  unsigned int pos, unsigned int count,
++		  const void *kbuf, const void __user *ubuf) __size_overflow(4);
++int xstateregs_set(struct task_struct *target, const struct user_regset *regset,
++		  unsigned int pos, unsigned int count,
+ 		  const void *kbuf, const void __user *ubuf)
+ {
+ 	int ret;
+@@ -439,6 +451,9 @@ static void convert_to_fxsr(struct task_struct *tsk,
+ 
+ int fpregs_get(struct task_struct *target, const struct user_regset *regset,
+ 	       unsigned int pos, unsigned int count,
++	       void *kbuf, void __user *ubuf) __size_overflow(3,4);
++int fpregs_get(struct task_struct *target, const struct user_regset *regset,
++	       unsigned int pos, unsigned int count,
+ 	       void *kbuf, void __user *ubuf)
+ {
+ 	struct user_i387_ia32_struct env;
+@@ -471,6 +486,9 @@ int fpregs_get(struct task_struct *target, const struct user_regset *regset,
+ 
+ int fpregs_set(struct task_struct *target, const struct user_regset *regset,
+ 	       unsigned int pos, unsigned int count,
++	       const void *kbuf, const void __user *ubuf) __size_overflow(3,4);
++int fpregs_set(struct task_struct *target, const struct user_regset *regset,
++	       unsigned int pos, unsigned int count,
+ 	       const void *kbuf, const void __user *ubuf)
+ {
+ 	struct user_i387_ia32_struct env;
+@@ -619,6 +637,8 @@ static inline int restore_i387_fsave(struct _fpstate_ia32 __user *buf)
+ }
+ 
+ static int restore_i387_fxsave(struct _fpstate_ia32 __user *buf,
++			       unsigned int size) __size_overflow(2);
++static int restore_i387_fxsave(struct _fpstate_ia32 __user *buf,
+ 			       unsigned int size)
+ {
+ 	struct task_struct *tsk = current;
 diff --git a/arch/x86/kernel/i8259.c b/arch/x86/kernel/i8259.c
 index 6104852..6114160 100644
 --- a/arch/x86/kernel/i8259.c
@@ -17286,7 +17558,7 @@ index a9c2116..a52d4fc 100644
  #endif
  		pv_mmu_ops.flush_tlb_user = kvm_flush_tlb;
 diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
-index ea69726..604d066 100644
+index ea69726..8b497c9 100644
 --- a/arch/x86/kernel/ldt.c
 +++ b/arch/x86/kernel/ldt.c
 @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, int mincount, int reload)
@@ -17339,7 +17611,15 @@ index ea69726..604d066 100644
  	return retval;
  }
  
-@@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
+@@ -141,6 +159,7 @@ void destroy_context(struct mm_struct *mm)
+ 	}
+ }
+ 
++static int read_ldt(void __user *ptr, unsigned long bytecount) __size_overflow(2);
+ static int read_ldt(void __user *ptr, unsigned long bytecount)
+ {
+ 	int err;
+@@ -230,6 +249,13 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
  		}
  	}
  
@@ -17385,11 +17665,14 @@ index a3fa43b..8966f4c 100644
  	relocate_kernel_ptr = control_page;
  	page_list[PA_CONTROL_PAGE] = __pa(control_page);
 diff --git a/arch/x86/kernel/microcode_intel.c b/arch/x86/kernel/microcode_intel.c
-index 3ca42d0..7cff8cc 100644
+index 3ca42d0..79d24cd 100644
 --- a/arch/x86/kernel/microcode_intel.c
 +++ b/arch/x86/kernel/microcode_intel.c
-@@ -436,13 +436,13 @@ static enum ucode_state request_microcode_fw(int cpu, struct device *device)
+@@ -434,15 +434,16 @@ static enum ucode_state request_microcode_fw(int cpu, struct device *device)
+ 	return ret;
+ }
  
++static int get_ucode_user(void *to, const void *from, size_t n) __size_overflow(3);
  static int get_ucode_user(void *to, const void *from, size_t n)
  {
 -	return copy_from_user(to, from, n);
@@ -18024,10 +18307,21 @@ index 6a364a6..b147d11 100644
  		ip = *(u64 *)(fp+8);
  		if (!in_sched_functions(ip))
 diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
-index 8252879..d3219e0 100644
+index 8252879..f367ec9 100644
 --- a/arch/x86/kernel/ptrace.c
 +++ b/arch/x86/kernel/ptrace.c
-@@ -822,7 +822,7 @@ long arch_ptrace(struct task_struct *child, long request,
+@@ -791,6 +791,10 @@ static int ioperm_active(struct task_struct *target,
+ static int ioperm_get(struct task_struct *target,
+ 		      const struct user_regset *regset,
+ 		      unsigned int pos, unsigned int count,
++		      void *kbuf, void __user *ubuf) __size_overflow(3,4);
++static int ioperm_get(struct task_struct *target,
++		      const struct user_regset *regset,
++		      unsigned int pos, unsigned int count,
+ 		      void *kbuf, void __user *ubuf)
+ {
+ 	if (!target->thread.io_bitmap_ptr)
+@@ -822,7 +826,7 @@ long arch_ptrace(struct task_struct *child, long request,
  		 unsigned long addr, unsigned long data)
  {
  	int ret;
@@ -18036,7 +18330,7 @@ index 8252879..d3219e0 100644
  
  	switch (request) {
  	/* read the word at location addr in the USER area. */
-@@ -907,14 +907,14 @@ long arch_ptrace(struct task_struct *child, long request,
+@@ -907,14 +911,14 @@ long arch_ptrace(struct task_struct *child, long request,
  		if ((int) addr < 0)
  			return -EIO;
  		ret = do_get_thread_area(child, addr,
@@ -18053,7 +18347,7 @@ index 8252879..d3219e0 100644
  		break;
  #endif
  
-@@ -1331,7 +1331,7 @@ static void fill_sigtrap_info(struct task_struct *tsk,
+@@ -1331,7 +1335,7 @@ static void fill_sigtrap_info(struct task_struct *tsk,
  	memset(info, 0, sizeof(*info));
  	info->si_signo = SIGTRAP;
  	info->si_code = si_code;
@@ -18300,7 +18594,7 @@ index cf0ef98..e3f780b 100644
  	bss_resource.start = virt_to_phys(&__bss_start);
  	bss_resource.end = virt_to_phys(&__bss_stop)-1;
 diff --git a/arch/x86/kernel/setup_percpu.c b/arch/x86/kernel/setup_percpu.c
-index 71f4727..16dc9f7 100644
+index 71f4727..217419b 100644
 --- a/arch/x86/kernel/setup_percpu.c
 +++ b/arch/x86/kernel/setup_percpu.c
 @@ -21,19 +21,17 @@
@@ -18327,7 +18621,25 @@ index 71f4727..16dc9f7 100644
  	[0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
  };
  EXPORT_SYMBOL(__per_cpu_offset);
-@@ -155,10 +153,10 @@ static inline void setup_percpu_segment(int cpu)
+@@ -96,6 +94,8 @@ static bool __init pcpu_need_numa(void)
+  * Pointer to the allocated area on success, NULL on failure.
+  */
+ static void * __init pcpu_alloc_bootmem(unsigned int cpu, unsigned long size,
++					unsigned long align) __size_overflow(2);
++static void * __init pcpu_alloc_bootmem(unsigned int cpu, unsigned long size,
+ 					unsigned long align)
+ {
+ 	const unsigned long goal = __pa(MAX_DMA_ADDRESS);
+@@ -124,6 +124,8 @@ static void * __init pcpu_alloc_bootmem(unsigned int cpu, unsigned long size,
+ /*
+  * Helpers for first chunk memory allocation
+  */
++static void * __init pcpu_fc_alloc(unsigned int cpu, size_t size, size_t align) __size_overflow(2);
++
+ static void * __init pcpu_fc_alloc(unsigned int cpu, size_t size, size_t align)
+ {
+ 	return pcpu_alloc_bootmem(cpu, size, align);
+@@ -155,10 +157,10 @@ static inline void setup_percpu_segment(int cpu)
  {
  #ifdef CONFIG_X86_32
  	struct desc_struct gdt;
@@ -18341,7 +18653,7 @@ index 71f4727..16dc9f7 100644
  	write_gdt_entry(get_cpu_gdt_table(cpu),
  			GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
  #endif
-@@ -207,6 +205,11 @@ void __init setup_per_cpu_areas(void)
+@@ -207,6 +209,11 @@ void __init setup_per_cpu_areas(void)
  	/* alrighty, percpu areas up and running */
  	delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
  	for_each_possible_cpu(cpu) {
@@ -18353,7 +18665,7 @@ index 71f4727..16dc9f7 100644
  		per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
  		per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
  		per_cpu(cpu_number, cpu) = cpu;
-@@ -247,6 +250,12 @@ void __init setup_per_cpu_areas(void)
+@@ -247,6 +254,12 @@ void __init setup_per_cpu_areas(void)
  		 */
  		set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
  #endif
@@ -19015,6 +19327,18 @@ index 6bb7b85..dd853e1 100644
  	set_tls_desc(p, idx, &info, 1);
  
  	return 0;
+diff --git a/arch/x86/kernel/tls.h b/arch/x86/kernel/tls.h
+index 2f083a2..7d3fecc 100644
+--- a/arch/x86/kernel/tls.h
++++ b/arch/x86/kernel/tls.h
+@@ -16,6 +16,6 @@
+ 
+ extern user_regset_active_fn regset_tls_active;
+ extern user_regset_get_fn regset_tls_get;
+-extern user_regset_set_fn regset_tls_set;
++extern user_regset_set_fn regset_tls_set __size_overflow(4);
+ 
+ #endif	/* _ARCH_X86_KERNEL_TLS_H */
 diff --git a/arch/x86/kernel/trampoline_32.S b/arch/x86/kernel/trampoline_32.S
 index 451c0a7..e57f551 100644
 --- a/arch/x86/kernel/trampoline_32.S
@@ -19661,7 +19985,7 @@ index 7110911..e8cdee5 100644
  	if (unlikely(err)) {
  		/*
 diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index f1e3be1..588efc8 100644
+index f1e3be18..588efc8 100644
 --- a/arch/x86/kvm/emulate.c
 +++ b/arch/x86/kvm/emulate.c
 @@ -249,6 +249,7 @@ struct gprefix {
@@ -19747,10 +20071,18 @@ index 9299410..ade2f9b 100644
  	spin_unlock(&vcpu->kvm->mmu_lock);
  
 diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index 94a4672..5c6b853 100644
+index 94a4672..1700ed1 100644
 --- a/arch/x86/kvm/svm.c
 +++ b/arch/x86/kvm/svm.c
-@@ -3405,7 +3405,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
+@@ -3037,6 +3037,7 @@ static int svm_set_vm_cr(struct kvm_vcpu *vcpu, u64 data)
+ 	return 0;
+ }
+ 
++static int svm_set_msr(struct kvm_vcpu *vcpu, unsigned ecx, u64 data) __size_overflow(3);
+ static int svm_set_msr(struct kvm_vcpu *vcpu, unsigned ecx, u64 data)
+ {
+ 	struct vcpu_svm *svm = to_svm(vcpu);
+@@ -3405,7 +3406,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
  	int cpu = raw_smp_processor_id();
  
  	struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
@@ -19762,7 +20094,7 @@ index 94a4672..5c6b853 100644
  	load_TR_desc();
  }
  
-@@ -3783,6 +3787,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -3783,6 +3788,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
  #endif
  #endif
  
@@ -19774,7 +20106,7 @@ index 94a4672..5c6b853 100644
  
  	local_irq_disable();
 diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 4ea7678..b3a7084 100644
+index 4ea7678..c715f2f 100644
 --- a/arch/x86/kvm/vmx.c
 +++ b/arch/x86/kvm/vmx.c
 @@ -1305,7 +1305,11 @@ static void reload_tss(void)
@@ -19789,7 +20121,15 @@ index 4ea7678..b3a7084 100644
  	load_TR_desc();
  }
  
-@@ -2633,8 +2637,11 @@ static __init int hardware_setup(void)
+@@ -2163,6 +2167,7 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 *pdata)
+  * Returns 0 on success, non-0 otherwise.
+  * Assumes vcpu_load() was already called.
+  */
++static int vmx_set_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data) __size_overflow(3);
+ static int vmx_set_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data)
+ {
+ 	struct vcpu_vmx *vmx = to_vmx(vcpu);
+@@ -2633,8 +2638,11 @@ static __init int hardware_setup(void)
  	if (!cpu_has_vmx_flexpriority())
  		flexpriority_enabled = 0;
  
@@ -19803,7 +20143,7 @@ index 4ea7678..b3a7084 100644
  
  	if (enable_ept && !cpu_has_vmx_ept_2m_page())
  		kvm_disable_largepages();
-@@ -3648,7 +3655,7 @@ static void vmx_set_constant_host_state(void)
+@@ -3648,7 +3656,7 @@ static void vmx_set_constant_host_state(void)
  	vmcs_writel(HOST_IDTR_BASE, dt.address);   /* 22.2.4 */
  
  	asm("mov $.Lkvm_vmx_return, %0" : "=r"(tmpl));
@@ -19812,7 +20152,7 @@ index 4ea7678..b3a7084 100644
  
  	rdmsr(MSR_IA32_SYSENTER_CS, low32, high32);
  	vmcs_write32(HOST_IA32_SYSENTER_CS, low32);
-@@ -6169,6 +6176,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -6169,6 +6177,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
  		"jmp .Lkvm_vmx_return \n\t"
  		".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
  		".Lkvm_vmx_return: "
@@ -19825,7 +20165,7 @@ index 4ea7678..b3a7084 100644
  		/* Save guest registers, load host registers, keep flags */
  		"mov %0, %c[wordsize](%%"R"sp) \n\t"
  		"pop %0 \n\t"
-@@ -6217,6 +6230,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -6217,6 +6231,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
  #endif
  		[cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
  		[wordsize]"i"(sizeof(ulong))
@@ -19837,7 +20177,7 @@ index 4ea7678..b3a7084 100644
  	      : "cc", "memory"
  		, R"ax", R"bx", R"di", R"si"
  #ifdef CONFIG_X86_64
-@@ -6245,7 +6263,16 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -6245,7 +6264,16 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
  		}
  	}
  
@@ -19856,10 +20196,18 @@ index 4ea7678..b3a7084 100644
  
  	vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
 diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 4c938da..4ddef65 100644
+index 4c938da..6cd8090 100644
 --- a/arch/x86/kvm/x86.c
 +++ b/arch/x86/kvm/x86.c
-@@ -1345,8 +1345,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
+@@ -907,6 +907,7 @@ static int do_set_msr(struct kvm_vcpu *vcpu, unsigned index, u64 *data)
+ 	return kvm_set_msr(vcpu, index, *data);
+ }
+ 
++static void kvm_write_wall_clock(struct kvm *kvm, gpa_t wall_clock) __size_overflow(2);
+ static void kvm_write_wall_clock(struct kvm *kvm, gpa_t wall_clock)
+ {
+ 	int version;
+@@ -1345,8 +1346,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
  {
  	struct kvm *kvm = vcpu->kvm;
  	int lm = is_long_mode(vcpu);
@@ -19870,7 +20218,7 @@ index 4c938da..4ddef65 100644
  	u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64
  		: kvm->arch.xen_hvm_config.blob_size_32;
  	u32 page_num = data & ~PAGE_MASK;
-@@ -2165,6 +2165,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
+@@ -2165,6 +2166,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
  		if (n < msr_list.nmsrs)
  			goto out;
  		r = -EFAULT;
@@ -19879,7 +20227,7 @@ index 4c938da..4ddef65 100644
  		if (copy_to_user(user_msr_list->indices, &msrs_to_save,
  				 num_msrs_to_save * sizeof(u32)))
  			goto out;
-@@ -2340,15 +2342,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu,
+@@ -2340,15 +2343,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu,
  				     struct kvm_cpuid2 *cpuid,
  				     struct kvm_cpuid_entry2 __user *entries)
  {
@@ -19903,7 +20251,7 @@ index 4c938da..4ddef65 100644
  	vcpu->arch.cpuid_nent = cpuid->nent;
  	kvm_apic_set_version(vcpu);
  	kvm_x86_ops->cpuid_update(vcpu);
-@@ -2363,15 +2370,19 @@ static int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
+@@ -2363,15 +2371,19 @@ static int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
  				     struct kvm_cpuid2 *cpuid,
  				     struct kvm_cpuid_entry2 __user *entries)
  {
@@ -19926,7 +20274,7 @@ index 4c938da..4ddef65 100644
  	return 0;
  
  out:
-@@ -2746,7 +2757,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu,
+@@ -2746,7 +2758,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu,
  static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
  				    struct kvm_interrupt *irq)
  {
@@ -19935,7 +20283,67 @@ index 4c938da..4ddef65 100644
  		return -EINVAL;
  	if (irqchip_in_kernel(vcpu->kvm))
  		return -ENXIO;
-@@ -5162,7 +5173,7 @@ static void kvm_set_mmio_spte_mask(void)
+@@ -3949,6 +3961,9 @@ gpa_t kvm_mmu_gva_to_gpa_system(struct kvm_vcpu *vcpu, gva_t gva,
+ 
+ static int kvm_read_guest_virt_helper(gva_t addr, void *val, unsigned int bytes,
+ 				      struct kvm_vcpu *vcpu, u32 access,
++				      struct x86_exception *exception) __size_overflow(1,3);
++static int kvm_read_guest_virt_helper(gva_t addr, void *val, unsigned int bytes,
++				      struct kvm_vcpu *vcpu, u32 access,
+ 				      struct x86_exception *exception)
+ {
+ 	void *data = val;
+@@ -3980,6 +3995,9 @@ out:
+ /* used for instruction fetching */
+ static int kvm_fetch_guest_virt(struct x86_emulate_ctxt *ctxt,
+ 				gva_t addr, void *val, unsigned int bytes,
++				struct x86_exception *exception) __size_overflow(2,4);
++static int kvm_fetch_guest_virt(struct x86_emulate_ctxt *ctxt,
++				gva_t addr, void *val, unsigned int bytes,
+ 				struct x86_exception *exception)
+ {
+ 	struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
+@@ -4004,6 +4022,9 @@ EXPORT_SYMBOL_GPL(kvm_read_guest_virt);
+ 
+ static int kvm_read_guest_virt_system(struct x86_emulate_ctxt *ctxt,
+ 				      gva_t addr, void *val, unsigned int bytes,
++				      struct x86_exception *exception) __size_overflow(2,4);
++static int kvm_read_guest_virt_system(struct x86_emulate_ctxt *ctxt,
++				      gva_t addr, void *val, unsigned int bytes,
+ 				      struct x86_exception *exception)
+ {
+ 	struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
+@@ -4117,12 +4138,16 @@ static int read_prepare(struct kvm_vcpu *vcpu, void *val, int bytes)
+ }
+ 
+ static int read_emulate(struct kvm_vcpu *vcpu, gpa_t gpa,
++			void *val, int bytes) __size_overflow(2);
++static int read_emulate(struct kvm_vcpu *vcpu, gpa_t gpa,
+ 			void *val, int bytes)
+ {
+ 	return !kvm_read_guest(vcpu->kvm, gpa, val, bytes);
+ }
+ 
+ static int write_emulate(struct kvm_vcpu *vcpu, gpa_t gpa,
++			 void *val, int bytes) __size_overflow(2);
++static int write_emulate(struct kvm_vcpu *vcpu, gpa_t gpa,
+ 			 void *val, int bytes)
+ {
+ 	return emulator_write_phys(vcpu, gpa, val, bytes);
+@@ -4273,6 +4298,12 @@ static int emulator_cmpxchg_emulated(struct x86_emulate_ctxt *ctxt,
+ 				     const void *old,
+ 				     const void *new,
+ 				     unsigned int bytes,
++				     struct x86_exception *exception) __size_overflow(5);
++static int emulator_cmpxchg_emulated(struct x86_emulate_ctxt *ctxt,
++				     unsigned long addr,
++				     const void *old,
++				     const void *new,
++				     unsigned int bytes,
+ 				     struct x86_exception *exception)
+ {
+ 	struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
+@@ -5162,7 +5193,7 @@ static void kvm_set_mmio_spte_mask(void)
  	kvm_mmu_set_mmio_spte_mask(mask);
  }
  
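Review bot: In the x86.c section, `read_emulate` and `write_emulate` are annotated `__size_overflow(2)`, which by position is `gpa`, while the length argument `bytes` (parameter 4) is left unmarked. The neighbouring `kvm_read_guest_virt_helper` marks both its address and its length with `(1,3)`, and `kvm_fetch_guest_virt` does the same with `(2,4)`. If the omission is deliberate (for example because `bytes` is a signed `int` here), a short comment saying so would keep the next reader from treating it as an oversight. Otherwise the annotation would presumably read `__size_overflow(2,4)`.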
@@ -19944,6 +20352,23 @@ index 4c938da..4ddef65 100644
  {
  	int r;
  	struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
+diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
+index d36fe23..a4b189f 100644
+--- a/arch/x86/kvm/x86.h
++++ b/arch/x86/kvm/x86.h
+@@ -119,10 +119,10 @@ void kvm_write_tsc(struct kvm_vcpu *vcpu, u64 data);
+ 
+ int kvm_read_guest_virt(struct x86_emulate_ctxt *ctxt,
+ 	gva_t addr, void *val, unsigned int bytes,
+-	struct x86_exception *exception);
++	struct x86_exception *exception) __size_overflow(2,4);
+ 
+ int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt,
+ 	gva_t addr, void *val, unsigned int bytes,
+-	struct x86_exception *exception);
++	struct x86_exception *exception) __size_overflow(2,4);
+ 
+ #endif
 diff --git a/arch/x86/lguest/boot.c b/arch/x86/lguest/boot.c
 index cf4603b..7cdde38 100644
 --- a/arch/x86/lguest/boot.c
@@ -21135,6 +21560,22 @@ index 459b58a..9570bc7 100644
  					 len, isum, NULL, errp);
  }
  EXPORT_SYMBOL(csum_partial_copy_to_user);
+diff --git a/arch/x86/lib/delay.c b/arch/x86/lib/delay.c
+index fc45ba8..e395693 100644
+--- a/arch/x86/lib/delay.c
++++ b/arch/x86/lib/delay.c
+@@ -48,9 +48,9 @@ static void delay_loop(unsigned long loops)
+ }
+ 
+ /* TSC based delay: */
+-static void delay_tsc(unsigned long loops)
++static void delay_tsc(unsigned long __loops)
+ {
+-	unsigned long bclock, now;
++	u32 bclock, now, loops = __loops;
+ 	int cpu;
+ 
+ 	preempt_disable();
 diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S
 index 51f1504..ddac4c1 100644
 --- a/arch/x86/lib/getuser.S
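Review bot: The new declaration `u32 bclock, now, loops = __loops;` in `delay_tsc` narrows the `unsigned long` argument without a bound check, so on a 64-bit build any bits above 32 are dropped and the delay would presumably end earlier than requested. The reason for moving to `u32` is not stated. It looks intended to make the elapsed-cycle comparison wrap at 32 bits, but the loop body is outside the hunk, so that is an inference. I would add a comment such as `/* TSC low word only: arithmetic must wrap at 32 bits; callers pass fewer than 2^32 loops */`. If larger values can occur, the argument could be clamped instead, `loops = min_t(unsigned long, __loops, 0xffffffffUL);`.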
@@ -22217,7 +22658,7 @@ index a63efd6..ccecad8 100644
  	ret
  	CFI_ENDPROC
 diff --git a/arch/x86/lib/usercopy_32.c b/arch/x86/lib/usercopy_32.c
-index e218d5d..35679b4 100644
+index e218d5d..1e01930 100644
 --- a/arch/x86/lib/usercopy_32.c
 +++ b/arch/x86/lib/usercopy_32.c
 @@ -43,7 +43,7 @@ do {									   \
@@ -22229,6 +22670,24 @@ index e218d5d..35679b4 100644
  		"	stosb\n"					   \
  		"	testb %%al,%%al\n"				   \
  		"	jz 1f\n"					   \
+@@ -83,7 +83,7 @@ do {									   \
+  * and returns @count.
+  */
+ long
+-__strncpy_from_user(char *dst, const char __user *src, long count)
++__strncpy_from_user(char *dst, const char __user *src, unsigned long count)
+ {
+ 	long res;
+ 	__do_strncpy_from_user(dst, src, count, res);
+@@ -110,7 +110,7 @@ EXPORT_SYMBOL(__strncpy_from_user);
+  * and returns @count.
+  */
+ long
+-strncpy_from_user(char *dst, const char __user *src, long count)
++strncpy_from_user(char *dst, const char __user *src, unsigned long count)
+ {
+ 	long res = -EFAULT;
+ 	if (access_ok(VERIFY_READ, src, 1))
 @@ -128,10 +128,12 @@ do {									\
  	int __d0;							\
  	might_fault();							\
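Review bot: `__strncpy_from_user` and `strncpy_from_user` now take `unsigned long count` but still return `long`, and the kernel-doc above them says the function returns @count when the string is longer than the limit. A count above LONG_MAX therefore cannot be reported back and would read as a negative value, the same range used for `-EFAULT`. The copy macro's body is outside the hunk, so whether such a count can reach the return is not visible here. The comment block should state the accepted range, for example ` * @count must not exceed LONG_MAX; the result is returned as a signed long.`. The `strnlen_user` change in the next hunk and the matching usercopy_64.c hunks have the same mismatch between a signed result and an unsigned bound.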
@@ -22242,6 +22701,15 @@ index e218d5d..35679b4 100644
  		".section .fixup,\"ax\"\n"				\
  		"3:	lea 0(%2,%0,4),%0\n"				\
  		"	jmp 2b\n"					\
+@@ -192,7 +194,7 @@ EXPORT_SYMBOL(__clear_user);
+  * On exception, returns 0.
+  * If the string is too long, returns a value greater than @n.
+  */
+-long strnlen_user(const char __user *s, long n)
++long strnlen_user(const char __user *s, unsigned long n)
+ {
+ 	unsigned long mask = -__addr_ok(s);
+ 	unsigned long res, tmp;
 @@ -200,6 +202,7 @@ long strnlen_user(const char __user *s, long n)
  	might_fault();
  
@@ -22320,7 +22788,7 @@ index e218d5d..35679b4 100644
  		       "       addl $-64, %0\n"
  		       "       addl $64, %4\n"
  		       "       addl $64, %3\n"
-@@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const void *from, unsigned long size)
+@@ -278,10 +282,12 @@ __copy_user_intel(void __user *to, const void *from, unsigned long size)
  		       "       shrl  $2, %0\n"
  		       "       andl  $3, %%eax\n"
  		       "       cld\n"
@@ -22330,58 +22798,13 @@ index e218d5d..35679b4 100644
  		       "37:    rep; movsb\n"
  		       "100:\n"
 +		       __COPYUSER_RESTORE_ES
-+		       ".section .fixup,\"ax\"\n"
-+		       "101:   lea 0(%%eax,%0,4),%0\n"
-+		       "       jmp 100b\n"
-+		       ".previous\n"
-+		       ".section __ex_table,\"a\"\n"
-+		       "       .align 4\n"
-+		       "       .long 1b,100b\n"
-+		       "       .long 2b,100b\n"
-+		       "       .long 3b,100b\n"
-+		       "       .long 4b,100b\n"
-+		       "       .long 5b,100b\n"
-+		       "       .long 6b,100b\n"
-+		       "       .long 7b,100b\n"
-+		       "       .long 8b,100b\n"
-+		       "       .long 9b,100b\n"
-+		       "       .long 10b,100b\n"
-+		       "       .long 11b,100b\n"
-+		       "       .long 12b,100b\n"
-+		       "       .long 13b,100b\n"
-+		       "       .long 14b,100b\n"
-+		       "       .long 15b,100b\n"
-+		       "       .long 16b,100b\n"
-+		       "       .long 17b,100b\n"
-+		       "       .long 18b,100b\n"
-+		       "       .long 19b,100b\n"
-+		       "       .long 20b,100b\n"
-+		       "       .long 21b,100b\n"
-+		       "       .long 22b,100b\n"
-+		       "       .long 23b,100b\n"
-+		       "       .long 24b,100b\n"
-+		       "       .long 25b,100b\n"
-+		       "       .long 26b,100b\n"
-+		       "       .long 27b,100b\n"
-+		       "       .long 28b,100b\n"
-+		       "       .long 29b,100b\n"
-+		       "       .long 30b,100b\n"
-+		       "       .long 31b,100b\n"
-+		       "       .long 32b,100b\n"
-+		       "       .long 33b,100b\n"
-+		       "       .long 34b,100b\n"
-+		       "       .long 35b,100b\n"
-+		       "       .long 36b,100b\n"
-+		       "       .long 37b,100b\n"
-+		       "       .long 99b,101b\n"
-+		       ".previous"
-+		       : "=&c"(size), "=&D" (d0), "=&S" (d1)
-+		       :  "1"(to), "2"(from), "0"(size)
-+		       : "eax", "edx", "memory");
-+	return size;
-+}
-+
-+static unsigned long
+ 		       ".section .fixup,\"ax\"\n"
+ 		       "101:   lea 0(%%eax,%0,4),%0\n"
+ 		       "       jmp 100b\n"
+@@ -334,46 +340,155 @@ __copy_user_intel(void __user *to, const void *from, unsigned long size)
+ }
+ 
+ static unsigned long
 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
 +{
 +	int d0, d1;
@@ -22437,10 +22860,62 @@ index e218d5d..35679b4 100644
 +		       "36:    movl %%eax, %0\n"
 +		       "37:    rep; "__copyuser_seg" movsb\n"
 +		       "100:\n"
- 		       ".section .fixup,\"ax\"\n"
- 		       "101:   lea 0(%%eax,%0,4),%0\n"
- 		       "       jmp 100b\n"
-@@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
++		       ".section .fixup,\"ax\"\n"
++		       "101:   lea 0(%%eax,%0,4),%0\n"
++		       "       jmp 100b\n"
++		       ".previous\n"
++		       ".section __ex_table,\"a\"\n"
++		       "       .align 4\n"
++		       "       .long 1b,100b\n"
++		       "       .long 2b,100b\n"
++		       "       .long 3b,100b\n"
++		       "       .long 4b,100b\n"
++		       "       .long 5b,100b\n"
++		       "       .long 6b,100b\n"
++		       "       .long 7b,100b\n"
++		       "       .long 8b,100b\n"
++		       "       .long 9b,100b\n"
++		       "       .long 10b,100b\n"
++		       "       .long 11b,100b\n"
++		       "       .long 12b,100b\n"
++		       "       .long 13b,100b\n"
++		       "       .long 14b,100b\n"
++		       "       .long 15b,100b\n"
++		       "       .long 16b,100b\n"
++		       "       .long 17b,100b\n"
++		       "       .long 18b,100b\n"
++		       "       .long 19b,100b\n"
++		       "       .long 20b,100b\n"
++		       "       .long 21b,100b\n"
++		       "       .long 22b,100b\n"
++		       "       .long 23b,100b\n"
++		       "       .long 24b,100b\n"
++		       "       .long 25b,100b\n"
++		       "       .long 26b,100b\n"
++		       "       .long 27b,100b\n"
++		       "       .long 28b,100b\n"
++		       "       .long 29b,100b\n"
++		       "       .long 30b,100b\n"
++		       "       .long 31b,100b\n"
++		       "       .long 32b,100b\n"
++		       "       .long 33b,100b\n"
++		       "       .long 34b,100b\n"
++		       "       .long 35b,100b\n"
++		       "       .long 36b,100b\n"
++		       "       .long 37b,100b\n"
++		       "       .long 99b,101b\n"
++		       ".previous"
++		       : "=&c"(size), "=&D" (d0), "=&S" (d1)
++		       :  "1"(to), "2"(from), "0"(size)
++		       : "eax", "edx", "memory");
++	return size;
++}
++
++static unsigned long
++__copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size) __size_overflow(3);
++static unsigned long
+ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
+ {
  	int d0, d1;
  	__asm__ __volatile__(
  		       "        .align 2,0x90\n"
@@ -22500,7 +22975,7 @@ index e218d5d..35679b4 100644
  		       "        movl %%eax, 56(%3)\n"
  		       "        movl %%edx, 60(%3)\n"
  		       "        addl $-64, %0\n"
-@@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
+@@ -385,9 +500,9 @@ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
  		       "        shrl  $2, %0\n"
  		       "        andl $3, %%eax\n"
  		       "        cld\n"
@@ -22512,7 +22987,15 @@ index e218d5d..35679b4 100644
  		       "8:\n"
  		       ".section .fixup,\"ax\"\n"
  		       "9:      lea 0(%%eax,%0,4),%0\n"
-@@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing_intel_nocache(void *to,
+@@ -434,47 +549,49 @@ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
+  */
+ 
+ static unsigned long __copy_user_zeroing_intel_nocache(void *to,
++				const void __user *from, unsigned long size) __size_overflow(3);
++static unsigned long __copy_user_zeroing_intel_nocache(void *to,
+ 				const void __user *from, unsigned long size)
+ {
+ 	int d0, d1;
  
  	__asm__ __volatile__(
  	       "        .align 2,0x90\n"
@@ -22572,7 +23055,7 @@ index e218d5d..35679b4 100644
  	       "        movnti %%eax, 56(%3)\n"
  	       "        movnti %%edx, 60(%3)\n"
  	       "        addl $-64, %0\n"
-@@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing_intel_nocache(void *to,
+@@ -487,9 +604,9 @@ static unsigned long __copy_user_zeroing_intel_nocache(void *to,
  	       "        shrl  $2, %0\n"
  	       "        andl $3, %%eax\n"
  	       "        cld\n"
@@ -22584,7 +23067,15 @@ index e218d5d..35679b4 100644
  	       "8:\n"
  	       ".section .fixup,\"ax\"\n"
  	       "9:      lea 0(%%eax,%0,4),%0\n"
-@@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_nocache(void *to,
+@@ -531,47 +648,49 @@ static unsigned long __copy_user_zeroing_intel_nocache(void *to,
+ }
+ 
+ static unsigned long __copy_user_intel_nocache(void *to,
++				const void __user *from, unsigned long size) __size_overflow(3);
++static unsigned long __copy_user_intel_nocache(void *to,
+ 				const void __user *from, unsigned long size)
+ {
+ 	int d0, d1;
  
  	__asm__ __volatile__(
  	       "        .align 2,0x90\n"
@@ -22644,7 +23135,7 @@ index e218d5d..35679b4 100644
  	       "        movnti %%eax, 56(%3)\n"
  	       "        movnti %%edx, 60(%3)\n"
  	       "        addl $-64, %0\n"
-@@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_nocache(void *to,
+@@ -584,9 +703,9 @@ static unsigned long __copy_user_intel_nocache(void *to,
  	       "        shrl  $2, %0\n"
  	       "        andl $3, %%eax\n"
  	       "        cld\n"
@@ -22656,7 +23147,7 @@ index e218d5d..35679b4 100644
  	       "8:\n"
  	       ".section .fixup,\"ax\"\n"
  	       "9:      lea 0(%%eax,%0,4),%0\n"
-@@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_nocache(void *to,
+@@ -629,32 +748,36 @@ static unsigned long __copy_user_intel_nocache(void *to,
   */
  unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
  					unsigned long size);
@@ -22698,7 +23189,7 @@ index e218d5d..35679b4 100644
  		".section .fixup,\"ax\"\n"				\
  		"5:	addl %3,%0\n"					\
  		"	jmp 2b\n"					\
-@@ -682,14 +799,14 @@ do {									\
+@@ -682,14 +805,14 @@ do {									\
  		"	negl %0\n"					\
  		"	andl $7,%0\n"					\
  		"	subl %0,%3\n"					\
@@ -22716,7 +23207,7 @@ index e218d5d..35679b4 100644
  		"2:\n"							\
  		".section .fixup,\"ax\"\n"				\
  		"5:	addl %3,%0\n"					\
-@@ -775,9 +892,9 @@ survive:
+@@ -775,9 +898,9 @@ survive:
  	}
  #endif
  	if (movsl_is_ok(to, from, n))
@@ -22728,7 +23219,7 @@ index e218d5d..35679b4 100644
  	return n;
  }
  EXPORT_SYMBOL(__copy_to_user_ll);
-@@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero(void *to, const void __user *from,
+@@ -797,10 +920,9 @@ unsigned long __copy_from_user_ll_nozero(void *to, const void __user *from,
  					 unsigned long n)
  {
  	if (movsl_is_ok(to, from, n))
@@ -22741,7 +23232,7 @@ index e218d5d..35679b4 100644
  	return n;
  }
  EXPORT_SYMBOL(__copy_from_user_ll_nozero);
-@@ -827,65 +943,50 @@ unsigned long __copy_from_user_ll_nocache_nozero(void *to, const void __user *fr
+@@ -827,65 +949,50 @@ unsigned long __copy_from_user_ll_nocache_nozero(void *to, const void __user *fr
  	if (n > 64 && cpu_has_xmm2)
  		n = __copy_user_intel_nocache(to, from, n);
  	else
@@ -22844,11 +23335,15 @@ index e218d5d..35679b4 100644
 +EXPORT_SYMBOL(set_fs);
 +#endif
 diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c
-index b7c2849..8633ad8 100644
+index b7c2849..bab76d3 100644
 --- a/arch/x86/lib/usercopy_64.c
 +++ b/arch/x86/lib/usercopy_64.c
-@@ -42,6 +42,12 @@ long
- __strncpy_from_user(char *dst, const char __user *src, long count)
+@@ -39,16 +39,22 @@ do {									   \
+ } while (0)
+ 
+ long
+-__strncpy_from_user(char *dst, const char __user *src, long count)
++__strncpy_from_user(char *dst, const char __user *src, unsigned long count)
  {
  	long res;
 +
@@ -22860,6 +23355,14 @@ index b7c2849..8633ad8 100644
  	__do_strncpy_from_user(dst, src, count, res);
  	return res;
  }
+ EXPORT_SYMBOL(__strncpy_from_user);
+ 
+ long
+-strncpy_from_user(char *dst, const char __user *src, long count)
++strncpy_from_user(char *dst, const char __user *src, unsigned long count)
+ {
+ 	long res = -EFAULT;
+ 	if (access_ok(VERIFY_READ, src, 1))
 @@ -65,6 +71,12 @@ unsigned long __clear_user(void __user *addr, unsigned long size)
  {
  	long __d0;
@@ -22873,6 +23376,24 @@ index b7c2849..8633ad8 100644
  	/* no memory constraint because it doesn't change any memory gcc knows
  	   about */
  	asm volatile(
+@@ -107,7 +119,7 @@ EXPORT_SYMBOL(clear_user);
+  * Return 0 on exception, a value greater than N if too long
+  */
+ 
+-long __strnlen_user(const char __user *s, long n)
++long __strnlen_user(const char __user *s, unsigned long n)
+ {
+ 	long res = 0;
+ 	char c;
+@@ -125,7 +137,7 @@ long __strnlen_user(const char __user *s, long n)
+ }
+ EXPORT_SYMBOL(__strnlen_user);
+ 
+-long strnlen_user(const char __user *s, long n)
++long strnlen_user(const char __user *s, unsigned long n)
+ {
+ 	if (!access_ok(VERIFY_READ, s, 1))
+ 		return 0;
 @@ -149,12 +161,20 @@ long strlen_user(const char __user *s)
  }
  EXPORT_SYMBOL(strlen_user);
@@ -25946,6 +26467,28 @@ index ad4ec1c..686479e 100644
  }
  
  /* parse all the mtimer info to a static mtimer array */
+diff --git a/arch/x86/platform/uv/tlb_uv.c b/arch/x86/platform/uv/tlb_uv.c
+index 81aee5a..9ad9aae 100644
+--- a/arch/x86/platform/uv/tlb_uv.c
++++ b/arch/x86/platform/uv/tlb_uv.c
+@@ -1433,6 +1433,8 @@ static ssize_t tunables_read(struct file *file, char __user *userbuf,
+  *  0: display meaning of the statistics
+  */
+ static ssize_t ptc_proc_write(struct file *file, const char __user *user,
++				size_t count, loff_t *data) __size_overflow(3);
++static ssize_t ptc_proc_write(struct file *file, const char __user *user,
+ 				size_t count, loff_t *data)
+ {
+ 	int cpu;
+@@ -1548,6 +1550,8 @@ static int parse_tunables_write(struct bau_control *bcp, char *instr,
+  * Handle a write to debugfs. (/sys/kernel/debug/sgi_uv/bau_tunables)
+  */
+ static ssize_t tunables_write(struct file *file, const char __user *user,
++				size_t count, loff_t *data) __size_overflow(3);
++static ssize_t tunables_write(struct file *file, const char __user *user,
+ 				size_t count, loff_t *data)
+ {
+ 	int cpu;
 diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c
 index f10c0af..3ec1f95 100644
 --- a/arch/x86/power/cpu.c
@@ -26566,6 +27109,91 @@ index 688be8a..8a37d98 100644
  	if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
  		goto error;
  
+diff --git a/crypto/ablkcipher.c b/crypto/ablkcipher.c
+index a0f768c..1da9c73 100644
+--- a/crypto/ablkcipher.c
++++ b/crypto/ablkcipher.c
+@@ -307,6 +307,8 @@ int ablkcipher_walk_phys(struct ablkcipher_request *req,
+ EXPORT_SYMBOL_GPL(ablkcipher_walk_phys);
+ 
+ static int setkey_unaligned(struct crypto_ablkcipher *tfm, const u8 *key,
++			    unsigned int keylen) __size_overflow(3);
++static int setkey_unaligned(struct crypto_ablkcipher *tfm, const u8 *key,
+ 			    unsigned int keylen)
+ {
+ 	struct ablkcipher_alg *cipher = crypto_ablkcipher_alg(tfm);
+@@ -329,6 +331,8 @@ static int setkey_unaligned(struct crypto_ablkcipher *tfm, const u8 *key,
+ }
+ 
+ static int setkey(struct crypto_ablkcipher *tfm, const u8 *key,
++		  unsigned int keylen) __size_overflow(3);
++static int setkey(struct crypto_ablkcipher *tfm, const u8 *key,
+ 		  unsigned int keylen)
+ {
+ 	struct ablkcipher_alg *cipher = crypto_ablkcipher_alg(tfm);
+diff --git a/crypto/aead.c b/crypto/aead.c
+index 04add3dc..983032f 100644
+--- a/crypto/aead.c
++++ b/crypto/aead.c
+@@ -27,6 +27,8 @@
+ #include "internal.h"
+ 
+ static int setkey_unaligned(struct crypto_aead *tfm, const u8 *key,
++			    unsigned int keylen) __size_overflow(3);
++static int setkey_unaligned(struct crypto_aead *tfm, const u8 *key,
+ 			    unsigned int keylen)
+ {
+ 	struct aead_alg *aead = crypto_aead_alg(tfm);
+@@ -48,6 +50,7 @@ static int setkey_unaligned(struct crypto_aead *tfm, const u8 *key,
+ 	return ret;
+ }
+ 
++static int setkey(struct crypto_aead *tfm, const u8 *key, unsigned int keylen) __size_overflow(3);
+ static int setkey(struct crypto_aead *tfm, const u8 *key, unsigned int keylen)
+ {
+ 	struct aead_alg *aead = crypto_aead_alg(tfm);
+diff --git a/crypto/blkcipher.c b/crypto/blkcipher.c
+index 1e61d1a..cf06b86 100644
+--- a/crypto/blkcipher.c
++++ b/crypto/blkcipher.c
+@@ -359,6 +359,8 @@ int blkcipher_walk_virt_block(struct blkcipher_desc *desc,
+ EXPORT_SYMBOL_GPL(blkcipher_walk_virt_block);
+ 
+ static int setkey_unaligned(struct crypto_tfm *tfm, const u8 *key,
++			    unsigned int keylen) __size_overflow(3);
++static int setkey_unaligned(struct crypto_tfm *tfm, const u8 *key,
+ 			    unsigned int keylen)
+ {
+ 	struct blkcipher_alg *cipher = &tfm->__crt_alg->cra_blkcipher;
+@@ -380,6 +382,7 @@ static int setkey_unaligned(struct crypto_tfm *tfm, const u8 *key,
+ 	return ret;
+ }
+ 
++static int setkey(struct crypto_tfm *tfm, const u8 *key, unsigned int keylen) __size_overflow(3);
+ static int setkey(struct crypto_tfm *tfm, const u8 *key, unsigned int keylen)
+ {
+ 	struct blkcipher_alg *cipher = &tfm->__crt_alg->cra_blkcipher;
+diff --git a/crypto/cipher.c b/crypto/cipher.c
+index 39541e0..802d956 100644
+--- a/crypto/cipher.c
++++ b/crypto/cipher.c
+@@ -21,6 +21,8 @@
+ #include "internal.h"
+ 
+ static int setkey_unaligned(struct crypto_tfm *tfm, const u8 *key,
++			    unsigned int keylen) __size_overflow(3);
++static int setkey_unaligned(struct crypto_tfm *tfm, const u8 *key,
+ 			    unsigned int keylen)
+ {
+ 	struct cipher_alg *cia = &tfm->__crt_alg->cra_cipher;
+@@ -43,6 +45,7 @@ static int setkey_unaligned(struct crypto_tfm *tfm, const u8 *key,
+ 
+ }
+ 
++static int setkey(struct crypto_tfm *tfm, const u8 *key, unsigned int keylen) __size_overflow(3);
+ static int setkey(struct crypto_tfm *tfm, const u8 *key, unsigned int keylen)
+ {
+ 	struct cipher_alg *cia = &tfm->__crt_alg->cra_cipher;
 diff --git a/crypto/cryptd.c b/crypto/cryptd.c
 index 671d4d6..5f24030 100644
 --- a/crypto/cryptd.c
@@ -26609,6 +27237,20 @@ index 5d41894..22021e4 100644
  }
  EXPORT_SYMBOL_GPL(cper_next_record_id);
  
+diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c
+index 7711d94..8622811 100644
+--- a/drivers/acpi/battery.c
++++ b/drivers/acpi/battery.c
+@@ -787,6 +787,9 @@ static int acpi_battery_print_alarm(struct seq_file *seq, int result)
+ 
+ static ssize_t acpi_battery_write_alarm(struct file *file,
+ 					const char __user * buffer,
++					size_t count, loff_t * ppos) __size_overflow(3);
++static ssize_t acpi_battery_write_alarm(struct file *file,
++					const char __user * buffer,
+ 					size_t count, loff_t * ppos)
+ {
+ 	int result = 0;
 diff --git a/drivers/acpi/ec_sys.c b/drivers/acpi/ec_sys.c
 index 6c47ae9..abfdd63 100644
 --- a/drivers/acpi/ec_sys.c
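Review bot: The `__size_overflow(3)` annotation on `acpi_battery_write_alarm` in drivers/acpi/battery.c is attached through a second copy of the prototype placed directly above the definition, so the signature now exists twice and the two copies have to be kept identical by hand. The same pattern repeats in the later hunks for sbs.c, ipath_fs.c, qib_fs.c, lguest_user.c, the saa7164, ath5k/ath9k, oprofile, asus_acpi, toshiba_acpi and rtl8192 files. None of the added declarations says which parameter the index names or why that function was selected. A one-line comment above each pair, for example `/* size_overflow: arg 3 (count) is the caller-supplied length */`, would make the choice reviewable. The function bodies continue outside the hunks.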
@@ -26713,6 +27355,20 @@ index 9d7bc9f..a6fc091 100644
  
  	/*
  	 * Buggy BIOS check
+diff --git a/drivers/acpi/sbs.c b/drivers/acpi/sbs.c
+index 6e36d0c..f319944 100644
+--- a/drivers/acpi/sbs.c
++++ b/drivers/acpi/sbs.c
+@@ -655,6 +655,9 @@ static int acpi_battery_read_alarm(struct seq_file *seq, void *offset)
+ 
+ static ssize_t
+ acpi_battery_write_alarm(struct file *file, const char __user * buffer,
++			 size_t count, loff_t * ppos) __size_overflow(3);
++static ssize_t
++acpi_battery_write_alarm(struct file *file, const char __user * buffer,
+ 			 size_t count, loff_t * ppos)
+ {
+ 	struct seq_file *seq = file->private_data;
 diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
 index c04ad68..0b99473 100644
 --- a/drivers/ata/libata-core.c
@@ -31534,6 +32190,19 @@ index 40c8353..946b0e4 100644
  	}
  	PDBG("%s stag_state 0x%0x type 0x%0x pdid 0x%0x, stag_idx 0x%x\n",
  	     __func__, stag_state, type, pdid, stag_idx);
+diff --git a/drivers/infiniband/hw/ipath/ipath_fs.c b/drivers/infiniband/hw/ipath/ipath_fs.c
+index 31ae1b1..641d285 100644
+--- a/drivers/infiniband/hw/ipath/ipath_fs.c
++++ b/drivers/infiniband/hw/ipath/ipath_fs.c
+@@ -126,6 +126,8 @@ static const struct file_operations atomic_counters_ops = {
+ };
+ 
+ static ssize_t flash_read(struct file *file, char __user *buf,
++			  size_t count, loff_t *ppos) __size_overflow(3);
++static ssize_t flash_read(struct file *file, char __user *buf,
+ 			  size_t count, loff_t *ppos)
+ {
+ 	struct ipath_devdata *dd;
 diff --git a/drivers/infiniband/hw/ipath/ipath_rc.c b/drivers/infiniband/hw/ipath/ipath_rc.c
 index 79b3dbc..96e5fcc 100644
 --- a/drivers/infiniband/hw/ipath/ipath_rc.c
@@ -32013,6 +32682,19 @@ index b881bdc..c2e360c 100644
  
  #include "qib_common.h"
  #include "qib_verbs.h"
+diff --git a/drivers/infiniband/hw/qib/qib_fs.c b/drivers/infiniband/hw/qib/qib_fs.c
+index df7fa25..0c854f0 100644
+--- a/drivers/infiniband/hw/qib/qib_fs.c
++++ b/drivers/infiniband/hw/qib/qib_fs.c
+@@ -267,6 +267,8 @@ static const struct file_operations qsfp_ops[] = {
+ };
+ 
+ static ssize_t flash_read(struct file *file, char __user *buf,
++			  size_t count, loff_t *ppos) __size_overflow(3);
++static ssize_t flash_read(struct file *file, char __user *buf,
+ 			  size_t count, loff_t *ppos)
+ {
+ 	struct qib_devdata *dd;
 diff --git a/drivers/input/gameport/gameport.c b/drivers/input/gameport/gameport.c
 index c351aa4..e6967c2 100644
 --- a/drivers/input/gameport/gameport.c
@@ -32396,6 +33078,18 @@ index b5fdcb7..5b6c59f 100644
  	       end_switcher_text - start_switcher_text);
  
  	printk(KERN_INFO "lguest: mapped switcher at %p\n",
+diff --git a/drivers/lguest/lguest_user.c b/drivers/lguest/lguest_user.c
+index ff4a0bc..f5fdd9c 100644
+--- a/drivers/lguest/lguest_user.c
++++ b/drivers/lguest/lguest_user.c
+@@ -198,6 +198,7 @@ static int user_send_irq(struct lg_cpu *cpu, const unsigned long __user *input)
+  * Once our Guest is initialized, the Launcher makes it run by reading
+  * from /dev/lguest.
+  */
++static ssize_t read(struct file *file, char __user *user, size_t size,loff_t*o) __size_overflow(3);
+ static ssize_t read(struct file *file, char __user *user, size_t size,loff_t*o)
+ {
+ 	struct lguest *lg = file->private_data;
 diff --git a/drivers/lguest/x86/core.c b/drivers/lguest/x86/core.c
 index 65af42f..530c87a 100644
 --- a/drivers/lguest/x86/core.c
@@ -33217,23 +33911,30 @@ index 68d1240..46b32eb 100644
  	{0x14f1,0x8811,PCI_ANY_ID,PCI_ANY_ID,0,0,0},
  	{0, }
 diff --git a/drivers/media/video/omap/omap_vout.c b/drivers/media/video/omap/omap_vout.c
-index ee0d0b3..7db1a4f 100644
+index ee0d0b3..63f6b78 100644
 --- a/drivers/media/video/omap/omap_vout.c
 +++ b/drivers/media/video/omap/omap_vout.c
-@@ -64,7 +64,12 @@ enum omap_vout_channels {
+@@ -64,7 +64,6 @@ enum omap_vout_channels {
  	OMAP_VIDEO2,
  };
  
 -static struct videobuf_queue_ops video_vbq_ops;
-+static struct videobuf_queue_ops video_vbq_ops = {
-+	.buf_setup = omap_vout_buffer_setup,
-+	.buf_prepare = omap_vout_buffer_prepare,
-+	.buf_release = omap_vout_buffer_release,
-+	.buf_queue = omap_vout_buffer_queue,
-+};
  /* Variables configurable through module params*/
  static u32 video1_numbuffers = 3;
  static u32 video2_numbuffers = 3;
+@@ -999,6 +998,12 @@ static int omap_vout_open(struct file *file)
+ {
+ 	struct videobuf_queue *q;
+ 	struct omap_vout_device *vout = NULL;
++	static struct videobuf_queue_ops video_vbq_ops = {
++		.buf_setup = omap_vout_buffer_setup,
++		.buf_prepare = omap_vout_buffer_prepare,
++		.buf_release = omap_vout_buffer_release,
++		.buf_queue = omap_vout_buffer_queue,
++	};
+ 
+ 	vout = video_drvdata(file);
+ 	v4l2_dbg(1, debug, &vout->vid_dev->v4l2_dev, "Entering %s\n", __func__);
 @@ -1016,10 +1021,6 @@ static int omap_vout_open(struct file *file)
  	vout->type = V4L2_BUF_TYPE_VIDEO_OUTPUT;
  
@@ -33258,6 +33959,32 @@ index 305e6aa..0143317 100644
  	pvr2_i2c_func i2c_func[PVR2_I2C_FUNC_CNT];
  	int i2c_cx25840_hack_state;
  	int i2c_linked;
+diff --git a/drivers/media/video/saa7164/saa7164-encoder.c b/drivers/media/video/saa7164/saa7164-encoder.c
+index 2fd38a0..ddec3c4 100644
+--- a/drivers/media/video/saa7164/saa7164-encoder.c
++++ b/drivers/media/video/saa7164/saa7164-encoder.c
+@@ -1136,6 +1136,8 @@ struct saa7164_user_buffer *saa7164_enc_next_buf(struct saa7164_port *port)
+ }
+ 
+ static ssize_t fops_read(struct file *file, char __user *buffer,
++	size_t count, loff_t *pos) __size_overflow(3);
++static ssize_t fops_read(struct file *file, char __user *buffer,
+ 	size_t count, loff_t *pos)
+ {
+ 	struct saa7164_encoder_fh *fh = file->private_data;
+diff --git a/drivers/media/video/saa7164/saa7164-vbi.c b/drivers/media/video/saa7164/saa7164-vbi.c
+index e2e0341..b80056c 100644
+--- a/drivers/media/video/saa7164/saa7164-vbi.c
++++ b/drivers/media/video/saa7164/saa7164-vbi.c
+@@ -1081,6 +1081,8 @@ struct saa7164_user_buffer *saa7164_vbi_next_buf(struct saa7164_port *port)
+ }
+ 
+ static ssize_t fops_read(struct file *file, char __user *buffer,
++	size_t count, loff_t *pos) __size_overflow(3);
++static ssize_t fops_read(struct file *file, char __user *buffer,
+ 	size_t count, loff_t *pos)
+ {
+ 	struct saa7164_vbi_fh *fh = file->private_data;
 diff --git a/drivers/media/video/timblogiw.c b/drivers/media/video/timblogiw.c
 index a0895bf..b7ebb1b 100644
 --- a/drivers/media/video/timblogiw.c
@@ -33908,7 +34635,7 @@ index ac40925..483b753 100644
  #include <linux/mtd/nand.h>
  #include <linux/mtd/nftl.h>
 diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
-index 6c3fb5a..c542a81 100644
+index 6c3fb5a..5b2eeb0 100644
 --- a/drivers/mtd/ubi/build.c
 +++ b/drivers/mtd/ubi/build.c
 @@ -1311,7 +1311,7 @@ module_exit(ubi_exit);
@@ -33940,7 +34667,7 @@ index 6c3fb5a..c542a81 100644
  	}
  
 -	return result;
-+	if ((intoverflow_t)result*scale >= INT_MAX) {
++	if (result*scale >= INT_MAX) {
 +		printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
 +		       str);
 +		return -EINVAL;
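Review bot: The replacement test `if (result*scale >= INT_MAX)` multiplies before it compares, so with the `(intoverflow_t)` cast gone the product is computed in the operands' own type and may already have wrapped when it is tested. The declarations of `result` and `scale` are outside the hunk, so their width cannot be confirmed here; if they are `unsigned long`, a 32-bit build would let a large byte count wrap to a small value and pass the check. A division-based test needs neither a wider type nor compiler instrumentation: `if (result > INT_MAX / scale) {`, assuming `scale` is never zero. Note that this form accepts a product of exactly INT_MAX where the current one rejects it. The enclosing function starts and ends outside the hunk.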
@@ -33950,6 +34677,19 @@ index 6c3fb5a..c542a81 100644
  }
  
  /**
+diff --git a/drivers/mtd/ubi/debug.c b/drivers/mtd/ubi/debug.c
+index ab80c0d..aec8580 100644
+--- a/drivers/mtd/ubi/debug.c
++++ b/drivers/mtd/ubi/debug.c
+@@ -338,6 +338,8 @@ out:
+ 
+ /* Write an UBI debugfs file */
+ static ssize_t dfs_file_write(struct file *file, const char __user *user_buf,
++			      size_t count, loff_t *ppos) __size_overflow(3);
++static ssize_t dfs_file_write(struct file *file, const char __user *user_buf,
+ 			      size_t count, loff_t *ppos)
+ {
+ 	unsigned long ubi_num = (unsigned long)file->private_data;
 diff --git a/drivers/net/ethernet/atheros/atlx/atl2.c b/drivers/net/ethernet/atheros/atlx/atl2.c
 index 1feae59..c2a61d2 100644
 --- a/drivers/net/ethernet/atheros/atlx/atl2.c
@@ -34001,6 +34741,47 @@ index c5f5479..2e8c260 100644
  
  #define L2T_SKB_CB(skb) ((struct l2t_skb_cb *)(skb)->cb)
  
+diff --git a/drivers/net/ethernet/chelsio/cxgb3/sge.c b/drivers/net/ethernet/chelsio/cxgb3/sge.c
+index cfb60e1..9c76da7 100644
+--- a/drivers/net/ethernet/chelsio/cxgb3/sge.c
++++ b/drivers/net/ethernet/chelsio/cxgb3/sge.c
+@@ -611,6 +611,8 @@ static void recycle_rx_buf(struct adapter *adap, struct sge_fl *q,
+  *	of the SW ring.
+  */
+ static void *alloc_ring(struct pci_dev *pdev, size_t nelem, size_t elem_size,
++			size_t sw_size, dma_addr_t * phys, void *metadata) __size_overflow(2,4);
++static void *alloc_ring(struct pci_dev *pdev, size_t nelem, size_t elem_size,
+ 			size_t sw_size, dma_addr_t * phys, void *metadata)
+ {
+ 	size_t len = nelem * elem_size;
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/sge.c b/drivers/net/ethernet/chelsio/cxgb4/sge.c
+index 140254c..5b8a0a6 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/sge.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/sge.c
+@@ -593,6 +593,9 @@ static inline void __refill_fl(struct adapter *adap, struct sge_fl *fl)
+  */
+ static void *alloc_ring(struct device *dev, size_t nelem, size_t elem_size,
+ 			size_t sw_size, dma_addr_t *phys, void *metadata,
++			size_t stat_size, int node) __size_overflow(2,4);
++static void *alloc_ring(struct device *dev, size_t nelem, size_t elem_size,
++			size_t sw_size, dma_addr_t *phys, void *metadata,
+ 			size_t stat_size, int node)
+ {
+ 	size_t len = nelem * elem_size + stat_size;
+diff --git a/drivers/net/ethernet/chelsio/cxgb4vf/sge.c b/drivers/net/ethernet/chelsio/cxgb4vf/sge.c
+index 8d5d55a..a3c3474 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4vf/sge.c
++++ b/drivers/net/ethernet/chelsio/cxgb4vf/sge.c
+@@ -730,6 +730,9 @@ static inline void __refill_fl(struct adapter *adapter, struct sge_fl *fl)
+  */
+ static void *alloc_ring(struct device *dev, size_t nelem, size_t hwsize,
+ 			size_t swsize, dma_addr_t *busaddrp, void *swringp,
++			size_t stat_size) __size_overflow(2,4);
++static void *alloc_ring(struct device *dev, size_t nelem, size_t hwsize,
++			size_t swsize, dma_addr_t *busaddrp, void *swringp,
+ 			size_t stat_size)
+ {
+ 	/*
 diff --git a/drivers/net/ethernet/dec/tulip/de4x5.c b/drivers/net/ethernet/dec/tulip/de4x5.c
 index 871bcaa..4043505 100644
 --- a/drivers/net/ethernet/dec/tulip/de4x5.c
@@ -34590,6 +35371,60 @@ index 46db5c5..37c1536 100644
  
  	err = platform_driver_register(&sk_isa_driver);
  	if (err)
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index 7bea9c6..7ef073c 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -359,7 +359,7 @@ static void tun_free_netdev(struct net_device *dev)
+ {
+ 	struct tun_struct *tun = netdev_priv(dev);
+ 
+-	sock_put(tun->socket.sk);
++	sk_release_kernel(tun->socket.sk);
+ }
+ 
+ /* Net device open. */
+@@ -979,10 +979,18 @@ static int tun_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	return ret;
+ }
+ 
++static int tun_release(struct socket *sock)
++{
++	if (sock->sk)
++		sock_put(sock->sk);
++	return 0;
++}
++
+ /* Ops structure to mimic raw sockets with tun */
+ static const struct proto_ops tun_socket_ops = {
+ 	.sendmsg = tun_sendmsg,
+ 	.recvmsg = tun_recvmsg,
++	.release = tun_release,
+ };
+ 
+ static struct proto tun_proto = {
+@@ -1109,10 +1117,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
+ 		tun->vnet_hdr_sz = sizeof(struct virtio_net_hdr);
+ 
+ 		err = -ENOMEM;
+-		sk = sk_alloc(net, AF_UNSPEC, GFP_KERNEL, &tun_proto);
++		sk = sk_alloc(&init_net, AF_UNSPEC, GFP_KERNEL, &tun_proto);
+ 		if (!sk)
+ 			goto err_free_dev;
+ 
++		sk_change_net(sk, net);
+ 		tun->socket.wq = &tun->wq;
+ 		init_waitqueue_head(&tun->wq.wait);
+ 		tun->socket.ops = &tun_socket_ops;
+@@ -1173,7 +1182,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
+ 	return 0;
+ 
+  err_free_sk:
+-	sock_put(sk);
++	tun_free_netdev(dev);
+  err_free_dev:
+ 	free_netdev(dev);
+  failed:
 diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
 index 304fe78..db112fa 100644
 --- a/drivers/net/usb/hso.c
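Review bot: The socket reference counting in the drivers/net/tun.c section is undocumented, which makes the new error path hard to check for a double put. `tun_release()` drops a reference with `sock_put()`, `tun_free_netdev()` now calls `sk_release_kernel()`, and the `err_free_sk` label calls `tun_free_netdev(dev)` immediately before `free_netdev(dev)`, yet nothing states which release pairs with which acquisition. I would add a comment above `tun_release`, for instance `/* drops the sk_alloc() reference; reached via sk_release_kernel() */` (wording to be confirmed against the socket core). A second comment at `sk_alloc(&init_net, ...)` should explain that `sk_change_net(sk, net)` then moves the socket into the caller's namespace. `tun_set_iff` starts and ends outside the hunk.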
@@ -34716,6 +35551,20 @@ index 0f9ee46..e2d6e65 100644
  
  struct ath_common;
  struct ath_bus_ops;
+diff --git a/drivers/net/wireless/ath/ath5k/debug.c b/drivers/net/wireless/ath/ath5k/debug.c
+index 8c5ce8b..abf101b 100644
+--- a/drivers/net/wireless/ath/ath5k/debug.c
++++ b/drivers/net/wireless/ath/ath5k/debug.c
+@@ -343,6 +343,9 @@ static ssize_t read_file_debug(struct file *file, char __user *user_buf,
+ 
+ static ssize_t write_file_debug(struct file *file,
+ 				 const char __user *userbuf,
++				 size_t count, loff_t *ppos) __size_overflow(3);
++static ssize_t write_file_debug(struct file *file,
++				 const char __user *userbuf,
+ 				 size_t count, loff_t *ppos)
+ {
+ 	struct ath5k_hw *ah = file->private_data;
 diff --git a/drivers/net/wireless/ath/ath9k/ar9002_mac.c b/drivers/net/wireless/ath/ath9k/ar9002_mac.c
 index b592016..fe47870 100644
 --- a/drivers/net/wireless/ath/ath9k/ar9002_mac.c
@@ -34921,6 +35770,32 @@ index f5ae3c6..7936af3 100644
  }
  
  static u16 ar9003_calc_ptr_chksum(struct ar9003_txc *ads)
+diff --git a/drivers/net/wireless/ath/ath9k/debug.c b/drivers/net/wireless/ath/ath9k/debug.c
+index 2741203..837a960 100644
+--- a/drivers/net/wireless/ath/ath9k/debug.c
++++ b/drivers/net/wireless/ath/ath9k/debug.c
+@@ -60,6 +60,8 @@ static ssize_t read_file_debug(struct file *file, char __user *user_buf,
+ }
+ 
+ static ssize_t write_file_debug(struct file *file, const char __user *user_buf,
++			     size_t count, loff_t *ppos) __size_overflow(3);
++static ssize_t write_file_debug(struct file *file, const char __user *user_buf,
+ 			     size_t count, loff_t *ppos)
+ {
+ 	struct ath_softc *sc = file->private_data;
+diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c
+index d3ff33c..c98bcda 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c
+@@ -464,6 +464,8 @@ static ssize_t read_file_debug(struct file *file, char __user *user_buf,
+ }
+ 
+ static ssize_t write_file_debug(struct file *file, const char __user *user_buf,
++				size_t count, loff_t *ppos) __size_overflow(3);
++static ssize_t write_file_debug(struct file *file, const char __user *user_buf,
+ 				size_t count, loff_t *ppos)
+ {
+ 	struct ath9k_htc_priv *priv = file->private_data;
 diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h
 index 1bd8edf..10c6d30 100644
 --- a/drivers/net/wireless/ath/ath9k/hw.h
@@ -35118,6 +35993,42 @@ index f8c752e..28bf4fc 100644
  	start_switch_worker();
  }
  
+diff --git a/drivers/oprofile/oprofile_files.c b/drivers/oprofile/oprofile_files.c
+index 84a208d..f07d177 100644
+--- a/drivers/oprofile/oprofile_files.c
++++ b/drivers/oprofile/oprofile_files.c
+@@ -36,6 +36,8 @@ static ssize_t timeout_read(struct file *file, char __user *buf,
+ 
+ 
+ static ssize_t timeout_write(struct file *file, char const __user *buf,
++		size_t count, loff_t *offset) __size_overflow(3);
++static ssize_t timeout_write(struct file *file, char const __user *buf,
+ 		size_t count, loff_t *offset)
+ {
+ 	unsigned long val;
+@@ -72,6 +74,7 @@ static ssize_t depth_read(struct file *file, char __user *buf, size_t count, lof
+ }
+ 
+ 
++static ssize_t depth_write(struct file *file, char const __user *buf, size_t count, loff_t *offset) __size_overflow(3);
+ static ssize_t depth_write(struct file *file, char const __user *buf, size_t count, loff_t *offset)
+ {
+ 	unsigned long val;
+@@ -126,12 +129,14 @@ static const struct file_operations cpu_type_fops = {
+ };
+ 
+ 
++static ssize_t enable_read(struct file *file, char __user *buf, size_t count, loff_t *offset) __size_overflow(3);
+ static ssize_t enable_read(struct file *file, char __user *buf, size_t count, loff_t *offset)
+ {
+ 	return oprofilefs_ulong_to_user(oprofile_started, buf, count, offset);
+ }
+ 
+ 
++static ssize_t enable_write(struct file *file, char const __user *buf, size_t count, loff_t *offset) __size_overflow(3);
+ static ssize_t enable_write(struct file *file, char const __user *buf, size_t count, loff_t *offset)
+ {
+ 	unsigned long val;
 diff --git a/drivers/oprofile/oprofile_stats.c b/drivers/oprofile/oprofile_stats.c
 index 917d28e..d62d981 100644
 --- a/drivers/oprofile/oprofile_stats.c
@@ -35161,10 +36072,18 @@ index 38b6fc0..b5cbfce 100644
  
  extern struct oprofile_stat_struct oprofile_stats;
 diff --git a/drivers/oprofile/oprofilefs.c b/drivers/oprofile/oprofilefs.c
-index 2f0aa0f..90fab02 100644
+index 2f0aa0f..d5246c3 100644
 --- a/drivers/oprofile/oprofilefs.c
 +++ b/drivers/oprofile/oprofilefs.c
-@@ -193,7 +193,7 @@ static const struct file_operations atomic_ro_fops = {
+@@ -97,6 +97,7 @@ static ssize_t ulong_read_file(struct file *file, char __user *buf, size_t count
+ }
+ 
+ 
++static ssize_t ulong_write_file(struct file *file, char const __user *buf, size_t count, loff_t *offset) __size_overflow(3);
+ static ssize_t ulong_write_file(struct file *file, char const __user *buf, size_t count, loff_t *offset)
+ {
+ 	unsigned long value;
+@@ -193,7 +194,7 @@ static const struct file_operations atomic_ro_fops = {
  
  
  int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
@@ -35277,6 +36196,19 @@ index 27911b5..5b6db88 100644
  	proc_create("devices", 0, proc_bus_pci_dir,
  		    &proc_bus_pci_dev_operations);
  	proc_initialized = 1;
+diff --git a/drivers/platform/x86/asus_acpi.c b/drivers/platform/x86/asus_acpi.c
+index d9312b3..59f63f2 100644
+--- a/drivers/platform/x86/asus_acpi.c
++++ b/drivers/platform/x86/asus_acpi.c
+@@ -887,6 +887,8 @@ static int lcd_proc_open(struct inode *inode, struct file *file)
+ }
+ 
+ static ssize_t lcd_proc_write(struct file *file, const char __user *buffer,
++	       size_t count, loff_t *pos) __size_overflow(3);
++static ssize_t lcd_proc_write(struct file *file, const char __user *buffer,
+ 	       size_t count, loff_t *pos)
+ {
+ 	int rv, value;
 diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
 index 7b82868..b9344c9 100644
 --- a/drivers/platform/x86/thinkpad_acpi.c
@@ -35409,6 +36341,19 @@ index 7b82868..b9344c9 100644
  
  /*
   * Polling driver
+diff --git a/drivers/platform/x86/toshiba_acpi.c b/drivers/platform/x86/toshiba_acpi.c
+index dcdc1f4..85cee16 100644
+--- a/drivers/platform/x86/toshiba_acpi.c
++++ b/drivers/platform/x86/toshiba_acpi.c
+@@ -517,6 +517,8 @@ static int set_lcd_status(struct backlight_device *bd)
+ }
+ 
+ static ssize_t lcd_proc_write(struct file *file, const char __user *buf,
++			      size_t count, loff_t *pos) __size_overflow(3);
++static ssize_t lcd_proc_write(struct file *file, const char __user *buf,
+ 			      size_t count, loff_t *pos)
+ {
+ 	struct toshiba_acpi_dev *dev = PDE(file->f_path.dentry->d_inode)->data;
 diff --git a/drivers/pnp/pnpbios/bioscalls.c b/drivers/pnp/pnpbios/bioscalls.c
 index b859d16..5cc6b1a 100644
 --- a/drivers/pnp/pnpbios/bioscalls.c
@@ -36741,6 +37686,32 @@ index 06c1a74..866eebc 100644
  
  	cmd->size = t->iovec.iov_len - sizeof(struct netfs_cmd) +
  		t->attached_size + t->attached_pages * sizeof(struct netfs_cmd);
+diff --git a/drivers/staging/rtl8192e/rtllib_module.c b/drivers/staging/rtl8192e/rtllib_module.c
+index c36a140..dd27fda 100644
+--- a/drivers/staging/rtl8192e/rtllib_module.c
++++ b/drivers/staging/rtl8192e/rtllib_module.c
+@@ -228,6 +228,8 @@ static int show_debug_level(char *page, char **start, off_t offset,
+ }
+ 
+ static int store_debug_level(struct file *file, const char __user *buffer,
++			     unsigned long count, void *data) __size_overflow(3);
++static int store_debug_level(struct file *file, const char __user *buffer,
+ 			     unsigned long count, void *data)
+ {
+ 	char buf[] = "0x00000000";
+diff --git a/drivers/staging/rtl8192u/ieee80211/ieee80211_module.c b/drivers/staging/rtl8192u/ieee80211/ieee80211_module.c
+index e3d47bc..85f4d0d 100644
+--- a/drivers/staging/rtl8192u/ieee80211/ieee80211_module.c
++++ b/drivers/staging/rtl8192u/ieee80211/ieee80211_module.c
+@@ -250,6 +250,8 @@ static int show_debug_level(char *page, char **start, off_t offset,
+ }
+ 
+ static int store_debug_level(struct file *file, const char *buffer,
++			     unsigned long count, void *data) __size_overflow(3);
++static int store_debug_level(struct file *file, const char *buffer,
+ 			     unsigned long count, void *data)
+ {
+ 	char buf[] = "0x00000000";
 diff --git a/drivers/staging/rtl8712/rtl871x_io.h b/drivers/staging/rtl8712/rtl871x_io.h
 index 86308a0..feaa925 100644
 --- a/drivers/staging/rtl8712/rtl871x_io.h
@@ -37791,21 +38762,6 @@ index d956965..4179a77 100644
  	if (file->f_version != event_count) {
  		file->f_version = event_count;
  		return POLLIN | POLLRDNORM;
-diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
-index b3bdfed..a9460e0 100644
---- a/drivers/usb/core/message.c
-+++ b/drivers/usb/core/message.c
-@@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device *udev, int index)
- 	buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
- 	if (buf) {
- 		len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
--		if (len > 0) {
--			smallbuf = kmalloc(++len, GFP_NOIO);
-+		if (len++ > 0) {
-+			smallbuf = kmalloc(len, GFP_NOIO);
- 			if (!smallbuf)
- 				return buf;
- 			memcpy(smallbuf, buf, len);
 diff --git a/drivers/usb/early/ehci-dbgp.c b/drivers/usb/early/ehci-dbgp.c
 index 1fc8f12..20647c1 100644
 --- a/drivers/usb/early/ehci-dbgp.c
@@ -37908,6 +38864,19 @@ index b0b2ac3..89a4399 100644
  	"AGP",
  	"PCI",
  	"PRO AGP",
+diff --git a/drivers/video/backlight/s6e63m0.c b/drivers/video/backlight/s6e63m0.c
+index e132157..516db70 100644
+--- a/drivers/video/backlight/s6e63m0.c
++++ b/drivers/video/backlight/s6e63m0.c
+@@ -690,7 +690,7 @@ static ssize_t s6e63m0_sysfs_store_gamma_mode(struct device *dev,
+ 	struct backlight_device *bd = NULL;
+ 	int brightness, rc;
+ 
+-	rc = strict_strtoul(buf, 0, (unsigned long *)&lcd->gamma_mode);
++	rc = kstrtouint(buf, 0, &lcd->gamma_mode);
+ 	if (rc < 0)
+ 		return rc;
+ 
 diff --git a/drivers/video/fbcmap.c b/drivers/video/fbcmap.c
 index 5c3960d..15cf8fc 100644
 --- a/drivers/video/fbcmap.c
@@ -41090,7 +42059,7 @@ index 79e2ca7..5828ad1 100644
  	  A.out (Assembler.OUTput) is a set of formats for libraries and
  	  executables used in the earliest versions of UNIX.  Linux used
 diff --git a/fs/aio.c b/fs/aio.c
-index 67e4b90..fbb09dc 100644
+index 67e4b90..86cb1d5 100644
 --- a/fs/aio.c
 +++ b/fs/aio.c
 @@ -119,7 +119,7 @@ static int aio_setup_ring(struct kioctx *ctx)
@@ -41102,7 +42071,69 @@ index 67e4b90..fbb09dc 100644
  		return -EINVAL;
  
  	nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
-@@ -1463,22 +1463,27 @@ static ssize_t aio_fsync(struct kiocb *iocb)
+@@ -228,12 +228,6 @@ static void __put_ioctx(struct kioctx *ctx)
+ 	call_rcu(&ctx->rcu_head, ctx_rcu_free);
+ }
+ 
+-static inline void get_ioctx(struct kioctx *kioctx)
+-{
+-	BUG_ON(atomic_read(&kioctx->users) <= 0);
+-	atomic_inc(&kioctx->users);
+-}
+-
+ static inline int try_get_ioctx(struct kioctx *kioctx)
+ {
+ 	return atomic_inc_not_zero(&kioctx->users);
+@@ -273,7 +267,7 @@ static struct kioctx *ioctx_alloc(unsigned nr_events)
+ 	mm = ctx->mm = current->mm;
+ 	atomic_inc(&mm->mm_count);
+ 
+-	atomic_set(&ctx->users, 1);
++	atomic_set(&ctx->users, 2);
+ 	spin_lock_init(&ctx->ctx_lock);
+ 	spin_lock_init(&ctx->ring_info.ring_lock);
+ 	init_waitqueue_head(&ctx->wait);
+@@ -609,11 +603,16 @@ static void aio_fput_routine(struct work_struct *data)
+ 			fput(req->ki_filp);
+ 
+ 		/* Link the iocb into the context's free list */
++		rcu_read_lock();
+ 		spin_lock_irq(&ctx->ctx_lock);
+ 		really_put_req(ctx, req);
++		/*
++		 * at that point ctx might've been killed, but actual
++		 * freeing is RCU'd
++		 */
+ 		spin_unlock_irq(&ctx->ctx_lock);
++		rcu_read_unlock();
+ 
+-		put_ioctx(ctx);
+ 		spin_lock_irq(&fput_lock);
+ 	}
+ 	spin_unlock_irq(&fput_lock);
+@@ -644,7 +643,6 @@ static int __aio_put_req(struct kioctx *ctx, struct kiocb *req)
+ 	 * this function will be executed w/out any aio kthread wakeup.
+ 	 */
+ 	if (unlikely(!fput_atomic(req->ki_filp))) {
+-		get_ioctx(ctx);
+ 		spin_lock(&fput_lock);
+ 		list_add(&req->ki_list, &fput_head);
+ 		spin_unlock(&fput_lock);
+@@ -1338,10 +1336,10 @@ SYSCALL_DEFINE2(io_setup, unsigned, nr_events, aio_context_t __user *, ctxp)
+ 	ret = PTR_ERR(ioctx);
+ 	if (!IS_ERR(ioctx)) {
+ 		ret = put_user(ioctx->user_id, ctxp);
+-		if (!ret)
++		if (!ret) {
++			put_ioctx(ioctx);
+ 			return 0;
+-
+-		get_ioctx(ioctx); /* io_destroy() expects us to hold a ref */
++		}
+ 		io_destroy(ioctx);
+ 	}
+ 
+@@ -1463,22 +1461,27 @@ static ssize_t aio_fsync(struct kiocb *iocb)
  static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat)
  {
  	ssize_t ret;
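Review bot: `atomic_set(&ctx->users, 2);` in `ioctx_alloc()` raises the initial reference count without a comment saying who owns the second reference. From the `io_setup` lines in the same section the extra reference appears to belong to the caller: the success path now calls `put_ioctx(ioctx)` and the failure path passes it straight to `io_destroy(ioctx)` with the old `get_ioctx()` removed. A comment at the initialisation, e.g. `/* one ref for the context's lifetime, one for the caller: dropped in io_setup() or consumed by io_destroy() */` (to be confirmed against the rest of fs/aio.c), would keep a future caller of `ioctx_alloc()` from leaking or over-dropping it. `ioctx_alloc` and `io_setup` continue outside the hunk.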
@@ -42469,6 +43500,20 @@ index 9895400..fa40a7d 100644
  	int err;
  	u32 ftype;
  	struct ceph_mds_reply_info_parsed *rinfo;
+diff --git a/fs/cifs/asn1.c b/fs/cifs/asn1.c
+index cfd1ce3..6b13a74 100644
+--- a/fs/cifs/asn1.c
++++ b/fs/cifs/asn1.c
+@@ -416,6 +416,9 @@ asn1_subid_decode(struct asn1_ctx *ctx, unsigned long *subid)
+ 
+ static int
+ asn1_oid_decode(struct asn1_ctx *ctx,
++		unsigned char *eoc, unsigned long **oid, unsigned int *len) __size_overflow(2);
++static int
++asn1_oid_decode(struct asn1_ctx *ctx,
+ 		unsigned char *eoc, unsigned long **oid, unsigned int *len)
+ {
+ 	unsigned long subid;
 diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
 index 84e8c07..6170d31 100644
 --- a/fs/cifs/cifs_debug.c
@@ -43099,7 +44144,7 @@ index 608c1c3..7d040a8 100644
  	return rc;
  }
 diff --git a/fs/exec.c b/fs/exec.c
-index 3625464..cdeecdb 100644
+index 3625464..ff895b9 100644
 --- a/fs/exec.c
 +++ b/fs/exec.c
 @@ -55,12 +55,28 @@
@@ -43605,7 +44650,7 @@ index 3625464..cdeecdb 100644
  	cn->corename = kmalloc(cn->size, GFP_KERNEL);
  	cn->used = 0;
  
-@@ -1812,6 +1938,218 @@ out:
+@@ -1812,6 +1938,228 @@ out:
  	return ispipe;
  }
  
@@ -43821,10 +44866,20 @@ index 3625464..cdeecdb 100644
 +EXPORT_SYMBOL(pax_track_stack);
 +#endif
 +
++#ifdef CONFIG_PAX_SIZE_OVERFLOW
++void report_size_overflow(const char *file, unsigned int line, const char *func)
++{
++	printk(KERN_ERR "PAX: size overflow detected in function %s %s:%u\n", func, file, line);
++	dump_stack();
++	do_group_exit(SIGKILL);
++}
++EXPORT_SYMBOL(report_size_overflow);
++#endif
++
  static int zap_process(struct task_struct *start, int exit_code)
  {
  	struct task_struct *t;
-@@ -2023,17 +2361,17 @@ static void wait_for_dump_helpers(struct file *file)
+@@ -2023,17 +2371,17 @@ static void wait_for_dump_helpers(struct file *file)
  	pipe = file->f_path.dentry->d_inode->i_pipe;
  
  	pipe_lock(pipe);
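Review bot: `report_size_overflow()` has no header comment saying who calls it or in which contexts it is valid, and it ends in `do_group_exit(SIGKILL)` regardless of what the interrupted code was holding. Whether the instrumented check can fire with a lock held or outside process context cannot be determined from this hunk; if it can, terminating the task there is unsafe, and the constraint should be written down above the function. The `printk(KERN_ERR ...)` followed by `dump_stack()` is also unthrottled, so a path that a local user can trigger repeatedly would produce a full stack dump per attempt. Guarding the two logging calls with `if (printk_ratelimit())` would bound the log volume while leaving the kill unconditional.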
@@ -43847,7 +44902,7 @@ index 3625464..cdeecdb 100644
  	pipe_unlock(pipe);
  
  }
-@@ -2094,7 +2432,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2094,7 +2442,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  	int retval = 0;
  	int flag = 0;
  	int ispipe;
@@ -43856,7 +44911,7 @@ index 3625464..cdeecdb 100644
  	struct coredump_params cprm = {
  		.signr = signr,
  		.regs = regs,
-@@ -2109,6 +2447,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2109,6 +2457,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  
  	audit_core_dumps(signr);
  
@@ -43866,7 +44921,7 @@ index 3625464..cdeecdb 100644
  	binfmt = mm->binfmt;
  	if (!binfmt || !binfmt->core_dump)
  		goto fail;
-@@ -2176,7 +2517,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2176,7 +2527,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  		}
  		cprm.limit = RLIM_INFINITY;
  
@@ -43875,7 +44930,7 @@ index 3625464..cdeecdb 100644
  		if (core_pipe_limit && (core_pipe_limit < dump_count)) {
  			printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
  			       task_tgid_vnr(current), current->comm);
-@@ -2203,6 +2544,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2203,6 +2554,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  	} else {
  		struct inode *inode;
  
@@ -43884,7 +44939,7 @@ index 3625464..cdeecdb 100644
  		if (cprm.limit < binfmt->min_coredump)
  			goto fail_unlock;
  
-@@ -2246,7 +2589,7 @@ close_fail:
+@@ -2246,7 +2599,7 @@ close_fail:
  		filp_close(cprm.file, NULL);
  fail_dropcount:
  	if (ispipe)
@@ -43893,7 +44948,7 @@ index 3625464..cdeecdb 100644
  fail_unlock:
  	kfree(cn.corename);
  fail_corename:
-@@ -2265,7 +2608,7 @@ fail:
+@@ -2265,7 +2618,7 @@ fail:
   */
  int dump_write(struct file *file, const void *addr, int nr)
  {
@@ -45730,7 +46785,7 @@ index 0be5a78..9cfb853 100644
  static int can_do_hugetlb_shm(void)
  {
 diff --git a/fs/inode.c b/fs/inode.c
-index ee4e66b..0451521 100644
+index ee4e66b..9a39f9c 100644
 --- a/fs/inode.c
 +++ b/fs/inode.c
 @@ -787,8 +787,8 @@ unsigned int get_next_ino(void)
@@ -45744,6 +46799,24 @@ index ee4e66b..0451521 100644
  
  		res = next - LAST_INO_BATCH;
  	}
+@@ -855,8 +855,7 @@ void lockdep_annotate_inode_mutex_key(struct inode *inode)
+ 		struct file_system_type *type = inode->i_sb->s_type;
+ 
+ 		/* Set new key only if filesystem hasn't already changed it */
+-		if (!lockdep_match_class(&inode->i_mutex,
+-		    &type->i_mutex_key)) {
++		if (lockdep_match_class(&inode->i_mutex, &type->i_mutex_key)) {
+ 			/*
+ 			 * ensure nobody is actually holding i_mutex
+ 			 */
+@@ -883,6 +882,7 @@ void unlock_new_inode(struct inode *inode)
+ 	spin_lock(&inode->i_lock);
+ 	WARN_ON(!(inode->i_state & I_NEW));
+ 	inode->i_state &= ~I_NEW;
++	smp_mb();
+ 	wake_up_bit(&inode->i_state, __I_NEW);
+ 	spin_unlock(&inode->i_lock);
+ }
 diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c
 index e513f19..2ab1351 100644
 --- a/fs/jffs2/erase.c
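Review bot: The added `smp_mb();` in `unlock_new_inode()` carries no comment naming the accesses it orders. In the visible lines it sits between `inode->i_state &= ~I_NEW;` and `wake_up_bit(&inode->i_state, __I_NEW);`, so it presumably makes the cleared bit visible before the wait queue is inspected. A comment such as `/* order the I_NEW clear before wake_up_bit() checks for waiters */` would record that and show which barrier on the waiter side it pairs with.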
@@ -45857,7 +46930,7 @@ index 637694b..f84a121 100644
  
  	lock_flocks();
 diff --git a/fs/namei.c b/fs/namei.c
-index 744e942..24ef47f 100644
+index 744e942..a19f203 100644
 --- a/fs/namei.c
 +++ b/fs/namei.c
 @@ -279,16 +279,32 @@ int generic_permission(struct inode *inode, int mask)
@@ -46018,10 +47091,12 @@ index 744e942..24ef47f 100644
  		audit_inode(pathname, dir);
  		goto ok;
  	}
-@@ -2140,6 +2207,16 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2139,7 +2206,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+ 		/* sayonara */
  		error = complete_walk(nd);
  		if (error)
- 			return ERR_PTR(-ECHILD);
+-			return ERR_PTR(-ECHILD);
++			return ERR_PTR(error);
 +#ifdef CONFIG_GRKERNSEC
 +		if (nd->flags & LOOKUP_RCU) {
 +			error = -ECHILD;
@@ -46077,6 +47152,15 @@ index 744e942..24ef47f 100644
  	mutex_unlock(&dir->d_inode->i_mutex);
  	audit_inode(pathname, path->dentry);
  
+@@ -2238,7 +2336,7 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+ 	/* Why this, you ask?  _Now_ we might have grown LOOKUP_JUMPED... */
+ 	error = complete_walk(nd);
+ 	if (error)
+-		goto exit;
++		return ERR_PTR(error);
+ 	error = -EISDIR;
+ 	if (S_ISDIR(nd->inode->i_mode))
+ 		goto exit;
 @@ -2424,6 +2522,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path
  	*path = nd.path;
  	return dentry;
@@ -46407,6 +47491,28 @@ index cfc6d44..b4632a5 100644
  	get_fs_root(current->fs, &root);
  	error = lock_mount(&old);
  	if (error)
+diff --git a/fs/ncpfs/ncplib_kernel.h b/fs/ncpfs/ncplib_kernel.h
+index 09881e6..308ff20 100644
+--- a/fs/ncpfs/ncplib_kernel.h
++++ b/fs/ncpfs/ncplib_kernel.h
+@@ -130,7 +130,7 @@ static inline int ncp_is_nfs_extras(struct ncp_server* server, unsigned int voln
+ int ncp__io2vol(struct ncp_server *, unsigned char *, unsigned int *,
+ 				const unsigned char *, unsigned int, int);
+ int ncp__vol2io(struct ncp_server *, unsigned char *, unsigned int *,
+-				const unsigned char *, unsigned int, int);
++				const unsigned char *, unsigned int, int) __size_overflow(5);
+ 
+ #define NCP_ESC			':'
+ #define NCP_IO_TABLE(sb)	(NCP_SBP(sb)->nls_io)
+@@ -146,7 +146,7 @@ int ncp__vol2io(struct ncp_server *, unsigned char *, unsigned int *,
+ int ncp__io2vol(unsigned char *, unsigned int *,
+ 				const unsigned char *, unsigned int, int);
+ int ncp__vol2io(unsigned char *, unsigned int *,
+-				const unsigned char *, unsigned int, int);
++				const unsigned char *, unsigned int, int) __size_overflow(5);
+ 
+ #define NCP_IO_TABLE(sb)	NULL
+ #define ncp_tolower(t, c)	tolower(c)
 diff --git a/fs/nfs/blocklayout/blocklayout.c b/fs/nfs/blocklayout/blocklayout.c
 index 3db6b82..a57597e 100644
 --- a/fs/nfs/blocklayout/blocklayout.c
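Review bot: In the second `ncp__vol2io` prototype (the variant without a `struct ncp_server *` argument), `__size_overflow(5)` names the trailing `int`, not the `unsigned int` length, which is the fourth parameter there. In the first variant the fifth parameter is the `unsigned int`, so the index looks carried over without adjusting for the missing server argument. If the length is the intended operand, the second declaration should read `const unsigned char *, unsigned int, int) __size_overflow(4);`.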
@@ -46484,6 +47590,31 @@ index 7a2e442..8e544cc 100644
  	set_fs(oldfs);
  
  	if (host_err < 0)
+diff --git a/fs/nilfs2/the_nilfs.c b/fs/nilfs2/the_nilfs.c
+index d327140..501b7f8 100644
+--- a/fs/nilfs2/the_nilfs.c
++++ b/fs/nilfs2/the_nilfs.c
+@@ -409,6 +409,12 @@ static int nilfs_store_disk_layout(struct the_nilfs *nilfs,
+ 	nilfs->ns_first_data_block = le64_to_cpu(sbp->s_first_data_block);
+ 	nilfs->ns_r_segments_percentage =
+ 		le32_to_cpu(sbp->s_r_segments_percentage);
++	if (nilfs->ns_r_segments_percentage < 1 ||
++	    nilfs->ns_r_segments_percentage > 99) {
++		printk(KERN_ERR "NILFS: invalid reserved segments percentage.\n");
++		return -EINVAL;
++	}
++
+ 	nilfs_set_nsegments(nilfs, le64_to_cpu(sbp->s_nsegments));
+ 	nilfs->ns_crc_seed = le32_to_cpu(sbp->s_crc_seed);
+ 	return 0;
+@@ -515,6 +521,7 @@ static int nilfs_load_super_block(struct the_nilfs *nilfs,
+ 		brelse(sbh[1]);
+ 		sbh[1] = NULL;
+ 		sbp[1] = NULL;
++		valid[1] = 0;
+ 		swp = 0;
+ 	}
+ 	if (!valid[swp]) {
 diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
 index 9fde1c0..14e8827 100644
 --- a/fs/notify/fanotify/fanotify_user.c
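Review bot: The added range check in nilfs_store_disk_layout rejects a superblock whose `s_r_segments_percentage` is outside 1..99, but it logs neither the rejected value nor the device. That makes a corrupted or malformed image harder to triage from the kernel log. Including the value would help, for example `printk(KERN_ERR "NILFS: invalid reserved segments percentage: %lu\n", nilfs->ns_r_segments_percentage);`, with the format specifier matched to the field's declared type, which is not visible here. A one-line comment saying the field is read from disk and validated before use would also document why the bounds exist.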
@@ -48306,7 +49437,7 @@ index d33418f..2a5345e 100644
  		return -EINVAL;
  
 diff --git a/fs/seq_file.c b/fs/seq_file.c
-index dba43c3..9fb8511 100644
+index dba43c3..4b3f701 100644
 --- a/fs/seq_file.c
 +++ b/fs/seq_file.c
 @@ -9,6 +9,7 @@
@@ -48327,47 +49458,7 @@ index dba43c3..9fb8511 100644
  
  	/*
  	 * Wrappers around seq_open(e.g. swaps_open) need to be
-@@ -76,7 +80,8 @@ static int traverse(struct seq_file *m, loff_t offset)
- 		return 0;
- 	}
- 	if (!m->buf) {
--		m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
-+		m->size = PAGE_SIZE;
-+		m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
- 		if (!m->buf)
- 			return -ENOMEM;
- 	}
-@@ -116,7 +121,8 @@ static int traverse(struct seq_file *m, loff_t offset)
- Eoverflow:
- 	m->op->stop(m, p);
- 	kfree(m->buf);
--	m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
-+	m->size <<= 1;
-+	m->buf = kmalloc(m->size, GFP_KERNEL);
- 	return !m->buf ? -ENOMEM : -EAGAIN;
- }
- 
-@@ -169,7 +175,8 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
- 	m->version = file->f_version;
- 	/* grab buffer if we didn't have one */
- 	if (!m->buf) {
--		m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
-+		m->size = PAGE_SIZE;
-+		m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
- 		if (!m->buf)
- 			goto Enomem;
- 	}
-@@ -210,7 +217,8 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
- 			goto Fill;
- 		m->op->stop(m, p);
- 		kfree(m->buf);
--		m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
-+		m->size <<= 1;
-+		m->buf = kmalloc(m->size, GFP_KERNEL);
- 		if (!m->buf)
- 			goto Enomem;
- 		m->count = 0;
-@@ -549,7 +557,7 @@ static void single_stop(struct seq_file *p, void *v)
+@@ -549,7 +553,7 @@ static void single_stop(struct seq_file *p, void *v)
  int single_open(struct file *file, int (*show)(struct seq_file *, void *),
  		void *data)
  {
@@ -48518,6 +49609,19 @@ index fa2defa..8601650 100644
  		ret = -EAGAIN;
  
  	pipe_unlock(ipipe);
+diff --git a/fs/sysfs/bin.c b/fs/sysfs/bin.c
+index a475983..9c6a1f0 100644
+--- a/fs/sysfs/bin.c
++++ b/fs/sysfs/bin.c
+@@ -67,6 +67,8 @@ fill_read(struct file *file, char *buffer, loff_t off, size_t count)
+ }
+ 
+ static ssize_t
++read(struct file *file, char __user *userbuf, size_t bytes, loff_t *off) __size_overflow(3);
++static ssize_t
+ read(struct file *file, char __user *userbuf, size_t bytes, loff_t *off)
+ {
+ 	struct bin_buffer *bb = file->private_data;
 diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
 index 7fdf6a7..e6cd8ad 100644
 --- a/fs/sysfs/dir.c
@@ -48603,6 +49707,44 @@ index a7ac78f..02158e1 100644
  	if (!IS_ERR(page))
  		free_page((unsigned long)page);
  }
+diff --git a/fs/ubifs/debug.c b/fs/ubifs/debug.c
+index b09ba2d..1cad1a8 100644
+--- a/fs/ubifs/debug.c
++++ b/fs/ubifs/debug.c
+@@ -2817,6 +2817,7 @@ static ssize_t dfs_file_read(struct file *file, char __user *u, size_t count,
+  * debugfs file. Returns %0 or %1 in case of success and a negative error code
+  * in case of failure.
+  */
++static int interpret_user_input(const char __user *u, size_t count) __size_overflow(2);
+ static int interpret_user_input(const char __user *u, size_t count)
+ {
+ 	size_t buf_size;
+@@ -2835,6 +2836,8 @@ static int interpret_user_input(const char __user *u, size_t count)
+ }
+ 
+ static ssize_t dfs_file_write(struct file *file, const char __user *u,
++			      size_t count, loff_t *ppos) __size_overflow(3);
++static ssize_t dfs_file_write(struct file *file, const char __user *u,
+ 			      size_t count, loff_t *ppos)
+ {
+ 	struct ubifs_info *c = file->private_data;
+diff --git a/fs/udf/file.c b/fs/udf/file.c
+index dca0c38..d567b84 100644
+--- a/fs/udf/file.c
++++ b/fs/udf/file.c
+@@ -201,12 +201,10 @@ out:
+ static int udf_release_file(struct inode *inode, struct file *filp)
+ {
+ 	if (filp->f_mode & FMODE_WRITE) {
+-		mutex_lock(&inode->i_mutex);
+ 		down_write(&UDF_I(inode)->i_data_sem);
+ 		udf_discard_prealloc(inode);
+ 		udf_truncate_tail_extent(inode);
+ 		up_write(&UDF_I(inode)->i_data_sem);
+-		mutex_unlock(&inode->i_mutex);
+ 	}
+ 	return 0;
+ }
 diff --git a/fs/udf/misc.c b/fs/udf/misc.c
 index c175b4d..8f36a16 100644
 --- a/fs/udf/misc.c
@@ -59111,32 +60253,6 @@ index 0d68a1e..b74a761 100644
  {
  	machine_restart(NULL);
  }
-diff --git a/include/asm-generic/int-l64.h b/include/asm-generic/int-l64.h
-index 1ca3efc..e3dc852 100644
---- a/include/asm-generic/int-l64.h
-+++ b/include/asm-generic/int-l64.h
-@@ -46,6 +46,8 @@ typedef unsigned int u32;
- typedef signed long s64;
- typedef unsigned long u64;
- 
-+typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
-+
- #define S8_C(x)  x
- #define U8_C(x)  x ## U
- #define S16_C(x) x
-diff --git a/include/asm-generic/int-ll64.h b/include/asm-generic/int-ll64.h
-index f394147..b6152b9 100644
---- a/include/asm-generic/int-ll64.h
-+++ b/include/asm-generic/int-ll64.h
-@@ -51,6 +51,8 @@ typedef unsigned int u32;
- typedef signed long long s64;
- typedef unsigned long long u64;
- 
-+typedef unsigned long long intoverflow_t;
-+
- #define S8_C(x)  x
- #define U8_C(x)  x ## U
- #define S16_C(x) x
 diff --git a/include/asm-generic/kmap_types.h b/include/asm-generic/kmap_types.h
 index 0232ccb..13d9165 100644
 --- a/include/asm-generic/kmap_types.h
@@ -59259,6 +60375,88 @@ index 76bff2b..c7a14e2 100644
  #endif /* !__ASSEMBLY__ */
  
  #endif /* _ASM_GENERIC_PGTABLE_H */
+diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h
+index ac68c99..b495b0a 100644
+--- a/include/asm-generic/uaccess.h
++++ b/include/asm-generic/uaccess.h
+@@ -76,6 +76,8 @@ extern unsigned long search_exception_table(unsigned long);
+  */
+ #ifndef __copy_from_user
+ static inline __must_check long __copy_from_user(void *to,
++		const void __user * from, unsigned long n) __size_overflow(3);
++static inline __must_check long __copy_from_user(void *to,
+ 		const void __user * from, unsigned long n)
+ {
+ 	if (__builtin_constant_p(n)) {
+@@ -106,6 +108,8 @@ static inline __must_check long __copy_from_user(void *to,
+ 
+ #ifndef __copy_to_user
+ static inline __must_check long __copy_to_user(void __user *to,
++		const void *from, unsigned long n) __size_overflow(3);
++static inline __must_check long __copy_to_user(void __user *to,
+ 		const void *from, unsigned long n)
+ {
+ 	if (__builtin_constant_p(n)) {
+@@ -224,6 +228,7 @@ extern int __put_user_bad(void) __attribute__((noreturn));
+ 		-EFAULT;					\
+ })
+ 
++static inline int __get_user_fn(size_t size, const void __user *ptr, void *x) __size_overflow(1);
+ static inline int __get_user_fn(size_t size, const void __user *ptr, void *x)
+ {
+ 	size = __copy_from_user(x, ptr, size);
+@@ -240,6 +245,7 @@ extern int __get_user_bad(void) __attribute__((noreturn));
+ #define __copy_to_user_inatomic __copy_to_user
+ #endif
+ 
++static inline long copy_from_user(void *to, const void __user * from, unsigned long n) __size_overflow(3);
+ static inline long copy_from_user(void *to,
+ 		const void __user * from, unsigned long n)
+ {
+@@ -250,6 +256,7 @@ static inline long copy_from_user(void *to,
+ 		return n;
+ }
+ 
++static inline long copy_to_user(void __user *to, const void *from, unsigned long n) __size_overflow(3);
+ static inline long copy_to_user(void __user *to,
+ 		const void *from, unsigned long n)
+ {
+@@ -265,6 +272,8 @@ static inline long copy_to_user(void __user *to,
+  */
+ #ifndef __strncpy_from_user
+ static inline long
++__strncpy_from_user(char *dst, const char __user *src, unsigned long count) __size_overflow(3);
++static inline long
+ __strncpy_from_user(char *dst, const char __user *src, long count)
+ {
+ 	char *tmp;
+@@ -276,6 +285,8 @@ __strncpy_from_user(char *dst, const char __user *src, long count)
+ #endif
+ 
+ static inline long
++strncpy_from_user(char *dst, const char __user *src, unsigned long count) __size_overflow(3);
++static inline long
+ strncpy_from_user(char *dst, const char __user *src, long count)
+ {
+ 	if (!access_ok(VERIFY_READ, src, 1))
+@@ -309,6 +320,8 @@ static inline long strlen_user(const char __user *src)
+  */
+ #ifndef __clear_user
+ static inline __must_check unsigned long
++__clear_user(void __user *to, unsigned long n) __size_overflow(2);
++static inline __must_check unsigned long
+ __clear_user(void __user *to, unsigned long n)
+ {
+ 	memset((void __force *)to, 0, n);
+@@ -317,6 +330,8 @@ __clear_user(void __user *to, unsigned long n)
+ #endif
+ 
+ static inline __must_check unsigned long
++clear_user(void __user *to, unsigned long n) __size_overflow(2);
++static inline __must_check unsigned long
+ clear_user(void __user *to, unsigned long n)
+ {
+ 	might_sleep();
 diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
 index b5e2e4c..6a5373e 100644
 --- a/include/asm-generic/vmlinux.lds.h
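Review bot: The prototypes added for `__strncpy_from_user` and `strncpy_from_user` declare `unsigned long count`, while the definitions directly below them keep `long count`, so declaration and definition have conflicting parameter types. A compiler should reject that on any architecture that actually builds this generic header, with or without the plugin, because `__size_overflow` only controls the attribute and not the parameter list. The prototypes should match the definitions, `__strncpy_from_user(char *dst, const char __user *src, long count) __size_overflow(3);` and likewise for `strncpy_from_user`. If `unsigned long` is intended, the definitions need to change with them.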
@@ -59557,10 +60755,10 @@ index 04ffb2e..6799180 100644
  extern struct cleancache_ops
  	cleancache_register_ops(struct cleancache_ops *ops);
 diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h
-index dfadc96..c0e70c1 100644
+index dfadc96..d90deca 100644
 --- a/include/linux/compiler-gcc4.h
 +++ b/include/linux/compiler-gcc4.h
-@@ -31,6 +31,12 @@
+@@ -31,6 +31,15 @@
  
  
  #if __GNUC_MINOR__ >= 5
@@ -59570,10 +60768,13 @@ index dfadc96..c0e70c1 100644
 +#define __do_const __attribute__((do_const))
 +#endif
 +
++#ifdef SIZE_OVERFLOW_PLUGIN
++#define __size_overflow(...) __attribute__((size_overflow(__VA_ARGS__)))
++#endif
  /*
   * Mark a position in code as unreachable.  This can be used to
   * suppress control flow warnings after asm blocks that transfer
-@@ -46,6 +52,11 @@
+@@ -46,6 +55,11 @@
  #define __noclone	__attribute__((__noclone__))
  
  #endif
@@ -59586,7 +60787,7 @@ index dfadc96..c0e70c1 100644
  
  #if __GNUC_MINOR__ > 0
 diff --git a/include/linux/compiler.h b/include/linux/compiler.h
-index 320d6c9..8573a1c 100644
+index 320d6c9..1221a6b 100644
 --- a/include/linux/compiler.h
 +++ b/include/linux/compiler.h
 @@ -5,31 +5,62 @@
@@ -59662,7 +60863,7 @@ index 320d6c9..8573a1c 100644
  #endif
  
  #ifdef __KERNEL__
-@@ -264,6 +297,14 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
+@@ -264,6 +297,17 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
  # define __attribute_const__	/* unimplemented */
  #endif
  
@@ -59674,10 +60875,13 @@ index 320d6c9..8573a1c 100644
 +# define __do_const
 +#endif
 +
++#ifndef __size_overflow
++# define __size_overflow(...)
++#endif
  /*
   * Tell gcc if a function is cold. The compiler will assume any path
   * directly leading to the call is unlikely.
-@@ -273,6 +314,22 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
+@@ -273,6 +317,22 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
  #define __cold
  #endif
  
@@ -59700,7 +60904,7 @@ index 320d6c9..8573a1c 100644
  /* Simple shorthand for a section definition */
  #ifndef __section
  # define __section(S) __attribute__ ((__section__(#S)))
-@@ -306,6 +363,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
+@@ -306,6 +366,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
   * use is to mediate communication between process-level code and irq/NMI
   * handlers, all running on the same CPU.
   */
@@ -59722,6 +60926,19 @@ index e9eaec5..bfeb9bb 100644
  }
  
  static inline void set_mems_allowed(nodemask_t nodemask)
+diff --git a/include/linux/crash_dump.h b/include/linux/crash_dump.h
+index b936763..48685ee 100644
+--- a/include/linux/crash_dump.h
++++ b/include/linux/crash_dump.h
+@@ -14,7 +14,7 @@ extern unsigned long long elfcorehdr_addr;
+ extern unsigned long long elfcorehdr_size;
+ 
+ extern ssize_t copy_oldmem_page(unsigned long, char *, size_t,
+-						unsigned long, int);
++						unsigned long, int) __size_overflow(3);
+ 
+ /* Architecture code defines this if there are other possible ELF
+  * machine types, e.g. on bi-arch capable hardware. */
 diff --git a/include/linux/cred.h b/include/linux/cred.h
 index 4030896..8d6f342 100644
 --- a/include/linux/cred.h
@@ -61335,7 +62552,7 @@ index b16f653..eb908f4 100644
  #define request_module_nowait(mod...) __request_module(false, mod)
  #define try_then_request_module(x, mod...) \
 diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
-index d526231..086e89b 100644
+index d526231..c9599fc 100644
 --- a/include/linux/kvm_host.h
 +++ b/include/linux/kvm_host.h
 @@ -308,7 +308,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vcpu);
@@ -61347,6 +62564,33 @@ index d526231..086e89b 100644
  		  struct module *module);
  void kvm_exit(void);
  
+@@ -385,20 +385,20 @@ void kvm_get_pfn(pfn_t pfn);
+ int kvm_read_guest_page(struct kvm *kvm, gfn_t gfn, void *data, int offset,
+ 			int len);
+ int kvm_read_guest_atomic(struct kvm *kvm, gpa_t gpa, void *data,
+-			  unsigned long len);
+-int kvm_read_guest(struct kvm *kvm, gpa_t gpa, void *data, unsigned long len);
++			  unsigned long len) __size_overflow(4);
++int kvm_read_guest(struct kvm *kvm, gpa_t gpa, void *data, unsigned long len) __size_overflow(2,4);
+ int kvm_read_guest_cached(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
+-			   void *data, unsigned long len);
++			   void *data, unsigned long len) __size_overflow(4);
+ int kvm_write_guest_page(struct kvm *kvm, gfn_t gfn, const void *data,
+ 			 int offset, int len);
+ int kvm_write_guest(struct kvm *kvm, gpa_t gpa, const void *data,
+-		    unsigned long len);
++		    unsigned long len) __size_overflow(2,4);
+ int kvm_write_guest_cached(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
+-			   void *data, unsigned long len);
++			   void *data, unsigned long len) __size_overflow(4);
+ int kvm_gfn_to_hva_cache_init(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
+ 			      gpa_t gpa);
+ int kvm_clear_guest_page(struct kvm *kvm, gfn_t gfn, int offset, int len);
+-int kvm_clear_guest(struct kvm *kvm, gpa_t gpa, unsigned long len);
++int kvm_clear_guest(struct kvm *kvm, gpa_t gpa, unsigned long len) __size_overflow(2,3);
+ struct kvm_memory_slot *gfn_to_memslot(struct kvm *kvm, gfn_t gfn);
+ int kvm_is_visible_gfn(struct kvm *kvm, gfn_t gfn);
+ unsigned long kvm_host_page_size(struct kvm *kvm, gfn_t gfn);
 @@ -454,7 +454,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(struct kvm_vcpu *vcpu,
  					struct kvm_guest_debug *dbg);
  int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
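Review bot: The annotations on the guest-access prototypes are not uniform. `kvm_read_guest`, `kvm_write_guest` and `kvm_clear_guest` list the `gpa_t gpa` argument as well as the length (`__size_overflow(2,4)` and `(2,3)`), whereas `kvm_read_guest_atomic`, which takes the same `(kvm, gpa, data, len)` parameters, lists only `(4)`. Nothing in these lines says whether a guest physical address is meant to be tracked as a size. Either annotate `kvm_read_guest_atomic` the same way, or add a one-line comment above the block explaining why `gpa` is included for some functions and not others.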
@@ -61356,6 +62600,15 @@ index d526231..086e89b 100644
  void kvm_arch_exit(void);
  
  int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
+@@ -690,7 +690,7 @@ int kvm_setup_default_irq_routing(struct kvm *kvm);
+ int kvm_set_irq_routing(struct kvm *kvm,
+ 			const struct kvm_irq_routing_entry *entries,
+ 			unsigned nr,
+-			unsigned flags);
++			unsigned flags) __size_overflow(3);
+ void kvm_free_irq_routing(struct kvm *kvm);
+ 
+ #else
 diff --git a/include/linux/libata.h b/include/linux/libata.h
 index cafc09a..d7e7829 100644
 --- a/include/linux/libata.h
@@ -61725,19 +62978,22 @@ index 3cb7839..511cb87 100644
  
  /* Search for module by name: must hold module_mutex. */
 diff --git a/include/linux/moduleloader.h b/include/linux/moduleloader.h
-index b2be02e..6a9fdb1 100644
+index b2be02e..edb10c9 100644
 --- a/include/linux/moduleloader.h
 +++ b/include/linux/moduleloader.h
-@@ -25,9 +25,21 @@ unsigned int arch_mod_section_prepend(struct module *mod, unsigned int section);
-    sections.  Returns NULL on failure. */
- void *module_alloc(unsigned long size);
+@@ -23,11 +23,23 @@ unsigned int arch_mod_section_prepend(struct module *mod, unsigned int section);
  
+ /* Allocator used for allocating struct module, core sections and init
+    sections.  Returns NULL on failure. */
+-void *module_alloc(unsigned long size);
++void *module_alloc(unsigned long size) __size_overflow(1);
++
 +#ifdef CONFIG_PAX_KERNEXEC
 +void *module_alloc_exec(unsigned long size);
 +#else
 +#define module_alloc_exec(x) module_alloc(x)
 +#endif
-+
+ 
  /* Free memory returned from module_alloc. */
  void module_free(struct module *mod, void *module_region);
  
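Review bot: `module_alloc` gains `__size_overflow(1)`, but the `module_alloc_exec(unsigned long size)` prototype in the CONFIG_PAX_KERNEXEC branch just below does not, although it takes the same size argument. If the omission is not deliberate, the line should read `void *module_alloc_exec(unsigned long size) __size_overflow(1);`. The include/linux/uaccess.h hunk shows the same pattern: `probe_kernel_write` is annotated with `__size_overflow(3)` and `__probe_kernel_write` on the next line is not.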
@@ -61862,7 +63118,7 @@ index c65a18a..0c05f3a 100644
  extern void *prom_early_alloc(unsigned long size);
  
 diff --git a/include/linux/oprofile.h b/include/linux/oprofile.h
-index a4c5624..79d6d88 100644
+index a4c5624..2dabfb7 100644
 --- a/include/linux/oprofile.h
 +++ b/include/linux/oprofile.h
 @@ -139,9 +139,9 @@ int oprofilefs_create_ulong(struct super_block * sb, struct dentry * root,
@@ -61877,6 +63133,15 @@ index a4c5624..79d6d88 100644
   
  /** create a directory */
  struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
+@@ -163,7 +163,7 @@ ssize_t oprofilefs_ulong_to_user(unsigned long val, char __user * buf, size_t co
+  * Read an ASCII string for a number from a userspace buffer and fill *val on success.
+  * Returns 0 on success, < 0 on error.
+  */
+-int oprofilefs_ulong_from_user(unsigned long * val, char const __user * buf, size_t count);
++int oprofilefs_ulong_from_user(unsigned long * val, char const __user * buf, size_t count) __size_overflow(3);
+ 
+ /** lock for read/write safety */
+ extern raw_spinlock_t oprofilefs_lock;
 diff --git a/include/linux/padata.h b/include/linux/padata.h
 index 4633b2f..988bc08 100644
 --- a/include/linux/padata.h
@@ -62533,7 +63798,7 @@ index fe86488..1563c1c 100644
  
  extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
 diff --git a/include/linux/slab.h b/include/linux/slab.h
-index 573c809..e84c132 100644
+index 573c809..07e1f43 100644
 --- a/include/linux/slab.h
 +++ b/include/linux/slab.h
 @@ -11,12 +11,20 @@
@@ -62574,7 +63839,14 @@ index 573c809..e84c132 100644
  
  /*
   * struct kmem_cache related prototypes
-@@ -161,6 +172,7 @@ void * __must_check krealloc(const void *, size_t, gfp_t);
+@@ -156,11 +167,12 @@ unsigned int kmem_cache_size(struct kmem_cache *);
+ /*
+  * Common kmalloc functions provided by all allocators
+  */
+-void * __must_check __krealloc(const void *, size_t, gfp_t);
+-void * __must_check krealloc(const void *, size_t, gfp_t);
++void * __must_check __krealloc(const void *, size_t, gfp_t) __size_overflow(2);
++void * __must_check krealloc(const void *, size_t, gfp_t) __size_overflow(2);
  void kfree(const void *);
  void kzfree(const void *);
  size_t ksize(const void *);
@@ -62582,68 +63854,26 @@ index 573c809..e84c132 100644
  
  /*
   * Allocator specific definitions. These are mainly used to establish optimized
-@@ -353,4 +365,59 @@ static inline void *kzalloc_node(size_t size, gfp_t flags, int node)
- 
- void __init kmem_cache_init_late(void);
- 
-+#define kmalloc(x, y)						\
-+({								\
-+	void *___retval;					\
-+	intoverflow_t ___x = (intoverflow_t)x;			\
-+	if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))	\
-+		___retval = NULL;				\
-+	else							\
-+		___retval = kmalloc((size_t)___x, (y));		\
-+	___retval;						\
-+})
-+
-+#define kmalloc_node(x, y, z)					\
-+({								\
-+	void *___retval;					\
-+	intoverflow_t ___x = (intoverflow_t)x;			\
-+	if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
-+		___retval = NULL;				\
-+	else							\
-+		___retval = kmalloc_node((size_t)___x, (y), (z));\
-+	___retval;						\
-+})
-+
-+#define kzalloc(x, y)						\
-+({								\
-+	void *___retval;					\
-+	intoverflow_t ___x = (intoverflow_t)x;			\
-+	if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))	\
-+		___retval = NULL;				\
-+	else							\
-+		___retval = kzalloc((size_t)___x, (y));		\
-+	___retval;						\
-+})
-+
-+#define __krealloc(x, y, z)					\
-+({								\
-+	void *___retval;					\
-+	intoverflow_t ___y = (intoverflow_t)y;			\
-+	if (WARN(___y > ULONG_MAX, "__krealloc size overflow\n"))\
-+		___retval = NULL;				\
-+	else							\
-+		___retval = __krealloc((x), (size_t)___y, (z));	\
-+	___retval;						\
-+})
-+
-+#define krealloc(x, y, z)					\
-+({								\
-+	void *___retval;					\
-+	intoverflow_t ___y = (intoverflow_t)y;			\
-+	if (WARN(___y > ULONG_MAX, "krealloc size overflow\n"))	\
-+		___retval = NULL;				\
-+	else							\
-+		___retval = krealloc((x), (size_t)___y, (z));	\
-+	___retval;						\
-+})
-+
- #endif	/* _LINUX_SLAB_H */
+@@ -287,7 +299,7 @@ static inline void *kmem_cache_alloc_node(struct kmem_cache *cachep,
+  */
+ #if defined(CONFIG_DEBUG_SLAB) || defined(CONFIG_SLUB) || \
+ 	(defined(CONFIG_SLAB) && defined(CONFIG_TRACING))
+-extern void *__kmalloc_track_caller(size_t, gfp_t, unsigned long);
++extern void *__kmalloc_track_caller(size_t, gfp_t, unsigned long) __size_overflow(1);
+ #define kmalloc_track_caller(size, flags) \
+ 	__kmalloc_track_caller(size, flags, _RET_IP_)
+ #else
+@@ -306,7 +318,7 @@ extern void *__kmalloc_track_caller(size_t, gfp_t, unsigned long);
+  */
+ #if defined(CONFIG_DEBUG_SLAB) || defined(CONFIG_SLUB) || \
+ 	(defined(CONFIG_SLAB) && defined(CONFIG_TRACING))
+-extern void *__kmalloc_node_track_caller(size_t, gfp_t, int, unsigned long);
++extern void *__kmalloc_node_track_caller(size_t, gfp_t, int, unsigned long) __size_overflow(1);
+ #define kmalloc_node_track_caller(size, flags, node) \
+ 	__kmalloc_node_track_caller(size, flags, node, \
+ 			_RET_IP_)
 diff --git a/include/linux/slab_def.h b/include/linux/slab_def.h
-index d00e0ba..1b3bf7b 100644
+index d00e0ba..d61fb1f 100644
 --- a/include/linux/slab_def.h
 +++ b/include/linux/slab_def.h
 @@ -68,10 +68,10 @@ struct kmem_cache {
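Review bot: Removing the `kmalloc`/`kzalloc`/`krealloc` wrapper macros from slab.h drops a check that ran in every build, and the `__size_overflow` annotations that replace it expand to nothing unless `SIZE_OVERFLOW_PLUGIN` is defined. That follows from the `#ifdef` in compiler-gcc4.h and the empty fallback in compiler.h. A kernel built without the plugin therefore appears to have no allocation-size overflow check after this update, where the old macros returned NULL with a `WARN`. The fallback should say so, for instance `/* no-op unless the size_overflow gcc plugin is enabled; no runtime check remains in that case */` above `# define __size_overflow(...)`, so that users who cannot build the plugin know the protection is absent.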
@@ -62661,8 +63891,71 @@ index d00e0ba..1b3bf7b 100644
  
  	/*
  	 * If debugging is enabled, then the allocator can add additional
+@@ -109,7 +109,7 @@ struct cache_sizes {
+ extern struct cache_sizes malloc_sizes[];
+ 
+ void *kmem_cache_alloc(struct kmem_cache *, gfp_t);
+-void *__kmalloc(size_t size, gfp_t flags);
++void *__kmalloc(size_t size, gfp_t flags) __size_overflow(1);
+ 
+ #ifdef CONFIG_TRACING
+ extern void *kmem_cache_alloc_trace(size_t size,
+@@ -127,6 +127,7 @@ static inline size_t slab_buffer_size(struct kmem_cache *cachep)
+ }
+ #endif
+ 
++static __always_inline void *kmalloc(size_t size, gfp_t flags) __size_overflow(1);
+ static __always_inline void *kmalloc(size_t size, gfp_t flags)
+ {
+ 	struct kmem_cache *cachep;
+@@ -162,7 +163,7 @@ found:
+ }
+ 
+ #ifdef CONFIG_NUMA
+-extern void *__kmalloc_node(size_t size, gfp_t flags, int node);
++extern void *__kmalloc_node(size_t size, gfp_t flags, int node) __size_overflow(1);
+ extern void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node);
+ 
+ #ifdef CONFIG_TRACING
+@@ -181,6 +182,7 @@ kmem_cache_alloc_node_trace(size_t size,
+ }
+ #endif
+ 
++static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node) __size_overflow(1);
+ static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
+ {
+ 	struct kmem_cache *cachep;
+diff --git a/include/linux/slob_def.h b/include/linux/slob_def.h
+index 0ec00b3..65e7e0e 100644
+--- a/include/linux/slob_def.h
++++ b/include/linux/slob_def.h
+@@ -9,8 +9,9 @@ static __always_inline void *kmem_cache_alloc(struct kmem_cache *cachep,
+ 	return kmem_cache_alloc_node(cachep, flags, -1);
+ }
+ 
+-void *__kmalloc_node(size_t size, gfp_t flags, int node);
++void *__kmalloc_node(size_t size, gfp_t flags, int node) __size_overflow(1);
+ 
++static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node) __size_overflow(1);
+ static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
+ {
+ 	return __kmalloc_node(size, flags, node);
+@@ -24,11 +25,13 @@ static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
+  * kmalloc is the normal method of allocating memory
+  * in the kernel.
+  */
++static __always_inline void *kmalloc(size_t size, gfp_t flags) __size_overflow(1);
+ static __always_inline void *kmalloc(size_t size, gfp_t flags)
+ {
+ 	return __kmalloc_node(size, flags, -1);
+ }
+ 
++static __always_inline void *__kmalloc(size_t size, gfp_t flags) __size_overflow(1);
+ static __always_inline void *__kmalloc(size_t size, gfp_t flags)
+ {
+ 	return kmalloc(size, flags);
 diff --git a/include/linux/slub_def.h b/include/linux/slub_def.h
-index a32bcfd..53b71f4 100644
+index a32bcfd..d26bd6e 100644
 --- a/include/linux/slub_def.h
 +++ b/include/linux/slub_def.h
 @@ -89,7 +89,7 @@ struct kmem_cache {
@@ -62674,15 +63967,59 @@ index a32bcfd..53b71f4 100644
  	void (*ctor)(void *);
  	int inuse;		/* Offset to metadata */
  	int align;		/* Alignment */
-@@ -215,7 +215,7 @@ static __always_inline struct kmem_cache *kmalloc_slab(size_t size)
+@@ -204,6 +204,7 @@ static __always_inline int kmalloc_index(size_t size)
+  * This ought to end up with a global pointer to the right cache
+  * in kmalloc_caches.
+  */
++static __always_inline struct kmem_cache *kmalloc_slab(size_t size) __size_overflow(1);
+ static __always_inline struct kmem_cache *kmalloc_slab(size_t size)
+ {
+ 	int index = kmalloc_index(size);
+@@ -215,9 +216,11 @@ static __always_inline struct kmem_cache *kmalloc_slab(size_t size)
  }
  
  void *kmem_cache_alloc(struct kmem_cache *, gfp_t);
 -void *__kmalloc(size_t size, gfp_t flags);
-+void *__kmalloc(size_t size, gfp_t flags) __alloc_size(1);
++void *__kmalloc(size_t size, gfp_t flags) __alloc_size(1) __size_overflow(1);
  
  static __always_inline void *
++kmalloc_order(size_t size, gfp_t flags, unsigned int order) __size_overflow(1);
++static __always_inline void *
  kmalloc_order(size_t size, gfp_t flags, unsigned int order)
+ {
+ 	void *ret = (void *) __get_free_pages(flags | __GFP_COMP, order);
+@@ -256,12 +259,14 @@ kmalloc_order_trace(size_t size, gfp_t flags, unsigned int order)
+ }
+ #endif
+ 
++static __always_inline void *kmalloc_large(size_t size, gfp_t flags) __size_overflow(1);
+ static __always_inline void *kmalloc_large(size_t size, gfp_t flags)
+ {
+ 	unsigned int order = get_order(size);
+ 	return kmalloc_order_trace(size, flags, order);
+ }
+ 
++static __always_inline void *kmalloc(size_t size, gfp_t flags) __size_overflow(1);
+ static __always_inline void *kmalloc(size_t size, gfp_t flags)
+ {
+ 	if (__builtin_constant_p(size)) {
+@@ -281,7 +286,7 @@ static __always_inline void *kmalloc(size_t size, gfp_t flags)
+ }
+ 
+ #ifdef CONFIG_NUMA
+-void *__kmalloc_node(size_t size, gfp_t flags, int node);
++void *__kmalloc_node(size_t size, gfp_t flags, int node) __size_overflow(1);
+ void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node);
+ 
+ #ifdef CONFIG_TRACING
+@@ -298,6 +303,7 @@ kmem_cache_alloc_node_trace(struct kmem_cache *s,
+ }
+ #endif
+ 
++static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node) __size_overflow(1);
+ static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
+ {
+ 	if (__builtin_constant_p(size) &&
 diff --git a/include/linux/sonet.h b/include/linux/sonet.h
 index de8832d..0147b46 100644
 --- a/include/linux/sonet.h
@@ -62880,7 +64217,7 @@ index 57a9723..dbe234a 100644
  
  struct list_head {
 diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
-index 5ca0951..ab496a5 100644
+index 5ca0951..53a2fff 100644
 --- a/include/linux/uaccess.h
 +++ b/include/linux/uaccess.h
 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_user_nocache(void *to,
@@ -62898,6 +64235,15 @@ index 5ca0951..ab496a5 100644
  		ret;					\
  	})
  
+@@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *dst, const void *src, size_t size);
+  * Safely write to address @dst from the buffer at @src.  If a kernel fault
+  * happens, handle that and return -EFAULT.
+  */
+-extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
++extern long notrace probe_kernel_write(void *dst, const void *src, size_t size) __size_overflow(3);
+ extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
+ 
+ #endif		/* __LINUX_UACCESS_H__ */
 diff --git a/include/linux/unaligned/access_ok.h b/include/linux/unaligned/access_ok.h
 index 99c1b4d..bb94261 100644
 --- a/include/linux/unaligned/access_ok.h
@@ -63005,7 +64351,7 @@ index 6f8fbcf..8259001 100644
 +	MODULE_GRSEC
  
 diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h
-index 4bde182..aec92c1 100644
+index 4bde182..c42a656 100644
 --- a/include/linux/vmalloc.h
 +++ b/include/linux/vmalloc.h
 @@ -14,6 +14,11 @@ struct vm_area_struct;		/* vma defining user mapping in mm_types.h */
@@ -63020,110 +64366,46 @@ index 4bde182..aec92c1 100644
  /* bits [20..32] reserved for arch specific ioremap internals */
  
  /*
-@@ -156,4 +161,103 @@ pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms)
- # endif
+@@ -51,18 +56,18 @@ static inline void vmalloc_init(void)
+ }
  #endif
  
-+#define vmalloc(x)						\
-+({								\
-+	void *___retval;					\
-+	intoverflow_t ___x = (intoverflow_t)x;			\
-+	if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n"))	\
-+		___retval = NULL;				\
-+	else							\
-+		___retval = vmalloc((unsigned long)___x);	\
-+	___retval;						\
-+})
-+
-+#define vzalloc(x)						\
-+({								\
-+	void *___retval;					\
-+	intoverflow_t ___x = (intoverflow_t)x;			\
-+	if (WARN(___x > ULONG_MAX, "vzalloc size overflow\n"))	\
-+		___retval = NULL;				\
-+	else							\
-+		___retval = vzalloc((unsigned long)___x);	\
-+	___retval;						\
-+})
-+
-+#define __vmalloc(x, y, z)					\
-+({								\
-+	void *___retval;					\
-+	intoverflow_t ___x = (intoverflow_t)x;			\
-+	if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
-+		___retval = NULL;				\
-+	else							\
-+		___retval = __vmalloc((unsigned long)___x, (y), (z));\
-+	___retval;						\
-+})
-+
-+#define vmalloc_user(x)						\
-+({								\
-+	void *___retval;					\
-+	intoverflow_t ___x = (intoverflow_t)x;			\
-+	if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
-+		___retval = NULL;				\
-+	else							\
-+		___retval = vmalloc_user((unsigned long)___x);	\
-+	___retval;						\
-+})
-+
-+#define vmalloc_exec(x)						\
-+({								\
-+	void *___retval;					\
-+	intoverflow_t ___x = (intoverflow_t)x;			\
-+	if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
-+		___retval = NULL;				\
-+	else							\
-+		___retval = vmalloc_exec((unsigned long)___x);	\
-+	___retval;						\
-+})
-+
-+#define vmalloc_node(x, y)					\
-+({								\
-+	void *___retval;					\
-+	intoverflow_t ___x = (intoverflow_t)x;			\
-+	if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
-+		___retval = NULL;				\
-+	else							\
-+		___retval = vmalloc_node((unsigned long)___x, (y));\
-+	___retval;						\
-+})
-+
-+#define vzalloc_node(x, y)					\
-+({								\
-+	void *___retval;					\
-+	intoverflow_t ___x = (intoverflow_t)x;			\
-+	if (WARN(___x > ULONG_MAX, "vzalloc_node size overflow\n"))\
-+		___retval = NULL;				\
-+	else							\
-+		___retval = vzalloc_node((unsigned long)___x, (y));\
-+	___retval;						\
-+})
-+
-+#define vmalloc_32(x)						\
-+({								\
-+	void *___retval;					\
-+	intoverflow_t ___x = (intoverflow_t)x;			\
-+	if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
-+		___retval = NULL;				\
-+	else							\
-+		___retval = vmalloc_32((unsigned long)___x);	\
-+	___retval;						\
-+})
-+
-+#define vmalloc_32_user(x)					\
-+({								\
-+void *___retval;					\
-+	intoverflow_t ___x = (intoverflow_t)x;			\
-+	if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
-+		___retval = NULL;				\
-+	else							\
-+		___retval = vmalloc_32_user((unsigned long)___x);\
-+	___retval;						\
-+})
-+
- #endif /* _LINUX_VMALLOC_H */
+-extern void *vmalloc(unsigned long size);
+-extern void *vzalloc(unsigned long size);
+-extern void *vmalloc_user(unsigned long size);
+-extern void *vmalloc_node(unsigned long size, int node);
+-extern void *vzalloc_node(unsigned long size, int node);
+-extern void *vmalloc_exec(unsigned long size);
+-extern void *vmalloc_32(unsigned long size);
+-extern void *vmalloc_32_user(unsigned long size);
+-extern void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot);
++extern void *vmalloc(unsigned long size) __size_overflow(1);
++extern void *vzalloc(unsigned long size) __size_overflow(1);
++extern void *vmalloc_user(unsigned long size) __size_overflow(1);
++extern void *vmalloc_node(unsigned long size, int node) __size_overflow(1);
++extern void *vzalloc_node(unsigned long size, int node) __size_overflow(1);
++extern void *vmalloc_exec(unsigned long size) __size_overflow(1);
++extern void *vmalloc_32(unsigned long size) __size_overflow(1);
++extern void *vmalloc_32_user(unsigned long size) __size_overflow(1);
++extern void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot) __size_overflow(1);
+ extern void *__vmalloc_node_range(unsigned long size, unsigned long align,
+ 			unsigned long start, unsigned long end, gfp_t gfp_mask,
+-			pgprot_t prot, int node, void *caller);
++			pgprot_t prot, int node, void *caller) __size_overflow(1);
+ extern void vfree(const void *addr);
+ 
+ extern void *vmap(struct page **pages, unsigned int count,
+@@ -123,8 +128,8 @@ extern struct vm_struct *alloc_vm_area(size_t size, pte_t **ptes);
+ extern void free_vm_area(struct vm_struct *area);
+ 
+ /* for /dev/kmem */
+-extern long vread(char *buf, char *addr, unsigned long count);
+-extern long vwrite(char *buf, char *addr, unsigned long count);
++extern long vread(char *buf, char *addr, unsigned long count) __size_overflow(3);
++extern long vwrite(char *buf, char *addr, unsigned long count) __size_overflow(3);
+ 
+ /*
+  *	Internals.  Dont't use..
 diff --git a/include/linux/vmstat.h b/include/linux/vmstat.h
 index 65efb92..137adbb 100644
 --- a/include/linux/vmstat.h
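Review bot: The vmalloc-family declarations in include/linux/vmalloc.h no longer carry a check that is present in every build. The `#define vmalloc(x)` style wrappers they replace returned NULL with a WARN when the size exceeded ULONG_MAX, whereas the new `__size_overflow(1)` annotations presumably act only when the size_overflow gcc plugin is built. The tools/gcc/Makefile hunk builds that plugin only under CONFIG_PAX_SIZE_OVERFLOW, and the Kconfig entry shows no default, so a kernel configured without it would have no overflow check on these allocators. The failure mode also changes from a NULL return to killing the triggering process, going by the Kconfig help text. I would state this above the declarations, e.g. `/* size is verified by the size_overflow plugin (CONFIG_PAX_SIZE_OVERFLOW); without it these calls are unchecked */`.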
@@ -73341,26 +74623,10 @@ index b1cd120..aaae885 100644
  
  	if (S_ISREG(inode->i_mode))
 diff --git a/mm/util.c b/mm/util.c
-index 136ac4f..5117eef 100644
+index 136ac4f..f917fa9 100644
 --- a/mm/util.c
 +++ b/mm/util.c
-@@ -114,6 +114,7 @@ EXPORT_SYMBOL(memdup_user);
-  * allocated buffer. Use this if you don't want to free the buffer immediately
-  * like, for example, with RCU.
-  */
-+#undef __krealloc
- void *__krealloc(const void *p, size_t new_size, gfp_t flags)
- {
- 	void *ret;
-@@ -147,6 +148,7 @@ EXPORT_SYMBOL(__krealloc);
-  * behaves exactly like kmalloc().  If @size is 0 and @p is not a
-  * %NULL pointer, the object pointed to is freed.
-  */
-+#undef krealloc
- void *krealloc(const void *p, size_t new_size, gfp_t flags)
- {
- 	void *ret;
-@@ -243,6 +245,12 @@ void __vma_link_list(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -243,6 +243,12 @@ void __vma_link_list(struct mm_struct *mm, struct vm_area_struct *vma,
  void arch_pick_mmap_layout(struct mm_struct *mm)
  {
  	mm->mmap_base = TASK_UNMAPPED_BASE;
@@ -73374,7 +74640,7 @@ index 136ac4f..5117eef 100644
  	mm->unmap_area = arch_unmap_area;
  }
 diff --git a/mm/vmalloc.c b/mm/vmalloc.c
-index 27be2f0..0aef2c2 100644
+index 27be2f0..633e5cc 100644
 --- a/mm/vmalloc.c
 +++ b/mm/vmalloc.c
 @@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end)
@@ -73523,60 +74789,11 @@ index 27be2f0..0aef2c2 100644
  	area = __get_vm_area_node(size, align, VM_ALLOC | VM_UNLIST,
  				  start, end, node, gfp_mask, caller);
  	if (!area)
-@@ -1679,6 +1741,7 @@ static void *__vmalloc_node(unsigned long size, unsigned long align,
- 				gfp_mask, prot, node, caller);
- }
- 
-+#undef __vmalloc
- void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
- {
- 	return __vmalloc_node(size, 1, gfp_mask, prot, -1,
-@@ -1702,6 +1765,7 @@ static inline void *__vmalloc_node_flags(unsigned long size,
-  *	For tight control over page level allocator and protection flags
-  *	use __vmalloc() instead.
-  */
-+#undef vmalloc
- void *vmalloc(unsigned long size)
- {
- 	return __vmalloc_node_flags(size, -1, GFP_KERNEL | __GFP_HIGHMEM);
-@@ -1718,6 +1782,7 @@ EXPORT_SYMBOL(vmalloc);
-  *	For tight control over page level allocator and protection flags
-  *	use __vmalloc() instead.
-  */
-+#undef vzalloc
- void *vzalloc(unsigned long size)
- {
- 	return __vmalloc_node_flags(size, -1,
-@@ -1732,6 +1797,7 @@ EXPORT_SYMBOL(vzalloc);
-  * The resulting memory area is zeroed so it can be mapped to userspace
-  * without leaking data.
-  */
-+#undef vmalloc_user
- void *vmalloc_user(unsigned long size)
- {
- 	struct vm_struct *area;
-@@ -1759,6 +1825,7 @@ EXPORT_SYMBOL(vmalloc_user);
-  *	For tight control over page level allocator and protection flags
-  *	use __vmalloc() instead.
-  */
-+#undef vmalloc_node
- void *vmalloc_node(unsigned long size, int node)
- {
- 	return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
-@@ -1778,6 +1845,7 @@ EXPORT_SYMBOL(vmalloc_node);
-  * For tight control over page level allocator and protection flags
-  * use __vmalloc_node() instead.
-  */
-+#undef vzalloc_node
- void *vzalloc_node(unsigned long size, int node)
- {
- 	return __vmalloc_node_flags(size, node,
-@@ -1800,10 +1868,10 @@ EXPORT_SYMBOL(vzalloc_node);
+@@ -1800,10 +1862,9 @@ EXPORT_SYMBOL(vzalloc_node);
   *	For tight control over page level allocator and protection flags
   *	use __vmalloc() instead.
   */
 -
-+#undef vmalloc_exec
  void *vmalloc_exec(unsigned long size)
  {
 -	return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
@@ -73584,23 +74801,7 @@ index 27be2f0..0aef2c2 100644
  			      -1, __builtin_return_address(0));
  }
  
-@@ -1822,6 +1890,7 @@ void *vmalloc_exec(unsigned long size)
-  *	Allocate enough 32bit PA addressable pages to cover @size from the
-  *	page level allocator and map them into contiguous kernel virtual space.
-  */
-+#undef vmalloc_32
- void *vmalloc_32(unsigned long size)
- {
- 	return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
-@@ -1836,6 +1905,7 @@ EXPORT_SYMBOL(vmalloc_32);
-  * The resulting memory area is 32bit addressable and zeroed so it can be
-  * mapped to userspace without leaking data.
-  */
-+#undef vmalloc_32_user
- void *vmalloc_32_user(unsigned long size)
- {
- 	struct vm_struct *area;
-@@ -2098,6 +2168,8 @@ int remap_vmalloc_range(struct vm_area_struct *vma, void *addr,
+@@ -2098,6 +2159,8 @@ int remap_vmalloc_range(struct vm_area_struct *vma, void *addr,
  	unsigned long uaddr = vma->vm_start;
  	unsigned long usize = vma->vm_end - vma->vm_start;
  
@@ -74630,6 +75831,19 @@ index 39a2d29..f39c0fe 100644
  	---help---
  	  Econet is a fairly old and slow networking protocol mainly used by
  	  Acorn computers to access file and print servers. It uses native
+diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c
+index 36d1440..44ff28b 100644
+--- a/net/ipv4/ah4.c
++++ b/net/ipv4/ah4.c
+@@ -19,6 +19,8 @@ struct ah_skb_cb {
+ #define AH_SKB_CB(__skb) ((struct ah_skb_cb *)&((__skb)->cb[0]))
+ 
+ static void *ah_alloc_tmp(struct crypto_ahash *ahash, int nfrags,
++			  unsigned int size) __size_overflow(3);
++static void *ah_alloc_tmp(struct crypto_ahash *ahash, int nfrags,
+ 			  unsigned int size)
+ {
+ 	unsigned int len;
 diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
 index 92fc5f6..b790d91 100644
 --- a/net/ipv4/fib_frontend.c
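Review bot: The forward declaration added for `ah_alloc_tmp()` in net/ipv4/ah4.c repeats the whole prototype just to attach `__size_overflow(3)`, and nothing ties the positional index to the parameter it is meant to cover. A later signature change that inserts or reorders a parameter would move the check to a different argument without any build error. A short comment on the declaration naming the parameter, e.g. `/* __size_overflow(3): 'size' */`, would make that drift visible in review. The same pattern appears in the arp_tables.c, ip_tables.c, ah6.c and ip6_tables.c hunks for `__do_replace()` (index 5, `num_counters`) and `do_add_counters()` (index 3, `len`). The function bodies continue outside the hunks.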
@@ -74847,19 +76061,71 @@ index 99ec116..c5628fe 100644
  	set_fs(oldfs);
  	return res;
  }
+diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
+index fd7a3f6..e5be655 100644
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -984,6 +984,11 @@ static int __do_replace(struct net *net, const char *name,
+ 			unsigned int valid_hooks,
+ 			struct xt_table_info *newinfo,
+ 			unsigned int num_counters,
++			void __user *counters_ptr) __size_overflow(5);
++static int __do_replace(struct net *net, const char *name,
++			unsigned int valid_hooks,
++			struct xt_table_info *newinfo,
++			unsigned int num_counters,
+ 			void __user *counters_ptr)
+ {
+ 	int ret;
+@@ -1104,6 +1109,8 @@ static int do_replace(struct net *net, const void __user *user,
+ }
+ 
+ static int do_add_counters(struct net *net, const void __user *user,
++			   unsigned int len, int compat) __size_overflow(3);
++static int do_add_counters(struct net *net, const void __user *user,
+ 			   unsigned int len, int compat)
+ {
+ 	unsigned int i, curcpu;
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
+index 24e556e..a8daf7a 100644
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -1172,6 +1172,10 @@ get_entries(struct net *net, struct ipt_get_entries __user *uptr,
+ static int
+ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
+ 	     struct xt_table_info *newinfo, unsigned int num_counters,
++	     void __user *counters_ptr) __size_overflow(5);
++static int
++__do_replace(struct net *net, const char *name, unsigned int valid_hooks,
++	     struct xt_table_info *newinfo, unsigned int num_counters,
+ 	     void __user *counters_ptr)
+ {
+ 	int ret;
+@@ -1293,6 +1297,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
+ 
+ static int
+ do_add_counters(struct net *net, const void __user *user,
++                unsigned int len, int compat) __size_overflow(3);
++static int
++do_add_counters(struct net *net, const void __user *user,
+                 unsigned int len, int compat)
+ {
+ 	unsigned int i, curcpu;
 diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
-index 2133c30..5c4b40b 100644
+index 2133c30..0e8047e 100644
 --- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
 +++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
-@@ -399,7 +399,7 @@ static unsigned char asn1_octets_decode(struct asn1_ctx *ctx,
- 
- 	*len = 0;
- 
--	*octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
-+	*octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
- 	if (*octets == NULL)
- 		return 0;
- 
+@@ -435,6 +435,10 @@ static unsigned char asn1_subid_decode(struct asn1_ctx *ctx,
+ static unsigned char asn1_oid_decode(struct asn1_ctx *ctx,
+ 				     unsigned char *eoc,
+ 				     unsigned long **oid,
++				     unsigned int *len) __size_overflow(2);
++static unsigned char asn1_oid_decode(struct asn1_ctx *ctx,
++				     unsigned char *eoc,
++				     unsigned long **oid,
+ 				     unsigned int *len)
+ {
+ 	unsigned long subid;
 diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
 index 43d4c3b..1914409 100644
 --- a/net/ipv4/ping.c
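Review bot: In net/ipv4/netfilter/nf_nat_snmp_basic.c, `asn1_oid_decode()` is annotated with `__size_overflow(2)`, but its second parameter is `unsigned char *eoc`, a pointer rather than a length. This is presumably intended because the allocation size is derived from `eoc - ctx->pointer`, as in the `asn1_octets_decode()` line this hunk drops, but the body is outside the hunk, so that is an inference. Since the attribute reads everywhere else as "this parameter is a size", a comment such as `/* eoc marks the end of the encoding; the OID buffer length is computed from it */` on the declaration would keep a later reader from treating index 2 as a mistake.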
@@ -74965,8 +76231,62 @@ index 94cdbc5..0cb0063 100644
  		if (peer->tcp_ts_stamp) {
  			ts = peer->tcp_ts;
  			tsage = get_seconds() - peer->tcp_ts_stamp;
+diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
+index 90f6544..769c0e9 100644
+--- a/net/ipv4/syncookies.c
++++ b/net/ipv4/syncookies.c
+@@ -278,6 +278,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
+ 	struct rtable *rt;
+ 	__u8 rcv_wscale;
+ 	bool ecn_ok = false;
++	struct flowi4 fl4;
+ 
+ 	if (!sysctl_tcp_syncookies || !th->ack || th->rst)
+ 		goto out;
+@@ -346,20 +347,16 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
+ 	 * hasn't changed since we received the original syn, but I see
+ 	 * no easy way to do this.
+ 	 */
+-	{
+-		struct flowi4 fl4;
+-
+-		flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
+-				   RT_SCOPE_UNIVERSE, IPPROTO_TCP,
+-				   inet_sk_flowi_flags(sk),
+-				   (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
+-				   ireq->loc_addr, th->source, th->dest);
+-		security_req_classify_flow(req, flowi4_to_flowi(&fl4));
+-		rt = ip_route_output_key(sock_net(sk), &fl4);
+-		if (IS_ERR(rt)) {
+-			reqsk_free(req);
+-			goto out;
+-		}
++	flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
++			   RT_SCOPE_UNIVERSE, IPPROTO_TCP,
++			   inet_sk_flowi_flags(sk),
++			   (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
++			   ireq->loc_addr, th->source, th->dest);
++	security_req_classify_flow(req, flowi4_to_flowi(&fl4));
++	rt = ip_route_output_key(sock_net(sk), &fl4);
++	if (IS_ERR(rt)) {
++		reqsk_free(req);
++		goto out;
+ 	}
+ 
+ 	/* Try to redo what tcp_v4_send_synack did. */
+@@ -373,5 +370,10 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
+ 	ireq->rcv_wscale  = rcv_wscale;
+ 
+ 	ret = get_cookie_sock(sk, skb, req, &rt->dst);
++	/* ip_queue_xmit() depends on our flow being setup
++	 * Normal sockets get it right from inet_csk_route_child_sock()
++	 */
++	if (ret)
++		inet_sk(ret)->cork.fl.u.ip4 = fl4;
+ out:	return ret;
+ }
 diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
-index eb90aa8..22bf114 100644
+index eb90aa8..74908e1 100644
 --- a/net/ipv4/tcp_ipv4.c
 +++ b/net/ipv4/tcp_ipv4.c
 @@ -87,6 +87,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
@@ -74979,7 +76299,24 @@ index eb90aa8..22bf114 100644
  
  #ifdef CONFIG_TCP_MD5SIG
  static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
-@@ -1632,6 +1635,9 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
+@@ -1465,9 +1468,13 @@ struct sock *tcp_v4_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
+ 		inet_csk(newsk)->icsk_ext_hdr_len = inet_opt->opt.optlen;
+ 	newinet->inet_id = newtp->write_seq ^ jiffies;
+ 
+-	if (!dst && (dst = inet_csk_route_child_sock(sk, newsk, req)) == NULL)
+-		goto put_and_exit;
+-
++	if (!dst) {
++		dst = inet_csk_route_child_sock(sk, newsk, req);
++		if (!dst)
++			goto put_and_exit;
++	} else {
++		/* syncookie case : see end of cookie_v4_check() */
++	}
+ 	sk_setup_caps(newsk, dst);
+ 
+ 	tcp_mtup_init(newsk);
+@@ -1632,6 +1639,9 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
  	return 0;
  
  reset:
@@ -74989,7 +76326,7 @@ index eb90aa8..22bf114 100644
  	tcp_v4_send_reset(rsk, skb);
  discard:
  	kfree_skb(skb);
-@@ -1694,12 +1700,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
+@@ -1694,12 +1704,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
  	TCP_SKB_CB(skb)->sacked	 = 0;
  
  	sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
@@ -75012,7 +76349,7 @@ index eb90aa8..22bf114 100644
  
  	if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
  		NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
-@@ -1749,6 +1762,10 @@ no_tcp_socket:
+@@ -1749,6 +1766,10 @@ no_tcp_socket:
  bad_packet:
  		TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
  	} else {
@@ -75023,7 +76360,7 @@ index eb90aa8..22bf114 100644
  		tcp_v4_send_reset(NULL, skb);
  	}
  
-@@ -2409,7 +2426,11 @@ static void get_openreq4(const struct sock *sk, const struct request_sock *req,
+@@ -2409,7 +2430,11 @@ static void get_openreq4(const struct sock *sk, const struct request_sock *req,
  		0,  /* non standard timer */
  		0, /* open_requests have no inode */
  		atomic_read(&sk->sk_refcnt),
@@ -75035,7 +76372,7 @@ index eb90aa8..22bf114 100644
  		len);
  }
  
-@@ -2459,7 +2480,12 @@ static void get_tcp4_sock(struct sock *sk, struct seq_file *f, int i, int *len)
+@@ -2459,7 +2484,12 @@ static void get_tcp4_sock(struct sock *sk, struct seq_file *f, int i, int *len)
  		sock_i_uid(sk),
  		icsk->icsk_probes_out,
  		sock_i_ino(sk),
@@ -75049,7 +76386,7 @@ index eb90aa8..22bf114 100644
  		jiffies_to_clock_t(icsk->icsk_rto),
  		jiffies_to_clock_t(icsk->icsk_ack.ato),
  		(icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
-@@ -2487,7 +2513,13 @@ static void get_timewait4_sock(const struct inet_timewait_sock *tw,
+@@ -2487,7 +2517,13 @@ static void get_timewait4_sock(const struct inet_timewait_sock *tw,
  		" %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %pK%n",
  		i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
  		3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
@@ -75261,6 +76598,19 @@ index 836c4ea..cbb74dc 100644
  
  		if (ops->ndo_do_ioctl) {
  			mm_segment_t oldfs = get_fs();
+diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c
+index 4c0f894..fca5d15 100644
+--- a/net/ipv6/ah6.c
++++ b/net/ipv6/ah6.c
+@@ -56,6 +56,8 @@ struct ah_skb_cb {
+ #define AH_SKB_CB(__skb) ((struct ah_skb_cb *)&((__skb)->cb[0]))
+ 
+ static void *ah_alloc_tmp(struct crypto_ahash *ahash, int nfrags,
++			  unsigned int size) __size_overflow(3);
++static void *ah_alloc_tmp(struct crypto_ahash *ahash, int nfrags,
+ 			  unsigned int size)
+ {
+ 	unsigned int len;
 diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c
 index 1567fb1..29af910 100644
 --- a/net/ipv6/inet6_connection_sock.c
@@ -75296,6 +76646,31 @@ index 26cb08c..8af9877 100644
  		msg.msg_controllen = len;
  		msg.msg_flags = flags;
  
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index 94874b0..dc413fa 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -1194,6 +1194,10 @@ get_entries(struct net *net, struct ip6t_get_entries __user *uptr,
+ static int
+ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
+ 	     struct xt_table_info *newinfo, unsigned int num_counters,
++	     void __user *counters_ptr) __size_overflow(5);
++static int
++__do_replace(struct net *net, const char *name, unsigned int valid_hooks,
++	     struct xt_table_info *newinfo, unsigned int num_counters,
+ 	     void __user *counters_ptr)
+ {
+ 	int ret;
+@@ -1315,6 +1319,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
+ 
+ static int
+ do_add_counters(struct net *net, const void __user *user, unsigned int len,
++		int compat) __size_overflow(3);
++static int
++do_add_counters(struct net *net, const void __user *user, unsigned int len,
+ 		int compat)
+ {
+ 	unsigned int i, curcpu;
 diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
 index 361ebf3..d5628fb 100644
 --- a/net/ipv6/raw.c
@@ -77823,10 +79198,10 @@ index 5c11312..72742b5 100644
      write_hex_cnt = 0;
      for (i = 0; i < logo_clutsize; i++) {
 diff --git a/security/Kconfig b/security/Kconfig
-index 51bd5a0..3a4ebd0 100644
+index 51bd5a0..58c5b70 100644
 --- a/security/Kconfig
 +++ b/security/Kconfig
-@@ -4,6 +4,627 @@
+@@ -4,6 +4,639 @@
  
  menu "Security options"
  
@@ -77918,7 +79293,6 @@ index 51bd5a0..3a4ebd0 100644
 +
 +config PAX_XATTR_PAX_FLAGS
 +	bool 'Use filesystem extended attributes marking'
-+	depends on EXPERT
 +	select CIFS_XATTR if CIFS
 +	select EXT2_FS_XATTR if EXT2_FS
 +	select EXT3_FS_XATTR if EXT3_FS
@@ -78447,6 +79821,19 @@ index 51bd5a0..3a4ebd0 100644
 +	  Since this has a negligible performance impact, you should enable
 +	  this feature.
 +
++config PAX_SIZE_OVERFLOW
++	bool "Prevent various integer overflows in function size parameters"
++	help
++	  By saying Y here the kernel recomputes expressions of function
++	  arguments marked by a size_overflow attribute with double integer
++	  precision (DImode/TImode for 32/64 bit integer types).
++
++	  The recomputed argument is checked against INT_MAX and an event
++	  is logged on overflow and the triggering process is killed.
++
++	  Homepage:
++	  http://www.grsecurity.net/~ephox/overflow_plugin/
++
 +endmenu
 +
 +endmenu
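Review bot: The help text for PAX_SIZE_OVERFLOW says the recomputed argument is "checked against INT_MAX", yet the same patch annotates `unsigned long` and `size_t` parameters (the vmalloc family, `probe_kernel_write`). It is therefore unclear whether a legitimate size above INT_MAX counts as an overflow. The text should also spell out the operational cost of a hit: the triggering process is killed, so a false positive in an instrumented call path denies service to that process, and an administrator needs to know where the event is logged to tell the two apart. Finally, the entry has neither `default` nor `depends on`, so the feature is off unless selected and, as far as this hunk shows, can be enabled with a compiler that cannot load plugins. A dependency on whatever symbol the tree uses for gcc plugin support would turn that into a configuration-time error.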
@@ -78454,7 +79841,7 @@ index 51bd5a0..3a4ebd0 100644
  config KEYS
  	bool "Enable access key retention support"
  	help
-@@ -169,7 +790,7 @@ config INTEL_TXT
+@@ -169,7 +802,7 @@ config INTEL_TXT
  config LSM_MMAP_MIN_ADDR
  	int "Low address space for LSM to protect from user allocation"
  	depends on SECURITY && SECURITY_SELINUX
@@ -79384,10 +80771,10 @@ index a39edcc..1014050 100644
  };
 diff --git a/tools/gcc/Makefile b/tools/gcc/Makefile
 new file mode 100644
-index 0000000..894c8bf
+index 0000000..ca64170
 --- /dev/null
 +++ b/tools/gcc/Makefile
-@@ -0,0 +1,23 @@
+@@ -0,0 +1,26 @@
 +#CC := gcc
 +#PLUGIN_SOURCE_FILES := pax_plugin.c
 +#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES))
@@ -79395,6 +80782,7 @@ index 0000000..894c8bf
 +#CFLAGS += -I$(GCCPLUGINS_DIR)/include -fPIC -O2 -Wall -W -std=gnu99
 +
 +HOST_EXTRACFLAGS += -I$(GCCPLUGINS_DIR)/include -I$(GCCPLUGINS_DIR)/include/c-family -std=gnu99 -ggdb
++CFLAGS_size_overflow_plugin.o := -Wno-missing-initializer
 +
 +hostlibs-y := constify_plugin.so
 +hostlibs-$(CONFIG_PAX_MEMORY_STACKLEAK) += stackleak_plugin.so
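Review bot: `CFLAGS_size_overflow_plugin.o` is probably never applied to this object. The plugin is built through `hostlibs-`, and kbuild takes per-object flags for host code from `HOSTCFLAGS_<object>`, so the line would need to read `HOSTCFLAGS_size_overflow_plugin.o := ...`. The option name also looks wrong: GCC spells this warning `-Wno-missing-field-initializers`, and because an unrecognised `-Wno-` option is accepted without a diagnostic, the build would not reveal the misspelling. As written, the suppression most likely has no effect, so either correct both the variable and the flag or drop the line.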
@@ -79402,6 +80790,7 @@ index 0000000..894c8bf
 +hostlibs-$(CONFIG_PAX_KERNEXEC_PLUGIN) += kernexec_plugin.so
 +hostlibs-$(CONFIG_CHECKER_PLUGIN) += checker_plugin.so
 +hostlibs-y += colorize_plugin.so
++hostlibs-$(CONFIG_PAX_SIZE_OVERFLOW) += size_overflow_plugin.so
 +
 +always := $(hostlibs-y)
 +
@@ -79411,6 +80800,7 @@ index 0000000..894c8bf
 +kernexec_plugin-objs := kernexec_plugin.o
 +checker_plugin-objs := checker_plugin.o
 +colorize_plugin-objs := colorize_plugin.o
++size_overflow_plugin-objs := size_overflow_plugin.o
 diff --git a/tools/gcc/checker_plugin.c b/tools/gcc/checker_plugin.c
 new file mode 100644
 index 0000000..d41b5af
@@ -80656,12 +82046,3876 @@ index 0000000..008f159
 +
 +	return 0;
 +}
+diff --git a/tools/gcc/size_overflow_hash1.h b/tools/gcc/size_overflow_hash1.h
+new file mode 100644
+index 0000000..55a1292
+--- /dev/null
++++ b/tools/gcc/size_overflow_hash1.h
+@@ -0,0 +1,2760 @@
++struct size_overflow_hash size_overflow_hash1[65536] = {
++	[10013].file	= "security/smack/smackfs.c",
++	[10013].name	= "smk_write_direct",
++	[10013].param3	= 1,
++	[10167].file	= "sound/core/oss/pcm_plugin.c",
++	[10167].name	= "snd_pcm_plugin_build",
++	[10167].param5	= 1,
++	[1020].file	= "drivers/usb/misc/usbtest.c",
++	[1020].name	= "test_unaligned_bulk",
++	[1020].param3	= 1,
++	[1022].file	= "sound/pci/rme9652/rme9652.c",
++	[1022].name	= "snd_rme9652_playback_copy",
++	[1022].param5	= 1,
++	[10341].file	= "fs/nfsd/nfs4xdr.c",
++	[10341].name	= "read_buf",
++	[10341].param2	= 1,
++	[10357].file	= "net/sunrpc/cache.c",
++	[10357].name	= "cache_read",
++	[10357].param3	= 1,
++	[10397].file	= "drivers/gpu/drm/i915/i915_debugfs.c",
++	[10397].name	= "i915_wedged_write",
++	[10397].param3	= 1,
++	[10414].file	= "drivers/tty/vt/vt.c",
++	[10414].name	= "vc_do_resize",
++	[10414].param3	= 1,
++	[10414].param4	= 1,
++	[10496].file	= "drivers/bluetooth/hci_vhci.c",
++	[10496].name	= "vhci_read",
++	[10496].param3	= 1,
++	[10565].file	= "drivers/input/touchscreen/ad7879-spi.c",
++	[10565].name	= "ad7879_spi_multi_read",
++	[10565].param3	= 1,
++	[10623].file	= "drivers/infiniband/core/user_mad.c",
++	[10623].name	= "ib_umad_write",
++	[10623].param3	= 1,
++	[10707].file	= "fs/nfs/idmap.c",
++	[10707].name	= "nfs_idmap_request_key",
++	[10707].param2	= 1,
++	[10773].file	= "drivers/input/mousedev.c",
++	[10773].name	= "mousedev_read",
++	[10773].param3	= 1,
++	[10777].file	= "fs/ntfs/file.c",
++	[10777].name	= "ntfs_file_buffered_write",
++	[10777].param6	= 1,
++	[10919].file	= "net/ipv4/netfilter/arp_tables.c",
++	[10919].name	= "do_arpt_set_ctl",
++	[10919].param4	= 1,
++	[11054].file	= "drivers/net/wireless/libertas/debugfs.c",
++	[11054].name	= "lbs_wrmac_write",
++	[11054].param3	= 1,
++	[11068].file	= "drivers/net/wireless/libertas/debugfs.c",
++	[11068].name	= "lbs_wrrf_write",
++	[11068].param3	= 1,
++	[11364].file	= "fs/ext4/super.c",
++	[11364].name	= "ext4_kvzalloc",
++	[11364].param1	= 1,
++	[11402].file	= "drivers/net/wireless/libertas/debugfs.c",
++	[11402].name	= "lbs_threshold_write",
++	[11402].param5	= 1,
++	[11494].file	= "drivers/video/via/viafbdev.c",
++	[11494].name	= "viafb_dvp1_proc_write",
++	[11494].param3	= 1,
++	[11616].file	= "security/selinux/selinuxfs.c",
++	[11616].name	= "sel_write_enforce",
++	[11616].param3	= 1,
++	[11699].file	= "drivers/net/ethernet/neterion/vxge/vxge-config.h",
++	[11699].name	= "vxge_os_dma_malloc",
++	[11699].param2	= 1,
++	[11766].file	= "drivers/block/paride/pt.c",
++	[11766].name	= "pt_read",
++	[11766].param3	= 1,
++	[11784].file	= "fs/bio.c",
++	[11784].name	= "bio_kmalloc",
++	[11784].param2	= 1,
++	[11814].file	= "drivers/staging/speakup/kobjects.c",
++	[11814].name	= "keymap_store",
++	[11814].param4	= 1,
++	[11912].file	= "net/sunrpc/cache.c",
++	[11912].name	= "cache_write_pipefs",
++	[11912].param3	= 1,
++	[11919].file	= "drivers/lguest/core.c",
++	[11919].name	= "__lgread",
++	[11919].param4	= 1,
++	[11986].file	= "drivers/net/usb/asix.c",
++	[11986].name	= "asix_read_cmd",
++	[11986].param5	= 1,
++	[12059].file	= "drivers/net/wireless/libertas/debugfs.c",
++	[12059].name	= "lbs_debugfs_write",
++	[12059].param3	= 1,
++	[12071].file	= "lib/kstrtox.c",
++	[12071].name	= "kstrtou8_from_user",
++	[12071].param2	= 1,
++	[12151].file	= "fs/compat.c",
++	[12151].name	= "compat_rw_copy_check_uvector",
++	[12151].param3	= 1,
++	[12205].file	= "fs/reiserfs/journal.c",
++	[12205].name	= "reiserfs_allocate_list_bitmaps",
++	[12205].param3	= 1,
++	[12234].file	= "include/acpi/platform/aclinux.h",
++	[12234].name	= "acpi_os_allocate",
++	[12234].param1	= 1,
++	[1227].file	= "lib/cpu_rmap.c",
++	[1227].name	= "alloc_cpu_rmap",
++	[1227].param1	= 1,
++	[12395].file	= "drivers/char/hw_random/core.c",
++	[12395].name	= "rng_dev_read",
++	[12395].param3	= 1,
++	[1248].file	= "kernel/kprobes.c",
++	[1248].name	= "write_enabled_file_bool",
++	[1248].param3	= 1,
++	[12501].file	= "net/mac80211/debugfs.c",
++	[12501].name	= "uapsd_max_sp_len_write",
++	[12501].param3	= 1,
++	[12591].file	= "sound/core/pcm_lib.c",
++	[12591].name	= "snd_pcm_lib_writev_transfer",
++	[12591].param5	= 1,
++	[12602].file	= "net/sunrpc/cache.c",
++	[12602].name	= "cache_downcall",
++	[12602].param3	= 1,
++	[12712].file	= "drivers/net/wimax/i2400m/fw.c",
++	[12712].name	= "i2400m_zrealloc_2x",
++	[12712].param3	= 1,
++	[12755].file	= "sound/drivers/opl4/opl4_proc.c",
++	[12755].name	= "snd_opl4_mem_proc_read",
++	[12755].param5	= 1,
++	[12833].file	= "net/sctp/auth.c",
++	[12833].name	= "sctp_auth_create_key",
++	[12833].param1	= 1,
++	[12840].file	= "net/sctp/tsnmap.c",
++	[12840].name	= "sctp_tsnmap_mark",
++	[12840].param2	= 1,
++	[12896].file	= "drivers/net/wireless/wl12xx/debugfs.c",
++	[12896].name	= "beacon_filtering_write",
++	[12896].param3	= 1,
++	[12931].file	= "drivers/hid/hid-roccat.c",
++	[12931].name	= "roccat_read",
++	[12931].param3	= 1,
++	[12954].file	= "fs/proc/base.c",
++	[12954].name	= "oom_adjust_write",
++	[12954].param3	= 1,
++	[13013].file	= "drivers/media/dvb/ttpci/av7110_ca.c",
++	[13013].name	= "dvb_ca_write",
++	[13013].param3	= 1,
++	[13103].file	= "drivers/acpi/acpica/utobject.c",
++	[13103].name	= "acpi_ut_create_string_object",
++	[13103].param1	= 1,
++	[13121].file	= "net/ipv4/ip_sockglue.c",
++	[13121].name	= "do_ip_setsockopt",
++	[13121].param5	= 1,
++	[13337].file	= "net/core/iovec.c",
++	[13337].name	= "csum_partial_copy_fromiovecend",
++	[13337].param4	= 1,
++	[13339].file	= "security/smack/smackfs.c",
++	[13339].name	= "smk_write_netlbladdr",
++	[13339].param3	= 1,
++	[13342].file	= "fs/jbd2/journal.c",
++	[13342].name	= "jbd2_alloc",
++	[13342].param1	= 1,
++	[13412].file	= "fs/proc/base.c",
++	[13412].name	= "oom_score_adj_write",
++	[13412].param3	= 1,
++	[13659].file	= "drivers/net/wan/hdlc.c",
++	[13659].name	= "attach_hdlc_protocol",
++	[13659].param3	= 1,
++	[13708].file	= "drivers/usb/misc/usbtest.c",
++	[13708].name	= "simple_alloc_urb",
++	[13708].param3	= 1,
++	[13863].file	= "drivers/net/wireless/iwlwifi/iwl-agn-rs.c",
++	[13863].name	= "rs_sta_dbgfs_scale_table_write",
++	[13863].param3	= 1,
++	[13924].file	= "net/ipv4/netfilter/ip_tables.c",
++	[13924].name	= "do_ipt_set_ctl",
++	[13924].param4	= 1,
++	[14019].file	= "net/dns_resolver/dns_key.c",
++	[14019].name	= "dns_resolver_instantiate",
++	[14019].param2	= 1,
++	[14019].param3	= 1,
++	[14025].file	= "net/ax25/af_ax25.c",
++	[14025].name	= "ax25_setsockopt",
++	[14025].param5	= 1,
++	[14029].file	= "drivers/spi/spidev.c",
++	[14029].name	= "spidev_compat_ioctl",
++	[14029].param2	= 1,
++	[14031].file	= "drivers/net/wireless/ath/ath5k/debug.c",
++	[14031].name	= "write_file_beacon",
++	[14031].param3	= 1,
++	[14086].file	= "fs/nfs/nfs4proc.c",
++	[14086].name	= "nfs4_reset_slot_table",
++	[14086].param2	= 1,
++	[14090].file	= "drivers/bluetooth/btmrvl_debugfs.c",
++	[14090].name	= "btmrvl_hsmode_write",
++	[14090].param3	= 1,
++	[14125].file	= "kernel/module.c",
++	[14125].name	= "load_module",
++	[14125].param2	= 1,
++	[14149].file	= "drivers/hid/hidraw.c",
++	[14149].name	= "hidraw_ioctl",
++	[14149].param2	= 1,
++	[14153].file	= "drivers/staging/bcm/led_control.c",
++	[14153].name	= "ValidateDSDParamsChecksum",
++	[14153].param3	= 1,
++	[14174].file	= "sound/pci/es1938.c",
++	[14174].name	= "snd_es1938_capture_copy",
++	[14174].param5	= 1,
++	[14207].file	= "drivers/media/video/v4l2-event.c",
++	[14207].name	= "v4l2_event_subscribe",
++	[14207].param3	= 1,
++	[14241].file	= "drivers/platform/x86/asus_acpi.c",
++	[14241].name	= "brn_proc_write",
++	[14241].param3	= 1,
++	[14299].file	= "sound/core/oss/pcm_plugin.c",
++	[14299].name	= "snd_pcm_plugin_alloc",
++	[14299].param2	= 1,
++	[14345].file	= "fs/cachefiles/daemon.c",
++	[14345].name	= "cachefiles_daemon_write",
++	[14345].param3	= 1,
++	[14347].file	= "drivers/media/dvb/dvb-core/dvb_ca_en50221.c",
++	[14347].name	= "dvb_ca_en50221_io_write",
++	[14347].param3	= 1,
++	[14462].file	= "fs/namei.c",
++	[14462].name	= "sys_rmdir",
++	[14462].param1	= 1,
++	[14478].file	= "drivers/char/random.c",
++	[14478].name	= "random_write",
++	[14478].param3	= 1,
++	[1458].file	= "drivers/misc/lkdtm.c",
++	[1458].name	= "direct_entry",
++	[1458].param3	= 1,
++	[145].file	= "lib/xz/xz_dec_test.c",
++	[145].name	= "xz_dec_test_write",
++	[145].param3	= 1,
++	[14646].file	= "fs/compat.c",
++	[14646].name	= "compat_writev",
++	[14646].param3	= 1,
++	[14736].file	= "drivers/usb/misc/usbtest.c",
++	[14736].name	= "unlink_queued",
++	[14736].param3	= 1,
++	[14842].file	= "fs/namei.c",
++	[14842].name	= "sys_renameat",
++	[14842].param2	= 1,
++	[14842].param4	= 1,
++	[15017].file	= "drivers/edac/edac_device.c",
++	[15017].name	= "edac_device_alloc_ctl_info",
++	[15017].param1	= 1,
++	[15087].file	= "fs/bio.c",
++	[15087].name	= "bio_map_kern",
++	[15087].param2	= 1,
++	[15087].param3	= 1,
++	[15112].file	= "drivers/xen/evtchn.c",
++	[15112].name	= "evtchn_write",
++	[15112].param3	= 1,
++	[15274].file	= "crypto/shash.c",
++	[15274].name	= "crypto_shash_setkey",
++	[15274].param3	= 1,
++	[15361].file	= "drivers/char/agp/generic.c",
++	[15361].name	= "agp_allocate_memory",
++	[15361].param2	= 1,
++	[15497].file	= "drivers/media/dvb/ddbridge/ddbridge-core.c",
++	[15497].name	= "ts_read",
++	[15497].param3	= 1,
++	[15551].file	= "net/ipv4/netfilter/ipt_CLUSTERIP.c",
++	[15551].name	= "clusterip_proc_write",
++	[15551].param3	= 1,
++	[15701].file	= "drivers/hid/hid-roccat-common.c",
++	[15701].name	= "roccat_common_receive",
++	[15701].param4	= 1,
++	[1572].file	= "net/ceph/pagevec.c",
++	[1572].name	= "ceph_copy_page_vector_to_user",
++	[1572].param4	= 1,
++	[15814].file	= "net/mac80211/debugfs_netdev.c",
++	[15814].name	= "ieee80211_if_write",
++	[15814].param3	= 1,
++	[15883].file	= "security/keys/keyctl.c",
++	[15883].name	= "sys_add_key",
++	[15883].param4	= 1,
++	[15884].file	= "fs/exofs/super.c",
++	[15884].name	= "exofs_read_lookup_dev_table",
++	[15884].param3	= 1,
++	[1603].file	= "fs/debugfs/file.c",
++	[1603].name	= "write_file_bool",
++	[1603].param3	= 1,
++	[16073].file	= "net/sctp/socket.c",
++	[16073].name	= "sctp_setsockopt",
++	[16073].param5	= 1,
++	[16138].file	= "security/selinux/ss/services.c",
++	[16138].name	= "security_context_to_sid_force",
++	[16138].param2	= 1,
++	[16166].file	= "drivers/platform/x86/thinkpad_acpi.c",
++	[16166].name	= "dispatch_proc_write",
++	[16166].param3	= 1,
++	[16229].file	= "drivers/scsi/scsi_transport_iscsi.c",
++	[16229].name	= "iscsi_offload_mesg",
++	[16229].param5	= 1,
++	[16353].file	= "drivers/base/regmap/regmap.c",
++	[16353].name	= "regmap_raw_write",
++	[16353].param4	= 1,
++	[16383].file	= "fs/proc/base.c",
++	[16383].name	= "comm_write",
++	[16383].param3	= 1,
++	[16447].file	= "drivers/hid/usbhid/hiddev.c",
++	[16447].name	= "hiddev_ioctl",
++	[16447].param2	= 1,
++	[16453].file	= "include/linux/slab.h",
++	[16453].name	= "kzalloc",
++	[16453].param1	= 1,
++	[16535].file	= "fs/proc/generic.c",
++	[16535].name	= "proc_file_read",
++	[16535].param3	= 1,
++	[16605].file	= "fs/ecryptfs/miscdev.c",
++	[16605].name	= "ecryptfs_send_miscdev",
++	[16605].param2	= 1,
++	[16606].file	= "drivers/ide/ide-tape.c",
++	[16606].name	= "idetape_chrdev_write",
++	[16606].param3	= 1,
++	[16741].file	= "fs/namei.c",
++	[16741].name	= "sys_unlinkat",
++	[16741].param2	= 1,
++	[16911].file	= "drivers/media/dvb/ttpci/av7110_hw.c",
++	[16911].name	= "LoadBitmap",
++	[16911].param2	= 1,
++	[17075].file	= "sound/isa/gus/gus_dram.c",
++	[17075].name	= "snd_gus_dram_write",
++	[17075].param4	= 1,
++	[17133].file	= "drivers/usb/misc/iowarrior.c",
++	[17133].name	= "iowarrior_read",
++	[17133].param3	= 1,
++	[17139].file	= "fs/ubifs/xattr.c",
++	[17139].name	= "ubifs_setxattr",
++	[17139].param4	= 1,
++	[17185].file	= "net/wireless/scan.c",
++	[17185].name	= "cfg80211_inform_bss",
++	[17185].param8	= 1,
++	[17349].file	= "net/tipc/link.c",
++	[17349].name	= "tipc_link_send_sections_fast",
++	[17349].param4	= 1,
++	[17377].file	= "drivers/usb/class/cdc-wdm.c",
++	[17377].name	= "wdm_write",
++	[17377].param3	= 1,
++	[17459].file	= "drivers/usb/misc/rio500.c",
++	[17459].name	= "write_rio",
++	[17459].param3	= 1,
++	[17460].file	= "fs/nfsd/nfscache.c",
++	[17460].name	= "nfsd_cache_update",
++	[17460].param3	= 1,
++	[17492].file	= "net/dccp/proto.c",
++	[17492].name	= "do_dccp_setsockopt",
++	[17492].param5	= 1,
++	[1754].file	= "sound/core/oss/pcm_oss.c",
++	[1754].name	= "snd_pcm_oss_write",
++	[1754].param3	= 1,
++	[17571].file	= "drivers/ptp/ptp_chardev.c",
++	[17571].name	= "ptp_read",
++	[17571].param4	= 1,
++	[17684].file	= "fs/namei.c",
++	[17684].name	= "sys_mknod",
++	[17684].param1	= 1,
++	[17718].file	= "net/caif/caif_socket.c",
++	[17718].name	= "setsockopt",
++	[17718].param5	= 1,
++	[17875].file	= "fs/namei.c",
++	[17875].name	= "sys_linkat",
++	[17875].param2	= 1,
++	[17875].param4	= 1,
++	[17946].file	= "drivers/net/wireless/libertas/if_spi.c",
++	[17946].name	= "if_spi_host_to_card",
++	[17946].param4	= 1,
++	[1800].file	= "drivers/media/dvb/dvb-core/dmxdev.c",
++	[1800].name	= "dvb_dvr_do_ioctl",
++	[1800].param3	= 1,
++	[18102].file	= "net/netlink/af_netlink.c",
++	[18102].name	= "netlink_change_ngroups",
++	[18102].param2	= 1,
++	[18183].file	= "drivers/tty/tty_buffer.c",
++	[18183].name	= "tty_insert_flip_string_fixed_flag",
++	[18183].param4	= 1,
++	[18224].file	= "drivers/xen/grant-table.c",
++	[18224].name	= "gnttab_map",
++	[18224].param2	= 1,
++	[18232].file	= "fs/nfs/write.c",
++	[18232].name	= "nfs_writedata_alloc",
++	[18232].param1	= 1,
++	[18277].file	= "drivers/char/virtio_console.c",
++	[18277].name	= "port_fops_write",
++	[18277].param3	= 1,
++	[18303].file	= "fs/xattr.c",
++	[18303].name	= "getxattr",
++	[18303].param4	= 1,
++	[18353].file	= "net/rfkill/core.c",
++	[18353].name	= "rfkill_fop_read",
++	[18353].param3	= 1,
++	[18386].file	= "fs/read_write.c",
++	[18386].name	= "vfs_readv",
++	[18386].param3	= 1,
++	[18391].file	= "fs/ocfs2/stack_user.c",
++	[18391].name	= "ocfs2_control_write",
++	[18391].param3	= 1,
++	[183].file	= "crypto/ahash.c",
++	[183].name	= "crypto_ahash_setkey",
++	[183].param3	= 1,
++	[18406].file	= "drivers/media/video/tm6000/tm6000-core.c",
++	[18406].name	= "tm6000_read_write_usb",
++	[18406].param7	= 1,
++	[1845].file	= "drivers/net/wireless/rt2x00/rt2x00debug.c",
++	[1845].name	= "rt2x00debug_write_rf",
++	[1845].param3	= 1,
++	[18465].file	= "drivers/net/ethernet/chelsio/cxgb3/cxgb3_offload.c",
++	[18465].name	= "cxgb_alloc_mem",
++	[18465].param1	= 1,
++	[1858].file	= "net/ipv6/netfilter/ip6_tables.c",
++	[1858].name	= "do_ip6t_set_ctl",
++	[1858].param4	= 1,
++	[18659].file	= "drivers/media/dvb/dvb-core/dvbdev.c",
++	[18659].name	= "dvb_usercopy",
++	[18659].param2	= 1,
++	[18775].file	= "drivers/net/wireless/ath/ath5k/debug.c",
++	[18775].name	= "write_file_frameerrors",
++	[18775].param3	= 1,
++	[18928].file	= "drivers/staging/speakup/devsynth.c",
++	[18928].name	= "speakup_file_write",
++	[18928].param3	= 1,
++	[18988].file	= "drivers/staging/vme/devices/vme_user.c",
++	[18988].name	= "vme_user_read",
++	[18988].param3	= 1,
++	[19012].file	= "drivers/acpi/event.c",
++	[19012].name	= "acpi_system_read_event",
++	[19012].param3	= 1,
++	[19028].file	= "mm/filemap.c",
++	[19028].name	= "iov_iter_copy_from_user_atomic",
++	[19028].param4	= 1,
++	[19107].file	= "security/smack/smackfs.c",
++	[19107].name	= "smk_write_load_list",
++	[19107].param3	= 1,
++	[19261].file	= "net/netlabel/netlabel_domainhash.c",
++	[19261].name	= "netlbl_domhsh_init",
++	[19261].param1	= 1,
++	[19274].file	= "net/core/pktgen.c",
++	[19274].name	= "pktgen_if_write",
++	[19274].param3	= 1,
++	[19286].file	= "drivers/base/regmap/regmap.c",
++	[19286].name	= "_regmap_raw_write",
++	[19286].param4	= 1,
++	[19288].file	= "net/ipv6/raw.c",
++	[19288].name	= "rawv6_setsockopt",
++	[19288].param5	= 1,
++	[19308].file	= "drivers/char/mem.c",
++	[19308].name	= "read_oldmem",
++	[19308].param3	= 1,
++	[19332].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[19332].name	= "iwl_dbgfs_plcp_delta_write",
++	[19332].param3	= 1,
++	[19349].file	= "drivers/acpi/acpica/utobject.c",
++	[19349].name	= "acpi_ut_create_package_object",
++	[19349].param1	= 1,
++	[19504].file	= "drivers/usb/serial/garmin_gps.c",
++	[19504].name	= "pkt_add",
++	[19504].param3	= 1,
++	[19522].file	= "mm/percpu.c",
++	[19522].name	= "pcpu_mem_zalloc",
++	[19522].param1	= 1,
++	[19548].file	= "drivers/scsi/qla2xxx/qla_init.c",
++	[19548].name	= "qla2x00_get_ctx_sp",
++	[19548].param3	= 1,
++	[19738].file	= "fs/sysfs/file.c",
++	[19738].name	= "sysfs_write_file",
++	[19738].param3	= 1,
++	[19833].file	= "drivers/xen/xenfs/privcmd.c",
++	[19833].name	= "gather_array",
++	[19833].param3	= 1,
++	[19909].file	= "drivers/net/wireless/libertas/debugfs.c",
++	[19909].name	= "lbs_sleepparams_write",
++	[19909].param3	= 1,
++	[19920].file	= "drivers/input/joydev.c",
++	[19920].name	= "joydev_ioctl",
++	[19920].param2	= 1,
++	[19931].file	= "drivers/usb/misc/ftdi-elan.c",
++	[19931].name	= "ftdi_elan_write",
++	[19931].param3	= 1,
++	[19943].file	= "drivers/net/wireless/ath/ath9k/debug.c",
++	[19943].name	= "write_file_regval",
++	[19943].param3	= 1,
++	[19960].file	= "drivers/usb/class/usblp.c",
++	[19960].name	= "usblp_read",
++	[19960].param3	= 1,
++	[20023].file	= "drivers/media/video/gspca/gspca.c",
++	[20023].name	= "dev_read",
++	[20023].param3	= 1,
++	[20113].file	= "drivers/net/wireless/libertas/debugfs.c",
++	[20113].name	= "lbs_rdmac_write",
++	[20113].param3	= 1,
++	[20314].file	= "drivers/gpu/drm/drm_hashtab.c",
++	[20314].name	= "drm_ht_create",
++	[20314].param2	= 1,
++	[20376].file	= "mm/nobootmem.c",
++	[20376].name	= "__alloc_bootmem_nopanic",
++	[20376].param1	= 1,
++	[20606].file	= "fs/nilfs2/mdt.c",
++	[20606].name	= "nilfs_mdt_init",
++	[20606].param3	= 1,
++	[20611].file	= "net/netfilter/x_tables.c",
++	[20611].name	= "xt_alloc_table_info",
++	[20611].param1	= 1,
++	[20713].file	= "drivers/gpu/drm/ttm/ttm_bo_vm.c",
++	[20713].name	= "ttm_bo_io",
++	[20713].param5	= 1,
++	[20730].file	= "drivers/media/video/videobuf2-vmalloc.c",
++	[20730].name	= "vb2_vmalloc_alloc",
++	[20730].param2	= 1,
++	[20801].file	= "drivers/vhost/vhost.c",
++	[20801].name	= "vhost_add_used_n",
++	[20801].param3	= 1,
++	[20835].file	= "drivers/isdn/i4l/isdn_common.c",
++	[20835].name	= "isdn_read",
++	[20835].param3	= 1,
++	[20951].file	= "crypto/rng.c",
++	[20951].name	= "rngapi_reset",
++	[20951].param3	= 1,
++	[21134].file	= "drivers/video/via/viafbdev.c",
++	[21134].name	= "viafb_dfph_proc_write",
++	[21134].param3	= 1,
++	[21193].file	= "net/wireless/sme.c",
++	[21193].name	= "cfg80211_disconnected",
++	[21193].param4	= 1,
++	[21277].file	= "drivers/usb/storage/shuttle_usbat.c",
++	[21277].name	= "usbat_flash_write_data",
++	[21277].param4	= 1,
++	[21312].file	= "lib/ts_kmp.c",
++	[21312].name	= "kmp_init",
++	[21312].param2	= 1,
++	[21335].file	= "net/econet/af_econet.c",
++	[21335].name	= "econet_sendmsg",
++	[21335].param4	= 1,
++	[21397].file	= "net/core/sock.c",
++	[21397].name	= "sock_setsockopt",
++	[21397].param5	= 1,
++	[21406].file	= "fs/libfs.c",
++	[21406].name	= "simple_write_to_buffer",
++	[21406].param2	= 1,
++	[21406].param5	= 1,
++	[21451].file	= "net/netfilter/ipvs/ip_vs_ctl.c",
++	[21451].name	= "do_ip_vs_set_ctl",
++	[21451].param4	= 1,
++	[21459].file	= "security/smack/smackfs.c",
++	[21459].name	= "smk_write_doi",
++	[21459].param3	= 1,
++	[21468].file	= "drivers/char/virtio_console.c",
++	[21468].name	= "port_fops_read",
++	[21468].param3	= 1,
++	[21511].file	= "drivers/input/ff-core.c",
++	[21511].name	= "input_ff_create",
++	[21511].param2	= 1,
++	[21538].file	= "net/bluetooth/l2cap_sock.c",
++	[21538].name	= "l2cap_sock_setsockopt",
++	[21538].param5	= 1,
++	[21608].file	= "drivers/char/tpm/tpm.c",
++	[21608].name	= "tpm_write",
++	[21608].param3	= 1,
++	[2160].file	= "drivers/net/wireless/ray_cs.c",
++	[2160].name	= "int_proc_write",
++	[2160].param3	= 1,
++	[21632].file	= "fs/afs/cell.c",
++	[21632].name	= "afs_cell_create",
++	[21632].param2	= 1,
++	[21679].file	= "drivers/net/wireless/ath/carl9170/debug.c",
++	[21679].name	= "carl9170_debugfs_write",
++	[21679].param3	= 1,
++	[21712].file	= "net/rxrpc/ar-output.c",
++	[21712].name	= "rxrpc_send_data",
++	[21712].param5	= 1,
++	[2180].file	= "drivers/char/ppdev.c",
++	[2180].name	= "pp_write",
++	[2180].param3	= 1,
++	[21946].file	= "fs/nfs/idmap.c",
++	[21946].name	= "nfs_map_name_to_uid",
++	[21946].param3	= 1,
++	[22085].file	= "drivers/staging/sep/sep_driver.c",
++	[22085].name	= "sep_lock_user_pages",
++	[22085].param2	= 1,
++	[22085].param3	= 1,
++	[22187].file	= "fs/namei.c",
++	[22187].name	= "user_path_at_empty",
++	[22187].param2	= 1,
++	[22190].file	= "drivers/char/tpm/tpm.c",
++	[22190].name	= "tpm_read",
++	[22190].param3	= 1,
++	[22204].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[22204].name	= "iwl_dbgfs_echo_test_write",
++	[22204].param3	= 1,
++	[22291].file	= "net/core/pktgen.c",
++	[22291].name	= "pgctrl_write",
++	[22291].param3	= 1,
++	[22439].file	= "fs/afs/rxrpc.c",
++	[22439].name	= "afs_alloc_flat_call",
++	[22439].param2	= 1,
++	[22439].param3	= 1,
++	[2243].file	= "drivers/scsi/scsi_tgt_lib.c",
++	[2243].name	= "scsi_tgt_kspace_exec",
++	[2243].param8	= 1,
++	[22546].file	= "drivers/char/pcmcia/cm4040_cs.c",
++	[22546].name	= "cm4040_read",
++	[22546].param3	= 1,
++	[22742].file	= "drivers/tty/tty_buffer.c",
++	[22742].name	= "tty_insert_flip_string_flags",
++	[22742].param4	= 1,
++	[22772].file	= "drivers/target/iscsi/iscsi_target_erl1.c",
++	[22772].name	= "iscsit_dump_data_payload",
++	[22772].param2	= 1,
++	[2286].file	= "drivers/scsi/mvumi.c",
++	[2286].name	= "mvumi_alloc_mem_resource",
++	[2286].param3	= 1,
++	[22904].file	= "security/selinux/ss/services.c",
++	[22904].name	= "security_context_to_sid_default",
++	[22904].param2	= 1,
++	[22932].file	= "fs/compat.c",
++	[22932].name	= "compat_sys_writev",
++	[22932].param3	= 1,
++	[2302].file	= "drivers/media/video/stk-webcam.c",
++	[2302].name	= "v4l_stk_read",
++	[2302].param3	= 1,
++	[23037].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[23037].name	= "iwl_dbgfs_wd_timeout_write",
++	[23037].param3	= 1,
++	[2307].file	= "drivers/pcmcia/cistpl.c",
++	[2307].name	= "pcmcia_replace_cis",
++	[2307].param3	= 1,
++	[23093].file	= "drivers/scsi/st.c",
++	[23093].name	= "st_read",
++	[23093].param3	= 1,
++	[23117].file	= "drivers/media/dvb/ttpci/av7110_av.c",
++	[23117].name	= "dvb_audio_write",
++	[23117].param3	= 1,
++	[2324].file	= "net/ieee802154/wpan-class.c",
++	[2324].name	= "wpan_phy_alloc",
++	[2324].param1	= 1,
++	[23535].file	= "ipc/sem.c",
++	[23535].name	= "sys_semtimedop",
++	[23535].param3	= 1,
++	[2357].file	= "drivers/usb/serial/garmin_gps.c",
++	[2357].name	= "garmin_read_process",
++	[2357].param3	= 1,
++	[23589].file	= "kernel/relay.c",
++	[23589].name	= "subbuf_read_actor",
++	[23589].param3	= 1,
++	[23619].file	= "drivers/tty/tty_buffer.c",
++	[23619].name	= "tty_buffer_request_room",
++	[23619].param2	= 1,
++	[23640].file	= "drivers/usb/host/ehci-dbg.c",
++	[23640].name	= "debug_lpm_write",
++	[23640].param3	= 1,
++	[23684].file	= "drivers/net/wireless/iwlegacy/iwl-debugfs.c",
++	[23684].name	= "iwl_legacy_dbgfs_clear_traffic_statistics_write",
++	[23684].param3	= 1,
++	[23848].file	= "crypto/blkcipher.c",
++	[23848].name	= "async_setkey",
++	[23848].param3	= 1,
++	[2386].file	= "drivers/acpi/acpica/exnames.c",
++	[2386].name	= "acpi_ex_allocate_name_string",
++	[2386].param2	= 1,
++	[23883].file	= "drivers/net/wireless/iwlwifi/iwl-trans-pcie.c",
++	[23883].name	= "iwl_dbgfs_interrupt_write",
++	[23883].param3	= 1,
++	[23999].file	= "sound/pci/rme9652/hdsp.c",
++	[23999].name	= "snd_hdsp_capture_copy",
++	[23999].param5	= 1,
++	[24072].file	= "drivers/staging/pohmelfs/inode.c",
++	[24072].name	= "pohmelfs_send_readpages",
++	[24072].param3	= 1,
++	[24233].file	= "drivers/pci/pcie/aer/aer_inject.c",
++	[24233].name	= "aer_inject_write",
++	[24233].param3	= 1,
++	[24263].file	= "kernel/cgroup.c",
++	[24263].name	= "cgroup_file_write",
++	[24263].param3	= 1,
++	[24313].file	= "drivers/staging/frontier/tranzport.c",
++	[24313].name	= "usb_tranzport_write",
++	[24313].param3	= 1,
++	[24359].file	= "kernel/power/qos.c",
++	[24359].name	= "pm_qos_power_write",
++	[24359].param3	= 1,
++	[24410].file	= "drivers/net/wireless/ipw2x00/libipw_module.c",
++	[24410].name	= "debug_level_proc_write",
++	[24410].param3	= 1,
++	[24457].file	= "fs/btrfs/backref.c",
++	[24457].name	= "init_data_container",
++	[24457].param1	= 1,
++	[24539].file	= "drivers/gpu/drm/vmwgfx/vmwgfx_kms.c",
++	[24539].name	= "vmw_framebuffer_dmabuf_dirty",
++	[24539].param6	= 1,
++	[24719].file	= "drivers/input/evdev.c",
++	[24719].name	= "bits_to_user",
++	[24719].param2	= 1,
++	[24719].param3	= 1,
++	[2472].file	= "net/ipv4/netfilter/ip_tables.c",
++	[2472].name	= "compat_do_ipt_set_ctl",
++	[2472].param4	= 1,
++	[24755].file	= "drivers/infiniband/hw/qib/qib_diag.c",
++	[24755].name	= "qib_diag_write",
++	[24755].param3	= 1,
++	[24805].file	= "security/keys/user_defined.c",
++	[24805].name	= "user_update",
++	[24805].param3	= 1,
++	[25036].file	= "fs/pipe.c",
++	[25036].name	= "pipe_iov_copy_from_user",
++	[25036].param3	= 1,
++	[25127].file	= "drivers/scsi/device_handler/scsi_dh_alua.c",
++	[25127].name	= "realloc_buffer",
++	[25127].param2	= 1,
++	[25157].file	= "security/keys/request_key_auth.c",
++	[25157].name	= "request_key_auth_new",
++	[25157].param3	= 1,
++	[25158].file	= "drivers/net/ethernet/mellanox/mlx4/en_rx.c",
++	[25158].name	= "mlx4_en_create_rx_ring",
++	[25158].param3	= 1,
++	[25223].file	= "drivers/platform/x86/toshiba_acpi.c",
++	[25223].name	= "fan_proc_write",
++	[25223].param3	= 1,
++	[25267].file	= "fs/configfs/file.c",
++	[25267].name	= "configfs_write_file",
++	[25267].param3	= 1,
++	[25356].file	= "net/core/dev.c",
++	[25356].name	= "alloc_netdev_mqs",
++	[25356].param4	= 1,
++	[25356].param5	= 1,
++	[25495].file	= "drivers/scsi/bfa/bfad_debugfs.c",
++	[25495].name	= "bfad_debugfs_write_regwr",
++	[25495].param3	= 1,
++	[25558].file	= "fs/proc/task_mmu.c",
++	[25558].name	= "clear_refs_write",
++	[25558].param3	= 1,
++	[25692].file	= "drivers/net/wireless/ath/ath6kl/wmi.c",
++	[25692].name	= "ath6kl_wmi_send_action_cmd",
++	[25692].param6	= 1,
++	[2609].file	= "lib/kstrtox.c",
++	[2609].name	= "kstrtoul_from_user",
++	[2609].param2	= 1,
++	[26100].file	= "sound/core/info.c",
++	[26100].name	= "snd_info_entry_write",
++	[26100].param3	= 1,
++	[26215].file	= "drivers/md/dm-table.c",
++	[26215].name	= "dm_table_create",
++	[26215].param3	= 1,
++	[26256].file	= "fs/hpfs/name.c",
++	[26256].name	= "hpfs_translate_name",
++	[26256].param3	= 1,
++	[26404].file	= "drivers/net/wireless/mwifiex/debugfs.c",
++	[26404].name	= "mwifiex_rdeeprom_write",
++	[26404].param3	= 1,
++	[26494].file	= "kernel/signal.c",
++	[26494].name	= "sys_rt_sigpending",
++	[26494].param2	= 1,
++	[26497].file	= "security/keys/keyctl.c",
++	[26497].name	= "sys_keyctl",
++	[26497].param4	= 1,
++	[26533].file	= "drivers/block/aoe/aoechr.c",
++	[26533].name	= "aoechr_write",
++	[26533].param3	= 1,
++	[26560].file	= "crypto/algapi.c",
++	[26560].name	= "crypto_alloc_instance2",
++	[26560].param3	= 1,
++	[26620].file	= "net/bluetooth/mgmt.c",
++	[26620].name	= "mgmt_control",
++	[26620].param3	= 1,
++	[26701].file	= "drivers/mtd/chips/cfi_util.c",
++	[26701].name	= "cfi_read_pri",
++	[26701].param3	= 1,
++	[26757].file	= "fs/xattr.c",
++	[26757].name	= "sys_fgetxattr",
++	[26757].param4	= 1,
++	[2678].file	= "drivers/platform/x86/asus_acpi.c",
++	[2678].name	= "disp_proc_write",
++	[2678].param3	= 1,
++	[26834].file	= "drivers/gpu/drm/drm_drv.c",
++	[26834].name	= "drm_ioctl",
++	[26834].param2	= 1,
++	[26843].file	= "drivers/firewire/core-cdev.c",
++	[26843].name	= "fw_device_op_compat_ioctl",
++	[26843].param2	= 1,
++	[26845].file	= "drivers/scsi/qla2xxx/qla_bsg.c",
++	[26845].name	= "qla2x00_get_ctx_bsg_sp",
++	[26845].param3	= 1,
++	[26962].file	= "drivers/usb/class/usbtmc.c",
++	[26962].name	= "usbtmc_write",
++	[26962].param3	= 1,
++	[26966].file	= "drivers/media/dvb/ddbridge/ddbridge-core.c",
++	[26966].name	= "ts_write",
++	[26966].param3	= 1,
++	[27004].file	= "drivers/misc/hpilo.c",
++	[27004].name	= "ilo_write",
++	[27004].param3	= 1,
++	[27025].file	= "fs/ntfs/file.c",
++	[27025].name	= "__ntfs_copy_from_user_iovec_inatomic",
++	[27025].param3	= 1,
++	[27025].param4	= 1,
++	[27061].file	= "drivers/firewire/core-cdev.c",
++	[27061].name	= "iso_callback",
++	[27061].param3	= 1,
++	[2711].file	= "drivers/media/dvb/dvb-core/dvb_ringbuffer.c",
++	[2711].name	= "dvb_ringbuffer_read_user",
++	[2711].param3	= 1,
++	[27129].file	= "fs/lockd/mon.c",
++	[27129].name	= "nsm_get_handle",
++	[27129].param4	= 1,
++	[27142].file	= "fs/proc/kcore.c",
++	[27142].name	= "read_kcore",
++	[27142].param3	= 1,
++	[27164].file	= "include/drm/drm_mem_util.h",
++	[27164].name	= "drm_calloc_large",
++	[27164].param1	= 1,
++	[2722].file	= "drivers/gpu/drm/ttm/ttm_page_alloc.c",
++	[2722].name	= "ttm_alloc_new_pages",
++	[2722].param5	= 1,
++	[27232].file	= "security/apparmor/lib.c",
++	[27232].name	= "kvmalloc",
++	[27232].param1	= 1,
++	[27275].file	= "drivers/scsi/cxgbi/libcxgbi.c",
++	[27275].name	= "cxgbi_ddp_reserve",
++	[27275].param4	= 1,
++	[27280].file	= "drivers/net/ethernet/mellanox/mlx4/en_tx.c",
++	[27280].name	= "mlx4_en_create_tx_ring",
++	[27280].param4	= 1,
++	[27290].file	= "security/selinux/ss/services.c",
++	[27290].name	= "security_context_to_sid_core",
++	[27290].param2	= 1,
++	[27302].file	= "fs/proc/base.c",
++	[27302].name	= "proc_loginuid_write",
++	[27302].param3	= 1,
++	[27472].file	= "security/selinux/selinuxfs.c",
++	[27472].name	= "sel_write_load",
++	[27472].param3	= 1,
++	[27491].file	= "fs/proc/base.c",
++	[27491].name	= "proc_pid_attr_write",
++	[27491].param3	= 1,
++	[27568].file	= "drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c",
++	[27568].name	= "t4_alloc_mem",
++	[27568].param1	= 1,
++	[27582].file	= "drivers/platform/x86/asus_acpi.c",
++	[27582].name	= "ledd_proc_write",
++	[27582].param3	= 1,
++	[27695].file	= "fs/namei.c",
++	[27695].name	= "sys_link",
++	[27695].param1	= 1,
++	[27695].param2	= 1,
++	[27697].file	= "drivers/staging/mei/iorw.c",
++	[27697].name	= "amthi_read",
++	[27697].param4	= 1,
++	[27927].file	= "drivers/tty/tty_io.c",
++	[27927].name	= "redirected_tty_write",
++	[27927].param3	= 1,
++	[28040].file	= "kernel/kfifo.c",
++	[28040].name	= "__kfifo_alloc",
++	[28040].param2	= 1,
++	[28040].param3	= 1,
++	[28092].file	= "fs/select.c",
++	[28092].name	= "do_sys_poll",
++	[28092].param2	= 1,
++	[28170].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[28170].name	= "iwl_dbgfs_ucode_tracing_write",
++	[28170].param3	= 1,
++	[28247].file	= "net/sctp/tsnmap.c",
++	[28247].name	= "sctp_tsnmap_init",
++	[28247].param2	= 1,
++	[28265].file	= "fs/notify/fanotify/fanotify_user.c",
++	[28265].name	= "fanotify_write",
++	[28265].param3	= 1,
++	[28316].file	= "drivers/input/joydev.c",
++	[28316].name	= "joydev_ioctl_common",
++	[28316].param2	= 1,
++	[28360].file	= "drivers/hid/usbhid/hiddev.c",
++	[28360].name	= "hiddev_compat_ioctl",
++	[28360].param2	= 1,
++	[28407].file	= "drivers/net/wireless/rt2x00/rt2x00debug.c",
++	[28407].name	= "rt2x00debug_write_csr",
++	[28407].param3	= 1,
++	[28462].file	= "net/rfkill/core.c",
++	[28462].name	= "rfkill_fop_write",
++	[28462].param3	= 1,
++	[28635].file	= "drivers/gpu/drm/drm_sman.c",
++	[28635].name	= "drm_sman_init",
++	[28635].param2	= 1,
++	[28655].file	= "drivers/infiniband/hw/mthca/mthca_allocator.c",
++	[28655].name	= "mthca_alloc_init",
++	[28655].param2	= 1,
++	[28688].file	= "mm/mempolicy.c",
++	[28688].name	= "compat_sys_get_mempolicy",
++	[28688].param3	= 1,
++	[28783].file	= "drivers/gpu/drm/i915/i915_debugfs.c",
++	[28783].name	= "i915_cache_sharing_write",
++	[28783].param3	= 1,
++	[28787].file	= "drivers/media/video/videobuf2-core.c",
++	[28787].name	= "vb2_write",
++	[28787].param3	= 1,
++	[28879].file	= "drivers/base/map.c",
++	[28879].name	= "kobj_map",
++	[28879].param2	= 1,
++	[28879].param3	= 1,
++	[28889].file	= "drivers/char/pcmcia/cm4040_cs.c",
++	[28889].name	= "cm4040_write",
++	[28889].param3	= 1,
++	[29073].file	= "drivers/gpu/drm/vmwgfx/vmwgfx_kms.c",
++	[29073].name	= "vmw_kms_readback",
++	[29073].param6	= 1,
++	[29085].file	= "security/apparmor/apparmorfs.c",
++	[29085].name	= "profile_load",
++	[29085].param3	= 1,
++	[29092].file	= "lib/lru_cache.c",
++	[29092].name	= "lc_create",
++	[29092].param3	= 1,
++	[29189].file	= "drivers/gpu/drm/ttm/ttm_page_alloc.c",
++	[29189].name	= "ttm_put_pages",
++	[29189].param2	= 1,
++	[29257].file	= "drivers/vhost/vhost.c",
++	[29257].name	= "vhost_add_used_and_signal_n",
++	[29257].param4	= 1,
++	[29366].file	= "drivers/char/pcmcia/cm4000_cs.c",
++	[29366].name	= "cmm_read",
++	[29366].param3	= 1,
++	[29405].file	= "drivers/media/dvb/dvb-usb/dw2102.c",
++	[29405].name	= "dw210x_op_rw",
++	[29405].param6	= 1,
++	[29437].file	= "drivers/net/wireless/iwlegacy/iwl-4965-rs.c",
++	[29437].name	= "iwl4965_rs_sta_dbgfs_scale_table_write",
++	[29437].param3	= 1,
++	[29465].file	= "drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c",
++	[29465].name	= "mem_read",
++	[29465].param3	= 1,
++	[29714].file	= "drivers/scsi/cxgbi/libcxgbi.c",
++	[29714].name	= "cxgbi_device_register",
++	[29714].param1	= 1,
++	[29714].param2	= 1,
++	[29859].file	= "net/rds/page.c",
++	[29859].name	= "rds_page_copy_user",
++	[29859].param4	= 1,
++	[29875].file	= "sound/isa/gus/gus_pcm.c",
++	[29875].name	= "snd_gf1_pcm_playback_copy",
++	[29875].param5	= 1,
++	[29905].file	= "mm/nobootmem.c",
++	[29905].name	= "___alloc_bootmem",
++	[29905].param1	= 1,
++	[2995].file	= "mm/page_alloc.c",
++	[2995].name	= "alloc_large_system_hash",
++	[2995].param2	= 1,
++	[30242].file	= "fs/cifs/cifssmb.c",
++	[30242].name	= "cifs_readdata_alloc",
++	[30242].param1	= 1,
++	[30341].file	= "drivers/infiniband/hw/qib/qib_verbs.c",
++	[30341].name	= "qib_verbs_send",
++	[30341].param3	= 1,
++	[30341].param5	= 1,
++	[30438].file	= "mm/filemap_xip.c",
++	[30438].name	= "xip_file_read",
++	[30438].param3	= 1,
++	[30449].file	= "drivers/telephony/ixj.c",
++	[30449].name	= "ixj_read",
++	[30449].param3	= 1,
++	[30489].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[30489].name	= "iwl_dbgfs_rx_handlers_write",
++	[30489].param3	= 1,
++	[30693].file	= "fs/namei.c",
++	[30693].name	= "sys_rename",
++	[30693].param1	= 1,
++	[30693].param2	= 1,
++	[307].file	= "drivers/base/regmap/regmap-debugfs.c",
++	[307].name	= "regmap_map_read_file",
++	[307].param3	= 1,
++	[30970].file	= "drivers/usb/misc/ldusb.c",
++	[30970].name	= "ld_usb_read",
++	[30970].param3	= 1,
++	[31155].file	= "drivers/staging/frontier/alphatrack.c",
++	[31155].name	= "usb_alphatrack_write",
++	[31155].param3	= 1,
++	[31207].file	= "drivers/platform/x86/asus_acpi.c",
++	[31207].name	= "parse_arg",
++	[31207].param2	= 1,
++	[31348].file	= "kernel/sched.c",
++	[31348].name	= "sys_sched_getaffinity",
++	[31348].param2	= 1,
++	[31465].file	= "net/rds/message.c",
++	[31465].name	= "rds_message_map_pages",
++	[31465].param2	= 1,
++	[31492].file	= "drivers/hid/hidraw.c",
++	[31492].name	= "hidraw_read",
++	[31492].param3	= 1,
++	[31649].file	= "fs/ecryptfs/crypto.c",
++	[31649].name	= "ecryptfs_decode_and_decrypt_filename",
++	[31649].param5	= 1,
++	[3170].file	= "security/integrity/ima/ima_fs.c",
++	[3170].name	= "ima_write_policy",
++	[3170].param3	= 1,
++	[31730].file	= "net/dccp/proto.c",
++	[31730].name	= "dccp_setsockopt",
++	[31730].param5	= 1,
++	[31782].file	= "drivers/misc/pti.c",
++	[31782].name	= "pti_char_write",
++	[31782].param3	= 1,
++	[31789].file	= "fs/file.c",
++	[31789].name	= "alloc_fdmem",
++	[31789].param1	= 1,
++	[31957].file	= "fs/afs/proc.c",
++	[31957].name	= "afs_proc_cells_write",
++	[31957].param3	= 1,
++	[32025].file	= "drivers/nfc/pn544.c",
++	[32025].name	= "pn544_write",
++	[32025].param3	= 1,
++	[32182].file	= "net/sunrpc/cache.c",
++	[32182].name	= "cache_write",
++	[32182].param3	= 1,
++	[32326].file	= "drivers/tty/n_r3964.c",
++	[32326].name	= "r3964_write",
++	[32326].param4	= 1,
++	[32402].file	= "net/ceph/pagevec.c",
++	[32402].name	= "ceph_copy_user_to_page_vector",
++	[32402].param4	= 1,
++	[3241].file	= "drivers/usb/wusbcore/crypto.c",
++	[3241].name	= "wusb_prf",
++	[3241].param7	= 1,
++	[32459].file	= "drivers/media/radio/radio-wl1273.c",
++	[32459].name	= "wl1273_fm_fops_write",
++	[32459].param3	= 1,
++	[32560].file	= "drivers/input/input-mt.c",
++	[32560].name	= "input_mt_init_slots",
++	[32560].param2	= 1,
++	[32574].file	= "mm/mempolicy.c",
++	[32574].name	= "sys_get_mempolicy",
++	[32574].param3	= 1,
++	[32608].file	= "security/selinux/selinuxfs.c",
++	[32608].name	= "sel_write_checkreqprot",
++	[32608].param3	= 1,
++	[32950].file	= "fs/reiserfs/resize.c",
++	[32950].name	= "reiserfs_resize",
++	[32950].param2	= 1,
++	[33010].file	= "drivers/media/dvb/dvb-core/dvb_ringbuffer.c",
++	[33010].name	= "dvb_ringbuffer_pkt_read_user",
++	[33010].param5	= 1,
++	[33268].file	= "mm/maccess.c",
++	[33268].name	= "__probe_kernel_write",
++	[33268].param3	= 1,
++	[33280].file	= "fs/xfs/kmem.c",
++	[33280].name	= "kmem_realloc",
++	[33280].param2	= 1,
++	[33375].file	= "drivers/staging/rtl8712/osdep_service.h",
++	[33375].name	= "_malloc",
++	[33375].param1	= 1,
++	[33637].file	= "net/9p/client.c",
++	[33637].name	= "p9_client_read",
++	[33637].param5	= 1,
++	[33669].file	= "fs/gfs2/glock.c",
++	[33669].name	= "gfs2_glock_nq_m",
++	[33669].param1	= 1,
++	[33810].file	= "net/mac80211/util.c",
++	[33810].name	= "ieee80211_send_probe_req",
++	[33810].param6	= 1,
++	[3384].file	= "drivers/block/paride/pg.c",
++	[3384].name	= "pg_write",
++	[3384].param3	= 1,
++	[34016].file	= "drivers/tty/tty_buffer.c",
++	[34016].name	= "tty_prepare_flip_string_flags",
++	[34016].param4	= 1,
++	[34105].file	= "fs/libfs.c",
++	[34105].name	= "simple_read_from_buffer",
++	[34105].param2	= 1,
++	[34105].param5	= 1,
++	[34120].file	= "drivers/media/video/pvrusb2/pvrusb2-io.c",
++	[34120].name	= "pvr2_stream_buffer_count",
++	[34120].param2	= 1,
++	[34226].file	= "mm/shmem.c",
++	[34226].name	= "shmem_xattr_set",
++	[34226].param4	= 1,
++	[34251].file	= "drivers/staging/cxt1e1/sbecom_inline_linux.h",
++	[34251].name	= "OS_kmalloc",
++	[34251].param1	= 1,
++	[34276].file	= "drivers/media/video/videobuf2-core.c",
++	[34276].name	= "__vb2_perform_fileio",
++	[34276].param3	= 1,
++	[34278].file	= "fs/ubifs/debug.c",
++	[34278].name	= "dfs_global_file_write",
++	[34278].param3	= 1,
++	[34432].file	= "drivers/edac/edac_pci.c",
++	[34432].name	= "edac_pci_alloc_ctl_info",
++	[34432].param1	= 1,
++	[34551].file	= "fs/ocfs2/stack_user.c",
++	[34551].name	= "ocfs2_control_cfu",
++	[34551].param2	= 1,
++	[34666].file	= "fs/cifs/cifs_debug.c",
++	[34666].name	= "cifs_security_flags_proc_write",
++	[34666].param3	= 1,
++	[34672].file	= "drivers/tty/tty_io.c",
++	[34672].name	= "tty_write",
++	[34672].param3	= 1,
++	[34760].file	= "include/acpi/platform/aclinux.h",
++	[34760].name	= "acpi_os_allocate_zeroed",
++	[34760].param1	= 1,
++	[34802].file	= "drivers/scsi/cxgbi/libcxgbi.h",
++	[34802].name	= "cxgbi_alloc_big_mem",
++	[34802].param1	= 1,
++	[34847].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[34847].name	= "iwl_dbgfs_clear_traffic_statistics_write",
++	[34847].param3	= 1,
++	[34863].file	= "drivers/video/fbsysfs.c",
++	[34863].name	= "framebuffer_alloc",
++	[34863].param1	= 1,
++	[34882].file	= "drivers/platform/x86/toshiba_acpi.c",
++	[34882].name	= "video_proc_write",
++	[34882].param3	= 1,
++	[34988].file	= "drivers/net/wireless/libertas/debugfs.c",
++	[34988].name	= "lbs_rdrf_write",
++	[34988].param3	= 1,
++	[35007].file	= "drivers/usb/mon/mon_bin.c",
++	[35007].name	= "mon_bin_read",
++	[35007].param3	= 1,
++	[35050].file	= "fs/ocfs2/dlmfs/dlmfs.c",
++	[35050].name	= "dlmfs_file_write",
++	[35050].param3	= 1,
++	[35119].file	= "fs/xattr.c",
++	[35119].name	= "sys_llistxattr",
++	[35119].param3	= 1,
++	[35129].file	= "mm/nobootmem.c",
++	[35129].name	= "___alloc_bootmem_nopanic",
++	[35129].param1	= 1,
++	[35176].file	= "drivers/usb/misc/ldusb.c",
++	[35176].name	= "ld_usb_write",
++	[35176].param3	= 1,
++	[35234].file	= "net/irda/irnet/irnet_ppp.c",
++	[35234].name	= "irnet_ctrl_write",
++	[35234].param3	= 1,
++	[35256].file	= "sound/core/memory.c",
++	[35256].name	= "copy_from_user_toio",
++	[35256].param3	= 1,
++	[35268].file	= "security/keys/request_key_auth.c",
++	[35268].name	= "request_key_auth_read",
++	[35268].param3	= 1,
++	[3541].file	= "drivers/mtd/ubi/cdev.c",
++	[3541].name	= "vol_cdev_write",
++	[3541].param3	= 1,
++	[35443].file	= "sound/core/pcm_memory.c",
++	[35443].name	= "_snd_pcm_lib_alloc_vmalloc_buffer",
++	[35443].param2	= 1,
++	[35449].file	= "fs/namei.c",
++	[35449].name	= "sys_mkdir",
++	[35449].param1	= 1,
++	[35542].file	= "drivers/tty/ipwireless/hardware.c",
++	[35542].name	= "ipwireless_send_packet",
++	[35542].param4	= 1,
++	[35556].file	= "fs/read_write.c",
++	[35556].name	= "sys_readv",
++	[35556].param3	= 1,
++	[35610].file	= "net/batman-adv/translation-table.c",
++	[35610].name	= "tt_save_orig_buffer",
++	[35610].param4	= 1,
++	[35693].file	= "drivers/staging/mei/main.c",
++	[35693].name	= "mei_read",
++	[35693].param3	= 1,
++	[35729].file	= "include/linux/skbuff.h",
++	[35729].name	= "__dev_alloc_skb",
++	[35729].param1	= 1,
++	[35731].file	= "drivers/usb/class/cdc-wdm.c",
++	[35731].name	= "wdm_read",
++	[35731].param3	= 1,
++	[35796].file	= "drivers/mtd/nand/nand_bch.c",
++	[35796].name	= "nand_bch_init",
++	[35796].param2	= 1,
++	[35796].param3	= 1,
++	[35880].file	= "fs/ecryptfs/crypto.c",
++	[35880].name	= "ecryptfs_encrypt_and_encode_filename",
++	[35880].param6	= 1,
++	[3604].file	= "net/batman-adv/translation-table.c",
++	[3604].name	= "tt_update_orig",
++	[3604].param4	= 1,
++	[36080].file	= "drivers/media/video/v4l2-ioctl.c",
++	[36080].name	= "video_usercopy",
++	[36080].param2	= 1,
++	[36149].file	= "fs/udf/inode.c",
++	[36149].name	= "udf_alloc_i_data",
++	[36149].param2	= 1,
++	[36183].file	= "drivers/tty/vt/vc_screen.c",
++	[36183].name	= "vcs_read",
++	[36183].param3	= 1,
++	[36199].file	= "net/sunrpc/auth_gss/auth_gss.c",
++	[36199].name	= "gss_pipe_downcall",
++	[36199].param3	= 1,
++	[3630].file	= "drivers/video/broadsheetfb.c",
++	[3630].name	= "broadsheetfb_write",
++	[3630].param3	= 1,
++	[3632].file	= "drivers/firewire/core-cdev.c",
++	[3632].name	= "fw_device_op_read",
++	[3632].param3	= 1,
++	[36490].file	= "drivers/net/wireless/ath/ath6kl/cfg80211.c",
++	[36490].name	= "ath6kl_cfg80211_connect_event",
++	[36490].param7	= 1,
++	[36522].file	= "drivers/hid/hidraw.c",
++	[36522].name	= "hidraw_send_report",
++	[36522].param3	= 1,
++	[36560].file	= "net/sunrpc/cache.c",
++	[36560].name	= "write_flush",
++	[36560].param3	= 1,
++	[36633].file	= "drivers/net/wireless/rt2x00/rt2x00debug.c",
++	[36633].name	= "rt2x00debug_read_queue_stats",
++	[36633].param3	= 1,
++	[3665].file	= "drivers/media/video/ivtv/ivtvfb.c",
++	[3665].name	= "ivtvfb_write",
++	[3665].param3	= 1,
++	[36981].file	= "drivers/video/via/viafbdev.c",
++	[36981].name	= "viafb_dfpl_proc_write",
++	[36981].param3	= 1,
++	[37034].file	= "fs/cifs/cifssmb.c",
++	[37034].name	= "cifs_writedata_alloc",
++	[37034].param1	= 1,
++	[37044].file	= "sound/firewire/packets-buffer.c",
++	[37044].name	= "iso_packets_buffer_init",
++	[37044].param3	= 1,
++	[37115].file	= "drivers/tty/tty_buffer.c",
++	[37115].name	= "tty_prepare_flip_string",
++	[37115].param3	= 1,
++	[37163].file	= "net/core/skbuff.c",
++	[37163].name	= "__netdev_alloc_skb",
++	[37163].param2	= 1,
++	[37204].file	= "drivers/isdn/hardware/eicon/divasi.c",
++	[37204].name	= "um_idi_read",
++	[37204].param3	= 1,
++	[37233].file	= "fs/ocfs2/cluster/tcp.c",
++	[37233].name	= "o2net_send_message_vec",
++	[37233].param4	= 1,
++	[37309].file	= "drivers/mtd/mtdchar.c",
++	[37309].name	= "mtd_do_readoob",
++	[37309].param4	= 1,
++	[37382].file	= "drivers/staging/pohmelfs/inode.c",
++	[37382].name	= "pohmelfs_readpages_trans_complete",
++	[37382].param2	= 1,
++	[37384].file	= "drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c",
++	[37384].name	= "vmw_fifo_reserve",
++	[37384].param2	= 1,
++	[37497].file	= "net/mac80211/util.c",
++	[37497].name	= "ieee80211_build_probe_req",
++	[37497].param7	= 1,
++	[37594].file	= "include/linux/poll.h",
++	[37594].name	= "get_fd_set",
++	[37594].param1	= 1,
++	[37611].file	= "drivers/xen/xenbus/xenbus_xs.c",
++	[37611].name	= "split",
++	[37611].param2	= 1,
++	[37661].file	= "mm/filemap.c",
++	[37661].name	= "file_read_actor",
++	[37661].param4	= 1,
++	[37872].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[37872].name	= "iwl_dbgfs_protection_mode_write",
++	[37872].param3	= 1,
++	[37976].file	= "drivers/platform/x86/asus_acpi.c",
++	[37976].name	= "bluetooth_proc_write",
++	[37976].param3	= 1,
++	[3797].file	= "sound/pci/asihpi/hpicmn.c",
++	[3797].name	= "hpi_alloc_control_cache",
++	[3797].param1	= 1,
++	[3801].file	= "drivers/block/paride/pt.c",
++	[3801].name	= "pt_write",
++	[3801].param3	= 1,
++	[38057].file	= "fs/coda/psdev.c",
++	[38057].name	= "coda_psdev_write",
++	[38057].param3	= 1,
++	[38186].file	= "kernel/signal.c",
++	[38186].name	= "do_sigpending",
++	[38186].param2	= 1,
++	[38401].file	= "drivers/xen/xenfs/xenbus.c",
++	[38401].name	= "queue_reply",
++	[38401].param3	= 1,
++	[3841].file	= "drivers/platform/x86/asus_acpi.c",
++	[3841].name	= "write_led",
++	[3841].param2	= 1,
++	[38532].file	= "fs/afs/cell.c",
++	[38532].name	= "afs_cell_lookup",
++	[38532].param2	= 1,
++	[38576].file	= "drivers/i2c/i2c-dev.c",
++	[38576].name	= "i2cdev_read",
++	[38576].param3	= 1,
++	[38747].file	= "fs/xattr.c",
++	[38747].name	= "sys_lgetxattr",
++	[38747].param4	= 1,
++	[38972].file	= "security/smack/smackfs.c",
++	[38972].name	= "smk_write_logging",
++	[38972].param3	= 1,
++	[39001].file	= "net/xfrm/xfrm_hash.c",
++	[39001].name	= "xfrm_hash_alloc",
++	[39001].param1	= 1,
++	[39044].file	= "lib/kstrtox.c",
++	[39044].name	= "kstrtos16_from_user",
++	[39044].param2	= 1,
++	[39052].file	= "drivers/input/evdev.c",
++	[39052].name	= "evdev_ioctl",
++	[39052].param2	= 1,
++	[39154].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[39154].name	= "iwl_dbgfs_clear_ucode_statistics_write",
++	[39154].param3	= 1,
++	[39155].file	= "drivers/xen/grant-table.c",
++	[39155].name	= "get_free_entries",
++	[39155].param1	= 1,
++	[39254].file	= "drivers/char/pcmcia/cm4000_cs.c",
++	[39254].name	= "cmm_write",
++	[39254].param3	= 1,
++	[39415].file	= "fs/pstore/inode.c",
++	[39415].name	= "pstore_mkfile",
++	[39415].param5	= 1,
++	[39417].file	= "drivers/block/DAC960.c",
++	[39417].name	= "dac960_user_command_proc_write",
++	[39417].param3	= 1,
++	[39479].file	= "drivers/ide/ide-tape.c",
++	[39479].name	= "idetape_chrdev_read",
++	[39479].param3	= 1,
++	[39573].file	= "drivers/hid/hid-picolcd.c",
++	[39573].name	= "picolcd_debug_reset_write",
++	[39573].param3	= 1,
++	[39583].file	= "drivers/net/ethernet/broadcom/cnic.c",
++	[39583].name	= "cnic_init_id_tbl",
++	[39583].param2	= 1,
++	[39606].file	= "drivers/bluetooth/hci_vhci.c",
++	[39606].name	= "vhci_write",
++	[39606].param3	= 1,
++	[39638].file	= "security/selinux/selinuxfs.c",
++	[39638].name	= "sel_write_avc_cache_threshold",
++	[39638].param3	= 1,
++	[39645].file	= "drivers/media/dvb/dvb-core/dvbdev.c",
++	[39645].name	= "dvb_generic_ioctl",
++	[39645].param2	= 1,
++	[39741].file	= "drivers/video/via/viafbdev.c",
++	[39741].name	= "viafb_iga2_odev_proc_write",
++	[39741].param3	= 1,
++	[39888].file	= "net/core/skbuff.c",
++	[39888].name	= "__alloc_skb",
++	[39888].param1	= 1,
++	[40043].file	= "drivers/media/video/v4l2-ioctl.c",
++	[40043].name	= "video_ioctl2",
++	[40043].param2	= 1,
++	[40049].file	= "drivers/bluetooth/btmrvl_debugfs.c",
++	[40049].name	= "btmrvl_psmode_write",
++	[40049].param3	= 1,
++	[40075].file	= "drivers/media/video/c-qcam.c",
++	[40075].name	= "qc_capture",
++	[40075].param3	= 1,
++	[40163].file	= "fs/ncpfs/file.c",
++	[40163].name	= "ncp_file_write",
++	[40163].param3	= 1,
++	[40240].file	= "drivers/char/nvram.c",
++	[40240].name	= "nvram_write",
++	[40240].param3	= 1,
++	[40256].file	= "drivers/tty/vt/vc_screen.c",
++	[40256].name	= "vcs_write",
++	[40256].param3	= 1,
++	[40302].file	= "sound/isa/gus/gus_dram.c",
++	[40302].name	= "snd_gus_dram_poke",
++	[40302].param4	= 1,
++	[40355].file	= "drivers/staging/mei/main.c",
++	[40355].name	= "mei_write",
++	[40355].param3	= 1,
++	[40373].file	= "fs/cifs/cifs_spnego.c",
++	[40373].name	= "cifs_spnego_key_instantiate",
++	[40373].param3	= 1,
++	[40412].file	= "fs/namei.c",
++	[40412].name	= "user_path_at",
++	[40412].param2	= 1,
++	[40578].file	= "sound/soc/soc-core.c",
++	[40578].name	= "codec_reg_write_file",
++	[40578].param3	= 1,
++	[40678].file	= "drivers/net/wireless/iwlegacy/iwl-debugfs.c",
++	[40678].name	= "iwl_legacy_dbgfs_traffic_log_write",
++	[40678].param3	= 1,
++	[40713].file	= "net/mac80211/debugfs.c",
++	[40713].name	= "noack_write",
++	[40713].param3	= 1,
++	[40754].file	= "fs/btrfs/delayed-inode.c",
++	[40754].name	= "btrfs_alloc_delayed_item",
++	[40754].param1	= 1,
++	[40786].file	= "net/ipv4/netfilter/nf_nat_snmp_basic.c",
++	[40786].name	= "asn1_octets_decode",
++	[40786].param2	= 1,
++	[40901].file	= "drivers/block/drbd/drbd_bitmap.c",
++	[40901].name	= "drbd_bm_resize",
++	[40901].param2	= 1,
++	[40952].file	= "drivers/misc/sgi-xp/xpc_partition.c",
++	[40952].name	= "xpc_kmalloc_cacheline_aligned",
++	[40952].param1	= 1,
++	[41000].file	= "sound/core/pcm_native.c",
++	[41000].name	= "snd_pcm_aio_read",
++	[41000].param3	= 1,
++	[41003].file	= "fs/namei.c",
++	[41003].name	= "user_path_parent",
++	[41003].param2	= 1,
++	[41005].file	= "net/bridge/netfilter/ebtables.c",
++	[41005].name	= "copy_counters_to_user",
++	[41005].param5	= 1,
++	[41090].file	= "drivers/net/wireless/iwlegacy/iwl-debugfs.c",
++	[41090].name	= "iwl_legacy_dbgfs_sram_write",
++	[41090].param3	= 1,
++	[41122].file	= "fs/binfmt_misc.c",
++	[41122].name	= "bm_status_write",
++	[41122].param3	= 1,
++	[41230].file	= "drivers/usb/storage/datafab.c",
++	[41230].name	= "datafab_read_data",
++	[41230].param4	= 1,
++	[41249].file	= "drivers/media/video/zr364xx.c",
++	[41249].name	= "send_control_msg",
++	[41249].param6	= 1,
++	[41302].file	= "net/dns_resolver/dns_query.c",
++	[41302].name	= "dns_query",
++	[41302].param3	= 1,
++	[41418].file	= "fs/libfs.c",
++	[41418].name	= "simple_attr_write",
++	[41418].param3	= 1,
++	[4155].file	= "kernel/kexec.c",
++	[4155].name	= "do_kimage_alloc",
++	[4155].param3	= 1,
++	[41592].file	= "net/sctp/ssnmap.c",
++	[41592].name	= "sctp_ssnmap_new",
++	[41592].param1	= 1,
++	[41592].param2	= 1,
++	[41616].file	= "net/core/filter.c",
++	[41616].name	= "sk_chk_filter",
++	[41616].param2	= 1,
++	[41676].file	= "fs/compat.c",
++	[41676].name	= "compat_sys_preadv",
++	[41676].param3	= 1,
++	[41727].file	= "drivers/media/video/meye.c",
++	[41727].name	= "rvmalloc",
++	[41727].param1	= 1,
++	[41884].file	= "sound/core/oss/pcm_plugin.c",
++	[41884].name	= "snd_pcm_plug_alloc",
++	[41884].param2	= 1,
++	[41924].file	= "security/keys/keyctl.c",
++	[41924].name	= "keyctl_get_security",
++	[41924].param3	= 1,
++	[4202].file	= "drivers/edac/edac_mc.c",
++	[4202].name	= "edac_mc_alloc",
++	[4202].param1	= 1,
++	[42143].file	= "drivers/media/video/c-qcam.c",
++	[42143].name	= "qcam_read",
++	[42143].param3	= 1,
++	[42206].file	= "fs/quota/quota_tree.c",
++	[42206].name	= "getdqbuf",
++	[42206].param1	= 1,
++	[42270].file	= "net/wireless/scan.c",
++	[42270].name	= "cfg80211_inform_bss_frame",
++	[42270].param4	= 1,
++	[4233].file	= "fs/select.c",
++	[4233].name	= "sys_poll",
++	[4233].param2	= 1,
++	[42378].file	= "drivers/net/wireless/ath/ath6kl/debug.c",
++	[42378].name	= "ath6kl_regread_write",
++	[42378].param3	= 1,
++	[42420].file	= "drivers/net/wireless/hostap/hostap_ioctl.c",
++	[42420].name	= "prism2_set_genericelement",
++	[42420].param3	= 1,
++	[42466].file	= "drivers/scsi/lpfc/lpfc_debugfs.c",
++	[42466].name	= "lpfc_idiag_cmd_get",
++	[42466].param2	= 1,
++	[42472].file	= "fs/compat.c",
++	[42472].name	= "compat_readv",
++	[42472].param3	= 1,
++	[42483].file	= "drivers/media/video/videobuf-dma-sg.c",
++	[42483].name	= "videobuf_dma_init_user_locked",
++	[42483].param3	= 1,
++	[42483].param4	= 1,
++	[42562].file	= "kernel/kfifo.c",
++	[42562].name	= "__kfifo_to_user_r",
++	[42562].param3	= 1,
++	[42666].file	= "drivers/pcmcia/cistpl.c",
++	[42666].name	= "read_cis_cache",
++	[42666].param4	= 1,
++	[42882].file	= "security/keys/user_defined.c",
++	[42882].name	= "user_instantiate",
++	[42882].param3	= 1,
++	[42964].file	= "drivers/video/fb_sys_fops.c",
++	[42964].name	= "fb_sys_read",
++	[42964].param3	= 1,
++	[43023].file	= "drivers/usb/misc/usblcd.c",
++	[43023].name	= "lcd_write",
++	[43023].param3	= 1,
++	[4324].file	= "drivers/video/fbmem.c",
++	[4324].name	= "fb_read",
++	[4324].param3	= 1,
++	[43380].file	= "drivers/scsi/bfa/bfad_debugfs.c",
++	[43380].name	= "bfad_debugfs_write_regrd",
++	[43380].param3	= 1,
++	[43393].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[43393].name	= "iwl_dbgfs_sram_write",
++	[43393].param3	= 1,
++	[4344].file	= "fs/namei.c",
++	[4344].name	= "sys_mkdirat",
++	[4344].param2	= 1,
++	[43510].file	= "kernel/kexec.c",
++	[43510].name	= "compat_sys_kexec_load",
++	[43510].param2	= 1,
++	[43515].file	= "drivers/usb/storage/jumpshot.c",
++	[43515].name	= "jumpshot_read_data",
++	[43515].param4	= 1,
++	[43540].file	= "include/rdma/ib_verbs.h",
++	[43540].name	= "ib_copy_to_udata",
++	[43540].param3	= 1,
++	[4357].file	= "security/tomoyo/securityfs_if.c",
++	[4357].name	= "tomoyo_read_self",
++	[4357].param3	= 1,
++	[43590].file	= "security/smack/smackfs.c",
++	[43590].name	= "smk_write_onlycap",
++	[43590].param3	= 1,
++	[43596].file	= "drivers/usb/core/buffer.c",
++	[43596].name	= "hcd_buffer_alloc",
++	[43596].param2	= 1,
++	[43632].file	= "drivers/media/video/videobuf2-core.c",
++	[43632].name	= "vb2_read",
++	[43632].param3	= 1,
++	[43731].file	= "drivers/hid/hid-picolcd.c",
++	[43731].name	= "picolcd_debug_eeprom_read",
++	[43731].param3	= 1,
++	[43777].file	= "drivers/acpi/acpica/utobject.c",
++	[43777].name	= "acpi_ut_create_buffer_object",
++	[43777].param1	= 1,
++	[43834].file	= "security/apparmor/apparmorfs.c",
++	[43834].name	= "profile_replace",
++	[43834].param3	= 1,
++	[43899].file	= "drivers/media/rc/imon.c",
++	[43899].name	= "vfd_write",
++	[43899].param3	= 1,
++	[43982].file	= "drivers/platform/x86/toshiba_acpi.c",
++	[43982].name	= "keys_proc_write",
++	[43982].param3	= 1,
++	[44039].file	= "drivers/video/via/viafbdev.c",
++	[44039].name	= "odev_update",
++	[44039].param2	= 1,
++	[44050].file	= "fs/nfs/idmap.c",
++	[44050].name	= "nfs_map_group_to_gid",
++	[44050].param3	= 1,
++	[44125].file	= "fs/ext4/super.c",
++	[44125].name	= "ext4_kvmalloc",
++	[44125].param1	= 1,
++	[44180].file	= "drivers/video/via/viafbdev.c",
++	[44180].name	= "viafb_vt1636_proc_write",
++	[44180].param3	= 1,
++	[44290].file	= "drivers/net/usb/dm9601.c",
++	[44290].name	= "dm_read",
++	[44290].param3	= 1,
++	[44298].file	= "drivers/scsi/pmcraid.c",
++	[44298].name	= "pmcraid_copy_sglist",
++	[44298].param3	= 1,
++	[44365].file	= "fs/namei.c",
++	[44365].name	= "do_rmdir",
++	[44365].param2	= 1,
++	[44640].file	= "fs/select.c",
++	[44640].name	= "sys_ppoll",
++	[44640].param2	= 1,
++	[44649].file	= "mm/page_cgroup.c",
++	[44649].name	= "swap_cgroup_swapon",
++	[44649].param2	= 1,
++	[44656].file	= "drivers/net/wireless/iwlegacy/iwl-debugfs.c",
++	[44656].name	= "iwl_legacy_dbgfs_wd_timeout_write",
++	[44656].param3	= 1,
++	[4471].file	= "fs/ntfs/malloc.h",
++	[4471].name	= "__ntfs_malloc",
++	[4471].param1	= 1,
++	[44773].file	= "drivers/staging/vme/devices/vme_user.c",
++	[44773].name	= "vme_user_write",
++	[44773].param3	= 1,
++	[44825].file	= "drivers/scsi/osd/osd_initiator.c",
++	[44825].name	= "_osd_realloc_seg",
++	[44825].param3	= 1,
++	[44943].file	= "mm/util.c",
++	[44943].name	= "kmemdup",
++	[44943].param2	= 1,
++	[44990].file	= "drivers/media/video/pvrusb2/pvrusb2-ioread.c",
++	[44990].name	= "pvr2_ioread_set_sync_key",
++	[44990].param3	= 1,
++	[45000].file	= "fs/afs/proc.c",
++	[45000].name	= "afs_proc_rootcell_write",
++	[45000].param3	= 1,
++	[45119].file	= "drivers/usb/misc/yurex.c",
++	[45119].name	= "yurex_write",
++	[45119].param3	= 1,
++	[45169].file	= "drivers/video/metronomefb.c",
++	[45169].name	= "metronomefb_write",
++	[45169].param3	= 1,
++	[45200].file	= "drivers/scsi/scsi_proc.c",
++	[45200].name	= "proc_scsi_write_proc",
++	[45200].param3	= 1,
++	[45217].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[45217].name	= "iwl_dbgfs_debug_level_write",
++	[45217].param3	= 1,
++	[45231].file	= "fs/ecryptfs/crypto.c",
++	[45231].name	= "ecryptfs_copy_filename",
++	[45231].param4	= 1,
++	[45233].file	= "net/rds/info.c",
++	[45233].name	= "rds_info_getsockopt",
++	[45233].param3	= 1,
++	[45244].file	= "drivers/mfd/ab3100-core.c",
++	[45244].name	= "ab3100_get_set_reg",
++	[45244].param3	= 1,
++	[45264].file	= "drivers/net/wireless/ath/ath5k/debug.c",
++	[45264].name	= "write_file_ani",
++	[45264].param3	= 1,
++	[45326].file	= "drivers/mtd/ubi/cdev.c",
++	[45326].name	= "vol_cdev_read",
++	[45326].param3	= 1,
++	[45335].file	= "fs/read_write.c",
++	[45335].name	= "vfs_writev",
++	[45335].param3	= 1,
++	[45421].file	= "drivers/message/fusion/mptctl.c",
++	[45421].name	= "mptctl_do_mpt_command",
++	[45421].param3	= 1,
++	[45534].file	= "drivers/net/wireless/ath/carl9170/cmd.c",
++	[45534].name	= "carl9170_cmd_buf",
++	[45534].param3	= 1,
++	[45576].file	= "net/netfilter/xt_recent.c",
++	[45576].name	= "recent_mt_proc_write",
++	[45576].param3	= 1,
++	[45586].file	= "drivers/net/wireless/rt2x00/rt2x00debug.c",
++	[45586].name	= "rt2x00debug_write_bbp",
++	[45586].param3	= 1,
++	[45629].file	= "lib/bch.c",
++	[45629].name	= "bch_alloc",
++	[45629].param1	= 1,
++	[45633].file	= "drivers/input/evdev.c",
++	[45633].name	= "evdev_do_ioctl",
++	[45633].param2	= 1,
++	[45740].file	= "drivers/net/wireless/ath/ath6kl/debug.c",
++	[45740].name	= "ath6kl_lrssi_roam_write",
++	[45740].param3	= 1,
++	[45747].file	= "net/netlink/af_netlink.c",
++	[45747].name	= "__netlink_change_ngroups",
++	[45747].param2	= 1,
++	[45930].file	= "security/apparmor/apparmorfs.c",
++	[45930].name	= "profile_remove",
++	[45930].param3	= 1,
++	[45954].file	= "drivers/usb/misc/legousbtower.c",
++	[45954].name	= "tower_write",
++	[45954].param3	= 1,
++	[45995].file	= "fs/namei.c",
++	[45995].name	= "sys_mknodat",
++	[45995].param2	= 1,
++	[46072].file	= "drivers/video/arcfb.c",
++	[46072].name	= "arcfb_write",
++	[46072].param3	= 1,
++	[46140].file	= "sound/core/memalloc.c",
++	[46140].name	= "snd_mem_proc_write",
++	[46140].param3	= 1,
++	[4614].file	= "sound/core/pcm_lib.c",
++	[4614].name	= "snd_pcm_lib_write_transfer",
++	[4614].param5	= 1,
++	[4616].file	= "net/sunrpc/cache.c",
++	[4616].name	= "cache_do_downcall",
++	[4616].param3	= 1,
++	[46243].file	= "fs/binfmt_misc.c",
++	[46243].name	= "bm_register_write",
++	[46243].param3	= 1,
++	[46250].file	= "fs/xattr.c",
++	[46250].name	= "sys_getxattr",
++	[46250].param4	= 1,
++	[46343].file	= "fs/compat.c",
++	[46343].name	= "compat_do_readv_writev",
++	[46343].param4	= 1,
++	[4644].file	= "drivers/net/usb/mcs7830.c",
++	[4644].name	= "mcs7830_get_reg",
++	[4644].param3	= 1,
++	[46605].file	= "sound/core/oss/pcm_oss.c",
++	[46605].name	= "snd_pcm_oss_sync1",
++	[46605].param2	= 1,
++	[46630].file	= "net/decnet/af_decnet.c",
++	[46630].name	= "__dn_setsockopt",
++	[46630].param5	= 1,
++	[46655].file	= "drivers/media/video/hdpvr/hdpvr-video.c",
++	[46655].name	= "hdpvr_read",
++	[46655].param3	= 1,
++	[46685].file	= "drivers/gpu/drm/ttm/ttm_bo_vm.c",
++	[46685].name	= "ttm_bo_fbdev_io",
++	[46685].param4	= 1,
++	[46752].file	= "drivers/staging/pohmelfs/dir.c",
++	[46752].name	= "pohmelfs_name_alloc",
++	[46752].param1	= 1,
++	[46881].file	= "drivers/char/lp.c",
++	[46881].name	= "lp_write",
++	[46881].param3	= 1,
++	[47130].file	= "kernel/kfifo.c",
++	[47130].name	= "kfifo_copy_to_user",
++	[47130].param3	= 1,
++	[47265].file	= "drivers/scsi/bnx2fc/bnx2fc_io.c",
++	[47265].name	= "bnx2fc_cmd_mgr_alloc",
++	[47265].param2	= 1,
++	[47265].param3	= 1,
++	[47342].file	= "fs/proc/base.c",
++	[47342].name	= "sched_autogroup_write",
++	[47342].param3	= 1,
++	[47363].file	= "drivers/input/evdev.c",
++	[47363].name	= "evdev_ioctl_handler",
++	[47363].param2	= 1,
++	[47385].file	= "drivers/net/wireless/zd1211rw/zd_usb.c",
++	[47385].name	= "zd_usb_iowrite16v",
++	[47385].param3	= 1,
++	[47463].file	= "fs/xfs/kmem.c",
++	[47463].name	= "kmem_zalloc",
++	[47463].param1	= 1,
++	[47636].file	= "drivers/usb/class/usblp.c",
++	[47636].name	= "usblp_ioctl",
++	[47636].param2	= 1,
++	[47637].file	= "drivers/block/cciss.c",
++	[47637].name	= "cciss_proc_write",
++	[47637].param3	= 1,
++	[47652].file	= "lib/kstrtox.c",
++	[47652].name	= "kstrtoll_from_user",
++	[47652].param2	= 1,
++	[47881].file	= "security/selinux/selinuxfs.c",
++	[47881].name	= "sel_write_disable",
++	[47881].param3	= 1,
++	[48010].file	= "drivers/net/wireless/ath/ath9k/debug.c",
++	[48010].name	= "write_file_rx_chainmask",
++	[48010].param3	= 1,
++	[48155].file	= "net/sctp/sm_make_chunk.c",
++	[48155].name	= "sctp_make_abort_user",
++	[48155].param3	= 1,
++	[48182].file	= "crypto/cryptd.c",
++	[48182].name	= "cryptd_alloc_instance",
++	[48182].param2	= 1,
++	[48248].file	= "security/keys/keyctl.c",
++	[48248].name	= "keyctl_instantiate_key",
++	[48248].param3	= 1,
++	[48461].file	= "drivers/gpu/drm/drm_memory.c",
++	[48461].name	= "agp_remap",
++	[48461].param2	= 1,
++	[48642].file	= "fs/hugetlbfs/inode.c",
++	[48642].name	= "hugetlbfs_read",
++	[48642].param3	= 1,
++	[48720].file	= "drivers/gpu/drm/i915/i915_debugfs.c",
++	[48720].name	= "i915_max_freq_write",
++	[48720].param3	= 1,
++	[48768].file	= "net/irda/irnet/irnet_ppp.c",
++	[48768].name	= "dev_irnet_write",
++	[48768].param3	= 1,
++	[48856].file	= "drivers/acpi/acpica/utalloc.c",
++	[48856].name	= "acpi_ut_initialize_buffer",
++	[48856].param2	= 1,
++	[48941].file	= "drivers/gpu/drm/nouveau/nouveau_vm.c",
++	[48941].name	= "nouveau_vm_new",
++	[48941].param2	= 1,
++	[48941].param3	= 1,
++	[49126].file	= "lib/prio_heap.c",
++	[49126].name	= "heap_init",
++	[49126].param2	= 1,
++	[49143].file	= "sound/core/oss/pcm_oss.c",
++	[49143].name	= "snd_pcm_oss_write2",
++	[49143].param3	= 1,
++	[49216].file	= "fs/read_write.c",
++	[49216].name	= "do_readv_writev",
++	[49216].param4	= 1,
++	[49354].file	= "drivers/media/video/cx18/cx18-fileops.c",
++	[49354].name	= "cx18_v4l2_read",
++	[49354].param3	= 1,
++	[49448].file	= "drivers/isdn/gigaset/common.c",
++	[49448].name	= "gigaset_initdriver",
++	[49448].param2	= 1,
++	[49494].file	= "drivers/virtio/virtio_ring.c",
++	[49494].name	= "vring_new_virtqueue",
++	[49494].param1	= 1,
++	[49507].file	= "fs/namei.c",
++	[49507].name	= "sys_symlink",
++	[49507].param1	= 1,
++	[49604].file	= "crypto/af_alg.c",
++	[49604].name	= "alg_setsockopt",
++	[49604].param5	= 1,
++	[49646].file	= "drivers/tty/vt/vt.c",
++	[49646].name	= "vc_resize",
++	[49646].param2	= 1,
++	[49646].param3	= 1,
++	[49663].file	= "drivers/media/video/uvc/uvc_driver.c",
++	[49663].name	= "uvc_simplify_fraction",
++	[49663].param3	= 1,
++	[49718].file	= "drivers/hid/hid-roccat-common.c",
++	[49718].name	= "roccat_common_send",
++	[49718].param4	= 1,
++	[4972].file	= "drivers/video/fb_sys_fops.c",
++	[4972].name	= "fb_sys_write",
++	[4972].param3	= 1,
++	[49746].file	= "net/ipv4/netfilter/arp_tables.c",
++	[49746].name	= "compat_do_arpt_set_ctl",
++	[49746].param4	= 1,
++	[49780].file	= "net/mac80211/key.c",
++	[49780].name	= "ieee80211_key_alloc",
++	[49780].param3	= 1,
++	[49845].file	= "mm/vmalloc.c",
++	[49845].name	= "__vmalloc_node",
++	[49845].param1	= 1,
++	[49935].file	= "fs/xfs/kmem.c",
++	[49935].name	= "kmem_zalloc_greedy",
++	[49935].param2	= 1,
++	[49935].param3	= 1,
++	[50001].file	= "sound/pci/ctxfi/ctresource.c",
++	[50001].name	= "rsc_mgr_init",
++	[50001].param3	= 1,
++	[50022].file	= "drivers/usb/storage/shuttle_usbat.c",
++	[50022].name	= "usbat_flash_read_data",
++	[50022].param4	= 1,
++	[50096].file	= "drivers/net/wireless/libertas/debugfs.c",
++	[50096].name	= "lbs_rdbbp_write",
++	[50096].param3	= 1,
++	[50102].file	= "drivers/telephony/ixj.c",
++	[50102].name	= "ixj_write",
++	[50102].param3	= 1,
++	[50238].file	= "drivers/net/wireless/iwlegacy/iwl-debugfs.c",
++	[50238].name	= "iwl_legacy_dbgfs_clear_ucode_statistics_write",
++	[50238].param3	= 1,
++	[50267].file	= "drivers/net/wireless/rt2x00/rt2x00debug.c",
++	[50267].name	= "rt2x00debug_read_crypto_stats",
++	[50267].param3	= 1,
++	[50398].file	= "fs/proc/base.c",
++	[50398].name	= "mem_write",
++	[50398].param3	= 1,
++	[50518].file	= "drivers/gpu/drm/nouveau/nouveau_gem.c",
++	[50518].name	= "u_memcpya",
++	[50518].param2	= 1,
++	[50518].param3	= 1,
++	[5052].file	= "drivers/char/ppdev.c",
++	[5052].name	= "pp_read",
++	[5052].param3	= 1,
++	[50562].file	= "drivers/media/video/zoran/zoran_procfs.c",
++	[50562].name	= "zoran_write",
++	[50562].param3	= 1,
++	[50653].file	= "net/sunrpc/cache.c",
++	[50653].name	= "cache_write_procfs",
++	[50653].param3	= 1,
++	[50692].file	= "lib/ts_bm.c",
++	[50692].name	= "bm_init",
++	[50692].param2	= 1,
++	[50813].file	= "mm/vmalloc.c",
++	[50813].name	= "__vmalloc_node_flags",
++	[50813].param1	= 1,
++	[5087].file	= "drivers/atm/solos-pci.c",
++	[5087].name	= "console_store",
++	[5087].param4	= 1,
++	[5102].file	= "drivers/usb/misc/usbtest.c",
++	[5102].name	= "usbtest_alloc_urb",
++	[5102].param3	= 1,
++	[5102].param5	= 1,
++	[51052].file	= "drivers/base/firmware_class.c",
++	[51052].name	= "firmware_data_write",
++	[51052].param6	= 1,
++	[51177].file	= "net/sunrpc/xprtrdma/transport.c",
++	[51177].name	= "xprt_rdma_allocate",
++	[51177].param2	= 1,
++	[51182].file	= "drivers/misc/sgi-xp/xpc_main.c",
++	[51182].name	= "xpc_kzalloc_cacheline_aligned",
++	[51182].param1	= 1,
++	[51250].file	= "fs/read_write.c",
++	[51250].name	= "rw_copy_check_uvector",
++	[51250].param3	= 1,
++	[51253].file	= "drivers/net/wireless/rt2x00/rt2x00debug.c",
++	[51253].name	= "rt2x00debug_write_eeprom",
++	[51253].param3	= 1,
++	[51284].file	= "drivers/net/wireless/iwlegacy/iwl-debugfs.c",
++	[51284].name	= "iwl_legacy_dbgfs_interrupt_write",
++	[51284].param3	= 1,
++	[51323].file	= "sound/pci/ac97/ac97_pcm.c",
++	[51323].name	= "snd_ac97_pcm_assign",
++	[51323].param2	= 1,
++	[51340].file	= "drivers/usb/class/usblp.c",
++	[51340].name	= "usblp_write",
++	[51340].param3	= 1,
++	[51471].file	= "drivers/block/floppy.c",
++	[51471].name	= "fd_locked_ioctl",
++	[51471].param3	= 1,
++	[5197].file	= "net/core/dev.c",
++	[5197].name	= "dev_set_alias",
++	[5197].param3	= 1,
++	[51998].file	= "drivers/net/macvtap.c",
++	[51998].name	= "macvtap_get_user",
++	[51998].param4	= 1,
++	[5204].file	= "drivers/media/video/usbvision/usbvision-video.c",
++	[5204].name	= "usbvision_v4l2_read",
++	[5204].param3	= 1,
++	[52086].file	= "drivers/usb/image/mdc800.c",
++	[52086].name	= "mdc800_device_read",
++	[52086].param3	= 1,
++	[52172].file	= "drivers/pcmcia/cistpl.c",
++	[52172].name	= "pccard_store_cis",
++	[52172].param6	= 1,
++	[52173].file	= "drivers/misc/ibmasm/ibmasmfs.c",
++	[52173].name	= "remote_settings_file_write",
++	[52173].param3	= 1,
++	[52199].file	= "mm/nobootmem.c",
++	[52199].name	= "__alloc_bootmem",
++	[52199].param1	= 1,
++	[52201].file	= "drivers/video/via/viafbdev.c",
++	[52201].name	= "viafb_dvp0_proc_write",
++	[52201].param3	= 1,
++	[5233].file	= "include/linux/poll.h",
++	[5233].name	= "set_fd_set",
++	[5233].param1	= 1,
++	[52343].file	= "drivers/usb/misc/adutux.c",
++	[52343].name	= "adu_read",
++	[52343].param3	= 1,
++	[52364].file	= "sound/core/pcm_lib.c",
++	[52364].name	= "snd_pcm_lib_readv_transfer",
++	[52364].param5	= 1,
++	[52401].file	= "drivers/staging/rtl8712/rtl871x_ioctl_linux.c",
++	[52401].name	= "r871x_set_wpa_ie",
++	[52401].param3	= 1,
++	[52699].file	= "lib/ts_fsm.c",
++	[52699].name	= "fsm_init",
++	[52699].param2	= 1,
++	[52721].file	= "security/keys/encrypted-keys/encrypted.c",
++	[52721].name	= "encrypted_instantiate",
++	[52721].param3	= 1,
++	[53041].file	= "fs/libfs.c",
++	[53041].name	= "simple_transaction_get",
++	[53041].param3	= 1,
++	[5313].file	= "fs/gfs2/quota.c",
++	[5313].name	= "do_sync",
++	[5313].param1	= 1,
++	[53209].file	= "drivers/usb/host/ehci-sched.c",
++	[53209].name	= "iso_sched_alloc",
++	[53209].param1	= 1,
++	[53302].file	= "drivers/firewire/core-cdev.c",
++	[53302].name	= "dispatch_ioctl",
++	[53302].param2	= 1,
++	[53355].file	= "fs/ceph/dir.c",
++	[53355].name	= "ceph_read_dir",
++	[53355].param3	= 1,
++	[53405].file	= "drivers/media/video/videobuf-core.c",
++	[53405].name	= "__videobuf_copy_to_user",
++	[53405].param4	= 1,
++	[53407].file	= "net/wireless/sme.c",
++	[53407].name	= "cfg80211_connect_result",
++	[53407].param4	= 1,
++	[53407].param6	= 1,
++	[53426].file	= "fs/libfs.c",
++	[53426].name	= "simple_transaction_read",
++	[53426].param3	= 1,
++	[5344].file	= "security/selinux/ss/hashtab.c",
++	[5344].name	= "hashtab_create",
++	[5344].param3	= 1,
++	[53468].file	= "drivers/char/mem.c",
++	[53468].name	= "write_mem",
++	[53468].param3	= 1,
++	[53513].file	= "drivers/mmc/core/mmc_ops.c",
++	[53513].name	= "mmc_send_bus_test",
++	[53513].param4	= 1,
++	[53539].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[53539].name	= "iwl_dbgfs_txfifo_flush_write",
++	[53539].param3	= 1,
++	[53626].file	= "drivers/block/paride/pg.c",
++	[53626].name	= "pg_read",
++	[53626].param3	= 1,
++	[53631].file	= "mm/util.c",
++	[53631].name	= "memdup_user",
++	[53631].param2	= 1,
++	[53680].file	= "lib/kstrtox.c",
++	[53680].name	= "kstrtol_from_user",
++	[53680].param2	= 1,
++	[5389].file	= "drivers/infiniband/core/uverbs_cmd.c",
++	[5389].name	= "ib_uverbs_unmarshall_recv",
++	[5389].param5	= 1,
++	[53901].file	= "net/rds/message.c",
++	[53901].name	= "rds_message_alloc",
++	[53901].param1	= 1,
++	[53904].file	= "fs/namei.c",
++	[53904].name	= "sys_unlink",
++	[53904].param1	= 1,
++	[5410].file	= "kernel/kexec.c",
++	[5410].name	= "sys_kexec_load",
++	[5410].param2	= 1,
++	[54182].file	= "drivers/block/rbd.c",
++	[54182].name	= "rbd_snap_add",
++	[54182].param4	= 1,
++	[5419].file	= "drivers/net/wireless/iwlegacy/iwl-debugfs.c",
++	[5419].name	= "iwl_legacy_dbgfs_disable_ht40_write",
++	[5419].param3	= 1,
++	[54201].file	= "drivers/platform/x86/asus_acpi.c",
++	[54201].name	= "mled_proc_write",
++	[54201].param3	= 1,
++	[5422].file	= "fs/namei.c",
++	[5422].name	= "do_unlinkat",
++	[5422].param2	= 1,
++	[54252].file	= "drivers/scsi/st.c",
++	[54252].name	= "st_write",
++	[54252].param3	= 1,
++	[54263].file	= "security/keys/trusted.c",
++	[54263].name	= "trusted_instantiate",
++	[54263].param3	= 1,
++	[54298].file	= "drivers/usb/wusbcore/crypto.c",
++	[54298].name	= "wusb_ccm_mac",
++	[54298].param7	= 1,
++	[54318].file	= "include/drm/drm_mem_util.h",
++	[54318].name	= "drm_malloc_ab",
++	[54318].param1	= 1,
++	[54318].param2	= 1,
++	[54335].file	= "drivers/md/dm-table.c",
++	[54335].name	= "dm_vcalloc",
++	[54335].param1	= 1,
++	[54335].param2	= 1,
++	[54339].file	= "security/smack/smackfs.c",
++	[54339].name	= "smk_write_cipso",
++	[54339].param3	= 1,
++	[5438].file	= "sound/core/memory.c",
++	[5438].name	= "copy_to_user_fromio",
++	[5438].param3	= 1,
++	[54401].file	= "lib/dynamic_debug.c",
++	[54401].name	= "ddebug_proc_write",
++	[54401].param3	= 1,
++	[54427].file	= "drivers/usb/storage/jumpshot.c",
++	[54427].name	= "jumpshot_write_data",
++	[54427].param4	= 1,
++	[54467].file	= "net/packet/af_packet.c",
++	[54467].name	= "packet_setsockopt",
++	[54467].param5	= 1,
++	[54573].file	= "ipc/sem.c",
++	[54573].name	= "sys_semop",
++	[54573].param3	= 1,
++	[54643].file	= "drivers/isdn/hardware/eicon/divasi.c",
++	[54643].name	= "um_idi_write",
++	[54643].param3	= 1,
++	[54657].file	= "mm/migrate.c",
++	[54657].name	= "do_pages_stat",
++	[54657].param2	= 1,
++	[54663].file	= "drivers/isdn/hardware/eicon/platform.h",
++	[54663].name	= "diva_os_malloc",
++	[54663].param2	= 1,
++	[54751].file	= "drivers/infiniband/core/device.c",
++	[54751].name	= "ib_alloc_device",
++	[54751].param1	= 1,
++	[54806].file	= "drivers/scsi/lpfc/lpfc_debugfs.c",
++	[54806].name	= "lpfc_debugfs_dif_err_write",
++	[54806].param3	= 1,
++	[5494].file	= "fs/cifs/cifsacl.c",
++	[5494].name	= "cifs_idmap_key_instantiate",
++	[5494].param3	= 1,
++	[55066].file	= "net/ipv6/ipv6_sockglue.c",
++	[55066].name	= "do_ipv6_setsockopt",
++	[55066].param5	= 1,
++	[55105].file	= "drivers/base/devres.c",
++	[55105].name	= "devres_alloc",
++	[55105].param2	= 1,
++	[55115].file	= "net/sctp/probe.c",
++	[55115].name	= "sctpprobe_read",
++	[55115].param3	= 1,
++	[55155].file	= "net/bluetooth/rfcomm/sock.c",
++	[55155].name	= "rfcomm_sock_setsockopt",
++	[55155].param5	= 1,
++	[55187].file	= "security/keys/keyctl.c",
++	[55187].name	= "keyctl_describe_key",
++	[55187].param3	= 1,
++	[5524].file	= "lib/kstrtox.c",
++	[5524].name	= "kstrtos8_from_user",
++	[5524].param2	= 1,
++	[55253].file	= "drivers/net/wireless/ray_cs.c",
++	[55253].name	= "ray_cs_essid_proc_write",
++	[55253].param3	= 1,
++	[5548].file	= "drivers/media/media-entity.c",
++	[5548].name	= "media_entity_init",
++	[5548].param2	= 1,
++	[5548].param4	= 1,
++	[55580].file	= "drivers/usb/mon/mon_bin.c",
++	[55580].name	= "copy_from_buf",
++	[55580].param2	= 1,
++	[55682].file	= "drivers/net/wireless/libertas/debugfs.c",
++	[55682].name	= "lbs_host_sleep_write",
++	[55682].param3	= 1,
++	[55712].file	= "drivers/char/mem.c",
++	[55712].name	= "read_zero",
++	[55712].param3	= 1,
++	[55857].file	= "drivers/net/wireless/ath/ath9k/debug.c",
++	[55857].name	= "write_file_tx_chainmask",
++	[55857].param3	= 1,
++	[55978].file	= "drivers/usb/misc/iowarrior.c",
++	[55978].name	= "iowarrior_write",
++	[55978].param3	= 1,
++	[5599].file	= "drivers/char/random.c",
++	[5599].name	= "write_pool",
++	[5599].param3	= 1,
++	[56090].file	= "drivers/media/video/videobuf-dma-sg.c",
++	[56090].name	= "__videobuf_alloc_vb",
++	[56090].param1	= 1,
++	[56199].file	= "fs/binfmt_misc.c",
++	[56199].name	= "parse_command",
++	[56199].param2	= 1,
++	[56218].file	= "drivers/mmc/card/mmc_test.c",
++	[56218].name	= "mtf_test_write",
++	[56218].param3	= 1,
++	[56416].file	= "drivers/misc/lkdtm.c",
++	[56416].name	= "do_register_entry",
++	[56416].param4	= 1,
++	[56432].file	= "drivers/mfd/aat2870-core.c",
++	[56432].name	= "aat2870_reg_write_file",
++	[56432].param3	= 1,
++	[56471].file	= "include/linux/slab.h",
++	[56471].name	= "kcalloc",
++	[56471].param1	= 1,
++	[56471].param2	= 1,
++	[56513].file	= "fs/cifs/connect.c",
++	[56513].name	= "cifs_readv_from_socket",
++	[56513].param3	= 1,
++	[56544].file	= "drivers/block/drbd/drbd_receiver.c",
++	[56544].name	= "receive_DataRequest",
++	[56544].param3	= 1,
++	[5661].file	= "lib/dma-debug.c",
++	[5661].name	= "filter_write",
++	[5661].param3	= 1,
++	[56672].file	= "drivers/char/agp/generic.c",
++	[56672].name	= "agp_alloc_page_array",
++	[56672].param1	= 1,
++	[56843].file	= "drivers/scsi/scsi_transport_iscsi.c",
++	[56843].name	= "iscsi_recv_pdu",
++	[56843].param4	= 1,
++	[57120].file	= "lib/kstrtox.c",
++	[57120].name	= "kstrtouint_from_user",
++	[57120].param2	= 1,
++	[57128].file	= "drivers/pnp/pnpbios/proc.c",
++	[57128].name	= "pnpbios_proc_write",
++	[57128].param3	= 1,
++	[57190].file	= "drivers/char/agp/generic.c",
++	[57190].name	= "agp_generic_alloc_user",
++	[57190].param1	= 1,
++	[57471].file	= "drivers/media/video/sn9c102/sn9c102_core.c",
++	[57471].name	= "sn9c102_read",
++	[57471].param3	= 1,
++	[57605].file	= "net/netlink/af_netlink.c",
++	[57605].name	= "netlink_kernel_create",
++	[57605].param3	= 1,
++	[57670].file	= "drivers/bluetooth/btmrvl_debugfs.c",
++	[57670].name	= "btmrvl_pscmd_write",
++	[57670].param3	= 1,
++	[57675].file	= "drivers/net/wireless/ath/ath9k/debug.c",
++	[57675].name	= "write_file_regidx",
++	[57675].param3	= 1,
++	[57724].file	= "net/bluetooth/hci_sock.c",
++	[57724].name	= "hci_sock_setsockopt",
++	[57724].param5	= 1,
++	[57748].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[57748].name	= "iwl_dbgfs_missed_beacon_write",
++	[57748].param3	= 1,
++	[57786].file	= "net/ipv6/netfilter/ip6_tables.c",
++	[57786].name	= "compat_do_ip6t_set_ctl",
++	[57786].param4	= 1,
++	[57872].file	= "fs/ceph/xattr.c",
++	[57872].name	= "ceph_setxattr",
++	[57872].param4	= 1,
++	[57927].file	= "fs/read_write.c",
++	[57927].name	= "sys_preadv",
++	[57927].param3	= 1,
++	[58020].file	= "drivers/firewire/core-cdev.c",
++	[58020].name	= "fw_device_op_ioctl",
++	[58020].param2	= 1,
++	[58043].file	= "kernel/auditfilter.c",
++	[58043].name	= "audit_unpack_string",
++	[58043].param3	= 1,
++	[5805].file	= "drivers/xen/grant-table.c",
++	[5805].name	= "gnttab_alloc_grant_references",
++	[5805].param1	= 1,
++	[58087].file	= "kernel/module.c",
++	[58087].name	= "module_alloc_update_bounds_rw",
++	[58087].param1	= 1,
++	[58107].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[58107].name	= "iwl_dbgfs_sleep_level_override_write",
++	[58107].param3	= 1,
++	[58124].file	= "drivers/usb/misc/usbtest.c",
++	[58124].name	= "ctrl_out",
++	[58124].param3	= 1,
++	[58124].param5	= 1,
++	[58263].file	= "security/keys/keyring.c",
++	[58263].name	= "keyring_read",
++	[58263].param3	= 1,
++	[58278].file	= "drivers/net/wireless/iwlwifi/iwl-trans-pcie.c",
++	[58278].name	= "iwl_dbgfs_log_event_write",
++	[58278].param3	= 1,
++	[5830].file	= "drivers/gpu/vga/vga_switcheroo.c",
++	[5830].name	= "vga_switcheroo_debugfs_write",
++	[5830].param3	= 1,
++	[58320].file	= "drivers/scsi/scsi_proc.c",
++	[58320].name	= "proc_scsi_write",
++	[58320].param3	= 1,
++	[58344].file	= "net/sunrpc/cache.c",
++	[58344].name	= "read_flush",
++	[58344].param3	= 1,
++	[58392].file	= "fs/namei.c",
++	[58392].name	= "getname_flags",
++	[58392].param1	= 1,
++	[58418].file	= "kernel/module.c",
++	[58418].name	= "sys_init_module",
++	[58418].param2	= 1,
++	[58502].file	= "sound/core/sgbuf.c",
++	[58502].name	= "snd_malloc_sgbuf_pages",
++	[58502].param2	= 1,
++	[58597].file	= "kernel/kfifo.c",
++	[58597].name	= "__kfifo_to_user",
++	[58597].param3	= 1,
++	[58641].file	= "drivers/usb/misc/adutux.c",
++	[58641].name	= "adu_write",
++	[58641].param3	= 1,
++	[58709].file	= "fs/compat.c",
++	[58709].name	= "compat_sys_pwritev",
++	[58709].param3	= 1,
++	[58769].file	= "drivers/net/wireless/zd1211rw/zd_usb.c",
++	[58769].name	= "zd_usb_read_fw",
++	[58769].param4	= 1,
++	[5876].file	= "drivers/net/ppp/ppp_generic.c",
++	[5876].name	= "ppp_write",
++	[5876].param3	= 1,
++	[58826].file	= "net/sunrpc/xprt.c",
++	[58826].name	= "xprt_alloc",
++	[58826].param2	= 1,
++	[58867].file	= "drivers/platform/x86/asus_acpi.c",
++	[58867].name	= "wled_proc_write",
++	[58867].param3	= 1,
++	[58878].file	= "drivers/net/wireless/libertas/debugfs.c",
++	[58878].name	= "lbs_wrbbp_write",
++	[58878].param3	= 1,
++	[58888].file	= "fs/xattr.c",
++	[58888].name	= "listxattr",
++	[58888].param3	= 1,
++	[58912].file	= "drivers/lguest/core.c",
++	[58912].name	= "__lgwrite",
++	[58912].param4	= 1,
++	[58918].file	= "sound/core/pcm_native.c",
++	[58918].name	= "snd_pcm_aio_write",
++	[58918].param3	= 1,
++	[58919].file	= "net/netlabel/netlabel_unlabeled.c",
++	[58919].name	= "netlbl_unlabel_init",
++	[58919].param1	= 1,
++	[58942].file	= "drivers/block/aoe/aoedev.c",
++	[58942].name	= "aoedev_flush",
++	[58942].param2	= 1,
++	[58958].file	= "fs/fuse/control.c",
++	[58958].name	= "fuse_conn_limit_write",
++	[58958].param3	= 1,
++	[58].file	= "lib/kstrtox.c",
++	[58].name	= "kstrtoull_from_user",
++	[58].param2	= 1,
++	[59034].file	= "drivers/acpi/acpica/dsobject.c",
++	[59034].name	= "acpi_ds_build_internal_package_obj",
++	[59034].param3	= 1,
++	[59073].file	= "drivers/staging/speakup/i18n.c",
++	[59073].name	= "msg_set",
++	[59073].param3	= 1,
++	[59108].file	= "drivers/net/wireless/ath/ath5k/debug.c",
++	[59108].name	= "write_file_queue",
++	[59108].param3	= 1,
++	[59297].file	= "drivers/media/dvb/ttpci/av7110_av.c",
++	[59297].name	= "dvb_play",
++	[59297].param3	= 1,
++	[59472].file	= "drivers/misc/ibmasm/ibmasmfs.c",
++	[59472].name	= "command_file_write",
++	[59472].param3	= 1,
++	[59505].file	= "drivers/media/video/pvrusb2/pvrusb2-ioread.c",
++	[59505].name	= "pvr2_ioread_read",
++	[59505].param3	= 1,
++	[59681].file	= "fs/xfs/kmem.c",
++	[59681].name	= "kmem_alloc",
++	[59681].param1	= 1,
++	[5968].file	= "net/sunrpc/sched.c",
++	[5968].name	= "rpc_malloc",
++	[5968].param2	= 1,
++	[59794].file	= "mm/mincore.c",
++	[59794].name	= "sys_mincore",
++	[59794].param1	= 1,
++	[59794].param2	= 1,
++	[59838].file	= "net/netlink/af_netlink.c",
++	[59838].name	= "nl_pid_hash_zalloc",
++	[59838].param1	= 1,
++	[59856].file	= "drivers/base/devres.c",
++	[59856].name	= "devm_kzalloc",
++	[59856].param2	= 1,
++	[59991].file	= "drivers/media/video/uvc/uvc_queue.c",
++	[59991].name	= "uvc_alloc_buffers",
++	[59991].param2	= 1,
++	[59991].param3	= 1,
++	[60005].file	= "fs/namei.c",
++	[60005].name	= "getname",
++	[60005].param1	= 1,
++	[60066].file	= "mm/filemap.c",
++	[60066].name	= "iov_iter_copy_from_user",
++	[60066].param4	= 1,
++	[60198].file	= "fs/nfs/nfs4proc.c",
++	[60198].name	= "nfs4_write_cached_acl",
++	[60198].param3	= 1,
++	[60330].file	= "drivers/media/video/w9966.c",
++	[60330].name	= "w9966_v4l_read",
++	[60330].param3	= 1,
++	[6041].file	= "drivers/mtd/mtdchar.c",
++	[6041].name	= "mtd_write",
++	[6041].param3	= 1,
++	[60436].file	= "drivers/net/macvtap.c",
++	[60436].name	= "macvtap_sendmsg",
++	[60436].param4	= 1,
++	[60483].file	= "drivers/char/virtio_console.c",
++	[60483].name	= "fill_readbuf",
++	[60483].param3	= 1,
++	[604].file	= "drivers/staging/rtl8712/usb_ops_linux.c",
++	[604].name	= "r8712_usbctrl_vendorreq",
++	[604].param6	= 1,
++	[60543].file	= "drivers/usb/class/usbtmc.c",
++	[60543].name	= "usbtmc_read",
++	[60543].param3	= 1,
++	[60683].file	= "sound/drivers/opl4/opl4_proc.c",
++	[60683].name	= "snd_opl4_mem_proc_write",
++	[60683].param5	= 1,
++	[60693].file	= "drivers/misc/hpilo.c",
++	[60693].name	= "ilo_read",
++	[60693].param3	= 1,
++	[60744].file	= "sound/pci/emu10k1/emuproc.c",
++	[60744].name	= "snd_emu10k1_fx8010_read",
++	[60744].param5	= 1,
++	[60833].file	= "drivers/block/aoe/aoenet.c",
++	[60833].name	= "set_aoe_iflist",
++	[60833].param2	= 1,
++	[60878].file	= "drivers/net/wireless/rt2x00/rt2x00debug.c",
++	[60878].name	= "rt2x00debug_read_queue_dump",
++	[60878].param3	= 1,
++	[60882].file	= "drivers/input/joydev.c",
++	[60882].name	= "joydev_compat_ioctl",
++	[60882].param2	= 1,
++	[60891].file	= "kernel/sched.c",
++	[60891].name	= "sys_sched_setaffinity",
++	[60891].param2	= 1,
++	[60927].file	= "drivers/net/wireless/ath/ath9k/debug.c",
++	[60927].name	= "write_file_disable_ani",
++	[60927].param3	= 1,
++	[60928].file	= "drivers/staging/bcm/Bcmchar.c",
++	[60928].name	= "bcm_char_read",
++	[60928].param3	= 1,
++	[61058].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[61058].name	= "iwl_dbgfs_disable_ht40_write",
++	[61058].param3	= 1,
++	[61120].file	= "drivers/char/mem.c",
++	[61120].name	= "read_mem",
++	[61120].param3	= 1,
++	[61222].file	= "net/sunrpc/rpc_pipe.c",
++	[61222].name	= "rpc_pipe_generic_upcall",
++	[61222].param4	= 1,
++	[61254].file	= "drivers/scsi/scsi_devinfo.c",
++	[61254].name	= "proc_scsi_devinfo_write",
++	[61254].param3	= 1,
++	[61283].file	= "drivers/net/wireless/ath/ath6kl/debug.c",
++	[61283].name	= "ath6kl_fwlog_read",
++	[61283].param3	= 1,
++	[61289].file	= "security/apparmor/apparmorfs.c",
++	[61289].name	= "aa_simple_write_to_buffer",
++	[61289].param4	= 1,
++	[61389].file	= "include/linux/slab.h",
++	[61389].name	= "kzalloc_node",
++	[61389].param1	= 1,
++	[61546].file	= "mm/filemap.c",
++	[61546].name	= "__iovec_copy_from_user_inatomic",
++	[61546].param3	= 1,
++	[61546].param4	= 1,
++	[61552].file	= "drivers/input/evdev.c",
++	[61552].name	= "str_to_user",
++	[61552].param2	= 1,
++	[61673].file	= "security/keys/trusted.c",
++	[61673].name	= "trusted_update",
++	[61673].param3	= 1,
++	[61676].file	= "kernel/module.c",
++	[61676].name	= "module_alloc_update_bounds_rx",
++	[61676].param1	= 1,
++	[61770].file	= "drivers/media/video/et61x251/et61x251_core.c",
++	[61770].name	= "et61x251_read",
++	[61770].param3	= 1,
++	[6186].file	= "drivers/char/mem.c",
++	[6186].name	= "read_kmem",
++	[6186].param3	= 1,
++	[61932].file	= "drivers/message/fusion/mptctl.c",
++	[61932].name	= "__mptctl_ioctl",
++	[61932].param2	= 1,
++	[62081].file	= "drivers/net/irda/vlsi_ir.c",
++	[62081].name	= "vlsi_alloc_ring",
++	[62081].param3	= 1,
++	[62116].file	= "fs/libfs.c",
++	[62116].name	= "simple_attr_read",
++	[62116].param3	= 1,
++	[6225].file	= "drivers/block/floppy.c",
++	[6225].name	= "fd_ioctl",
++	[6225].param3	= 1,
++	[62294].file	= "sound/core/info.c",
++	[62294].name	= "resize_info_buffer",
++	[62294].param2	= 1,
++	[62378].file	= "net/ipv4/tcp.c",
++	[62378].name	= "do_tcp_setsockopt",
++	[62378].param5	= 1,
++	[62387].file	= "fs/nfs/idmap.c",
++	[62387].name	= "nfs_idmap_lookup_id",
++	[62387].param2	= 1,
++	[62453].file	= "fs/namei.c",
++	[62453].name	= "user_path_create",
++	[62453].param2	= 1,
++	[62495].file	= "drivers/block/floppy.c",
++	[62495].name	= "fallback_on_nodma_alloc",
++	[62495].param2	= 1,
++	[62498].file	= "fs/xattr.c",
++	[62498].name	= "sys_listxattr",
++	[62498].param3	= 1,
++	[62583].file	= "drivers/net/wireless/mwifiex/debugfs.c",
++	[62583].name	= "mwifiex_regrdwr_write",
++	[62583].param3	= 1,
++	[625].file	= "fs/read_write.c",
++	[625].name	= "sys_pwritev",
++	[625].param3	= 1,
++	[62669].file	= "drivers/platform/x86/asus_acpi.c",
++	[62669].name	= "tled_proc_write",
++	[62669].param3	= 1,
++	[62714].file	= "security/keys/keyctl.c",
++	[62714].name	= "keyctl_update_key",
++	[62714].param3	= 1,
++	[62799].file	= "fs/proc/task_mmu.c",
++	[62799].name	= "pagemap_read",
++	[62799].param3	= 1,
++	[62811].file	= "drivers/usb/misc/legousbtower.c",
++	[62811].name	= "tower_read",
++	[62811].param3	= 1,
++	[62851].file	= "fs/proc/vmcore.c",
++	[62851].name	= "read_vmcore",
++	[62851].param3	= 1,
++	[62925].file	= "include/rdma/ib_verbs.h",
++	[62925].name	= "ib_copy_from_udata",
++	[62925].param3	= 1,
++	[62967].file	= "security/keys/encrypted-keys/encrypted.c",
++	[62967].name	= "encrypted_update",
++	[62967].param3	= 1,
++	[62970].file	= "net/sched/sch_api.c",
++	[62970].name	= "qdisc_class_hash_alloc",
++	[62970].param1	= 1,
++	[62999].file	= "net/core/neighbour.c",
++	[62999].name	= "neigh_hash_alloc",
++	[62999].param1	= 1,
++	[63004].file	= "drivers/usb/storage/datafab.c",
++	[63004].name	= "datafab_write_data",
++	[63004].param4	= 1,
++	[63007].file	= "fs/proc/base.c",
++	[63007].name	= "proc_coredump_filter_write",
++	[63007].param3	= 1,
++	[63010].file	= "drivers/gpu/drm/ttm/ttm_page_alloc.c",
++	[63010].name	= "ttm_page_pool_free",
++	[63010].param2	= 1,
++	[63076].file	= "fs/cifs/xattr.c",
++	[63076].name	= "cifs_setxattr",
++	[63076].param4	= 1,
++	[63091].file	= "drivers/net/usb/pegasus.c",
++	[63091].name	= "get_registers",
++	[63091].param3	= 1,
++	[63169].file	= "drivers/scsi/sg.c",
++	[63169].name	= "sg_read",
++	[63169].param3	= 1,
++	[6331].file	= "drivers/atm/solos-pci.c",
++	[6331].name	= "solos_param_store",
++	[6331].param4	= 1,
++	[63367].file	= "net/netfilter/ipset/ip_set_core.c",
++	[63367].name	= "ip_set_alloc",
++	[63367].param1	= 1,
++	[63473].file	= "drivers/staging/pohmelfs/trans.c",
++	[63473].name	= "netfs_trans_alloc",
++	[63473].param2	= 1,
++	[63473].param4	= 1,
++	[63489].file	= "drivers/bluetooth/btmrvl_debugfs.c",
++	[63489].name	= "btmrvl_hscfgcmd_write",
++	[63489].param3	= 1,
++	[63490].file	= "crypto/shash.c",
++	[63490].name	= "shash_compat_setkey",
++	[63490].param3	= 1,
++	[63583].file	= "drivers/char/mem.c",
++	[63583].name	= "write_kmem",
++	[63583].param3	= 1,
++	[63605].file	= "mm/mempool.c",
++	[63605].name	= "mempool_kmalloc",
++	[63605].param2	= 1,
++	[63717].file	= "drivers/net/wireless/iwlwifi/iwl-trans-pcie.c",
++	[63717].name	= "iwl_dbgfs_csr_write",
++	[63717].param3	= 1,
++	[63748].file	= "drivers/staging/crystalhd/crystalhd_misc.c",
++	[63748].name	= "crystalhd_map_dio",
++	[63748].param3	= 1,
++	[63765].file	= "fs/seq_file.c",
++	[63765].name	= "seq_read",
++	[63765].param3	= 1,
++	[63777].file	= "drivers/virtio/virtio_ring.c",
++	[63777].name	= "virtqueue_add_buf_gfp",
++	[63777].param3	= 1,
++	[63777].param4	= 1,
++	[63961].file	= "fs/xattr.c",
++	[63961].name	= "sys_flistxattr",
++	[63961].param3	= 1,
++	[63988].file	= "drivers/input/evdev.c",
++	[63988].name	= "evdev_ioctl_compat",
++	[63988].param2	= 1,
++	[64118].file	= "fs/namei.c",
++	[64118].name	= "sys_symlinkat",
++	[64118].param1	= 1,
++	[64156].file	= "drivers/net/wireless/ath/ath6kl/cfg80211.c",
++	[64156].name	= "ath6kl_mgmt_tx",
++	[64156].param9	= 1,
++	[64227].file	= "mm/nobootmem.c",
++	[64227].name	= "__alloc_bootmem_node_nopanic",
++	[64227].param2	= 1,
++	[64312].file	= "drivers/video/hecubafb.c",
++	[64312].name	= "hecubafb_write",
++	[64312].param3	= 1,
++	[64351].file	= "kernel/kfifo.c",
++	[64351].name	= "kfifo_copy_from_user",
++	[64351].param3	= 1,
++	[64392].file	= "drivers/mmc/core/mmc_ops.c",
++	[64392].name	= "mmc_send_cxd_data",
++	[64392].param5	= 1,
++	[64471].file	= "drivers/bluetooth/btmrvl_debugfs.c",
++	[64471].name	= "btmrvl_hscmd_write",
++	[64471].param3	= 1,
++	[64667].file	= "sound/core/oss/pcm_oss.c",
++	[64667].name	= "snd_pcm_oss_read",
++	[64667].param3	= 1,
++	[64689].file	= "sound/isa/gus/gus_dram.c",
++	[64689].name	= "snd_gus_dram_read",
++	[64689].param4	= 1,
++	[64692].file	= "fs/binfmt_misc.c",
++	[64692].name	= "bm_entry_write",
++	[64692].param3	= 1,
++	[64705].file	= "drivers/staging/iio/accel/sca3000_ring.c",
++	[64705].name	= "sca3000_read_first_n_hw_rb",
++	[64705].param2	= 1,
++	[64743].file	= "fs/ocfs2/dlmfs/dlmfs.c",
++	[64743].name	= "dlmfs_file_read",
++	[64743].param3	= 1,
++	[6477].file	= "net/bluetooth/mgmt.c",
++	[6477].name	= "mgmt_pending_add",
++	[6477].param5	= 1,
++	[64898].file	= "drivers/media/video/videobuf-dma-sg.c",
++	[64898].name	= "videobuf_dma_init_user",
++	[64898].param3	= 1,
++	[64898].param4	= 1,
++	[64906].file	= "drivers/net/wireless/b43legacy/debugfs.c",
++	[64906].name	= "b43legacy_debugfs_write",
++	[64906].param3	= 1,
++	[64961].file	= "drivers/spi/spidev.c",
++	[64961].name	= "spidev_ioctl",
++	[64961].param2	= 1,
++	[65033].file	= "crypto/shash.c",
++	[65033].name	= "shash_async_setkey",
++	[65033].param3	= 1,
++	[65093].file	= "security/integrity/evm/evm_secfs.c",
++	[65093].name	= "evm_write_key",
++	[65093].param3	= 1,
++	[65098].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[65098].name	= "iwl_dbgfs_traffic_log_write",
++	[65098].param3	= 1,
++	[6514].file	= "mm/nobootmem.c",
++	[6514].name	= "__alloc_bootmem_low",
++	[6514].param1	= 1,
++	[65169].file	= "net/core/skbuff.c",
++	[65169].name	= "dev_alloc_skb",
++	[65169].param1	= 1,
++	[6517].file	= "drivers/md/dm-table.c",
++	[6517].name	= "alloc_targets",
++	[6517].param2	= 1,
++	[65195].file	= "fs/jffs2/xattr.c",
++	[65195].name	= "do_jffs2_setxattr",
++	[65195].param5	= 1,
++	[65237].file	= "kernel/profile.c",
++	[65237].name	= "read_profile",
++	[65237].param3	= 1,
++	[65345].file	= "lib/xz/xz_dec_lzma2.c",
++	[65345].name	= "xz_dec_lzma2_create",
++	[65345].param2	= 1,
++	[65364].file	= "sound/core/pcm_lib.c",
++	[65364].name	= "snd_pcm_lib_read_transfer",
++	[65364].param5	= 1,
++	[65409].file	= "net/802/garp.c",
++	[65409].name	= "garp_request_join",
++	[65409].param4	= 1,
++	[65432].file	= "drivers/hid/hid-roccat-kone.c",
++	[65432].name	= "kone_receive",
++	[65432].param4	= 1,
++	[65452].file	= "drivers/message/fusion/mptctl.c",
++	[65452].name	= "mptctl_ioctl",
++	[65452].param2	= 1,
++	[65514].file	= "drivers/media/video/gspca/t613.c",
++	[65514].name	= "reg_w_ixbuf",
++	[65514].param4	= 1,
++	[6551].file	= "drivers/usb/host/xhci-mem.c",
++	[6551].name	= "xhci_alloc_stream_info",
++	[6551].param3	= 1,
++	[65535].file	= "drivers/media/dvb/dvb-usb/opera1.c",
++	[65535].name	= "opera1_xilinx_rw",
++	[65535].param5	= 1,
++	[6657].file	= "drivers/hid/hid-roccat-kone.c",
++	[6657].name	= "kone_send",
++	[6657].param4	= 1,
++	[6672].file	= "drivers/net/wireless/b43/debugfs.c",
++	[6672].name	= "b43_debugfs_write",
++	[6672].param3	= 1,
++	[6691].file	= "drivers/acpi/proc.c",
++	[6691].name	= "acpi_system_write_wakeup_device",
++	[6691].param3	= 1,
++	[6772].file	= "drivers/net/wireless/iwlwifi/iwl-debugfs.c",
++	[6772].name	= "iwl_dbgfs_force_reset_write",
++	[6772].param3	= 1,
++	[6780].file	= "sound/core/info.c",
++	[6780].name	= "snd_info_entry_read",
++	[6780].param3	= 1,
++	[6800].file	= "drivers/net/wireless/iwlegacy/iwl-debugfs.c",
++	[6800].name	= "iwl_legacy_dbgfs_missed_beacon_write",
++	[6800].param3	= 1,
++	[680].file	= "drivers/misc/ibmasm/ibmasmfs.c",
++	[680].name	= "command_file_read",
++	[680].param3	= 1,
++	[6865].file	= "drivers/staging/iio/ring_sw.c",
++	[6865].name	= "iio_read_first_n_sw_rb",
++	[6865].param2	= 1,
++	[6867].file	= "fs/coda/psdev.c",
++	[6867].name	= "coda_psdev_read",
++	[6867].param3	= 1,
++	[6891].file	= "drivers/bluetooth/btmrvl_debugfs.c",
++	[6891].name	= "btmrvl_gpiogap_write",
++	[6891].param3	= 1,
++	[6944].file	= "drivers/ide/ide-proc.c",
++	[6944].name	= "ide_settings_proc_write",
++	[6944].param3	= 1,
++	[6950].file	= "drivers/isdn/capi/capi.c",
++	[6950].name	= "capi_write",
++	[6950].param3	= 1,
++	[697].file	= "sound/isa/gus/gus_dram.c",
++	[697].name	= "snd_gus_dram_peek",
++	[697].param4	= 1,
++	[7066].file	= "security/keys/keyctl.c",
++	[7066].name	= "keyctl_instantiate_key_common",
++	[7066].param4	= 1,
++	[7129].file	= "mm/maccess.c",
++	[7129].name	= "__probe_kernel_read",
++	[7129].param3	= 1,
++	[720].file	= "sound/pci/rme9652/hdsp.c",
++	[720].name	= "snd_hdsp_playback_copy",
++	[720].param5	= 1,
++	[7411].file	= "drivers/vhost/vhost.c",
++	[7411].name	= "__vhost_add_used_n",
++	[7411].param3	= 1,
++	[7488].file	= "security/keys/user_defined.c",
++	[7488].name	= "user_read",
++	[7488].param3	= 1,
++	[7551].file	= "drivers/input/touchscreen/ad7879-spi.c",
++	[7551].name	= "ad7879_spi_xfer",
++	[7551].param3	= 1,
++	[7676].file	= "drivers/acpi/custom_method.c",
++	[7676].name	= "cm_write",
++	[7676].param3	= 1,
++	[7832].file	= "drivers/net/wireless/ath/ath5k/debug.c",
++	[7832].name	= "write_file_antenna",
++	[7832].param3	= 1,
++	[7843].file	= "fs/compat.c",
++	[7843].name	= "compat_sys_readv",
++	[7843].param3	= 1,
++	[7958].file	= "drivers/gpu/vga/vgaarb.c",
++	[7958].name	= "vga_arb_write",
++	[7958].param3	= 1,
++	[7976].file	= "drivers/usb/gadget/rndis.c",
++	[7976].name	= "rndis_add_response",
++	[7976].param2	= 1,
++	[8014].file	= "net/netfilter/ipset/ip_set_list_set.c",
++	[8014].name	= "init_list_set",
++	[8014].param2	= 1,
++	[8014].param3	= 1,
++	[8087].file	= "drivers/video/via/viafbdev.c",
++	[8087].name	= "viafb_iga1_odev_proc_write",
++	[8087].param3	= 1,
++	[8126].file	= "sound/soc/soc-core.c",
++	[8126].name	= "codec_reg_read_file",
++	[8126].param3	= 1,
++	[8185].file	= "drivers/net/wireless/ath/ath6kl/debug.c",
++	[8185].name	= "ath6kl_regwrite_write",
++	[8185].param3	= 1,
++	[8317].file	= "security/smack/smackfs.c",
++	[8317].name	= "smk_write_ambient",
++	[8317].param3	= 1,
++	[8334].file	= "drivers/scsi/sg.c",
++	[8334].name	= "sg_proc_write_adio",
++	[8334].param3	= 1,
++	[8481].file	= "drivers/isdn/i4l/isdn_common.c",
++	[8481].name	= "isdn_write",
++	[8481].param3	= 1,
++	[8536].file	= "fs/cifs/dns_resolve.c",
++	[8536].name	= "dns_resolve_server_name_to_ip",
++	[8536].param1	= 1,
++	[8650].file	= "drivers/gpu/drm/vmwgfx/vmwgfx_kms.c",
++	[8650].name	= "vmw_kms_present",
++	[8650].param9	= 1,
++	[865].file	= "drivers/base/regmap/regmap-debugfs.c",
++	[865].name	= "regmap_access_read_file",
++	[865].param3	= 1,
++	[8663].file	= "net/bridge/netfilter/ebtables.c",
++	[8663].name	= "do_update_counters",
++	[8663].param4	= 1,
++	[8684].file	= "fs/read_write.c",
++	[8684].name	= "sys_writev",
++	[8684].param3	= 1,
++	[8699].file	= "security/selinux/selinuxfs.c",
++	[8699].name	= "sel_commit_bools_write",
++	[8699].param3	= 1,
++	[8714].file	= "lib/kstrtox.c",
++	[8714].name	= "kstrtou16_from_user",
++	[8714].param2	= 1,
++	[8764].file	= "drivers/usb/core/devio.c",
++	[8764].name	= "usbdev_read",
++	[8764].param3	= 1,
++	[8802].file	= "fs/dlm/user.c",
++	[8802].name	= "device_write",
++	[8802].param3	= 1,
++	[8810].file	= "net/mac80211/debugfs_sta.c",
++	[8810].name	= "sta_agg_status_write",
++	[8810].param3	= 1,
++	[8815].file	= "security/tomoyo/securityfs_if.c",
++	[8815].name	= "tomoyo_write_self",
++	[8815].param3	= 1,
++	[8821].file	= "net/wireless/sme.c",
++	[8821].name	= "cfg80211_roamed",
++	[8821].param5	= 1,
++	[8821].param7	= 1,
++	[8833].file	= "security/selinux/ss/services.c",
++	[8833].name	= "security_context_to_sid",
++	[8833].param2	= 1,
++	[8851].file	= "net/key/af_key.c",
++	[8851].name	= "pfkey_sendmsg",
++	[8851].param4	= 1,
++	[8917].file	= "net/ipv4/raw.c",
++	[8917].name	= "raw_setsockopt",
++	[8917].param5	= 1,
++	[8983].file	= "include/linux/skbuff.h",
++	[8983].name	= "alloc_skb",
++	[8983].param1	= 1,
++	[9226].file	= "mm/migrate.c",
++	[9226].name	= "sys_move_pages",
++	[9226].param2	= 1,
++	[9341].file	= "drivers/acpi/apei/erst-dbg.c",
++	[9341].name	= "erst_dbg_write",
++	[9341].param3	= 1,
++	[9463].file	= "drivers/infiniband/hw/ipath/ipath_verbs.c",
++	[9463].name	= "ipath_verbs_send",
++	[9463].param3	= 1,
++	[9463].param5	= 1,
++	[9546].file	= "drivers/video/fbmem.c",
++	[9546].name	= "fb_write",
++	[9546].param3	= 1,
++	[9601].file	= "kernel/kfifo.c",
++	[9601].name	= "__kfifo_from_user",
++	[9601].param3	= 1,
++	[9618].file	= "security/selinux/selinuxfs.c",
++	[9618].name	= "sel_write_bool",
++	[9618].param3	= 1,
++	[9768].file	= "drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c",
++	[9768].name	= "vmw_execbuf_process",
++	[9768].param5	= 1,
++	[9828].file	= "drivers/media/dvb/dvb-core/dmxdev.c",
++	[9828].name	= "dvb_demux_do_ioctl",
++	[9828].param3	= 1,
++	[9870].file	= "net/atm/addr.c",
++	[9870].name	= "atm_get_addr",
++	[9870].param3	= 1,
++	[9962].file	= "drivers/scsi/sg.c",
++	[9962].name	= "sg_proc_write_dressz",
++	[9962].param3	= 1,
++	[9977].file	= "drivers/net/wireless/zd1211rw/zd_usb.c",
++	[9977].name	= "zd_usb_iowrite16v_async",
++	[9977].param3	= 1,
++	[16344].collision	= 1,
++	[30494].collision	= 1,
++	[31291].collision	= 1,
++	[33040].collision	= 1,
++	[38314].collision	= 1,
++	[54338].collision	= 1,
++	[60651].collision	= 1,
++};
+diff --git a/tools/gcc/size_overflow_hash2.h b/tools/gcc/size_overflow_hash2.h
+new file mode 100644
+index 0000000..8ed7d96
+--- /dev/null
++++ b/tools/gcc/size_overflow_hash2.h
+@@ -0,0 +1,44 @@
++struct size_overflow_hash size_overflow_hash2[65536] = {
++	[2118].file	= "fs/ntfs/malloc.h",
++	[2118].name	= "ntfs_malloc_nofs",
++	[2118].param1	= 1,
++	[22224].file	= "fs/proc/vmcore.c",
++	[22224].name	= "read_from_oldmem",
++	[22224].param2	= 1,
++	[26518].file	= "drivers/gpu/vga/vgaarb.c",
++	[26518].name	= "vga_arb_read",
++	[26518].param3	= 1,
++	[26569].file	= "lib/kstrtox.c",
++	[26569].name	= "kstrtoint_from_user",
++	[26569].param2	= 1,
++	[30632].file	= "drivers/ide/ide-proc.c",
++	[30632].name	= "ide_driver_proc_write",
++	[30632].param3	= 1,
++	[36150].file	= "net/ceph/buffer.c",
++	[36150].name	= "ceph_buffer_new",
++	[36150].param1	= 1,
++	[39024].file	= "lib/scatterlist.c",
++	[39024].name	= "sg_kmalloc",
++	[39024].param1	= 1,
++	[39105].file	= "drivers/gpu/drm/ttm/ttm_tt.c",
++	[39105].name	= "ttm_tt_create",
++	[39105].param2	= 1,
++	[43208].file	= "fs/nfs/read.c",
++	[43208].name	= "nfs_readdata_alloc",
++	[43208].param1	= 1,
++	[46911].file	= "drivers/media/video/ivtv/ivtv-fileops.c",
++	[46911].name	= "ivtv_v4l2_read",
++	[46911].param3	= 1,
++	[50359].file	= "kernel/sched.c",
++	[50359].name	= "alloc_sched_domains",
++	[50359].param1	= 1,
++	[52857].file	= "sound/pci/rme9652/rme9652.c",
++	[52857].name	= "snd_rme9652_capture_copy",
++	[52857].param5	= 1,
++	[57500].file	= "drivers/spi/spidev.c",
++	[57500].name	= "spidev_write",
++	[57500].param3	= 1,
++	[65149].file	= "fs/nilfs2/ioctl.c",
++	[65149].name	= "nilfs_ioctl_wrap_copy",
++	[65149].param4	= 1,
++};
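Review bot: `size_overflow_hash2` on the first line of this new header is defined as a writable array with external linkage, and the header only compiles because its includer declares `struct size_overflow_hash` beforehand (size_overflow_plugin.c does so just above its `#include "size_overflow_hash2.h"`). Nothing visible writes to the table, so `static const struct size_overflow_hash size_overflow_hash2[65536] = {` would keep it read-only and private to the plugin; `get_function_hash()`, which returns `&size_overflow_hash2[hash]`, would then need a `const` return type. A header comment such as `/* second-level table for slots marked .collision in size_overflow_hash1; index = 16-bit name hash with seed 23432 */` would record how the indices are derived. If the file is generated, both changes belong in the generator.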
+diff --git a/tools/gcc/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin.c
+new file mode 100644
+index 0000000..a9ae886
+--- /dev/null
++++ b/tools/gcc/size_overflow_plugin.c
+@@ -0,0 +1,1042 @@
++/*
++ * Copyright 2011, 2012 by Emese Revfy <re.emese@gmail.com>
++ * Licensed under the GPL v2, or (at your option) v3
++ *
++ * Homepage:
++ * http://www.grsecurity.net/~ephox/overflow_plugin/
++ *
++ * This plugin recomputes expressions of function arguments marked by a size_overflow attribute
++ * with double integer precision (DImode/TImode for 32/64 bit integer types).
++ * The recomputed argument is checked against INT_MAX and an event is logged on overflow and the triggering process is killed.
++ *
++ * Usage:
++ * $ gcc -I`gcc -print-file-name=plugin`/include -fPIC -shared -O2 -o size_overflow_plugin.so size_overflow_plugin.c
++ * $ gcc -fplugin=size_overflow_plugin.so test.c  -O2
++ */
++
++#include "gcc-plugin.h"
++#include "config.h"
++#include "system.h"
++#include "coretypes.h"
++#include "tree.h"
++#include "tree-pass.h"
++#include "intl.h"
++#include "plugin-version.h"
++#include "tm.h"
++#include "toplev.h"
++#include "function.h"
++#include "tree-flow.h"
++#include "plugin.h"
++#include "gimple.h"
++#include "c-common.h"
++#include "diagnostic.h"
++
++struct size_overflow_hash {
++		const char *name;
++		const char *file;
++		unsigned short collision:1;
++		unsigned short param1:1;
++		unsigned short param2:1;
++		unsigned short param3:1;
++		unsigned short param4:1;
++		unsigned short param5:1;
++		unsigned short param6:1;
++		unsigned short param7:1;
++		unsigned short param8:1;
++		unsigned short param9:1;
++};
++
++#include "size_overflow_hash1.h"
++#include "size_overflow_hash2.h"
++
++#define __unused __attribute__((__unused__))
++#define NAME(node) IDENTIFIER_POINTER(DECL_NAME(node))
++#define BEFORE_STMT true
++#define AFTER_STMT false
++#define CREATE_NEW_VAR NULL_TREE
++
++int plugin_is_GPL_compatible;
++void debug_gimple_stmt (gimple gs);
++
++static tree expand(struct pointer_set_t *visited, tree var);
++static tree signed_size_overflow_type;
++static tree unsigned_size_overflow_type;
++static tree report_size_overflow_decl;
++static tree const_char_ptr_type_node;
++static unsigned int handle_function(void);
++
++static struct plugin_info size_overflow_plugin_info = {
++	.version	= "20120311beta",
++	.help		= "no-size_overflow\tturn off size overflow checking\n",
++};
++
++static tree handle_size_overflow_attribute(tree *node, tree __unused name, tree args, int __unused flags, bool *no_add_attrs)
++{
++	unsigned int arg_count = type_num_arguments(*node);
++
++	for (; args; args = TREE_CHAIN(args)) {
++		tree position = TREE_VALUE(args);
++		if (TREE_CODE(position) != INTEGER_CST || TREE_INT_CST_HIGH(position) || TREE_INT_CST_LOW(position) < 1 || TREE_INT_CST_LOW(position) > arg_count ) {
++			error("handle_size_overflow_attribute: overflow parameter outside range.");
++			*no_add_attrs = true;
++		}
++	}
++	return NULL_TREE;
++}
++
++static struct attribute_spec no_size_overflow_attr = {
++	.name				= "size_overflow",
++	.min_length			= 1,
++	.max_length			= -1,
++	.decl_required			= false,
++	.type_required			= true,
++	.function_type_required		= true,
++	.handler			= handle_size_overflow_attribute
++};
++
++static void register_attributes(void __unused *event_data, void __unused *data)
++{
++	register_attribute(&no_size_overflow_attr);
++}
++
++// http://www.team5150.com/~andrew/noncryptohashzoo2~/CrapWow.html
++static unsigned int CrapWow(const char *key, unsigned int len, unsigned int seed)
++{
++#define cwfold( a, b, lo, hi ) { p = (unsigned int)(a) * (unsigned long long)(b); lo ^= (unsigned int)p; hi ^= (unsigned int)(p >> 32); }
++#define cwmixa( in ) { cwfold( in, m, k, h ); }
++#define cwmixb( in ) { cwfold( in, n, h, k ); }
++
++	const unsigned int m = 0x57559429;
++	const unsigned int n = 0x5052acdb;
++	const unsigned int *key4 = (const unsigned int *)key;
++	unsigned int h = len;
++	unsigned int k = len + seed + n;
++	unsigned long long p;
++
++	while (len >= 8) {
++		cwmixb(key4[0]) cwmixa(key4[1]) key4 += 2;
++		len -= 8;
++	}
++	if (len >= 4) {
++		cwmixb(key4[0]) key4 += 1;
++		len -= 4;
++	}
++	if (len)
++		cwmixa(key4[0] & ((1 << (len * 8)) - 1 ));
++	cwmixb(h ^ (k + n));
++	return k ^ h;
++
++#undef cwfold
++#undef cwmixa
++#undef cwmixb
++}
++
++static inline unsigned int size_overflow_hash(const char *fndecl, unsigned int seed)
++{
++	return CrapWow(fndecl, strlen(fndecl), seed) & 0xffff;
++}
++
++static inline tree get_original_function_decl(tree fndecl)
++{
++	if (DECL_ABSTRACT_ORIGIN(fndecl))
++		return DECL_ABSTRACT_ORIGIN(fndecl);
++	return fndecl;
++}
++
++static inline gimple get_def_stmt(tree node)
++{
++	gcc_assert(TREE_CODE(node) == SSA_NAME);
++	return SSA_NAME_DEF_STMT(node);
++}
++
++static struct size_overflow_hash *get_function_hash(tree fndecl)
++{
++	unsigned int hash;
++	const char *func = NAME(fndecl);
++
++	hash = size_overflow_hash(func, 0);
++
++	if (size_overflow_hash1[hash].collision) {
++		hash = size_overflow_hash(func, 23432);
++		return &size_overflow_hash2[hash];
++	}
++	return &size_overflow_hash1[hash];
++}
++
++static void check_missing_attribute(tree arg)
++{
++	tree var, func = get_original_function_decl(current_function_decl);
++	const char *curfunc = NAME(func);
++	unsigned int new_hash, argnum = 1;
++	struct size_overflow_hash *hash;
++	location_t loc;
++	expanded_location xloc;
++	bool match = false;
++
++	loc = DECL_SOURCE_LOCATION(func);
++	xloc = expand_location(loc);
++
++	if (lookup_attribute("size_overflow", TYPE_ATTRIBUTES(TREE_TYPE(func))))
++		return;
++
++	hash = get_function_hash(func);
++	if (hash->name && !strcmp(hash->name, NAME(func)) && !strcmp(hash->file, xloc.file))
++		return;
++
++	gcc_assert(TREE_CODE(arg) != COMPONENT_REF);
++
++	if (TREE_CODE(arg) == SSA_NAME)
++		arg = SSA_NAME_VAR(arg);
++
++	for (var = DECL_ARGUMENTS(func); var; var = TREE_CHAIN(var)) {
++		if (strcmp(NAME(arg), NAME(var))) {
++			argnum++;
++			continue;
++		}
++		match = true;
++		if (!TYPE_UNSIGNED(TREE_TYPE(var)))
++			return;
++		break;
++	}
++	if (!match) {
++		warning(0, "check_missing_attribute: cannot find the %s argument in %s", NAME(arg), NAME(func));
++		return;
++	}
++
++#define check_param(num)			\
++	if (num == argnum && hash->param##num)	\
++		return;
++	check_param(1);
++	check_param(2);
++	check_param(3);
++	check_param(4);
++	check_param(5);
++	check_param(6);
++	check_param(7);
++	check_param(8);
++	check_param(9);
++#undef check_param
++
++	new_hash = size_overflow_hash(curfunc, 0);
++	inform(loc, "Function %s is missing from the size_overflow hash table +%s+%d+%u+%s", curfunc, curfunc, argnum, new_hash, xloc.file);
++}
++
++static tree create_new_var(tree type)
++{
++	tree new_var = create_tmp_var(type, "cicus");
++
++	add_referenced_var(new_var);
++	mark_sym_for_renaming(new_var);
++	return new_var;
++}
++
++static bool is_bool(tree node)
++{
++	tree type;
++
++	if (node == NULL_TREE)
++		return false;
++
++	type = TREE_TYPE(node);
++	if (!INTEGRAL_TYPE_P(type))
++		return false;
++	if (TREE_CODE(type) == BOOLEAN_TYPE)
++		return true;
++	if (TYPE_PRECISION(type) == 1)
++		return true;
++	return false;
++}
++
++static gimple build_cast_stmt(tree type, tree var, tree new_var, location_t loc)
++{
++	gimple assign;
++
++	if (new_var == CREATE_NEW_VAR)
++		new_var = create_new_var(type);
++
++	assign = gimple_build_assign(new_var, fold_convert(type, var));
++	gimple_set_location(assign, loc);
++	gimple_set_lhs(assign, make_ssa_name(new_var, assign));
++
++	return assign;
++}
++
++static tree create_assign(struct pointer_set_t *visited, gimple oldstmt, tree rhs1, bool before)
++{
++	tree oldstmt_rhs1;
++	enum tree_code code;
++	gimple stmt;
++	gimple_stmt_iterator gsi;
++
++	if (is_bool(rhs1)) {
++		pointer_set_insert(visited, oldstmt);
++		return gimple_get_lhs(oldstmt);
++	}
++
++	if (rhs1 == NULL_TREE) {
++		debug_gimple_stmt(oldstmt);
++		error("create_assign: rhs1 is NULL_TREE");
++		gcc_unreachable();
++	}
++
++	oldstmt_rhs1 = gimple_assign_rhs1(oldstmt);
++	code = TREE_CODE(oldstmt_rhs1);
++	if (code == PARM_DECL || (code == SSA_NAME && gimple_code(get_def_stmt(oldstmt_rhs1)) == GIMPLE_NOP))
++		check_missing_attribute(oldstmt_rhs1);
++
++	stmt = build_cast_stmt(signed_size_overflow_type, rhs1, CREATE_NEW_VAR, gimple_location(oldstmt));
++	gsi = gsi_for_stmt(oldstmt);
++	if (before)
++		gsi_insert_before(&gsi, stmt, GSI_NEW_STMT);
++	else
++		gsi_insert_after(&gsi, stmt, GSI_NEW_STMT);
++	update_stmt(stmt);
++	pointer_set_insert(visited, oldstmt);
++	return gimple_get_lhs(stmt);
++}
++
++static tree dup_assign(struct pointer_set_t *visited, gimple oldstmt, tree rhs1, tree rhs2, tree __unused rhs3)
++{
++	tree new_var, lhs = gimple_get_lhs(oldstmt);
++	gimple stmt;
++	gimple_stmt_iterator gsi;
++
++	if (gimple_num_ops(oldstmt) != 4 && rhs1 == NULL_TREE) {
++		rhs1 = gimple_assign_rhs1(oldstmt);
++		rhs1 = create_assign(visited, oldstmt, rhs1, BEFORE_STMT);
++	}
++	if (gimple_num_ops(oldstmt) == 3 && rhs2 == NULL_TREE) {
++		rhs2 = gimple_assign_rhs2(oldstmt);
++		rhs2 = create_assign(visited, oldstmt, rhs2, BEFORE_STMT);
++	}
++
++	stmt = gimple_copy(oldstmt);
++	gimple_set_location(stmt, gimple_location(oldstmt));
++
++	if (gimple_assign_rhs_code(oldstmt) == WIDEN_MULT_EXPR)
++		gimple_assign_set_rhs_code(stmt, MULT_EXPR);
++
++	if (is_bool(lhs))
++		new_var = SSA_NAME_VAR(lhs);
++	else
++		new_var = create_new_var(signed_size_overflow_type);
++	new_var = make_ssa_name(new_var, stmt);
++	gimple_set_lhs(stmt, new_var);
++
++	if (rhs1 != NULL_TREE) {
++		if (!gimple_assign_cast_p(oldstmt))
++			rhs1 = fold_convert(signed_size_overflow_type, rhs1);
++		gimple_assign_set_rhs1(stmt, rhs1);
++	}
++
++	if (rhs2 != NULL_TREE)
++		gimple_assign_set_rhs2(stmt, rhs2);
++#if BUILDING_GCC_VERSION >= 4007
++	if (rhs3 != NULL_TREE)
++		gimple_assign_set_rhs3(stmt, rhs3);
++#endif
++	gimple_set_vuse(stmt, gimple_vuse(oldstmt));
++	gimple_set_vdef(stmt, gimple_vdef(oldstmt));
++
++	gsi = gsi_for_stmt(oldstmt);
++	gsi_insert_after(&gsi, stmt, GSI_SAME_STMT);
++	update_stmt(stmt);
++	pointer_set_insert(visited, oldstmt);
++	return gimple_get_lhs(stmt);
++}
++
++static gimple overflow_create_phi_node(gimple oldstmt, tree var)
++{
++	basic_block bb;
++	gimple phi;
++	gimple_stmt_iterator gsi = gsi_for_stmt(oldstmt);
++
++	bb = gsi_bb(gsi);
++	phi = make_phi_node(var, EDGE_COUNT(bb->preds));
++
++	gsi_insert_after(&gsi, phi, GSI_NEW_STMT);
++	gimple_set_bb(phi, bb);
++	return phi;
++}
++
++static tree signed_cast_constant(tree node)
++{
++	gcc_assert(is_gimple_constant(node));
++
++	if (TYPE_PRECISION(signed_size_overflow_type) == TYPE_PRECISION(TREE_TYPE(node)))
++		return build_int_cst_wide(signed_size_overflow_type, TREE_INT_CST_LOW(node), TREE_INT_CST_HIGH(node));
++	else
++		return build_int_cst(signed_size_overflow_type, int_cst_value(node));
++}
++
++static gimple cast_old_phi_arg(gimple oldstmt, tree arg, tree new_var)
++{
++	basic_block first_bb;
++	gimple newstmt;
++	gimple_stmt_iterator gsi;
++
++	newstmt = build_cast_stmt(signed_size_overflow_type, arg, new_var, gimple_location(oldstmt));
++
++	first_bb = split_block_after_labels(ENTRY_BLOCK_PTR)->dest;
++	if (dom_info_available_p(CDI_DOMINATORS))
++		set_immediate_dominator(CDI_DOMINATORS, first_bb, ENTRY_BLOCK_PTR);
++	gsi = gsi_start_bb(first_bb);
++
++	gsi_insert_before(&gsi, newstmt, GSI_NEW_STMT);
++	return newstmt;
++}
++
++static gimple handle_new_phi_arg(tree arg, tree new_var, tree new_rhs)
++{
++	gimple newstmt;
++	gimple_stmt_iterator gsi;
++	void (*gsi_insert)(gimple_stmt_iterator *, gimple, enum gsi_iterator_update);
++	gimple def_newstmt = get_def_stmt(new_rhs);
++
++	gsi_insert = gsi_insert_after;
++	gsi = gsi_for_stmt(def_newstmt);
++
++	switch (gimple_code(get_def_stmt(arg))) {
++	case GIMPLE_PHI:
++		newstmt = gimple_build_assign(new_var, new_rhs);
++		gsi = gsi_after_labels(gimple_bb(def_newstmt));
++		gsi_insert = gsi_insert_before;
++		break;
++	case GIMPLE_ASM:
++	case GIMPLE_CALL:
++		newstmt = gimple_build_assign(new_var, new_rhs);
++		break;
++	case GIMPLE_ASSIGN:
++		newstmt = gimple_copy(def_newstmt);
++		break;
++	default:
++		/* unknown gimple_code (build_new_phi_arg) */
++		gcc_unreachable();
++	}
++
++	gimple_set_lhs(newstmt, make_ssa_name(new_var, newstmt));
++	gsi_insert(&gsi, newstmt, GSI_NEW_STMT);
++	return newstmt;
++}
++
++static tree build_new_phi_arg(struct pointer_set_t *visited, gimple oldstmt, tree arg, tree new_var)
++{
++	gimple newstmt;
++	tree new_rhs;
++
++	if (is_gimple_constant(arg))
++		return signed_cast_constant(arg);
++
++	pointer_set_insert(visited, oldstmt);
++	new_rhs = expand(visited, arg);
++	if (new_rhs == NULL_TREE) {
++		gcc_assert(TREE_CODE(TREE_TYPE(arg)) != VOID_TYPE);
++		newstmt = cast_old_phi_arg(oldstmt, arg, new_var);
++	} else
++		newstmt = handle_new_phi_arg(arg, new_var, new_rhs);
++	update_stmt(newstmt);
++	return gimple_get_lhs(newstmt);
++}
++
++static tree build_new_phi(struct pointer_set_t *visited, gimple oldstmt)
++{
++	gimple phi;
++	tree new_var = create_new_var(signed_size_overflow_type);
++	unsigned int i, n = gimple_phi_num_args(oldstmt);
++
++	phi = overflow_create_phi_node(oldstmt, new_var);
++
++	for (i = 0; i < n; i++) {
++		tree arg, lhs;
++
++		arg = gimple_phi_arg_def(oldstmt, i);
++		lhs = build_new_phi_arg(visited, oldstmt, arg, new_var);
++		add_phi_arg(phi, lhs, gimple_phi_arg_edge(oldstmt, i), gimple_location(oldstmt));
++	}
++	update_stmt(phi);
++	return gimple_phi_result(phi);
++}
++
++static tree handle_unary_ops(struct pointer_set_t *visited, tree var)
++{
++	gimple def_stmt = get_def_stmt(var);
++	tree new_rhs1, rhs1 = gimple_assign_rhs1(def_stmt);
++
++	if (is_gimple_constant(rhs1))
++		return dup_assign(visited, def_stmt, signed_cast_constant(rhs1), NULL_TREE, NULL_TREE);
++
++	switch (TREE_CODE(rhs1)) {
++	case SSA_NAME:
++		new_rhs1 = expand(visited, rhs1);
++		break;
++	case ARRAY_REF:
++	case ADDR_EXPR:
++	case COMPONENT_REF:
++	case COND_EXPR:
++	case INDIRECT_REF:
++#if BUILDING_GCC_VERSION >= 4006
++	case MEM_REF:
++#endif
++	case PARM_DECL:
++	case TARGET_MEM_REF:
++	case VAR_DECL:
++		return create_assign(visited, def_stmt, var, AFTER_STMT);
++	default:
++		debug_gimple_stmt(def_stmt);
++		debug_tree(rhs1);
++		gcc_unreachable();
++	}
++
++	if (new_rhs1 == NULL_TREE)
++		return create_assign(visited, def_stmt, rhs1, AFTER_STMT);
++	return dup_assign(visited, def_stmt, new_rhs1, NULL_TREE, NULL_TREE);
++}
++
++static tree transform_mult_overflow(tree rhs, tree const_rhs, tree log2const_rhs, location_t loc)
++{
++	tree new_def_rhs;
++
++	if (!is_gimple_constant(rhs))
++		return NULL_TREE;
++
++	new_def_rhs = fold_build2_loc(loc, MULT_EXPR, TREE_TYPE(const_rhs), rhs, const_rhs);
++	new_def_rhs = signed_cast_constant(new_def_rhs);
++	if (int_cst_value(new_def_rhs) >= 0)
++		return NULL_TREE;
++	return fold_build2_loc(loc, RSHIFT_EXPR, TREE_TYPE(new_def_rhs), new_def_rhs, log2const_rhs);
++}
++
++static tree handle_intentional_mult_overflow(struct pointer_set_t *visited, tree rhs, tree const_rhs)
++{
++	gimple new_def_stmt, def_stmt;
++	tree def_rhs1, def_rhs2, new_def_rhs;
++	location_t loc;
++	tree log2const_rhs;
++	int log2 = exact_log2(TREE_INT_CST_LOW(const_rhs));
++
++	if (log2 == -1) {
++//		warning(0, "Possibly unhandled intentional integer truncation");
++		return NULL_TREE;
++	}
++
++	def_stmt = get_def_stmt(rhs);
++	loc = gimple_location(def_stmt);
++	def_rhs1 = gimple_assign_rhs1(def_stmt);
++	def_rhs2 = gimple_assign_rhs2(def_stmt);
++	new_def_stmt = get_def_stmt(expand(visited, rhs));
++	log2const_rhs = build_int_cstu(TREE_TYPE(const_rhs), log2);
++
++	new_def_rhs = transform_mult_overflow(def_rhs1, const_rhs, log2const_rhs, loc);
++	if (new_def_rhs != NULL_TREE) {
++		gimple_assign_set_rhs1(new_def_stmt, new_def_rhs);
++	} else {
++		new_def_rhs = transform_mult_overflow(def_rhs2, const_rhs, log2const_rhs, loc);
++		if (new_def_rhs != NULL_TREE)
++			gimple_assign_set_rhs2(new_def_stmt, new_def_rhs);
++	}
++	if (new_def_rhs == NULL_TREE)
++		return NULL_TREE;
++
++	update_stmt(new_def_stmt);
++//	warning(0, "Handle integer truncation (gcc optimization)");
++	return gimple_get_lhs(new_def_stmt);
++}
++
++static bool is_mult_overflow(gimple def_stmt, tree rhs1)
++{
++	gimple rhs1_def_stmt = get_def_stmt(rhs1);
++
++	if (gimple_assign_rhs_code(def_stmt) != MULT_EXPR)
++		return false;
++	if (gimple_code(rhs1_def_stmt) != GIMPLE_ASSIGN)
++		return false;
++	if (gimple_assign_rhs_code(rhs1_def_stmt) != PLUS_EXPR)
++		return false;
++	return true;
++}
++
++static tree handle_intentional_overflow(struct pointer_set_t *visited, gimple def_stmt, tree rhs1, tree rhs2)
++{
++	if (is_mult_overflow(def_stmt, rhs1))
++		return handle_intentional_mult_overflow(visited, rhs1, rhs2);
++	return NULL_TREE;
++}
++
++static tree handle_binary_ops(struct pointer_set_t *visited, tree var)
++{
++	tree rhs1, rhs2;
++	gimple def_stmt = get_def_stmt(var);
++	tree new_rhs1 = NULL_TREE;
++	tree new_rhs2 = NULL_TREE;
++
++	rhs1 = gimple_assign_rhs1(def_stmt);
++	rhs2 = gimple_assign_rhs2(def_stmt);
++
++	/* no DImode/TImode division in the 32/64 bit kernel */
++	switch (gimple_assign_rhs_code(def_stmt)) {
++	case RDIV_EXPR:
++	case TRUNC_DIV_EXPR:
++	case CEIL_DIV_EXPR:
++	case FLOOR_DIV_EXPR:
++	case ROUND_DIV_EXPR:
++	case TRUNC_MOD_EXPR:
++	case CEIL_MOD_EXPR:
++	case FLOOR_MOD_EXPR:
++	case ROUND_MOD_EXPR:
++	case EXACT_DIV_EXPR:
++	case POINTER_PLUS_EXPR:
++	/* logical AND cannot cause an overflow */
++	case BIT_AND_EXPR:
++		return create_assign(visited, def_stmt, var, AFTER_STMT);
++	default:
++		break;
++	}
++
++	if (is_gimple_constant(rhs2)) {
++		new_rhs2 = signed_cast_constant(rhs2);
++		new_rhs1 = handle_intentional_overflow(visited, def_stmt, rhs1, rhs2);
++	}
++
++	if (is_gimple_constant(rhs1)) {
++		new_rhs1 = signed_cast_constant(rhs1);
++		new_rhs2 = handle_intentional_overflow(visited, def_stmt, rhs2, rhs1);
++	}
++
++	if (new_rhs1 == NULL_TREE && TREE_CODE(rhs1) == SSA_NAME)
++		new_rhs1 = expand(visited, rhs1);
++	if (new_rhs2 == NULL_TREE && TREE_CODE(rhs2) == SSA_NAME)
++		new_rhs2 = expand(visited, rhs2);
++
++	return dup_assign(visited, def_stmt, new_rhs1, new_rhs2, NULL_TREE);
++}
++
++#if BUILDING_GCC_VERSION >= 4007
++static tree get_new_rhs(struct pointer_set_t *visited, tree rhs)
++{
++	if (is_gimple_constant(rhs))
++		return signed_cast_constant(rhs);
++	if (TREE_CODE(rhs) != SSA_NAME)
++		return NULL_TREE;
++	return expand(visited, rhs);
++}
++
++static tree handle_ternary_ops(struct pointer_set_t *visited, tree var)
++{
++	tree rhs1, rhs2, rhs3, new_rhs1, new_rhs2, new_rhs3;
++	gimple def_stmt = get_def_stmt(var);
++
++	rhs1 = gimple_assign_rhs1(def_stmt);
++	rhs2 = gimple_assign_rhs2(def_stmt);
++	rhs3 = gimple_assign_rhs3(def_stmt);
++	new_rhs1 = get_new_rhs(visited, rhs1);
++	new_rhs2 = get_new_rhs(visited, rhs2);
++	new_rhs3 = get_new_rhs(visited, rhs3);
++
++	if (new_rhs1 == NULL_TREE && new_rhs2 != NULL_TREE && new_rhs3 != NULL_TREE)
++		return dup_assign(visited, def_stmt, new_rhs1, new_rhs2, new_rhs3);
++	error("handle_ternary_ops: unknown rhs");
++	gcc_unreachable();
++}
++#endif
++
++static void set_size_overflow_type(tree node)
++{
++	switch (TYPE_MODE(TREE_TYPE(node))) {
++	case SImode:
++		signed_size_overflow_type = intDI_type_node;
++		unsigned_size_overflow_type = unsigned_intDI_type_node;
++		break;
++	case DImode:
++		if (LONG_TYPE_SIZE == GET_MODE_BITSIZE(SImode)) {
++			signed_size_overflow_type = intDI_type_node;
++			unsigned_size_overflow_type = unsigned_intDI_type_node;
++		} else {
++			signed_size_overflow_type = intTI_type_node;
++			unsigned_size_overflow_type = unsigned_intTI_type_node;
++		}
++		break;
++	default:
++		error("set_size_overflow_type: unsupported gcc configuration.");
++		gcc_unreachable();
++	}
++}
++
++static tree expand_visited(gimple def_stmt)
++{
++	gimple tmp;
++	gimple_stmt_iterator gsi = gsi_for_stmt(def_stmt);
++
++	gsi_next(&gsi);
++	tmp = gsi_stmt(gsi);
++	switch (gimple_code(tmp)) {
++	case GIMPLE_ASSIGN:
++		return gimple_get_lhs(tmp);
++	case GIMPLE_PHI:
++		return gimple_phi_result(tmp);
++	case GIMPLE_CALL:
++		return gimple_call_lhs(tmp);
++	default:
++		return NULL_TREE;
++	}
++}
++
++static tree expand(struct pointer_set_t *visited, tree var)
++{
++	gimple def_stmt;
++
++	if (is_gimple_constant(var))
++		return NULL_TREE;
++
++	if (TREE_CODE(var) == ADDR_EXPR)
++		return NULL_TREE;
++
++	if (SSA_NAME_IS_DEFAULT_DEF(var))
++		return NULL_TREE;
++
++	def_stmt = get_def_stmt(var);
++
++	if (!def_stmt)
++		return NULL_TREE;
++
++	if (pointer_set_contains(visited, def_stmt))
++		return expand_visited(def_stmt);
++
++	switch (gimple_code(def_stmt)) {
++	case GIMPLE_NOP:
++		check_missing_attribute(var);
++		return NULL_TREE;
++	case GIMPLE_PHI:
++		return build_new_phi(visited, def_stmt);
++	case GIMPLE_CALL:
++	case GIMPLE_ASM:
++		gcc_assert(TREE_CODE(TREE_TYPE(var)) != VOID_TYPE);
++		return create_assign(visited, def_stmt, var, AFTER_STMT);
++	case GIMPLE_ASSIGN:
++		switch (gimple_num_ops(def_stmt)) {
++		case 2:
++			return handle_unary_ops(visited, var);
++		case 3:
++			return handle_binary_ops(visited, var);
++#if BUILDING_GCC_VERSION >= 4007
++		case 4:
++			return handle_ternary_ops(visited, var);
++#endif
++		}
++	default:
++		debug_gimple_stmt(def_stmt);
++		error("expand: unknown gimple code");
++		gcc_unreachable();
++	}
++}
++
++static void change_function_arg(gimple func_stmt, tree origarg, unsigned int argnum, tree newarg)
++{
++	gimple assign, stmt;
++	gimple_stmt_iterator gsi = gsi_for_stmt(func_stmt);
++	tree origtype = TREE_TYPE(origarg);
++
++	stmt = gsi_stmt(gsi);
++	gcc_assert(gimple_code(stmt) == GIMPLE_CALL);
++
++	assign = build_cast_stmt(origtype, newarg, CREATE_NEW_VAR, gimple_location(stmt));
++	gsi_insert_before(&gsi, assign, GSI_SAME_STMT);
++	update_stmt(assign);
++
++	gimple_call_set_arg(stmt, argnum, gimple_get_lhs(assign));
++	update_stmt(stmt);
++}
++
++static tree get_function_arg(unsigned int argnum, gimple stmt, tree fndecl)
++{
++	const char *origid;
++	tree arg, origarg;
++
++	if (!DECL_ABSTRACT_ORIGIN(fndecl)) {
++		gcc_assert(gimple_call_num_args(stmt) > argnum);
++		return gimple_call_arg(stmt, argnum);
++	}
++
++	origarg = DECL_ARGUMENTS(DECL_ABSTRACT_ORIGIN(fndecl));
++	while (origarg && argnum) {
++		argnum--;
++		origarg = TREE_CHAIN(origarg);
++	}
++
++	gcc_assert(argnum == 0);
++
++	gcc_assert(origarg != NULL_TREE);
++	origid = NAME(origarg);
++	for (arg = DECL_ARGUMENTS(fndecl); arg; arg = TREE_CHAIN(arg)) {
++		if (!strcmp(origid, NAME(arg)))
++			return arg;
++	}
++	return NULL_TREE;
++}
++
++static void insert_cond(tree arg, basic_block cond_bb)
++{
++	gimple cond_stmt;
++	gimple_stmt_iterator gsi = gsi_last_bb(cond_bb);
++
++	cond_stmt = gimple_build_cond(GT_EXPR, arg, build_int_cstu(signed_size_overflow_type, 0x7fffffff), NULL_TREE, NULL_TREE);
++	gsi_insert_after(&gsi, cond_stmt, GSI_CONTINUE_LINKING);
++	update_stmt(cond_stmt);
++}
++
++static tree create_string_param(tree string)
++{
++	tree array_ref = build4(ARRAY_REF, TREE_TYPE(string), string, integer_zero_node, NULL, NULL);
++
++	return build1(ADDR_EXPR, ptr_type_node, array_ref);
++}
++
++static void insert_cond_result(basic_block bb_true, gimple stmt, tree arg)
++{
++	gimple func_stmt, def_stmt;
++	tree current_func, loc_file, loc_line;
++	expanded_location xloc;
++	gimple_stmt_iterator gsi = gsi_start_bb(bb_true);
++
++	def_stmt = get_def_stmt(arg);
++	xloc = expand_location(gimple_location(def_stmt));
++
++	if (!gimple_has_location(def_stmt)) {
++		xloc = expand_location(gimple_location(stmt));
++		gcc_assert(gimple_has_location(stmt));
++	}
++
++	loc_line = build_int_cstu(unsigned_type_node, xloc.line);
++
++	loc_file = build_string(strlen(xloc.file), xloc.file);
++	TREE_TYPE(loc_file) = char_array_type_node;
++	loc_file = create_string_param(loc_file);
++
++	current_func = build_string(IDENTIFIER_LENGTH(DECL_NAME(current_function_decl)), NAME(current_function_decl));
++	TREE_TYPE(current_func) = char_array_type_node;
++	current_func = create_string_param(current_func);
++
++	// void report_size_overflow(const char *file, unsigned int line, const char *func)
++	func_stmt = gimple_build_call(report_size_overflow_decl, 3, loc_file, loc_line, current_func);
++
++	gsi_insert_after(&gsi, func_stmt, GSI_CONTINUE_LINKING);
++}
++
++static void insert_check_size_overflow(gimple stmt, tree arg)
++{
++	basic_block cond_bb, join_bb, bb_true;
++	edge e;
++	gimple_stmt_iterator gsi = gsi_for_stmt(stmt);
++
++	cond_bb = gimple_bb(stmt);
++	gsi_prev(&gsi);
++	if (gsi_end_p(gsi))
++		e = split_block_after_labels(cond_bb);
++	else
++		e = split_block(cond_bb, gsi_stmt(gsi));
++	cond_bb = e->src;
++	join_bb = e->dest;
++	e->flags = EDGE_FALSE_VALUE;
++	e->probability = REG_BR_PROB_BASE;
++
++	bb_true = create_empty_bb(cond_bb);
++	make_edge(cond_bb, bb_true, EDGE_TRUE_VALUE);
++
++	if (dom_info_available_p(CDI_DOMINATORS)) {
++		set_immediate_dominator(CDI_DOMINATORS, bb_true, cond_bb);
++		set_immediate_dominator(CDI_DOMINATORS, join_bb, cond_bb);
++	}
++
++	insert_cond(arg, cond_bb);
++	insert_cond_result(bb_true, stmt, arg);
++}
++
++static void handle_function_arg(gimple stmt, tree fndecl, unsigned int argnum)
++{
++	struct pointer_set_t *visited;
++	tree arg, newarg;
++	gimple ucast_stmt;
++	gimple_stmt_iterator gsi;
++	location_t loc = gimple_location(stmt);
++
++	arg = get_function_arg(argnum, stmt, fndecl);
++	if (arg == NULL_TREE)
++		return;
++
++	if (is_gimple_constant(arg))
++		return;
++	if (TREE_CODE(arg) != SSA_NAME)
++		return;
++
++	set_size_overflow_type(arg);
++	visited = pointer_set_create();
++	newarg = expand(visited, arg);
++	pointer_set_destroy(visited);
++
++	if (newarg == NULL_TREE)
++		return;
++
++	change_function_arg(stmt, arg, argnum, newarg);
++
++	ucast_stmt = build_cast_stmt(unsigned_size_overflow_type, newarg, CREATE_NEW_VAR, loc);
++	gsi = gsi_for_stmt(stmt);
++	gsi_insert_before(&gsi, ucast_stmt, GSI_SAME_STMT);
++
++	insert_check_size_overflow(stmt, gimple_get_lhs(ucast_stmt));
++//	inform(loc, "Integer size_overflow check applied here.");
++}
++
++static void handle_function_by_attribute(gimple stmt, tree attr, tree fndecl)
++{
++	tree p = TREE_VALUE(attr);
++	do {
++		handle_function_arg(stmt, fndecl, TREE_INT_CST_LOW(TREE_VALUE(p))-1);
++		p = TREE_CHAIN(p);
++	} while (p);
++}
++
++static void handle_function_by_hash(gimple stmt, tree fndecl)
++{
++	struct size_overflow_hash *hash;
++	expanded_location xloc;
++
++	hash = get_function_hash(fndecl);
++	xloc = expand_location(DECL_SOURCE_LOCATION(fndecl));
++
++	fndecl = get_original_function_decl(fndecl);
++	if (!hash->name || !hash->file)
++		return;
++	if (strcmp(hash->name, NAME(fndecl)) || strcmp(hash->file, xloc.file))
++		return;
++
++#define search_param(argnum)							\
++	if (hash->param##argnum)						\
++		handle_function_arg(stmt, fndecl, argnum - 1);
++
++	search_param(1);
++	search_param(2);
++	search_param(3);
++	search_param(4);
++	search_param(5);
++	search_param(6);
++	search_param(7);
++	search_param(8);
++	search_param(9);
++#undef search_param
++}
++
++static unsigned int handle_function(void)
++{
++	basic_block bb = ENTRY_BLOCK_PTR->next_bb;
++	int saved_last_basic_block = last_basic_block;
++
++	do {
++		gimple_stmt_iterator gsi;
++		basic_block next = bb->next_bb;
++
++		for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
++			tree fndecl, attr;
++			gimple stmt = gsi_stmt(gsi);
++
++			if (!(is_gimple_call(stmt)))
++				continue;
++			fndecl = gimple_call_fndecl(stmt);
++			if (fndecl == NULL_TREE)
++				continue;
++			if (gimple_call_num_args(stmt) == 0)
++				continue;
++			attr = lookup_attribute("size_overflow", TYPE_ATTRIBUTES(TREE_TYPE(fndecl)));
++			if (!attr || !TREE_VALUE(attr))
++				handle_function_by_hash(stmt, fndecl);
++			else
++				handle_function_by_attribute(stmt, attr, fndecl);
++			gsi = gsi_for_stmt(stmt);
++		}
++		bb = next;
++	} while (bb && bb->index <= saved_last_basic_block);
++	return 0;
++}
++
++static struct gimple_opt_pass size_overflow_pass = {
++	.pass = {
++		.type			= GIMPLE_PASS,
++		.name			= "size_overflow",
++		.gate			= NULL,
++		.execute		= handle_function,
++		.sub			= NULL,
++		.next			= NULL,
++		.static_pass_number	= 0,
++		.tv_id			= TV_NONE,
++		.properties_required	= PROP_cfg | PROP_referenced_vars,
++		.properties_provided	= 0,
++		.properties_destroyed	= 0,
++		.todo_flags_start	= 0,
++		.todo_flags_finish	= TODO_verify_ssa | TODO_verify_stmts | TODO_dump_func | TODO_remove_unused_locals | TODO_update_ssa_no_phi | TODO_cleanup_cfg | TODO_ggc_collect | TODO_verify_flow
++	}
++};
++
++static void start_unit_callback(void __unused *gcc_data, void __unused *user_data)
++{
++	tree fntype;
++
++	const_char_ptr_type_node = build_pointer_type(build_type_variant(char_type_node, 1, 0));
++
++	// void report_size_overflow(const char *loc_file, unsigned int loc_line, const char *current_func)
++	fntype = build_function_type_list(void_type_node,
++					  const_char_ptr_type_node,
++					  unsigned_type_node,
++					  const_char_ptr_type_node,
++					  NULL_TREE);
++	report_size_overflow_decl = build_fn_decl("report_size_overflow", fntype);
++
++	TREE_PUBLIC(report_size_overflow_decl) = 1;
++	DECL_EXTERNAL(report_size_overflow_decl) = 1;
++	DECL_ARTIFICIAL(report_size_overflow_decl) = 1;
++}
++
++extern struct gimple_opt_pass pass_dce;
++
++int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
++{
++	int i;
++	const char * const plugin_name = plugin_info->base_name;
++	const int argc = plugin_info->argc;
++	const struct plugin_argument * const argv = plugin_info->argv;
++	bool enable = true;
++
++	struct register_pass_info size_overflow_pass_info = {
++		.pass				= &size_overflow_pass.pass,
++		.reference_pass_name		= "mudflap2",
++		.ref_pass_instance_number	= 1,
++		.pos_op				= PASS_POS_INSERT_BEFORE
++	};
++
++	struct register_pass_info dce_pass_info = {
++		.pass				= &pass_dce.pass,
++		.reference_pass_name		= "mudflap2",
++		.ref_pass_instance_number	= 1,
++		.pos_op				= PASS_POS_INSERT_BEFORE
++	};
++
++	if (!plugin_default_version_check(version, &gcc_version)) {
++		error(G_("incompatible gcc/plugin versions"));
++		return 1;
++	}
++
++	for (i = 0; i < argc; ++i) {
++		if (!(strcmp(argv[i].key, "no-size_overflow"))) {
++			enable = false;
++			continue;
++		}
++		error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
++	}
++
++	register_callback(plugin_name, PLUGIN_INFO, NULL, &size_overflow_plugin_info);
++	if (enable) {
++		register_callback ("start_unit", PLUGIN_START_UNIT, &start_unit_callback, NULL);
++		register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &size_overflow_pass_info);
++		register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &dce_pass_info);
++	}
++	register_callback(plugin_name, PLUGIN_ATTRIBUTES, register_attributes, NULL);
++
++	return 0;
++}
 diff --git a/tools/gcc/stackleak_plugin.c b/tools/gcc/stackleak_plugin.c
 new file mode 100644
-index 0000000..4e82b16
+index 0000000..b87ec9d
 --- /dev/null
 +++ b/tools/gcc/stackleak_plugin.c
-@@ -0,0 +1,311 @@
+@@ -0,0 +1,313 @@
 +/*
 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
 + * Licensed under the GPL v2
@@ -80853,12 +86107,14 @@ index 0000000..4e82b16
 +		}
 +	}
 +
-+	// special case for some bad linux code: taking the address of static inline functions will materialize them
++	// special cases for some bad linux code: taking the address of static inline functions will materialize them
 +	// but we mustn't instrument some of them as the resulting stack alignment required by the function call ABI
 +	// will break other assumptions regarding the expected (but not otherwise enforced) register clobbering  ABI.
 +	// case in point: native_save_fl on amd64 when optimized for size clobbers rdx if it were instrumented here.
 +	if (is_leaf && !TREE_PUBLIC(current_function_decl) && DECL_DECLARED_INLINE_P(current_function_decl))
 +		return 0;
++	if (is_leaf && !strncmp(IDENTIFIER_POINTER(DECL_NAME(current_function_decl)), "_paravirt_", 10))
++		return 0;
 +
 +	// 4. insert track call at the beginning
 +	if (!prologue_instrumented) {
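Review bot: The new `_paravirt_` exemption matches on a name prefix alone and drops the `!TREE_PUBLIC(current_function_decl) && DECL_DECLARED_INLINE_P(current_function_decl)` restriction that the preceding special case carries, so every leaf function whose name starts with `_paravirt_` is left without the stack-tracking call. The comment above it was only changed to "special cases" and its example still names just native_save_fl; it should say which `_paravirt_*` functions need the exemption and which ABI assumption instrumenting them would break, so that a later reader can tell whether the prefix is wider than intended. The literal `10` would be better tied to the string, e.g. `!strncmp(IDENTIFIER_POINTER(DECL_NAME(current_function_decl)), "_paravirt_", sizeof("_paravirt_") - 1)`, so the two cannot drift apart. The enclosing function starts and ends outside this hunk, so how `is_leaf` is computed cannot be checked from here.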

diff --git a/3.2.11/4425_grsec_enable_xtpax.patch b/3.2.11/4425_grsec_enable_xtpax.patch
deleted file mode 100644
index 9735ecf..0000000
--- a/3.2.11/4425_grsec_enable_xtpax.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-From: Anthony G. Basile <blueness@gentoo.org>
-
-Unlock PAX_XATTR_PAX_FLAGS option
-
-diff -Naur a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig	2012-02-05 12:24:37.000000000 -0500
-+++ b/security/Kconfig	2012-02-05 12:25:04.000000000 -0500
-@@ -92,7 +92,7 @@
- 
- config PAX_XATTR_PAX_FLAGS
- 	bool 'Use filesystem extended attributes marking'
--	depends on EXPERT
-+#	depends on EXPERT
- 	select CIFS_XATTR if CIFS
- 	select EXT2_FS_XATTR if EXT2_FS
- 	select EXT3_FS_XATTR if EXT3_FS


